1*91f16700SchasingluluThreat Model for TF-A with Arm CCA support 2*91f16700Schasinglulu~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3*91f16700Schasinglulu 4*91f16700SchasingluluIntroduction 5*91f16700Schasinglulu************ 6*91f16700Schasinglulu 7*91f16700SchasingluluThis document provides a threat model of TF-A firmware for platforms with Arm 8*91f16700SchasingluluRealm Management Extension (RME) support which implement Arm Confidential 9*91f16700SchasingluluCompute Architecture (Arm CCA). 10*91f16700Schasinglulu 11*91f16700SchasingluluAlthough it is a separate document, it references the :ref:`Generic Threat 12*91f16700SchasingluluModel` in a number of places, as some of the contents is commonly applicable to 13*91f16700SchasingluluTF-A with or without Arm CCA support. 14*91f16700Schasinglulu 15*91f16700SchasingluluTarget of Evaluation 16*91f16700Schasinglulu******************** 17*91f16700Schasinglulu 18*91f16700SchasingluluIn this threat model, the target of evaluation is the Trusted Firmware for 19*91f16700SchasingluluA-class Processors (TF-A) with RME support and Arm CCA support. This includes 20*91f16700Schasingluluthe boot ROM (BL1), the trusted boot firmware (BL2) and the runtime EL3 firmware 21*91f16700Schasinglulu(BL31). 22*91f16700Schasinglulu 23*91f16700SchasingluluAssumptions 24*91f16700Schasinglulu=========== 25*91f16700Schasinglulu 26*91f16700SchasingluluWe make the following assumptions: 27*91f16700Schasinglulu 28*91f16700Schasinglulu- :ref:`Realm Management Extension (RME)` is enabled on the platform. 29*91f16700Schasinglulu 30*91f16700Schasinglulu- Arm CCA Hardware Enforced Security (HES) is available on the platform, as 31*91f16700Schasinglulu recommended by `Arm CCA security model`_: 32*91f16700Schasinglulu 33*91f16700Schasinglulu *[R0004] Arm strongly recommends that all implementations of CCA utilize* 34*91f16700Schasinglulu *hardware enforced security (CCA HES).* 35*91f16700Schasinglulu 36*91f16700Schasinglulu- All TF-A images run from on-chip memory. Data used by these images also live 37*91f16700Schasinglulu in on-chip memory. This means TF-A is not vulnerable to an attacker that can 38*91f16700Schasinglulu probe or tamper with off-chip memory. 39*91f16700Schasinglulu 40*91f16700Schasinglulu These are requirements of the `Arm CCA security model`_: 41*91f16700Schasinglulu 42*91f16700Schasinglulu *[R0147] Monitor code executes entirely from on-chip memory.* 43*91f16700Schasinglulu 44*91f16700Schasinglulu *[R0149] Any monitor data that may affect the CCA security guarantee, other* 45*91f16700Schasinglulu *than GPT, is either held in on-chip memory, or in external memory but with* 46*91f16700Schasinglulu *additional integrity protection.* 47*91f16700Schasinglulu 48*91f16700Schasinglulu Note that this threat model hardens *[R0149]* requirement by forbidding to 49*91f16700Schasinglulu hold data in external memory, even if it is integrity-protected - except for 50*91f16700Schasinglulu GPT data. 51*91f16700Schasinglulu 52*91f16700Schasinglulu- TF-A BL1 image is immutable and thus implicitly trusted. It runs from 53*91f16700Schasinglulu read-only memory or write-protected memory. This could be on-chip ROM, on-chip 54*91f16700Schasinglulu OTP, locked on-chip flash, or write-protected on-chip RAM for example. 55*91f16700Schasinglulu 56*91f16700Schasinglulu This is a requirement of the `Arm CCA security model`_: 57*91f16700Schasinglulu 58*91f16700Schasinglulu *[R0158] Arm recommends that all initial boot code is immutable on a* 59*91f16700Schasinglulu *secured system.* 60*91f16700Schasinglulu 61*91f16700Schasinglulu *[R0050] If all or part of initial boot code is instantiated in on-chip* 62*91f16700Schasinglulu *memory then other trusted subsystems or application PE cannot modify that* 63*91f16700Schasinglulu *code before it has been executed.* 64*91f16700Schasinglulu 65*91f16700Schasinglulu- Trusted boot and measured boot are enabled. This means an attacker can't boot 66*91f16700Schasinglulu arbitrary images that are not approved by platform providers. 67*91f16700Schasinglulu 68*91f16700Schasinglulu These are requirements of the `Arm CCA security model`_: 69*91f16700Schasinglulu 70*91f16700Schasinglulu *[R0048] A secured system can only load authorized CCA firmware.* 71*91f16700Schasinglulu 72*91f16700Schasinglulu *[R0079] All Monitor firmware loaded by PE initial boot is measured and* 73*91f16700Schasinglulu *verified as outlined in Verified boot.* 74*91f16700Schasinglulu 75*91f16700Schasinglulu- No experimental features are enabled. These are typically incomplete features, 76*91f16700Schasinglulu which need more time to stabilize. Thus, we do not consider threats that may 77*91f16700Schasinglulu come from them. It is not recommended to use these features in production 78*91f16700Schasinglulu builds. 