Advisory TFMV-4
===============

+-----------------+------------------------------------------------------------+
| Title           | NSPE may access secure keys stored in TF-M Crypto service  |
|                 | in Profile Small with Crypto key ID encoding disabled.     |
+=================+============================================================+
| CVE ID          | CVE-2021-40327                                             |
+-----------------+------------------------------------------------------------+
| Public          | 22nd Nov, 2021                                             |
| Disclosure Date |                                                            |
+-----------------+------------------------------------------------------------+
| Versions        | TF-M v1.4.0                                                |
| Affected        |                                                            |
+-----------------+------------------------------------------------------------+
| Configurations  | Profile Small                                              |
+-----------------+------------------------------------------------------------+
| Impact          | In Profile Small, secure keys stored in Crypto service can |
|                 | be leaked to NSPE if NSPE acquires secure key IDs.         |
+-----------------+------------------------------------------------------------+
| Fix Version     | Commit `42e77b`_ and `v1.4.1`_                             |
+-----------------+------------------------------------------------------------+
| Credit          | N/A                                                        |
+-----------------+------------------------------------------------------------+

Background
----------

In the TF-M v1.4.0 release, Profile Small disabled the encoding of Crypto key
IDs with the key owner client ID.

When a Crypto key is stored in the TF-M Crypto service, the key ID is not
encoded with the client ID of the key owner in Profile Small in TF-M v1.4.0.
Therefore, the TF-M Crypto service is unable to distinguish or validate the
owners of keys in Profile Small. NSPE can access keys belonging to SPE in
Profile Small in some scenarios.

Details
-------

In TF-M v1.4.0, the TF-M Crypto service by default relies on two mechanisms to
validate key owners in key management.

  - TF-M Crypto service maintains a key handle array. When a key is stored in
    Crypto service, the key ID and the key owner client ID are stored in the
    array. When a caller requests to access a key, TF-M Crypto service validates
    the request by comparing the caller client ID with the stored key client ID.

  - Mbed TLS stores a special structure encoded by key owner client ID and the
    key ID. When a caller requests to access a key, Mbed TLS validates the
    request by comparing the caller client ID with the key client ID stored in
    that structure.

Secure clients are not isolated from each other in Profile Small, so it does
not need to validate the key owner client ID between secure clients. Therefore,
in TF-M v1.4.0, Profile Small disabled both mechanisms above to optimize the
key storage size. A key directly or indirectly stored via ``psa_import_key()``
is not encoded with the key owner client ID.

However, this also disables the validation of the NS client ID when an NS
client accesses keys stored in TF-M Crypto. NS clients can call
``psa_open_key()``/``psa_export_key()`` to access secure clients' keys stored
via ``psa_import_key()``, if NS clients acquire the key ID of secure clients.

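The effect of dropping the owner from the key lookup can be seen in a small
model. This is an added example, not TF-M or Mbed TLS code: the store layout,
function names, the client IDs (1 for a secure client, -1 for an NS client) and
the key ID ``0x100`` are all hypothetical or constructed.

```c
#include <stdint.h>
#include <string.h>
/* Toy model of the owner check; not TF-M or Mbed TLS source. Names are hypothetical. */
#define MAX_SLOTS  4
#define KEY_LEN    16
#define ERR_NO_KEY (-1)

typedef struct {
    uint32_t key_id;             /* 0 marks a free slot */
    int32_t  owner;              /* recorded only when owner encoding is enabled */
    uint8_t  material[KEY_LEN];
} slot_t;

typedef struct {
    int    id_encodes_owner;     /* 0 models Profile Small in v1.4.0, 1 models the fix */
    slot_t slots[MAX_SLOTS];
} key_store_t;

int store_import(key_store_t *ks, int32_t caller, uint32_t key_id, const uint8_t *key) {
    for (int i = 0; i < MAX_SLOTS; i++) {
        slot_t *s = &ks->slots[i];
        if (s->key_id != 0) continue;
        s->key_id = key_id;
        s->owner = ks->id_encodes_owner ? caller : 0;   /* owner dropped when disabled */
        memcpy(s->material, key, KEY_LEN);
        return 0;
    }
    return ERR_NO_KEY;
}

int store_export(const key_store_t *ks, int32_t caller, uint32_t key_id, uint8_t *out) {
    for (int i = 0; i < MAX_SLOTS; i++) {
        const slot_t *s = &ks->slots[i];
        if (key_id == 0 || s->key_id != key_id) continue;
        if (ks->id_encodes_owner && s->owner != caller) continue;  /* owner check */
        memcpy(out, s->material, KEY_LEN);
        return KEY_LEN;
    }
    return ERR_NO_KEY;
}

/* Constructed scenario: secure client 1 imports key 0x100, NS client -1 requests it. */
int ns_export_of_secure_key(int id_encodes_owner) {
    static const uint8_t secret[KEY_LEN] = { 0xA5, 0x5A };   /* constructed sample key */
    key_store_t ks = { .id_encodes_owner = id_encodes_owner };
    uint8_t out[KEY_LEN];
    if (store_import(&ks, 1, 0x100, secret) != 0) return -2;
    return store_export(&ks, -1, 0x100, out);
}
```

With ``id_encodes_owner`` set to 0 the NS request returns the key length, and
with it set to 1 the same request is rejected because the owner no longer
matches.
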
Impact
------

Only TF-M Profile Small is impacted. No other configurations or Profiles are
affected.

Analysis of RoT services in Profile Small
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

TF-M Profile Small enables Internal Trusted Storage (ITS), Crypto and Initial
Attestation by default. The following analysis focuses on the impact on RoT
services in Profile Small.

  - ITS service doesn't create or store its own key in Crypto service. It is not
    impacted directly.

  - Crypto service key derivation may be impacted.

    - ``psa_key_derivation_output_key()`` eventually stores the derived key in
      Crypto service. The stored derived keys can be accessed by an NS client
      if the NS client acquires the derived key ID value.

    - Platform specific implementation may store Hardware Unique Key (HUK) into
      Crypto service for key derivation from HUK via ``psa_import_key()``.

      - Platform driver may import HUK as a temporary key into Crypto service
        during derivation and close the temporary key when derivation completes.

        If an NS client preempts the derivation and calls PSA Cryptography API
        to access temporary HUK data stored in Crypto service, the access will
        be captured by TF-M re-entry detection and rejected by TF-M SPE.

      - Platform driver may permanently store HUK via Crypto service for
        derivation and the key is still managed by Crypto service when NSPE is
        running.

        An NS client can access HUK data via PSA Cryptography API if it
        acquires the key ID of stored HUK.

  - Symmetric key algorithm based Initial Attestation temporarily stores
    symmetric Initial Attestation Key (IAK) in Crypto service during Initial
    Attestation Token generation. It imports symmetric IAK into Crypto service
    during generation and removes it from Crypto service when generation
    completes.

    If an NS client preempts the generation and calls PSA Cryptography API to
    access the temporary IAK data stored in Crypto service, the access will be
    captured by TF-M re-entry detection and rejected by TF-M SPE.

    Therefore, Initial Attestation is not impacted directly.

Impact on Profile Small default implementation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Default Profile Small RoT services don't initially call Crypto key derivation or
store any secure key into Crypto service.

According to the analysis of RoT services above, the device HUK can be accessed
by NS clients and leaked to NSPE in the Profile Small default implementation
when all of the following conditions are met.

  - Platform specific implementation stores HUK in Crypto service, initially or
    during a derivation requested by an NS client.
  - HUK is still stored in Crypto service when NSPE is running.
  - An NS client acquires the key ID of HUK in Crypto service and accesses the
    HUK key via PSA Cryptography API.

No other vulnerabilities have been found so far.

Impact on vendor RoT services
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If a vendor RoT service is integrated in Profile Small, its keys stored via
``psa_import_key()`` or derived from ``psa_key_derivation_output_key()`` can be
accessed by an NS client and leaked to NSPE when both of the following
conditions are met.

  - The secure key is stored in Crypto service when NSPE is running.
  - An NS client acquires the key ID and accesses the key via PSA Cryptography
    API.

How an NS client can acquire a secure key ID depends on the key management
implementation of the underlying crypto library in TF-M Crypto service.
With default Mbed TLS, an NS attacker can first import an NS key to obtain the
rough base value of Mbed TLS key slots and then try a smaller subset of key ID
values by brute force.

Mitigation
----------

This issue has been fixed by enforcing Mbed TLS key ID encoding with key owner
client ID to be enabled.

The patch was intended to optimize the TF-M Crypto service key handle array and
coincidentally fixed the issue.

`v1.4.1`_ fixed this issue as a patch release.

.. _42e77b: https://review.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m/+/42e77b561fcfe19819ff1e63cb7c0b672ee8ba41

.. _v1.4.1: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tag/?h=TF-Mv1.4.1

---------------------

*Copyright (c) 2021, Arm Limited. All rights reserved.*
