[BUG] Cross-privilege TLB leakage through SLS

[TobiasKovats]

Is there an existing CVA6 bug for this?

• I have searched the existing bug issues

Bug Description

Hi!

Our microarchitectural fuzzer has found that CVA6 is susceptible to SLS (straight-line speculation [1]) and thus allows leakage through the TLB across privileges. Since speculatively issued loads and stores from a higher privilege access the TLB, their addresses can be recovered from a lower privilege. Thus, privileged code that (architecturally) does not leak any sensitive data through its control flow or memory operations, leaks transiently to an unprivileged attacker.

We provide a snippet from the generated test case bellow:

...
0xffffffd8200a244c lw      s2, 456(ra) # load some privileged data from S-mode
...
0xffffffd8200a2dd8 sret   # SPP=1, so we remain in S-mode
0xffffffd8200a2ddc sb      t0,-1338(a0)  # the store is executed transiently before we go to SEPC, and privileged data in a0 is used to access the TLB before the store is killed.
...
0xffffffd8200d0f50 sret # SPP=0, so we go to U-mode. The TLB is not flushed.
...
0xffffffd820067b50 sh      t0, -754(t2) # a store now leaks from the TLB.
...

We provide the ELF of the leaking test below, which can be executed using the setup of Cascade.

testcase.tar.gz

[1] https://developer.arm.com/documentation/102825/latest/