From bb4d7d71956d1365eb2d616a44a8155e68d5ca9d Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Tue, 2 Jan 2024 13:53:58 +0000 Subject: [PATCH] docs(threat-model): add threat model for PSA FWU and TBBR FWU(recovery) Added a threat model for PSA firmware update as well as TBBR FWU aka firmware recovery. Change-Id: I2396e13144076d7294f61f6817e1a8646225c6c2 Signed-off-by: Manish V Badarkhe --- docs/threat_model/index.rst | 1 + .../threat_model_fw_update_and_recovery.rst | 103 ++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 docs/threat_model/threat_model_fw_update_and_recovery.rst diff --git a/docs/threat_model/index.rst b/docs/threat_model/index.rst index e22378b0b..234c2f4ed 100644 --- a/docs/threat_model/index.rst +++ b/docs/threat_model/index.rst @@ -35,6 +35,7 @@ data flow diagram, as well as a list of threats we have identified using the threat_model_fvp_r threat_model_rss_interface threat_model_arm_cca + threat_model_fw_update_and_recovery -------------- diff --git a/docs/threat_model/threat_model_fw_update_and_recovery.rst b/docs/threat_model/threat_model_fw_update_and_recovery.rst new file mode 100644 index 000000000..7b55c7469 --- /dev/null +++ b/docs/threat_model/threat_model_fw_update_and_recovery.rst @@ -0,0 +1,103 @@ +Threat Model for TF-A with PSA FWU or TBBR FWU support +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Introduction +************ + +This document provides a threat model of TF-A firmware for platforms with +the feature PSA firmware update or TBBR firmware update or both enabled. +To understand the design of the firmware update refer +:ref:`Firmware Update (FWU)`. + +Although it is a separate document, it references the :ref:`Generic Threat +Model` in a number of places, as some of the contents are applicable to this +threat model. + +Target of Evaluation +******************** + +In this threat model, the target of evaluation is the Trusted Firmware for +A-class Processors (TF-A) when PSA FWU support is enabled or TBBR FWU mode +is enabled. This includes the boot ROM (BL1), the trusted boot firmware (BL2). + +Threat Assessment +***************** + +For this section, please reference the Threat Assessment under the +:ref:`Generic Threat Model`. Here only the differences are highlighted. + +PSA FWU +******* + +Threats to be Mitigated by the Boot Firmware +-------------------------------------------- + +The following table analyses the :ref:`Boot Firmware Threats` in the context +of this threat model. Only additional details are pointed out. + ++----+-------------+-------------------------------------------------------+ +| ID | Applicable? | Comments | ++====+=============+=======================================================+ +| 01 | Yes | | Attacker can use arbitrary images to update the | +| | | system. | ++----+-------------+-------------------------------------------------------+ +| 02 | Yes | | Attacker tries to update the system with the | +| | | vulnerable/older firmware. | ++----+-------------+-------------------------------------------------------+ +| 03 | Yes | | ++----+-------------+-------------------------------------------------------+ +| 04 | Yes | | ++----+-------------+-------------------------------------------------------+ + + +Threats to be mitigated by platform design +------------------------------------------ + +PSA FWU is driven by metadata stored in non-volatile storage. This metadata +is not cryptographically signed. Also, depending on the hardware design, +it may be stored in untrusted storage, which makes it possible for software +outside of TF-A security boundary or for a physical attacker to modify it +in order to change the behaviour of the FWU process. + +Below we provide some possible FWU metadata corruption scenarios: + +1. The FWU metadata includes the firmware bank for booting; the attacker + tries to modify it to prevent the execution of the updated firmware. +2. The FWU metadata features a field indicating the firmware's status, either + in trial run or accepted run. The attacker tries to manipulate this field, + ensuring the updated firmware consistently runs in trial mode, with the + intention of preventing the anti-rollback update. + +By design, no software mitigations exist to prevent this. The safeguarding +of FWU metadata relies on the platform's hardware design to mitigate potential +attacks on it, if this is a concern in the platform's threat model. +For example, FWU metadata may be stored in secure storage under exclusive +access from secure software, protecting it from physical, unauthenticated +accesses and from non-secure software accesses. + +TBBR FWU - Firmware Recovery +**************************** + +Threats to be Mitigated by the Boot Firmware +-------------------------------------------- + +The following table analyses the :ref:`Boot Firmware Threats` in the context +of this threat model. Only additional details are pointed out. + ++----+-------------+-------------------------------------------------------+ +| ID | Applicable? | Comments | ++====+=============+=======================================================+ +| 01 | Yes | | Attacker can use arbitrary images to recover the | +| | | system. | ++----+-------------+-------------------------------------------------------+ +| 02 | Yes | | Attacker tries to recover the system with the | +| | | vulnerable/older firmware. | ++----+-------------+-------------------------------------------------------+ +| 03 | Yes | | ++----+-------------+-------------------------------------------------------+ +| 04 | Yes | | ++----+-------------+-------------------------------------------------------+ + +-------------- + +*Copyright (c) 2024, Arm Limited. All rights reserved.*