+----------------+-------------------------------------------------------------+
| Title          | Not saving x0 to x3 registers can leak information from one |
|                | Normal World SMC client to another                          |
+================+=============================================================+
| CVE ID         | CVE-2018-19440                                              |
+----------------+-------------------------------------------------------------+
| Date           | 27 Nov 2018                                                 |
+----------------+-------------------------------------------------------------+
| Versions       | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | Multiple normal world SMC clients calling into AArch64 BL31 |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of SMC return values from one normal world SMC      |
|                | client to another                                           |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1710`_                                       |
+----------------+-------------------------------------------------------------+
| Credit         | Secmation                                                   |
+----------------+-------------------------------------------------------------+

When taking an exception to EL3, BL31 saves the CPU context. The aim is to
restore it before returning into the lower exception level software that called
into the firmware. However, for an SMC exception, the general purpose registers
``x0`` to ``x3`` are not part of the CPU context saved on the stack.

As per the `SMC Calling Convention`_, up to 4 values may be returned to the
caller in registers ``x0`` to ``x3``. In TF-A, these return values are written
into the CPU context, typically using one of the ``SMC_RETx()`` macros provided
in the ``include/lib/aarch64/smccc_helpers.h`` header file.

Before returning to the caller, the ``restore_gp_registers()`` function is
called. It restores the values of all general purpose registers taken from the
CPU context stored on the stack. This includes registers ``x0`` to ``x3``, as
can be seen in the ``lib/el3_runtime/aarch64/context.S`` file at line 339
(referring to the version of the code as of `commit c385955`_):

.. code:: c

    /*
     * This function restores all general purpose registers except x30 from the
     * CPU context. x30 register must be explicitly restored by the caller.
     */
    func restore_gp_registers
        ldp x0, x1, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X0]
        ldp x2, x3, [sp, #CTX_GPREGS_OFFSET + CTX_GPREG_X2]

In the case of an SMC handler that does not use all 4 return values, the
remaining ones are left unchanged in the CPU context. As a result,
``restore_gp_registers()`` restores the stale values saved by a previous SMC
request (or asynchronous exception to EL3) that used these return values.

In the presence of multiple normal world SMC clients, this behaviour might leak
some of the return values from one client to another. For example, if a victim
client first sends an SMC that returns 4 values, a malicious client may then
send a second SMC expecting no return values (for example, a
``SDEI_EVENT_COMPLETE`` SMC) to get the 4 return values of the victim client.

In general, the responsibility for mitigating threats due to the presence of
multiple normal world SMC clients lies with EL2 software. When present, EL2
software must trap SMC calls from EL1 software to ensure secure behaviour.

For this reason, TF-A does not save ``x0`` to ``x3`` in the CPU context on an
SMC synchronous exception. It has behaved this way since the first version.

We can confirm that at least upstream KVM-based systems mitigate this threat,
and are therefore unaffected by this issue. Other EL2 software should be audited
to assess the impact of this threat.

EL2 software might find mitigating this threat somewhat onerous, because for all
SMCs it would need to be aware of which return registers contain valid data, so
it can sanitise any unused return registers. On the other hand, mitigating this
in EL3 is relatively easy and cheap. Therefore, TF-A will now ensure that no
information is leaked through registers ``x0`` to ``x3``, by preserving the
register state over the call.

Note that AArch32 TF-A is not affected by this issue. The SMC handling code in
``SP_MIN`` already saves all general purpose registers - including ``r0`` to
``r3``, as can be seen in the ``include/lib/aarch32/smccc_macros.S`` file at
line 19 (referring to the version of the code as of `commit c385955`_):

.. code:: c

    /*
     * Macro to save the General purpose registers (r0 - r12), the banked
     * spsr, lr, sp registers and the `scr` register to the SMC context on entry
     * due a SMC call. The `lr` of the current mode (monitor) is expected to be
     * already saved. The `sp` must point to the `smc_ctx_t` to save to.
     * Additionally, also save the 'pmcr' register as this is updated whilst
     * executing in the secure world.
     */
    .macro smccc_save_gp_mode_regs
        /* Save r0 - r12 in the SMC context */
        stm sp, {r0-r12}

.. _commit c385955: https://github.com/ARM-software/arm-trusted-firmware/commit/c385955
.. _SMC Calling Convention: http://arminfo.emea.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf
.. _Pull Request #1710: https://github.com/ARM-software/arm-trusted-firmware/pull/1710
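The following C model is an added illustration of the save/restore sequence described above; it is not code from the advisory or from TF-A. It reduces the per-CPU context to an array with one slot per general purpose register, models an SMC handler as a function that writes the return slots it uses (what an ``SMC_RETx()`` macro does) and leaves the rest untouched, and runs the two-client sequence from the advisory once with the original entry path (``x0`` to ``x3`` not saved) and once with the fixed entry path (``x0`` to ``x3`` saved on entry, so the caller's own values are what ``restore_gp_registers()`` puts back). All register values, handler names and the ``save_x0_x3`` switch are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_GPREGS 31  /* x0..x30 */

/* Hypothetical stand-in for the BL31 CPU context: one slot per GP register.
 * Like the real per-CPU context it persists across exceptions. */
struct cpu_context {
    uint64_t gpregs[NUM_GPREGS];
};

/* The caller's register file at the moment of the SMC and on return. */
struct regfile {
    uint64_t x[NUM_GPREGS];
};

typedef void (*smc_handler_t)(struct cpu_context *ctx);

/* Handler that returns four values: the model of an SMC_RET4() path. */
static void handler_ret4(struct cpu_context *ctx)
{
    ctx->gpregs[0] = 0x0;      /* constructed: success code */
    ctx->gpregs[1] = 0xAAAA;   /* constructed victim return values */
    ctx->gpregs[2] = 0xBBBB;
    ctx->gpregs[3] = 0xCCCC;
}

/* Handler that returns nothing: nothing is written to the context, so
 * whatever the return slots held before is what gets restored. */
static void handler_ret0(struct cpu_context *ctx)
{
    (void)ctx;
}

/* One SMC round trip through EL3. save_x0_x3 == false models the original
 * entry path (x0..x3 skipped on save); true models the fixed path. */
static void smc_roundtrip(struct cpu_context *ctx, struct regfile *rf,
                          smc_handler_t handler, bool save_x0_x3)
{
    /* Exception entry: save the caller's registers into the context. */
    for (int i = save_x0_x3 ? 0 : 4; i < NUM_GPREGS; i++)
        ctx->gpregs[i] = rf->x[i];

    handler(ctx);

    /* restore_gp_registers(): every register, x0..x3 included, is reloaded
     * from the context before returning to the caller. */
    for (int i = 0; i < NUM_GPREGS; i++)
        rf->x[i] = ctx->gpregs[i];
}

/* Runs the advisory's sequence (client A: SMC returning 4 values, then
 * client B: SMC returning none) and reports register x<idx> as client B
 * observes it after its own SMC returns. */
static uint64_t second_client_reg(int idx, bool save_x0_x3)
{
    struct cpu_context ctx;
    memset(&ctx, 0, sizeof(ctx));

    struct regfile a;
    memset(&a, 0, sizeof(a));
    a.x[0] = 0xA000;              /* constructed function id */
    smc_roundtrip(&ctx, &a, handler_ret4, save_x0_x3);

    struct regfile b;
    memset(&b, 0, sizeof(b));
    b.x[0] = 0xB000;              /* constructed function id */
    b.x[1] = 0x1111;              /* B's own argument registers */
    b.x[2] = 0x2222;
    b.x[3] = 0x3333;
    smc_roundtrip(&ctx, &b, handler_ret0, save_x0_x3);

    return b.x[idx];
}

int main(void)
{
    for (int idx = 1; idx <= 3; idx++)
        printf("x%d seen by client B: original path 0x%llx, fixed path 0x%llx\n",
               idx,
               (unsigned long long)second_client_reg(idx, false),
               (unsigned long long)second_client_reg(idx, true));
    return 0;
}
```

With the original entry path client B reads back A's ``0xAAAA``/``0xBBBB``/``0xCCCC`` in ``x1`` to ``x3``; with the fixed path it reads back its own ``0x1111``/``0x2222``/``0x3333``, which is the "register state preserved over the call" behaviour the advisory describes. The model also makes the EL2 mitigation cost visible: to sanitise the unused registers itself, EL2 would need to know, per function id, which of the four slots the handler actually wrote.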