docs(threat model): add TF-A threat model

This is the first release of the public Trusted
Firmware A class threat model. This release
provides the baseline for future updates to be
applied as required by developments to the
TF-A code base.

Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
Change-Id: I3c9aadc46196837679f0b1377bec9ed4fc42ff11
diff --git a/docs/_static/css/custom.css b/docs/_static/css/custom.css
new file mode 100644
index 0000000..f6f5fa0
--- /dev/null
+++ b/docs/_static/css/custom.css
@@ -0,0 +1,15 @@
+/*
+ * Copyright (c) 2021, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/*
+ * Set the white-space property of tables to normal.
+ * With this setting sequences of whitespace inside
+ * a table will collapse into a single whitespace,
+ * and text will wrap when necessary.
+ */
+.wy-table-responsive table td {
+white-space: normal;
+}
diff --git a/docs/conf.py b/docs/conf.py
index a100241..356be99 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2019, Arm Limited. All rights reserved.
+# Copyright (c) 2019-2021, Arm Limited. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -76,6 +76,14 @@
     'style_external_links': True # Display an icon next to external links
 }
 
+# Path to _static directory
+html_static_path = ['_static']
+
+# Path to css file relative to html_static_path
+html_css_files = [
+    'css/custom.css',
+]
+
 # -- Options for autosectionlabel --------------------------------------------
 
 # Only generate automatic section labels for document titles
diff --git a/docs/index.rst b/docs/index.rst
index cb53127..3760855 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -15,6 +15,7 @@
    perf/index
    security_advisories/index
    design_documents/index
+   threat_model/index
    change-log
    change-log-upcoming
    glossary
@@ -83,7 +84,7 @@
 
 --------------
 
-*Copyright (c) 2013-2020, Arm Limited and Contributors. All rights reserved.*
+*Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.*
 
 .. _Armv7-A and Armv8-A: https://developer.arm.com/products/architecture/a-profile
 .. _Secure Monitor: http://www.arm.com/products/processors/technologies/trustzone/tee-smc.php
diff --git a/docs/resources/diagrams/plantuml/tfa_dfd.puml b/docs/resources/diagrams/plantuml/tfa_dfd.puml
new file mode 100644
index 0000000..0007911
--- /dev/null
+++ b/docs/resources/diagrams/plantuml/tfa_dfd.puml
@@ -0,0 +1,66 @@
+/'
+ ' Copyright (c) 2021, Arm Limited. All rights reserved.
+ '
+ ' SPDX-License-Identifier: BSD-3-Clause
+ '/
+
+/'
+TF-A Data Flow Diagram
+'/
+
+@startuml
+digraph tfa_dfd {
+
+    # Arrange nodes from left to right
+    rankdir="LR"
+
+    # Allow arrows to end on cluster boundaries
+    compound=true
+
+    # Default settings for edges and nodes
+    edge [minlen=2 color="#8c1b07"]
+    node [fillcolor="#ffb866" style=filled shape=box fixedsize=true width=1.6 height=0.7]
+
+    # Nodes outside of the trust boundary
+    nsec [label="Non-secure\nClients"]
+    sec [label="Secure\nClients"]
+    dbg [label="Debug & Trace"]
+    logs [label="Logs\n(UART)"]
+    nvm [label="Non-volatile\nMemory"]
+
+    # Trust boundary cluster
+    subgraph cluster_trusted{
+        graph [style=dashed color="#f22430"]
+
+        # HW IPs cluster
+        subgraph cluster_ip{
+            label ="Hardware IPs";
+            graph [style=filled color="#000000" fillcolor="#ffd29e"]
+
+            rank="same"
+            gic [label="GIC" width=1.2 height=0.5]
+            tzc [label="TZ\nController" width=1.2 height=0.5]
+            etc [label="..." shape=none style=none height=0.5]
+        }
+
+        # TF-A cluster
+        subgraph cluster_tfa{
+            label ="TF-A";
+            graph [style=filled color="#000000" fillcolor="#faf9cd"]
+
+            bl1 [label="Boot ROM\n(BL1)" fillcolor="#ddffb3"];
+            bl2 [label="Trusted Boot\nFirmware\n(BL2)" fillcolor="#ddffb3" height=1]
+            bl31 [label="TF-A Runtime\n(BL31)" fillcolor="#ddffb3"]
+        }
+    }
+
+    # Interactions between nodes
+    nvm -> bl31 [lhead=cluster_tfa label="DF1"]
+    logs -> bl31 [dir="back" lhead=cluster_tfa label="DF2"]
+    dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"]
+    sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"]
+    nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"]
+    bl2 ->  tzc [dir="both" ltail=cluster_tfa lhead=cluster_ip label="DF6" minlen=1]
+}
+
+@enduml
diff --git a/docs/threat_model/index.rst b/docs/threat_model/index.rst
new file mode 100644
index 0000000..e8f09b9
--- /dev/null
+++ b/docs/threat_model/index.rst
@@ -0,0 +1,13 @@
+Threat Model
+=============
+
+.. toctree::
+   :maxdepth: 1
+   :caption: Contents
+   :numbered:
+
+   threat_model
+
+--------------
+
+*Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.*
diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
new file mode 100644
index 0000000..9cee104
--- /dev/null
+++ b/docs/threat_model/threat_model.rst
@@ -0,0 +1,784 @@
+*****************
+Introduction
+*****************
+Threat modeling is an important part of Secure Development Lifecycle (SDL)
+that helps us identify potential threats and mitigations affecting a system.
