[Bug 2076397] [NEW] Ghostwrite mitigation

Heinrich Schuchardt 2076397 at bugs.launchpad.net
Fri Aug 9 07:55:12 UTC 2024


*** This bug is a security vulnerability ***

Public security bug reported:

https://ghostwriteattack.com/riscvuzz.pdf describes that some T-Head
processors allow unprivileged users to access any physical address due
to incorrectly implemented vector instructions.

We have published 22.04 and 24.04 images for the Nezha D1 and LicheeRV
Dock boards. These use the T-Head C906 core mentioned in the
publication.

The VS field of the mstatus CSR can be used to disable vector
instructions as described in chapter 3.1.6., "Machine Status Registers
(mstatus and mstatush)" of the Privileged Architecture Specification
version 2024-04-11.

On T-Head C906, C908, C910 cores OpenSBI should set the VS field to 0
(Off) and adjust the published ISA extensions in the device-tree and
possibly in the misa register.

We need to check that with this change vector instructions result in a
trap.

** Affects: opensbi (Ubuntu)
     Importance: High
         Status: New


** Tags: foundations-todo

** Tags added: foundations-todo

https://bugs.launchpad.net/bugs/2076397
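
An added example, not part of the bug report or of OpenSBI: a check run on the booted Linux system to confirm that no hart still advertises a vector extension after the published ISA extensions have been adjusted. It assumes the "hart" and "isa" lines of /proc/cpuinfo, and assumes that "v", Zve* and xtheadvector are the names that indicate vector support; the sample text is constructed. It covers the advertised ISA only, and does not show that a vector instruction traps.

```python
import re

_BASE = re.compile(r"rv(?:32|64|128)")
_SINGLE = re.compile(r"([a-z])(?:\d+(?:p\d+)?)?")  # letter plus optional "1p0" version
# Constructed sample in the layout assumed for /proc/cpuinfo on RISC-V Linux.
SAMPLE_CPUINFO = "hart\t: 0\nisa\t: rv64imafdc_zicsr_svpbmt\nhart\t: 1\nisa\t: rv64imafdcv\n"

def parse_isa(isa):
    """Split an ISA string into (single-letter, multi-letter) extension sets."""
    isa = isa.strip().lower()
    base = _BASE.match(isa)
    if not base:
        raise ValueError(f"not a RISC-V ISA string: {isa!r}")
    single, multi = set(), set()
    for token in filter(None, isa[base.end():].split("_")):
        pos = 0
        while pos < len(token):
            if token[pos] in "zsx":  # multi-letter name runs to the end of the token
                multi.add(re.sub(r"\d+p\d+$", "", token[pos:]))  # drop "2p0" version
                break
            m = _SINGLE.match(token, pos)
            if not m:
                raise ValueError(f"malformed ISA string: {isa!r}")
            single.add(m.group(1))
            pos = m.end()
    return single, multi

def vector_extensions(isa):
    """Return the vector-related extensions an ISA string advertises, sorted."""
    single, multi = parse_isa(isa)
    # Assumption: these names are the ones that signal vector support.
    vec_multi = {e for e in multi if e.startswith("zve") or e == "xtheadvector"}
    return sorted(({"v"} & single) | vec_multi)

def audit_cpuinfo(text):
    """Map hart id -> vector extensions still advertised in its 'isa' line."""
    result, hart = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "hart":
            hart = int(value)
        elif key.strip() == "isa" and hart is not None:
            found = vector_extensions(value)
            if found:
                result[hart] = found
    return result

if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        print(audit_cpuinfo(f.read()) or "no vector extension advertised")
```

An empty result is the expected state once the mitigation is in place; "svpbmt" in the sample shows that a "v" inside a multi-letter name is not counted as the vector extension.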
