Domů Procházet Nápověda
Přihlásit se
OWEALs
/
arm-trusted-firmware
zrcadlo https://github.com/ARM-software/arm-trusted-firmware
2
0
Rozštěpit 0
Soubory Úkoly 1 Wiki
Strom: 4ec2948fe3
Větve Značky
arm-trusted-fir...
/
docs
/
threat_model
/
firmware_threat_model
/
threat_model_arm_cca.rst

threat_model_arm_cca.rst 12 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225 
  1. Threat Model for TF-A with Arm CCA support
    2. 

  2. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    3. 

  3. 

  4. Introduction
    5. 

  5. ************
    6. 

  6. 

  7. This document provides a threat model of TF-A firmware for platforms with Arm
    8. 

  8. Realm Management Extension (RME) support which implement Arm Confidential
    9. 

  9. Compute Architecture (Arm CCA).
    10. 

  10. 

  11. Although it is a separate document, it references the :ref:`Generic Threat
    12. 

  12. Model` in a number of places, as some of the contents is commonly applicable to
    13. 

  13. TF-A with or without Arm CCA support.
    14. 

  14. 

  15. Target of Evaluation
    16. 

  16. ********************
    17. 

  17. 

  18. In this threat model, the target of evaluation is the Trusted Firmware for
    19. 

  19. A-class Processors (TF-A) with RME support and Arm CCA support. This includes
    20. 

  20. the boot ROM (BL1), the trusted boot firmware (BL2) and the runtime EL3 firmware
    21. 

  21. (BL31).
    22. 

  22. 

  23. Assumptions
    24. 

  24. ===========
    25. 

  25. 

  26. We make the following assumptions:
    27. 

  27. 

  28. - :ref:`Realm Management Extension (RME)` is enabled on the platform.
    29. 

  29. 

  30. - Arm CCA Hardware Enforced Security (HES) is available on the platform, as
    31. 

  31.   recommended by `Arm CCA security model`_:
    32. 

  32. 

  33.     *[R0004] Arm strongly recommends that all implementations of CCA utilize*
    34. 

  34.     *hardware enforced security (CCA HES).*
    35. 

  35. 

  36. - All TF-A images run from on-chip memory. Data used by these images also live
    37. 

  37.   in on-chip memory. This means TF-A is not vulnerable to an attacker that can
    38. 

  38.   probe or tamper with off-chip memory.
    39. 

  39. 

  40.   These are requirements of the `Arm CCA security model`_:
    41. 

  41. 

  42.     *[R0147] Monitor code executes entirely from on-chip memory.*
    43. 

  43. 

  44.     *[R0149] Any monitor data that may affect the CCA security guarantee, other*
    45. 

  45.     *than GPT, is either held in on-chip memory, or in external memory but with*
    46. 

  46.     *additional integrity protection.*
    47. 

  47. 

  48.   Note that this threat model hardens *[R0149]* requirement by forbidding to
    49. 

  49.   hold data in external memory, even if it is integrity-protected - except for
    50. 

  50.   GPT data.
    51. 

  51. 

  52. - TF-A BL1 image is immutable and thus implicitly trusted. It runs from
    53. 

  53.   read-only memory or write-protected memory. This could be on-chip ROM, on-chip
    54. 

  54.   OTP, locked on-chip flash, or write-protected on-chip RAM for example.
    55. 

  55. 

  56.   This is a requirement of the `Arm CCA security model`_:
    57. 

  57. 

  58.     *[R0158] Arm recommends that all initial boot code is immutable on a*
    59. 

  59.     *secured system.*
    60. 

  60. 

  61.     *[R0050] If all or part of initial boot code is instantiated in on-chip*
    62. 

  62.     *memory then other trusted subsystems or application PE cannot modify that*
    63. 

  63.     *code before it has been executed.*
    64. 

  64. 

  65. - Trusted boot and measured boot are enabled. This means an attacker can't boot
    66. 

  66.   arbitrary images that are not approved by platform providers.
    67. 

  67. 

  68.   These are requirements of the `Arm CCA security model`_:
    69. 

  69. 

  70.     *[R0048] A secured system can only load authorized CCA firmware.*
    71. 

  71. 

  72.     *[R0079] All Monitor firmware loaded by PE initial boot is measured and*
    73. 

  73.     *verified as outlined in Verified boot.*
    74. 

  74. 

  75. - No experimental features are enabled. These are typically incomplete features,
    76. 

  76.   which need more time to stabilize. Thus, we do not consider threats that may
    77. 

  77.   come from them. It is not recommended to use these features in production
    78. 

  78.   builds.
    79. 

  79. 

