From f10dd3e03938bb0dba6f0671289bf512c233a2ce Mon Sep 17 00:00:00 2001 From: Sandrine Bailleux Date: Tue, 10 May 2022 14:55:01 +0200 Subject: [PATCH 1/3] docs(threat-model): cosmetic changes - Add empty lines after titles. - Reduce number of highlighting characters to fit title length. - Remove most ``monospaced text``. I think most of it looked weird in the rendered HTML version and it had no obvious meaning. Change-Id: I5f746a3de035d8ac59eec0af491c187bfe86dad7 Signed-off-by: Sandrine Bailleux --- docs/threat_model/threat_model.rst | 357 +++++++++++++++-------------- 1 file changed, 183 insertions(+), 174 deletions(-) diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst index 072babc56..d7cbaf6b1 100644 --- a/docs/threat_model/threat_model.rst +++ b/docs/threat_model/threat_model.rst @@ -1,9 +1,10 @@ Generic Threat Model ******************** -************************ +************ Introduction -************************ +************ + This document provides a generic threat model for TF-A firmware. .. note:: @@ -11,9 +12,10 @@ This document provides a generic threat model for TF-A firmware. This threat model doesn't consider Root and Realm worlds introduced by :ref:`Realm Management Extension (RME)`. -************************ +******************** Target of Evaluation -************************ +******************** + In this threat model, the target of evaluation is the Trusted Firmware for A-class Processors (TF-A). This includes the boot ROM (BL1), the trusted boot firmware (BL2) and the runtime EL3 firmware (BL31) as @@ -35,7 +37,8 @@ assumptions: Secure-EL2 software. Data Flow Diagram -====================== +================= + Figure 1 shows a high-level data flow diagram for TF-A. The diagram shows a model of the different components of a TF-A-based system and their interactions with TF-A. A description of each diagram element 
@@ -51,26 +54,26 @@ are considered untrusted by TF-A. +-----------------+--------------------------------------------------------+ | Diagram Element | Description | +=================+========================================================+ - | ``DF1`` | | At boot time, images are loaded from non-volatile | + | DF1 | | At boot time, images are loaded from non-volatile | | | memory and verified by TF-A boot firmware. These | | | images include TF-A BL2 and BL31 images, as well as | | | other secure and non-secure images. | +-----------------+--------------------------------------------------------+ - | ``DF2`` | | TF-A log system framework outputs debug messages | + | DF2 | | TF-A log system framework outputs debug messages | | | over a UART interface. | +-----------------+--------------------------------------------------------+ - | ``DF3`` | | Debug and trace IP on a platform can allow access | + | DF3 | | Debug and trace IP on a platform can allow access | | | to registers and memory of TF-A. | +-----------------+--------------------------------------------------------+ - | ``DF4`` | | Secure world software (e.g. trusted OS) interact | + | DF4 | | Secure world software (e.g. trusted OS) interact | | | with TF-A through SMC call interface and/or shared | | | memory. | +-----------------+--------------------------------------------------------+ - | ``DF5`` | | Non-secure world software (e.g. rich OS) interact | + | DF5 | | Non-secure world software (e.g. rich OS) interact | | | with TF-A through SMC call interface and/or shared | | | memory. | +-----------------+--------------------------------------------------------+ - | ``DF6`` | | This path represents the interaction between TF-A and| + | DF6 | | This path represents the interaction between TF-A and| | | various hardware IPs such as TrustZone controller | | | and GIC. At boot time TF-A configures/initializes the| | | IPs and interacts with them at runtime through | 
@@ -78,9 +81,10 @@ are considered untrusted by TF-A. +-----------------+--------------------------------------------------------+ -********************* +*************** Threat Analysis -********************* +*************** + In this section we identify and provide assessment of potential threats to TF-A firmware. The threats are identified for each diagram element on the data flow diagram above. @@ -91,7 +95,8 @@ that represents the impact and likelihood of that threat. We also discuss potential mitigations. Assets -================== +====== + We have identified the following assets for TF-A: .. table:: Table 2: TF-A Assets 
@@ -99,21 +104,22 @@ We have identified the following assets for TF-A: +--------------------+---------------------------------------------------+ | Asset | Description | +====================+===================================================+ - | ``Sensitive Data`` | | These include sensitive data that an attacker | + | Sensitive Data | | These include sensitive data that an attacker | | | must not be able to tamper with (e.g. the Root | | | of Trust Public Key) or see (e.g. secure logs, | | | debugging information such as crash reports). | +--------------------+---------------------------------------------------+ - | ``Code Execution`` | | This represents the requirement that the | + | Code Execution | | This represents the requirement that the | | | platform should run only TF-A code approved by | | | the platform provider. | +--------------------+---------------------------------------------------+ - | ``Availability`` | | This represents the requirement that TF-A | + | Availability | | This represents the requirement that TF-A | | | services should always be available for use. | +--------------------+---------------------------------------------------+ Threat Agents -===================== +============= + To understand the attack surface, it is important to identify potential attackers, i.e. attack entry points. The following threat agents are in scope of this threat model. 
@@ -123,16 +129,16 @@ in scope of this threat model. +-------------------+-------------------------------------------------------+ | Threat Agent | Description | +===================+=======================================================+ - | ``NSCode`` | | Malicious or faulty code running in the Non-secure | + | NSCode | | Malicious or faulty code running in the Non-secure | | | world, including NS-EL0 NS-EL1 and NS-EL2 levels | +-------------------+-------------------------------------------------------+ - | ``SecCode`` | | Malicious or faulty code running in the secure | + | SecCode | | Malicious or faulty code running in the secure | | | world, including S-EL0 and S-EL1 levels | +-------------------+-------------------------------------------------------+ - | ``AppDebug`` | | Physical attacker using debug signals to access | + | AppDebug | | Physical attacker using debug signals to access | | | TF-A resources | +-------------------+-------------------------------------------------------+ - | ``PhysicalAccess``| | Physical attacker having access to external device | + | PhysicalAccess | | Physical attacker having access to external device | | | communication bus and to external flash | | | communication bus using common hardware | +-------------------+-------------------------------------------------------+ @@ -145,7 +151,8 @@ in scope of this threat model. considered out-of-scope. Threat Types -======================== +============ + In this threat model we categorize threats using the `STRIDE threat analysis technique`_. In this technique a threat is categorized as one or more of these types: ``Spoofing``, ``Tampering``, ``Repudiation``, 
@@ -153,7 +160,8 @@ or more of these types: ``Spoofing``, ``Tampering``, ``Repudiation``, ``Elevation of privilege``. Threat Risk Ratings -======================== +=================== + For each threat identified, a risk rating that ranges from *informational* to *critical* is given based on the likelihood of the threat occuring if a mitigation is not in place, and the impact of the @@ -165,7 +173,7 @@ rating in terms of score, impact and likelihood. +-----------------------+-------------------------+---------------------------+ | **Rating (Score)** | **Impact** | **Likelihood** | +=======================+=========================+===========================+ - | ``Critical (5)`` | | Extreme impact to | | Threat is almost | + | Critical (5) | | Extreme impact to | | Threat is almost | | | entire organization | certain to be exploited.| | | if exploited. | | | | | | Knowledge of the threat | 
@@ -173,17 +181,17 @@ rating in terms of score, impact and likelihood. | | | are in the public | | | | domain. | +-----------------------+-------------------------+---------------------------+ - | ``High (4)`` | | Major impact to entire| | Threat is relatively | + | High (4) | | Major impact to entire| | Threat is relatively | | | organization or single| easy to detect and | | | line of business if | exploit by an attacker | | | exploited | with little skill. | +-----------------------+-------------------------+---------------------------+ - | ``Medium (3)`` | | Noticeable impact to | | A knowledgeable insider | + | Medium (3) | | Noticeable impact to | | A knowledgeable insider | | | line of business if | or expert attacker could| | | exploited. | exploit the threat | | | | without much difficulty.| +-----------------------+-------------------------+---------------------------+ - | ``Low (2)`` | | Minor damage if | | Exploiting the threat | + | Low (2) | | Minor damage if | | Exploiting the threat | | | exploited or could | would require | | | be used in conjunction| considerable expertise | | | with other | and resources | @@ -191,7 +199,7 @@ rating in terms of score, impact and likelihood. | | perform a more serious| | | | attack | | +-----------------------+-------------------------+---------------------------+ - | ``Informational (1)`` | | Poor programming | | Threat is not likely | + | Informational (1) | | Poor programming | | Threat is not likely | | | practice or poor | to be exploited on its | | | design decision that | own, but may be used to | | | may not represent an | gain information for | 
@@ -235,14 +243,15 @@ In this threat model we consider three target environments: ``Internet of Things(IoT)``, ``Mobile`` and ``Server``. Threat Assessment -============================ +================= + The following threats were identified by applying STRIDE analysis on each diagram element of the data flow diagram. +------------------------+----------------------------------------------------+ | ID | 01 | +========================+====================================================+ -| ``Threat`` | | **An attacker can mangle firmware images to | +| Threat | | **An attacker can mangle firmware images to | | | execute arbitrary code** | | | | | | | Some TF-A images are loaded from external | 
@@ -252,26 +261,26 @@ each diagram element of the data flow diagram. | | updating mechanism to modify the non-volatile | | | images to execute arbitrary code. | +------------------------+----------------------------------------------------+ -| ``Diagram Elements`` | DF1, DF4, DF5 | +| Diagram Elements | DF1, DF4, DF5 | +------------------------+----------------------------------------------------+ -| ``Affected TF-A | BL2, BL31 | -| Components`` | | +| Affected TF-A | BL2, BL31 | +| Components | | +------------------------+----------------------------------------------------+ -| ``Assets`` | Code Execution | +| Assets | Code Execution | +------------------------+----------------------------------------------------+ -| ``Threat Agent`` | PhysicalAccess, NSCode, SecCode | +| Threat Agent | PhysicalAccess, NSCode, SecCode | +------------------------+----------------------------------------------------+ -| ``Threat Type`` | Tampering, Elevation of Privilege | +| Threat Type | Tampering, Elevation of Privilege | +------------------------+------------------+-----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+------------------+-----------------+---------------+ -| ``Impact`` | Critical (5) | Critical (5) | Critical (5) | +| Impact | Critical (5) | Critical (5) | Critical (5) | +------------------------+------------------+-----------------+---------------+ -| ``Likelihood`` | Critical (5) | Critical (5) | Critical (5) | +| Likelihood | Critical (5) | Critical (5) | Critical (5) | +------------------------+------------------+-----------------+---------------+ -| ``Total Risk Rating`` | Critical (25) | Critical (25) | Critical (25) | +| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) | +------------------------+------------------+-----------------+---------------+ -| ``Mitigations`` | | TF-A implements the `Trusted Board Boot (TBB)`_ | +| Mitigations 
| | TF-A implements the `Trusted Board Boot (TBB)`_ | | | feature which prevents malicious firmware from | | | running on the platform by authenticating all | | | firmware images. In addition to this, the TF-A | 
@@ -283,33 +292,33 @@ each diagram element of the data flow diagram. +------------------------+----------------------------------------------------+ | ID | 02 | +========================+====================================================+ -| ``Threat`` | | **An attacker may attempt to boot outdated, | +| Threat | | **An attacker may attempt to boot outdated, | | | potentially vulnerable firmware image** | | | | | | | When updating firmware, an attacker may attempt | | | to rollback to an older version that has unfixed | | | vulnerabilities. | +------------------------+----------------------------------------------------+ -| ``Diagram Elements`` | DF1, DF4, DF5 | +| Diagram Elements | DF1, DF4, DF5 | +------------------------+----------------------------------------------------+ -| ``Affected TF-A | BL2, BL31 | -| Components`` | | +| Affected TF-A | BL2, BL31 | +| Components | | +------------------------+----------------------------------------------------+ -| ``Assets`` | Code Execution | +| Assets | Code Execution | +------------------------+----------------------------------------------------+ -| ``Threat Agent`` | PhysicalAccess, NSCode, SecCode | +| Threat Agent | PhysicalAccess, NSCode, SecCode | +------------------------+----------------------------------------------------+ -| ``Threat Type`` | Tampering | +| Threat Type | Tampering | +------------------------+------------------+-----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+------------------+-----------------+---------------+ -| ``Impact`` | Critical (5) | Critical (5) | Critical (5) | +| Impact | Critical (5) | Critical (5) | Critical (5) | +------------------------+------------------+-----------------+---------------+ -| ``Likelihood`` | Critical (5) | Critical (5) | Critical (5) | +| Likelihood | Critical (5) | Critical (5) | Critical (5) | 
+------------------------+------------------+-----------------+---------------+ -| ``Total Risk Rating`` | Critical (25) | Critical (25) | Critical (25) | +| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) | +------------------------+------------------+-----------------+---------------+ -| ``Mitigations`` | | TF-A supports anti-rollback protection using | +| Mitigations | | TF-A supports anti-rollback protection using | | | non-volatile counters (NV counters) as required | | | by `TBBR-Client specification`_. After a firmware| | | image is validated, the image revision number | @@ -324,7 +333,7 @@ each diagram element of the data flow diagram. +------------------------+-------------------------------------------------------+ | ID | 03 | +========================+=======================================================+ -| ``Threat`` | | **An attacker can use Time-of-Check-Time-of-Use | +| Threat | | **An attacker can use Time-of-Check-Time-of-Use | | | (TOCTOU) attack to bypass image authentication | | | during the boot process** | | | | 
@@ -336,33 +345,33 @@ each diagram element of the data flow diagram. | | after the integrity and authentication check has | | | been performed. | +------------------------+-------------------------------------------------------+ -| ``Diagram Elements`` | DF1 | +| Diagram Elements | DF1 | +------------------------+-------------------------------------------------------+ -| ``Affected TF-A | BL1, BL2 | -| Components`` | | +| Affected TF-A | BL1, BL2 | +| Components | | +------------------------+-------------------------------------------------------+ -| ``Assets`` | Code Execution, Sensitive Data | +| Assets | Code Execution, Sensitive Data | +------------------------+-------------------------------------------------------+ -| ``Threat Agent`` | PhysicalAccess | +| Threat Agent | PhysicalAccess | +------------------------+-------------------------------------------------------+ -| ``Threat Type`` | Elevation of Privilege | +| Threat Type | Elevation of Privilege | +------------------------+---------------------+-----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+---------------------+-----------------+---------------+ -| ``Impact`` | N/A | Critical (5) | Critical (5) | +| Impact | N/A | Critical (5) | Critical (5) | +------------------------+---------------------+-----------------+---------------+ -| ``Likelihood`` | N/A | Medium (3) | Medium (3) | +| Likelihood | N/A | Medium (3) | Medium (3) | +------------------------+---------------------+-----------------+---------------+ -| ``Total Risk Rating`` | N/A | High (15) | High (15) | +| Total Risk Rating | N/A | High (15) | High (15) | +------------------------+---------------------+-----------------+---------------+ -| ``Mitigations`` | | TF-A boot firmware copies image to on-chip | +| Mitigations | | TF-A boot firmware copies image to on-chip | | | memory before authenticating an image. 
| +------------------------+-------------------------------------------------------+ +------------------------+-------------------------------------------------------+ | ID | 04 | +========================+=======================================================+ -| ``Threat`` | | **An attacker with physical access can execute | +| Threat | | **An attacker with physical access can execute | | | arbitrary image by bypassing the signature | | | verification stage using glitching techniques** | | | | 
@@ -381,26 +390,26 @@ each diagram element of the data flow diagram. | | points where the image is validated against the | | | signature. | +------------------------+-------------------------------------------------------+ -| ``Diagram Elements`` | DF1 | +| Diagram Elements | DF1 | +------------------------+-------------------------------------------------------+ -| ``Affected TF-A | BL1, BL2 | -| Components`` | | +| Affected TF-A | BL1, BL2 | +| Components | | +------------------------+-------------------------------------------------------+ -| ``Assets`` | Code Execution | +| Assets | Code Execution | +------------------------+-------------------------------------------------------+ -| ``Threat Agent`` | PhysicalAccess | +| Threat Agent | PhysicalAccess | +------------------------+-------------------------------------------------------+ -| ``Threat Type`` | Tampering, Elevation of Privilege | +| Threat Type | Tampering, Elevation of Privilege | +------------------------+---------------------+-----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+---------------------+-----------------+---------------+ -| ``Impact`` | N/A | Critical (5) | Critical (5) | +| Impact | N/A | Critical (5) | Critical (5) | +------------------------+---------------------+-----------------+---------------+ -| ``Likelihood`` | N/A | Medium (3) | Medium (3) | +| Likelihood | N/A | Medium (3) | Medium (3) | +------------------------+---------------------+-----------------+---------------+ -| ``Total Risk Rating`` | N/A | High (15) | High (15) | +| Total Risk Rating | N/A | High (15) | High (15) | +------------------------+---------------------+-----------------+---------------+ -| ``Mitigations`` | | The most effective mitigation is adding glitching | +| Mitigations | | The most effective mitigation is adding glitching | | | detection and mitigation circuit at the hardware | | | level. 
However, software techniques, | | | such as adding redundant checks when performing | @@ -413,7 +422,7 @@ each diagram element of the data flow diagram. +------------------------+---------------------------------------------------+ | ID | 05 | +========================+===================================================+ -| ``Threat`` | | **Information leak via UART logs such as | +| Threat | | **Information leak via UART logs such as | | | crashes** | | | | | | | During the development stages of software it is | 
@@ -426,26 +435,26 @@ each diagram element of the data flow diagram. | | attacker to develop a working exploit if left | | | in the production version. | +------------------------+---------------------------------------------------+ -| ``Diagram Elements`` | DF2 | +| Diagram Elements | DF2 | +------------------------+---------------------------------------------------+ -| ``Affected TF-A | BL1, BL2, BL31 | -| Components`` | | +| Affected TF-A | BL1, BL2, BL31 | +| Components | | +------------------------+---------------------------------------------------+ -| ``Assets`` | Sensitive Data | +| Assets | Sensitive Data | +------------------------+---------------------------------------------------+ -| ``Threat Agent`` | AppDebug | +| Threat Agent | AppDebug | +------------------------+---------------------------------------------------+ -| ``Threat Type`` | Information Disclosure | +| Threat Type | Information Disclosure | +------------------------+------------------+----------------+---------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+------------------+----------------+---------------+ -| ``Impact`` | N/A | Low (2) | Low (2) | +| Impact | N/A | Low (2) | Low (2) | +------------------------+------------------+----------------+---------------+ -| ``Likelihood`` | N/A | High (4) | High (4) | +| Likelihood | N/A | High (4) | High (4) | +------------------------+------------------+----------------+---------------+ -| ``Total Risk Rating`` | N/A | Medium (8) | Medium (8) | +| Total Risk Rating | N/A | Medium (8) | Medium (8) | +------------------------+------------------+----------------+---------------+ -| ``Mitigations`` | | In TF-A, crash reporting is only enabled for | +| Mitigations | | In TF-A, crash reporting is only enabled for | | | debug builds by default. 
Alternatively, the log | | | level can be tuned at build time (from verbose | | | to no output at all), independently of the | @@ -455,7 +464,7 @@ each diagram element of the data flow diagram. +------------------------+----------------------------------------------------+ | ID | 06 | +========================+====================================================+ -| ``Threat`` | | **An attacker can read sensitive data and | +| Threat | | **An attacker can read sensitive data and | | | execute arbitrary code through the external | | | debug and trace interface** | | | | 
@@ -468,27 +477,27 @@ each diagram element of the data flow diagram. | | attacker to read sensitive data and execute | | | arbitrary code. | +------------------------+----------------------------------------------------+ -| ``Diagram Elements`` | DF3 | +| Diagram Elements | DF3 | +------------------------+----------------------------------------------------+ -| ``Affected TF-A | BL1, BL2, BL31 | -| Components`` | | +| Affected TF-A | BL1, BL2, BL31 | +| Components | | +------------------------+----------------------------------------------------+ -| ``Assets`` | Code Execution, Sensitive Data | +| Assets | Code Execution, Sensitive Data | +------------------------+----------------------------------------------------+ -| ``Threat Agent`` | AppDebug | +| Threat Agent | AppDebug | +------------------------+----------------------------------------------------+ -| ``Threat Type`` | Tampering, Information Disclosure, | +| Threat Type | Tampering, Information Disclosure, | | | Elevation of privilege | +------------------------+------------------+---------------+-----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+------------------+---------------+-----------------+ -| ``Impact`` | N/A | High (4) | High (4) | +| Impact | N/A | High (4) | High (4) | +------------------------+------------------+---------------+-----------------+ -| ``Likelihood`` | N/A | Critical (5) | Critical (5) | +| Likelihood | N/A | Critical (5) | Critical (5) | +------------------------+------------------+---------------+-----------------+ -| ``Total Risk Rating`` | N/A | Critical (20) | Critical (20) | +| Total Risk Rating | N/A | Critical (20) | Critical (20) | +------------------------+------------------+---------------+-----------------+ -| ``Mitigations`` | | Configuration of debug and trace capabilities is | +| Mitigations | | Configuration of debug and trace capabilities is | | | platform specific. 
Therefore, platforms must | | | disable the debug and trace capability for | | | production releases or enable proper debug | @@ -498,7 +507,7 @@ each diagram element of the data flow diagram. +------------------------+------------------------------------------------------+ | ID | 07 | +========================+======================================================+ -| ``Threat`` | | **An attacker can perform a denial-of-service | +| Threat | | **An attacker can perform a denial-of-service | | | attack by using a broken SMC call that causes the | | | system to reboot or enter into unknown state.** | | | | 
@@ -508,26 +517,26 @@ each diagram element of the data flow diagram. | | by calling unimplemented SMC call or by passing | | | invalid arguments. | +------------------------+------------------------------------------------------+ -| ``Diagram Elements`` | DF4, DF5 | +| Diagram Elements | DF4, DF5 | +------------------------+------------------------------------------------------+ -| ``Affected TF-A | BL31 | -| Components`` | | +| Affected TF-A | BL31 | +| Components | | +------------------------+------------------------------------------------------+ -| ``Assets`` | Availability | +| Assets | Availability | +------------------------+------------------------------------------------------+ -| ``Threat Agent`` | NSCode, SecCode | +| Threat Agent | NSCode, SecCode | +------------------------+------------------------------------------------------+ -| ``Threat Type`` | Denial of Service | +| Threat Type | Denial of Service | +------------------------+-------------------+----------------+-----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-------------------+----------------+-----------------+ -| ``Impact`` | Medium (3) | Medium (3) | Medium (3) | +| Impact | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+-----------------+ -| ``Likelihood`` | High (4) | High (4) | High (4) | +| Likelihood | High (4) | High (4) | High (4) | +------------------------+-------------------+----------------+-----------------+ -| ``Total Risk Rating`` | High (12) | High (12) | High (12) | +| Total Risk Rating | High (12) | High (12) | High (12) | +------------------------+-------------------+----------------+-----------------+ -| ``Mitigations`` | | The generic TF-A code validates SMC function ids | +| Mitigations | | The generic TF-A code validates SMC function ids | | | and arguments before using them. 
| | | Platforms that implement SiP services must also | | | validate SMC call arguments. | @@ -536,7 +545,7 @@ each diagram element of the data flow diagram. +------------------------+------------------------------------------------------+ | ID | 08 | +========================+======================================================+ -| ``Threat`` | | **Memory corruption due to memory overflows and | +| Threat | | **Memory corruption due to memory overflows and | | | lack of boundary checking when accessing resources | | | could allow an attacker to execute arbitrary code, | | | modify some state variable to change the normal | 
@@ -558,27 +567,27 @@ each diagram element of the data flow diagram. | | validations might also result in these kinds of | | | errors in release builds. | +------------------------+------------------------------------------------------+ -| ``Diagram Elements`` | DF4, DF5 | +| Diagram Elements | DF4, DF5 | +------------------------+------------------------------------------------------+ -| ``Affected TF-A | BL1, BL2, BL31 | -| Components`` | | +| Affected TF-A | BL1, BL2, BL31 | +| Components | | +------------------------+------------------------------------------------------+ -| ``Assets`` | Code Execution, Sensitive Data | +| Assets | Code Execution, Sensitive Data | +------------------------+------------------------------------------------------+ -| ``Threat Agent`` | NSCode, SecCode | +| Threat Agent | NSCode, SecCode | +------------------------+------------------------------------------------------+ -| ``Threat Type`` | Tampering, Information Disclosure, | +| Threat Type | Tampering, Information Disclosure, | | | Elevation of Privilege | +------------------------+-------------------+-----------------+----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-------------------+-----------------+----------------+ -| ``Impact`` | Critical (5) | Critical (5) | Critical (5) | +| Impact | Critical (5) | Critical (5) | Critical (5) | +------------------------+-------------------+-----------------+----------------+ -| ``Likelihood`` | Medium (3 | Medium (3) | Medium (3) | +| Likelihood | Medium (3 | Medium (3) | Medium (3) | +------------------------+-------------------+-----------------+----------------+ -| ``Total Risk Rating`` | High (15) | High (15) | High (15) | +| Total Risk Rating | High (15) | High (15) | High (15) | +------------------------+-------------------+-----------------+----------------+ -| ``Mitigations`` | | TF-A uses a combination of manual code reviews and | +| 
Mitigations | | TF-A uses a combination of manual code reviews and | | | automated program analysis and testing to detect | | | and fix memory corruption bugs. All TF-A code | | | including platform code go through manual code | @@ -607,7 +616,7 @@ each diagram element of the data flow diagram. +------------------------+------------------------------------------------------+ | ID | 09 | +========================+======================================================+ -| ``Threat`` | | **Improperly handled SMC calls can leak register | +| Threat | | **Improperly handled SMC calls can leak register | | | contents** | | | | | | | When switching between secure and non-secure | 
@@ -615,26 +624,26 @@ each diagram element of the data flow diagram. | | register contents of other normal world clients | | | can be leaked. | +------------------------+------------------------------------------------------+ -| ``Diagram Elements`` | DF5 | +| Diagram Elements | DF5 | +------------------------+------------------------------------------------------+ -| ``Affected TF-A | BL31 | -| Components`` | | +| Affected TF-A | BL31 | +| Components | | +------------------------+------------------------------------------------------+ -| ``Assets`` | Sensitive Data | +| Assets | Sensitive Data | +------------------------+------------------------------------------------------+ -| ``Threat Agent`` | NSCode | +| Threat Agent | NSCode | +------------------------+------------------------------------------------------+ -| ``Threat Type`` | Information Disclosure | +| Threat Type | Information Disclosure | +------------------------+-------------------+----------------+-----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-------------------+----------------+-----------------+ -| ``Impact`` | Medium (3) | Medium (3) | Medium (3) | +| Impact | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+-----------------+ -| ``Likelihood`` | High (4) | High (4) | High (4) | +| Likelihood | High (4) | High (4) | High (4) | +------------------------+-------------------+----------------+-----------------+ -| ``Total Risk Rating`` | High (12) | High (12) | High (12) | +| Total Risk Rating | High (12) | High (12) | High (12) | +------------------------+-------------------+----------------+-----------------+ -| ``Mitigations`` | | TF-A saves and restores registers | +| Mitigations | | TF-A saves and restores registers | | | by default when switching contexts. 
Build options | | | are also provided to save/restore additional | | | registers such as floating-point registers. | @@ -643,7 +652,7 @@ each diagram element of the data flow diagram. +------------------------+-----------------------------------------------------+ | ID | 10 | +========================+=====================================================+ -| ``Threat`` | | **SMC calls can leak sensitive information from | +| Threat | | **SMC calls can leak sensitive information from | | | TF-A memory via microarchitectural side channels**| | | | | | | Microarchitectural side-channel attacks such as | 
@@ -652,26 +661,26 @@ each diagram element of the data flow diagram. | | use this kind of attack to leak sensitive | | | data from TF-A memory. | +------------------------+-----------------------------------------------------+ -| ``Diagram Elements`` | DF4, DF5 | +| Diagram Elements | DF4, DF5 | +------------------------+-----------------------------------------------------+ -| ``Affected TF-A | BL31 | -| Components`` | | +| Affected TF-A | BL31 | +| Components | | +------------------------+-----------------------------------------------------+ -| ``Assets`` | Sensitive Data | +| Assets | Sensitive Data | +------------------------+-----------------------------------------------------+ -| ``Threat Agent`` | SecCode, NSCode | +| Threat Agent | SecCode, NSCode | +------------------------+-----------------------------------------------------+ -| ``Threat Type`` | Information Disclosure | +| Threat Type | Information Disclosure | +------------------------+-------------------+----------------+----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-------------------+----------------+----------------+ -| ``Impact`` | Medium (3) | Medium (3) | Medium (3) | +| Impact | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+----------------+ -| ``Likelihood`` | Medium (3) | Medium (3) | Medium (3) | +| Likelihood | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+----------------+ -| ``Total Risk Rating`` | Medium (9) | Medium (9) | Medium (9) | +| Total Risk Rating | Medium (9) | Medium (9) | Medium (9) | +------------------------+-------------------+----------------+----------------+ -| ``Mitigations`` | | TF-A implements software mitigations for Spectre | +| Mitigations | | TF-A implements software mitigations for Spectre | | | type attacks as recommended by `Cache Speculation | | | 
Side-channels`_ for the generic code. SiPs should | | | implement similar mitigations for code that is | @@ -681,7 +690,7 @@ each diagram element of the data flow diagram. +------------------------+----------------------------------------------------+ | ID | 11 | +========================+====================================================+ -| ``Threat`` | | **Misconfiguration of the Memory Management Unit | +| Threat | | **Misconfiguration of the Memory Management Unit | | | (MMU) may allow a normal world software to | | | access sensitive data or execute arbitrary | | | code** | 
@@ -692,26 +701,26 @@ each diagram element of the data flow diagram. | | execute code if the proper security mechanisms | | | are not in place. | +------------------------+----------------------------------------------------+ -| ``Diagram Elements`` | DF5, DF6 | +| Diagram Elements | DF5, DF6 | +------------------------+----------------------------------------------------+ -| ``Affected TF-A | BL1, BL2, BL31 | -| Components`` | | +| Affected TF-A | BL1, BL2, BL31 | +| Components | | +------------------------+----------------------------------------------------+ -| ``Assets`` | Sensitive Data, Code execution | +| Assets | Sensitive Data, Code execution | +------------------------+----------------------------------------------------+ -| ``Threat Agent`` | NSCode | +| Threat Agent | NSCode | +------------------------+----------------------------------------------------+ -| ``Threat Type`` | Information Disclosure, Elevation of Privilege | +| Threat Type | Information Disclosure, Elevation of Privilege | +------------------------+-----------------+-----------------+----------------+ -| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | +| Application | Server | IoT | Mobile | +------------------------+-----------------+-----------------+----------------+ -| ``Impact`` | Critical (5) | Critical (5) | Critical (5) | +| Impact | Critical (5) | Critical (5) | Critical (5) | +------------------------+-----------------+-----------------+----------------+ -| ``Likelihood`` | High (4) | High (4) | High (4) | +| Likelihood | High (4) | High (4) | High (4) | +------------------------+-----------------+-----------------+----------------+ -| ``Total Risk Rating`` | Critical (20) | Critical (20) | Critical (20) | +| Total Risk Rating | Critical (20) | Critical (20) | Critical (20) | +------------------------+-----------------+-----------------+----------------+ -| ``Mitigations`` | | In TF-A, configuration of the MMU is done | +| Mitigations | | In TF-A, configuration of the MMU 
is done | | | through a translation tables library. The | | | library provides APIs to define memory regions | | | and assign attributes including memory types and | @@ -729,7 +738,7 @@ each diagram element of the data flow diagram. +------------------------+-----------------------------------------------------+ | ID | 12 | +========================+=====================================================+ -| ``Threat`` | | **Incorrect configuration of Performance Monitor | +| Threat | | **Incorrect configuration of Performance Monitor | | | Unit (PMU) counters can allow an attacker to | | | mount side-channel attacks using information | | | exposed by the counters** | 
@@ -741,24 +750,24 @@ each diagram element of the data flow diagram. | | software) to potentially carry out | | | side-channel timing attacks against TF-A. | +------------------------+-----------------------------------------------------+ -| ``Diagram Elements`` | DF5, DF6 | +| Diagram Elements | DF5, DF6 | +------------------------+-----------------------------------------------------+ -| ``Affected TF-A | BL31 | -| Components`` | | +| Affected TF-A | BL31 | +| Components | | +------------------------+-----------------------------------------------------+ -| ``Assets`` | Sensitive Data | +| Assets | Sensitive Data | +------------------------+-----------------------------------------------------+ -| ``Threat Agent`` | NSCode | +| Threat Agent | NSCode | +------------------------+-----------------------------------------------------+ -| ``Threat Type`` | Information Disclosure | +| Threat Type | Information Disclosure | +------------------------+-------------------+----------------+----------------+ -| ``Impact`` | Medium (3) | Medium (3) | Medium (3) | +| Impact | Medium (3) | Medium (3) | Medium (3) | +------------------------+-------------------+----------------+----------------+ -| ``Likelihood`` | Low (2) | Low (2) | Low (2) | +| Likelihood | Low (2) | Low (2) | Low (2) | +------------------------+-------------------+----------------+----------------+ -| ``Total Risk Rating`` | Medium (6) | Medium (6) | Medium (6) | +| Total Risk Rating | Medium (6) | Medium (6) | Medium (6) | +------------------------+-------------------+----------------+----------------+ -| ``Mitigations`` | | TF-A follows mitigation strategies as described | +| Mitigations | | TF-A follows mitigation strategies as described | | | in `Secure Development Guidelines`_. General | | | events and cycle counting in the Secure world is | | | prohibited by default when applicable. However, | 
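Review bot: the ID 12 table in the `@@ -741,24 +750,24 @@` hunk goes straight from the `Threat Type` row to the `Impact` row, while the ID 09, 10 and 11 tables rewritten earlier in this same patch carry a `| Application | Server | IoT | Mobile |` header row between those two; since this commit already touches every row of the ID 12 table, it is the natural place to add that missing row so the three rating columns are labelled the same way as in the other threat tables.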
@@ -774,7 +783,7 @@ each diagram element of the data flow diagram. -------------- -*Copyright (c) 2021, Arm Limited. All rights reserved.* +*Copyright (c) 2021-2022, Arm Limited. All rights reserved.* .. _STRIDE threat analysis technique: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model From 4365b30ccfccf9fdc79d0c2512f5c3b657d96c4e Mon Sep 17 00:00:00 2001 From: Sandrine Bailleux Date: Thu, 12 May 2022 14:57:26 +0200 Subject: [PATCH 2/3] docs(threat-model): make experimental features out of scope By nature, experimental features are incomplete pieces of work, sometimes undergoing rapid change. Typically, the threat model implications have not been fully considered yet. Change-Id: Ice8d4273a789558e912f82cde592da4747b37fdf Signed-off-by: Sandrine Bailleux --- docs/threat_model/threat_model.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst index d7cbaf6b1..46f8a5256 100644 --- a/docs/threat_model/threat_model.rst +++ b/docs/threat_model/threat_model.rst @@ -36,6 +36,9 @@ assumptions: - There is no Secure-EL2. We don't consider threats that may come with Secure-EL2 software. +- No experimental features are enabled. We do not consider threats that may come + from them. + Data Flow Diagram ================= From 1b7c82cafe8f5bd83f46a7c6f26618d58cdd36f2 Mon Sep 17 00:00:00 2001 From: Sandrine Bailleux Date: Fri, 13 May 2022 12:40:22 +0200 Subject: [PATCH 3/3] docs(threat-model): remove some redundant text in threat #08 The threat description was repeating the threat title. Change-Id: I67de2c0aab6e86bf33eb91e7562e075fcb76259b Signed-off-by: Sandrine Bailleux --- docs/threat_model/threat_model.rst | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst index 46f8a5256..611e8a108 100644 --- a/docs/threat_model/threat_model.rst 
+++ b/docs/threat_model/threat_model.rst @@ -555,13 +555,8 @@ each diagram element of the data flow diagram. | | flow of the program, or leak sensitive | | | information** | | | | -| | | Like in other software, the Trusted Firmware has | -| | multiple points where memory corruption security | -| | errors can arise. Memory corruption is a dangerous | -| | security issue since it could allow an attacker | -| | to execute arbitrary code, modify some state | -| | variable to change the normal flow of the program, | -| | or leak sensitive information. | +| | | Like in other software, TF-A has multiple points | +| | where memory corruption security errors can arise. | | | | | | | Some of the errors include integer overflow, | | | buffer overflow, incorrect array boundary checks, |
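Review bot: in the `@@ -36,6 +36,9 @@` hunk of patch 2/3, the new bullet says "We do not consider threats that may come from them" while the bullet kept as context directly above it says "We don't consider threats that may come with Secure-EL2 software"; pick one contraction style for the assumptions list. More importantly, the exclusion is only actionable if a reader can tell which features are experimental, so the bullet should say where that is recorded (for example by pointing at wherever the project marks a feature as experimental) rather than leaving it implicit.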
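Review bot: in the `@@ -555,13 +555,8 @@` hunk of patch 3/3, the replacement sentence "Like in other software, TF-A has multiple points where memory corruption security errors can arise" is clumsy on two counts: "Like in" should be "As in", and "memory corruption security errors" does not match the wording used by the Mitigations row of this same threat, which (as shown in the context lines of patch 1/3) speaks of "memory corruption bugs". Suggest `| | | As in other software, TF-A has multiple points |` / `| | where memory corruption bugs can arise. |`, keeping the cell padding aligned with the surrounding rows as the new lines already do.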