F-Secure recently reported an issue with the default CSU configuration in the OP-TEE OS CSU driver for NXP i.MX6UL SoC support. The report [1] says that the current OP-TEE configuration is susceptible to an attack that effectively bypasses any intended TrustZone protection as the Normal World OS is capable of transforming itself, through a low power suspend/wakeup procedure, to a Secure one.
The i.MX 6 processor family peripherals listed below are used to implement advanced power management features:
- System Reset Controller (SRC)
- Clock Controller Module (CCM)
- Secure Non-Volatile Storage (SNVS)
- General Power Controller (GPC)
NXP acknowledges that if the peripheral access security policy for these peripherals is not configured correctly in the Central Security Unit (CSU), then on exit from low power mode, it is possible for the Normal World to incorrectly resume its executing context in the Secure World. More details on the reported issue can be found in the report from F-Secure [1].
Mitigation
To prevent this potential scenario when implementing the low-power and Suspend & Resume functionalities, NXP recommends locking the SRC registers with the respective CSU Config Security Level (CSU_CSL) bit fields. The CSU allows trusted code to set security access privileges on the peripherals, ensuring that this group of peripherals has its configuration registers protected and accessible only from the Secure World.
Note: With the recommended CSU settings to support the low-power and Suspend & Resume functionalities on i.MX 6 platforms, all power management functions and clock operations must be operated from the Secure World.
Users should modify the CSU configuration from the default non-secure configuration based on the security requirements of their final application/end product:
- The CSU_CSLn registers that control the peripheral access policy and the CSU_SA registers that control the master's privilege policy should be set appropriately.
- All CSU register configurations should be locked with the appropriate bit fields to prevent any CSU modification at runtime.
- The CSU may need to be re-configured upon power state transitions depending on the platform and low power support.
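A host-side audit of the policy recommended above, added here as an illustration (it is not OP-TEE or NXP code): it checks a snapshot of CSU_CSLn values for the four power management peripherals and flags any slot that is still reachable from the Normal World or not locked. The field layout (two 16-bit slots per register, 0x33 as the secure-only encoding, bit 8 as the lock bit) is an assumption to confirm against the SoC security reference manual, and the slot indices are placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: each 32-bit CSU_CSLn holds two 16-bit slots;
 * bits [7:0] are access permissions and bit 8 is the lock bit. */
#define CSL_SEC_ONLY 0x33u  /* assumed secure-only encoding */
#define CSL_ACCESS   0xFFu
#define CSL_LOCK     0x100u
#define F_NS_ACCESS  1u     /* Normal World can still reach the peripheral */
#define F_UNLOCKED   2u     /* policy can still be rewritten at runtime */

/* reg: CSU_CSLn index; high: 0 = bits [15:0], 1 = bits [31:16] */
struct csl_slot { const char *name; unsigned reg, high; };

/* Peripherals named in the advisory; reg/high values are PLACEHOLDERS. */
static const struct csl_slot pm_slots[] = {
	{ "SRC", 0, 0 }, { "CCM", 0, 1 }, { "SNVS", 1, 0 }, { "GPC", 1, 1 },
};
#define PM_SLOTS (sizeof(pm_slots) / sizeof(pm_slots[0]))

/* Findings bitmask for one slot of a CSU_CSL register snapshot. */
unsigned csl_check(const uint32_t *csl, const struct csl_slot *s)
{
	uint32_t f = (csl[s->reg] >> (s->high ? 16 : 0)) & 0xFFFFu;
	unsigned ns = (f & CSL_ACCESS & ~CSL_SEC_ONLY) ? F_NS_ACCESS : 0;
	return ns | ((f & CSL_LOCK) ? 0 : F_UNLOCKED);
}

/* Number of power management slots that violate the recommended policy. */
size_t csl_audit(const uint32_t *csl)
{
	size_t bad = 0;
	for (size_t i = 0; i < PM_SLOTS; i++) {
		unsigned f = csl_check(csl, &pm_slots[i]);
		if (f)
			printf("%-4s findings=0x%x\n", pm_slots[i].name, f);
		bad += (f != 0);
	}
	return bad;
}

int main(void)
{
	/* Constructed snapshots, not read from hardware. */
	const uint32_t open_cfg[2] = { 0x00FF00FFu, 0x00FF00FFu };
	const uint32_t hardened[2] = { 0x01330133u, 0x01330133u };
	return !(csl_audit(open_cfg) == 4 && csl_audit(hardened) == 0);
}
```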
Patches
The OP-TEE upstream project cannot implement the proposed mitigation, since it would prevent the system from booting up on basically all i.MX6UL devices, mainly because the clock handling is in Linux on most devices/BSPs. The rationale is that OP-TEE is the reference implementation for developers and device manufacturers. Reference implementations need to be adapted to the chipmaker's security guidelines before going into production.
However, to reduce the likelihood that end products are affected by this, we are going to clarify it in the documentation and introduce a warning that shows up when the device is booting. In short:
- The porting guidelines in the documentation have a new section [2] where we have further clarified the role of OP-TEE and what needs to be done by SoC vendors and OEMs.
- Boot messages: We will add a generic print [3] mentioning that the current configuration is insecure and needs to be updated according to the chipmaker's security guidelines and documentation.
These changes are available starting from OP-TEE v3.16.0, hence the reason for stating that as the patched version. However, we repeat that depending on the device used in the end products, there is in many cases more work that needs to be done to fully secure the device.
Workarounds
N/A
References
[1] Security_Advisory-Ref_FSC-HWSEC-VR2021-0002-OP-TEE_TrustZone_bypass_at_wakeup.txt
[2] OP-TEE porting guidelines
[3] PR#4987
OP-TEE ID
N/A
Reported by
Andrea Barisani and Andrej Rosano, F-Secure
For more information
For more information regarding the security incident process in OP-TEE, please read the information that can be found when going to the "Security" page at https://www.trustedfirmware.org.