  80. Data Flow Diagram
    81. 

  81. =================
    82. 

  82. 

  83. Figure 1 shows a high-level data flow diagram for TF-A. The diagram shows a
    84. 

  84. model of the different components of a TF-A-based system and their interactions
    85. 

  85. with TF-A. A description of each diagram element is given on Table 1. On the
    86. 

  86. diagram, the red broken lines indicate trust boundaries. Components outside of
    87. 

  87. the broken lines are considered untrusted by TF-A.
    88. 

  88. 

  89. .. uml:: ../../resources/diagrams/plantuml/tfa_arm_cca_dfd.puml
    90. 

  90.   :caption: Figure 1: Data Flow Diagram
    91. 

  91. 

  92. .. table:: Table 1: Data Flow Diagram Description
    93. 

  93. 

  94.   +-----------------+--------------------------------------------------------+
    95. 

  95.   | Diagram Element | Description                                            |
    96. 

  96.   +=================+========================================================+
    97. 

  97.   |       DF1       | | Refer to DF1 description in the                      |
    98. 

  98.   |                 |   :ref:`Generic Threat Model`. Additionally TF-A       |
    99. 

  99.   |                 |   loads realm images.                                  |
    100. 

  100.   +-----------------+--------------------------------------------------------+
    101. 

  101.   |     DF2-DF6     | | Refer to DF2-DF6 descriptions in the                 |
    102. 

  102.   |                 |   :ref:`Generic Threat Model`.                         |
    103. 

  103.   +-----------------+--------------------------------------------------------+
    104. 

  104.   |       DF7       | | Boot images interact with Arm CCA HES to record boot |
    105. 

  105.   |                 |   measurements and retrieve data used for AP images    |
    106. 

  106.   |                 |   authentication.                                      |
    107. 

  107.   |                 |                                                        |
    108. 

  108.   |                 | | The runtime firmware interacts with Arm CCA HES to   |
    109. 

  109.   |                 |   obtain sensitive attestation data for the realm      |
    110. 

  110.   |                 |   world.                                               |
    111. 

  111.   +-----------------+--------------------------------------------------------+
    112. 

  112.   |       DF8       | | Realm world software (e.g. TF-RMM) interact with     |
    113. 

  113.   |                 |   TF-A through SMC call interface and/or shared        |
    114. 

  114.   |                 |   memory.                                              |
    115. 

  115.   +-----------------+--------------------------------------------------------+
    116. 

  116. 

  117. Threat Analysis
    118. 

  118. ***************
    119. 

  119. 

  120. In this threat model, we use the same method to analyse threats as in the
    121. 

  121. :ref:`Generic Threat Model`. This section only points out differences where
    122. 

  122. applicable.
    123. 

  123. 

  124. - There is an additional threat agent: *RealmCode*. It takes the form of
    125. 

  125.   malicious or faulty code running in the realm world, including R-EL2, R-EL1
    126. 

  126.   and R-EL0 levels.
    127. 

  127. 

  128. - At this time we only consider the ``Server`` target environment. New threats
    129. 

  129.   identified in this threat model will only be given a risk rating for this
    130. 

  130.   environment. Other environments may be added in a future revision
    131. 

  131. 

  132. Threat Assessment
    133. 

  133. =================
    134. 

  134. 

  135. General Threats for All Firmware Images
    136. 

  136. ---------------------------------------
    137. 

  137. 

  138. The following table analyses the :ref:`General Threats` in the context of this
    139. 

  139. threat model. Only deltas are pointed out.
    140. 

  140. 

  141.   +----+-------------+-------------------------------------------------------+
    142. 

  142.   | ID | Applicable? | Comments                                              |
    143. 

  143.   +====+=============+=======================================================+
    144. 

  144.   | 05 |     Yes     |                                                       |
    145. 

  145.   +----+-------------+-------------------------------------------------------+
    146. 

  146.   | 06 |     Yes     |                                                       |
    147. 

  147.   +----+-------------+-------------------------------------------------------+
    148. 

  148.   | 08 |     Yes     | Additional diagram element: DF8.                      |
    149. 

  149.   |    |             |                                                       |
    150. 

  150.   |    |             | Additional threat agent: RealmCode.                   |
    151. 

  151.   +----+-------------+-------------------------------------------------------+
    152. 

  152.   | 11 |     Yes     | | Misconfiguration of the Memory Management Unit      |
    153. 

  153.   |    |             |   (MMU) may allow a **normal/secure/realm** world     |
    154. 

  154.   |    |             |   software to access sensitive data, execute arbitrary|
    155. 

  155.   |    |             |   code or access otherwise restricted HW interface.   |
    156. 

