docs(threat-model): add a threat model for TF-A with Arm CCA
Arm Confidential Compute Architecture (Arm CCA) support, underpinned by
Arm Realm Management Extension (RME) support, brings in a few important
software and hardware architectural changes in TF-A, which warrants a
new security analysis of the code base. Results of this analysis are
captured in a new threat model document, provided in this patch.
The main changes introduced in TF-A to support Arm CCA / RME are:
- Presence of a new threat agent: realm world clients.
- Availability of Arm CCA Hardware Enforced Security (HES) to support
measured boot and trusted boot.
- Configuration of the Granule Protection Tables (GPT) for
inter-world memory protection.
This is only an initial version of the threat model and we expect to
enrich it in the future.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Co-authored-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Iab84dc724df694511508f90dc76b6d469c4cccd5
diff --git a/docs/threat_model/threat_model_arm_cca.rst b/docs/threat_model/threat_model_arm_cca.rst
new file mode 100644
index 0000000..fbf3327
--- /dev/null
+++ b/docs/threat_model/threat_model_arm_cca.rst
@@ -0,0 +1,225 @@
+Threat Model for TF-A with Arm CCA support
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Introduction
+************
+
+This document provides a threat model of TF-A firmware for platforms with Arm
+Realm Management Extension (RME) support which implement Arm Confidential
+Compute Architecture (Arm CCA).
+
+Although it is a separate document, it references the :ref:`Generic Threat
+Model` in a number of places, as some of the contents is commonly applicable to
+TF-A with or without Arm CCA support.
+
+Target of Evaluation
+********************
+
+In this threat model, the target of evaluation is the Trusted Firmware for
+A-class Processors (TF-A) with RME support and Arm CCA support. This includes
+the boot ROM (BL1), the trusted boot firmware (BL2) and the runtime EL3 firmware
+(BL31).
+
+Assumptions
+===========
+
+We make the following assumptions:
+
+- :ref:`Realm Management Extension (RME)` is enabled on the platform.
+
+- Arm CCA Hardware Enforced Security (HES) is available on the platform, as
+ recommended by `Arm CCA security model`_:
+
+ *[R0004] Arm strongly recommends that all implementations of CCA utilize*
+ *hardware enforced security (CCA HES).*
+
+- All TF-A images run from on-chip memory. Data used by these images also live
+ in on-chip memory. This means TF-A is not vulnerable to an attacker that can
+ probe or tamper with off-chip memory.
+
+ These are requirements of the `Arm CCA security model`_:
+
+ *[R0147] Monitor code executes entirely from on-chip memory.*
+
+ *[R0149] Any monitor data that may affect the CCA security guarantee, other*
+ *than GPT, is either held in on-chip memory, or in external memory but with*
+ *additional integrity protection.*
+
+ Note that this threat model hardens *[R0149]* requirement by forbidding to
+ hold data in external memory, even if it is integrity-protected - except for
+ GPT data.
+
+- TF-A BL1 image is immutable and thus implicitly trusted. It runs from
+ read-only memory or write-protected memory. This could be on-chip ROM, on-chip
+ OTP, locked on-chip flash, or write-protected on-chip RAM for example.
+
+ This is a requirement of the `Arm CCA security model`_:
+
+ *[R0158] Arm recommends that all initial boot code is immutable on a*
+ *secured system.*
+
+ *[R0050] If all or part of initial boot code is instantiated in on-chip*
+ *memory then other trusted subsystems or application PE cannot modify that*
+ *code before it has been executed.*
+
+- Trusted boot and measured boot are enabled. This means an attacker can't boot
+ arbitrary images that are not approved by platform providers.
+
+ These are requirements of the `Arm CCA security model`_:
+
+ *[R0048] A secured system can only load authorized CCA firmware.*
+
+ *[R0079] All Monitor firmware loaded by PE initial boot is measured and*
+ *verified as outlined in Verified boot.*
+
+- No experimental features are enabled. These are typically incomplete features,
+ which need more time to stabilize. Thus, we do not consider threats that may
+ come from them. It is not recommended to use these features in production
+ builds.
+
+Data Flow Diagram
+=================
+
+Figure 1 shows a high-level data flow diagram for TF-A. The diagram shows a
+model of the different components of a TF-A-based system and their interactions
+with TF-A. A description of each diagram element is given on Table 1. On the
+diagram, the red broken lines indicate trust boundaries. Components outside of
+the broken lines are considered untrusted by TF-A.