+
+This document provides a generic threat model for TF-A firmware. In the
+next sections, we first give a description of the target of evaluation
+using a data flow diagram. Then we provide a list of threats we have
+identified based on the data flow diagram and potential threat mitigations.
+
+************************
+Target of Evaluation
+************************
+In this threat model, the target of evaluation is the Trusted
+Firmware for A-class Processors (TF-A). This includes the boot ROM (BL1),
+the trusted boot firmware (BL2) and the runtime EL3 firmware (BL31) as
+shown on Figure 1. Everything else on Figure 1 is outside of the scope of
+the evaluation.
+
+TF-A can be configured in various ways. In this threat model we consider
+only the most basic configuration. To that end we make the following
+assumptions:
+
+- All TF-A images are run from either ROM or on-chip trusted SRAM. This means
+  TF-A is not vulnerable to an attacker that can probe or tamper with off-chip
+  memory.
+- Trusted boot is enabled. This means an attacker can't boot arbitrary images
+  that are not approved by platform providers.
+- There is no Secure-EL2. We don't consider threats that may come with
+  Secure-EL2 software.
+
+Data Flow Diagram
+======================
+Figure 1 shows a high-level data flow diagram for TF-A. The diagram
+shows a model of the different components of a TF-A-based system and
+their interactions with TF-A. A description of each diagram element
+is given on Table 1. On the diagram, the red broken lines indicate
+trust boundaries. Components outside of the broken lines
+are considered untrusted by TF-A.
+
+.. uml:: ../resources/diagrams/plantuml/tfa_dfd.puml
+  :caption: Figure 1: TF-A Data Flow Diagram
+
+.. table:: Table 1: TF-A Data Flow Diagram Description
+
+  +-----------------+--------------------------------------------------------+
+  | Diagram Element | Description                                            |
+  +=================+========================================================+
+  |       ``DF1``   | | At boot time, images are loaded from non-volatile    |
+  |                 |   memory and verified by TF-A boot firmware. These     |
+  |                 |   images include TF-A BL2 and BL31 images, as well as  |
+  |                 |   other secure and non-secure images.                  |
+  +-----------------+--------------------------------------------------------+
+  |       ``DF2``   | | TF-A log system framework outputs debug messages     |
+  |                 |   over a UART interface.                               |
+  +-----------------+--------------------------------------------------------+
+  |       ``DF3``   | | Debug and trace IP on a platform can allow access    |
+  |                 |   to registers and memory of TF-A.                     |
+  +-----------------+--------------------------------------------------------+
+  |       ``DF4``   | | Secure world software (e.g. trusted OS) interact     |
+  |                 |   with TF-A through SMC call interface and/or shared   |
+  |                 |   memory.                                              |
+  +-----------------+--------------------------------------------------------+
+  |       ``DF5``   | | Non-secure world software (e.g. rich OS) interact    |
+  |                 |   with TF-A through SMC call interface and/or shared   |
+  |                 |   memory.                                              |
+  +-----------------+--------------------------------------------------------+
+  |       ``DF6``   | | This path represents the interaction between TF-A and|
+  |                 |   various hardware IPs such as TrustZone controller    |
+  |                 |   and GIC. At boot time TF-A configures/initializes the|
+  |                 |   IPs and interacts with them at runtime through       |
+  |                 |   interrupts and registers.                            |
+  +-----------------+--------------------------------------------------------+
+
+
+*********************
+Threat Analysis
+*********************
+In this section we identify and provide assessment of potential threats to TF-A
+firmware. The threats are identified for each diagram element on the
+data flow diagram above.
+
+For each threat, we identify the *asset* that is under threat, the
+*threat agent* and the *threat type*. Each threat is given a *risk rating*
+that represents the impact and likelihood of that threat. We also discuss
+potential mitigations.
+
+Assets
+==================
+We have identified the following assets for TF-A:
+
+.. table:: Table 2: TF-A Assets
+
+  +--------------------+---------------------------------------------------+
+  | Asset              | Description                                       |
+  +====================+===================================================+
+  | ``Sensitive Data`` | | These include sensitive data that an attacker   |
+  |                    |   must not be able to tamper with (e.g. the Root  |
+  |                    |   of Trust Public Key) or see (e.g. secure logs,  |
+  |                    |   debugging information such as crash reports).   |
+  +--------------------+---------------------------------------------------+
+  | ``Code Execution`` | | This represents the requirement that the        |
+  |                    |   platform should run only TF-A code approved by  |
+  |                    |   the platform provider.                          |
+  +--------------------+---------------------------------------------------+
+  | ``Availability``   | | This represents the requirement that TF-A       |
+  |                    |   services should always be available for use.    |
+  +--------------------+---------------------------------------------------+
+
+Threat Agents
+=====================
+To understand the attack surface, it is important to identify potential
+attackers, i.e. attack entry points. The following threat agents are
+in scope of this threat model.
