TFMV-7: SPM: Fix ARoT to PRot data access vulnerability.

Please check the advisory document for details. Signed-off-by: Anton Komlev <anton.komlev@arm.com> Change-Id: I3fc948c948379e5a36cc577bdbac7c5f7a2c3d1e
vili-nordic · Apr 12, 2024 · e6f5d8c · e6f5d8c
1 parent acda8bb
commit e6f5d8c
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 1 deletion.
diff --git a/docs/security/security_advisories/debug_log_vulnerability.rst b/docs/security/security_advisories/debug_log_vulnerability.rst
@@ -0,0 +1,69 @@
+Advisory TFMV-7
+===============
+
++------------------+-----------------------------------------------------------+
+| Title            | ARoT can access PRoT data via debug logging functionality |
++==================+===========================================================+
+| CVE ID           | `CVE-2023-51712`_                                         |
++------------------+-----------------------------------------------------------+
+| Public           | The issue was publicly reported on 2023.12.04             |
+| Disclosure Date  |                                                           |
++------------------+-----------------------------------------------------------+
+| Versions         | All version up to TF-M v2.0.0 inclusive                   |
+| Affected         |                                                           |
++------------------+-----------------------------------------------------------+
+| Configurations   | IPC mode with TFM_SP_LOG_RAW_ENABLED=1                    |
++------------------+-----------------------------------------------------------+
+| Impact           | A malicious ARoT partition can expose any part of memory  |
+|                  | via stdio interface if TFM_SP_LOG_RAW_ENABLED is set      |
++------------------+-----------------------------------------------------------+
+| Fix Version      | TBD                                                       |
++------------------+-----------------------------------------------------------+
+| Credit           | Roman Mazurak, Infineon                                   |
++------------------+-----------------------------------------------------------+
+
+Background
+----------
+
+TF-M log subsystem if enabled by ``TFM_SP_LOG_RAW_ENABLED`` config option,
+uses a SVC call to print logging messages on the stdio output interface.
+Since the SVC handler has the highest privilege level and full memory
+access, this communication channel can be exploited to expose any memory content
+to stdout device, usually UART.
+The logging subsystem is available to the secure side only but in isolation
+level 2 and higher PSA Root of Trust partitions (PRoT) shall be protected
+from an access from Application Root of Trust (ARoT) partitions. Although
+a direct call of ``tfm_hal_output_sp_log()`` from ARoT partition will be
+blocked by MPU raising the ``MemoryManagement()`` exception, a malicious
+ARoT partition can create an alternative SVC call to output any memory
+data like this:
+
+.. code-block:: c
+
+    static int tfm_output_unpriv_string(const unsigned char *str, size_t len)
+    {
+        __ASM volatile("SVC %0         \n"
+                       "BX LR          \n"
+                        : : "I" (2));
+    }
+
+Impact
+------
+
+In IPC mode with PSA isolation level 2 and higher and ``TFM_SP_LOG_RAW_ENABLED``
+option enabled an ARoT partition can expose to the stdout device any memory
+data using TF-M logging subsystem via SVC call.
+
+Mitigation
+----------
+
+Ensure that data sent for logging belongs to the current partition. For that purpose
+``tfm_hal_memory_check(curr_partition->boundary, data, size, TFM_HAL_ACCESS_READABLE)``
+is added to the logging function of the SVC handler. If the check fails
+then ``tfm_core_panic()`` is invoked and system halts.
+
+.. _CVE-2023-51712: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51712
+
+---------------------
+
+*Copyright (c) 2024, Arm Limited. All rights reserved.*
diff --git a/docs/security/security_advisories/index.rst b/docs/security/security_advisories/index.rst
@@ -12,6 +12,7 @@ Security Advisories
     profile_small_key_id_encoding_vulnerability
     fwu_write_vulnerability
     cc3xx_partial_tag_compare_on_chacha20_poly1305
+    debug_log_vulnerability
 
 +------------+-----------------------------------------------------------------+
 | ID         | Title                                                           |
@@ -33,13 +34,16 @@ Security Advisories
 |  |TFMV-6|  | Partial tag comparison when using Chacha20-Poly1305 on the PSA  |
 |            | driver API interface in CryptoCell enabled platforms            |
 +------------+-----------------------------------------------------------------+
+|  |TFMV-7|  | ARoT can access PRoT data via debug logging functionality       |
++------------+-----------------------------------------------------------------+
 
 .. |TFMV-1| replace:: :doc:`TFMV-1 <stack_seal_vulnerability>`
 .. |TFMV-2| replace:: :doc:`TFMV-2 <svc_caller_sp_fetching_vulnerability>`
 .. |TFMV-3| replace:: :doc:`TFMV-3 <crypto_multi_part_ops_abort_fail>`
 .. |TFMV-4| replace:: :doc:`TFMV-4 <profile_small_key_id_encoding_vulnerability>`
 .. |TFMV-5| replace:: :doc:`TFMV-5 <fwu_write_vulnerability>`
 .. |TFMV-6| replace:: :doc:`TFMV-6 <cc3xx_partial_tag_compare_on_chacha20_poly1305>`
+.. |TFMV-7| replace:: :doc:`TFMV-7 <debug_log_vulnerability>`
 
 --------------
 

diff --git a/secure_fw/spm/core/tfm_svcalls.c b/secure_fw/spm/core/tfm_svcalls.c
@@ -192,6 +192,11 @@ bool tfm_svc_thread_mode_spm_active(void)
 static uint32_t handle_spm_svc_requests(uint32_t svc_number, uint32_t exc_return,
                                         uint32_t *svc_args, uint32_t *msp)
 {
+#if TFM_SP_LOG_RAW_ENABLED
+    struct partition_t *curr_partition;
+    fih_int fih_rc = FIH_FAILURE;
+#endif
+
     switch (svc_number) {
     case TFM_SVC_SPM_INIT:
         exc_return = tfm_spm_init();
@@ -213,7 +218,17 @@ static uint32_t handle_spm_svc_requests(uint32_t svc_number, uint32_t exc_return
 #endif
 #if TFM_SP_LOG_RAW_ENABLED
     case TFM_SVC_OUTPUT_UNPRIV_STRING:
-        svc_args[0] = tfm_hal_output_spm_log((const char *)svc_args[0], svc_args[1]);
+        /* Protect PRoT data from unauthorised access from ARoT partition.
+         * This fixes the TFMV-7 vulnerability
+         */
+        curr_partition = GET_CURRENT_COMPONENT();
+        FIH_CALL(tfm_hal_memory_check, fih_rc, curr_partition->boundary, (uintptr_t)svc_args[0],
+                svc_args[1], TFM_HAL_ACCESS_READABLE);
+        if (fih_eq(fih_rc, fih_int_encode(PSA_SUCCESS))) {
+            svc_args[0] = tfm_hal_output_spm_log((const char *)svc_args[0], svc_args[1]);
+        } else {
+            tfm_core_panic();
+        }
         break;
 #endif
 #if TFM_ISOLATION_LEVEL > 1