nrfconnect · vlilleboe · Apr 4, 2022 · Apr 4, 2022 · Apr 4, 2022 · Apr 4, 2022
diff --git a/cmake/spe-CMakeLists.cmake b/cmake/spe-CMakeLists.cmake
@@ -13,7 +13,7 @@ cmake_minimum_required(VERSION 3.15)
 include(spe_config)
 include(spe_export)
 
-set_target_properties(tfm_config psa_interface PROPERTIES IMPORTED_GLOBAL True)
+set_target_properties(tfm_config psa_interface psa_crypto_config PROPERTIES IMPORTED_GLOBAL True)
 target_link_libraries(tfm_config INTERFACE psa_interface)
 
 # In actual NS integration, NS side build should include the source files

diff --git a/cmake/version.cmake b/cmake/version.cmake
@@ -16,7 +16,7 @@ execute_process(COMMAND git describe --tags --always
 # In a repository cloned with --no-tags option TFM_VERSION_FULL will be a hash
 # only hence checking it for a tag format to accept as valid version.
 
-string(FIND ${TFM_VERSION_FULL} "TF-M" TFM_TAG)
+string(FIND ${TFM_VERSION_FULL} "v" TFM_TAG)
 if(TFM_TAG EQUAL -1)
     set(TFM_VERSION_FULL v${TFM_VERSION_MANUAL})
     message(WARNING "Actual TF-M version is not available from Git repository. Settled to " ${TFM_VERSION_FULL})

diff --git a/config/check_config.cmake b/config/check_config.cmake
@@ -17,6 +17,8 @@ tfm_invalid_config(TFM_MULTI_CORE_TOPOLOGY AND TFM_NS_MANAGE_NSID)
 tfm_invalid_config(TFM_PLAT_SPECIFIC_MULTI_CORE_COMM AND NOT TFM_MULTI_CORE_TOPOLOGY)
 tfm_invalid_config(TFM_ISOLATION_LEVEL EQUAL 3 AND CONFIG_TFM_STACK_WATERMARKS)
 
+tfm_invalid_config(CONFIG_TFM_LOG_SHARE_UART AND NOT SECURE_UART1)
+
 ########################## BL2 #################################################
 
 get_property(MCUBOOT_STRATEGY_LIST CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS)

diff --git a/config/config_base.cmake b/config/config_base.cmake
@@ -81,6 +81,9 @@ set(CONFIG_TFM_HALT_ON_CORE_PANIC       OFF         CACHE BOOL       "On fatal e
 
 set(CONFIG_TFM_STACK_WATERMARKS         OFF         CACHE BOOL      "Whether to pre-fill partition stacks with a set value to help determine stack usage")
 
+set(PROJECT_CONFIG_HEADER_FILE          "${CMAKE_SOURCE_DIR}/config/config_base.h" CACHE FILEPATH "User defined header file for TF-M config")
+
+set(CONFIG_TFM_LOG_SHARE_UART           OFF         CACHE BOOL      "Allow TF-M and the non-secure application to share the UART instance. TF-M will use it while it is booting, after which the non-secure application will use it until an eventual fatal error is handled and logged by TF-M. Logging from TF-M will therefore otherwise be suppressed")
 ############################ Platform ##########################################
 
 set(NUM_MAILBOX_QUEUE_SLOT              1           CACHE BOOL      "Number of mailbox queue slots")
@@ -121,6 +124,7 @@ set(BL2_TRAILER_SIZE                    0x000       CACHE STRING    "BL2 Trailer
 set(TFM_PARTITION_PROTECTED_STORAGE     OFF         CACHE BOOL      "Enable Protected Storage partition")
 set(PS_ENCRYPTION                       ON          CACHE BOOL      "Enable encryption for Protected Storage partition")
 set(PS_CRYPTO_AEAD_ALG                  PSA_ALG_GCM CACHE STRING    "The AEAD algorithm to use for authenticated encryption in Protected Storage")
+set(PS_CRYPTO_KDF_ALG                   PSA_ALG_HKDF\(PSA_ALG_SHA_256\) CACHE STRING "KDF Algorithm to use for Protect Storage")
 
 set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF      CACHE BOOL      "Enable Internal Trusted Storage partition")
 set(ITS_ENCRYPTION                   OFF         CACHE BOOL      "Enable authenticated encryption of ITS files using platform specific APIs")

diff --git a/config/profile/config_profile_medium.h b/config/profile/config_profile_medium.h
@@ -72,7 +72,7 @@
 
