feat(docs): update mboot threat model with dTPM

Add the discrete TPM to the TCG event log section of the measured boot threat model. Include the example of a physical vurnerability that can be used to compromise a dTPM. Signed-off-by: Abhi Singh <abhi.singh@arm.com> Change-Id: I2c06edf5e9031adc970c24426a8ae52b06efb614
2025-04-15 17:14:21 +00:00 · 2024-11-01 15:36:18 -05:00 · 2024-11-01 15:36:18 -05:00 · b00f6ece56
commit b00f6ece56
parent a2dd13cacb
1 changed files with 21 additions and 1 deletions
--- a/docs/threat_model/firmware_threat_model/threat_model.rst
+++ b/docs/threat_model/firmware_threat_model/threat_model.rst
@ -928,6 +928,12 @@ nonetheless once execution has reached the runtime EL3 firmware.
     Measured Boot implementation in |TF-A| is that it does not extend the
     measurements into a |PCR| of a Discrete |TPM|, where measurements would
     be securely stored and protected against tampering.
   - Discrete |TPM|: Implemented in |TF-A| as a proof of concept, the Discrete
     |TPM| is used alongside the existing TCG-compliant Event Log. This
     Measured Boot implementation extends measurement hashes to a |PCR| in the
     |TPM|, which provides a hardware-backed root of trust. The measurements in
     the Event Log can now be hashed and compared to the value of the |PCR| to
     determine if tampering of the Event Log has taken place.
   - `CCA Measured Boot`_: Implemented by |TF-M|. Measurements are stored in
     |HES| secure on-chip memory. |HES| implements protection against tampering
     its on-chip memory. |HES| interface is available for BL1 and BL2.
@ -942,6 +948,20 @@ nonetheless once execution has reached the runtime EL3 firmware.
 to protect or threats to defend against that could compromise |TF-A| execution
 environment's security.
 When considering the implementation of Measured Boot using a TCG-compliant
 Event Log backed by a discrete TPM, physical vulnerabilities come to mind.
 Platforms have many different ways of integrating a discrete TPM, and these
 implementations can be susceptible to man-in-the-middle attacks, where the
 attacker intercepts the bus traffic between the discrete TPM and the host
 machine. This can lead to PCR extend operations being modified, compromising
 Measured Boot. This vulnerability requires physical access to the host machine.
 TF-A does not provide any mitigations against these physical vulnerabilities,
 it is the responsibility of the platform owners to address this based on their
 specific threat model. Mitigation of this can be achieved through dedicated
 hardware solutions, such as an encrypted AP/dTPM bus, or software-based
 approaches designed to protect sensitive data such as parameter encryption.
 There are general security assets and threats associated with remote/delegated
 attestation. However, these are outside the |TF-A| security boundary and
 should be dealt with by the appropriate agent in the platform/system.
@ -1192,7 +1212,7 @@ Threats to be Mitigated by an External Agent Outside of TF-A
 --------------
-*Copyright (c) 2021-2024, Arm Limited. All rights reserved.*
+*Copyright (c) 2021-2025, Arm Limited. All rights reserved.*
 .. _STRIDE threat analysis technique: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model