This repository has been archived by the owner on Sep 14, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 4
/
Security_Advisory-Ref_FSC-HWSEC-VR2021-0002-OP-TEE_TrustZone_bypass_at_wakeup.txt
161 lines (121 loc) · 6.88 KB
/
Security_Advisory-Ref_FSC-HWSEC-VR2021-0002-OP-TEE_TrustZone_bypass_at_wakeup.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
Security advisory: OP-TEE TrustZone bypass at wakeup on NXP i.MX6UL
===================================================================
The Open Portable Trusted Execution Environment (OP-TEE) [1] is an open source
Trusted Execution Environment (TEE) implementing the Arm TrustZone technology.
F-Secure Foundry, in the process of developing its own TEE framework (GoTEE
[2]), reviewed the existing Open Source offering and identified a vulnerability
in OP-TEE support for the Central Security Unit (CSU) configuration on the NXP
i.MX6UL System-on-Chip (SoC).
Based on this, as well as previous [7] findings, F-Secure advises OP-TEE users
to treat all OP-TEE supported platforms as insecure by default and carefully
review and practically test their implementation before integration.
TrustZone configuration on i.MX SoCs
------------------------------------
The following GoTEE tutorial [3] provides an in-depth explanation of the
various aspects of an effective TrustZone configuration.
In a nutshell, along with standard ARM core configuration, each SoC requires
its peripherals to be assigned to either the Secure World or Normal World (aka
NonSecure World), which respectively represent the privileged and unprivileged
TrustZone domains.
The Central Security Unit (CSU) is the component that enables TrustZone
peripheral configuration on the NXP i.MX family for peripherals that are
not capable of asserting TrustZone signals independently.
The CSU Config Security Level (CSL) defines restrictions for accessing
individual (or groups of) peripherals (e.g. whether a peripheral can be
accessed from NonSecure World) while the Security Access (SA) defines the
access security policy for the peripheral (e.g. whether the peripheral
makes bus accesses as "Secure" or "NonSecure").
Vulnerability (CVE-2021-44149)
------------------------------
The OP-TEE OS CSU driver [4] sets the CSU Security Access (SA) policy for the
ARM Cortex-A7 block (CA7) to "Secure" for its NXP i.MX6UL SoC support.
The NXP documentation on the role of the CA7 SA setting does not provide any
details on its effects, therefore F-Secure conducted a thorough analysis of its
manipulation, which resulted in identification of a vulnerability.
It has been verified that the OP-TEE configuration allows a processor suspended
in Normal World security state to wake up from low power mode in Secure World
state.
The wakeup sequence implemented in the NXP i.MX6UL boot ROM jumps, in secure
processor state, to function pointers held in the System Reset Controller (SRC)
registers. The vulnerability takes place when the Normal World OS is allowed to
set the SRC wakeup pointers before going in low power mode.
For example when running Linux under OP-TEE OS the boot ROM executes a wakeup
handler previously configured by Normal World Linux, within Secure World. This
results in Linux re-initializing the MMU and resuming all its execution context
as Secure World.
This configuration effectively bypasses any intended TrustZone protection as
the Normal World OS is capable of transforming itself, through a low power
suspend/wakeup procedure, to a Secure one.
It should be highlighted that the boot ROM unconditionally wakes up in secure
processor state. The CA7 SA only affects the CP15SDISABLE input signal which,
when set as "NonSecure", causes a fault in the boot ROM code, even if running
in Secure World, as it becomes incapable of accessing specific secure registers
needed by its wake up flow.
Impact
------
On vanilla OP-TEE OS the NXP i.MX6UL SoC has no effective TrustZone isolation
as the Normal World can arbitrarily change its processor state to Secure World,
resulting in a full compromise of the Trusted Execution Environment.
The same vulnerability also applies to the NXP OP-TEE fork [5].
Mitigation
----------
Any suspend/wakeup functionality must be handled by the Secure World TEE as the
CSU Config Security Level (CSL) must be set to protect, from Normal World
access, all blocks responsible for the wakeup sequence such as the GPC and SRC
blocks on the i.MX6UL SoC family.
When suspend/wakeup functionality is not required, implementers of trusted
firmware using the OP-TEE framework can re-configure the SA policy ensuring
that the CA7 value is set as "NonSecure" prior to Normal World execution.
When running Linux in Normal World this is incompatible with Linux power
management drivers which require SRC support on i.MX6 SoCs (example:
`CONFIG_CPU_IDLE`).
It is emphasized that changing the CA7 SA policy bit to "NonSecure", while
effective, represents a weaker form of mitigation as the exploitation of the
vulnerability is only incidentally prevented, the proper mitigation remains the
CSL protection for the responsible GPC and SRC blocks.
Please also note that such mitigations do not constitute an example of a fully
secure configuration and only focus on the specific aspects reported in this
advisory.
Vendor response
---------------
The OP-TEE project own security advisory can be found at [8].
Affected versions
-----------------
The OP-TEE OS component of all OP-TEE releases supporting the NXP i.MX6UL SoC
is vulnerable, this includes any fork (such as the NXP one [5]) based on them
that does not correctly prevent Normal World control of the System Reset
Controller (SRC) wakeup execution context.
Please be advised that OP-TEE does not provide a secure CSU configuration on
multiple NXP i.MX P/Ns for reasons which go beyond this specific finding (see
CVE-2021-36133 [7]).
Credit
------
Vulnerabilities discovered and reported by Andrea Barisani and Andrej Rosano
(F-Secure Foundry [6]).
CVE
---
CVE-2021-44149: OP-TEE TrustZone bypass at wakeup on NXP i.MX6UL
Timeline
--------
2021-11-05: findings reported by F-Secure to OP-TEE security contact.
2021-11-05: F-Secure requests 14 days embargo.
2021-11-18: OP-TEE requests 30 days embargo.
2021-11-18: OP-TEE and NXP confirms the finding.
2021-11-18: OP-TEE confirms no mitigation will be applied, only improved docs.
2021-11-18: F-Secure confirms initial 14 days embargo.
2021-11-22: F-Secure receives CVE-2021-44149 assignment from MITRE.
2021-11-22: advisory release.
2021-12-15: NXP clarifies CA7 SA affecting only CP15SDISABLE, update mitigation.
References
----------
[1] https://www.op-tee.org/
[2] https://github.com/f-secure-foundry/GoTEE
[3] https://github.com/f-secure-foundry/GoTEE/wiki/TrustZone-configuration
[4] https://github.com/OP-TEE/optee_os/blob/3.15.0/core/arch/arm/plat-imx/drivers/imx_csu.c
[5] https://source.codeaurora.org/external/imx/imx-optee-os/tree/core/arch/arm/plat-imx/drivers/imx_csu.c?h=lf-5.10.52_2.1.0
[6] https://foundry.f-secure.com
[7] https://github.com/f-secure-foundry/advisories/blob/master/Security_Advisory-Ref_FSC-HWSEC-VR2021-0001-OP-TEE_TrustZone_bypass.txt
[8] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4pqr-q8rf-8464
Permalink
---------
https://github.com/f-secure-foundry/advisories/blob/master/Security_Advisory-Ref_FSC-HWSEC-VR2021-0002-OP-TEE_TrustZone_bypass_at_wakeup.txt