mirror of
https://github.com/ARM-software/arm-trusted-firmware.git
synced 2025-04-26 14:55:16 +00:00

Arm Confidential Compute Architecture (Arm CCA) support, underpinned by Arm Realm Management Extension (RME) support, brings in a few important software and hardware architectural changes in TF-A, which warrants a new security analysis of the code base. Results of this analysis are captured in a new threat model document, provided in this patch.

The main changes introduced in TF-A to support Arm CCA / RME are:

- Presence of a new threat agent: realm world clients.
- Availability of Arm CCA Hardware Enforced Security (HES) to support measured boot and trusted boot.
- Configuration of the Granule Protection Tables (GPT) for inter-world memory protection.

This is only an initial version of the threat model and we expect to enrich it in the future.

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iab84dc724df694511508f90dc76b6d469c4cccd5
44 lines
1.7 KiB
ReStructuredText
Threat Model
============

Threat modeling is an important part of the Secure Development Lifecycle (SDL)
that helps us identify potential threats and mitigations affecting a system.

As the TF-A codebase is highly configurable to allow tailoring it to each
platform's needs, providing a holistic threat model covering all of its features
is not necessarily the best approach. Instead, we provide a collection of
documents which, together, form the project's threat model. These are
articulated around a core document, called the :ref:`Generic Threat Model`,
which focuses on the most common configuration we expect to see. The other
documents typically focus on specific features not covered in the core document.

As the TF-A codebase evolves and new features get added, these threat model
documents will be updated and extended in parallel to reflect as closely as
possible the current status of the code from a security standpoint.

.. note::

   Although our aim is eventually to provide threat model material for all
   features within the project, we have not reached that point yet. We expect
   to gradually fill these gaps over time.

Each of these documents gives a description of the target of evaluation using a
data flow diagram, as well as a list of threats we have identified using the
`STRIDE threat modeling technique`_ and their corresponding mitigations.

.. toctree::
   :maxdepth: 1
   :caption: Contents

   threat_model
   threat_model_spm
   threat_model_el3_spm
   threat_model_fvp_r
   threat_model_rss_interface
   threat_model_arm_cca

--------------

*Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.*

.. _STRIDE threat modeling technique: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model