Merge "docs(threat-model): cover threats inherent to receiving data over UART" into integration

This commit is contained in:
Sandrine Bailleux 2023-11-14 08:43:42 +01:00 committed by TrustedFirmware Code Review
commit dcbf3a1173
4 changed files with 62 additions and 7 deletions

View file

@ -25,7 +25,7 @@ digraph tfa_dfd {
nsec [label="Non-secure\nClients"] nsec [label="Non-secure\nClients"]
sec [label="Secure\nClients"] sec [label="Secure\nClients"]
dbg [label="Debug & Trace"] dbg [label="Debug & Trace"]
logs [label="Logs\n(UART)"] uart [label="UART"]
nvm [label="Non-volatile\nMemory"] nvm [label="Non-volatile\nMemory"]
# Trust boundary cluster # Trust boundary cluster
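Review bot: renaming the node id from `logs` to `uart` only works if every edge that referenced `logs` is updated as well, since Graphviz silently creates a fresh, unlabelled `logs` node for any dangling reference rather than erroring out; the DF2 edge is fixed in the next hunk of this file, so just confirm no other edge in the graph still uses `logs`.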
@ -56,7 +56,7 @@ digraph tfa_dfd {
# Interactions between nodes # Interactions between nodes
nvm -> bl31 [lhead=cluster_tfa label="DF1"] nvm -> bl31 [lhead=cluster_tfa label="DF1"]
logs -> bl31 [dir="back" lhead=cluster_tfa label="DF2"] uart -> bl31 [dir="both" lhead=cluster_tfa label="DF2"]
dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"] dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"]
sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"] sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"]
nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"] nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"]
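Review bot: switching the DF2 edge to `dir="both"` makes the diagram assert that UART input always exists, whereas the threat table added in this same patch states that input is disabled by default and gated by `ENABLE_CONSOLE_GETC`; consider flagging the conditional nature in the edge label, e.g. `label="DF2\n(input optional)"`, or a comment above the edge, so that the diagram on its own does not overstate the attack surface.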

View file

@ -25,7 +25,7 @@ digraph tfa_dfd {
nsec [label="Non-secure\nClients"] nsec [label="Non-secure\nClients"]
sec [label="Secure\nClients"] sec [label="Secure\nClients"]
dbg [label="Debug & Trace"] dbg [label="Debug & Trace"]
logs [label="Logs\n(UART)"] uart [label="UART"]
nvm [label="Non-volatile\nMemory"] nvm [label="Non-volatile\nMemory"]
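Review bot: this is the same node rename applied to a second hand-maintained copy of the DFD, which is exactly how the two copies drift apart over time; either have one copy sourced from the other (the Sphinx graphviz directive can reference an external `.dot` file) or add a comment at the top of each copy pointing at its twin so future edits touch both.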
@ -65,7 +65,7 @@ digraph tfa_dfd {
# Interactions between nodes # Interactions between nodes
nvm -> bl31 [lhead=cluster_tfa label="DF1"] nvm -> bl31 [lhead=cluster_tfa label="DF1"]
logs -> bl31 [dir="back" lhead=cluster_tfa label="DF2"] uart -> bl31 [dir="both" lhead=cluster_tfa label="DF2"]
dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"] dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"]
sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"] sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"]
nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"] nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"]

View file

@ -63,8 +63,10 @@ are considered untrusted by TF-A.
| | images include TF-A BL2 and BL31 images, as well as | | | images include TF-A BL2 and BL31 images, as well as |
| | other secure and non-secure images. | | | other secure and non-secure images. |
+-----------------+--------------------------------------------------------+ +-----------------+--------------------------------------------------------+
| DF2 | | TF-A log system framework outputs debug messages | | DF2 | | TF-A log system framework outputs debug or |
| | over a UART interface. | | | informative messages over a UART interface. |
| | |
| | | Also, characters can be read from a UART interface. |
+-----------------+--------------------------------------------------------+ +-----------------+--------------------------------------------------------+
| DF3 | | Debug and trace IP on a platform can allow access | | DF3 | | Debug and trace IP on a platform can allow access |
| | to registers and memory of TF-A. | | | to registers and memory of TF-A. |
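Review bot: the new sentence "Also, characters can be read from a UART interface." is unconditional, but the mitigations for threat 15 in this same patch say the read path is disabled by default and only built when `ENABLE_CONSOLE_GETC` is set; say so here too (e.g. "When `ENABLE_CONSOLE_GETC` is set, characters can also be read from a UART interface.") so the data-flow description and the mitigation agree on when this input path exists. Minor: "informative messages" reads better as "informational messages".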
@ -552,6 +554,57 @@ General Threats for All Firmware Images
| | soon as they are not needed anymore. | | | soon as they are not needed anymore. |
+------------------------+-----------------------------------------------------+ +------------------------+-----------------------------------------------------+
| Mitigations | | Yes / Platform specific | | Mitigations | | Yes / Platform specific |
| implemented? | |
+------------------------+-----------------------------------------------------+
+------------------------+-----------------------------------------------------+
| ID | 15 |
+========================+=====================================================+
| Threat | | **Improper handling of input data received over |
| | a UART interface may allow an attacker to tamper |
| | with TF-A execution environment.** |
| | |
| | | The consequences of the attack depend on the |
| | the exact usage of input data received over UART. |
| | Examples are injection of arbitrary data, |
| | sensitive data tampering, influencing the |
| | execution path, denial of service (if using |
| | blocking I/O). This list may not be exhaustive. |
+------------------------+-----------------------------------------------------+
| Diagram Elements | DF2, DF4, DF5 |
+------------------------+-----------------------------------------------------+
| Affected TF-A | BL1, BL2, BL31 |
| Components | |
+------------------------+-----------------------------------------------------+
| Assets | Sensitive Data, Code Execution, Availability |
+------------------------+-----------------------------------------------------+
| Threat Agent | NSCode, SecCode |
+------------------------+-----------------------------------------------------+
| Threat Type | Tampering, Information Disclosure, Denial of |
| | service, Elevation of privilege. |
+------------------------+-------------------+----------------+----------------+
| Application | Server | IoT | Mobile |
+------------------------+-------------------+----------------+----------------+
| Impact | Critical (5) | Critical (5) | Critical (5) |
+------------------------+-------------------+----------------+----------------+
| Likelihood | Critical (5) | Critical (5) | Critical (5) |
+------------------------+-------------------+----------------+----------------+
| Total Risk Rating | Critical (25) | Critical (25) | Critical (25) |
+------------------------+-------------------+----------------+----------------+
| Mitigations | | By default, the code to read input data from UART |
| | interfaces is disabled (see `ENABLE_CONSOLE_GETC` |
| | build option). It should only be enabled on a |
| | need basis. |
| | |
| | | Data received over UART interfaces should be |
| | treated as untrusted data. As such, it should be |
| | properly sanitized and handled with caution. |
+------------------------+-----------------------------------------------------+
| Mitigations | | Platform specific. |
| implemented? | |
| | | Generic code does not read any input data from |
| | UART interface(s). |
+------------------------+-----------------------------------------------------+ +------------------------+-----------------------------------------------------+
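Review bot: the Threat cell has a doubled article across the line break ("depend on the | the exact usage"), and "tamper with TF-A execution environment" is missing "the" before TF-A; in the Mitigations cell, "on a need basis" should be "on an as-needed basis". The Threat Type row also mixes capitalisation ("Information Disclosure" against "Denial of service" and "Elevation of privilege"); pick one form. Finally, Likelihood is rated Critical (5) for all three profiles even though the same entry states the UART read code is compiled out by default; if the rating deliberately assumes a build with `ENABLE_CONSOLE_GETC` enabled, state that assumption in the Threat or Mitigations cell so the rating is not read as applying to default builds.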

View file

@ -90,8 +90,10 @@ implementation:
and since the MPU configuration is equivalent with that for the fvp and since the MPU configuration is equivalent with that for the fvp
platform and others, this is not expected to be a concern. platform and others, this is not expected to be a concern.
- ID 15: Improper handling of input data received over a UART interface may
allow an attacker to tamper with TF-A execution environment.
-------------- --------------
*Copyright (c) 2021, Arm Limited. All rights reserved.* *Copyright (c) 2021-2023, Arm Limited. All rights reserved.*
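Review bot: the new "ID 15" bullet only repeats the threat title, whereas the bullet above it explains why the threat is not a concern for this platform (MPU configuration equivalent to fvp); give the same kind of justification here, e.g. whether this platform builds with `ENABLE_CONSOLE_GETC` disabled or which platform code, if any, consumes UART input, otherwise a reader cannot tell whether the threat is mitigated or merely acknowledged. Also "tamper with TF-A execution environment" wants "the" before TF-A, here and in the generic threat model text it is copied from.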