Advisory TFV-7 (CVE-2018-3639)
==============================

+----------------+-------------------------------------------------------------+
| Title          | Trusted Firmware-A exposure to cache speculation            |
|                | vulnerability Variant 4                                     |
+================+=============================================================+
| CVE ID         | `CVE-2018-3639`_                                            |
+----------------+-------------------------------------------------------------+
| Date           | 21 May 2018 (Updated 7 June 2018)                           |
+----------------+-------------------------------------------------------------+
| Versions       | All, up to and including v1.5                               |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of secure world data to normal world                |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1392`_, `Pull Request #1397`_                |
+----------------+-------------------------------------------------------------+
| Credit         | Google                                                      |
+----------------+-------------------------------------------------------------+

This security advisory describes the current understanding of the Trusted
Firmware-A (TF-A) exposure to Variant 4 of the cache speculation vulnerabilities
identified by `Google Project Zero`_. To understand the background and wider
impact of these vulnerabilities on Arm systems, please refer to the `Arm
Processor Security Update`_.

At the time of writing, the TF-A project is not aware of a Variant 4 exploit
that could be used against TF-A. It is likely to be very difficult to achieve an
exploit against current standard configurations of TF-A, due to the limited
interfaces into the secure world with attacker-controlled inputs. However, this
is becoming increasingly difficult to guarantee with the introduction of complex
new firmware interfaces, for example the `Software Delegated Exception Interface
(SDEI)`_. Also, the TF-A project does not have visibility of all
vendor-supplied interfaces. Therefore, the TF-A project takes a conservative
approach by mitigating Variant 4 in hardware wherever possible during secure
world execution. The mitigation is enabled by setting an implementation defined
control bit to prevent the re-ordering of stores and loads.

For each affected CPU type, TF-A implements one of the two following mitigation
approaches in `Pull Request #1392`_ and `Pull Request #1397`_. Both approaches
have a system performance impact, which varies for each CPU type and use-case.
The mitigation code is enabled by default, but can be disabled at compile time
for platforms that are unaffected or where the risk is deemed low enough.

Arm CPUs not mentioned below are unaffected.

Static mitigation
-----------------

For affected CPUs, this approach enables the mitigation during EL3
initialization, following every PE reset. No mechanism is provided to disable
the mitigation at runtime.

This approach permanently mitigates the entire software stack and no additional
mitigation code is required in other software components.

TF-A implements this approach for the following affected CPUs:

- Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
  ``CPUACTLR_EL1`` (``S3_1_C15_C2_0``).

- Cortex-A73, by setting bit 3 of ``S3_0_C15_C0_0`` (not documented in the
  Technical Reference Manual (TRM)).

- Cortex-A75, by setting bit 35 (reserved in TRM) of ``CPUACTLR_EL1``
  (``S3_0_C15_C1_0``).

Dynamic mitigation
------------------

For affected CPUs, this approach also enables the mitigation during EL3
initialization, following every PE reset. In addition, this approach implements
``SMCCC_ARCH_WORKAROUND_2`` in the Arm architectural range to allow callers at
lower exception levels to temporarily disable the mitigation in their execution
context, where the risk is deemed low enough. This approach enables mitigation
on entry to EL3, and restores the mitigation state of the lower exception level
on exit from EL3. For more information on this approach, see `Firmware
interfaces for mitigating cache speculation vulnerabilities`_.

This approach may be complemented by additional mitigation code in other
software components, for example code that calls ``SMCCC_ARCH_WORKAROUND_2``.
However, even without any mitigation code in other software components, this
approach will effectively permanently mitigate the entire software stack, since
the default mitigation state for firmware-managed execution contexts is enabled.

Since the expectation in this approach is that more software executes with the
mitigation disabled, this may result in better system performance than the
static approach for some systems or use-cases. However, for other systems or
use-cases, this performance saving may be outweighed by the additional overhead
of ``SMCCC_ARCH_WORKAROUND_2`` calls and TF-A exception handling.

TF-A implements this approach for the following affected CPU:

- Cortex-A76, by setting and clearing bit 16 (reserved in TRM) of
  ``CPUACTLR2_EL1`` (``S3_0_C15_C1_1``).

.. _Google Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
.. _Arm Processor Security Update: http://www.arm.com/security-update
.. _CVE-2018-3639: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
.. _Software Delegated Exception Interface (SDEI): http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf
.. _Firmware interfaces for mitigating cache speculation vulnerabilities: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
.. _Pull Request #1392: https://github.com/ARM-software/arm-trusted-firmware/pull/1392
.. _Pull Request #1397: https://github.com/ARM-software/arm-trusted-firmware/pull/1397
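
The dynamic mitigation flow described in this advisory for Cortex-A76, modelled in C as an added example (this is not TF-A code and not part of the original advisory). The register is a plain variable, ``struct ctx`` and the function names are hypothetical, and the function ID ``0x80007FFF`` with its 0/1 argument convention is taken from Arm's SMCCC firmware specification rather than from this page.

```c
#include <stdint.h>
#include <stdio.h>

#define SMCCC_ARCH_WORKAROUND_2 0x80007FFFu  /* ID from the SMCCC spec (assumption) */
#define A76_MITIGATION_BIT (1ull << 16)      /* CPUACTLR2_EL1 bit 16, per the advisory */

static uint64_t cpuactlr2_el1;               /* simulated register, not real hardware */

/* Hypothetical per-context record of what the lower EL requested. */
struct ctx { int mitigation_disabled; };

/* PE reset: EL3 initialization enables the mitigation; contexts default to enabled. */
void el3_reset(struct ctx *c) {
    cpuactlr2_el1 |= A76_MITIGATION_BIT;
    c->mitigation_disabled = 0;
}

/* Exit from EL3: restore the mitigation state of the lower exception level. */
static void el3_exit(const struct ctx *c) {
    if (c->mitigation_disabled)
        cpuactlr2_el1 &= ~A76_MITIGATION_BIT;
    else
        cpuactlr2_el1 |= A76_MITIGATION_BIT;
}

/* One SMC round trip; returns the register value in effect while inside EL3. */
uint64_t smc(struct ctx *c, uint32_t fid, uint64_t arg) {
    cpuactlr2_el1 |= A76_MITIGATION_BIT;     /* entry to EL3 always enables */
    uint64_t seen_in_el3 = cpuactlr2_el1;
    if (fid == SMCCC_ARCH_WORKAROUND_2)
        c->mitigation_disabled = (arg == 0); /* 0 = disable, 1 = enable */
    el3_exit(c);
    return seen_in_el3;
}

int lower_el_mitigated(void) { return (cpuactlr2_el1 & A76_MITIGATION_BIT) != 0; }

int main(void) {
    struct ctx c;
    el3_reset(&c);
    printf("after reset:   lower EL mitigated = %d\n", lower_el_mitigated());
    smc(&c, SMCCC_ARCH_WORKAROUND_2, 0);
    printf("after disable: lower EL mitigated = %d\n", lower_el_mitigated());
    smc(&c, SMCCC_ARCH_WORKAROUND_2, 1);
    printf("after enable:  lower EL mitigated = %d\n", lower_el_mitigated());
    return 0;
}
```

The value returned by ``smc()`` shows that secure world execution always runs with the bit set, whatever the caller requested for its own context.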