 /* Enable PSA Crypto Cipher module */
 #ifndef CRYPTO_CIPHER_MODULE_ENABLED
-#define CRYPTO_CIPHER_MODULE_ENABLED           1
+#define CRYPTO_CIPHER_MODULE_ENABLED           0
 #endif
 
 /* Enable PSA Crypto asymmetric key signature module */

diff --git a/config/profile/config_profile_medium_arotless.h b/config/profile/config_profile_medium_arotless.h
@@ -72,7 +72,7 @@
 
 /* Enable PSA Crypto Cipher module */
 #ifndef CRYPTO_CIPHER_MODULE_ENABLED
-#define CRYPTO_CIPHER_MODULE_ENABLED           1
+#define CRYPTO_CIPHER_MODULE_ENABLED           0
 #endif
 
 /* Enable PSA Crypto asymmetric key signature module */

diff --git a/config/profile/config_profile_small.h b/config/profile/config_profile_small.h
@@ -69,7 +69,7 @@
 
 /* Enable PSA Crypto Cipher module */
 #ifndef CRYPTO_CIPHER_MODULE_ENABLED
-#define CRYPTO_CIPHER_MODULE_ENABLED           1
+#define CRYPTO_CIPHER_MODULE_ENABLED           0
 #endif
 
 /* Enable PSA Crypto asymmetric key signature module */

diff --git a/config/profile/profile_medium.conf b/config/profile/profile_medium.conf
@@ -46,7 +46,7 @@ CONFIG_CRYPTO_KEY_MODULE_ENABLED=y
 CONFIG_CRYPTO_AEAD_MODULE_ENABLED=y
 CONFIG_CRYPTO_MAC_MODULE_ENABLED=y
 CONFIG_CRYPTO_HASH_MODULE_ENABLED=y
-CONFIG_CRYPTO_CIPHER_MODULE_ENABLED=y
+CONFIG_CRYPTO_CIPHER_MODULE_ENABLED=n
 CONFIG_CRYPTO_ASYM_SIGN_MODULE_ENABLED=y
 CONFIG_CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED=n
 CONFIG_CRYPTO_KEY_DERIVATION_MODULE_ENABLED=y

diff --git a/config/profile/profile_medium_arotless.conf b/config/profile/profile_medium_arotless.conf
@@ -42,7 +42,7 @@ CONFIG_CRYPTO_KEY_MODULE_ENABLED=y
 CONFIG_CRYPTO_AEAD_MODULE_ENABLED=y
 CONFIG_CRYPTO_MAC_MODULE_ENABLED=y
 CONFIG_CRYPTO_HASH_MODULE_ENABLED=y
-CONFIG_CRYPTO_CIPHER_MODULE_ENABLED=y
+CONFIG_CRYPTO_CIPHER_MODULE_ENABLED=n
 CONFIG_CRYPTO_ASYM_SIGN_MODULE_ENABLED=y
 CONFIG_CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED=n
 CONFIG_CRYPTO_KEY_DERIVATION_MODULE_ENABLED=y

diff --git a/config/profile/profile_small.conf b/config/profile/profile_small.conf
@@ -40,7 +40,7 @@ CONFIG_CRYPTO_KEY_MODULE_ENABLED=y
 CONFIG_CRYPTO_AEAD_MODULE_ENABLED=y
 CONFIG_CRYPTO_MAC_MODULE_ENABLED=y
 CONFIG_CRYPTO_HASH_MODULE_ENABLED=y
-CONFIG_CRYPTO_CIPHER_MODULE_ENABLED=y
+CONFIG_CRYPTO_CIPHER_MODULE_ENABLED=n
 CONFIG_CRYPTO_ASYM_SIGN_MODULE_ENABLED=n
 CONFIG_CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED=n
 CONFIG_CRYPTO_KEY_DERIVATION_MODULE_ENABLED=y

