Lines Matching defs:A
8 This document provides a generic threat model for TF-A firmware.
17 Firmware for A-class Processors (TF-A). This includes the boot ROM (BL1),
22 TF-A can be configured in various ways. In this threat model we consider
26 - All TF-A images are run from either ROM or on-chip trusted SRAM. This means
27 TF-A is not vulnerable to an attacker that can probe or tamper with off-chip
39 The :ref:`Threat Model for TF-A with Arm CCA support` covers these types of
49 Figure 1 shows a high-level data flow diagram for TF-A. The diagram
50 shows a model of the different components of a TF-A-based system and
51 their interactions with TF-A. A description of each diagram element
54 are considered untrusted by TF-A.
57 :caption: Figure 1: TF-A Data Flow Diagram
59 .. table:: Table 1: TF-A Data Flow Diagram Description
65 | | memory and verified by TF-A boot firmware. These |
66 | | images include TF-A BL2 and BL31 images, as well as |
69 | DF2 | | TF-A log system framework outputs debug or |
75 | | to registers and memory of TF-A. |
78 | | with TF-A through SMC call interface and/or shared |
82 | | with TF-A through SMC call interface and/or shared |
85 | DF6 | | This path represents the interaction between TF-A and|
87 | | and GIC. At boot time TF-A configures/initializes the|
99 In this section we identify and provide assessment of potential threats to TF-A
111 We have identified the following assets for TF-A:
113 .. table:: Table 2: TF-A Assets
124 | | platform should run only TF-A code approved by |
127 | Availability | | This represents the requirement that TF-A |
150 | | TF-A resources |
200 | Medium (3) | | Noticeable impact to | | A knowledgeable insider |
250 target environment in which TF-A is running. For example, attacks
310 | Affected TF-A | BL1, BL2, BL31 |
321 | Impact | N/A | Low (2) | Low (2) |
323 | Likelihood | N/A | High (4) | High (4) |
325 | Total Risk Rating | N/A | Medium (8) | Medium (8) |
366 | | modify TF-A registers and memory allowing the |
372 | Affected TF-A | BL1, BL2, BL31 |
384 | Impact | N/A | High (4) | High (4) |
386 | Likelihood | N/A | Critical (5) | Critical (5) |
388 | Total Risk Rating | N/A | Critical (20) | Critical (20) |
410 | | | Like in other software, TF-A has multiple points |
422 | Affected TF-A | BL1, BL2, BL31 |
455 | | `TF-A error handling policy`_. TF-A provides an |
461 | | TF-A uses a combination of manual code reviews |
463 | | detect and fix memory corruption bugs. All TF-A |
466 | | is performed using Coverity Scan on all TF-A code. |
468 | | `Trusted Firmware-A Tests`_ on Juno and FVP |
482 | | | A misconfiguration of the MMU could |
490 | Affected TF-A | BL1, BL2, BL31 |
521 | | | TF-A provides a library which abstracts the |
541 | Affected TF-A | BL1, BL2, BL31 |
571 | | with TF-A execution environment.** |
582 | Affected TF-A | BL1, BL2, BL31 |
636 | | | Some TF-A images are loaded from external |
645 | Affected TF-A | BL2, BL31 |
688 | Affected TF-A | BL2, BL31 |
740 | Affected TF-A | BL1, BL2 |
751 | Impact | N/A | Critical (5) | Critical (5) |
753 | Likelihood | N/A | Medium (3) | Medium (3) |
755 | Total Risk Rating | N/A | High (15) | High (15) |
779 | | | TF-A relies on a chain of trust that starts with the|
792 | Affected TF-A | BL1, BL2 |
803 | Impact | N/A | Critical (5) | Critical (5) |
805 | Likelihood | N/A | Medium (3) | Medium (3) |
807 | Total Risk Rating | N/A | High (15) | High (15) |
821 | | to harden TF-A against such attacks. |
822 | | **At the moment TF-A doesn't implement such |
834 could compromise |TF-A| execution environment's security.
837 attestation. However, these are outside the |TF-A| security boundary and
842 A limitation of the current Measured Boot design is that it is dependent upon
864 | | | Secure and non-secure clients access TF-A services |
866 | | place the TF-A runtime into an inconsistent state |
872 | Affected TF-A | BL31 |
907 | | | When switching between worlds, TF-A register state |
913 | Affected TF-A | BL31 |
934 | | | This is the default behaviour in TF-A. |
944 | | TF-A memory via microarchitectural side channels**|
950 | | data from TF-A memory. |
954 | Affected TF-A | BL31 |
975 | | | TF-A implements software mitigations for Spectre |
998 | | side-channel timing attacks against TF-A. |
1002 | Affected TF-A | BL31 |
1041 Threats to be Mitigated by an External Agent Outside of TF-A
1060 | Affected TF-A | BL31, BL32 |
1083 | Mitigations | | None in TF-A itself. This option is only used by |
1100 .. _TF-A error handling policy: https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#error-handling-and-robustness
1102 .. _Trusted Firmware-A Tests: https://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/