+
+.. uml:: ../resources/diagrams/plantuml/tfa_arm_cca_dfd.puml
+ :caption: Figure 1: Data Flow Diagram
+
+.. table:: Table 1: Data Flow Diagram Description
+
+ +-----------------+--------------------------------------------------------+
+ | Diagram Element | Description |
+ +=================+========================================================+
+ | DF1 | | Refer to DF1 description in the |
+ | | :ref:`Generic Threat Model`. Additionally TF-A |
+ | | loads realm images. |
+ +-----------------+--------------------------------------------------------+
+ | DF2-DF6 | | Refer to DF2-DF6 descriptions in the |
+ | | :ref:`Generic Threat Model`. |
+ +-----------------+--------------------------------------------------------+
+ | DF7 | | Boot images interact with Arm CCA HES to record boot |
+ | | measurements and retrieve data used for AP images |
+ | | authentication. |
+ | | |
+ | | | The runtime firmware interacts with Arm CCA HES to |
+ | | obtain sensitive attestation data for the realm |
+ | | world. |
+ +-----------------+--------------------------------------------------------+
+ | DF8 | | Realm world software (e.g. TF-RMM) interact with |
+ | | TF-A through SMC call interface and/or shared |
+ | | memory. |
+ +-----------------+--------------------------------------------------------+
+
+Threat Analysis
+***************
+
+In this threat model, we use the same method to analyse threats as in the
+:ref:`Generic Threat Model`. This section only points out differences where
+applicable.
+
+- There is an additional threat agent: *RealmCode*. It takes the form of
+ malicious or faulty code running in the realm world, including R-EL2, R-EL1
+ and R-EL0 levels.
+
+- At this time we only consider the ``Server`` target environment. New threats
+ identified in this threat model will only be given a risk rating for this
+ environment. Other environments may be added in a future revision
+
+Threat Assessment
+=================
+
+General Threats for All Firmware Images
+---------------------------------------
+
+The following table analyses the :ref:`General Threats` in the context of this
+threat model. Only deltas are pointed out.
+
+ +----+-------------+-------------------------------------------------------+
+ | ID | Applicable? | Comments |
+ +====+=============+=======================================================+
+ | 05 | Yes | |
+ +----+-------------+-------------------------------------------------------+
+ | 06 | Yes | |
+ +----+-------------+-------------------------------------------------------+
+ | 08 | Yes | Additional diagram element: DF8. |
+ | | | |
+ | | | Additional threat agent: RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+ | 11 | Yes | | Misconfiguration of the Memory Management Unit |
+ | | | (MMU) may allow a **normal/secure/realm** world |
+ | | | software to access sensitive data, execute arbitrary|
+ | | | code or access otherwise restricted HW interface. |
+ | | | |
+ | | | | **Note that on RME systems, MMU configuration also |
+ | | | includes Granule Protection Tables (GPT) setup.** |
+ | | | |
+ | | | | Additional diagram elements: DF4, DF7, DF8. |
+ | | | |
+ | | | | Additional threat agents: SecCode, RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+ | 13 | Yes | Additional diagram element: DF8. |
+ | | | |
+ | | | Additional threat agent: RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+ | 15 | Yes | Additional diagram element: DF8. |
+ | | | |
+ | | | Additional threat agent: RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+
+Threats to be Mitigated by the Boot Firmware
+--------------------------------------------
+
+The following table analyses the :ref:`Boot Firmware Threats` in the context of
+this threat model. Only deltas are pointed out.
+
+ +----+-------------+-------------------------------------------------------+
+ | ID | Applicable? | Comments |
+ +====+=============+=======================================================+
+ | 01 | Yes | Additional diagram element: DF8. |
+ | | | |
+ | | | Additional threat agent: RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+ | 02 | Yes | Additional diagram element: DF8. |
+ | | | |
+ | | | Additional threat agent: RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+ | 03 | Yes | |
+ +----+-------------+-------------------------------------------------------+
+ | 04 | Yes | |
+ +----+-------------+-------------------------------------------------------+
+
+Threats to be Mitigated by the Runtime EL3 Firmware
+---------------------------------------------------
+
+The following table analyses the :ref:`Runtime Firmware Threats` in the context
+of this threat model. Only deltas are pointed out.
+
+ +----+-------------+-------------------------------------------------------+
+ | ID | Applicable? | Comments |
+ +====+=============+=======================================================+
+ | 07 | Yes | Additional diagram element: DF8. |
+ | | | |
+ | | | Additional threat agent: RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+ | 09 | Yes | Additional diagram element: DF8. |
+ | | | |
+ | | | Additional threat agent: RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+ | 10 | Yes | Additional diagram element: DF8. |
+ | | | |
+ | | | Additional threat agent: RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+ | 12 | Yes | Additional diagram element: DF8. |
+ | | | |
+ | | | Additional threat agent: RealmCode. |
+ +----+-------------+-------------------------------------------------------+
+ | 14 | Yes | |
+ +----+-------------+-------------------------------------------------------+
+
+*Copyright (c) 2023, Arm Limited. All rights reserved.*
+
+.. _Arm CCA Security Model: https://developer.arm.com/documentation/DEN0096/A_a