79*91f16700Schasinglulu 80*91f16700SchasingluluData Flow Diagram 81*91f16700Schasinglulu================= 82*91f16700Schasinglulu 83*91f16700SchasingluluFigure 1 shows a high-level data flow diagram for TF-A. The diagram shows a 84*91f16700Schasinglulumodel of the different components of a TF-A-based system and their interactions 85*91f16700Schasingluluwith TF-A. A description of each diagram element is given on Table 1. On the 86*91f16700Schasingluludiagram, the red broken lines indicate trust boundaries. Components outside of 87*91f16700Schasingluluthe broken lines are considered untrusted by TF-A. 88*91f16700Schasinglulu 89*91f16700Schasinglulu.. uml:: ../resources/diagrams/plantuml/tfa_arm_cca_dfd.puml 90*91f16700Schasinglulu :caption: Figure 1: Data Flow Diagram 91*91f16700Schasinglulu 92*91f16700Schasinglulu.. table:: Table 1: Data Flow Diagram Description 93*91f16700Schasinglulu 94*91f16700Schasinglulu +-----------------+--------------------------------------------------------+ 95*91f16700Schasinglulu | Diagram Element | Description | 96*91f16700Schasinglulu +=================+========================================================+ 97*91f16700Schasinglulu | DF1 | | Refer to DF1 description in the | 98*91f16700Schasinglulu | | :ref:`Generic Threat Model`. Additionally TF-A | 99*91f16700Schasinglulu | | loads realm images. | 100*91f16700Schasinglulu +-----------------+--------------------------------------------------------+ 101*91f16700Schasinglulu | DF2-DF6 | | Refer to DF2-DF6 descriptions in the | 102*91f16700Schasinglulu | | :ref:`Generic Threat Model`. | 103*91f16700Schasinglulu +-----------------+--------------------------------------------------------+ 104*91f16700Schasinglulu | DF7 | | Boot images interact with Arm CCA HES to record boot | 105*91f16700Schasinglulu | | measurements and retrieve data used for AP images | 106*91f16700Schasinglulu | | authentication. | 107*91f16700Schasinglulu | | | 108*91f16700Schasinglulu | | | The runtime firmware interacts with Arm CCA HES to | 109*91f16700Schasinglulu | | obtain sensitive attestation data for the realm | 110*91f16700Schasinglulu | | world. | 111*91f16700Schasinglulu +-----------------+--------------------------------------------------------+ 112*91f16700Schasinglulu | DF8 | | Realm world software (e.g. TF-RMM) interact with | 113*91f16700Schasinglulu | | TF-A through SMC call interface and/or shared | 114*91f16700Schasinglulu | | memory. | 115*91f16700Schasinglulu +-----------------+--------------------------------------------------------+ 116*91f16700Schasinglulu 117*91f16700SchasingluluThreat Analysis 118*91f16700Schasinglulu*************** 119*91f16700Schasinglulu 120*91f16700SchasingluluIn this threat model, we use the same method to analyse threats as in the 121*91f16700Schasinglulu:ref:`Generic Threat Model`. This section only points out differences where 122*91f16700Schasingluluapplicable. 123*91f16700Schasinglulu 124*91f16700Schasinglulu- There is an additional threat agent: *RealmCode*. It takes the form of 125*91f16700Schasinglulu malicious or faulty code running in the realm world, including R-EL2, R-EL1 126*91f16700Schasinglulu and R-EL0 levels. 127*91f16700Schasinglulu 128*91f16700Schasinglulu- At this time we only consider the ``Server`` target environment. New threats 129*91f16700Schasinglulu identified in this threat model will only be given a risk rating for this 130*91f16700Schasinglulu environment. Other environments may be added in a future revision 131*91f16700Schasinglulu 132*91f16700SchasingluluThreat Assessment 133*91f16700Schasinglulu================= 134*91f16700Schasinglulu 135*91f16700SchasingluluGeneral Threats for All Firmware Images 136*91f16700Schasinglulu--------------------------------------- 137*91f16700Schasinglulu 138*91f16700SchasingluluThe following table analyses the :ref:`General Threats` in the context of this 139*91f16700Schasingluluthreat model. Only deltas are pointed out. 140*91f16700Schasinglulu 141*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 142*91f16700Schasinglulu | ID | Applicable? | Comments | 143*91f16700Schasinglulu +====+=============+=======================================================+ 144*91f16700Schasinglulu | 05 | Yes | | 145*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 146*91f16700Schasinglulu | 06 | Yes | | 147*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 148*91f16700Schasinglulu | 08 | Yes | Additional diagram element: DF8. | 149*91f16700Schasinglulu | | | | 150*91f16700Schasinglulu | | | Additional threat agent: RealmCode. | 151*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 152*91f16700Schasinglulu | 11 | Yes | | Misconfiguration of the Memory Management Unit | 153*91f16700Schasinglulu | | | (MMU) may allow a **normal/secure/realm** world | 154*91f16700Schasinglulu | | | software to access sensitive data, execute arbitrary| 155*91f16700Schasinglulu | | | code or access otherwise restricted HW interface. | 156*91f16700Schasinglulu | | | | 157*91f16700Schasinglulu | | | | **Note that on RME systems, MMU configuration also | 158*91f16700Schasinglulu | | | includes Granule Protection Tables (GPT) setup.