1Advisory TFV-6 (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
2============================================================
3
4+----------------+-------------------------------------------------------------+
5| Title          | Trusted Firmware-A exposure to speculative processor        |
6|                | vulnerabilities using cache timing side-channels            |
7+================+=============================================================+
8| CVE ID         | `CVE-2017-5753`_ / `CVE-2017-5715`_ / `CVE-2017-5754`_      |
9+----------------+-------------------------------------------------------------+
10| Date           | 03 Jan 2018 (Updated 11 Jan, 18 Jan, 26 Jan, 30 Jan and 07  |
11|                | June 2018)                                                  |
12+----------------+-------------------------------------------------------------+
13| Versions       | All, up to and including v1.4                               |
14| Affected       |                                                             |
15+----------------+-------------------------------------------------------------+
16| Configurations | All                                                         |
17| Affected       |                                                             |
18+----------------+-------------------------------------------------------------+
19| Impact         | Leakage of secure world data to normal world                |
20+----------------+-------------------------------------------------------------+
21| Fix Version    | `Pull Request #1214`_, `Pull Request #1228`_,               |
22|                | `Pull Request #1240`_ and `Pull Request #1405`_             |
23+----------------+-------------------------------------------------------------+
24| Credit         | Google / Arm                                                |
25+----------------+-------------------------------------------------------------+
26
27This security advisory describes the current understanding of the Trusted
28Firmware-A exposure to the speculative processor vulnerabilities identified by
29`Google Project Zero`_.  To understand the background and wider impact of these
30vulnerabilities on Arm systems, please refer to the `Arm Processor Security
31Update`_.
32
33Variant 1 (`CVE-2017-5753`_)
34----------------------------
35
36At the time of writing, no vulnerable patterns have been observed in upstream TF
37code, therefore no workarounds have been applied or are planned.
38
39Variant 2 (`CVE-2017-5715`_)
40----------------------------
41
42Where possible on vulnerable CPUs, Arm recommends invalidating the branch
43predictor as early as possible on entry into the secure world, before any branch
44instruction is executed. There are a number of implementation defined ways to
45achieve this.
46
47For Cortex-A57 and Cortex-A72 CPUs, the Pull Requests (PRs) in this advisory
48invalidate the branch predictor when entering EL3 by disabling and re-enabling
49the MMU.
50
51For Cortex-A73 and Cortex-A75 CPUs, the PRs in this advisory invalidate the
52branch predictor when entering EL3 by temporarily dropping into AArch32
53Secure-EL1 and executing the ``BPIALL`` instruction. This workaround is
54significantly more complex than the "MMU disable/enable" workaround. The latter
55is not effective at invalidating the branch predictor on Cortex-A73/Cortex-A75.
56
57Note that if other privileged software, for example a Rich OS kernel, implements
58its own branch predictor invalidation during context switch by issuing an SMC
59(to execute firmware branch predictor invalidation), then there is a dependency
60on the PRs in this advisory being deployed in order for those workarounds to
61work. If that other privileged software is able to workaround the vulnerability
62locally (for example by implementing "MMU disable/enable" itself), there is no
63such dependency.
64
65`Pull Request #1240`_ and `Pull Request #1405`_ optimise the earlier fixes by
66implementing a specified `CVE-2017-5715`_ workaround SMC
67(``SMCCC_ARCH_WORKAROUND_1``) for use by normal world privileged software. This
68is more efficient than calling an arbitrary SMC (for example ``PSCI_VERSION``).
69Details of ``SMCCC_ARCH_WORKAROUND_1`` can be found in the `CVE-2017-5715
70mitigation specification`_.  The specification and implementation also enable
71the normal world to discover the presence of this firmware service.
72
73On Juno R1 we measured the round trip latency for both the ``PSCI_VERSION`` and
74``SMCCC_ARCH_WORKAROUND_1`` SMCs on Cortex-A57, using both the "MMU
75disable/enable" and "BPIALL at AArch32 Secure-EL1" workarounds described above.
