Information about vulnerability of Toradex System on Modules to Speculative Side Channel Attacks aka Meltdown and Spectre

Friday, January 19, 2018
Meltdown and Spectre

Google research found an issue in many modern processors which can allow programs to access protected data. This could enable potential attacker software to defeat memory access controls and get access to confidential and sensitive information such as passwords.

There are three different variations of the vulnerability; CVE-2017-5753 and CVE-2017-5715 called “Spectre” and CVE-2017-5754 known as “Meltdown”.
For more details about the vulnerability, please visit: https://spectreattack.com/

Meltdown and Spectre

Is my Toradex System on Module affected?

Toradex Products Arm Core Variant 1
SPECTRE
CVE-2017-5753
Variant 2
SPECTRE
CVE-2017-5715
Variant 3
MELTDOWN
CVE-2017-5754
Colibri VF50
Colibri VF61
Cortex®-A5 Not Affected Not Affected Not Affected
Colibri iMX6ULL
Colibri iMX7
Cortex®-A7 Not Affected Not Affected Not Affected
Colibri iMX6S
Colibri iMX6DL
Colibri T30
Colibri T20
Apalis iMX6D
Apalis iMX6Q
Apalis T30
Cortex®-A9 Affected Affected Not Affected
Apalis TK1 Cortex®-A15 Affected Affected Not Affected
Colibri PXA270
Colibri PXA300
Colibri PXA310
Colibri PXA320
XScale® Not Affected Not Affected Not Affected

The Cortex®-M4 Cores on the Colibri VF61, Colibri iMX7, and Apalis TK1 are not affected.

What is Toradex doing to patch the vulnerabilities?

These vulnerabilities can be fixed via software patches. As this issue affects the Arm Cores, Arm® is leading the efforts. For the most up to date information about the current status, please check: https://developer.arm.com/support/arm-security-updates

Toradex is working with NXP® and NVIDIA® to integrate the software patches in the Linux Board Support Packages (BSPs) provided by Toradex.

NVIDIA also provides public information about the status of the TK1 SoC, please see: http://nvidia.custhelp.com/app/answers/detail/a_id/4616

Toradex is in contact with Microsoft regarding patches for Windows Embedded Compact. We will provide updates as soon as we have a roadmap.

Is my product at risk?

To exploit these security vulnerabilities, a carefully crafted malware must be loaded onto the system. On many embedded systems, the OEM is controlling the software which can run on the system which reduces the risk. The high degree of customizations and relatively low volumes of embedded systems make a large general attack unlikely. We are not able to give a general recommendation, and you will need to assess the risk for your particular device depending on the use case. In general, it is recommended only to allow authenticated software to be executed.

We will proivde future updates via our Developer Center.

If you have any questions, please contact us on the community, via support email, or call your local Toradex Office.

Have a Question?