+----------------+-------------------------------------------------------------+
| Title          | Arm Trusted Firmware exposure to speculative processor      |
|                | vulnerabilities using cache timing side-channels            |
+================+=============================================================+
| CVE ID         | `CVE-2017-5753`_ / `CVE-2017-5715`_ / `CVE-2017-5754`_      |
+----------------+-------------------------------------------------------------+
| Date           | 03 Jan 2018 (Updated 11 Jan, 18 Jan, 26 Jan, 30 Jan and 07  |
|                | June 2018)                                                  |
+----------------+-------------------------------------------------------------+
| Versions       | All, up to and including v1.4                               |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Configurations | All                                                         |
| Affected       |                                                             |
+----------------+-------------------------------------------------------------+
| Impact         | Leakage of secure world data to normal world                |
+----------------+-------------------------------------------------------------+
| Fix Version    | `Pull Request #1214`_, `Pull Request #1228`_,               |
|                | `Pull Request #1240`_ and `Pull Request #1405`_             |
+----------------+-------------------------------------------------------------+
| Credit         | Google / Arm                                                |
+----------------+-------------------------------------------------------------+

This security advisory describes the current understanding of the Arm Trusted
Firmware (TF) exposure to the speculative processor vulnerabilities identified
by `Google Project Zero`_. To understand the background and wider impact of
these vulnerabilities on Arm systems, please refer to the `Arm Processor
Security Update`_.

Variant 1 (`CVE-2017-5753`_)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At the time of writing, no vulnerable patterns (bounds-check bypass: an
untrusted index that is checked against a bound and then, under speculation,
selects a dependent memory access) have been observed in upstream TF code,
therefore no workarounds have been applied or are planned.
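What such a pattern looks like in an SMC handler, beside the hardened form a
reviewer would ask for, as an added example that is not TF code. The table, the
secret byte placed directly after it, the probe array and every function name
are constructed for this example; the masking scheme is the arithmetic one used
by Linux's generic ``array_index_mask_nospec()``, and the example does not use
the Arm ``CSDB`` barrier because it is meant to build and run on a host:

```c
/*
 * Added example, not TF-A code: the Variant 1 (bounds-check bypass) pattern
 * that a review of SMC handlers looks for, beside a hardened form.
 *
 * Constructed scenario: a handler takes an untrusted index from the normal
 * world, checks it against a table size and loads from a secure-world table.
 * A vulnerable core may execute that load speculatively with an out-of-bounds
 * index before the check resolves; if the loaded byte then selects a second
 * load, its cache footprint reveals that byte. The table, the "secret" byte
 * after it and the probe array are all constructed for this example.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define TABLE_SIZE 8u
/* Constructed secure-world memory: the table, then a byte that must never leak. */
static const uint8_t secure_mem[TABLE_SIZE + 1] = { 10, 11, 12, 13, 14, 15, 16, 17, 0x42 };
static uint8_t probe[256 * 64];    /* attacker-timed afterwards (Flush+Reload) */
static volatile uint8_t sink;

/* Vulnerable pattern: the branch is the only thing between idx and the load. */
int lookup_vulnerable(size_t idx)
{
    if (idx >= TABLE_SIZE)
        return -1;
    uint8_t v = secure_mem[idx];      /* speculatively reachable past the end */
    sink = probe[(size_t)v * 64];     /* dependent load: the covert channel   */
    return v;
}

/*
 * All-ones when idx < size, zero otherwise, computed without a branch so the
 * result holds even while the bounds-check branch is mispredicted. This is
 * the arithmetic scheme of Linux's generic array_index_mask_nospec(); on Arm
 * cores the CSDB barrier is the architectural way to get the same effect.
 */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    __asm__ volatile("" : "+r"(idx));   /* stop the compiler eliding the mask */
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

/* Index actually used for the load, whatever the branch predictor decided. */
size_t clamped_index(size_t idx)
{
    return idx & index_mask_nospec(idx, TABLE_SIZE);
}

/* Hardened form: identical architectural results, speculation stays in the table. */
int lookup_hardened(size_t idx)
{
    if (idx >= TABLE_SIZE)
        return -1;
    uint8_t v = secure_mem[clamped_index(idx)];
    sink = probe[(size_t)v * 64];
    return v;
}

/*
 * What each handler's load fetches on the mispredicted path, i.e. with the
 * bounds check treated as passed. Architecturally this never runs; it shows
 * which byte speculation would hand to the covert channel (idx must stay
 * within secure_mem for this host model).
 */
uint8_t mispredicted_load(size_t idx, int hardened)
{
    return secure_mem[hardened ? clamped_index(idx) : idx];
}
```

Both handlers return the same values to the caller, which is why the pattern is
easy to miss in review; the difference is only visible on the mispredicted
path, where the vulnerable handler's load fetches the byte after the table and
the hardened handler's load is pinned to index 0.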

Variant 2 (`CVE-2017-5715`_)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Where possible on vulnerable CPUs, Arm recommends invalidating the branch
predictor as early as possible on entry into the secure world, before any branch
instruction is executed. There are a number of implementation-defined ways to
achieve this.

For Cortex-A57 and Cortex-A72 CPUs, the Pull Requests (PRs) in this advisory
invalidate the branch predictor when entering EL3 by disabling and re-enabling
the MMU.

For Cortex-A73 and Cortex-A75 CPUs, the PRs in this advisory invalidate the
branch predictor when entering EL3 by temporarily dropping into AArch32
Secure-EL1 and executing the ``BPIALL`` instruction. This workaround is
significantly more complex than the "MMU disable/enable" workaround. The latter
is not effective at invalidating the branch predictor on Cortex-A73/Cortex-A75.

Note that if other privileged software, for example a Rich OS kernel, implements
its own branch predictor invalidation during context switch by issuing an SMC
(to execute firmware branch predictor invalidation), then there is a dependency
on the PRs in this advisory being deployed in order for those workarounds to
work. If that other privileged software is able to work around the vulnerability
locally (for example by implementing "MMU disable/enable" itself), there is no
such dependency.

`Pull Request #1240`_ and `Pull Request #1405`_ optimise the earlier fixes by
implementing a specified `CVE-2017-5715`_ workaround SMC
(``SMCCC_ARCH_WORKAROUND_1``) for use by normal world privileged software. This
is more efficient than calling an arbitrary SMC (for example ``PSCI_VERSION``)
because the dedicated call can be handled on a minimal EL3 entry/exit path
rather than through the full SMC dispatch; the branch predictor invalidation
itself is the same. Details of ``SMCCC_ARCH_WORKAROUND_1`` can be found in the
`CVE-2017-5715 mitigation specification`_. The specification and implementation
also enable the normal world to discover the presence of this firmware service,
by querying ``SMCCC_ARCH_FEATURES`` with the ``SMCCC_ARCH_WORKAROUND_1``
function ID; that query only exists from SMCCC v1.1 onwards, so a caller must
check ``SMCCC_VERSION`` first.
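The discovery and invocation sequence, as an added host-runnable model that is
not TF code and not the project's SMC handling: ``smc()`` stands in for the EL3
dispatcher, ``discover_workaround()`` for a normal-world kernel, and a counter
stands in for the real branch predictor invalidation. The function IDs, version
encoding and return codes are those of SMCCC v1.1 and the mitigation
specification; ``struct firmware``, the counter and the scenario helpers are
assumptions made for this model:

```c
/*
 * Added example, not TF-A code: a host-runnable model of the
 * SMCCC_ARCH_WORKAROUND_1 discovery and invocation exchange between
 * normal-world privileged software and EL3 firmware. Function IDs, version
 * encoding and return codes are those of SMCCC v1.1 and the CVE-2017-5715
 * mitigation specification; struct firmware, the counter standing in for the
 * real branch predictor invalidation and the scenario helpers are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>

#define SMCCC_VERSION            0x80000000u   /* SMCCC fast-call function IDs */
#define SMCCC_ARCH_FEATURES      0x80000001u
#define SMCCC_ARCH_WORKAROUND_1  0x80008000u
#define PSCI_VERSION             0x84000000u
#define SMCCC_RET_SUCCESS         0
#define SMCCC_RET_NOT_SUPPORTED  -1
/* Version words: major in bits [31:16], minor in bits [15:0]. */
#define MAKE_VERSION(maj, min)  (((uint32_t)(maj) << 16) | (uint32_t)(min))
#define SMCCC_VERSION_1_1       MAKE_VERSION(1, 1)
#define PSCI_VERSION_1_0        MAKE_VERSION(1, 0)

struct firmware {               /* hypothetical model of the firmware's state    */
    bool smccc_v1_1;            /* implements SMCCC v1.1 (feature discovery)     */
    bool bp_fix_present;        /* vulnerable CPU built with this advisory's PRs */
    unsigned bp_invalidations;  /* stand-in for the real invalidation            */
};

/*
 * Model of the EL3 SMC dispatcher. With the fix present the branch predictor
 * is invalidated on every entry to EL3 before the function ID is looked at,
 * so any SMC works as a trigger; SMCCC_ARCH_WORKAROUND_1 only shortens the
 * entry/exit path around that same invalidation.
 */
static int32_t smc(struct firmware *fw, uint32_t fid, uint32_t arg1)
{
    if (fw->bp_fix_present)
        fw->bp_invalidations++;
    switch (fid) {
    case PSCI_VERSION:
        return (int32_t)PSCI_VERSION_1_0;
    case SMCCC_VERSION:            /* absent before SMCCC v1.1 */
        return fw->smccc_v1_1 ? (int32_t)SMCCC_VERSION_1_1 : SMCCC_RET_NOT_SUPPORTED;
    case SMCCC_ARCH_FEATURES:      /* "is this function ID implemented?" */
        if (fw->smccc_v1_1 && arg1 == SMCCC_ARCH_WORKAROUND_1 && fw->bp_fix_present)
            return SMCCC_RET_SUCCESS;
        return SMCCC_RET_NOT_SUPPORTED;
    case SMCCC_ARCH_WORKAROUND_1:  /* no result defined; the entry is the point */
        return fw->smccc_v1_1 ? SMCCC_RET_SUCCESS : SMCCC_RET_NOT_SUPPORTED;
    default:
        return SMCCC_RET_NOT_SUPPORTED;
    }
}

enum wa_method { WA_SMCCC_ARCH_WORKAROUND_1, WA_ARBITRARY_SMC, WA_NONE };
/*
 * Normal-world discovery. SMCCC_VERSION may only be issued once PSCI_VERSION
 * reports 1.0 or later, since older PSCI implementations need not handle
 * unknown function IDs gracefully. Without SMCCC v1.1 there is no feature
 * query, so the caller can only issue an arbitrary SMC and rely on the
 * firmware carrying the fix, which is the dependency described above.
 */
static enum wa_method discover_workaround(struct firmware *fw)
{
    int32_t ret = smc(fw, PSCI_VERSION, 0);
    if (ret < 0 || (uint32_t)ret < PSCI_VERSION_1_0)
        return WA_NONE;
    ret = smc(fw, SMCCC_VERSION, 0);
    if (ret < 0 || (uint32_t)ret < SMCCC_VERSION_1_1)
        return WA_ARBITRARY_SMC;
    ret = smc(fw, SMCCC_ARCH_FEATURES, SMCCC_ARCH_WORKAROUND_1);
    return ret == SMCCC_RET_SUCCESS ? WA_SMCCC_ARCH_WORKAROUND_1 : WA_ARBITRARY_SMC;
}

/* One context switch's mitigation call; returns the invalidations it caused. */
static unsigned context_switch_mitigate(struct firmware *fw, enum wa_method m)
{
    unsigned before = fw->bp_invalidations;
    if (m == WA_SMCCC_ARCH_WORKAROUND_1)
        (void)smc(fw, SMCCC_ARCH_WORKAROUND_1, 0);
    else if (m == WA_ARBITRARY_SMC)
        (void)smc(fw, PSCI_VERSION, 0);      /* any SMC enters EL3 */
    return fw->bp_invalidations - before;
}

/* Scenario helpers: build a firmware, run discovery, then switch context once. */
enum wa_method scenario_method(bool smccc_v1_1, bool bp_fix_present)
{
    struct firmware fw = { smccc_v1_1, bp_fix_present, 0 };
    return discover_workaround(&fw);
}

unsigned scenario_invalidations(bool smccc_v1_1, bool bp_fix_present)
{
    struct firmware fw = { smccc_v1_1, bp_fix_present, 0 };
    return context_switch_mitigate(&fw, discover_workaround(&fw));
}
```

The three scenarios worth running: SMCCC v1.1 firmware with the fix (the normal
world selects ``SMCCC_ARCH_WORKAROUND_1`` and each context switch costs one
invalidation), SMCCC v1.0 firmware with the fix (discovery is impossible, but
the arbitrary-SMC fallback still invalidates), and SMCCC v1.0 firmware without
the fix (the fallback enters EL3 and nothing is invalidated, which is the
dependency described above). The model reports ``NOT_SUPPORTED`` for the
feature query on an unaffected CPU; it does not model the distinct "not
required" result that later revisions of the specification define.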

On Juno R1 we measured the round trip latency for both the ``PSCI_VERSION`` and
``SMCCC_ARCH_WORKAROUND_1`` SMCs on Cortex-A57, using both the "MMU
disable/enable" and "BPIALL at AArch32 Secure-EL1" workarounds described above.
This includes the time spent in test code conforming to the SMC Calling
Convention (SMCCC) from AArch64. For the ``SMCCC_ARCH_WORKAROUND_1`` cases, the
test code uses SMCCC v1.1, which reduces the number of general purpose registers
it needs to save/restore. Although the ``BPIALL`` instruction is not effective
at invalidating the branch predictor on Cortex-A57, the drop into Secure-EL1
with MMU disabled that this workaround entails effectively does invalidate the
branch predictor. Hence this is a reasonable comparison.

The results (round trip time per SMC, lower is better) were as follows:

+------------------------------------------------------------------+-----------+
| Test                                                             | Time (ns) |
+==================================================================+===========+
| ``PSCI_VERSION`` baseline (without PRs in this advisory)         | 515       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` baseline (with PRs in this advisory)            | 527       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "MMU disable/enable"                       | 930       |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "MMU disable/enable"            | 386       |
+------------------------------------------------------------------+-----------+
| ``PSCI_VERSION`` with "BPIALL at AArch32 Secure-EL1"             | 1276      |
+------------------------------------------------------------------+-----------+
| ``SMCCC_ARCH_WORKAROUND_1`` with "BPIALL at AArch32 Secure-EL1"  | 770       |
+------------------------------------------------------------------+-----------+

Due to the high severity and wide applicability of this issue, the above
workarounds are enabled by default (on vulnerable CPUs only), despite some
performance and code size overhead. Platforms can choose to disable them at
compile time if they do not require them. `Pull Request #1240`_ disables the
workarounds for unaffected upstream platforms.

For vulnerable AArch32-only CPUs (for example Cortex-A8, Cortex-A9 and
Cortex-A17), the ``BPIALL`` instruction should be used as early as possible on
entry into the secure world. For Cortex-A8, also set ``ACTLR[6]`` to 1 during
early processor initialization. Note that the ``BPIALL`` instruction is not
effective at invalidating the branch predictor on Cortex-A15. For that CPU, set
``ACTLR[0]`` to 1 during early processor initialization, and invalidate the
branch predictor by performing an ``ICIALLU`` instruction.

On AArch32 EL3 systems, the monitor and secure-SVC code is typically tightly
integrated, for example as part of a Trusted OS. Therefore any Variant 2
workaround should be provided by vendors of that software and is outside the
scope of TF. However, an example implementation in the minimal AArch32 Secure
Payload, ``SP_MIN``, is provided in `Pull Request #1228`_.

Other Arm CPUs are not vulnerable to this or other variants. This includes
Cortex-A76, Cortex-A53, Cortex-A55, Cortex-A32, Cortex-A7 and Cortex-A5.

For more information about non-Arm CPUs, please contact the CPU vendor.

Variant 3 (`CVE-2017-5754`_)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This variant is only exploitable between Exception Levels within the same
translation regime, for example between EL0 and EL1, therefore this variant
cannot be used to access secure memory from the non-secure world, and is not
applicable for TF. However, Secure Payloads (for example, Trusted OS) should
provide mitigations on vulnerable CPUs to protect themselves from exploited
Secure-EL0 applications.

The only Arm CPU vulnerable to this variant is Cortex-A75.

.. _Google Project Zero: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
.. _Arm Processor Security Update: http://www.arm.com/security-update
.. _CVE-2017-5753: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
.. _CVE-2017-5715: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
.. _CVE-2017-5754: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
.. _Pull Request #1214: https://github.com/ARM-software/arm-trusted-firmware/pull/1214
.. _Pull Request #1228: https://github.com/ARM-software/arm-trusted-firmware/pull/1228
.. _Pull Request #1240: https://github.com/ARM-software/arm-trusted-firmware/pull/1240
.. _Pull Request #1405: https://github.com/ARM-software/arm-trusted-firmware/pull/1405
.. _CVE-2017-5715 mitigation specification: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification