blob: 572268aae40d9185552b49cfb9fe3d19bba63de7 [file] [log] [blame]
Joel Hutton9e605632019-02-25 15:18:56 +00001+----------------+-------------------------------------------------------------+
2| Title | Trusted Firmware-A exposure to cache speculation |
3| | vulnerability Variant 4 |
4+================+=============================================================+
5| CVE ID | `CVE-2018-3639`_ |
6+----------------+-------------------------------------------------------------+
7| Date | 21 May 2018 (Updated 7 June 2018) |
8+----------------+-------------------------------------------------------------+
9| Versions | All, up to and including v1.5 |
10| Affected | |
11+----------------+-------------------------------------------------------------+
12| Configurations | All |
13| Affected | |
14+----------------+-------------------------------------------------------------+
15| Impact | Leakage of secure world data to normal world |
16+----------------+-------------------------------------------------------------+
17| Fix Version | `Pull Request #1392`_, `Pull Request #1397`_ |
18+----------------+-------------------------------------------------------------+
19| Credit | Google |
20+----------------+-------------------------------------------------------------+
21
22This security advisory describes the current understanding of the Trusted
23Firmware-A (TF-A) exposure to Variant 4 of the cache speculation vulnerabilities
24identified by `Google Project Zero`_. To understand the background and wider
25impact of these vulnerabilities on Arm systems, please refer to the `Arm
26Processor Security Update`_.
27
28At the time of writing, the TF-A project is not aware of a Variant 4 exploit
29that could be used against TF-A. It is likely to be very difficult to achieve an
30exploit against current standard configurations of TF-A, due to the limited
31interfaces into the secure world with attacker-controlled inputs. However, this
32is becoming increasingly difficult to guarantee with the introduction of complex
33new firmware interfaces, for example the `Software Delegated Exception Interface
34(SDEI)`_. Also, the TF-A project does not have visibility of all
35vendor-supplied interfaces. Therefore, the TF-A project takes a conservative
36approach by mitigating Variant 4 in hardware wherever possible during secure
37world execution. The mitigation is enabled by setting an implementation defined
38control bit to prevent the re-ordering of stores and loads.
39
40For each affected CPU type, TF-A implements one of the two following mitigation
41approaches in `Pull Request #1392`_ and `Pull Request #1397`_. Both approaches
42have a system performance impact, which varies for each CPU type and use-case.
43The mitigation code is enabled by default, but can be disabled at compile time
44for platforms that are unaffected or where the risk is deemed low enough.
45
46Arm CPUs not mentioned below are unaffected.
47
48Static mitigation
49~~~~~~~~~~~~~~~~~
50
51For affected CPUs, this approach enables the mitigation during EL3
52initialization, following every PE reset. No mechanism is provided to disable
53the mitigation at runtime.
54
55This approach permanently mitigates the entire software stack and no additional
56mitigation code is required in other software components.
57
58TF-A implements this approach for the following affected CPUs:
59
60- Cortex-A57 and Cortex-A72, by setting bit 55 (Disable load pass store) of
61 ``CPUACTLR_EL1`` (``S3_1_C15_C2_0``).
62
63- Cortex-A73, by setting bit 3 of ``S3_0_C15_C0_0`` (not documented in the
64 Technical Reference Manual (TRM)).
65
66- Cortex-A75, by setting bit 35 (reserved in TRM) of ``CPUACTLR_EL1``
67 (``S3_0_C15_C1_0``).
68
69Dynamic mitigation
70~~~~~~~~~~~~~~~~~~
71
72For affected CPUs, this approach also enables the mitigation during EL3
73initialization, following every PE reset. In addition, this approach implements
74``SMCCC_ARCH_WORKAROUND_2`` in the Arm architectural range to allow callers at
75lower exception levels to temporarily disable the mitigation in their execution
76context, where the risk is deemed low enough. This approach enables mitigation
77on entry to EL3, and restores the mitigation state of the lower exception level
78on exit from EL3. For more information on this approach, see `Firmware
79interfaces for mitigating cache speculation vulnerabilities`_.
80
81This approach may be complemented by additional mitigation code in other
82software components, for example code that calls ``SMCCC_ARCH_WORKAROUND_2``.
83However, even without any mitigation code in other software components, this
84approach will effectively permanently mitigate the entire software stack, since
85the default mitigation state for firmware-managed execution contexts is enabled.
86
87Since the expectation in this approach is that more software executes with the
88mitigation disabled, this may result in better system performance than the
89static approach for some systems or use-cases. However, for other systems or
90use-cases, this performance saving may be outweighed by the additional overhead
91of ``SMCCC_ARCH_WORKAROUND_2`` calls and TF-A exception handling.
92
93TF-A implements this approach for the following affected CPU:
94
95- Cortex-A76, by setting and clearing bit 16 (reserved in TRM) of
96 ``CPUACTLR2_EL1`` (``S3_0_C15_C1_1``).
97
98.. _Google Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
99.. _Arm Processor Security Update: http://www.arm.com/security-update
100.. _CVE-2018-3639: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
101.. _Software Delegated Exception Interface (SDEI): http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf
102.. _Firmware interfaces for mitigating cache speculation vulnerabilities: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
103.. _Pull Request #1392: https://github.com/ARM-software/arm-trusted-firmware/pull/1392
104.. _Pull Request #1397: https://github.com/ARM-software/arm-trusted-firmware/pull/1397