OP-TEE TrustZone bypass at wakeup on NXP i.MX6UL

Product OP-TEE
Severity Medium
CVE Reference CVE-2021-44149
Type Local Privilege Escalation

The Open Portable Trusted Execution Environment (OP-TEE) is an open source Trusted Execution Environment (TEE) implementing the Arm TrustZone technology.

F-Secure Foundry, in the process of developing its own TEE framework (GoTEE), reviewed the existing Open Source offering and identified a vulnerability in OP-TEE support for the Central Security Unit (CSU) configuration on the NXP
i.MX6UL System-on-Chip (SoC).

Based on this, as well as previous findings, F-Secure advises OP-TEE users to treat all OP-TEE supported platforms as insecure by default and carefully
review and practically test their implementation before integration.

TrustZone configuration on i.MX SoCs

This linked GoTEE tutorial provides an in-depth explanation of the various aspects of an effective TrustZone configuration.

In a nutshell, along with standard ARM core configuration, each SoC requires its peripherals to be assigned to either the Secure World or Normal World (aka NonSecure World), which respectively represent the privileged and unprivileged TrustZone domains.

The Central Security Unit (CSU) is the component that enables TrustZone peripheral configuration on the NXP i.MX family for peripherals that are not capable of asserting TrustZone signals independently.

The CSU Config Security Level (CSL) defines restrictions for accessing individual (or groups of) peripherals (e.g. whether a peripheral can be accessed from NonSecure World) while the Security Access (SA) defines the
access security policy for the peripheral (e.g. whether the peripheral makes bus accesses as "Secure" or "NonSecure").

Vulnerability

The OP-TEE OS CSU driver sets the CSU Security Access (SA) policy for the ARM Cortex-A7 block (CA7) to "Secure" for its NXP i.MX6UL SoC support.

The NXP documentation on the role of the CA7 SA setting does not provide any details on its effects, therefore F-Secure conducted a thorough analysis of its impact when set as "Secure".

It has been verified that a CA7 SA set to "Secure" allows to suspend a processor in "NonSecure" security state and have it wakeup from low power mode in Secure World.

The wakeup sequence implemented in the NXP i.MX6UL boot ROM jumps, in secure processor state, to function pointers held in the System Reset Controller (SRC) registers. The vulnerability takes place when the Normal World OS is allowed to set the SRC wakeup pointers before going in low power mode.

For example when running Linux under OP-TEE OS, which sets the CA7 SA to "Secure", the boot ROM executes a wakeup handler previously configured by Normal World Linux, within Secure World. This results in Linux re-initializing the MMU and resuming all its execution context as Secure World.

This configuration effectively bypasses any intended TrustZone protection as the Normal World OS is capable of transforming itself, through a low power suspend/wakeup procedure, to a Secure one.

Impact

On vanilla OP-TEE OS the NXP i.MX6UL SoC has no effective TrustZone isolation as the Normal World can arbitrarily change its processor state to Secure World, resulting in a full compromise of the Trusted Execution Environment.

The same vulnerability also applies to the NXP OP-TEE fork.

Mitigation

When suspend/wakeup functionality is required the sequence must be handled by the Secure World TEE and the CSU Config Security Level (CSL) must be set to protect, from Normal World access, all blocks responsible for the wakeup sequence such as the GPC and SRC blocks on the i.MX6UL SoC family.

When suspend/wakeup functionality is not required, implementers of trusted firmware using the OP-TEE framework must re-configure the SA policy ensuring that the CA7 value is set as "NonSecure" prior to Normal World execution.

When running Linux in Normal World this is incompatible with Linux power management drivers which require SRC support on i.MX6 SoCs (example: `CONFIG_CPU_IDLE`).

It is emphasized that the role of CA7 SA policy bit has been identified by F-Secure through testing and is pending verification by NXP on its complete effects.

Please also note that such mitigations do not constitute an example of a fully secure configuration and only focus on the specific aspects reported in this advisory.

Vendor response

The OP-TEE project own security advisory can be found here.

Affected versions

The OP-TEE OS component of all OP-TEE releases supporting the NXP i.MX6UL SoC is vulnerable, this includes any fork (such as the NXP one [5]) based on them that does not correctly prevent Normal World control of the System Reset Controller (SRC) wakeup execution context.

Please be advised that OP-TEE does not provide a secure CSU configuration on multiple NXP i.MX P/Ns for reasons which go beyond this specific finding (see CVE-2021-36133).

Credit

Vulnerabilities discovered and reported by Andrea Barisani and Andrej Rosano (F-Secure Foundry).

CVE

CVE-2021-44149: OP-TEE TrustZone bypass at wakeup on NXP i.MX6UL

Timeline

 

2021-11-05 findings reported by F-Secure to OP-TEE security contact
2021-11-05 F-Secure requests 14 days embargo
2021-11-18 OP-TEE requests 30 days embargo
2021-11-18 OP-TEE and NXP confirm the finding
2021-11-18 OP-TEE confirms no mitigation will be applied, only improved documentation
2021-11-18 F-Secure confirms initial 14 days embargo
2021-11-22 F-Secure receives CVE-2021-44149 assignment from MITRE
2021-11-22 Advisory released