Diffstat (limited to 'docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst')
-rw-r--r-- | docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst | 209 |
1 files changed, 209 insertions, 0 deletions
diff --git a/docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst b/docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst new file mode 100644 index 0000000000..a450de36f8 --- /dev/null +++ b/docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst 
@@ -0,0 +1,209 @@ +Advisory TFMV-3 +=============== + ++-----------------+------------------------------------------------------------+ +| Title | ``abort()`` function may not take effect in TF-M Crypto | +| | multi-part MAC/hashing/cipher operations. | ++=================+============================================================+ +| CVE ID | CVE-2021-32032 | ++-----------------+------------------------------------------------------------+ +| Public | May 10, 2021 | +| Disclosure Date | | ++-----------------+------------------------------------------------------------+ +| Versions | Affected all versions up to and including TF-M v1.3.0 | +| Affected | | ++-----------------+------------------------------------------------------------+ +| Configurations | All | ++-----------------+------------------------------------------------------------+ +| Impact | It can cause memory leakage in TF-M Crypto service, | +| | eventually making TF-M Crypto service unavailable and | +| | impacting other services relied on it. | ++-----------------+------------------------------------------------------------+ +| Fix Version | commit `7e2e52`_ | ++-----------------+------------------------------------------------------------+ +| Credit | | Chongqing Lei, Southeast University | +| | | Zhen Ling, Associate Professor, Southeast University | +| | | Xinwen Fu, Professor, University of Massachusetts Lowell | ++-----------------+------------------------------------------------------------+ + +Background +---------- + +PSA multi-part crypto operation sequence +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +PSA Crypto API specification defines a common sequence for all multi-part crypto +operations. The sequence can be simplified to the following steps: + +- ``setup()`` sets up the multi-part operation. +- ``update()`` adds data/configurations into the multi-part operation. +- ``finish()`` completes the multi-part operation. 
+ +PSA Crypto API specification requests that the corresponding ``abort()`` +function shall be called when ``update()`` or ``finish()`` function fails. +The ``abort()`` function aborts the ongoing multi-part operation and cleans up +the operation context. + +TF-M multi-part crypto operation functions eventually call the underlying crypto +library (Mbed TLS by default) to perform those steps, including ``abort()`` +step. + +PSA multi-part crypto operation objects +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +PSA Crypto API specification defines an operation object for each type of +multi-part crypto operations. For example, ``psa_mac_operation_t`` for +multi-part MAC operations and ``psa_hash_operation_t`` for multi-part hashing +operations. + +TF-M Crypto service relies on the underlying crypto library (Mbed TLS by +default) to implement those objects. The structures of those objects are crypto +library specific and hidden to TF-M. The underlying crypto library usually +stores and manages the context of ongoing multi-part crypto operations in the +corresponding PSA operation object. For example, Mbed TLS stores multi-part +hashing operation context in its ``psa_hash_operation_t`` implementation. + +The context is cleaned up in crypto library ``abort()`` function when the client +calls ``abort()`` to handle a previous error. The clean-up execution can include +zeroing the memory area and freeing allocated memory. + +TF-M multi-part crypto operation objects +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +TF-M Crypto service defines a dedicated operation structure +``tfm_crypto_operation_s`` to wrap PSA multi-part crypto operation object and +maintains its own status, as shown in the code block below. + +.. code-block:: c + + struct tfm_crypto_operation_s { + + ... 
+ + union { + psa_cipher_operation_t cipher; /*!< Cipher operation context */ + psa_mac_operation_t mac; /*!< MAC operation context */ + psa_hash_operation_t hash; /*!< Hash operation context */ + psa_key_derivation_operation_t key_deriv; /*!< Key derivation operation context */ + } operation; + }; + +TF-M Crypto service assigns a ``tfm_crypto_operation_s`` object for each +multi-part crypto operation sequence during ``setup()`` step. The +``tfm_crypto_operation_s`` object content will be cleaned after the sequence +completes or fails. + +Impact +------ + +During multi-part hashing/MAC/cipher operations, if the underlying crypto +library function returns an error code, TF-M ``update()`` and ``finish()`` +functions will immediately clean up the structure ``tfm_crypto_operation_s`` +content and exit. + +When ``tfm_crypto_operation_s`` content is cleaned in TF-M ``update()`` and +``finish()`` functions, the content in PSA multi-part crypto operation object +inside ``tfm_crypto_operation_s`` is also cleaned. If the underlying crypto +library stores operation context in the PSA operation object, the operation +context is lost before clients call ``abort()`` to handle the error. + +Therefore, the underlying crypto library ``abort()`` function can be unable to +perform normal abort operation if it cannot fetch the context or its content. +In other words, the underlying crypto library ``abort()`` may not work normally +or take effect. + +In theory when the case analyzed above occurs: + +- If the underlying crypto library dynamically allocates some memory regions + during multi-part operation and stores those memory region pointers in the PSA + multi-part operation object, the underlying crypto library will be unable to + locate and free those allocated memory regions in ``abort()``. + It will cause memory leakage in TF-M Crypto service. It may further make TF-M + Crypto service unavailable and affect other services relying on TF-M Crypto + service. 
+ +- The underlying crypto library ``abort()`` may still consider the field values + in the context as valid. ``abort()`` may perform unexpected behaviors or + access invalid memory regions. It may trigger further faults and block TF-M + Crypto service or even the whole system. + +.. note:: + + The actual consequences depend on the implementation of the multi-part + operations in the underlying crypto library. + +Impacted PSA Crypto API functions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The following PSA multi-part crypto operation functions are impacted: + +- Multi-part hashing operations + + - ``psa_hash_update()`` + - ``psa_hash_finish()`` + - ``psa_hash_verify()`` + - ``psa_hash_clone()`` + +- Multi-part MAC operations + + - ``psa_mac_update()`` + - ``psa_mac_sign_finish()`` + - ``psa_mac_verify_finish()`` + +- Multi-part cipher operations + + - ``psa_cipher_generate_iv()`` + - ``psa_cipher_set_iv()`` + - ``psa_cipher_update()`` + - ``psa_cipher_finish()`` + +Justifications on unaffected multi-part operations +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +TF-M multi-part AEAD operations and multi-part key derivation operations are not +impacted by this issue. + +TF-M Crypto service has not implemented multi-part AEAD operations. TF-M +multi-part AEAD functions directly return an error of unsupported operations. + +In TF-M key derivation implementation, the ``psa_key_derivation_operation_t`` +object is only cleaned in the ``abort()`` function after the underlying crypto +library completes abort. 
+ +Mitigation +---------- + +The clean-up operation shall be removed from error handling routines in the +following TF-M Crypto functions: + +- Multi-part hashing operations + + - ``tfm_crypto_hash_update()`` + - ``tfm_crypto_hash_finish()`` + - ``tfm_crypto_hash_verify()`` + - ``tfm_crypto_hash_clone()`` + +- Multi-part MAC operations + + - ``tfm_crypto_mac_update()`` + - ``tfm_crypto_mac_sign_finish()`` + - ``tfm_crypto_mac_verify_finish()`` + +- Multi-part cipher operations + + - ``tfm_crypto_cipher_generate_iv()`` + - ``tfm_crypto_cipher_set_iv()`` + - ``tfm_crypto_cipher_update()`` + - ``tfm_crypto_cipher_finish()`` + +.. note:: + + This mitigation assumes that client follows the sequence specified in PSA + Crypto API specification to call ``abort()`` when an error occurs during + multi-part crypto operations. + +.. _7e2e52: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=7e2e523a1c4e9ac7b9cc4fd551831f7639ed5ff9 + +--------------------- + +*Copyright (c) 2021, Arm Limited. All rights reserved.* |
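Review bot: In the Mitigation section, the closing note says the fix "assumes that client follows the sequence specified in PSA Crypto API specification to call ``abort()``", but the advisory never says what happens to the ``tfm_crypto_operation_s`` object when a client does not call ``abort()`` after a failed ``update()`` or ``finish()``. With the clean-up removed from the error handling routines, the Background sentence "The ``tfm_crypto_operation_s`` object content will be cleaned after the sequence completes or fails" reads as if clean-up were still automatic on failure. Suggest rewording it to say the object is cleaned when the sequence completes or when ``abort()`` is called, and adding a line to the note on whether an un-aborted operation keeps holding its object. The Impact text also names only ``update()`` and ``finish()``, while the impacted list includes ``psa_hash_clone()``, ``psa_cipher_generate_iv()`` and ``psa_cipher_set_iv()``; one sentence saying those error paths performed the same clean-up would close the gap. Minor wording in the header table: "Affected all versions up to and including" can drop the leading "Affected", and "other services relied on it" should read "relying on it".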