** | 159*91f16700Schasinglulu | | | | 160*91f16700Schasinglulu | | | | Additional diagram elements: DF4, DF7, DF8. | 161*91f16700Schasinglulu | | | | 162*91f16700Schasinglulu | | | | Additional threat agents: SecCode, RealmCode. | 163*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 164*91f16700Schasinglulu | 13 | Yes | Additional diagram element: DF8. | 165*91f16700Schasinglulu | | | | 166*91f16700Schasinglulu | | | Additional threat agent: RealmCode. | 167*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 168*91f16700Schasinglulu | 15 | Yes | Additional diagram element: DF8. | 169*91f16700Schasinglulu | | | | 170*91f16700Schasinglulu | | | Additional threat agent: RealmCode. | 171*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 172*91f16700Schasinglulu 173*91f16700SchasingluluThreats to be Mitigated by the Boot Firmware 174*91f16700Schasinglulu-------------------------------------------- 175*91f16700Schasinglulu 176*91f16700SchasingluluThe following table analyses the :ref:`Boot Firmware Threats` in the context of 177*91f16700Schasingluluthis threat model. Only deltas are pointed out. 178*91f16700Schasinglulu 179*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 180*91f16700Schasinglulu | ID | Applicable? | Comments | 181*91f16700Schasinglulu +====+=============+=======================================================+ 182*91f16700Schasinglulu | 01 | Yes | Additional diagram element: DF8. | 183*91f16700Schasinglulu | | | | 184*91f16700Schasinglulu | | | Additional threat agent: RealmCode. | 185*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 186*91f16700Schasinglulu | 02 | Yes | Additional diagram element: DF8. | 187*91f16700Schasinglulu | | | | 188*91f16700Schasinglulu | | | Additional threat agent: RealmCode. | 189*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 190*91f16700Schasinglulu | 03 | Yes | | 191*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 192*91f16700Schasinglulu | 04 | Yes | | 193*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 194*91f16700Schasinglulu 195*91f16700SchasingluluThreats to be Mitigated by the Runtime EL3 Firmware 196*91f16700Schasinglulu--------------------------------------------------- 197*91f16700Schasinglulu 198*91f16700SchasingluluThe following table analyses the :ref:`Runtime Firmware Threats` in the context 199*91f16700Schasingluluof this threat model. Only deltas are pointed out. 200*91f16700Schasinglulu 201*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 202*91f16700Schasinglulu | ID | Applicable? | Comments | 203*91f16700Schasinglulu +====+=============+=======================================================+ 204*91f16700Schasinglulu | 07 | Yes | Additional diagram element: DF8. | 205*91f16700Schasinglulu | | | | 206*91f16700Schasinglulu | | | Additional threat agent: RealmCode. | 207*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 208*91f16700Schasinglulu | 09 | Yes | Additional diagram element: DF8. | 209*91f16700Schasinglulu | | | | 210*91f16700Schasinglulu | | | Additional threat agent: RealmCode. | 211*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 212*91f16700Schasinglulu | 10 | Yes | Additional diagram element: DF8. | 213*91f16700Schasinglulu | | | | 214*91f16700Schasinglulu | | | Additional threat agent: RealmCode. | 215*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 216*91f16700Schasinglulu | 12 | Yes | Additional diagram element: DF8. | 217*91f16700Schasinglulu | | | | 218*91f16700Schasinglulu | | | Additional threat agent: RealmCode. | 219*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 220*91f16700Schasinglulu | 14 | Yes | | 221*91f16700Schasinglulu +----+-------------+-------------------------------------------------------+ 222*91f16700Schasinglulu 223*91f16700Schasinglulu*Copyright (c) 2023, Arm Limited. All rights reserved.* 224*91f16700Schasinglulu 225*91f16700Schasinglulu.. _Arm CCA Security Model: https://developer.arm.com/documentation/DEN0096/A_a 226