CWE-1326: Missing Immutable Root of Trust in Hardware

Description

A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code.

A System-on-Chip (SoC) implements secure boot by verifying or authenticating signed boot code. The signing of the code is achieved by an entity that the SoC trusts. Before executing the boot code, the SoC verifies that the code or the public key with which the code has been signed has not been tampered with. The other data upon which the SoC depends are system-hardware settings in fuses such as whether "Secure Boot is enabled". These data play a crucial role in establishing a Root of Trust (RoT) to execute secure-boot flows. One of the many ways RoT is achieved is by storing the code and data in memory or fuses. This memory should be immutable, i.e., once the RoT is programmed/provisioned in memory, that memory should be locked and prevented from further programming or writes. If the memory contents (i.e., RoT) are mutable, then an adversary can modify the RoT to execute their choice of code, resulting in a compromised secure boot. Note that, for components like ROM, secure patching/update features should be supported to allow authenticated and authorized updates in the field.

Potential Impact

Authentication, Authorization

Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Modify Memory

Demonstrative Examples

The RoT is stored in memory. This memory can be modified by an adversary. For example, if an SoC implements "Secure Boot" by storing the boot code in an off-chip/on-chip flash, the contents of the flash can be modified by using a flash programmer. Similarly, if the boot code is stored in ROM (Read-Only Memory) but the public key or the hash of the public key (used to enable "Secure Boot") is stored in Flash or a memory that is susceptible to modifications or writes, the implementation is vulnerable.
In general, if the boot code, key materials and data that enable "Secure Boot" are all mutable, the implementation is vulnerable.
Good architecture defines RoT as immutable in hardware. One of the best ways to achieve immutability is to store boot code, public key or hash of the public key and other relevant data in Read-Only Memory (ROM) or One-Time Programmable (OTP) memory that prevents further programming or writes.

The example code below is a snippet from the bootrom of the HACK@DAC'19 buggy OpenPiton SoC [REF-1348]. The contents of the bootrom are critical in implementing the hardware root of trust.

It performs security-critical functions such as defining the system's device tree, validating the hardware cryptographic accelerators in the system, etc. Hence, write access to bootrom should be strictly limited to authorized users or removed completely so that bootrom is immutable. In this example (see the vulnerable code source), the boot instructions are stored in bootrom memory, mem. This memory can be read using the read address, addr_i, but write access should be restricted or removed.

Bad

...
                            always_ff @(posedge clk_i) begin
                                if (req_i) begin
                                    if (!we_i) begin
										raddr_q <= addr_i[$clog2(RomSize)-1+3:3];
										end else begin
										mem[addr_i[$clog2(RomSize)-1+3:3]] <= wdata_i;
										end
									end
								end
                        	...
							
								// this prevents spurious Xes from propagating into the speculative fetch stage of the core
							
							assign rdata_o = (raddr_q < RomSize) ? mem[raddr_q] : '0;
							...

The vulnerable code shows an insecure implementation of the bootrom where bootrom can be written directly by enabling write enable, we_i, and using write address, addr_i, and write data, wdata_i.  

To mitigate this issue, remove the write access to bootrom memory. [REF-1349]

Good

...
                            always_ff @(posedge clk_i) begin
                                if (req_i) begin
										raddr_q <= addr_i[$clog2(RomSize)-1+3:3];
									end
								end
                        	...
							
								// this prevents spurious Xes from propagating into the speculative fetch stage of the core
							
							assign rdata_o = (raddr_q < RomSize) ? mem[raddr_q] : '0;
							...

Mitigations & Prevention

Architecture and Design

When architecting the system, the RoT should be designated for storage in a memory that does not allow further programming/writes.

Implementation

During implementation and test, the RoT memory location should be demonstrated to not allow further programming/writes.

Detection Methods

Automated Dynamic Analysis High — Automated testing can verify that RoT components are immutable.
Architecture or Design Review High — Root of trust elements and memory should be part of architecture and design reviews.

Frequently Asked Questions

What is CWE-1326?

CWE-1326 (Missing Immutable Root of Trust in Hardware) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code.

How can CWE-1326 be exploited?

Attackers can exploit CWE-1326 (Missing Immutable Root of Trust in Hardware) to gain privileges or assume identity, execute unauthorized code or commands, modify memory. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-1326?

Key mitigations include: When architecting the system, the RoT should be designated for storage in a memory that does not allow further programming/writes.

What is the severity of CWE-1326?

CWE-1326 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.