+
+.. table:: Table 3: Threat Agents
+
+  +-------------------+-------------------------------------------------------+
+  | Threat Agent      | Description                                           |
+  +===================+=======================================================+
+  |   ``NSCode``      | | Malicious or faulty code running in the Non-secure  |
+  |                   |   world, including NS-EL0 NS-EL1 and NS-EL2 levels    |
+  +-------------------+-------------------------------------------------------+
+  |   ``SecCode``     | | Malicious or faulty code running in the secure      |
+  |                   |   world, including S-EL0 and S-EL1 levels             |
+  +-------------------+-------------------------------------------------------+
+  |   ``AppDebug``    | | Physical attacker using  debug signals to access    |
+  |                   |   TF-A resources                                      |
+  +-------------------+-------------------------------------------------------+
+  | ``PhysicalAccess``| | Physical attacker having access to external device  |
+  |                   |   communication bus and to external flash             |
+  |                   |   communication bus using common hardware             |
+  +-------------------+-------------------------------------------------------+
+
+.. note::
+
+  In this threat model an advanced physical attacker that has the capability
+  to tamper with a hardware (e.g. "rewiring" a chip using a focused
+  ion beam (FIB) workstation or decapsulate the chip using chemicals) is
+  considered out-of-scope.
+
+Threat Types
+========================
+In this threat model we categorize threats using the `STRIDE threat
+analysis technique`_. In this technique a threat is categorized as one
+or more of these types: ``Spoofing``, ``Tampering``, ``Repudiation``,
+``Information disclosure``, ``Denial of service`` or
+``Elevation of privilege``.
+
+Threat Risk Ratings
+========================
+For each threat identified, a risk rating that ranges
+from *informational* to *critical* is given based on the likelihood of the
+threat occuring if a mitigation is not in place, and the impact of the
+threat (i.e. how severe the consequences could be). Table 4 explains each
+rating in terms of score, impact and likelihood.
+
+.. table:: Table 4: Rating and score as applied to impact and likelihood
+
+  +-----------------------+-------------------------+---------------------------+
+  | **Rating (Score)**    | **Impact**              | **Likelihood**            |
+  +=======================+=========================+===========================+
+  | ``Critical (5)``      | | Extreme impact to     | | Threat is almost        |
+  |                       |   entire organization   |   certain to be exploited.|
+  |                       |   if exploited.         |                           |
+  |                       |                         | | Knowledge of the threat |
+  |                       |                         |   and how to exploit it   |
+  |                       |                         |   are in the public       |
+  |                       |                         |   domain.                 |
+  +-----------------------+-------------------------+---------------------------+
+  | ``High (4)``          | | Major impact to entire| | Threat is relatively    |
+  |                       |   organization or single|   easy to detect and      |
+  |                       |   line of business if   |   exploit by an attacker  |
+  |                       |   exploited             |   with little skill.      |
+  +-----------------------+-------------------------+---------------------------+
+  | ``Medium (3)``        | | Noticeable impact to  | | A knowledgeable insider |
+  |                       |   line of business if   |   or expert attacker could|
+  |                       |   exploited.            |   exploit the threat      |
+  |                       |                         |   without much difficulty.|
+  +-----------------------+-------------------------+---------------------------+
+  | ``Low (2)``           | | Minor damage if       | | Exploiting the threat   |
+  |                       |   exploited or could    |   would require           |
+  |                       |   be used in conjunction|   considerable expertise  |
+  |                       |   with other            |   and resources           |
+  |                       |   vulnerabilities to    |                           |
+  |                       |   perform a more serious|                           |
+  |                       |   attack                |                           |
+  +-----------------------+-------------------------+---------------------------+
+  | ``Informational (1)`` | | Poor programming      | | Threat is not likely    |
+  |                       |   practice or poor      |   to be exploited on its  |
+  |                       |   design decision that  |   own, but may be used to |
+  |                       |   may not represent an  |   gain information for    |
+  |                       |   immediate risk on its |   launching another       |
+  |                       |   own, but may have     |   attack                  |
+  |                       |   security implications |                           |
+  |                       |   if multiplied and/or  |                           |
+  |                       |   combined with other   |                           |
+  |                       |   threats.              |                           |
+  +-----------------------+-------------------------+---------------------------+
+
+Aggregate risk scores are assigned to identified threats;
+specifically, the impact score multiplied by the likelihood score.
+For example, a threat with high likelihood and low impact would have an
+aggregate risk score of eight (8); that is, four (4) for high likelihood
+multiplied by two (2) for low impact. The aggregate risk score determines
+the finding's overall risk level, as shown in the following table.
+
+.. table:: Table 5: Overall risk levels and corresponding aggregate scores
+
+  +---------------------+-----------------------------------+
+  | Overall Risk Level  | Aggregate Risk Score              |
+  |                     | (Impact multiplied by Likelihood) |
+  +=====================+===================================+
+  | Critical            | 20–25                             |
+  +---------------------+-----------------------------------+
+  | High                | 12–19                             |
+  +---------------------+-----------------------------------+
+  | Medium              | 6–11                              |
+  +---------------------+-----------------------------------+
+  | Low                 | 2–5                               |
+  +---------------------+-----------------------------------+
+  | Informational       | 1                                 |
+  +---------------------+-----------------------------------+
+
+The likelihood and impact of a threat depends on the
+target environment in which TF-A is running. For example, attacks
+that require physical access are unlikely in server environments while
+they are more common in Internet of Things(IoT) environments.
+In this threat model we consider three target environments:
+``Internet of Things(IoT)``, ``Mobile`` and ``Server``.
+
+Threat Assessment
+============================
+The following threats were identified by applying STRIDE analysis on
+each diagram element of the data flow diagram.
