Generic threat model
********************

************************
Introduction
************************
This document provides a generic threat model for TF-A firmware.

.. note::

  This threat model doesn't consider the Root and Realm worlds introduced by
  the :ref:`Realm Management Extension (RME)`.

************************
Target of Evaluation
************************
In this threat model, the target of evaluation is the Trusted
Firmware for A-class Processors (TF-A). This includes the boot ROM (BL1),
the trusted boot firmware (BL2) and the runtime EL3 firmware (BL31), as
shown in Figure 1. Everything else in Figure 1 is outside the scope of
the evaluation.

TF-A can be configured in various ways. In this threat model we consider
only the most basic configuration. To that end we make the following
assumptions:

- All TF-A images run from either ROM or on-chip trusted SRAM. This means
  TF-A is not vulnerable to an attacker who can probe or tamper with off-chip
  memory.

- Trusted boot is enabled. This means an attacker can't boot arbitrary images
  that are not approved by the platform provider.

- There is no Secure-EL2. We don't consider threats that may come with
  Secure-EL2 software.

Data Flow Diagram
======================
Figure 1 shows a high-level data flow diagram for TF-A. The diagram
shows a model of the different components of a TF-A-based system and
their interactions with TF-A. A description of each diagram element
is given in Table 1. On the diagram, the red broken lines indicate
trust boundaries. Components outside of the broken lines
are considered untrusted by TF-A.

.. uml:: ../resources/diagrams/plantuml/tfa_dfd.puml
  :caption: Figure 1: TF-A Data Flow Diagram

.. table:: Table 1: TF-A Data Flow Diagram Description

  +-----------------+--------------------------------------------------------+
  | Diagram Element | Description                                            |
  +=================+========================================================+
  | ``DF1``         | | At boot time, images are loaded from non-volatile    |
  |                 | | memory and verified by TF-A boot firmware. These     |
  |                 | | images include TF-A BL2 and BL31 images, as well as  |
  |                 | | other secure and non-secure images.                  |
  +-----------------+--------------------------------------------------------+
  | ``DF2``         | | TF-A log system framework outputs debug messages     |
  |                 | | over a UART interface.                               |
  +-----------------+--------------------------------------------------------+
  | ``DF3``         | | Debug and trace IP on a platform can allow access    |
  |                 | | to registers and memory of TF-A.                     |
  +-----------------+--------------------------------------------------------+
  | ``DF4``         | | Secure world software (e.g. a trusted OS) interacts  |
  |                 | | with TF-A through the SMC call interface and/or      |
  |                 | | shared memory.                                       |
  +-----------------+--------------------------------------------------------+
  | ``DF5``         | | Non-secure world software (e.g. a rich OS) interacts |
  |                 | | with TF-A through the SMC call interface and/or      |
  |                 | | shared memory.                                       |
  +-----------------+--------------------------------------------------------+
  | ``DF6``         | | This path represents the interaction between TF-A    |
  |                 | | and various hardware IPs such as the TrustZone       |
  |                 | | controller and the GIC. At boot time TF-A            |
  |                 | | configures/initializes these IPs and interacts       |
  |                 | | with them at runtime through interrupts and          |
  |                 | | registers.                                           |
  +-----------------+--------------------------------------------------------+


*********************
Threat Analysis
*********************
In this section we identify and provide an assessment of potential threats to
TF-A firmware. The threats are identified for each diagram element on the
data flow diagram above.

For each threat, we identify the *asset* that is under threat, the
*threat agent* and the *threat type*. Each threat is given a *risk rating*
that represents the impact and likelihood of that threat. We also discuss
potential mitigations.

Assets
==================
We have identified the following assets for TF-A:

.. table:: Table 2: TF-A Assets

  +--------------------+---------------------------------------------------+
  | Asset              | Description                                       |
  +====================+===================================================+
  | ``Sensitive Data`` | | These include sensitive data that an attacker   |
  |                    | | must not be able to tamper with (e.g. the Root  |
  |                    | | of Trust Public Key) or see (e.g. secure logs,  |
  |                    | | debugging information such as crash reports).   |
  +--------------------+---------------------------------------------------+
  | ``Code Execution`` | | This represents the requirement that the        |
  |                    | | platform should run only TF-A code approved by  |
  |                    | | the platform provider.                          |
  +--------------------+---------------------------------------------------+
  | ``Availability``   | | This represents the requirement that TF-A       |
  |                    | | services should always be available for use.    |
  +--------------------+---------------------------------------------------+

Threat Agents
=====================
To understand the attack surface, it is important to identify potential
attackers, i.e. attack entry points. The following threat agents are
in scope of this threat model.

.. table:: Table 3: Threat Agents

  +-------------------+-------------------------------------------------------+
  | Threat Agent      | Description                                           |
  +===================+=======================================================+
  | ``NSCode``        | | Malicious or faulty code running in the Non-secure  |
  |                   | | world, including NS-EL0, NS-EL1 and NS-EL2 levels   |
  +-------------------+-------------------------------------------------------+
  | ``SecCode``       | | Malicious or faulty code running in the Secure      |
  |                   | | world, including S-EL0 and S-EL1 levels             |
  +-------------------+-------------------------------------------------------+
  | ``AppDebug``      | | Physical attacker using debug signals to access     |
  |                   | | TF-A resources                                      |
  +-------------------+-------------------------------------------------------+
  | ``PhysicalAccess``| | Physical attacker with access to the external device|
  |                   | | communication bus and to the external flash         |
  |                   | | communication bus, using common hardware            |
  +-------------------+-------------------------------------------------------+

.. note::

  In this threat model an advanced physical attacker that has the capability
  to tamper with the hardware (e.g. "rewiring" a chip using a focused
  ion beam (FIB) workstation or decapsulating the chip using chemicals) is
  considered out of scope.

Threat Types
========================
In this threat model we categorize threats using the `STRIDE threat
analysis technique`_. In this technique a threat is categorized as one
or more of these types: ``Spoofing``, ``Tampering``, ``Repudiation``,
``Information disclosure``, ``Denial of service`` or
``Elevation of privilege``.

Threat Risk Ratings
========================
For each threat identified, a risk rating that ranges
from *informational* to *critical* is given based on the likelihood of the
threat occurring if a mitigation is not in place, and the impact of the
threat (i.e. how severe the consequences could be). Table 4 explains each
rating in terms of score, impact and likelihood.

.. table:: Table 4: Rating and score as applied to impact and likelihood

  +-----------------------+-------------------------+---------------------------+
  | **Rating (Score)**    | **Impact**              | **Likelihood**            |
  +=======================+=========================+===========================+
  | ``Critical (5)``      | | Extreme impact to     | | Threat is almost        |
  |                       | | entire organization   |   certain to be exploited.|
  |                       | | if exploited.         |                           |
  |                       |                         | | Knowledge of the threat |
  |                       |                         |   and how to exploit it   |
  |                       |                         |   are in the public       |
  |                       |                         |   domain.                 |
  +-----------------------+-------------------------+---------------------------+
  | ``High (4)``          | | Major impact to entire| | Threat is relatively    |
  |                       |   organization or single|   easy to detect and      |
  |                       |   line of business if   |   exploit by an attacker  |
  |                       |   exploited.            |   with little skill.      |
  +-----------------------+-------------------------+---------------------------+
  | ``Medium (3)``        | | Noticeable impact to  | | A knowledgeable insider |
  |                       |   line of business if   |   or expert attacker could|
  |                       |   exploited.            |   exploit the threat      |
  |                       |                         |   without much difficulty.|
  +-----------------------+-------------------------+---------------------------+
  | ``Low (2)``           | | Minor damage if       | | Exploiting the threat   |
  |                       |   exploited or could    |   would require           |
  |                       |   be used in conjunction|   considerable expertise  |
  |                       |   with other            |   and resources.          |
  |                       |   vulnerabilities to    |                           |
  |                       |   perform a more serious|                           |
  |                       |   attack.               |                           |
  +-----------------------+-------------------------+---------------------------+
  | ``Informational (1)`` | | Poor programming      | | Threat is not likely    |
  |                       |   practice or poor      |   to be exploited on its  |
  |                       |   design decision that  |   own, but may be used to |
  |                       |   may not represent an  |   gain information for    |
  |                       |   immediate risk on its |   launching another       |
  |                       |   own, but may have     |   attack.                 |
  |                       |   security implications |                           |
  |                       |   if multiplied and/or  |                           |
  |                       |   combined with other   |                           |
  |                       |   threats.              |                           |
  +-----------------------+-------------------------+---------------------------+

Aggregate risk scores are assigned to identified threats;
specifically, the impact score multiplied by the likelihood score.
For example, a threat with high likelihood and low impact would have an
aggregate risk score of eight (8); that is, four (4) for high likelihood
multiplied by two (2) for low impact. The aggregate risk score determines
the finding's overall risk level, as shown in the following table.

.. table:: Table 5: Overall risk levels and corresponding aggregate scores

  +---------------------+-----------------------------------+
  | Overall Risk Level  | Aggregate Risk Score              |
  |                     | (Impact multiplied by Likelihood) |
  +=====================+===================================+
  | Critical            | 20–25                             |
  +---------------------+-----------------------------------+
  | High                | 12–19                             |
  +---------------------+-----------------------------------+
  | Medium              | 6–11                              |
  +---------------------+-----------------------------------+
  | Low                 | 2–5                               |
  +---------------------+-----------------------------------+
  | Informational       | 1                                 |
  +---------------------+-----------------------------------+

The likelihood and impact of a threat depend on the
target environment in which TF-A is running. For example, attacks
that require physical access are unlikely in server environments while
they are more common in Internet of Things (IoT) environments.
In this threat model we consider three target environments:
``Internet of Things (IoT)``, ``Mobile`` and ``Server``.

Threat Assessment
============================
The following threats were identified by applying STRIDE analysis to
each diagram element of the data flow diagram.

+------------------------+----------------------------------------------------+
| ID                     | 01                                                 |
+========================+====================================================+
| ``Threat``             | | **An attacker can modify firmware images to      |
|                        | | execute arbitrary code**                         |
|                        | |                                                  |
|                        | | Some TF-A images are loaded from external        |
|                        | | storage. An attacker may be able to modify the   |
|                        | | contents of that external flash physically,      |
|                        | | through the Rich OS, or through the firmware     |
|                        | | update mechanism, and thereby execute arbitrary  |
|                        | | code.                                            |
+------------------------+----------------------------------------------------+
| ``Diagram Elements``   | DF1, DF4, DF5                                      |
+------------------------+----------------------------------------------------+
| ``Affected TF-A        | BL2, BL31                                          |
| Components``           |                                                    |
+------------------------+----------------------------------------------------+
| ``Assets``             | Code Execution                                     |
+------------------------+----------------------------------------------------+
| ``Threat Agent``       | PhysicalAccess, NSCode, SecCode                    |
+------------------------+----------------------------------------------------+
| ``Threat Type``        | Tampering, Elevation of Privilege                  |
+------------------------+------------------+-----------------+---------------+
| ``Application``        | ``Server``       | ``IoT``         | ``Mobile``    |
+------------------------+------------------+-----------------+---------------+
| ``Impact``             | Critical (5)     | Critical (5)    | Critical (5)  |
+------------------------+------------------+-----------------+---------------+
| ``Likelihood``         | Critical (5)     | Critical (5)    | Critical (5)  |
+------------------------+------------------+-----------------+---------------+
| ``Total Risk Rating``  | Critical (25)    | Critical (25)   | Critical (25) |
+------------------------+------------------+-----------------+---------------+
| ``Mitigations``        | | TF-A implements the `Trusted Board Boot (TBB)`_  |
|                        | | feature, which prevents malicious firmware from  |
|                        | | running on the platform by authenticating all    |
|                        | | firmware images. In addition, the TF-A boot      |
|                        | | firmware performs extra checks on unauthenticated|
|                        | | data, such as FIP metadata, before using it.     |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 02                                                 |
+========================+====================================================+
| ``Threat``             | | **An attacker may attempt to boot an outdated,   |
|                        | | potentially vulnerable firmware image**          |
|                        | |                                                  |
|                        | | When updating firmware, an attacker may attempt  |
|                        | | to roll back to an older version that has        |
|                        | | unfixed vulnerabilities.                         |
+------------------------+----------------------------------------------------+
| ``Diagram Elements``   | DF1, DF4, DF5                                      |
+------------------------+----------------------------------------------------+
| ``Affected TF-A        | BL2, BL31                                          |
| Components``           |                                                    |
+------------------------+----------------------------------------------------+
| ``Assets``             | Code Execution                                     |
+------------------------+----------------------------------------------------+
| ``Threat Agent``       | PhysicalAccess, NSCode, SecCode                    |
+------------------------+----------------------------------------------------+
| ``Threat Type``        | Tampering                                          |
+------------------------+------------------+-----------------+---------------+
| ``Application``        | ``Server``       | ``IoT``         | ``Mobile``    |
+------------------------+------------------+-----------------+---------------+
| ``Impact``             | Critical (5)     | Critical (5)    | Critical (5)  |
+------------------------+------------------+-----------------+---------------+
| ``Likelihood``         | Critical (5)     | Critical (5)    | Critical (5)  |
+------------------------+------------------+-----------------+---------------+
| ``Total Risk Rating``  | Critical (25)    | Critical (25)   | Critical (25) |
+------------------------+------------------+-----------------+---------------+
| ``Mitigations``        | | TF-A supports anti-rollback protection using     |
|                        | | non-volatile counters (NV counters) as required  |
|                        | | by the `TBBR-Client specification`_. After a     |
|                        | | firmware image is validated, the image revision  |
|                        | | number taken from a certificate extension field  |
|                        | | is compared with the corresponding NV counter    |
|                        | | stored in hardware, to make sure the new counter |
|                        | | value is greater than or equal to the current    |
|                        | | counter value. Platforms must implement this     |
|                        | | protection using platform-specific hardware NV   |
|                        | | counters.                                        |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 03                                                 |
+========================+====================================================+
| ``Threat``             | | **An attacker can use a Time-of-Check-Time-of-Use|
|                        | | (TOCTOU) attack to bypass image authentication   |
|                        | | during the boot process**                        |
|                        | |                                                  |
|                        | | A TOCTOU condition arises when a resource is     |
|                        | | checked at one time and used at a later time,    |
|                        | | leaving a window in which it can change. If an   |
|                        | | attacker is interposed on the path to the        |
|                        | | off-chip images, they could change the binary    |
|                        | | containing executable code right after the       |
|                        | | integrity and authentication check has been      |
|                        | | performed.                                       |
+------------------------+----------------------------------------------------+
| ``Diagram Elements``   | DF1                                                |
+------------------------+----------------------------------------------------+
| ``Affected TF-A        | BL1, BL2                                           |
| Components``           |                                                    |
+------------------------+----------------------------------------------------+
| ``Assets``             | Code Execution, Sensitive Data                     |
+------------------------+----------------------------------------------------+
| ``Threat Agent``       | PhysicalAccess                                     |
+------------------------+----------------------------------------------------+
| ``Threat Type``        | Elevation of Privilege                             |
+------------------------+------------------+-----------------+---------------+
| ``Application``        | ``Server``       | ``IoT``         | ``Mobile``    |
+------------------------+------------------+-----------------+---------------+
| ``Impact``             | N/A              | Critical (5)    | Critical (5)  |
+------------------------+------------------+-----------------+---------------+
| ``Likelihood``         | N/A              | Medium (3)      | Medium (3)    |
+------------------------+------------------+-----------------+---------------+
| ``Total Risk Rating``  | N/A              | High (15)       | High (15)     |
+------------------------+------------------+-----------------+---------------+
| ``Mitigations``        | | TF-A boot firmware copies each image into        |
|                        | | on-chip memory before authenticating it, so the  |
|                        | | bytes that are verified are the bytes that run.  |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 04                                                 |
+========================+====================================================+
| ``Threat``             | | **An attacker with physical access can execute   |
|                        | | an arbitrary image by bypassing the signature    |
|                        | | verification stage using glitching techniques**  |
|                        | |                                                  |
|                        | | Glitching (fault injection) attacks attempt to   |
|                        | | put hardware into an undefined state by          |
|                        | | manipulating an environmental variable such as   |
|                        | | the power supply.                                |
|                        | |                                                  |
|                        | | TF-A relies on a chain of trust that starts with |
|                        | | the ROTPK, the Root of Trust Public Key stored   |
|                        | | inside the chip, which is the root of all        |
|                        | | validation. If an attacker can break this chain  |
|                        | | of trust, they can execute arbitrary code on the |
|                        | | device. With physical access, this can be done   |
|                        | | by glitching the normal execution flow at the    |
|                        | | points where the image is validated against its  |
|                        | | signature.                                       |
+------------------------+----------------------------------------------------+
| ``Diagram Elements``   | DF1                                                |
+------------------------+----------------------------------------------------+
| ``Affected TF-A        | BL1, BL2                                           |
| Components``           |                                                    |
+------------------------+----------------------------------------------------+
| ``Assets``             | Code Execution                                     |
+------------------------+----------------------------------------------------+
| ``Threat Agent``       | PhysicalAccess                                     |
+------------------------+----------------------------------------------------+
| ``Threat Type``        | Tampering, Elevation of Privilege                  |
+------------------------+------------------+-----------------+---------------+
| ``Application``        | ``Server``       | ``IoT``         | ``Mobile``    |
+------------------------+------------------+-----------------+---------------+
| ``Impact``             | N/A              | Critical (5)    | Critical (5)  |
+------------------------+------------------+-----------------+---------------+
| ``Likelihood``         | N/A              | Medium (3)      | Medium (3)    |
+------------------------+------------------+-----------------+---------------+
| ``Total Risk Rating``  | N/A              | High (15)       | High (15)     |
+------------------------+------------------+-----------------+---------------+
| ``Mitigations``        | | The most effective mitigation is glitch detection|
|                        | | and mitigation circuitry at the hardware level.  |
|                        | | However, software techniques, such as adding     |
|                        | | redundant checks around security-sensitive       |
|                        | | conditional branches, can be used to harden TF-A |
|                        | | against such attacks. **At the moment TF-A       |
|                        | | doesn't implement such mitigations.**            |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 05                                                 |
+========================+====================================================+
| ``Threat``             | | **Information leak via UART logs such as crash   |
|                        | | reports**                                        |
|                        | |                                                  |
|                        | | During the development stages of software it is  |
|                        | | common to include crash reports with detailed    |
|                        | | information on the CPU state, including the      |
|                        | | current register values, privilege level and     |
|                        | | stack dumps. This information is useful when     |
|                        | | debugging problems before releasing the          |
|                        | | production version, but it could be used by an   |
|                        | | attacker to develop a working exploit if left in |
|                        | | the production version.                          |
+------------------------+----------------------------------------------------+
| ``Diagram Elements``   | DF2                                                |
+------------------------+----------------------------------------------------+
| ``Affected TF-A        | BL1, BL2, BL31                                     |
| Components``           |                                                    |
+------------------------+----------------------------------------------------+
| ``Assets``             | Sensitive Data                                     |
+------------------------+----------------------------------------------------+
| ``Threat Agent``       | AppDebug                                           |
+------------------------+----------------------------------------------------+
| ``Threat Type``        | Information Disclosure                             |
+------------------------+------------------+-----------------+---------------+
| ``Application``        | ``Server``       | ``IoT``         | ``Mobile``    |
+------------------------+------------------+-----------------+---------------+
| ``Impact``             | N/A              | Low (2)         | Low (2)       |
+------------------------+------------------+-----------------+---------------+
| ``Likelihood``         | N/A              | High (4)        | High (4)      |
+------------------------+------------------+-----------------+---------------+
| ``Total Risk Rating``  | N/A              | Medium (8)      | Medium (8)    |
+------------------------+------------------+-----------------+---------------+
| ``Mitigations``        | | In TF-A, crash reporting is only enabled for     |
|                        | | debug builds by default. Alternatively, the log  |
|                        | | level can be tuned at build time (from verbose   |
|                        | | to no output at all), independently of the       |
|                        | | build type.                                      |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 06                                                 |
+========================+====================================================+
| ``Threat``             | | **An attacker can read sensitive data and        |
|                        | | execute arbitrary code through the external      |
|                        | | debug and trace interface**                      |
|                        | |                                                  |
|                        | | Arm processors include hardware-assisted debug   |
|                        | | and trace features that can be controlled        |
|                        | | without the need for software operating on the   |
|                        | | platform. If left enabled without                |
|                        | | authentication, this feature can be used by an   |
|                        | | attacker to inspect and modify TF-A registers    |
|                        | | and memory, allowing the attacker to read        |
|                        | | sensitive data and execute arbitrary code.       |
| 470*54fd6939SJiyong Park+------------------------+----------------------------------------------------+ 471*54fd6939SJiyong Park| ``Diagram Elements`` | DF3 | 472*54fd6939SJiyong Park+------------------------+----------------------------------------------------+ 473*54fd6939SJiyong Park| ``Affected TF-A | BL1, BL2, BL31 | 474*54fd6939SJiyong Park| Components`` | | 475*54fd6939SJiyong Park+------------------------+----------------------------------------------------+ 476*54fd6939SJiyong Park| ``Assets`` | Code Execution, Sensitive Data | 477*54fd6939SJiyong Park+------------------------+----------------------------------------------------+ 478*54fd6939SJiyong Park| ``Threat Agent`` | AppDebug | 479*54fd6939SJiyong Park+------------------------+----------------------------------------------------+ 480*54fd6939SJiyong Park| ``Threat Type`` | Tampering, Information Disclosure, | 481*54fd6939SJiyong Park| | Elevation of privilege | 482*54fd6939SJiyong Park+------------------------+------------------+---------------+-----------------+ 483*54fd6939SJiyong Park| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | 484*54fd6939SJiyong Park+------------------------+------------------+---------------+-----------------+ 485*54fd6939SJiyong Park| ``Impact`` | N/A | High (4) | High (4) | 486*54fd6939SJiyong Park+------------------------+------------------+---------------+-----------------+ 487*54fd6939SJiyong Park| ``Likelihood`` | N/A | Critical (5) | Critical (5) | 488*54fd6939SJiyong Park+------------------------+------------------+---------------+-----------------+ 489*54fd6939SJiyong Park| ``Total Risk Rating`` | N/A | Critical (20) | Critical (20) | 490*54fd6939SJiyong Park+------------------------+------------------+---------------+-----------------+ 491*54fd6939SJiyong Park| ``Mitigations`` | | Configuration of debug and trace capabilities is | 492*54fd6939SJiyong Park| | platform specific. 
Therefore, platforms must | 493*54fd6939SJiyong Park| | disable the debug and trace capability for | 494*54fd6939SJiyong Park| | production releases or enable proper debug | 495*54fd6939SJiyong Park| | authentication as recommended by [`DEN0034`_]. | 496*54fd6939SJiyong Park+------------------------+----------------------------------------------------+ 497*54fd6939SJiyong Park 498*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 499*54fd6939SJiyong Park| ID | 07 | 500*54fd6939SJiyong Park+========================+======================================================+ 501*54fd6939SJiyong Park| ``Threat`` | | **An attacker can perform a denial-of-service | 502*54fd6939SJiyong Park| | attack by using a broken SMC call that causes the | 503*54fd6939SJiyong Park| | system to reboot or enter into unknown state.** | 504*54fd6939SJiyong Park| | | 505*54fd6939SJiyong Park| | | Secure and non-secure clients access TF-A services | 506*54fd6939SJiyong Park| | through SMC calls. Malicious code can attempt to | 507*54fd6939SJiyong Park| | place the TF-A runtime into an inconsistent state | 508*54fd6939SJiyong Park| | by calling unimplemented SMC call or by passing | 509*54fd6939SJiyong Park| | invalid arguments. 
| 510*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 511*54fd6939SJiyong Park| ``Diagram Elements`` | DF4, DF5 | 512*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 513*54fd6939SJiyong Park| ``Affected TF-A | BL31 | 514*54fd6939SJiyong Park| Components`` | | 515*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 516*54fd6939SJiyong Park| ``Assets`` | Availability | 517*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 518*54fd6939SJiyong Park| ``Threat Agent`` | NSCode, SecCode | 519*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 520*54fd6939SJiyong Park| ``Threat Type`` | Denial of Service | 521*54fd6939SJiyong Park+------------------------+-------------------+----------------+-----------------+ 522*54fd6939SJiyong Park| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | 523*54fd6939SJiyong Park+------------------------+-------------------+----------------+-----------------+ 524*54fd6939SJiyong Park| ``Impact`` | Medium (3) | Medium (3) | Medium (3) | 525*54fd6939SJiyong Park+------------------------+-------------------+----------------+-----------------+ 526*54fd6939SJiyong Park| ``Likelihood`` | High (4) | High (4) | High (4) | 527*54fd6939SJiyong Park+------------------------+-------------------+----------------+-----------------+ 528*54fd6939SJiyong Park| ``Total Risk Rating`` | High (12) | High (12) | High (12) | 529*54fd6939SJiyong Park+------------------------+-------------------+----------------+-----------------+ 530*54fd6939SJiyong Park| ``Mitigations`` | | The generic TF-A code validates SMC function ids | 531*54fd6939SJiyong Park| | and arguments before using them. 
| 532*54fd6939SJiyong Park| | Platforms that implement SiP services must also | 533*54fd6939SJiyong Park| | validate SMC call arguments. | 534*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 535*54fd6939SJiyong Park 536*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 537*54fd6939SJiyong Park| ID | 08 | 538*54fd6939SJiyong Park+========================+======================================================+ 539*54fd6939SJiyong Park| ``Threat`` | | **Memory corruption due to memory overflows and | 540*54fd6939SJiyong Park| | lack of boundary checking when accessing resources | 541*54fd6939SJiyong Park| | could allow an attacker to execute arbitrary code, | 542*54fd6939SJiyong Park| | modify some state variable to change the normal | 543*54fd6939SJiyong Park| | flow of the program, or leak sensitive | 544*54fd6939SJiyong Park| | information** | 545*54fd6939SJiyong Park| | | 546*54fd6939SJiyong Park| | | Like in other software, the Trusted Firmware has | 547*54fd6939SJiyong Park| | multiple points where memory corruption security | 548*54fd6939SJiyong Park| | errors can arise. Memory corruption is a dangerous | 549*54fd6939SJiyong Park| | security issue since it could allow an attacker | 550*54fd6939SJiyong Park| | to execute arbitrary code, modify some state | 551*54fd6939SJiyong Park| | variable to change the normal flow of the program, | 552*54fd6939SJiyong Park| | or leak sensitive information. | 553*54fd6939SJiyong Park| | | 554*54fd6939SJiyong Park| | | Some of the errors include integer overflow, | 555*54fd6939SJiyong Park| | buffer overflow, incorrect array boundary checks, | 556*54fd6939SJiyong Park| | and incorrect error management. | 557*54fd6939SJiyong Park| | Improper use of asserts instead of proper input | 558*54fd6939SJiyong Park| | validations might also result in these kinds of | 559*54fd6939SJiyong Park| | errors in release builds. 
| 560*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 561*54fd6939SJiyong Park| ``Diagram Elements`` | DF4, DF5 | 562*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 563*54fd6939SJiyong Park| ``Affected TF-A | BL1, BL2, BL31 | 564*54fd6939SJiyong Park| Components`` | | 565*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 566*54fd6939SJiyong Park| ``Assets`` | Code Execution, Sensitive Data | 567*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 568*54fd6939SJiyong Park| ``Threat Agent`` | NSCode, SecCode | 569*54fd6939SJiyong Park+------------------------+------------------------------------------------------+ 570*54fd6939SJiyong Park| ``Threat Type`` | Tampering, Information Disclosure, | 571*54fd6939SJiyong Park| | Elevation of Privilege | 572*54fd6939SJiyong Park+------------------------+-------------------+-----------------+----------------+ 573*54fd6939SJiyong Park| ``Application`` | ``Server`` | ``IoT`` | ``Mobile`` | 574*54fd6939SJiyong Park+------------------------+-------------------+-----------------+----------------+ 575*54fd6939SJiyong Park| ``Impact`` | Critical (5) | Critical (5) | Critical (5) | 576*54fd6939SJiyong Park+------------------------+-------------------+-----------------+----------------+ 577*54fd6939SJiyong Park| ``Likelihood`` | Medium (3 | Medium (3) | Medium (3) | 578*54fd6939SJiyong Park+------------------------+-------------------+-----------------+----------------+ 579*54fd6939SJiyong Park| ``Total Risk Rating`` | High (15) | High (15) | High (15) | 580*54fd6939SJiyong Park+------------------------+-------------------+-----------------+----------------+ 581*54fd6939SJiyong Park| ``Mitigations`` | | TF-A uses a combination of manual code reviews and | 582*54fd6939SJiyong Park| | automated program analysis and testing to 
detect | 583*54fd6939SJiyong Park| | and fix memory corruption bugs. All TF-A code | 584*54fd6939SJiyong Park| | including platform code go through manual code | 585*54fd6939SJiyong Park| | reviews. Additionally, static code analysis is | 586*54fd6939SJiyong Park| | performed using Coverity Scan on all TF-A code. | 587*54fd6939SJiyong Park| | The code is also tested with | 588*54fd6939SJiyong Park| | `Trusted Firmware-A Tests`_ on Juno and FVP | 589*54fd6939SJiyong Park| | platforms. | 590*54fd6939SJiyong Park| | | 591*54fd6939SJiyong Park| | | Data received from normal world, such as addresses | 592*54fd6939SJiyong Park| | and sizes identifying memory regions, are | 593*54fd6939SJiyong Park| | sanitized before being used. These security checks | 594*54fd6939SJiyong Park| | make sure that the normal world software does not | 595*54fd6939SJiyong Park| | access memory beyond its limit. | 596*54fd6939SJiyong Park| | | 597*54fd6939SJiyong Park| | | By default *asserts* are only used to check for | 598*54fd6939SJiyong Park| | programming errors in debug builds. Other types of | 599*54fd6939SJiyong Park| | errors are handled through condition checks that | 600*54fd6939SJiyong Park| | remain enabled in release builds. See | 601*54fd6939SJiyong Park| | `TF-A error handling policy`_. TF-A provides an | 602*54fd6939SJiyong Park| | option to use *asserts* in release builds, however | 603*54fd6939SJiyong Park| | we recommend using proper runtime checks instead | 604*54fd6939SJiyong Park| | of relying on asserts in release builds. 
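The two checks that the mitigations for threats 07 and 08 call for, shown together as an added example in C (this is not TF-A code): a hypothetical SiP service handler that answers unknown function IDs with the SMCCC unknown-function value, and an overflow-safe validation of a normal-world supplied (address, size) pair. The function IDs, the NS DRAM window and the SIP_EINVAL error code are constructed placeholders.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Constructed values for this example; a real platform takes them from its
 * memory map. [NS_DRAM_BASE, NS_DRAM_BASE + NS_DRAM_SIZE) is the only memory
 * the normal world may hand to the firmware by address.
 */
#define NS_DRAM_BASE	0x80000000ULL
#define NS_DRAM_SIZE	0x40000000ULL	/* 1 GiB */

/* SMCCC return value for an unknown or unsupported function ID. */
#define SMC_UNK		((int64_t)-1)
/* Constructed error code for rejected arguments (not a TF-A constant). */
#define SIP_EINVAL	((int64_t)-2)

/* Hypothetical SiP service function IDs (placeholders, not TF-A's). */
#define SIP_SVC_VERSION		0xC2000001U
#define SIP_SVC_SHARE_BUF	0xC2000002U

/*
 * Overflow-safe check that [addr, addr + size) lies entirely inside the
 * normal-world DRAM window. The addition is only performed once we know it
 * cannot wrap; a wrapped end address is how an attacker-chosen size slips
 * past a plain `end <= limit` test.
 */
bool ns_region_is_valid(uint64_t addr, uint64_t size)
{
	const uint64_t limit = NS_DRAM_BASE + NS_DRAM_SIZE;

	if (size == 0U)
		return false;
	if (size > UINT64_MAX - addr)	/* addr + size would wrap */
		return false;
	if (addr < NS_DRAM_BASE)
		return false;
	return (addr + size) <= limit;
}

/*
 * The naive form of the same check, kept only so the test can show the
 * difference: `end` wraps around for a large size and passes the bound.
 */
bool ns_region_is_valid_naive(uint64_t addr, uint64_t size)
{
	uint64_t end = addr + size;	/* may wrap to a small value */

	return addr >= NS_DRAM_BASE && end <= NS_DRAM_BASE + NS_DRAM_SIZE;
}

/*
 * Handler for the hypothetical SiP service: the function ID is matched
 * against the known set before anything else happens, and each argument
 * is validated before it is acted on. Anything else gets SMC_UNK.
 */
int64_t sip_smc_handler(uint32_t fid, uint64_t x1, uint64_t x2)
{
	switch (fid) {
	case SIP_SVC_VERSION:
		return 0x00010000;	/* constructed: version 1.0 */
	case SIP_SVC_SHARE_BUF:
		/* x1 = buffer address, x2 = buffer size, both caller-supplied. */
		if (!ns_region_is_valid(x1, x2))
			return SIP_EINVAL;
		return 0;	/* only now may the buffer be mapped and used */
	default:
		return SMC_UNK;
	}
}
```
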

+------------------------+------------------------------------------------------+
| ID                     | 09                                                   |
+========================+======================================================+
| ``Threat``             | | **Improperly handled SMC calls can leak register   |
|                        | | contents**                                         |
|                        | |                                                    |
|                        | | When switching between secure and non-secure       |
|                        | | states, register contents of Secure world or       |
|                        | | register contents of other normal world clients    |
|                        | | can be leaked.                                     |
+------------------------+------------------------------------------------------+
| ``Diagram Elements``   | DF5                                                  |
+------------------------+------------------------------------------------------+
| ``Affected TF-A        | BL31                                                 |
| Components``           |                                                      |
+------------------------+------------------------------------------------------+
| ``Assets``             | Sensitive Data                                       |
+------------------------+------------------------------------------------------+
| ``Threat Agent``       | NSCode                                               |
+------------------------+------------------------------------------------------+
| ``Threat Type``        | Information Disclosure                               |
+------------------------+-------------------+----------------+-----------------+
| ``Application``        | ``Server``        | ``IoT``        | ``Mobile``      |
+------------------------+-------------------+----------------+-----------------+
| ``Impact``             | Medium (3)        | Medium (3)     | Medium (3)      |
+------------------------+-------------------+----------------+-----------------+
| ``Likelihood``         | High (4)          | High (4)       | High (4)        |
+------------------------+-------------------+----------------+-----------------+
| ``Total Risk Rating``  | High (12)         | High (12)      | High (12)       |
+------------------------+-------------------+----------------+-----------------+
| ``Mitigations``        | | TF-A saves and restores registers                  |
|                        | | by default when switching contexts. Build options  |
|                        | | are also provided to save/restore additional       |
|                        | | registers such as floating-point registers.        |
+------------------------+------------------------------------------------------+

+------------------------+------------------------------------------------------+
| ID                     | 10                                                   |
+========================+======================================================+
| ``Threat``             | | **SMC calls can leak sensitive information from    |
|                        | | TF-A memory via microarchitectural side channels** |
|                        | |                                                    |
|                        | | Microarchitectural side-channel attacks such as    |
|                        | | `Spectre`_ can be used to leak data across         |
|                        | | security boundaries. An attacker might attempt to  |
|                        | | use this kind of attack to leak sensitive          |
|                        | | data from TF-A memory.                             |
+------------------------+------------------------------------------------------+
| ``Diagram Elements``   | DF4, DF5                                             |
+------------------------+------------------------------------------------------+
| ``Affected TF-A        | BL31                                                 |
| Components``           |                                                      |
+------------------------+------------------------------------------------------+
| ``Assets``             | Sensitive Data                                       |
+------------------------+------------------------------------------------------+
| ``Threat Agent``       | SecCode, NSCode                                      |
+------------------------+------------------------------------------------------+
| ``Threat Type``        | Information Disclosure                               |
+------------------------+-------------------+----------------+-----------------+
| ``Application``        | ``Server``        | ``IoT``        | ``Mobile``      |
+------------------------+-------------------+----------------+-----------------+
| ``Impact``             | Medium (3)        | Medium (3)     | Medium (3)      |
+------------------------+-------------------+----------------+-----------------+
| ``Likelihood``         | Medium (3)        | Medium (3)     | Medium (3)      |
+------------------------+-------------------+----------------+-----------------+
| ``Total Risk Rating``  | Medium (9)        | Medium (9)     | Medium (9)      |
+------------------------+-------------------+----------------+-----------------+
| ``Mitigations``        | | TF-A implements software mitigations for Spectre   |
|                        | | type attacks as recommended by `Cache Speculation  |
|                        | | Side-channels`_ for the generic code. SiPs should  |
|                        | | implement similar mitigations for code that is     |
|                        | | deemed to be vulnerable to such attacks.           |
+------------------------+------------------------------------------------------+

+------------------------+------------------------------------------------------+
| ID                     | 11                                                   |
+========================+======================================================+
| ``Threat``             | | **Misconfiguration of the Memory Management Unit   |
|                        | | (MMU) may allow normal world software to           |
|                        | | access sensitive data or execute arbitrary         |
|                        | | code**                                             |
|                        | |                                                    |
|                        | | A misconfiguration of the MMU could                |
|                        | | lead to an open door for software running in the   |
|                        | | normal world to access sensitive data or even      |
|                        | | execute code if the proper security mechanisms     |
|                        | | are not in place.                                  |
+------------------------+------------------------------------------------------+
| ``Diagram Elements``   | DF5, DF6                                             |
+------------------------+------------------------------------------------------+
| ``Affected TF-A        | BL1, BL2, BL31                                       |
| Components``           |                                                      |
+------------------------+------------------------------------------------------+
| ``Assets``             | Sensitive Data, Code Execution                       |
+------------------------+------------------------------------------------------+
| ``Threat Agent``       | NSCode                                               |
+------------------------+------------------------------------------------------+
| ``Threat Type``        | Information Disclosure, Elevation of Privilege       |
+------------------------+-------------------+----------------+-----------------+
| ``Application``        | ``Server``        | ``IoT``        | ``Mobile``      |
+------------------------+-------------------+----------------+-----------------+
| ``Impact``             | Critical (5)      | Critical (5)   | Critical (5)    |
+------------------------+-------------------+----------------+-----------------+
| ``Likelihood``         | High (4)          | High (4)       | High (4)        |
+------------------------+-------------------+----------------+-----------------+
| ``Total Risk Rating``  | Critical (20)     | Critical (20)  | Critical (20)   |
+------------------------+-------------------+----------------+-----------------+
| ``Mitigations``        | | In TF-A, configuration of the MMU is done          |
|                        | | through a translation tables library. The          |
|                        | | library provides APIs to define memory regions     |
|                        | | and assign attributes including memory types and   |
|                        | | access permissions. Memory configurations are      |
|                        | | platform specific, therefore platforms need to     |
|                        | | make sure the correct attributes are assigned to   |
|                        | | memory regions. When assigning access              |
|                        | | permissions, the principle of least privilege      |
|                        | | ought to be enforced, i.e. we should not grant     |
|                        | | more privileges than strictly needed, e.g. code    |
|                        | | should be read-only executable, RO data should     |
|                        | | be read-only XN, and so on.                        |
+------------------------+------------------------------------------------------+

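An audit of a memory map against the least-privilege rule stated in the mitigation for threat 11 (code read-only and executable, RO data read-only and XN, nothing both writable and executable, firmware regions never reachable from the normal world), written in C as an added example; it is not TF-A's translation tables library. The attribute bits, region kinds, region names and addresses are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed attribute bits and region kinds. They stand in for the memory
 * attributes a translation tables library lets a platform assign; they are
 * not any particular library's API.
 */
#define ATTR_RW	(1U << 0)	/* writable (otherwise read-only) */
#define ATTR_XN	(1U << 1)	/* execute-never */
#define ATTR_NS	(1U << 2)	/* also reachable from the normal world */

enum region_kind {
	KIND_CODE,	/* firmware text */
	KIND_RO_DATA,	/* firmware constants */
	KIND_RW_DATA,	/* firmware state */
	KIND_DEVICE,	/* MMIO */
	KIND_NS_SHARED	/* buffers deliberately shared with the normal world */
};

struct mem_region {
	const char *name;
	uint64_t base;
	uint64_t size;
	enum region_kind kind;
	uint32_t attrs;
};

/*
 * Least-privilege rule for one region: grant only what that kind of memory
 * needs. Nothing is ever writable and executable at once, and no firmware
 * region is reachable from the normal world.
 */
bool region_attrs_ok(const struct mem_region *r)
{
	bool rw = (r->attrs & ATTR_RW) != 0U;
	bool xn = (r->attrs & ATTR_XN) != 0U;
	bool ns = (r->attrs & ATTR_NS) != 0U;

	if (rw && !xn)
		return false;	/* W^X violated, whatever the kind */

	switch (r->kind) {
	case KIND_CODE:
		return !rw && !xn && !ns;	/* read-only, executable, secure */
	case KIND_RO_DATA:
		return !rw && xn && !ns;	/* read-only, XN, secure */
	case KIND_RW_DATA:
		return rw && xn && !ns;		/* writable, XN, secure */
	case KIND_DEVICE:
		return xn;			/* never execute from MMIO */
	case KIND_NS_SHARED:
		return xn && ns;		/* data only, and really NS */
	}
	return false;
}

/* Audit a whole map: number of regions that break the rule. */
size_t audit_memory_map(const struct mem_region *map, size_t n)
{
	size_t violations = 0;

	for (size_t i = 0; i < n; i++)
		if (!region_attrs_ok(&map[i]))
			violations++;
	return violations;
}

/* Index of the first offending region, or SIZE_MAX when the map is clean. */
size_t first_violation(const struct mem_region *map, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (!region_attrs_ok(&map[i]))
			return i;
	return SIZE_MAX;
}

/* Constructed sample map; the addresses are placeholders, not a real platform's. */
const struct mem_region sample_map[] = {
	{ "bl31_code",    0x04001000ULL, 0x00010000ULL, KIND_CODE,      0 },
	{ "bl31_rodata",  0x04011000ULL, 0x00004000ULL, KIND_RO_DATA,   ATTR_XN },
	{ "bl31_rw",      0x04015000ULL, 0x00008000ULL, KIND_RW_DATA,   ATTR_RW | ATTR_XN },
	{ "coherent_ram", 0x0401d000ULL, 0x00001000ULL, KIND_RW_DATA,   ATTR_RW },  /* RWX */
	{ "uart",         0x1c090000ULL, 0x00001000ULL, KIND_DEVICE,    ATTR_RW },  /* executable MMIO */
	{ "ns_shared",    0x80000000ULL, 0x00100000ULL, KIND_NS_SHARED, ATTR_RW | ATTR_XN | ATTR_NS },
};
#define SAMPLE_MAP_LEN	(sizeof(sample_map) / sizeof(sample_map[0]))
```
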

+------------------------+------------------------------------------------------+
| ID                     | 12                                                   |
+========================+======================================================+
| ``Threat``             | | **Incorrect configuration of Performance Monitor   |
|                        | | Unit (PMU) counters can allow an attacker to       |
|                        | | mount side-channel attacks using information       |
|                        | | exposed by the counters**                          |
|                        | |                                                    |
|                        | | Non-secure software can configure PMU registers    |
|                        | | to count events at any exception level and in      |
|                        | | both Secure and Non-secure states. This allows     |
|                        | | Non-secure software (or lower-level Secure         |
|                        | | software) to potentially carry out                 |
|                        | | side-channel timing attacks against TF-A.          |
+------------------------+------------------------------------------------------+
| ``Diagram Elements``   | DF5, DF6                                             |
+------------------------+------------------------------------------------------+
| ``Affected TF-A        | BL31                                                 |
| Components``           |                                                      |
+------------------------+------------------------------------------------------+
| ``Assets``             | Sensitive Data                                       |
+------------------------+------------------------------------------------------+
| ``Threat Agent``       | NSCode                                               |
+------------------------+------------------------------------------------------+
| ``Threat Type``        | Information Disclosure                               |
+------------------------+-------------------+----------------+-----------------+
| ``Application``        | ``Server``        | ``IoT``        | ``Mobile``      |
+------------------------+-------------------+----------------+-----------------+
| ``Impact``             | Medium (3)        | Medium (3)     | Medium (3)      |
+------------------------+-------------------+----------------+-----------------+
| ``Likelihood``         | Low (2)           | Low (2)        | Low (2)         |
+------------------------+-------------------+----------------+-----------------+
| ``Total Risk Rating``  | Medium (6)        | Medium (6)     | Medium (6)      |
+------------------------+-------------------+----------------+-----------------+
| ``Mitigations``        | | TF-A follows mitigation strategies as described    |
|                        | | in `Secure Development Guidelines`_. General       |
|                        | | events and cycle counting in the Secure world are  |
|                        | | prohibited by default when applicable. However,    |
|                        | | on some implementations (e.g. PMUv3) Secure world  |
|                        | | event counting depends on external debug interface |
|                        | | signals, i.e. Secure world event counting is       |
|                        | | enabled if external debug is enabled.              |
|                        | | Configuration of debug signals is platform         |
|                        | | specific, therefore platforms need to make sure    |
|                        | | that external debug is disabled in production or   |
|                        | | proper debug authentication is in place.           |
+------------------------+------------------------------------------------------+

--------------

*Copyright (c) 2021, Arm Limited. All rights reserved.*


.. _STRIDE threat analysis technique: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model
.. _DEN0034: https://developer.arm.com/documentation/den0034/latest
.. _Cache Speculation Side-channels: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
.. _Spectre: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
.. _TBBR-Client specification: https://developer.arm.com/documentation/den0006/d/
.. _Trusted Board Boot (TBB): https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html
.. _TF-A error handling policy: https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#error-handling-and-robustness
.. _Secure Development Guidelines: https://trustedfirmware-a.readthedocs.io/en/latest/process/security-hardening.html#secure-development-guidelines
.. _Trusted Firmware-A Tests: https://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/