mirror of
https://github.com/ARM-software/arm-trusted-firmware.git
synced 2025-04-18 02:24:18 +00:00
446354122c
Arm Confidential Compute Architecture (Arm CCA) support, underpinned by Arm Realm Management Extension (RME) support, brings in a few important software and hardware architectural changes in TF-A, which warrants a new security analysis of the code base. Results of this analysis are captured in a new threat model document, provided in this patch. The main changes introduced in TF-A to support Arm CCA / RME are: - Presence of a new threat agent: realm world clients. - Availability of Arm CCA Hardware Enforced Security (HES) to support measured boot and trusted boot. - Configuration of the Granule Protection Tables (GPT) for inter-world memory protection. This is only an initial version of the threat model and we expect to enrich it in the future. Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Co-authored-by: Manish Pandey <manish.pandey2@arm.com> Change-Id: Iab84dc724df694511508f90dc76b6d469c4cccd5
82 lines
2.5 KiB
Text
82 lines
2.5 KiB
Text
/'
|
|
' Copyright (c) 2023, Arm Limited. All rights reserved.
|
|
'
|
|
' SPDX-License-Identifier: BSD-3-Clause
|
|
'/
|
|
|
|
/'
|
|
TF-A with Arm CCA Data Flow Diagram
|
|
'/
|
|
|
|
@startuml
|
|
digraph tfa_dfd {
|
|
|
|
# Arrange nodes from left to right
|
|
rankdir="LR"
|
|
|
|
# Allow arrows to end on cluster boundaries
|
|
compound=true
|
|
|
|
# Default settings for edges and nodes
|
|
edge [minlen=2 color="#8c1b07"]
|
|
node [fillcolor="#ffb866" style=filled shape=box fixedsize=true width=1.6 height=0.7]
|
|
|
|
# Nodes outside of the trust boundary
|
|
realm [label="Realm\nClients"]
|
|
nsec [label="Non-secure\nClients"]
|
|
sec [label="Secure\nClients"]
|
|
dbg [label="Debug & Trace"]
|
|
uart [label="UART"]
|
|
nvm [label="Non-volatile\nMemory"]
|
|
|
|
# Trust boundary cluster
|
|
subgraph cluster_trusted{
|
|
graph [style=dashed color="#f22430"]
|
|
|
|
# HW IPs cluster
|
|
subgraph cluster_ip{
|
|
label ="Hardware IPs";
|
|
graph [style=filled color="#000000" fillcolor="#ffd29e"]
|
|
|
|
rank="same"
|
|
gic [label="GIC" width=1.2 height=0.5]
|
|
mmu [label="MMU" width=1.2 height=0.5]
|
|
etc [label="..." shape=none style=none height=0.5]
|
|
}
|
|
|
|
# TF-A cluster
|
|
subgraph cluster_tfa{
|
|
label ="TF-A";
|
|
graph [style=filled color="#000000" fillcolor="#faf9cd"]
|
|
|
|
bl1 [label="Boot ROM\n(BL1)" fillcolor="#ddffb3"];
|
|
bl2 [label="Trusted Boot\nFirmware\n(BL2)" fillcolor="#ddffb3" height=1]
|
|
bl31 [label="TF-A Runtime\n(BL31)" fillcolor="#ddffb3"]
|
|
}
|
|
|
|
# HES cluster
|
|
subgraph cluster_hes{
|
|
label ="Arm CCA HES";
|
|
graph [style=filled color="#000000" fillcolor="#ffd29e"]
|
|
|
|
hes [label="Hardware\nEnforced Security"]
|
|
}
|
|
}
|
|
|
|
# Interactions between nodes
|
|
|
|
# -- The following lines are copied from tfa_dfd.puml and must not be
|
|
# changed, at the risk of invalidating DF* references.
|
|
nvm -> bl31 [lhead=cluster_tfa label="DF1"]
|
|
uart -> bl31 [dir="both" lhead=cluster_tfa label="DF2"]
|
|
dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"]
|
|
sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"]
|
|
nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"]
|
|
bl2 -> mmu [dir="both" ltail=cluster_tfa lhead=cluster_ip label="DF6"]
|
|
|
|
# -- The following lines are new for Arm CCA DFD.
|
|
bl2 -> hes [dir="both" ltail=cluster_tfa lhead=cluster_hes label="DF7"]
|
|
realm -> bl2 [dir="both" lhead=cluster_tfa label="DF8"]
|
|
}
|
|
|
|
@enduml
|