From 5fb5cce06602de15d7083e1021863b46d6ffc781 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Mon, 11 Mar 2024 17:21:54 +0000 Subject: [PATCH 1/7] Add ChangeLog for PSA buffer sharing fix Signed-off-by: David Horstmann --- ChangeLog.d/psa-shared-memory-protection.txt | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ChangeLog.d/psa-shared-memory-protection.txt diff --git a/ChangeLog.d/psa-shared-memory-protection.txt b/ChangeLog.d/psa-shared-memory-protection.txt new file mode 100644 index 000000000..f4f6ea0f4 --- /dev/null +++ b/ChangeLog.d/psa-shared-memory-protection.txt @@ -0,0 +1,8 @@ +Security + * Support calling PSA functions with buffer arguments that are in memory + shared with an untrusted party. The PSA core now makes copies of all + buffers before passing them to drivers to protect drivers against + modification of buffers during operations. + This feature increases code-size and memory usage. If buffers passed to + PSA functions are all trusted, buffer copying may be disabled by + unsetting MBEDTLS_PSA_COPY_CALLER_BUFFERS. From 1d3276da659583bd8b4040dc2078560dc7cef75d Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 12 Mar 2024 16:47:46 +0000 Subject: [PATCH 2/7] Reword ChangeLog entry for shared memory work Specifically: * Clarify that passing shared buffers is now secure by default (not newly supported) * Remove spurious hyphen * Clarify that we do not guarantee copying, but rather guarantee protection, allowing us to implement this differently in future if required. * Mention both protection of inputs from modification and outputs from exposure of intermediate results. * Invert the config option, from an enable-option to a disable-option. Signed-off-by: David Horstmann --- ChangeLog.d/psa-shared-memory-protection.txt | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/ChangeLog.d/psa-shared-memory-protection.txt b/ChangeLog.d/psa-shared-memory-protection.txt index f4f6ea0f4..6322563b1 100644 
--- a/ChangeLog.d/psa-shared-memory-protection.txt +++ b/ChangeLog.d/psa-shared-memory-protection.txt @@ -1,8 +1,10 @@ Security - * Support calling PSA functions with buffer arguments that are in memory - shared with an untrusted party. The PSA core now makes copies of all - buffers before passing them to drivers to protect drivers against - modification of buffers during operations. - This feature increases code-size and memory usage. If buffers passed to - PSA functions are all trusted, buffer copying may be disabled by - unsetting MBEDTLS_PSA_COPY_CALLER_BUFFERS. + * Passing buffers that are stored in untrusted memory as arguments + to PSA functions is now secure by default. + The PSA core now protects against modification of inputs or exposure + of intermediate outputs during operations. This is currently implemented + by copying buffers. + This feature increases code size and memory usage. If buffers passed to + PSA functions are owned exclusively by the PSA core for the duration of + the function call, copying may be disabled by setting + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. From 7102d0f747c33996c91c850c1c28803c9b08835d Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 12 Mar 2024 16:56:49 +0000 Subject: [PATCH 3/7] Add bugfix section about buffer sharing Mention that arbitrary overlap is now supported, except whenever MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set. Signed-off-by: David Horstmann --- ChangeLog.d/psa-shared-memory-protection.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog.d/psa-shared-memory-protection.txt b/ChangeLog.d/psa-shared-memory-protection.txt index 6322563b1..a158ae853 100644 --- a/ChangeLog.d/psa-shared-memory-protection.txt +++ b/ChangeLog.d/psa-shared-memory-protection.txt 
@@ -8,3 +8,7 @@ Security PSA functions are owned exclusively by the PSA core for the duration of the function call, copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. +Bugfix + * Fully support arbitrary overlap between inputs and outputs of PSA + functions. Note that overlap is only partial supported when + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set. From 7fc35a5ea18c1d030cfe60f482f51368d87e5222 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 13 Mar 2024 13:30:55 +0000 Subject: [PATCH 4/7] Reword ChangeLog entry. Specifically: * Fix a grammatical typo * Mention shared memory * Mention overlap support in the security section * Improve wording Signed-off-by: David Horstmann --- ChangeLog.d/psa-shared-memory-protection.txt | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/psa-shared-memory-protection.txt b/ChangeLog.d/psa-shared-memory-protection.txt index a158ae853..765c97c52 100644 --- a/ChangeLog.d/psa-shared-memory-protection.txt +++ b/ChangeLog.d/psa-shared-memory-protection.txt @@ -6,9 +6,12 @@ Security by copying buffers. This feature increases code size and memory usage. If buffers passed to PSA functions are owned exclusively by the PSA core for the duration of - the function call, copying may be disabled by setting + the function call (i.e. no buffer parameters are stored in memory shared + with an untrusted party), copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. + Note that setting this option will cause input-output buffer overlap to + be only partially supported. Bugfix * Fully support arbitrary overlap between inputs and outputs of PSA - functions. Note that overlap is only partial supported when + functions. Note that overlap is still only partially supported when MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set. From 4407aba55264b411d606ce5a18fde83ab1004b7f Mon Sep 17 00:00:00 2001 
From: David Horstmann Date: Wed, 13 Mar 2024 13:34:31 +0000 Subject: [PATCH 5/7] Mention the CVE number that is fixed Signed-off-by: David Horstmann --- ChangeLog.d/psa-shared-memory-protection.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog.d/psa-shared-memory-protection.txt b/ChangeLog.d/psa-shared-memory-protection.txt index 765c97c52..e5ee51397 100644 --- a/ChangeLog.d/psa-shared-memory-protection.txt +++ b/ChangeLog.d/psa-shared-memory-protection.txt @@ -11,6 +11,7 @@ Security MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. Note that setting this option will cause input-output buffer overlap to be only partially supported. + Fixes CVE-2024-28960 Bugfix * Fully support arbitrary overlap between inputs and outputs of PSA functions. Note that overlap is still only partially supported when From eff3d1ebb58c500355711dd790c5368dd43298b1 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 13 Mar 2024 14:06:58 +0000 Subject: [PATCH 6/7] Use the exact phrase 'shared memory' This allows people searching for this phrase to find this ChangeLog entry. Signed-off-by: David Horstmann --- ChangeLog.d/psa-shared-memory-protection.txt | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/psa-shared-memory-protection.txt b/ChangeLog.d/psa-shared-memory-protection.txt index e5ee51397..e19c9bc1a 100644 --- a/ChangeLog.d/psa-shared-memory-protection.txt +++ b/ChangeLog.d/psa-shared-memory-protection.txt 
@@ -6,9 +6,8 @@ Security by copying buffers. This feature increases code size and memory usage. If buffers passed to PSA functions are owned exclusively by the PSA core for the duration of - the function call (i.e. no buffer parameters are stored in memory shared - with an untrusted party), copying may be disabled by setting - MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. + the function call (i.e. no buffer parameters are in shared memory), + copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. Note that setting this option will cause input-output buffer overlap to be only partially supported. Fixes CVE-2024-28960 From 0634168296750837ca2321a35daa392a591b4166 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 13 Mar 2024 14:09:41 +0000 Subject: [PATCH 7/7] Reference issue #3266 This is the issue that tracks incomplete support for buffer overlap, so we should refer to it when we discuss partial support whenever MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set. Signed-off-by: David Horstmann --- ChangeLog.d/psa-shared-memory-protection.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/psa-shared-memory-protection.txt b/ChangeLog.d/psa-shared-memory-protection.txt index e19c9bc1a..09779b7d2 100644 --- a/ChangeLog.d/psa-shared-memory-protection.txt +++ b/ChangeLog.d/psa-shared-memory-protection.txt @@ -9,9 +9,9 @@ Security the function call (i.e. no buffer parameters are in shared memory), copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. Note that setting this option will cause input-output buffer overlap to - be only partially supported. + be only partially supported (#3266). Fixes CVE-2024-28960 Bugfix * Fully support arbitrary overlap between inputs and outputs of PSA functions. Note that overlap is still only partially supported when - MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set. + MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).
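Review bot: In PATCH 1/7 the entry reads like a feature announcement ("Support calling PSA functions with buffer arguments...") rather than a Security fix, and "code-size" should be "code size". Since it sits under "Security", lead with what was unsafe before (drivers could observe buffers modified by an untrusted party mid-operation) and only then describe the copying mechanism; also state explicitly that MBEDTLS_PSA_COPY_CALLER_BUFFERS is enabled by default, which "may be disabled by unsetting" only implies.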
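Review bot: In PATCH 2/7 the opt-out condition "owned exclusively by the PSA core for the duration of the function call" does not say what the reader must rule out, so an integrator cannot easily tell whether their platform qualifies. Spell out the concrete condition, e.g. "i.e. no buffer parameter is in memory that an untrusted party can read or modify during the call", before naming MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. The rest of the rewording is an improvement: "protects against modification of inputs or exposure of intermediate outputs" states the guarantee without committing to copying as the only implementation.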
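Review bot: In PATCH 3/7 the new Bugfix bullet has a typo ("only partial supported" should be "only partially supported") and its two sentences pull in opposite directions: "Fully support arbitrary overlap" followed by "only partial supported when ... is set". Phrase the exception in the first sentence, e.g. "Fully support arbitrary overlap between inputs and outputs of PSA functions, except when MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set, in which case overlap is only partially supported."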
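Review bot: In PATCH 4/7 the overlap caveat now appears twice with near-identical wording, once added to the Security bullet ("Note that setting this option will cause input-output buffer overlap to be only partially supported.") and once already in the Bugfix bullet. Keep the full statement in one place (the Bugfix bullet, where overlap is the topic) and have the Security bullet refer to it in a few words, so the two cannot drift apart on later edits. The added parenthetical "(i.e. no buffer parameters are stored in memory shared with an untrusted party)" is the clarification the opt-out needed.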
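Review bot: In PATCH 5/7 the added line "Fixes CVE-2024-28960" is the only sentence in the bullet without a terminating period, and it is appended after the overlap caveat, so a reader scanning for the CVE has to get past an unrelated note to find it. Suggest "Fixes CVE-2024-28960." and placing it directly after the sentence describing the protection, ahead of the MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS discussion.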
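Review bot: In PATCH 6/7 the shortened parenthetical "(i.e. no buffer parameters are in shared memory)" drops the qualifier "with an untrusted party" that PATCH 4/7 introduced, which changes the stated condition: memory shared only between trusted components does not need copying, but the new wording tells such integrators they may not set MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. If the goal is to make the entry findable by searching for "shared memory", a wording that keeps the threat model, e.g. "(i.e. no buffer parameters are in untrusted shared memory)", satisfies both.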
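Review bot: In PATCH 7/7 the bare "(#3266)" appended to "only partially supported" does not tell the reader what the issue is for, and both sentences still leave "partially supported" undefined, so an integrator cannot tell from the ChangeLog which overlapping cases are unsafe with MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS set. Say explicitly that the issue tracks the remaining work, e.g. "only partially supported; see #3266 for the cases that are not yet handled." in the Bugfix bullet, and drop the second reference from the Security bullet, which now duplicates it.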