blob: db4745854ca499641064ed8396eac3ffb5effa05 [file] [log] [blame]
Joel Hutton9e605632019-02-25 15:18:56 +00001+----------------+-------------------------------------------------------------+
2| Title | Enabled secure self-hosted invasive debug interface can |
3| | allow normal world to panic secure world |
4+================+=============================================================+
Paul Beesley75017f22019-03-05 17:10:07 +00005| CVE ID | `CVE-2017-7564`_ |
Joel Hutton9e605632019-02-25 15:18:56 +00006+----------------+-------------------------------------------------------------+
7| Date | 02 Feb 2017 |
8+----------------+-------------------------------------------------------------+
9| Versions | All versions up to v1.3 |
10| Affected | |
11+----------------+-------------------------------------------------------------+
12| Configurations | All |
13| Affected | |
14+----------------+-------------------------------------------------------------+
15| Impact | Denial of Service (secure world panic) |
16+----------------+-------------------------------------------------------------+
17| Fix Version | 15 Feb 2017 `Pull Request #841`_ |
18+----------------+-------------------------------------------------------------+
19| Credit | ARM |
20+----------------+-------------------------------------------------------------+
21
22The ``MDCR_EL3.SDD`` bit controls AArch64 secure self-hosted invasive debug
23enablement. By default, the BL1 and BL31 images of the current version of ARM
24Trusted Firmware (TF) unconditionally assign this bit to ``0`` in the early
25entrypoint code, which enables debug exceptions from the secure world. This can
26be seen in the implementation of the ``el3_arch_init_common`` `AArch64 macro`_ .
27Given that TF does not currently contain support for this feature (for example,
28by saving and restoring the appropriate debug registers), this may allow a
29normal world attacker to induce a panic in the secure world.
30
31The ``MDCR_EL3.SDD`` bit should be assigned to ``1`` to disable debug exceptions
32from the secure world.
33
34Earlier versions of TF (prior to `commit 495f3d3`_) did not assign this bit.
35Since the bit has an architecturally ``UNKNOWN`` reset value, earlier versions
36may or may not have the same problem, depending on the platform.
37
38A similar issue applies to the ``MDCR_EL3.SPD32`` bits, which control AArch32
39secure self-hosted invasive debug enablement. TF assigns these bits to ``00``
40meaning that debug exceptions from Secure EL1 are enabled by the authentication
41interface. Therefore this issue only exists for AArch32 Secure EL1 code when
42secure privileged invasive debug is enabled by the authentication interface, at
43which point the device is vulnerable to other, more serious attacks anyway.
44
45However, given that TF contains no support for handling debug exceptions, the
46``MDCR_EL3.SPD32`` bits should be assigned to ``10`` to disable debug exceptions
47from AArch32 Secure EL1.
48
49Finally, this also issue applies to AArch32 platforms that use the TF SP_MIN
50image or integrate the `AArch32 equivalent`_ of the ``el3_arch_init_common``
51macro. Here the affected bits are ``SDCR.SPD``, which should also be assigned to
52``10`` instead of ``00``
53
Paul Beesley75017f22019-03-05 17:10:07 +000054.. _CVE-2017-7564: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7564
Joel Hutton9e605632019-02-25 15:18:56 +000055.. _commit 495f3d3: https://github.com/ARM-software/arm-trusted-firmware/commit/495f3d3
56.. _AArch64 macro: https://github.com/ARM-software/arm-trusted-firmware/blob/bcc2bf0/include/common/aarch64/el3_common_macros.S#L85
57.. _AArch32 equivalent: https://github.com/ARM-software/arm-trusted-firmware/blob/bcc2bf0/include/common/aarch32/el3_common_macros.S#L41
58.. _Pull Request #841: https://github.com/ARM-software/arm-trusted-firmware/pull/841