Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 545f4b6233618876df50f56c1ed6a40f968bb2e0^! / . / docs / threat_model / threat_model.rst
commit545f4b6233618876df50f56c1ed6a40f968bb2e0[log] [tgz]
authorSandrine Bailleux <sandrine.bailleux@arm.com>Wed Sep 06 16:11:12 2023 +0200
committerSandrine Bailleux <sandrine.bailleux@arm.com>Tue Nov 14 09:21:31 2023 +0100
tree0e537c20b05402d02bc76b04b9eaf819f1cf39a2
parentc0c0a29c83c6149bfad0de0fb25f511596406f23 [diff] [blame]
docs(threat-model): add a threat model for TF-A with Arm CCA

Arm Confidential Compute Architecture (Arm CCA) support, underpinned by
Arm Realm Management Extension (RME) support, brings in a few important
software and hardware architectural changes in TF-A, which warrants a
new security analysis of the code base. Results of this analysis are
captured in a new threat model document, provided in this patch.

The main changes introduced in TF-A to support Arm CCA / RME are:

 - Presence of a new threat agent: realm world clients.

 - Availability of Arm CCA Hardware Enforced Security (HES) to support
   measured boot and trusted boot.

 - Configuration of the Granule Protection Tables (GPT) for
   inter-world memory protection.

This is only an initial version of the threat model and we expect to
enrich it in the future.

Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iab84dc724df694511508f90dc76b6d469c4cccd5

diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index d1a77f5..0da2558 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst

@@ -36,6 +36,9 @@
 - There are no Root and Realm worlds. These are introduced by :ref:`Realm
   Management Extension (RME)`.
 
+  The :ref:`Threat Model for TF-A with Arm CCA support` covers these types of
+  configurations.
+
 - No experimental features are enabled. We do not consider threats that may come
   from them.
 
@@ -274,6 +277,8 @@
 them. To help developers implement mitigations in the right place, threats below
 are categorized based on the firmware image that should mitigate them.
 
+.. _General Threats:
+
 General Threats for All Firmware Images
 ---------------------------------------
 
@@ -608,6 +613,8 @@
 +------------------------+-----------------------------------------------------+
 
 
+.. _Boot Firmware Threats:
+
 Threats to be Mitigated by the Boot Firmware
 --------------------------------------------
 
@@ -842,6 +849,8 @@
  since the |SRTM| includes all secure world components.
 
 
+.. _Runtime Firmware Threats:
+
 Threats to be Mitigated by the Runtime EL3 Firmware
 ---------------------------------------------------