Arm Confidential Compute Architecture (Arm CCA) support, underpinned by
Arm Realm Management Extension (RME) support, brings in a few important
software and hardware architectural changes in TF-A, which warrants a
new security analysis of the code base. Results of this analysis are
captured in a new threat model document, provided in this patch.
The main changes introduced in TF-A to support Arm CCA / RME are:
- Presence of a new threat agent: realm world clients.
- Availability of Arm CCA Hardware Enforced Security (HES) to support
measured boot and trusted boot.
- Configuration of the Granule Protection Tables (GPT) for
inter-world memory protection.
This is only an initial version of the threat model and we expect to
enrich it in the future.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iab84dc724df694511508f90dc76b6d469c4cccd5
TF-A supports reading input data from UART interfaces. This opens up
an attack vector for arbitrary data to be injected into TF-A, which is
not covered in the threat model right now.
Fill this gap by:
- Updating the data flow diagrams. Data may flow from the UART into
TF-A (and not only the other way around).
- Documenting the threats inherent to reading untrusted data from a
UART.
Change-Id: I508da5d2f7ad5d20717b958d76ab9337c5eca50f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
set_fw_config_info() interface got renamed into set_config_info() as
part of commit f441718936 ("lib/fconf:
Update 'set_fw_config_info' function"). Rename a few left-overs of the
old name.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I119719cd7f3ba544e0c4c438e5341d35c7b5bdc2
Threat model for EL3 SPMC.
The mitigations are based on the guidance
provided in FF-A v1.1 EAC0 spec.
Signed-off-by: Shruti Gupta <shruti.gupta@arm.com>
Change-Id: I7f4c9370b6eefe6d1a7d1afac27e8b3a7b476072
This is the first release of the public Trusted
Firmware A class threat model. This release
provides the baseline for future updates to be
applied as required by developments to the
TF-A code base.
Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I3c9aadc46196837679f0b1377bec9ed4fc42ff11
Updated the documentation for the FIP generation process using
SP images.
Change-Id: I4df7f379f08f33adba6f5c82904291576972e106
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Former EL3 Secure Partition Manager using MM protocol is renamed
Secure Partition Manager (MM).
A new Secure Partition Manager document covers TF-A support for the
PSA FF-A compliant implementation.
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: I9763359c2e96181e1726c8ad72738de293b80eb4
Updated the document for BL1 and BL2 boot flow to capture
below changes made in FCONF
1. Loading of fw_config and tb_fw_config images by BL1.
2. Population of fw_config and tb_fw_config by BL2.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ifea5c61d520ff1de834c279ce1759b53448303ba
Update the plantuml diagrams to match the latest modification in fconf.
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Change-Id: I90f55bba0fd039a3f7e1bd39661cf849fccd64f5
Some of the plantuml diagrams in the I/O storage abstraction layer
documentation are absent from the rendered version of the porting
guide. The build log (see [1] for example) reports a syntax error in
these files. This is due to the usage of the 'order' keyword on the
participants list, which does not seem to be supported by the version
of plantuml installed on the ReadTheDocs server.
Fix these syntax errors by removing the 'order' keyword altogether. We
simply rely on the participants being declared in the desired order,
which will be the order of display, according to the plantuml
documentation.
[1] https://readthedocs.org/api/v2/build/9870345.txt
Change-Id: Ife35c74cb2f1dac28bda07df395244639a8d6a2b
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Add uml sequence and class diagram to illustrate the behavior of the
storage abstraction layer.
Change-Id: I338262729f8034cc3d3eea1d0ce19cca973a91bb
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
Currently we have some pre-rendered versions of certain diagrams
in SVG format. These diagrams have corresponding PlantUML source
that can be rendered automatically as part of the documentation
build, removing the need for any intermediate files.
This patch adds the Sphinx "plantuml" extension, replaces
references to the pre-rendered SVG files within the documents,
and finally removes the SVG files and helper script.
New requirements for building the docs are the
"sphinxcontrib-plantuml" Python module (added to the pip
requirements.txt file) and the Graphviz package (provides the
"dot" binary) which is in the Ubuntu package repositories.
Change-Id: I24b52ee40ff79676212ed7cff350294945f1b50d
Signed-off-by: Paul Beesley <paul.beesley@arm.com>
