9.13. Advisory TFV-13 (CVE-2024-7881)
Title |
An unprivileged context can trigger a data memory-dependent prefetch engine to fetch the contents of a privileged location and consume those contents as an address that is also dereferenced. |
|---|---|
CVE ID |
|
Date |
Reported on 16 August 2024 |
Versions Affected |
TF-A version from v2.2 to v2.12 LTS releases lts-v2.8.0 to lts-v2.8.28 LTS releases lts-v2.10.0 to lts-v2.10.12 |
Configurations Affected |
All |
Impact |
Potential leakage of secure world data to normal world. |
Fix Version |
Gerrit topic #ar/smccc_arch_wa_4 Also see mitigation guidance in the Official Arm Advisory |
Credit |
Arm |
9.13.1. Description
An issue has been identified in some Arm-based CPUs that may allow an unprivileged context to trigger a data memory-dependent prefetch engine to fetch the contents of a privileged location (for which it does not have read permission) and consume those contents as an address that is also dereferenced.
The below table lists all the CPUs impacted by this vulnerability and have mitigation in TF-A.
Core |
Cortex-X3 |
Cortex-X4 |
Cortex-X925 |
Neoverse-V2 |
Neoverse-V3 |
Neoverse-V3AE |
9.13.2. Mitigation and Recommendations
Arm recommends following the mitigation steps and configuration changes described in the official advisory. The mitigation for CVE-2024-7881 is implemented at EL3 and addresses vulnerabilities caused by memory-dependant speculative prefetching. This issue is avoided by setting CPUACTLR6_EL1[41] to 1, this disables the affected prefetcher.
Arm has updated the SMC Calling Convention spec so that privileged normal world software can identify when the issue has been mitigated in firmware (SMCCC_ARCH_WORKAROUND_4). Refer to the SMC Calling Convention Specification for more details.
The above workaround is enabled by default (on vulnerable CPUs only). Platforms can choose to disable them at compile time if they do not require them.
For further technical information, affected CPUs, and detailed guidance, refer to the full Official Arm Advisory.