  156.   |    |             |                                                       |
    157. 

  157.   |    |             | | **Note that on RME systems, MMU configuration also  |
    158. 

  158.   |    |             |   includes Granule Protection Tables (GPT) setup.**   |
    159. 

  159.   |    |             |                                                       |
    160. 

  160.   |    |             | | Additional diagram elements: DF4, DF7, DF8.         |
    161. 

  161.   |    |             |                                                       |
    162. 

  162.   |    |             | | Additional threat agents: SecCode, RealmCode.       |
    163. 

  163.   +----+-------------+-------------------------------------------------------+
    164. 

  164.   | 13 |     Yes     | Additional diagram element: DF8.                      |
    165. 

  165.   |    |             |                                                       |
    166. 

  166.   |    |             | Additional threat agent: RealmCode.                   |
    167. 

  167.   +----+-------------+-------------------------------------------------------+
    168. 

  168.   | 15 |     Yes     | Additional diagram element: DF8.                      |
    169. 

  169.   |    |             |                                                       |
    170. 

  170.   |    |             | Additional threat agent: RealmCode.                   |
    171. 

  171.   +----+-------------+-------------------------------------------------------+
    172. 

  172. 

  173. Threats to be Mitigated by the Boot Firmware
    174. 

  174. --------------------------------------------
    175. 

  175. 

  176. The following table analyses the :ref:`Boot Firmware Threats` in the context of
    177. 

  177. this threat model. Only deltas are pointed out.
    178. 

  178. 

  179.   +----+-------------+-------------------------------------------------------+
    180. 

  180.   | ID | Applicable? | Comments                                              |
    181. 

  181.   +====+=============+=======================================================+
    182. 

  182.   | 01 |     Yes     | Additional diagram element: DF8.                      |
    183. 

  183.   |    |             |                                                       |
    184. 

  184.   |    |             | Additional threat agent: RealmCode.                   |
    185. 

  185.   +----+-------------+-------------------------------------------------------+
    186. 

  186.   | 02 |     Yes     | Additional diagram element: DF8.                      |
    187. 

  187.   |    |             |                                                       |
    188. 

  188.   |    |             | Additional threat agent: RealmCode.                   |
    189. 

  189.   +----+-------------+-------------------------------------------------------+
    190. 

  190.   | 03 |     Yes     |                                                       |
    191. 

  191.   +----+-------------+-------------------------------------------------------+
    192. 

  192.   | 04 |     Yes     |                                                       |
    193. 

  193.   +----+-------------+-------------------------------------------------------+
    194. 

  194. 

  195. Threats to be Mitigated by the Runtime EL3 Firmware
    196. 

  196. ---------------------------------------------------
    197. 

  197. 

  198. The following table analyses the :ref:`Runtime Firmware Threats` in the context
    199. 

  199. of this threat model. Only deltas are pointed out.
    200. 

  200. 

  201.   +----+-------------+-------------------------------------------------------+
    202. 

  202.   | ID | Applicable? | Comments                                              |
    203. 

  203.   +====+=============+=======================================================+
    204. 

  204.   | 07 |     Yes     | Additional diagram element: DF8.                      |
    205. 

  205.   |    |             |                                                       |
    206. 

  206.   |    |             | Additional threat agent: RealmCode.                   |
    207. 

  207.   +----+-------------+-------------------------------------------------------+
    208. 

  208.   | 09 |     Yes     | Additional diagram element: DF8.                      |
    209. 

  209.   |    |             |                                                       |
    210. 

  210.   |    |             | Additional threat agent: RealmCode.                   |
    211. 

  211.   +----+-------------+-------------------------------------------------------+
    212. 

  212.   | 10 |     Yes     | Additional diagram element: DF8.                      |
    213. 

  213.   |    |             |                                                       |
    214. 

  214.   |    |             | Additional threat agent: RealmCode.                   |
    215. 

  215.   +----+-------------+-------------------------------------------------------+
    216. 

  216.   | 12 |     Yes     | Additional diagram element: DF8.                      |
    217. 

  217.   |    |             |                                                       |
    218. 

  218.   |    |             | Additional threat agent: RealmCode.                   |
    219. 

  219.   +----+-------------+-------------------------------------------------------+
    220. 

  220.   | 14 |     Yes     |                                                       |
    221. 

  221.   +----+-------------+-------------------------------------------------------+
    222. 

  222. 

  223. *Copyright (c) 2023-2024, Arm Limited. All rights reserved.*
    224. 

  224. 

  225. .. _Arm CCA Security Model: https://developer.arm.com/documentation/DEN0096/A_a
    226.