+
++------------------------+----------------------------------------------------+
+| ID                     | 01                                                 |
++========================+====================================================+
+| ``Threat``             | | **An attacker can mangle firmware images to      |
+|                        |   execute arbitrary code**                         |
+|                        |                                                    |
+|                        | | Some TF-A images are loaded from external        |
+|                        |   storage. It is possible for an attacker to access|
+|                        |   the external flash memory and change its contents|
+|                        |   physically, through the Rich OS, or using the    |
+|                        |   updating mechanism to modify the non-volatile    |
+|                        |   images to execute arbitrary code.                |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements``   | DF1, DF4, DF5                                      |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A        | BL2, BL31                                          |
+| Components``           |                                                    |
++------------------------+----------------------------------------------------+
+| ``Assets``             | Code Execution                                     |
++------------------------+----------------------------------------------------+
+| ``Threat Agent``       | PhysicalAccess, NSCode, SecCode                    |
++------------------------+----------------------------------------------------+
+| ``Threat Type``        | Tampering, Elevation of Privilege                  |
++------------------------+------------------+-----------------+---------------+
+| ``Application``        | ``Server``       | ``IoT``         | ``Mobile``    |
++------------------------+------------------+-----------------+---------------+
+| ``Impact``             | Critical (5)     | Critical (5)    | Critical (5)  |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood``         | Critical (5)     | Critical (5)    | Critical (5)  |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating``  | Critical (25)    | Critical (25)   | Critical (25) |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations``        | | TF-A implements the `Trusted Board Boot (TBB)`_  |
+|                        |   feature which prevents malicious firmware from   |
+|                        |   running on the platform by authenticating all    |
+|                        |   firmware images. In addition to this, the TF-A   |
+|                        |   boot firmware performs extra checks on           |
+|                        |   unauthenticated data, such as FIP metadata, prior|
+|                        |   to use.                                          |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID                     | 02                                                 |
++========================+====================================================+
+| ``Threat``             | | **An attacker may attempt to boot outdated,      |
+|                        |   potentially vulnerable firmware image**          |
+|                        |                                                    |
+|                        | | When updating firmware, an attacker may attempt  |
+|                        |   to rollback to an older version that has unfixed |
+|                        |   vulnerabilities.                                 |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements``   | DF1, DF4, DF5                                      |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A        | BL2, BL31                                          |
+| Components``           |                                                    |
++------------------------+----------------------------------------------------+
+| ``Assets``             | Code Execution                                     |
++------------------------+----------------------------------------------------+
+| ``Threat Agent``       | PhysicalAccess, NSCode, SecCode                    |
++------------------------+----------------------------------------------------+
+| ``Threat Type``        | Tampering                                          |
++------------------------+------------------+-----------------+---------------+
+| ``Application``        | ``Server``       | ``IoT``         | ``Mobile``    |
++------------------------+------------------+-----------------+---------------+
+| ``Impact``             | Critical (5)     | Critical (5)    | Critical (5)  |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood``         | Critical (5)     | Critical (5)    | Critical (5)  |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating``  | Critical (25)    | Critical (25)   | Critical (25) |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations``        | | TF-A supports anti-rollback protection using     |
+|                        |   non-volatile counters (NV counters) as required  |
+|                        |   by `TBBR-Client specification`_. After a firmware|
+|                        |   image is validated, the image revision number    |
+|                        |   taken from a certificate extension field is      |
+|                        |   compared with the corresponding NV counter stored|
+|                        |   in hardware to make sure the new counter value is|
+|                        |   larger or equal to the current counter value.    |
+|                        |   Platforms must implement this protection using   |
+|                        |   platform specific hardware NV counters.          |
++------------------------+----------------------------------------------------+
+
++------------------------+-------------------------------------------------------+
+| ID                     | 03                                                    |
++========================+=======================================================+
+| ``Threat``             | |  **An attacker can use Time-of-Check-Time-of-Use    |
+|                        |   (TOCTOU) attack to bypass image authentication      |
+|                        |   during the boot process**                           |
+|                        |                                                       |
+|                        | | Time-of-Check-Time-of-Use (TOCTOU) threats occur    |
+|                        |   when the security check is produced before the time |
+|                        |   the resource is accessed. If an attacker is sitting |
+|                        |   in the middle of the off-chip images, they could    |
+|                        |   change the binary containing executable code right  |
+|                        |   after the integrity and authentication check has    |
+|                        |   been performed.                                     |
++------------------------+-------------------------------------------------------+
+| ``Diagram Elements``   | DF1                                                   |
++------------------------+-------------------------------------------------------+
+| ``Affected TF-A        | BL1, BL2                                              |
+| Components``           |                                                       |
++------------------------+-------------------------------------------------------+
+| ``Assets``             | Code Execution, Sensitive Data                        |
++------------------------+-------------------------------------------------------+
+| ``Threat Agent``       | PhysicalAccess                                        |
++------------------------+-------------------------------------------------------+
+| ``Threat Type``        | Elevation of Privilege                                |
++------------------------+---------------------+-----------------+---------------+
+| ``Application``        | ``Server``          | ``IoT``         | ``Mobile``    |
++------------------------+---------------------+-----------------+---------------+
+| ``Impact``             | N/A                 | Critical (5)    | Critical (5)  |
++------------------------+---------------------+-----------------+---------------+
+| ``Likelihood``         | N/A                 | Medium (3)      | Medium (3)    |
