TFMV-4: Profile Small Key ID encoding vulnerability
Change-Id: I02be66fbcab4125318abd31dbf9800908b94bd13
Signed-off-by: David Hu <david.hu@arm.com>
diff --git a/docs/security/security_advisories/index.rst b/docs/security/security_advisories/index.rst
index 5f03f31..65759ab 100644
--- a/docs/security/security_advisories/index.rst
+++ b/docs/security/security_advisories/index.rst
@@ -8,6 +8,7 @@
stack_seal_vulnerability
svc_caller_sp_fetching_vulnerability
crypto_multi_part_ops_abort_fail
+ profile_small_key_id_encoding_vulnerability
--------------
diff --git a/docs/security/security_advisories/profile_small_key_id_encoding_vulnerability.rst b/docs/security/security_advisories/profile_small_key_id_encoding_vulnerability.rst
new file mode 100644
index 0000000..722640f
--- /dev/null
+++ b/docs/security/security_advisories/profile_small_key_id_encoding_vulnerability.rst
@@ -0,0 +1,168 @@
+Advisory TFMV-4
+===============
+
++-----------------+------------------------------------------------------------+
+| Title | NSPE may access secure keys stored in TF-M Crypto service |
+| | in Profile Small with Crypto key ID encoding disabled. |
++=================+============================================================+
+| CVE ID | CVE-2021-40327 |
++-----------------+------------------------------------------------------------+
+| Public | 22nd Nov, 2021 |
+| Disclosure Date | |
++-----------------+------------------------------------------------------------+
+| Versions | TF-M v1.4.0 |
+| Affected | |
++-----------------+------------------------------------------------------------+
+| Configurations | Profile Small |
++-----------------+------------------------------------------------------------+
+| Impact | In Profile Small, secure keys stored in Crypto service can |
+| | be leaked to NSPE if NSPE acquires secure key IDs. |
++-----------------+------------------------------------------------------------+
+| Fix Version | Commit `42e77b`_ and `v1.4.1`_ |
++-----------------+------------------------------------------------------------+
+| Credit | N/A |
++-----------------+------------------------------------------------------------+
+
+Background
+----------
+
+TF-M Profile Small disabled Crypto key ID encoding with key owner client ID in
+TF-M v1.4.0 release.
+
+When the Crypto key is stored into TF-M Crypto service, the key ID is not
+encoded with the client ID of key owner in Profile Small in TF-M v1.4.0.
+Therefore, TF-M Crypto service is unable to distinguish or validate owners of
+keys in Profile Small. NSPE can access the keys belonging to SPE in Profile
+Small in some scenarios.
+
+Details
+-------
+
+In TF-M v1.4.0, TF-M Crypto service by default relies on two mechanisms to
+validate key owners in key management.
+
+ - TF-M Crypto service maintains a key handle array. When a key is stored in
+ Crypto service, the key ID and the key owner client ID are stored in the
+ array. When a caller requests to access a key, TF-M Crypto service validates
+ the request by comparing the caller client ID with the stored key client ID.
+
+ - Mbed TLS stores a special structure encoded by key owner client ID and the
+ key ID. When a caller requests to access a key, Mbed TLS validates the
+ request by comparing the caller client ID with the key client ID stored in
+ that structure.
+
+Secure clients are not isolated from each other in Profile Small and it doesn’t
+require to validate key owner client ID between secure clients. Therefore, in
+TF-M v1.4.0, Profile Small disabled both mechanisms above to optimize the key
+storage size. The key directly or indirectly stored via ``psa_import_key()`` is
+not encoded with key owner client ID.
+
+However, it also disables the validation of NS client ID when a NS client
+accesses keys stored in TF-M Crypto. NS clients can call
+``psa_open_key()``/``psa_export_key()`` to access secure clients' keys stored
+via ``psa_import_key()``, if NS clients acquire the key ID of secure clients.
