Summary
Last year we published research at Black Hat in which we disclosed multiple vulnerabilities in Huawei Kirin SoC’s DDR Controller (DMSS) Access Permission system which allowed some SoC cores or DMA-capable peripherals to directly access secure world memory and completely compromise the entire memory of the SoC. This advisory focuses on a new access permission vulnerability in the same DMSS. The vulnerability can be used to entirely compromise the Trusted Execution Environment from the Baseband. The vulnerability was fixed in February 2022.
Vulnerability Details
The peripheral DMA lives up to its name, as it is mainly used to interact between multiple communication peripherals (e.g. UART, SPI) and the main CPU.
Both the Linux kernel and the secure world utilize this DMA.
The DMA engine is programmable in a proprietary way, which can be understood from the Linux kernel source (drivers/dma/hisi_dma_64.c
).
The engine operates in different channels, the first (0th) channel has the highest privileges, as it is used by the “fw_lpm3” for logging into secure world memory space.
The access rights when using the 0th channel are ultimately controlled by the DMSS subsystem.
A header file in the Linux kernel source (drivers/hisi/ap/platform/kirin990/soc_mid.h
) enumerates the master IDs of various cores and peripherals.
This list identifies the flag bit which defines which ASI table entries apply to the Peripheral DMA.
#define SOC_DMAC_MID 0x10
The ASI entries corresponding to this ID show that the access rules are overly permissive: they grant full secure read-write access to the trustfirmware (0x13000000-0x135fffff
) and the teeos and the trustlets (0x13600000-0x192fffff
) memory ranges.
DMSS entry address | index | range begin-end | (N)S: (non)secure R/W | AXI Master ID for (W)rite and (R)ead
0xffe82e30 19: 0x13000000 - 0x135fffff SR SW W00010020 R00010020
0xffe82e40 20: 0x13600000 - 0x192fffff SR SW W00010420 R00010420
The DMA programming happens through 4-byte wide writes to registers. The essential registers (source, destination, size, start) are located next to each other in the memory mapping at an address that is not affected by modem ASLR and is accessible by default for the baseband based on the MPU configuration:
[ 4] on 0xe2000000 - 0xfffe0000 | R1 W1 R0 W0 | S - -
By default, the Peripheral DMA can not write directly into the modem memory space, however the SRAM memory region of the LPMCU core turns out to be a memory range that is directly addressable by both the Peripheral DMA and the modem core. This allows the baseband to program transactions with the Peripheral DMA where the source/destination contents can be arbitrarily chosen.
For a detailed description of the vulnerability impact, see our presentation.
Affected Devices (Verified)
-
Kirin 990
- Huawei Mate 30 Pro (LIO)
- Huawei P40 Pro (ELS)
- Huawei P40 (ANA)
-
Kirin 9000
- Huawei Mate40 Pro (NOH)
Fix
Huawei OTA images, released after February 2022, contain the fix for the vulnerability.
Timeline
- 2021.08.05. Bug reported to Huawei PSIRT
- 2021.09.08. Huawei PSIRT confirms vulnerability, does not provide severity rating
- 2021.09.21. Additional reporting to Huawei PSIRT shows Kirin 9000 is vulnerable
- 2021.10.19. Update Requested
- 2021.10.20. Huawei confirms final assessment and High severity rating
- 2022.02.03. Huawei promises a later response
- 2022.02.25. Huawei confirms CVE released in security bulletin, confirms disclosure allowed in May