++------------------------+---------------------+-----------------+---------------+
+| ``Total Risk Rating``  | N/A                 | High (15)       | High (15)     |
++------------------------+---------------------+-----------------+---------------+
+| ``Mitigations``        | | TF-A boot firmware copies image to on-chip          |
+|                        |   memory before authenticating an image.              |
++------------------------+-------------------------------------------------------+
+
++------------------------+-------------------------------------------------------+
+| ID                     | 04                                                    |
++========================+=======================================================+
+| ``Threat``             | | **An attacker with physical access can execute      |
+|                        |   arbitrary image by bypassing the signature          |
+|                        |   verification stage using glitching techniques**     |
+|                        |                                                       |
+|                        | | Glitching (Fault injection) attacks attempt to put  |
+|                        |   a hardware into a undefined state by manipulating an|
+|                        |   environmental variable such as power supply.        |
+|                        |                                                       |
+|                        | | TF-A relies on a chain of trust that starts with the|
+|                        |   ROTPK, which is the key stored inside the chip and  |
+|                        |   the root of all validation processes. If an attacker|
+|                        |   can break this chain of trust, they could execute   |
+|                        |   arbitrary code on the device. This could be         |
+|                        |   achieved with physical access to the device by      |
+|                        |   attacking the normal execution flow of the          |
+|                        |   process using glitching techniques that target      |
+|                        |   points where the image is validated against the     |
+|                        |   signature.                                          |
++------------------------+-------------------------------------------------------+
+| ``Diagram Elements``   | DF1                                                   |
++------------------------+-------------------------------------------------------+
+| ``Affected TF-A        | BL1, BL2                                              |
+| Components``           |                                                       |
++------------------------+-------------------------------------------------------+
+| ``Assets``             | Code Execution                                        |
++------------------------+-------------------------------------------------------+
+| ``Threat Agent``       | PhysicalAccess                                        |
++------------------------+-------------------------------------------------------+
+| ``Threat Type``        | Tampering, Elevation of Privilege                     |
++------------------------+---------------------+-----------------+---------------+
+| ``Application``        | ``Server``          | ``IoT``         | ``Mobile``    |
++------------------------+---------------------+-----------------+---------------+
+| ``Impact``             | N/A                 | Critical (5)    | Critical (5)  |
++------------------------+---------------------+-----------------+---------------+
+| ``Likelihood``         | N/A                 | Medium (3)      | Medium (3)    |
++------------------------+---------------------+-----------------+---------------+
+| ``Total Risk Rating``  | N/A                 | High (15)       | High (15)     |
++------------------------+---------------------+-----------------+---------------+
+| ``Mitigations``        | | The most effective mitigation is adding glitching   |
+|                        |   detection and mitigation circuit at the hardware    |
+|                        |   level. However, software techniques,                |
+|                        |   such as adding redundant checks when performing     |
+|                        |   conditional branches that are security sensitive,   |
+|                        |   can be used to harden TF-A against such attacks.    |
+|                        |   **At the moment TF-A doesn't implement such         |
+|                        |   mitigations.**                                      |
++------------------------+-------------------------------------------------------+
+
++------------------------+---------------------------------------------------+
+| ID                     | 05                                                |
++========================+===================================================+
+| ``Threat``             | | **Information leak via UART logs such as        |
+|                        |   crashes**                                       |
+|                        |                                                   |
+|                        | | During the development stages of software it is |
+|                        |   common to include crash reports with detailed   |
+|                        |   information of the CPU state including current  |
+|                        |   values of the registers, privilege level and    |
+|                        |   stack dumps. This information is useful when    |
+|                        |   debugging problems before releasing the         |
+|                        |   production version, but it could be used by an  |
+|                        |   attacker to develop a working exploit if left   |
+|                        |   in the production version.                      |
++------------------------+---------------------------------------------------+
+| ``Diagram Elements``   | DF2                                               |
++------------------------+---------------------------------------------------+
+| ``Affected TF-A        | BL1, BL2, BL31                                    |
+| Components``           |                                                   |
++------------------------+---------------------------------------------------+
+| ``Assets``             | Sensitive Data                                    |
++------------------------+---------------------------------------------------+
+| ``Threat Agent``       | AppDebug                                          |
++------------------------+---------------------------------------------------+
+| ``Threat Type``        | Information Disclosure                            |
++------------------------+------------------+----------------+---------------+
+| ``Application``        | ``Server``       | ``IoT``        | ``Mobile``    |
++------------------------+------------------+----------------+---------------+
+| ``Impact``             | N/A              | Low (2)        | Low (2)       |
++------------------------+------------------+----------------+---------------+
+| ``Likelihood``         | N/A              | High (4)       | High (4)      |
++------------------------+------------------+----------------+---------------+
+| ``Total Risk Rating``  | N/A              | Medium (8)     | Medium (8)    |
++------------------------+------------------+----------------+---------------+
+| ``Mitigations``        | | In TF-A, crash reporting is only enabled for    |
+|                        |   debug builds by default. Alternatively, the log |
+|                        |   level can be tuned at build time (from verbose  |
+|                        |   to no output at all), independently of the      |
+|                        |   build type.                                     |
++------------------------+---------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID                     | 06                                                 |
++========================+====================================================+
+| ``Threat``             | | **An attacker can read sensitive data and        |
+|                        |   execute arbitrary code through the external      |
+|                        |   debug and trace interface**                      |
+|                        |                                                    |
+|                        | | Arm processors include hardware-assisted debug   |
