docs/security_advisories/security-advisory-tfv-2.rst - tf-a-mtk - Git at Google

 Advisory TFV-2 (CVE-2017-7564)
 ==============================

 +----------------+-------------------------------------------------------------+
 | Title          | Enabled secure self-hosted invasive debug interface can     |
 |                | allow normal world to panic secure world                    |
 +================+=============================================================+
 | CVE ID         | `CVE-2017-7564`_                                            |
 +----------------+-------------------------------------------------------------+
 | Date           | 02 Feb 2017                                                 |
 +----------------+-------------------------------------------------------------+
 | Versions       | All versions up to v1.3                                     |
 | Affected       |                                                             |
 +----------------+-------------------------------------------------------------+
 | Configurations | All                                                         |
 | Affected       |                                                             |
 +----------------+-------------------------------------------------------------+
 | Impact         | Denial of Service (secure world panic)                      |
 +----------------+-------------------------------------------------------------+
 | Fix Version    | 15 Feb 2017 `Pull Request #841`_                            |
 +----------------+-------------------------------------------------------------+
 | Credit         | ARM                                                         |
 +----------------+-------------------------------------------------------------+

 The ``MDCR_EL3.SDD`` bit controls AArch64 secure self-hosted invasive debug
 enablement. By default, the BL1 and BL31 images of the current version of ARM
 Trusted Firmware (TF) unconditionally assign this bit to ``0`` in the early
 entrypoint code, which enables debug exceptions from the secure world. This can
 be seen in the implementation of the ``el3_arch_init_common`` `AArch64 macro`_ .
 Given that TF does not currently contain support for this feature (for example,
 by saving and restoring the appropriate debug registers), this may allow a
 normal world attacker to induce a panic in the secure world.

 The ``MDCR_EL3.SDD`` bit should be assigned to ``1`` to disable debug exceptions
 from the secure world.

 Earlier versions of TF (prior to `commit 495f3d3`_) did not assign this bit.
 Since the bit has an architecturally ``UNKNOWN`` reset value, earlier versions
 may or may not have the same problem, depending on the platform.

 A similar issue applies to the ``MDCR_EL3.SPD32`` bits, which control AArch32
 secure self-hosted invasive debug enablement. TF assigns these bits to ``00``
 meaning that debug exceptions from Secure EL1 are enabled by the authentication
 interface. Therefore this issue only exists for AArch32 Secure EL1 code when
 secure privileged invasive debug is enabled by the authentication interface, at
 which point the device is vulnerable to other, more serious attacks anyway.

 However, given that TF contains no support for handling debug exceptions, the
 ``MDCR_EL3.SPD32`` bits should be assigned to ``10`` to disable debug exceptions
 from AArch32 Secure EL1.

 Finally, this also issue applies to AArch32 platforms that use the TF SP_MIN
 image or integrate the `AArch32 equivalent`_ of the ``el3_arch_init_common``
 macro. Here the affected bits are ``SDCR.SPD``, which should also be assigned to
 ``10`` instead of ``00``

 .. _CVE-2017-7564: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7564
 .. _commit 495f3d3: https://github.com/ARM-software/arm-trusted-firmware/commit/495f3d3
 .. _AArch64 macro: https://github.com/ARM-software/arm-trusted-firmware/blob/bcc2bf0/include/common/aarch64/el3_common_macros.S#L85
 .. _AArch32 equivalent: https://github.com/ARM-software/arm-trusted-firmware/blob/bcc2bf0/include/common/aarch32/el3_common_macros.S#L41
 .. _Pull Request #841: https://github.com/ARM-software/arm-trusted-firmware/pull/841
	Advisory TFV-2 (CVE-2017-7564)
	==============================

	+----------------+-------------------------------------------------------------+
	\| Title \| Enabled secure self-hosted invasive debug interface can \|
	\| \| allow normal world to panic secure world \|
	+================+=============================================================+
	\| CVE ID \| `CVE-2017-7564`_ \|
	+----------------+-------------------------------------------------------------+
	\| Date \| 02 Feb 2017 \|
	+----------------+-------------------------------------------------------------+
	\| Versions \| All versions up to v1.3 \|
	\| Affected \| \|
	+----------------+-------------------------------------------------------------+
	\| Configurations \| All \|
	\| Affected \| \|
	+----------------+-------------------------------------------------------------+
	\| Impact \| Denial of Service (secure world panic) \|
	+----------------+-------------------------------------------------------------+
	\| Fix Version \| 15 Feb 2017 `Pull Request #841`_ \|
	+----------------+-------------------------------------------------------------+
	\| Credit \| ARM \|
	+----------------+-------------------------------------------------------------+

	The ``MDCR_EL3.SDD`` bit controls AArch64 secure self-hosted invasive debug
	enablement. By default, the BL1 and BL31 images of the current version of ARM
	Trusted Firmware (TF) unconditionally assign this bit to ``0`` in the early
	entrypoint code, which enables debug exceptions from the secure world. This can
	be seen in the implementation of the ``el3_arch_init_common`` `AArch64 macro`_ .
	Given that TF does not currently contain support for this feature (for example,
	by saving and restoring the appropriate debug registers), this may allow a
	normal world attacker to induce a panic in the secure world.

	The ``MDCR_EL3.SDD`` bit should be assigned to ``1`` to disable debug exceptions
	from the secure world.

	Earlier versions of TF (prior to `commit 495f3d3`_) did not assign this bit.
	Since the bit has an architecturally ``UNKNOWN`` reset value, earlier versions
	may or may not have the same problem, depending on the platform.

	A similar issue applies to the ``MDCR_EL3.SPD32`` bits, which control AArch32
	secure self-hosted invasive debug enablement. TF assigns these bits to ``00``
	meaning that debug exceptions from Secure EL1 are enabled by the authentication
	interface. Therefore this issue only exists for AArch32 Secure EL1 code when
	secure privileged invasive debug is enabled by the authentication interface, at
	which point the device is vulnerable to other, more serious attacks anyway.

	However, given that TF contains no support for handling debug exceptions, the
	``MDCR_EL3.SPD32`` bits should be assigned to ``10`` to disable debug exceptions
	from AArch32 Secure EL1.

	Finally, this also issue applies to AArch32 platforms that use the TF SP_MIN
	image or integrate the `AArch32 equivalent`_ of the ``el3_arch_init_common``
	macro. Here the affected bits are ``SDCR.SPD``, which should also be assigned to
	``10`` instead of ``00``

	.. _CVE-2017-7564: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7564
	.. _commit 495f3d3: https://github.com/ARM-software/arm-trusted-firmware/commit/495f3d3
	.. _AArch64 macro: https://github.com/ARM-software/arm-trusted-firmware/blob/bcc2bf0/include/common/aarch64/el3_common_macros.S#L85
	.. _AArch32 equivalent: https://github.com/ARM-software/arm-trusted-firmware/blob/bcc2bf0/include/common/aarch32/el3_common_macros.S#L41
	.. _Pull Request #841: https://github.com/ARM-software/arm-trusted-firmware/pull/841