[beagleboard] Does Spectre and Meltdown affect Beaglebone Black?

jkridner · January 8, 2018, 1:57am

Subject: Re: [beagleboard] Does Spectre and Meltdown affect Beaglebone Black?
To: beagleboard@googlegroups.com
Date: Sunday, January 7, 2018, 11:50 PM

On Sun,
Jan 7, 2018 at 12:52 PM, ‘Luther Goh Lu Feng’ via
BeagleBoard

<beagleboard@googlegroups.com>
wrote:

I am under the impression that BBB is affected as it

runs AM335x 1GHz ARM® Cortex-A8. What are the
mitigations/recommendations to address this, if any?

Well, according to “ARM”:

https://developer.arm.com/support/security-update

No : indicates not affected by the particular variant.

Yes : indicates affected by the particular variant but has
a

mitigation (unless otherwise stated).

Cortex-A8

Variant 1:Yes (under review)

Variant 2: Yes

Variant 3: No

Variant 3a: No

This leaves a lot of questions for
me. TI is working on a more formal response that better
summarizes our/their position. There are a number of
mitigations, but I think more analysis should be performed
to determine the confidence-level they provide. GKH has some
thoughtful blog material, but also stops short of being
conclusive. I’ve heard some question if VFP or NEON
provide additional attack vectors.
Fundamentally, I think those of us
making embedded systems need to be conscientious of what
untrusted code we allow to run on our systems and that there
are likely more interesting attack vectors, depending on how
we secure our systems.
For example, do you disable ssh and
evaluate the security of other network-based servers on the
system? I just mean that Meltdown and Spectre attacks assume
some ability to run userspace code on your system and you
should probably already be preventing that. IoT
worms/trojans and/or web server overflow bugs are more
likely to be a security issue in an embedded
system.
In yet more
other words, security requirements should be considered at a
system-design level and a one-size-fits all solution of
chasing down the latest issues facing desktop systems
isn’t likely to address your security
needs.
Hope this
didn’t come across as deflective or rude, as I do think
a good analysis of the BeagleBone/BeagleBoard risks related
to Meltdown/Spectre are necessary. I just don’t think
the analysis or the mitigations are ready to declare at this
time.

One useful mitigation: http://lists.infradead.org/pipermail/linux-arm-kernel/2018-January/552243.html

RobertCNelson · January 8, 2018, 2:19am

One useful mitigation:
http://lists.infradead.org/pipermail/linux-arm-kernel/2018-January/552243.html

Okay, that's a lot better..

From ARM's website, it really looked like ARM didn't care about the
arm32 (A8/A9/A15/A17) family...

Regards,

RobertCNelson · January 8, 2018, 2:22am

PS, it would be nice to see a proof of concept exploit on the A8, then
we can prove
those mitigation actually work..

Regards,

jkridner · January 9, 2018, 4:16pm

TI’s note on Meltdown and Spectre:

http://e2e.ti.com/support/arm/sitara_arm/f/791/t/654938