Samsung: RKP kernel protection bypass via lack of MSR trapping on Qualcomm devices  




As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.

In order to prevent EL0 and EL1 code from creating disallowed memory mappings (e.g., disabling PXN on areas not in the kernel text or enabling write permissions to a kernel code page), RKP employs a system through which all modifications to the S1 translation table are validated by the hypervisor. Moreover, RKP marks the EL0 and EL1 translation tables as read-only in the stage 2 translation table for EL0/1.

On devices based on the Exynos SoC, RKP sets the TVM bit in HCR_EL2 in order to trap all requests to modify memory management control registers in EL1. These requests can then be processed according to the policy enforced by RKP in order to make sure they comply with the "allowed" set of memory mappings.

However, on Qualcomm devices RKP does not set the TVM bit, allowing all MSRs from EL1 to be executed without trapping into EL2. This allows an attacker to subvert RKP's memory mapping policies.

As noted in previous reports, an attacker may modify the value of TTBR1 in order to set locations other than kernel memory as executable (removing PXN), thus allowing the execution of arbitrary code in the kernel (without tripping kernel integrity checks). Moreover, there is no shortage of MSR opcodes which are executable from EL1, since all RKP code is freely executable from EL1 (also noted in previous reports).

I've dynamically verified this issue by examining the value of HCR_EL2 in the RKP debug log (/proc/tima_debug_rkp_log), on a fully updated Galaxy S7 (G930U). I've also verified that the HYP binary does not contain trap handlers for emulation of opcodes trapped by HCR.TVM.

This issue can be addressed by setting HCR.TVM and implementing trap handlers in EL2 for MSRs to sensitive memory management control registers executed by EL1.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.



Found by: laginimaineb