diff --git a/docs/security/security_advisories/debug_log_vulnerability.rst b/docs/security/security_advisories/debug_log_vulnerability.rst
@@ -0,0 +1,69 @@
+Advisory TFMV-7
+===============
+
++------------------+-----------------------------------------------------------+
+| Title            | ARoT can access PRoT data via debug logging functionality |
++==================+===========================================================+
+| CVE ID           | `CVE-2023-51712`_                                         |
++------------------+-----------------------------------------------------------+
+| Public           | The issue was publicly reported on 2023.12.04             |
+| Disclosure Date  |                                                           |
++------------------+-----------------------------------------------------------+
+| Versions         | All version up to TF-M v2.0.0 inclusive                   |
+| Affected         |                                                           |
++------------------+-----------------------------------------------------------+
+| Configurations   | IPC mode with TFM_SP_LOG_RAW_ENABLED=1                    |
++------------------+-----------------------------------------------------------+
+| Impact           | A malicious ARoT partition can expose any part of memory  |
+|                  | via stdio interface if TFM_SP_LOG_RAW_ENABLED is set      |
++------------------+-----------------------------------------------------------+
+| Fix Version      | TBD                                                       |
++------------------+-----------------------------------------------------------+
+| Credit           | Roman Mazurak, Infineon                                   |
++------------------+-----------------------------------------------------------+
+
+Background
+----------
+
+TF-M log subsystem if enabled by ``TFM_SP_LOG_RAW_ENABLED`` config option,
+uses a SVC call to print logging messages on the stdio output interface.
+Since the SVC handler has the highest privilege level and full memory
+access, this communication channel can be exploited to expose any memory content
+to stdout device, usually UART.
+The logging subsystem is available to the secure side only but in isolation
+level 2 and higher PSA Root of Trust partitions (PRoT) shall be protected
+from an access from Application Root of Trust (ARoT) partitions. Although
+a direct call of ``tfm_hal_output_sp_log()`` from ARoT partition will be
+blocked by MPU raising the ``MemoryManagement()`` exception, a malicious
+ARoT partition can create an alternative SVC call to output any memory
+data like this:
+
+.. code-block:: c
+
+    static int tfm_output_unpriv_string(const unsigned char *str, size_t len)
+    {
+        __ASM volatile("SVC %0         \n"
+                       "BX LR          \n"
+                        : : "I" (2));
+    }
+
+Impact
+------
+
+In IPC mode with PSA isolation level 2 and higher and ``TFM_SP_LOG_RAW_ENABLED``
+option enabled an ARoT partition can expose to the stdout device any memory
+data using TF-M logging subsystem via SVC call.
+
+Mitigation
+----------
+
+Ensure that data sent for logging belongs to the current partition. For that purpose
+``tfm_hal_memory_check(curr_partition->boundary, data, size, TFM_HAL_ACCESS_READABLE)``
+is added to the logging function of the SVC handler. If the check fails
+then ``tfm_core_panic()`` is invoked and system halts.
+
+.. _CVE-2023-51712: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51712
+
+---------------------
+
+*Copyright (c) 2024, Arm Limited. All rights reserved.*
diff --git a/docs/security/security_advisories/index.rst b/docs/security/security_advisories/index.rst
@@ -12,6 +12,7 @@ Security Advisories
     profile_small_key_id_encoding_vulnerability
     fwu_write_vulnerability
     cc3xx_partial_tag_compare_on_chacha20_poly1305
+    debug_log_vulnerability
 
 +------------+-----------------------------------------------------------------+
 | ID         | Title                                                           |
@@ -33,13 +34,16 @@ Security Advisories
 |  |TFMV-6|  | Partial tag comparison when using Chacha20-Poly1305 on the PSA  |
 |            | driver API interface in CryptoCell enabled platforms            |
 +------------+-----------------------------------------------------------------+
+|  |TFMV-7|  | ARoT can access PRoT data via debug logging functionality       |
++------------+-----------------------------------------------------------------+
 
 .. |TFMV-1| replace:: :doc:`TFMV-1 <stack_seal_vulnerability>`
 .. |TFMV-2| replace:: :doc:`TFMV-2 <svc_caller_sp_fetching_vulnerability>`
 .. |TFMV-3| replace:: :doc:`TFMV-3 <crypto_multi_part_ops_abort_fail>`
 .. |TFMV-4| replace:: :doc:`TFMV-4 <profile_small_key_id_encoding_vulnerability>`
 .. |TFMV-5| replace:: :doc:`TFMV-5 <fwu_write_vulnerability>`
 .. |TFMV-6| replace:: :doc:`TFMV-6 <cc3xx_partial_tag_compare_on_chacha20_poly1305>`
+.. |TFMV-7| replace:: :doc:`TFMV-7 <debug_log_vulnerability>`
 
 --------------