Does Spectre and Meltdown affect Beaglebone Black?

218 views
Skip to first unread message

Luther Goh Lu Feng

unread,
Jan 7, 2018, 1:52:45 PM1/7/18
to BeagleBoard
I am under the impression that BBB is affected as it runs AM335x 1GHz ARM® Cortex-A8. What are the mitigations/recommendations to address this, if any?

--Luther

Robert Nelson

unread,
Jan 7, 2018, 2:00:33 PM1/7/18
to Beagle Board
On Sun, Jan 7, 2018 at 12:52 PM, 'Luther Goh Lu Feng' via BeagleBoard
<beagl...@googlegroups.com> wrote:
> I am under the impression that BBB is affected as it runs AM335x 1GHz ARM® Cortex-A8. What are the mitigations/recommendations to address this, if any?

Well, according to "ARM":

https://developer.arm.com/support/security-update

No : indicates not affected by the particular variant.
Yes : indicates affected by the particular variant but has a
mitigation (unless otherwise stated).

Cortex-A8

Variant 1:Yes (under review)
Variant 2: Yes
Variant 3: No
Variant 3a: No

Regards,

--
Robert Nelson
https://rcn-ee.com/

Jason Kridner

unread,
Jan 7, 2018, 3:50:37 PM1/7/18
to beagl...@googlegroups.com
This leaves a lot of questions for me. TI is working on a more formal response that better summarizes our/their position. There are a number of mitigations, but I think more analysis should be performed to determine the confidence-level they provide. GKH has some thoughtful blog material, but also stops short of being conclusive. I've heard some question if VFP or NEON provide additional attack vectors.

Fundamentally, I think those of us making embedded systems need to be conscientious of what untrusted code we allow to run on our systems and that there are likely more interesting attack vectors, depending on how we secure our systems.

For example, do you disable ssh and evaluate the security of other network-based servers on the system? I just mean that Meltdown and Spectre attacks assume some ability to run userspace code on your system and you should probably already be preventing that. IoT worms/trojans and/or web server overflow bugs are more likely to be a security issue in an embedded system.

In yet more other words, security requirements should be considered at a system-design level and a one-size-fits all solution of chasing down the latest issues facing desktop systems isn't likely to address your security needs.

Hope this didn't come across as deflective or rude, as I do think a good analysis of the BeagleBone/BeagleBoard risks related to Meltdown/Spectre are necessary. I just don't think the analysis or the mitigations are ready to declare at this time.

In addition to Robert's link, you can read http://www.kroah.com/log/blog/2018/01/06/meltdown-status/ as well.
 
The ARM recommended mitigations look a bit complex at this point, but are worth examining if you have concerns about the information that can be recovered using these attack methods and your system is exposed to them.


Regards,

--
Robert Nelson
https://rcn-ee.com/

--
For more options, visit http://beagleboard.org/discuss
---
You received this message because you are subscribed to the Google Groups "BeagleBoard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to beagleboard...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/beagleboard/CAOCHtYjY%3DG3nEF7eCYi8tmSdRPdxCRbvaRhfOfDt4n-ak%2BqveA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


--

Roberts Maria

unread,
Jan 7, 2018, 7:01:57 PM1/7/18
to beagl...@googlegroups.com

--------------------------------------------
On Sun, 1/7/18, Jason Kridner <jkri...@beagleboard.org> wrote:

Subject: Re: [beagleboard] Does Spectre and Meltdown affect Beaglebone Black?
To: beagl...@googlegroups.com
Date: Sunday, January 7, 2018, 11:50 PM
To view this discussion on the web visit https://groups.google.com/d/msgid/beagleboard/CA%2BT6QP%3DixDcmWjOviCTkOPWfq%3D2iUFYsTZ0Jp7YnZ6GeJpLbOA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.
n aceste conditii la 17 august 1867 incepea guvernarea celui de-al doilea 3t liberal'care are la baza intelegerea de la Concordia . Prim-ministru este nnat stefan Golescu care activase in guvernele revolutionare de Ia 1848 si lase un guvern al tarii Romanesti in 1861.

Jason Kridner

unread,
Jan 7, 2018, 8:57:22 PM1/7/18
to beagl...@googlegroups.com

Robert Nelson

unread,
Jan 7, 2018, 9:20:28 PM1/7/18
to Beagle Board
> One useful mitigation:
> http://lists.infradead.org/pipermail/linux-arm-kernel/2018-January/552243.html

Okay, that's a lot better..

From ARM's website, it really looked like ARM didn't care about the
arm32 (A8/A9/A15/A17) family...

Robert Nelson

unread,
Jan 7, 2018, 9:22:40 PM1/7/18
to Beagle Board
On Sun, Jan 7, 2018 at 8:19 PM, Robert Nelson <robert...@gmail.com> wrote:
>> One useful mitigation:
>> http://lists.infradead.org/pipermail/linux-arm-kernel/2018-January/552243.html
>
> Okay, that's a lot better..
>
> From ARM's website, it really looked like ARM didn't care about the
> arm32 (A8/A9/A15/A17) family...

PS, it would be nice to see a proof of concept exploit on the A8, then
we can prove
those mitigation actually work.. ;)

Jason Kridner

unread,
Jan 9, 2018, 11:17:14 AM1/9/18
to beagl...@googlegroups.com

--
For more options, visit http://beagleboard.org/discuss
---
You received this message because you are subscribed to the Google Groups "BeagleBoard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to beagleboard...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/beagleboard/CAOCHtYjjWUbaGa_xLN3KDjNL7BMAZ1HsQWT-EMzvjsP4msjYAQ%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.


--
Reply all
Reply to author
Forward
0 new messages