Advisory Summary
This vulnerability may be present in any system using the UFS Boot feature, regardless of manufacturer. The UFS boot feature is provided by UFS devices to support platforms that need to download the system boot loader from an external non-volatile source. To accomplish this, the host reads the Boot Well Known Logical Unit (BOOT WKLU) data at system startup. This step is required for the platform to access the host SoC boot code.
The attack scenarios allow an attacker to completely disable the boot capability of the host platform, rendering the platform useless, or, in some cases, to revert the platform to an older version of the boot loader code. These scenarios may arise due to improper validation of UFS attributes in the host boot ROM code. The attack scenarios typically require elevated permissions on the UFS host, which may be obtained through a separate chain of vulnerabilities involving escalation of privileges. Physical access to the host platform or device is not required.
Disabling platform boot capability scenario:
An attacker who has the requisite permissions to access the bBootLunEn attribute may disable the UFS Boot feature by setting the bBootLunEn attribute to 0x0 in the UFS device. After platform power-up or reset, the host Boot ROM code tries to read the Boot Well Known Logical Unit data from the UFS device; because the UFS Boot feature has been disabled, the read fails and the host is no longer able to boot.
Downgrade attack scenario:
In the downgrade attack scenario, the adversary sets bBootLunEn to the alternate Boot LU, causing the host platform to boot with a potentially older version of the boot code.
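The two scenarios above both come down to the boot ROM trusting bBootLunEn as read from the device. The following C model, added here as an illustration and not code from the advisory or from any vendor's boot ROM, contrasts a naive boot path with one that validates the attribute against a host-side policy. It assumes the bBootLunEn encodings from the JEDEC UFS specification (0x0 disabled, 0x1 Boot LU A, 0x2 Boot LU B), and it assumes, purely for the sake of the example, that the SoC holds a fused record of the committed boot LU and an anti-rollback version floor, and that the ROM can write the attribute back before reading the Boot WKLU. The device, the per-LU image versions and the policy are all constructed in-memory stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* bBootLunEn encodings per the JEDEC UFS specification (assumption stated in the lead-in). */
#define UFS_BOOT_LUN_DISABLED 0x00u
#define UFS_BOOT_LUN_A        0x01u
#define UFS_BOOT_LUN_B        0x02u

/* Constructed model of the UFS device state that matters for boot. */
typedef struct {
    uint8_t  bBootLunEn;   /* persistent, host-writable attribute the attacker can change */
    uint32_t version[3];   /* index 1 = image version in Boot LU A, index 2 = Boot LU B */
} ufs_device_t;

/* Constructed model of host-side policy held in SoC fuses/OTP (hypothetical). */
typedef struct {
    uint8_t  active_boot_lun;   /* the Boot LU the platform committed to (A or B) */
    uint32_t min_version;       /* anti-rollback floor for the boot loader image */
} host_policy_t;

typedef enum {
    BOOT_OK = 0,
    BOOT_FAIL_DISABLED,    /* bBootLunEn == 0x0, so the Boot WKLU read fails */
    BOOT_FAIL_UNREADABLE,  /* Boot WKLU still unreadable after restoring the attribute */
    BOOT_FAIL_ROLLBACK     /* image version below the fused floor */
} boot_status_t;

/* Simulated Boot WKLU read: only succeeds when bBootLunEn selects LU A or LU B. */
static bool read_boot_wklu(const ufs_device_t *dev, uint32_t *version_out) {
    if (dev->bBootLunEn != UFS_BOOT_LUN_A && dev->bBootLunEn != UFS_BOOT_LUN_B)
        return false;
    *version_out = dev->version[dev->bBootLunEn];
    return true;
}

/* Naive boot ROM: boots whatever bBootLunEn points at, and fails outright when it is 0x0. */
boot_status_t boot_naive(const ufs_device_t *dev, uint32_t *booted_version) {
    if (!read_boot_wklu(dev, booted_version))
        return BOOT_FAIL_DISABLED;
    return BOOT_OK;
}

/* Hardened boot ROM: compares the attribute with the fused policy, restores it when it
   differs (a Query Request attribute write on real hardware, modelled as an assignment),
   then refuses images older than the anti-rollback floor. */
boot_status_t boot_hardened(ufs_device_t *dev, const host_policy_t *pol,
                            uint32_t *booted_version, bool *tamper_detected) {
    *tamper_detected = false;
    if (dev->bBootLunEn != pol->active_boot_lun) {
        /* Disabled or redirected to the other Boot LU: record it and restore the committed value. */
        *tamper_detected = true;
        dev->bBootLunEn = pol->active_boot_lun;
    }
    if (!read_boot_wklu(dev, booted_version))
        return BOOT_FAIL_UNREADABLE;
    if (*booted_version < pol->min_version)
        return BOOT_FAIL_ROLLBACK;
    return BOOT_OK;
}

int main(void) {
    /* Constructed scenario: LU A carries version 7 (current), LU B version 3 (old). */
    host_policy_t policy = { UFS_BOOT_LUN_A, 7 };
    uint32_t v; bool tampered;

    ufs_device_t bricked = { UFS_BOOT_LUN_DISABLED, { 0, 7, 3 } };
    printf("naive, bBootLunEn=0x0    -> status %d\n", boot_naive(&bricked, &v));
    printf("hardened, bBootLunEn=0x0 -> status %d, tampered=%d, version=%u\n",
           boot_hardened(&bricked, &policy, &v, &tampered), tampered, v);

    ufs_device_t downgraded = { UFS_BOOT_LUN_B, { 0, 7, 3 } };
    printf("naive, bBootLunEn=0x2    -> status %d, version=%u\n", boot_naive(&downgraded, &v), v);
    printf("hardened, bBootLunEn=0x2 -> status %d, tampered=%d, version=%u\n",
           boot_hardened(&downgraded, &policy, &v, &tampered), tampered, v);
    return 0;
}
```

The tamper flag is what a defender would want surfaced: a boot ROM that silently repairs the attribute hides the fact that something with write access to UFS attributes ran on the platform, so the hardened path reports it alongside the boot result. The rollback check covers the case where the policy itself legitimately points at the alternate LU but that LU holds an image older than the fused floor.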