path: root/docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst
Diffstat (limited to 'docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst')
-rw-r--r-- docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst 209
1 files changed, 209 insertions, 0 deletions
diff --git a/docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst b/docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst
new file mode 100644
index 0000000000..a450de36f8
--- /dev/null
+++ b/docs/security/security_advisories/crypto_multi_part_ops_abort_fail.rst
@@ -0,0 +1,209 @@
+Advisory TFMV-3
+===============
+
++-----------------+------------------------------------------------------------+
+| Title | ``abort()`` function may not take effect in TF-M Crypto |
+| | multi-part MAC/hashing/cipher operations. |
++=================+============================================================+
+| CVE ID | CVE-2021-32032 |
++-----------------+------------------------------------------------------------+
+| Public | May 10, 2021 |
+| Disclosure Date | |
++-----------------+------------------------------------------------------------+
+| Versions | Affected all versions up to and including TF-M v1.3.0 |
+| Affected | |
++-----------------+------------------------------------------------------------+
+| Configurations | All |
++-----------------+------------------------------------------------------------+
+| Impact | It can cause memory leakage in TF-M Crypto service, |
+| | eventually making TF-M Crypto service unavailable and |
+| | impacting other services relied on it. |
++-----------------+------------------------------------------------------------+
+| Fix Version | commit `7e2e52`_ |
++-----------------+------------------------------------------------------------+
+| Credit | | Chongqing Lei, Southeast University |
+| | | Zhen Ling, Associate Professor, Southeast University |
+| | | Xinwen Fu, Professor, University of Massachusetts Lowell |
++-----------------+------------------------------------------------------------+
+
+Background
+----------
+
+PSA multi-part crypto operation sequence
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+PSA Crypto API specification defines a common sequence for all multi-part crypto
+operations. The sequence can be simplified to the following steps:
+
+- ``setup()`` sets up the multi-part operation.
+- ``update()`` adds data/configurations into the multi-part operation.
+- ``finish()`` completes the multi-part operation.
+
+PSA Crypto API specification requests that the corresponding ``abort()``
+function shall be called when ``update()`` or ``finish()`` function fails.
+The ``abort()`` function aborts the ongoing multi-part operation and cleans up
+the operation context.
+
+TF-M multi-part crypto operation functions eventually call the underlying crypto
+library (Mbed TLS by default) to perform those steps, including ``abort()``
+step.
+
+PSA multi-part crypto operation objects
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+PSA Crypto API specification defines an operation object for each type of
+multi-part crypto operations. For example, ``psa_mac_operation_t`` for
+multi-part MAC operations and ``psa_hash_operation_t`` for multi-part hashing
+operations.
+
+TF-M Crypto service relies on the underlying crypto library (Mbed TLS by
+default) to implement those objects. The structures of those objects are crypto
+library specific and hidden to TF-M. The underlying crypto library usually
+stores and manages the context of ongoing multi-part crypto operations in the
+corresponding PSA operation object. For example, Mbed TLS stores multi-part
+hashing operation context in its ``psa_hash_operation_t`` implementation.
+
+The context is cleaned up in crypto library ``abort()`` function when the client
+calls ``abort()`` to handle a previous error. The clean-up execution can include
+zeroing the memory area and freeing allocated memory.
+
+TF-M multi-part crypto operation objects
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+TF-M Crypto service defines a dedicated operation structure
+``tfm_crypto_operation_s`` to wrap PSA multi-part crypto operation object and
+maintains its own status, as shown in the code block below.
+
+.. code-block:: c
+
+ struct tfm_crypto_operation_s {
+
+ ...
+
+ union {
+ psa_cipher_operation_t cipher; /*!< Cipher operation context */
+ psa_mac_operation_t mac; /*!< MAC operation context */
+ psa_hash_operation_t hash; /*!< Hash operation context */
+ psa_key_derivation_operation_t key_deriv; /*!< Key derivation operation context */
+ } operation;
+ };
+
+TF-M Crypto service assigns a ``tfm_crypto_operation_s`` object for each
+multi-part crypto operation sequence during ``setup()`` step. The
+``tfm_crypto_operation_s`` object content will be cleaned after the sequence
+completes or fails.
+
+Impact
+------
+
+During multi-part hashing/MAC/cipher operations, if the underlying crypto
+library function returns an error code, TF-M ``update()`` and ``finish()``
+functions will immediately clean up the structure ``tfm_crypto_operation_s``
+content and exit.
+
+When ``tfm_crypto_operation_s`` content is cleaned in TF-M ``update()`` and
+``finish()`` functions, the content in PSA multi-part crypto operation object
+inside ``tfm_crypto_operation_s`` is also cleaned. If the underlying crypto
+library stores operation context in the PSA operation object, the operation
+context is lost before clients call ``abort()`` to handle the error.
+
+Therefore, the underlying crypto library ``abort()`` function can be unable to
+perform normal abort operation if it cannot fetch the context or its content.
+In other words, the underlying crypto library ``abort()`` may not work normally
+or take effect.
+
+In theory when the case analyzed above occurs:
+
+- If the underlying crypto library dynamically allocates some memory regions
+ during multi-part operation and stores those memory region pointers in the PSA
+ multi-part operation object, the underlying crypto library will be unable to
+ locate and free those allocated memory regions in ``abort()``.
+ It will cause memory leakage in TF-M Crypto service. It may further make TF-M
+ Crypto service unavailable and affect other services relying on TF-M Crypto
+ service.
+
+- The underlying crypto library ``abort()`` may still consider the field values
+ in the context as valid. ``abort()`` may perform unexpected behaviors or
+ access invalid memory regions. It may trigger further faults and block TF-M
+ Crypto service or even the whole system.
+
+.. note::
+
+ The actual consequences depend on the implementation of the multi-part
+ operations in the underlying crypto library.
+
+Impacted PSA Crypto API functions
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The following PSA multi-part crypto operation functions are impacted:
+
+- Multi-part hashing operations
+
+ - ``psa_hash_update()``
+ - ``psa_hash_finish()``
+ - ``psa_hash_verify()``
+ - ``psa_hash_clone()``
+
+- Multi-part MAC operations
+
+ - ``psa_mac_update()``
+ - ``psa_mac_sign_finish()``
+ - ``psa_mac_verify_finish()``
+
+- Multi-part cipher operations
+
+ - ``psa_cipher_generate_iv()``
+ - ``psa_cipher_set_iv()``
+ - ``psa_cipher_update()``
+ - ``psa_cipher_finish()``
+
+Justifications on unaffected multi-part operations
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+TF-M multi-part AEAD operations and multi-part key derivation operations are not
+impacted by this issue.
+
+TF-M Crypto service has not implemented multi-part AEAD operations. TF-M
+multi-part AEAD functions directly return an error of unsupported operations.
+
+In TF-M key derivation implementation, the ``psa_key_derivation_operation_t``
+object is only cleaned in the ``abort()`` function after the underlying crypto
+library completes abort.
+
+Mitigation
+----------
+
+The clean-up operation shall be removed from error handling routines in the
+following TF-M Crypto functions:
+
+- Multi-part hashing operations
+
+ - ``tfm_crypto_hash_update()``
+ - ``tfm_crypto_hash_finish()``
+ - ``tfm_crypto_hash_verify()``
+ - ``tfm_crypto_hash_clone()``
+
+- Multi-part MAC operations
+
+ - ``tfm_crypto_mac_update()``
+ - ``tfm_crypto_mac_sign_finish()``
+ - ``tfm_crypto_mac_verify_finish()``
+
+- Multi-part cipher operations
+
+ - ``tfm_crypto_cipher_generate_iv()``
+ - ``tfm_crypto_cipher_set_iv()``
+ - ``tfm_crypto_cipher_update()``
+ - ``tfm_crypto_cipher_finish()``
+
+.. note::
+
+ This mitigation assumes that client follows the sequence specified in PSA
+ Crypto API specification to call ``abort()`` when an error occurs during
+ multi-part crypto operations.
+
+.. _7e2e52: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/commit/?id=7e2e523a1c4e9ac7b9cc4fd551831f7639ed5ff9
+
+---------------------
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*
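
Review bot: The Mitigation note ("This mitigation assumes that client follows the sequence ... to call ``abort()`` when an error occurs") leaves unstated what happens to the ``tfm_crypto_operation_s`` object when a client never calls ``abort()`` after a failed ``update()`` or ``finish()``. Once the clean-up is removed from those error handling routines, the Background sentence "The ``tfm_crypto_operation_s`` object content will be cleaned after the sequence completes or fails" reads as the pre-fix behaviour; suggest rewording it to say the content is cleaned when the sequence completes or when ``abort()`` is called, and stating in the note whether a missing ``abort()`` leaves the object assigned. Smaller points: in the Impact row of the table, "other services relied on it" should read "other services relying on it", and the Impact section text names only ``update()`` and ``finish()`` while the impacted list also covers ``psa_hash_clone()``, ``psa_cipher_generate_iv()`` and ``psa_cipher_set_iv()``, so the text should say that these follow the same error path.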