
Information about vulnerability of Toradex System on Modules to Speculative Side Channel Attacks aka Meltdown and Spectre

 
Article updated at 02 Aug 2018

Google research found an issue in many modern processors that can allow programs to access protected data. This could enable malicious software to defeat memory access controls and gain access to confidential and sensitive information such as passwords.

There are three variants of the vulnerability: CVE-2017-5753 and CVE-2017-5715, called “Spectre”, and CVE-2017-5754, known as “Meltdown”.
For more details about the vulnerability, please visit: https://spectreattack.com/

Meltdown and Spectre

Is my Toradex System on Module affected?

| Toradex Products | Arm Core | Variant 1 (SPECTRE, CVE-2017-5753) | Variant 2 (SPECTRE, CVE-2017-5715) | Variant 3 (MELTDOWN, CVE-2017-5754) |
|---|---|---|---|---|
| Colibri VF50, Colibri VF61 | Cortex®-A5 | Not Affected | Not Affected | Not Affected |
| Colibri iMX6ULL, Colibri iMX7 | Cortex®-A7 | Not Affected | Not Affected | Not Affected |
| Colibri iMX6S, Colibri iMX6DL, Apalis iMX6D, Apalis iMX6Q | Cortex®-A9 | Affected (Patched in Linux BSP 2.8b3) | Affected (Patched in Linux BSP 2.8b3) | Not Affected |
| Colibri T30, Colibri T20, Apalis T30 | Cortex®-A9 | Affected | Affected | Not Affected |
| Apalis TK1 | Cortex®-A15 | Affected (Patched in Linux BSP 2.8b3) | Affected (Patched in Linux BSP 2.8b3) | Not Affected |
| Colibri PXA270, Colibri PXA300, Colibri PXA310, Colibri PXA320 | XScale® | Not Affected | Not Affected | Not Affected |

The Cortex®-M4 Cores on the Colibri VF61, Colibri iMX7, and Apalis TK1 are not affected.

What is Toradex doing to patch the vulnerabilities?

Note: The solutions proposed by NVIDIA and NXP were integrated into the Embedded Linux BSP for all i.MX 6 and TK1 based modules, starting from Toradex Embedded Linux BSP release 2.8b3. Please see this release note for more details.

These vulnerabilities can be fixed via software patches. As this issue affects the Arm cores, Arm® is leading the efforts. For the most up-to-date information about the current status, please check: https://developer.arm.com/support/security-update

Toradex is working with NXP® and NVIDIA® to integrate the software patches in the Linux Board Support Packages (BSPs) provided by Toradex.

NVIDIA also provides public information about the status of the TK1 SoC; please see: http://nvidia.custhelp.com/app/answers/detail/a_id/4616

Toradex is in contact with Microsoft about this issue, but currently there is no roadmap for fixes.

Is my product at risk?

To exploit these security vulnerabilities, carefully crafted malware must be loaded onto the system. On many embedded systems, the OEM controls which software can run on the system, which reduces the risk. The high degree of customization and the relatively low volumes of embedded systems make a large general attack unlikely. We are not able to give a general recommendation, and you will need to assess the risk for your particular device depending on the use case. In general, it is recommended to allow only authenticated software to be executed.


See Also:
https://developer.toradex.com/knowledge-base/access-security(colibri)

https://www.toradex.com/blog/wannacry-cyber-attack-impact-on-wince

https://developer.toradex.com/knowledge-base/webinterface

https://developer.toradex.com/knowledge-base/registry-access-using-program