+|                        |   and trace features that can be controlled without|
+|                        |   the need for software operating on the platform. |
+|                        |   If left enabled without authentication, this     |
+|                        |   feature can be used by an attacker to inspect and|
+|                        |   modify TF-A registers and memory allowing the    |
+|                        |   attacker to read sensitive data and execute      |
+|                        |   arbitrary code.                                  |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements``   | DF3                                                |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A        | BL1, BL2, BL31                                     |
+| Components``           |                                                    |
++------------------------+----------------------------------------------------+
+| ``Assets``             | Code Execution, Sensitive Data                     |
++------------------------+----------------------------------------------------+
+| ``Threat Agent``       | AppDebug                                           |
++------------------------+----------------------------------------------------+
+| ``Threat Type``        | Tampering, Information Disclosure,                 |
+|                        | Elevation of privilege                             |
++------------------------+------------------+---------------+-----------------+
+| ``Application``        | ``Server``       | ``IoT``       | ``Mobile``      |
++------------------------+------------------+---------------+-----------------+
+| ``Impact``             | N/A              | High (4)      | High (4)        |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood``         | N/A              | Critical (5)  | Critical (5)    |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating``  | N/A              | Critical (20) | Critical (20)   |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations``        | | Configuration of debug and trace capabilities is |
+|                        |   platform specific. Therefore, platforms must     |
+|                        |   disable the debug and trace capability for       |
+|                        |   production releases or enable proper debug       |
+|                        |   authentication as recommended by [`DEN0034`_].   |
++------------------------+----------------------------------------------------+
+
++------------------------+------------------------------------------------------+
+| ID                     | 07                                                   |
++========================+======================================================+
+| ``Threat``             | | **An attacker can perform a denial-of-service      |
+|                        |   attack by using a broken SMC call that causes the  |
+|                        |   system to reboot or enter into unknown state.**    |
+|                        |                                                      |
+|                        | | Secure and non-secure clients access TF-A services |
+|                        |   through SMC calls. Malicious code can attempt to   |
+|                        |   place the TF-A runtime into an inconsistent state  |
+|                        |   by calling unimplemented SMC call or by passing    |
+|                        |   invalid arguments.                                 |
++------------------------+------------------------------------------------------+
+| ``Diagram Elements``   | DF4, DF5                                             |
++------------------------+------------------------------------------------------+
+| ``Affected TF-A        | BL31                                                 |
+| Components``           |                                                      |
++------------------------+------------------------------------------------------+
+| ``Assets``             | Availability                                         |
++------------------------+------------------------------------------------------+
+| ``Threat Agent``       | NSCode, SecCode                                      |
++------------------------+------------------------------------------------------+
+| ``Threat Type``        | Denial of Service                                    |
++------------------------+-------------------+----------------+-----------------+
+| ``Application``        | ``Server``        | ``IoT``        | ``Mobile``      |
++------------------------+-------------------+----------------+-----------------+
+| ``Impact``             | Medium (3)        | Medium (3)     | Medium (3)      |
++------------------------+-------------------+----------------+-----------------+
+| ``Likelihood``         | High (4)          | High (4)       | High (4)        |
++------------------------+-------------------+----------------+-----------------+
+| ``Total Risk Rating``  | High (12)         | High (12)      | High (12)       |
++------------------------+-------------------+----------------+-----------------+
+| ``Mitigations``        | | The generic TF-A code validates SMC function ids   |
+|                        |   and arguments before using them.                   |
+|                        |   Platforms that implement SiP services must also    |
+|                        |   validate SMC call arguments.                       |
++------------------------+------------------------------------------------------+
+
++------------------------+------------------------------------------------------+
+| ID                     | 08                                                   |
++========================+======================================================+
+| ``Threat``             | | **Memory corruption due to memory overflows and    |
+|                        |   lack of boundary checking when accessing resources |
+|                        |   could allow an attacker to execute arbitrary code, |
+|                        |   modify some state variable to change the normal    |
+|                        |   flow of the program, or leak sensitive             |
+|                        |   information**                                      |
+|                        |                                                      |
+|                        | | Like in other software, the Trusted Firmware has   |
+|                        |   multiple points where memory corruption security   |
+|                        |   errors can arise. Memory corruption is a dangerous |
+|                        |   security issue since it could allow an attacker    |
+|                        |   to execute arbitrary code, modify some state       |
+|                        |   variable to change the normal flow of the program, |
+|                        |   or leak sensitive information.                     |
+|                        |                                                      |
+|                        | | Some of the errors include integer overflow,       |
+|                        |   buffer overflow, incorrect array boundary checks,  |
+|                        |   and incorrect error management.                    |
+|                        |   Improper use of asserts instead of proper input    |
+|                        |   validations might also result in these kinds of    |
+|                        |   errors in release builds.                          |
++------------------------+------------------------------------------------------+
+| ``Diagram Elements``   | DF4, DF5                                             |
++------------------------+------------------------------------------------------+
+| ``Affected TF-A        | BL1, BL2, BL31                                       |
+| Components``           |                                                      |
++------------------------+------------------------------------------------------+
+| ``Assets``             | Code Execution, Sensitive Data                       |
++------------------------+------------------------------------------------------+
+| ``Threat Agent``       | NSCode, SecCode                                      |
++------------------------+------------------------------------------------------+
+| ``Threat Type``        | Tampering, Information Disclosure,                   |