+
+Impact
+------
+
+Only TF-M Profile Small is impacted. All the other configurations or Profiles
+are not affected.
+
+Analysis of RoT services in Profile Small
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+TF-M Profile Small enables Internal Trusted Storage (ITS), Crypto and Initial
+Attestation by default. The following analysis focuses on the impact on RoT
+services in Profile Small.
+
+ - ITS service doesn’t create or store its own key in Crypto service. It is not
+ impacted directly.
+
+ - Crypto service key derivation may be impacted.
+
+ - ``psa_key_derivation_output_key()`` eventually stores the derived key in
+ Crypto service. The stored derived keys can be accessed by a NS client if
+ the NS client acquires the derived key ID value.
+
+ - Platform specific implementation may store Hardware Unique Key (HUK) into
+ Crypto service for key derivation from HUK via ``psa_import_key()``.
+
+ - Platform driver may import HUK as a temporary key into Crypto service
+ during derivation and close the temporary key when derivation completes.
+
+ If a NS client preempts the derivation and calls PSA Cryptography API to
+ access temporary HUK data stored in Crypto service, the access will be
+ captured by TF-M re-entry detection and rejected by TF-M SPE.
+
+ - Platform driver may permanently store HUK via Crypto service for
+ derivation and the key is still managed by Crypto service when NSPE is
+ running.
+
+ NS client can access HUK data via PSA Cryptography API if it
+ acquires the key ID of stored HUK.
+
+ - Symmetric key algorithm based Initial Attestation temporarily stores
+ symmetric Initial Attestation Key (IAK) in Crypto service during Initial
+ Attestation Token generation. It imports symmetric IAK into Crypto service
+ during generation and removes it from Crypto service when generation
+ completes.
+
+ If a NS client preempts the generation and calls PSA Cryptography API to
+ access the temporary IAK data stored in Crypto service, the access will be
+ captured by TF-M re-entry detection and rejected by TF-M SPE.
+
+ Therefore, Initial Attestation is not impacted directly.
+
+Impact on Profile Small default implementation
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Default Profile Small RoT services don't initially call Crypto key derivation or
+store any secure key into Crypto service.
+
+According to the analysis of RoT services above, device HUK can be accessed by
+NS clients and leaked to NSPE, in Profile Small default implementation, when all
+the following conditions are met.
+
+ - Platform specific implementation stores HUK in Crypto service, initially or
+ during a derivation requested by NS client.
+ - HUK is still stored in Crypto service when NSPE is running.
+ - An NS client acquires the key ID of HUK in Crypto service and accesses HUK
+ key via PSA Cryptography API.
+
+Other vulnerabilities are not found yet so far.
+
+Impact on vendor RoT services
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If a vendor RoT service is integrated in Profile Small, its keys stored via
+``psa_import_key()`` or derived from ``psa_key_derivation_output_key()`` can be
+accessed by NS client and leaked to NSPE when both following conditions are met.
+
+ - The secure key is stored in Crypto service when NSPE is running.
+ - An NS client acquires the key ID and accesses the key via PSA Cryptography
+ API.
+
+How NS client can acquire secure key ID is related to key management
+implementation of the underlying crypto library in TF-M Crypto service.
+With default Mbed TLS, NS hackers can import a NS key at first to obtain the
+rough base value of Mbed TLS key slots and then try a smaller subset of key ID
+values by brute-force.
+
+Mitigation
+----------
+
+This issue has been fixed by enforcing Mbed TLS key ID encoding with key owner
+client ID to be enabled.
+
+This patch intended to optimize TF-M Crypto service key handle array and
+coincidentally fixed the issue.
+
+`v1.4.1`_ fixed this issue as a patch release.
+
+.. _42e77b: https://review.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m/+/42e77b561fcfe19819ff1e63cb7c0b672ee8ba41
+
+.. _v1.4.1: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/log/?h=TF-Mv1.4.x
+
+---------------------
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*