diff options
| author | Bipin Ravi <bipin.ravi@arm.com> | 2026-06-18 04:44:06 +0000 |
|---|---|---|
| committer | TrustedFirmware Code Review <review@review.trustedfirmware.org> | 2026-06-18 04:44:06 +0000 |
| commit | 8a5e5bc4b5901057ca4ae865c4ec23241a57c54f (patch) | |
| tree | eaaf8ada3b5a31e7272156d5af85384e319b56d8 /docs | |
| parent | 6afde8d543348a3dcf771113ebab0e1438f1d85d (diff) | |
| parent | 8d8c18cd54c787d0d733f807d280453964efd60b (diff) | |
| download | arm-trusted-firmware-8a5e5bc4b5901057ca4ae865c4ec23241a57c54f.tar.gz arm-trusted-firmware-8a5e5bc4b5901057ca4ae865c4ec23241a57c54f.zip | |
Merge changes from topic "gr/CVE-2025-10263" into integration
* changes:
fix: apply workaround for CVE-2025-10263 to N1
docs: add security advisory for CVE-2025-10263
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/security_advisories/index.rst | 2 | ||||
| -rw-r--r-- | docs/security_advisories/security-advisory-tfv-17.rst | 103 |
2 files changed, 105 insertions, 0 deletions
diff --git a/docs/security_advisories/index.rst b/docs/security_advisories/index.rst index 32979bf3e..f1fd4fdcd 100644 --- a/docs/security_advisories/index.rst +++ b/docs/security_advisories/index.rst @@ -21,3 +21,5 @@ Security Advisories security-advisory-tfv-14.rst security-advisory-tfv-15.rst security-advisory-tfv-16.rst + security-advisory-tfv-17.rst + diff --git a/docs/security_advisories/security-advisory-tfv-17.rst b/docs/security_advisories/security-advisory-tfv-17.rst new file mode 100644 index 000000000..eeafeace6 --- /dev/null +++ b/docs/security_advisories/security-advisory-tfv-17.rst @@ -0,0 +1,103 @@ +Advisory TFV-17 (CVE-2025-10263) +================================ + ++----------------+-------------------------------------------------------------+ +| Title | TLBI+DSB might complete too early | ++================+=============================================================+ +| CVE ID | `CVE-2025-10263`_ | ++----------------+-------------------------------------------------------------+ +| Date | Reported on 13 August 2025 | ++----------------+-------------------------------------------------------------+ +| Versions | All, up to and including v2.15 | +| Affected | | ++----------------+-------------------------------------------------------------+ +| Configurations | All platforms containing any of the following cores: (note | +| Affected | that if even a single affected core is present that all | +| | cores must implement the workaround, which the TFA patch | +| | does) | +| | | +| | - Cortex-A76 | +| | - Cortex-A76AE | +| | - Cortex-A77 | +| | - Cortex-X1 | +| | - Cortex-X1C | +| | - Cortex-A78 | +| | - Cortex-A78C | +| | - Cortex-A78AE | +| | - Cortex-A710 | +| | - Cortex-X2 | +| | - Cortex-X3 | +| | - Cortex-X4 | +| | - Cortex-X925 | +| | - Neoverse-N1 | +| | - Neoverse-N2 | +| | - Neoverse-V1 | +| | - Neoverse-V2 | +| | - Neoverse-V3 | +| | - Neoverse-V3AE | +| | - C1-Ultra | +| | - C1-Premium | ++----------------+-------------------------------------------------------------+ +| Impact | Exploitation may allow an attacker to corrupt page table | +| | entries or other memory-management data structures during | +| | translation invalidation operations. | ++----------------+-------------------------------------------------------------+ +| Fix Version | `Commit 08fab0f083db` (merged on 16 June 2026) | +| | | +| | `Gerrit topic #gr/CVE-2025-10263`_ | ++----------------+-------------------------------------------------------------+ +| Credit | Arm | ++----------------+-------------------------------------------------------------+ + +Description +----------- + +A race condition exists in affected Arm CPUs whereby a memory store performed by +one Processing Element (PE) may remain incomplete after another PE has +invalidated the corresponding translation and completed the architecturally +required TLBI and DSB sequence. Under specific microarchitectural conditions, +the assumption that all memory accesses made using the invalidated translation +table entry have completed might not hold true. + +This behavior can result in memory corruption affecting translation tables and +other protected memory structures. Successful exploitation may lead to denial +of service or privilege escalation within the affected translation regime. + +Practical exploitation has been demonstrated to the extent of page table +corruption. Feasible privilege escalation is considered possible, although full +exploitation has not yet been publicly demonstrated. + +Conditions +---------- + +1. PE A executes a store that crosses a page boundary. +2. PE B executes a TLB invalidate instruction which affects at least one of + pages targeted by PE A's store, followed by a DSB. +3. Complex micro-architectural conditions occur. +4. PE B's DSB may complete before the global observation of a portion of PE A's + store which was affected by the TLB invalidation. The relevant TLB entries + are invalidated correctly before the completion of the DSB. + +Workaround +---------- + +This can be avoided by executing the TLBI and DSB instructions a 2nd time. For +code sequences that have multiple TLB invalidate instuctions followed by a +single DSB, only the last TLB invalidate and DSB need to be repeated. + +Impact on TF-A +-------------- + +TF-a uses an affected instruction sequence only in the Xlat library, so the +workaround is inserted at the end of that function. Unlike most CVEs, this +workaround is disabled by default due to it being needed when a platform +contains any single CPU that is affected. So it must be explicitly enabled +using the flag WORKAROUND_CVE_2025_10263 by the platform when an affected +CPU is present. + +For further information, affected CPUs, and detailed guidance, refer to the full +`Official Arm Advisory`_. + +.. _CVE-2025-10263: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10263 +.. _Gerrit topic #gr/CVE-2025-10263: https://review.trustedfirmware.org/q/topic:gr/CVE-2025-10263 +.. _Official Arm Advisory: https://developer.arm.com/documentation/112137 |
