Advisory TFV-6 (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
============================================================

+----------------+-------------------------------------------------------------+
| Title          | Trusted Firmware-A exposure to speculative processor        |
|                | vulnerabilities using cache timing side-channels            |
+================+=============================================================+
| CVE ID         | `CVE-2017-5753`_ / `CVE-2017-5715`_ / `CVE-2017-5754`_      |
+----------------+-------------------------------------------------------------+
| Date           | 03 Jan 2018 (Updated 11 Jan, 18 Jan, 26 Jan, 30 Jan and 07  |
|                | June 2018)                                                  |
+----------------+-------------------------------------------------------------+
| Versions       | All, up to and including v1.4                               |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of secure world data to normal world                |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1214`_, `Pull Request #1228`_,               |
|                | `Pull Request #1240`_ and `Pull Request #1405`_             |
+----------------+-------------------------------------------------------------+
| Credit         | Google / Arm                                                |
+----------------+-------------------------------------------------------------+

This security advisory describes the current understanding of the Trusted
Firmware-A exposure to the speculative processor vulnerabilities identified by
`Google Project Zero`_.  To understand the background and wider impact of these
vulnerabilities on Arm systems, please refer to the `Arm Processor Security
Update`_.

Variant 1 (`CVE-2017-5753`_)
----------------------------

At the time of writing, no vulnerable patterns have been observed in upstream TF
code, therefore no workarounds have been applied or are planned.

Variant 2 (`CVE-2017-5715`_)
----------------------------

Where possible on vulnerable CPUs, Arm recommends invalidating the branch
predictor as early as possible on entry into the secure world, before any branch
instruction is executed. There are a number of implementation-defined ways to
achieve this.

For Cortex-A57 and Cortex-A72 CPUs, the Pull Requests (PRs) in this advisory
invalidate the branch predictor when entering EL3 by disabling and re-enabling
the MMU.

For Cortex-A73 and Cortex-A75 CPUs, the PRs in this advisory invalidate the
branch predictor when entering EL3 by temporarily dropping into AArch32
Secure-EL1 and executing the ``BPIALL`` instruction. This workaround is
significantly more complex than the "MMU disable/enable" workaround. The latter
is not effective at invalidating the branch predictor on Cortex-A73/Cortex-A75.

Note that if other privileged software, for example a Rich OS kernel, implements
its own branch predictor invalidation during context switch by issuing an SMC
(to execute firmware branch predictor invalidation), then there is a dependency
on the PRs in this advisory being deployed in order for those workarounds to
work. If that other privileged software is able to work around the vulnerability
locally (for example by implementing "MMU disable/enable" itself), there is no
such dependency.

`Pull Request #1240`_ and `Pull Request #1405`_ optimise the earlier fixes by
implementing a specified `CVE-2017-5715`_ workaround SMC
(``SMCCC_ARCH_WORKAROUND_1``) for use by normal world privileged software. This
is more efficient than calling an arbitrary SMC (for example ``PSCI_VERSION``).
Details of ``SMCCC_ARCH_WORKAROUND_1`` can be found in the `CVE-2017-5715
mitigation specification`_.  The specification and implementation also enable
the normal world to discover the presence of this firmware service.

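The discovery path mentioned above can be sketched as follows. This is an added
example, not code from Trusted Firmware-A or the specification: the ``smc_fn``
conduit, the ``wa1_state`` enum and both mock firmware functions are
hypothetical, and the function IDs and return-value convention (negative for
unsupported, 0 for required, positive for not needed on this core) are taken
from the PSCI and SMCCC specifications rather than from this advisory.

```c
#include <stdint.h>

/* Function IDs as defined by the PSCI and SMCCC v1.1 specifications. */
#define PSCI_VERSION            0x84000000u
#define PSCI_FEATURES           0x8400000Au
#define SMCCC_VERSION           0x80000000u
#define SMCCC_ARCH_FEATURES     0x80000001u
#define SMCCC_ARCH_WORKAROUND_1 0x80008000u
#define VER(maj, min)           (((maj) << 16) | (min))

/* Hypothetical conduit: on hardware this wraps the SMC instruction. */
typedef int32_t (*smc_fn)(uint32_t fid, uint32_t arg1);
enum wa1_state { WA1_UNAVAILABLE, WA1_REQUIRED, WA1_NOT_NEEDED };

enum wa1_state discover_wa1(smc_fn smc)
{
    /* SMCCC_VERSION is only discoverable via PSCI_FEATURES (PSCI v1.0+). */
    if (smc(PSCI_VERSION, 0) < VER(1, 0))
        return WA1_UNAVAILABLE;
    if (smc(PSCI_FEATURES, SMCCC_VERSION) < 0)
        return WA1_UNAVAILABLE;
    /* SMCCC_ARCH_FEATURES exists from SMCCC v1.1 onwards. */
    if (smc(SMCCC_VERSION, 0) < VER(1, 1))
        return WA1_UNAVAILABLE;
    int32_t r = smc(SMCCC_ARCH_FEATURES, SMCCC_ARCH_WORKAROUND_1);
    if (r < 0)
        return WA1_UNAVAILABLE;   /* firmware does not implement it */
    return r == 0 ? WA1_REQUIRED : WA1_NOT_NEEDED;
}

/* Constructed mock: firmware exposing the workaround on a vulnerable core. */
int32_t fw_patched(uint32_t fid, uint32_t arg1)
{
    switch (fid) {
    case PSCI_VERSION:        return VER(1, 1);
    case PSCI_FEATURES:       return arg1 == SMCCC_VERSION ? 0 : -1;
    case SMCCC_VERSION:       return VER(1, 1);
    case SMCCC_ARCH_FEATURES: return arg1 == SMCCC_ARCH_WORKAROUND_1 ? 0 : -1;
    default:                  return -1;
    }
}

/* Constructed mock: older firmware, PSCI v1.0 without SMCCC_VERSION. */
int32_t fw_legacy(uint32_t fid, uint32_t arg1)
{
    (void)arg1;
    return fid == PSCI_VERSION ? VER(1, 0) : -1;
}

int main(void) { return discover_wa1(fw_patched) == WA1_REQUIRED ? 0 : 1; }
```
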
On Juno R1 we measured the round trip latency for both the ``PSCI_VERSION`` and
``SMCCC_ARCH_WORKAROUND_1`` SMCs on Cortex-A57, using both the "MMU
disable/enable" and "BPIALL at AArch32 Secure-EL1" workarounds described above.
This includes the time spent in test code conforming to the SMC Calling
Convention (SMCCC) from AArch64. For the ``SMCCC_ARCH_WORKAROUND_1`` cases, the
test code uses SMCCC v1.1, which reduces the number of general purpose registers
it needs to save/restore. Although the ``BPIALL`` instruction is not effective
at invalidating the branch predictor on Cortex-A57, the drop into Secure-EL1
with MMU disabled that this workaround entails effectively does invalidate the
branch predictor. Hence this is a reasonable comparison.

The results were as follows:

+------------------------------------------------------------------+-----------+
| Test                                                             | Time (ns) |
+==================================================================+===========+
| ``PSCI_VERSION`` baseline (without PRs in this advisory)         | 515       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` baseline (with PRs in this advisory)            | 527       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "MMU disable/enable"                       | 930       |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "MMU disable/enable"            | 386       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "BPIALL at AArch32 Secure-EL1"             | 1276      |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "BPIALL at AArch32 Secure-EL1"  | 770       |
+------------------------------------------------------------------+-----------+

Due to the high severity and wide applicability of this issue, the above
workarounds are enabled by default (on vulnerable CPUs only), despite some
performance and code size overhead. Platforms can choose to disable them at
compile time if they do not require them. `Pull Request #1240`_ disables the
workarounds for unaffected upstream platforms.

For vulnerable AArch32-only CPUs (for example Cortex-A8, Cortex-A9 and
Cortex-A17), the ``BPIALL`` instruction should be used as early as possible on
entry into the secure world. For Cortex-A8, also set ``ACTLR[6]`` to 1 during
early processor initialization. Note that the ``BPIALL`` instruction is not
effective at invalidating the branch predictor on Cortex-A15. For that CPU, set
``ACTLR[0]`` to 1 during early processor initialization, and invalidate the
branch predictor by performing an ``ICIALLU`` instruction.

On AArch32 EL3 systems, the monitor and secure-SVC code is typically tightly
integrated, for example as part of a Trusted OS. Therefore any Variant 2
workaround should be provided by vendors of that software and is outside the
scope of TF. However, an example implementation in the minimal AArch32 Secure
Payload, ``SP_MIN``, is provided in `Pull Request #1228`_.

Other Arm CPUs are not vulnerable to this or other variants. This includes
Cortex-A76, Cortex-A53, Cortex-A55, Cortex-A32, Cortex-A7 and Cortex-A5.

For more information about non-Arm CPUs, please contact the CPU vendor.

Variant 3 (`CVE-2017-5754`_)
----------------------------

This variant is only exploitable between Exception Levels within the same
translation regime, for example between EL0 and EL1, therefore this variant
cannot be used to access secure memory from the non-secure world, and is not
applicable for TF. However, Secure Payloads (for example, Trusted OS) should
provide mitigations on vulnerable CPUs to protect themselves from exploited
Secure-EL0 applications.

The only Arm CPU vulnerable to this variant is Cortex-A75.

.. _Google Project Zero: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
.. _Arm Processor Security Update: http://www.arm.com/security-update
.. _CVE-2017-5753: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
.. _CVE-2017-5715: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
.. _CVE-2017-5754: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
.. _Pull Request #1214: https://github.com/ARM-software/arm-trusted-firmware/pull/1214
.. _Pull Request #1228: https://github.com/ARM-software/arm-trusted-firmware/pull/1228
.. _Pull Request #1240: https://github.com/ARM-software/arm-trusted-firmware/pull/1240
.. _Pull Request #1405: https://github.com/ARM-software/arm-trusted-firmware/pull/1405
.. _CVE-2017-5715 mitigation specification: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification