Merge "docs(threat-model): add threat model for PSA FWU and TBBR FWU(recovery)" into integration

2025-04-15 17:14:21 +00:00 · 2024-01-19 21:39:59 +01:00 · 2024-01-19 21:39:59 +01:00 · 57410eebe6
commit 57410eebe6
parent 0ec25e386a bb4d7d7195
2 changed files with 104 additions and 0 deletions
--- a/docs/threat_model/index.rst
+++ b/docs/threat_model/index.rst
@ -35,6 +35,7 @@ data flow diagram, as well as a list of threats we have identified using the
   threat_model_fvp_r
   threat_model_rss_interface
   threat_model_arm_cca
+   threat_model_fw_update_and_recovery

 --------------

--- a/docs/threat_model/threat_model_fw_update_and_recovery.rst
+++ b/docs/threat_model/threat_model_fw_update_and_recovery.rst
@ -0,0 +1,103 @@
+Threat Model for TF-A with PSA FWU or TBBR FWU support
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Introduction
+************
+
+This document provides a threat model of TF-A firmware for platforms with
+the feature PSA firmware update or TBBR firmware update or both enabled.
+To understand the design of the firmware update refer
+:ref:`Firmware Update (FWU)`.
+
+Although it is a separate document, it references the :ref:`Generic Threat
+Model` in a number of places, as some of the contents are applicable to this
+threat model.
+
+Target of Evaluation
+********************
+
+In this threat model, the target of evaluation is the Trusted Firmware for
+A-class Processors (TF-A) when PSA FWU support is enabled or TBBR FWU mode
+is enabled. This includes the boot ROM (BL1), the trusted boot firmware (BL2).
+
+Threat Assessment
+*****************
+
+For this section, please reference the Threat Assessment under the
+:ref:`Generic Threat Model`. Here only the differences are highlighted.
+
+PSA FWU
+*******
+
+Threats to be Mitigated by the Boot Firmware
+--------------------------------------------
+
+The following table analyses the :ref:`Boot Firmware Threats` in the context
+of this threat model. Only additional details are pointed out.
+
+----+-------------+-------------------------------------------------------+
+| ID | Applicable? | Comments                                              |
+====+=============+=======================================================+
+| 01 |     Yes     | | Attacker can use arbitrary images to update the     |
+|    |             |   system.                                             |
+----+-------------+-------------------------------------------------------+
+| 02 |     Yes     | | Attacker tries to update the system with the        |
+|    |             |   vulnerable/older firmware.                          |
+----+-------------+-------------------------------------------------------+
+| 03 |     Yes     |                                                       |
+----+-------------+-------------------------------------------------------+
+| 04 |     Yes     |                                                       |
+----+-------------+-------------------------------------------------------+
+
+
+Threats to be mitigated by platform design
+------------------------------------------
+
+PSA FWU is driven by metadata stored in non-volatile storage. This metadata
+is not cryptographically signed. Also, depending on the hardware design,
+it may be stored in untrusted storage, which makes it possible for software
+outside of TF-A security boundary or for a physical attacker to modify it
+in order to change the behaviour of the FWU process.
+
+Below we provide some possible FWU metadata corruption scenarios:
+
+1. The FWU metadata includes the firmware bank for booting; the attacker
+   tries to modify it to prevent the execution of the updated firmware.
+2. The FWU metadata features a field indicating the firmware's status, either
+   in trial run or accepted run. The attacker tries to manipulate this field,
+   ensuring the updated firmware consistently runs in trial mode, with the
+   intention of preventing the anti-rollback update.
+
+By design, no software mitigations exist to prevent this. The safeguarding
+of FWU metadata relies on the platform's hardware design to mitigate potential
+attacks on it, if this is a concern in the platform's threat model.
+For example, FWU metadata may be stored in secure storage under exclusive
+access from secure software, protecting it from physical, unauthenticated
+accesses and from non-secure software accesses.
+
+TBBR FWU - Firmware Recovery
+****************************
+
+Threats to be Mitigated by the Boot Firmware
+--------------------------------------------
+
+The following table analyses the :ref:`Boot Firmware Threats` in the context
+of this threat model. Only additional details are pointed out.
+
+----+-------------+-------------------------------------------------------+
+| ID | Applicable? | Comments                                              |
+====+=============+=======================================================+
+| 01 |     Yes     | | Attacker can use arbitrary images to recover the    |
+|    |             |   system.                                             |
+----+-------------+-------------------------------------------------------+
+| 02 |     Yes     | | Attacker tries to recover the system with the       |
+|    |             |   vulnerable/older firmware.                          |
+----+-------------+-------------------------------------------------------+
+| 03 |     Yes     |                                                       |
+----+-------------+-------------------------------------------------------+
+| 04 |     Yes     |                                                       |
+----+-------------+-------------------------------------------------------+
+
+--------------
+
+*Copyright (c) 2024, Arm Limited. All rights reserved.*