Etusivu Tutki Apua
Kirjaudu sisään
OWEALs
/
arm-trusted-firmware
peilaus alkaen https://github.com/ARM-software/arm-trusted-firmware
2
0
Fork 0
Tiedostot Ongelmat 1 Wiki
Puu: 4ec2948fe3
Haarat Tagit
arm-trusted-fir...
/
docs
/
threat_model
/
firmware_threat_model
/
threat_model_rse_interface.rst

threat_model_rse_interface.rst 2.6 KB
Historia Raaka

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 
  1. Threat Model for RSE - AP interface
    2. 

  2. ***********************************
    3. 

  3. 

  4. ************
    5. 

  5. Introduction
    6. 

  6. ************
    7. 

  7. This document is an extension for the general TF-A threat-model. It considers
    8. 

  8. those platforms where a Runtime Security Engine (RSE) is included in the SoC
    9. 

  9. next to the Application Processor (AP).
    10. 

  10. 

  11. ********************
    12. 

  12. Target of Evaluation
    13. 

  13. ********************
    14. 

  14. The scope of this threat model only includes the interface between the RSE and
    15. 

  15. AP. Otherwise, the TF-A :ref:`Generic Threat Model` document is applicable for
    16. 

  16. the AP core. The threat model for the RSE firmware will be provided by the RSE
    17. 

  17. firmware project in the future.
    18. 

  18. 

  19. 

  20. Data Flow Diagram
    21. 

  21. =================
    22. 

  22. This diagram is different only from the general TF-A data flow diagram in that
    23. 

  23. it includes the RSE and highlights the interface between the AP and the RSE
    24. 

  24. cores. The interface description only focuses on the AP-RSE interface the rest
    25. 

  25. is the same as in the general TF-A threat-model document.
    26. 

  26. 

  27. .. uml:: ../../resources/diagrams/plantuml/tfa_rse_dfd.puml
    28. 

  28.   :caption: Figure 1: TF-A Data Flow Diagram including RSE
    29. 

  29. 

  30. .. table:: Table 1: TF-A - RSE data flow diagram
    31. 

  31. 

  32.   +-----------------+--------------------------------------------------------+
    33. 

  33.   | Diagram Element | Description                                            |
    34. 

  34.   +=================+========================================================+
    35. 

  35.   |       DF7       | | Boot images interact with RSE over a communication   |
    36. 

  36.   |                 |   channel to record boot measurements and get image    |
    37. 

  37.   |                 |   verification keys. At runtime, BL31 obtains the      |
    38. 

  38.   |                 |   realm world attestation signing key from RSE.        |
    39. 

  39.   +-----------------+--------------------------------------------------------+
    40. 

  40. 

  41. Threat Assessment
    42. 

  42. =================
    43. 

  43. For this section, please reference the Threat Assessment under the general TF-A
    44. 

  44. threat-model document, :ref:`Generic Threat Model`. All the threats listed there
    45. 

  45. are applicable for the AP core, here only the differences are highlighted.
    46. 

  46. 

  47.     - ID 11: The access to the communication interface between AP and RSE is
    48. 

  48.       allowed only for firmware running at EL3. Accidentally exposing this
    49. 

  49.       interface to NSCode can allow malicious code to interact with RSE and
    50. 

  50.       gain access to sensitive data.
    51. 

  51.     - ID 13: Relevant in the context of the realm attestation key, which can be
    52. 

  52.       retrieved by BL31 through DF7. The RSE communication protocol layer
    53. 

  53.       mitigates against this by clearing its internal buffer when reply is
    54. 

  54.       received. The caller of the API must do the same if data is not needed
    55. 

  55.       anymore.
    56. 

  56. 

  57. --------------
    58. 

  58. 

  59. *Copyright (c) 2022-2024, Arm Limited. All rights reserved.*
    60.