From 348446ad2a836f7fa0ab05cdf6142342a1c4a4b3 Mon Sep 17 00:00:00 2001
From: Sandrine Bailleux
Date: Wed, 11 Oct 2023 08:27:43 +0200
Subject: [PATCH] docs(threat-model): cover threats inherent to receiving data over UART

TF-A supports reading input data from UART interfaces. This opens up an attack vector for arbitrary data to be injected into TF-A, which is not covered in the threat model right now.

Fill this gap by:
- Updating the data flow diagrams. Data may flow from the UART into TF-A (and not only the other way around).
- Documenting the threats inherent to reading untrusted data from a UART.

Change-Id: I508da5d2f7ad5d20717b958d76ab9337c5eca50f
Signed-off-by: Sandrine Bailleux
---
 docs/resources/diagrams/plantuml/tfa_dfd.puml | 4 +-
 .../diagrams/plantuml/tfa_rss_dfd.puml | 4 +-
 docs/threat_model/threat_model.rst | 57 ++++++++++++++++++-
 docs/threat_model/threat_model_fvp_r.rst | 4 +-
 4 files changed, 62 insertions(+), 7 deletions(-)

diff --git a/docs/resources/diagrams/plantuml/tfa_dfd.puml b/docs/resources/diagrams/plantuml/tfa_dfd.puml
index 000791105..9d3dcba42 100644
--- a/docs/resources/diagrams/plantuml/tfa_dfd.puml
+++ b/docs/resources/diagrams/plantuml/tfa_dfd.puml
@@ -25,7 +25,7 @@ digraph tfa_dfd {
 nsec [label="Non-secure\nClients"]
 sec [label="Secure\nClients"]
 dbg [label="Debug & Trace"]
- logs [label="Logs\n(UART)"]
+ uart [label="UART"]
 nvm [label="Non-volatile\nMemory"]

 # Trust boundary cluster
@@ -56,7 +56,7 @@ digraph tfa_dfd {

 # Interactions between nodes
 nvm -> bl31 [lhead=cluster_tfa label="DF1"]
- logs -> bl31 [dir="back" lhead=cluster_tfa label="DF2"]
+ uart -> bl31 [dir="both" lhead=cluster_tfa label="DF2"]
 dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"]
 sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"]
 nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"]
diff --git a/docs/resources/diagrams/plantuml/tfa_rss_dfd.puml b/docs/resources/diagrams/plantuml/tfa_rss_dfd.puml
index 23f5b174e..a7e0ce576 100644
--- a/docs/resources/diagrams/plantuml/tfa_rss_dfd.puml
+++ b/docs/resources/diagrams/plantuml/tfa_rss_dfd.puml
@@ -25,7 +25,7 @@ digraph tfa_dfd {
 nsec [label="Non-secure\nClients"]
 sec [label="Secure\nClients"]
 dbg [label="Debug & Trace"]
- logs [label="Logs\n(UART)"]
+ uart [label="UART"]
 nvm [label="Non-volatile\nMemory"]
@@ -65,7 +65,7 @@ digraph tfa_dfd {

 # Interactions between nodes
 nvm -> bl31 [lhead=cluster_tfa label="DF1"]
- logs -> bl31 [dir="back" lhead=cluster_tfa label="DF2"]
+ uart -> bl31 [dir="both" lhead=cluster_tfa label="DF2"]
 dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"]
 sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"]
 nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"]
diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 57a5e1b81..d1a77f587 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@@ -63,8 +63,10 @@ are considered untrusted by TF-A.
 | | images include TF-A BL2 and BL31 images, as well as |
 | | other secure and non-secure images. |
 +-----------------+--------------------------------------------------------+
- | DF2 | | TF-A log system framework outputs debug messages |
- | | over a UART interface. |
+ | DF2 | | TF-A log system framework outputs debug or |
+ | | informative messages over a UART interface. |
+ | | |
+ | | | Also, characters can be read from a UART interface. |
 +-----------------+--------------------------------------------------------+
 | DF3 | | Debug and trace IP on a platform can allow access |
 | | to registers and memory of TF-A. |
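Review bot: The added DF2 sentence `Also, characters can be read from a UART interface.` describes the new inbound flow without saying that it is optional and carries untrusted data, which is what justifies the diagram edge becoming bidirectional and what threat ID 15 later relies on (it names the `ENABLE_CONSOLE_GETC` build option and calls the data untrusted). Suggest extending the cell to `Also, characters can be read from a UART interface when console input is enabled at build time; such input is untrusted.` so the data-flow table is self-contained. The table this row belongs to continues outside the hunk.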
@@ -552,6 +554,57 @@ General Threats for All Firmware Images | | soon as they are not needed anymore. | +------------------------+-----------------------------------------------------+ | Mitigations | | Yes / Platform specific | +| implemented? | | ++------------------------+-----------------------------------------------------+ + + ++------------------------+-----------------------------------------------------+ +| ID | 15 | ++========================+=====================================================+ +| Threat | | **Improper handling of input data received over | +| | a UART interface may allow an attacker to tamper | +| | with TF-A execution environment.** | +| | | +| | | The consequences of the attack depend on the | +| | the exact usage of input data received over UART. | +| | Examples are injection of arbitrary data, | +| | sensitive data tampering, influencing the | +| | execution path, denial of service (if using | +| | blocking I/O). This list may not be exhaustive. | ++------------------------+-----------------------------------------------------+ +| Diagram Elements | DF2, DF4, DF5 | ++------------------------+-----------------------------------------------------+ +| Affected TF-A | BL1, BL2, BL31 | +| Components | | ++------------------------+-----------------------------------------------------+ +| Assets | Sensitive Data, Code Execution, Availability | ++------------------------+-----------------------------------------------------+ +| Threat Agent | NSCode, SecCode | ++------------------------+-----------------------------------------------------+ +| Threat Type | Tampering, Information Disclosure, Denial of | +| | service, Elevation of privilege. 
| ++------------------------+-------------------+----------------+----------------+ +| Application | Server | IoT | Mobile | ++------------------------+-------------------+----------------+----------------+ +| Impact | Critical (5) | Critical (5) | Critical (5) | ++------------------------+-------------------+----------------+----------------+ +| Likelihood | Critical (5) | Critical (5) | Critical (5) | ++------------------------+-------------------+----------------+----------------+ +| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) | ++------------------------+-------------------+----------------+----------------+ +| Mitigations | | By default, the code to read input data from UART | +| | interfaces is disabled (see `ENABLE_CONSOLE_GETC` | +| | build option). It should only be enabled on a | +| | need basis. | +| | | +| | | Data received over UART interfaces should be | +| | treated as untrusted data. As such, it should be | +| | properly sanitized and handled with caution. | ++------------------------+-----------------------------------------------------+ +| Mitigations | | Platform specific. | +| implemented? | | +| | | Generic code does not read any input data from | +| | UART interface(s). | +------------------------+-----------------------------------------------------+ diff --git a/docs/threat_model/threat_model_fvp_r.rst b/docs/threat_model/threat_model_fvp_r.rst index c1462bb51..725eeed92 100644 --- a/docs/threat_model/threat_model_fvp_r.rst +++ b/docs/threat_model/threat_model_fvp_r.rst @@ -90,8 +90,10 @@ implementation: and since the MPU configuration is equivalent with that for the fvp platform and others, this is not expected to be a concern. + - ID 15: Improper handling of input data received over a UART interface may + allow an attacker to tamper with TF-A execution environment. -------------- -*Copyright (c) 2021, Arm Limited. All rights reserved.* +*Copyright (c) 2021-2023, Arm Limited. All rights reserved.*
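Review bot: The Threat Agent row of the new ID 15 table names only NSCode and SecCode, but the data in question arrives over the UART (DF2), an external interface, so the agent that injects it is whoever can drive the serial line — physical or debug access — rather than normal-world or secure-world code; if the document's agent table has an entry for physical access it should be listed here, otherwise the row should explain why NS/Secure code is treated as the source. The Mitigations cell's `properly sanitized and handled with caution` gives an implementer nothing to check against; a short list would help, e.g. bound the number of bytes read, validate length, character set and value range before use, never let the input select addresses or code paths, and avoid blocking reads on boot-critical paths (this matches the denial-of-service wording in the Threat cell). The Threat cell also has a doubled word across its line break: `depend on the` followed by `the exact usage` should read `depend on the exact usage`. The table spans both physical lines of this hunk.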
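Review bot: The new `- ID 15:` entry in threat_model_fvp_r.rst only restates the threat title, whereas the preceding entry in the same list gives a reason the threat is not a concern on this platform (its MPU configuration matching other platforms), so a reader cannot tell whether ID 15 is mitigated, not applicable, or open for FVP_R. Add the justification, e.g. whether this platform's build enables UART input (the `ENABLE_CONSOLE_GETC` option named in threat_model.rst) and, if it does not, that the threat does not apply. The enclosing list starts before the hunk, so I am inferring its meaning from the visible prior entry.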