76This includes the time spent in test code conforming to the SMC Calling
77Convention (SMCCC) from AArch64. For the ``SMCCC_ARCH_WORKAROUND_1`` cases, the
78test code uses SMCCC v1.1, which reduces the number of general purpose registers
79it needs to save/restore. Although the ``BPIALL`` instruction is not effective
80at invalidating the branch predictor on Cortex-A57, the drop into Secure-EL1
81with MMU disabled that this workaround entails effectively does invalidate the
82branch predictor. Hence this is a reasonable comparison.
83
84The results were as follows:
85
86+------------------------------------------------------------------+-----------+
87| Test                                                             | Time (ns) |
88+==================================================================+===========+
89| ``PSCI_VERSION`` baseline (without PRs in this advisory)         | 515       |
90+------------------------------------------------------------------+-----------+
91| ``PSCI_VERSION`` baseline (with PRs in this advisory)            | 527       |
92+------------------------------------------------------------------+-----------+
93| ``PSCI_VERSION`` with "MMU disable/enable"                       | 930       |
94+------------------------------------------------------------------+-----------+
95| ``SMCCC_ARCH_WORKAROUND_1`` with "MMU disable/enable"            | 386       |
96+------------------------------------------------------------------+-----------+
97| ``PSCI_VERSION`` with "BPIALL at AArch32 Secure-EL1"             | 1276      |
98+------------------------------------------------------------------+-----------+
99| ``SMCCC_ARCH_WORKAROUND_1`` with "BPIALL at AArch32 Secure-EL1"  | 770       |
100+------------------------------------------------------------------+-----------+
101
102Due to the high severity and wide applicability of this issue, the above
103workarounds are enabled by default (on vulnerable CPUs only), despite some
104performance and code size overhead. Platforms can choose to disable them at
105compile time if they do not require them. `Pull Request #1240`_ disables the
106workarounds for unaffected upstream platforms.
107
108For vulnerable AArch32-only CPUs (for example Cortex-A8, Cortex-A9 and
109Cortex-A17), the ``BPIALL`` instruction should be used as early as possible on
110entry into the secure world. For Cortex-A8, also set ``ACTLR[6]`` to 1 during
111early processor initialization. Note that the ``BPIALL`` instruction is not
112effective at invalidating the branch predictor on Cortex-A15. For that CPU, set
113``ACTLR[0]`` to 1 during early processor initialization, and invalidate the
114branch predictor by performing an ``ICIALLU`` instruction.
115
116On AArch32 EL3 systems, the monitor and secure-SVC code is typically tightly
117integrated, for example as part of a Trusted OS. Therefore any Variant 2
118workaround should be provided by vendors of that software and is outside the
119scope of TF. However, an example implementation in the minimal AArch32 Secure
120Payload, ``SP_MIN`` is provided in `Pull Request #1228`_.
121
122Other Arm CPUs are not vulnerable to this or other variants. This includes
123Cortex-A76, Cortex-A53, Cortex-A55, Cortex-A32, Cortex-A7 and Cortex-A5.
124
125For more information about non-Arm CPUs, please contact the CPU vendor.
126
127Variant 3 (`CVE-2017-5754`_)
128----------------------------
129
130This variant is only exploitable between Exception Levels within the same
131translation regime, for example between EL0 and EL1, therefore this variant
132cannot be used to access secure memory from the non-secure world, and is not
133applicable for TF. However, Secure Payloads (for example, Trusted OS) should
134provide mitigations on vulnerable CPUs to protect themselves from exploited
135Secure-EL0 applications.
136
137The only Arm CPU vulnerable to this variant is Cortex-A75.
138
139.. _Google Project Zero: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
140.. _Arm Processor Security Update: http://www.arm.com/security-update
141.. _CVE-2017-5753: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
142.. _CVE-2017-5715: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
143.. _CVE-2017-5754: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
144.. _Pull Request #1214: https://github.com/ARM-software/arm-trusted-firmware/pull/1214
145.. _Pull Request #1228: https://github.com/ARM-software/arm-trusted-firmware/pull/1228
146.. _Pull Request #1240: https://github.com/ARM-software/arm-trusted-firmware/pull/1240
147.. _Pull Request #1405: https://github.com/ARM-software/arm-trusted-firmware/pull/1405
148.. _CVE-2017-5715 mitigation specification: https://developer.arm.com/cache-speculation-vulnerability-firmware-specification
149