Frequently asked questions
Can you explain the problem in layman's terms?
- Security researchers have found a new way to use an existing side-channel technique. It could allow small pieces of data to be read even while the processor is operating exactly as designed, without any hardware flaw.
- This method is dependent on malware running locally and could be used to access data from privileged memory (DRAM or CPU cache).
- Our silicon partners have been notified and if their chips are impacted, we are encouraging them to implement the software mitigations we have worked with Intel, AMD, and our OS ecosystem to develop.
Since Arm is working with Intel and AMD, this must be more serious than you're letting on right?
No. Arm, Intel, and AMD were the companies notified by Project Zero and, as this was an industry-wide issue, it was important to have the three companies, which have a history of collaborating on industry standards, work together to develop mitigations.
What kind of data is vulnerable?
Malware using this method and running locally could expose data such as passwords and encryption keys.
What is a cache side-channel attack?
By measuring the time taken to execute instructions that access memory (such as loads or stores), it is possible to infer which items are currently in the cache. From that, the addresses that were used to bring those items into the cache can be deduced, and with them any data that influenced those addresses.
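The inference described above, as an added example that is not part of Arm's FAQ: a deterministic model of a Flush+Reload cache-timing probe written for this page. The cache is modelled as a set of present/absent probe lines, and assumed hit and miss latencies stand in for the cycle counts an attacker would read from a cycle counter on real hardware; the line size, the latencies and the sample secret are all constructed. The victim only touches an address derived from a secret byte; the attacker then times a reload of every line, and the one that comes back fast identifies the address that was used, and so the byte.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not Arm's code: a deterministic model of a Flush+Reload
 * cache-timing probe. The "cache" is a bitmap of which lines of a probe
 * array are present; a modelled load returns a latency that is short on a
 * hit and long on a miss. The latencies (assumed) stand in for the cycle
 * counts measured with a cycle counter on real hardware. */

#define LINE_BYTES   64      /* assumed cache line size */
#define PROBE_LINES  256     /* one line per possible byte value */
#define HIT_LATENCY  40      /* assumed: cached access, in "cycles" */
#define MISS_LATENCY 300     /* assumed: DRAM access, in "cycles" */

/* Model state: which lines of the probe array are currently cached. */
static uint8_t cached[PROBE_LINES];
static uint8_t probe[PROBE_LINES * LINE_BYTES];

/* Evict every probe line: the "flush" step. */
static void flush_probe(void)
{
    memset(cached, 0, sizeof cached);
}

/* A modelled load: returns the latency and pulls the line into the cache,
 * exactly as a real load would regardless of who issued it. */
static unsigned timed_load(size_t offset)
{
    size_t line = offset / LINE_BYTES;
    unsigned latency = cached[line] ? HIT_LATENCY : MISS_LATENCY;
    cached[line] = 1;
    (void)probe[offset];
    return latency;
}

/* The victim: code that touches memory at an address derived from a secret
 * byte. It never returns the secret; the only trace it leaves is one cache
 * line that is now present. */
static void victim_touch(uint8_t secret)
{
    timed_load((size_t)secret * LINE_BYTES);
}

/* The attacker: time a load of every line and pick the one that hit.
 * Returns the recovered byte, or -1 if no single line was clearly faster. */
static int reload_and_infer(void)
{
    int best = -1;
    for (int i = 0; i < PROBE_LINES; i++) {
        unsigned t = timed_load((size_t)i * LINE_BYTES);
        if (t <= HIT_LATENCY) {
            if (best != -1)
                return -1;       /* ambiguous: more than one line hit */
            best = i;
        }
    }
    return best;
}

/* One Flush+Reload round: flush, let the victim run, reload and infer. */
static int recover_secret(uint8_t secret)
{
    flush_probe();
    victim_touch(secret);
    return reload_and_infer();
}

int main(void)
{
    const char *secret = "hunter2";         /* constructed sample secret */
    char out[sizeof "hunter2"] = { 0 };
    for (size_t i = 0; secret[i]; i++) {
        int b = recover_secret((uint8_t)secret[i]);
        out[i] = b < 0 ? '?' : (char)b;
    }
    printf("recovered: %s\n", out);
    return 0;
}
```

On real hardware the flush is a cache-maintenance or eviction step and the measured latencies are noisy, so the probe is repeated and the line that hits most often is taken; the model removes that noise to show the inference itself.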
What is Google Project Zero and why is this information being disclosed?
Any questions about Google Project Zero should be directed to Google.
What does this mean for the average mobile user?
This technique still requires bad actors to execute malicious code on the device, which means it's imperative for mobile users to practice good security hygiene by keeping their software up to date and avoiding suspicious links or downloads.
Can you explain the implications of the variants and what this means?
The three variants Project Zero has identified all make use of the processor's speculative execution, and can potentially be used to extract information that would not otherwise be accessible to software.
When did you find out?
Google Project Zero notified Arm, Intel, and AMD, in June 2017.
What did you do upon being notified by Project Zero?
We immediately notified our architecture licensees (who create their own processor designs) so they could start testing their processors, while we started testing our own processor designs. We assessed the scope of impact and worked together as an industry-wide effort including OS providers on software mitigation measures designed to run on Arm processors. We have communicated our recommended mitigation measures to all affected silicon partners.
Why didn’t you do something sooner?
There was no delay between Google providing details of the new technique and Arm starting to take action.
What have you done with Google Project Zero since they notified you?
We cannot provide specifics on our ongoing communications with Project Zero beyond what's captured in their blog.
What Arm chips are impacted?
- No Cortex-M processors are impacted. The M-profile designs do not perform sufficient speculation to create this issue.
- Most Cortex-R processors are not impacted. Two out-of-order, speculative Cortex-R processors could in theory be affected, but their typical use cases are not open platforms: the processes that run on them are tightly controlled, which would prevent a side-channel process or application from being installed and so avoids this situation.
- Information on which Cortex-A and Cortex-R processors are impacted, by variant, can be found at www.arm.com/security-update
Can you estimate how many chips are impacted?
We are not providing that information at this time.
What consumer products are affected? PCs? Servers? Data centers? Enterprise networking equipment?
Advanced processors are a part of all sorts of devices. This new technique doesn't give attackers a master key to anything. It is another tool in their tool bag, and we will be addressing it in our next processor design.
Are Arm chips safer than Intel's?
This is an industry-wide concern that can have varying impact on all modern CPUs that run applications.
Can you describe the three security issue variants?
It's important to note that all variants are locally executed cache timing side-channel attacks requiring installation of malicious code on the system.
- Variant No. 1: Bounds Check Bypass - Existing code that has access to secrets is made to speculatively execute memory operations with out-of-range arguments.
- Variant No. 2: Branch Target Injection - Malicious code manipulates the CPU's branch prediction so that it speculatively runs code of the attacker's choosing.
- Variant No. 3: Rogue Data Cache Load - Memory controlled by the OS is accessed from a malicious application.
Spectre is an alternative name for Variants 1 and 2, and Meltdown is an alternative name for Variant 3.
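The Variant 1 pattern and the index-clamping idiom used to harden it, as an added example that is not part of Arm's FAQ or of Arm's published patches. The unhardened and hardened forms are architecturally identical; the difference is only in what can be read during speculation, which plain C cannot observe, so the checkable property is that the clamp maps every out-of-range index to 0 by data flow rather than by a predictable branch. The portable mask is the generic form of the Linux kernel's array_index_mask_nospec(); the arm64 path reproduces the kernel's cmp/sbc sequence followed by the CSDB barrier (encoded as HINT #20). Both come from the upstream kernel source, not from this page, and the array sizes and contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Added example, not Arm's code. The Variant 1 (bounds check bypass) target
 * pattern and the branch-free index clamp used to harden it. */

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Constructed sample data. The value read from array1 selects a line of
 * array2, so the cache footprint of the second access reveals that value. */
enum { ARRAY1_SIZE = 16, STRIDE = 512 };
static const uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                             9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * STRIDE];

/* Returns ~0UL when index < size and 0 otherwise, without a branch, so the
 * result comes from data flow rather than from prediction. Assumes
 * size <= LONG_MAX. This mirrors Linux's array_index_mask_nospec(): the
 * portable form below, and on arm64 the kernel's cmp/sbc/CSDB sequence. */
static unsigned long array_index_mask_nospec(unsigned long index,
                                             unsigned long size)
{
#if defined(__aarch64__) && defined(__GNUC__)
    unsigned long mask;
    __asm__ volatile(
        "cmp %1, %2\n\t"
        "sbc %0, xzr, xzr\n\t"   /* 0 - 0 - !carry: all ones iff index < size */
        "hint #20\n\t"           /* CSDB: consumption of speculative data barrier */
        : "=r"(mask) : "r"(index), "r"(size) : "cc");
    return mask;
#else
#if defined(__GNUC__)
    /* Stop the compiler folding the mask away using what it believes about
     * index: it does not know the value index takes under speculation. */
    __asm__("" : "+r"(index));
#endif
    /* index | (size - 1 - index) has its top bit set exactly when
     * index >= size (the subtraction wraps). Move that bit down to a 0/1
     * flag and subtract 1: out of range gives 0, in range gives ~0UL. */
    return ((index | (size - 1UL - index)) >> (BITS_PER_LONG - 1)) - 1UL;
#endif
}

/* Variant 1 target as it appears in unhardened code: the bound check is an
 * easily trained branch, and while speculating past a misprediction
 * array1[x] can be an out-of-bounds read whose value then selects a cache
 * line of array2. */
static uint8_t gadget_unhardened(unsigned long x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * STRIDE];
    return 0;
}

/* Hardened form: the index that reaches the load is clamped by data flow,
 * so even a speculatively executed body reads within array1. */
static uint8_t gadget_hardened(unsigned long x)
{
    if (x < ARRAY1_SIZE) {
        x &= array_index_mask_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * STRIDE];
    }
    return 0;
}

/* What the clamp alone does to an attacker-chosen index. */
static unsigned long clamped_index(unsigned long x)
{
    return x & array_index_mask_nospec(x, ARRAY1_SIZE);
}

int main(void)
{
    /* constructed probe indices, in range and out of range */
    unsigned long probes[] = { 0, 5, 15, 16, 1000, ULONG_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %lu -> clamped %lu\n", probes[i], clamped_index(probes[i]));
    return 0;
}
```

The clamp is only useful on a path where the bound check itself has already been identified as reachable with attacker-controlled input; the kernel applies it per site rather than to every array access.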
Is there a fix?
There are a number of different variants and each will have a different set of mitigations.
Are software mitigations available, and will I get them?
The major operating systems running on Arm are aware of these issues and are deploying software mitigations. Please contact the suppliers of that software for their plans in this regard.
Linux patches are now under community review and can be found here: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/log/?h=kpti.
Arm trusted firmware patches are being made available through GitHub: https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Security-Advisory-TFV-6. Specifications of the changes required in Firmware are available here.
Will future Arm cores and architectures address this?
Future implementations will reduce the scope for exploiting these side-channels and will provide further tools to help software be more robust to them.
Where can I get information about Arm's architecture partners?
We will post links to our partners' information as it becomes available to us. However, any questions related to our partners should be directed to them.
Is Google's Retpoline considered effective for mitigating Variant 2 vulnerability on Arm based systems?
Arm has investigated the use of retpoline and has concluded that it doesn't provide effective mitigation on Arm-based systems. Retpoline relies on specific aspects of the design of the branch prediction logic in the CPU, which do not apply to Arm-based systems.
Variant 2 mitigations for Arm systems have been implemented in the Linux kernel and Arm Trusted Firmware and can be implemented in other operating systems. For details see www.arm.com/security-update.
See our FAQ "Are software mitigations available, and will I get them?" for more information.
Will compilers provide mitigations for Variant 2?
Arm is not currently aware of any effective compiler-based mitigation techniques (such as retpolines) for Variant 2.
Variant 2 mitigations for Arm systems have been implemented in the Linux kernel and Arm Trusted Firmware, and can be implemented in other operating systems. For details see www.arm.com/security-update.
What are SpectrePrime and MeltdownPrime and will additional work be required to mitigate these variants?
The terms SpectrePrime and MeltdownPrime come from a recently published paper here.
This new information does not affect Arm's existing mitigations for Variants 1, 2 or 3 - these will already be effective against the 'prime' variations.