1Advisory TFMV-7
2===============
3
4+------------------+-----------------------------------------------------------+
5| Title            | ARoT can access PRoT data via debug logging functionality |
6+==================+===========================================================+
7| CVE ID           | `CVE-2023-51712`_                                         |
8+------------------+-----------------------------------------------------------+
9| Public           | The issue was publicly reported on 2023.12.04             |
10| Disclosure Date  |                                                           |
11+------------------+-----------------------------------------------------------+
12| Versions         | All version up to TF-M `v2.0.0`_ inclusive                |
13| Affected         |                                                           |
14+------------------+-----------------------------------------------------------+
15| Configurations   | IPC mode with TFM_SP_LOG_RAW_ENABLED=1                    |
16+------------------+-----------------------------------------------------------+
17| Impact           | A malicious ARoT partition can expose any part of memory  |
18|                  | via stdio interface if TFM_SP_LOG_RAW_ENABLED is set      |
19+------------------+-----------------------------------------------------------+
20| Fix Version      | TBD                                                       |
21+------------------+-----------------------------------------------------------+
22| Credit           | Roman Mazurak, Infineon                                   |
23+------------------+-----------------------------------------------------------+
24
25Background
26----------
27
28TF-M log subsystem if enabled by ``TFM_SP_LOG_RAW_ENABLED`` config option,
29uses a SVC call to print logging messages on the stdio output interface.
30Since the SVC handler has the highest privilege level and full memory
31access, this communication channel can be exploited to expose any memory content
32to stdout device, usually UART.
33The logging subsystem is available to the secure side only but in isolation
34level 2 and higher PSA Root of Trust partitions (PRoT) shall be protected
35from an access from Application Root of Trust (ARoT) partitions. Although
36a direct call of ``tfm_hal_output_sp_log()`` from ARoT partition will be
37blocked by MPU raising the ``MemoryManagement()`` exception, a malicious
38ARoT partition can create an alternative SVC call to output any memory
39data like this:
40
41.. code-block:: c
42
43    static int tfm_output_unpriv_string(const unsigned char *str, size_t len)
44    {
45        __ASM volatile("SVC %0         \n"
46                       "BX LR          \n"
47                        : : "I" (2));
48    }
49
50Impact
51------
52
53In IPC mode with PSA isolation level 2 and higher and ``TFM_SP_LOG_RAW_ENABLED``
54option enabled an ARoT partition can expose to the stdout device any memory
55data using TF-M logging subsystem via SVC call.
56
57Mitigation
58----------
59
60Ensure that data sent for logging belongs to the current partition. For that purpose
61``tfm_hal_memory_check(curr_partition->boundary, data, size, TFM_HAL_ACCESS_READABLE)``
62is added to the logging function of the SVC handler. If the check fails
63then ``tfm_core_panic()`` is invoked and system halts.
64
65.. _CVE-2023-51712: https://www.cve.org/CVERecord?id=CVE-2023-51712
66
67---------------------
68
69.. _v2.0.0: https://git.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m/+/refs/tags/TF-Mv2.0.0
70
71*Copyright (c) 2024, Arm Limited. All rights reserved.*
72