Update the SPM threat model with information about FF-A v1.1
memory sharing functionality.
Change-Id: I65ea0d53aba8ac2f8432539968ceaab6be109ac8
Signed-off-by: J-Alves <joao.alves@arm.com>
TF-A currently does not have any TPM2 driver for extending
measurements into a discrete TPM chip. In a TPM-based attestation
scheme, measurements are just stored into a TCG-compatible event
log buffer in secure memory.
In light of the fact that Event Log measurements are taken by BL1 and
BL2, we need to trust these components to store genuine measurements,
and the Generic Threat Model always mitigates against attacks on these
components; therefore, no explicit document for the Measured
Boot threat model is needed at this time.
Change-Id: I41b037b2f5956d327b53cd834345e5aefdcfb5ef
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
The top-level page for threat model documents is evidently outdated,
as it contains text which no longer makes sense on its own. Most
likely it relates back to the days where we had a single threat model
document.
Reword it accordingly. While we are at it, explain the motivation and
structure of the documents.
Change-Id: I63c8f38ec32b6edbfd1b4332eeaca19a01ae70e9
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
There were some late comments to the prior change (18635) which are
addressed in this commit. There was also an invalid return value check
which was changed and the wrong result was being returned via the SMC
call for loading OP-TEE which is now fixed.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I883ddf966662549a3ef9c801a2d4f47709422332
This adds the ability to load the OP-TEE image via an SMC called from
non-secure userspace rather than loading it during boot. This should
only be utilized on platforms that can ensure security is maintained up
until the point the SMC is invoked as it breaks the normal barrier
between the secure and non-secure world.
Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I21cfa9699617c493fa4190f01d1cbb714e7449cc
Adding a new threat which is about leaving
sensitive information in internal buffers
which could be stolen by an attacker.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I737e802c0adc9b00c89a0e21779745c51afb4b17
Update SPM threat model for possible threats, from malicious
endpoints, related to interrupt management. The mitigations
are based on the guidance provided in FF-A v1.1 EAC0 spec.
Change-Id: Ib9e26e3f1c60fe3a2734a67de1dcf1cea4883d38
Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
Top level sections are not numbered. Adding numbers makes referring to
sections easier. For example the Maintainers page changes from
"about/3.1" to simply "1.3.1".
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: If90a18ee8d6a6858d58f0687f31ea62b69399e04
Threat model for EL3 SPMC.
The mitigations are based on the guidance
provided in FF-A v1.1 EAC0 spec.
Signed-off-by: Shruti Gupta <shruti.gupta@arm.com>
Change-Id: I7f4c9370b6eefe6d1a7d1afac27e8b3a7b476072
- Cite crash reports as an example of sensitive
information. Previously, it might have sounded like this was the
focus of the threat.
- Warn about logging high-precision timing information, as well as
conditionally logging (potentially nonsensitive) information
depending on sensitive information.
Change-Id: I33232dcb1e4b5c81efd4cd621b24ab5ac7b58685
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
For each threat, we now separate:
- how to mitigate against it;
- whether TF-A currently implements these mitigations.
A new "Mitigations implemented?" box is added to each threat to
provide the implementation status. For threats that are partially
mitigated from platform code, the original text is improved to make
these expectations clearer. The hope is that platform integrators will
have an easier time identifying what they need to carefully implement
in order to follow the security recommendations from the threat model.
Change-Id: I8473d75946daf6c91a0e15e61758c183603e195b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add an explicit note that measured boot is out of scope of the threat
model. For example, we have no threat related to the secure
management of measurements, nor do we list its security benefits
(e.g. in terms of repudiation).
This might be a future improvement to the threat model but for now
just acknowledge it is not considered.
Change-Id: I2fb799a2ef0951aa681a755a948bd2b67415d156
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Reword the description of threat #9 to make it more future-proof for
Arm CCA. By avoiding specific references to secure or non-secure
contexts, in favour of "worlds" and "security contexts", we make the
description equally applicable to 2-world and 4-world architectures.
Note that there are other threats that would benefit from a
similar revamp but this is out of scope of this patch.
Also list malicious secure world code as a potential threat
agent. This seems to be an oversight in the first version of the
threat model (i.e. this change is not related to Arm CCA).
Change-Id: Id8c8424b0a801104c4f3dc70e344ee702d2b259a
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
The threat description was repeating the threat title.
Change-Id: I67de2c0aab6e86bf33eb91e7562e075fcb76259b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
By nature, experimental features are incomplete pieces of work,
sometimes going under rapid change. Typically, the threat model
implications have not been fully considered yet.
Change-Id: Ice8d4273a789558e912f82cde592da4747b37fdf
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
- Add empty lines after titles.
- Reduce number of highlighting characters to fit title length.
- Remove most ``monospaced text``.
I think most of it looked weird in the rendered HTML version and
it had no obvious meaning.
Change-Id: I5f746a3de035d8ac59eec0af491c187bfe86dad7
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Threat model for the current, BL1-only R-class support.
Signed-off-by: Gary Morrison <gary.morrison@arm.com>
Change-Id: I8479d5cb30f3cf3919281cc8dc1f21cada9511e0
Update SPM's threat model to contain threats related to the notifications
feature, compliant with FF-A v1.1 spec.
Change-Id: I4a825be5dd14137a0d04d532adfe5343714794c5
Signed-off-by: J-Alves <joao.alves@arm.com>
This patch expands the RME documentation with description of TF-A
changes for RME. It also modifies some other parts of TF-A documentation
to account for RME changes.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I9e6feeee235f0ba4b767d239f15840f1e0c540bb
Rename the FF-A specification to:
Arm Firmware Framework for Arm A-profile
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I4f9d29409d048e7a49832b95d39d2583c1fb5792
This is the first release of the public Trusted
Firmware A class threat model. This release
provides the baseline for future updates to be
applied as required by developments to the
TF-A code base.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I3c9aadc46196837679f0b1377bec9ed4fc42ff11