-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:14.smccc                                      Security Advisory
                                                          The FreeBSD Project

Topic:          arm64 boot CPUs may lack speculative execution protections

Category:       core
Module:         arm64
Announced:      2023-10-03
Affects:        FreeBSD 13.2
Corrected:      2023-09-25 12:13:47 UTC (stable/13, 13.2-STABLE)
                2023-10-03 21:29:11 UTC (releng/13.2, 13.2-RELEASE-p4)
CVE Name:       CVE-2023-5370

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

To mitigate speculative execution side channel attacks on some AArch64
hardware the kernel can call into the boot firmware using the Secure Monitor
Call Calling Convention (SMCCC) mechanism.

To decide if the kernel needs to use the SMCCC mitigation on a given CPU it
can query the firmware if the SMCCC workaround is present.

II.  Problem Description

On CPU 0 the check for the SMCCC workaround is called before SMCCC support
has been initialized.

III. Impact

No speculative execution workarounds are installed on CPU 0.

IV.  Workaround

No workaround is available. Not all AArch64 CPUs are affected.

Systems where CPU 0 has the CSV2 and PSTATE.SSBS processor
features are unaffected by the speculative execution attacks.
The kernel will print the following under CPU 0 on unaffected
CPUs:

Processor Features 0 = <...CVS2...>
Processor Features 1 = <...PSTATE.SSBS...>

The Arm Cortex-A35, Cortex-A53, and Cortex-A55 CPUs are
unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:14/smccc.patch
# fetch https://security.FreeBSD.org/patches/SA-23:14/smccc.patch.asc
# gpg --verify smccc.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              4df1447f2c76    stable/13-n256420
releng/13.2/                            485912e051bb  releng/13.2-n254637
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5370>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:14.smccc.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmUclU8ACgkQbljekB8A
Gu8zqQ//bCjUB/hXZxypEFmnnnyUPr0Y/pzHd1i7EcIFQubd6kosUw4k2VGzwOsi
/BwKU4W/MrUyr/wwSkjJ/lmeA+CRX2TAPWPTPC0umnN58fOXRqhKpVAi0yfho+L9
lYUfdLWM0xS4XWsZk7DapjfN8XznLnn6iQrWmFLmZd0ViJFGkGJcxjdWr7aSs7ZX
C8v8GoqFx6GUUdOgRERdpZ/2mxi7ibs9LbCt4PUTwKV8clAmq4w4Mv+q4xfZPSnM
nXGrTd+t2G5ZrmEZ9Rq32C9JqGaAaQUTp/NsOw8yQq5YVBXanA12VJLx2kdoVKsj
84e3rJz/QTpXTpgiSkVmWdT3ziZW8Zs9aygvUXyzK6C/s2ZiKd8o65dnF3MGCyJs
Y7aNgAS51mX/fgPyXwicF/eYA1nm/1AJAK9J/eUBbsi+hu9DW5XjpiLUYAe10KKf
9XsgJ1vTJMKXIv/UAlN0d78SfSfcGyUCbH0qk7zCzw9XfLYj+r9a7de/vnAc0qtm
8Gh0hqbacA6dqtxrNEDC9R1Tp6inf0YYR6gP5HPjjy96FvfZCGmHk5XUmbmk4C4T
UylvLXrO4gJiyBXhdZ3P3Mib6HdMWkLMRh095Y2revdAGMv0BrGs3G+eaMVIgNt2
puELCPfLgJF1ljcHV8svdQcuy0Fea2R2R22cqwsT1vPuKqgmP60=
=lOTX
-----END PGP SIGNATURE-----