+|                        | Elevation of Privilege                               |
++------------------------+-------------------+-----------------+----------------+
+| ``Application``        | ``Server``        | ``IoT``         | ``Mobile``     |
++------------------------+-------------------+-----------------+----------------+
+| ``Impact``             | Critical (5)      | Critical (5)    | Critical (5)   |
++------------------------+-------------------+-----------------+----------------+
+| ``Likelihood``         | Medium (3         | Medium (3)      | Medium (3)     |
++------------------------+-------------------+-----------------+----------------+
+| ``Total Risk Rating``  | High (15)         | High (15)       | High (15)      |
++------------------------+-------------------+-----------------+----------------+
+| ``Mitigations``        | | TF-A uses a combination of manual code reviews and |
+|                        |   automated program analysis and testing to detect   |
+|                        |   and fix memory corruption bugs. All TF-A code      |
+|                        |   including platform code go through manual code     |
+|                        |   reviews. Additionally, static code analysis is     |
+|                        |   performed using Coverity Scan on all TF-A code.    |
+|                        |   The code is also tested  with                      |
+|                        |   `Trusted Firmware-A Tests`_ on Juno and FVP        |
+|                        |   platforms.                                         |
+|                        |                                                      |
+|                        | | Data received from normal world, such as addresses |
+|                        |   and sizes identifying memory regions, are          |
+|                        |   sanitized before being used. These security checks |
+|                        |   make sure that the normal world software does not  |
+|                        |   access memory beyond its limit.                    |
+|                        |                                                      |
+|                        | | By default *asserts* are only used to check for    |
+|                        |   programming errors in debug builds. Other types of |
+|                        |   errors are handled through condition checks that   |
+|                        |   remain enabled in release builds. See              |
+|                        |   `TF-A error handling policy`_. TF-A provides an    |
+|                        |   option to use *asserts* in release builds, however |
+|                        |   we recommend using proper runtime checks instead   |
+|                        |   of relying on asserts in release builds.           |
++------------------------+------------------------------------------------------+
+
++------------------------+------------------------------------------------------+
+| ID                     | 09                                                   |
++========================+======================================================+
+| ``Threat``             | | **Improperly handled SMC calls can leak register   |
+|                        |   contents**                                         |
+|                        |                                                      |
+|                        | | When switching between secure and non-secure       |
+|                        |   states, register contents of Secure world or       |
+|                        |   register contents of other normal world clients    |
+|                        |   can be leaked.                                     |
++------------------------+------------------------------------------------------+
+| ``Diagram Elements``   | DF5                                                  |
++------------------------+------------------------------------------------------+
+| ``Affected TF-A        | BL31                                                 |
+| Components``           |                                                      |
++------------------------+------------------------------------------------------+
+| ``Assets``             | Sensitive Data                                       |
++------------------------+------------------------------------------------------+
+| ``Threat Agent``       | NSCode                                               |
++------------------------+------------------------------------------------------+
+| ``Threat Type``        | Information Disclosure                               |
++------------------------+-------------------+----------------+-----------------+
+| ``Application``        | ``Server``        | ``IoT``        | ``Mobile``      |
++------------------------+-------------------+----------------+-----------------+
+| ``Impact``             | Medium (3)        | Medium (3)     | Medium (3)      |
++------------------------+-------------------+----------------+-----------------+
+| ``Likelihood``         | High (4)          | High (4)       | High (4)        |
++------------------------+-------------------+----------------+-----------------+
+| ``Total Risk Rating``  | High (12)         | High (12)      | High (12)       |
++------------------------+-------------------+----------------+-----------------+
+| ``Mitigations``        | | TF-A saves and restores registers                  |
+|                        |   by default when switching contexts. Build options  |
+|                        |   are also provided to save/restore additional       |
+|                        |   registers such as floating-point registers.        |
++------------------------+------------------------------------------------------+
+
++------------------------+-----------------------------------------------------+
+| ID                     | 10                                                  |
++========================+=====================================================+
+| ``Threat``             | | **SMC calls can leak sensitive information from   |
+|                        |   TF-A memory via microarchitectural side channels**|
+|                        |                                                     |
+|                        | | Microarchitectural side-channel attacks such as   |
+|                        |   `Spectre`_ can be used to leak data across        |
+|                        |   security boundaries. An attacker might attempt to |
+|                        |   use this kind of attack to leak sensitive         |
+|                        |   data from TF-A memory.                            |
++------------------------+-----------------------------------------------------+
+| ``Diagram Elements``   | DF4, DF5                                            |
++------------------------+-----------------------------------------------------+
+| ``Affected TF-A        | BL31                                                |
+| Components``           |                                                     |
++------------------------+-----------------------------------------------------+
+| ``Assets``             | Sensitive Data                                      |
++------------------------+-----------------------------------------------------+
+| ``Threat Agent``       | SecCode, NSCode                                     |
++------------------------+-----------------------------------------------------+
+| ``Threat Type``        | Information Disclosure                              |
++------------------------+-------------------+----------------+----------------+
+| ``Application``        | ``Server``        | ``IoT``        | ``Mobile``     |
++------------------------+-------------------+----------------+----------------+
+| ``Impact``             | Medium (3)        | Medium (3)     | Medium (3)     |
++------------------------+-------------------+----------------+----------------+
+| ``Likelihood``         | Medium (3)        | Medium (3)     | Medium (3)     |
++------------------------+-------------------+----------------+----------------+
+| ``Total Risk Rating``  | Medium (9)        | Medium (9)     | Medium (9)     |
++------------------------+-------------------+----------------+----------------+
+| ``Mitigations``        | | TF-A implements software mitigations for Spectre  |
+|                        |   type attacks as recommended by `Cache Speculation |
+|                        |   Side-channels`_ for the generic code. SiPs should |
