chipsalliance / caliptra-sw

Caliptra software (ROM, FMC, runtime firmware), and libraries/tools needed to build and test
Apache License 2.0

Runtime CFI check of mailbox lock causes race condition #1546

Closed rusty1968 closed 4 months ago

rusty1968 commented 4 months ago

The second read of the lock register was inserted to prevent a glitch attack from bypassing the FIPS self-test logic and executing a different mailbox command. However, the second read causes a race condition and the SoC can maliciously or accidentally force Caliptra to crash by releasing the lock at the time the CFI check of the lock is performed.

Given an attacker can prevent FIPS self-test from happening by just controlling the acquisition and release of the lock, the CFI check is not protecting much and can potentially be removed altogether.
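An added illustration of the race described above, not code from the caliptra-sw tree: a constructed `LockRegister` stands in for the mailbox lock register, and a closure models whatever the SoC does in the window between the two reads.

```rust
// Model of the mailbox-lock double read (constructed example, not Caliptra code).
use std::sync::atomic::{AtomicBool, Ordering};

/// Stand-in for the mailbox lock register. `true` means the lock is held.
pub struct LockRegister {
    locked: AtomicBool,
}

impl LockRegister {
    pub fn new(locked: bool) -> Self {
        Self { locked: AtomicBool::new(locked) }
    }
    /// One read of the register, as the firmware would do.
    pub fn read(&self) -> bool {
        self.locked.load(Ordering::SeqCst)
    }
    /// The SoC side acquiring or releasing the lock; it may do so at any time.
    pub fn soc_set(&self, locked: bool) {
        self.locked.store(locked, Ordering::SeqCst);
    }
}

/// The two reads disagreed. In the firmware this path is fatal (the crash in the issue).
#[derive(Debug, PartialEq)]
pub struct CfiMismatch;

/// Original pattern: read the lock, re-read it as a CFI check, and require both
/// reads to agree. `between_reads` is the race window the SoC can act in.
pub fn lock_held_double_read(
    reg: &LockRegister,
    between_reads: impl FnOnce(&LockRegister),
) -> Result<bool, CfiMismatch> {
    let first = reg.read();
    between_reads(reg); // SoC may release the lock here
    let second = reg.read();
    if first != second {
        return Err(CfiMismatch); // forced by a release timed into the window
    }
    Ok(first)
}

/// Change proposed in the issue: a single read with no second compare. The SoC
/// can still release the lock afterwards, but cannot make this call fail.
pub fn lock_held_single_read(reg: &LockRegister) -> bool {
    reg.read()
}
```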

sree-revoori1 commented 4 months ago

LGTM, thanks for finding this