+|                        |   implement similar mitigations for code that is    |
+|                        |   deemed to be vulnerable to such attacks.          |
++------------------------+-----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID                     | 11                                                 |
++========================+====================================================+
+| ``Threat``             | | **Misconfiguration of the Memory Management Unit |
+|                        |   (MMU) may allow a normal world software to       |
+|                        |   access sensitive data or execute arbitrary       |
+|                        |   code**                                           |
+|                        |                                                    |
+|                        | | A misconfiguration of the MMU could              |
+|                        |   lead to an open door for software running in the |
+|                        |   normal world to access sensitive data or even    |
+|                        |   execute code if the proper security mechanisms   |
+|                        |   are not in place.                                |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements``   | DF5, DF6                                           |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A        | BL1, BL2, BL31                                     |
+| Components``           |                                                    |
++------------------------+----------------------------------------------------+
+| ``Assets``             | Sensitive Data, Code execution                     |
++------------------------+----------------------------------------------------+
+| ``Threat Agent``       | NSCode                                             |
++------------------------+----------------------------------------------------+
+| ``Threat Type``        | Information Disclosure, Elevation of Privilege     |
++------------------------+-----------------+-----------------+----------------+
+| ``Application``        | ``Server``      | ``IoT``         | ``Mobile``     |
++------------------------+-----------------+-----------------+----------------+
+| ``Impact``             | Critical (5)    | Critical (5)    | Critical (5)   |
++------------------------+-----------------+-----------------+----------------+
+| ``Likelihood``         | High (4)        | High (4)        | High (4)       |
++------------------------+-----------------+-----------------+----------------+
+| ``Total Risk Rating``  | Critical (20)   | Critical (20)   | Critical (20)  |
++------------------------+-----------------+-----------------+----------------+
+| ``Mitigations``        | | In TF-A, configuration of the MMU is done        |
+|                        |   through a translation tables library. The        |
+|                        |   library provides APIs to define memory regions   |
+|                        |   and assign attributes including memory types and |
+|                        |   access permissions. Memory configurations are    |
+|                        |   platform specific, therefore platforms need make |
+|                        |   sure the correct attributes are assigned to      |
+|                        |   memory regions. When assigning access            |
+|                        |   permissions, principle of least privilege ought  |
+|                        |   to be enforced, i.e. we should not grant more    |
+|                        |   privileges than strictly needed, e.g. code       |
+|                        |   should be read-only executable, RO data should   |
+|                        |   be read-only XN, and so on.                      |
++------------------------+----------------------------------------------------+
+
++------------------------+-----------------------------------------------------+
+| ID                     | 12                                                  |
++========================+=====================================================+
+| ``Threat``             | | **Incorrect configuration of Performance Monitor  |
+|                        |   Unit (PMU) counters can allow an attacker to      |
+|                        |   mount side-channel attacks using information      |
+|                        |   exposed by the counters**                         |
+|                        |                                                     |
+|                        | | Non-secure software can configure PMU registers   |
+|                        |   to count events at any exception level and in     |
+|                        |   both Secure and Non-secure states. This allows    |
+|                        |   a Non-secure software (or a lower-level Secure    |
+|                        |   software) to potentially  carry out               |
+|                        |   side-channel timing attacks against TF-A.         |
++------------------------+-----------------------------------------------------+
+| ``Diagram Elements``   | DF5, DF6                                            |
++------------------------+-----------------------------------------------------+
+| ``Affected TF-A        | BL31                                                |
+| Components``           |                                                     |
++------------------------+-----------------------------------------------------+
+| ``Assets``             | Sensitive Data                                      |
++------------------------+-----------------------------------------------------+
+| ``Threat Agent``       | NSCode                                              |
++------------------------+-----------------------------------------------------+
+| ``Threat Type``        | Information Disclosure                              |
++------------------------+-------------------+----------------+----------------+
+| ``Impact``             | Medium (3)        | Medium (3)     | Medium (3)     |
++------------------------+-------------------+----------------+----------------+
+| ``Likelihood``         | Low (2)           | Low (2)        | Low (2)        |
++------------------------+-------------------+----------------+----------------+
+| ``Total Risk Rating``  | Medium (6)        | Medium (6)     | Medium (6)     |
++------------------------+-------------------+----------------+----------------+
+| ``Mitigations``        | | TF-A follows mitigation strategies as described   |
+|                        |   in `Secure Development Guidelines`_. General      |
+|                        |   events and cycle counting in the Secure world is  |
+|                        |   prohibited by default when applicable. However,   |
+|                        |   on some implementations (e.g. PMUv3) Secure world |
+|                        |   event counting depends on external debug interface|
+|                        |   signals, i.e. Secure world event counting is      |
+|                        |   enabled if external debug is enabled.             |
+|                        |   Configuration of debug signals is platform        |
+|                        |   specific, therefore platforms need to make sure   |
+|                        |   that external debug is disabled in production or  |
+|                        |   proper debug authentication is in place.          |
++------------------------+-----------------------------------------------------+
+
+--------------
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*
+
+
+.. _STRIDE threat analysis technique: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model
+.. _DEN0034: https://developer.arm.com/documentation/den0034/latest
+.. _Cache Speculation Side-channels: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+.. _Spectre: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+.. _TBBR-Client specification: https://developer.arm.com/documentation/den0006/d/
+.. _Trusted Board Boot (TBB): https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html
+.. _TF-A error handling policy: https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#error-handling-and-robustness
+.. _Secure Development Guidelines: https://trustedfirmware-a.readthedocs.io/en/latest/process/security-hardening.html#secure-development-guidelines
+.. _Trusted Firmware-A Tests: https://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/
\ No newline at end of file