Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 9d97122c4d619b7d1e9ae2fe1cb7b36a4e76aa8d^! / . / docs / threat_model / threat_model.rst
commit9d97122c4d619b7d1e9ae2fe1cb7b36a4e76aa8d[log] [tgz]
authorManish V Badarkhe <Manish.Badarkhe@arm.com>Mon Apr 03 13:50:59 2023 +0100
committerManish V Badarkhe <Manish.Badarkhe@arm.com>Wed Apr 19 13:54:52 2023 +0100
treee6c203285c74766377ba0c7c68d2258eb4eb62fc
parent9d6a81766b197299794b6e15499ad6f3de4e0914 [diff] [blame]
docs(threat-model): add a notes related to the Measured Boot

TF-A currently does not have any TPM2 driver for extending
measurements into a discrete TPM chip. In TPM-based attestation
scheme, measurements are just stored into a TCG-compatible event
log buffer in secure memory.

In light of the fact that Event Log measurements are taken by BL1 and
BL2, we need to trust these components to store genuine measurements,
and the Generic Threat Model always mitigates against attacks on these
components, therefore, there is no explicit document for the Measured
Boot threat model at this time is needed.

Change-Id: I41b037b2f5956d327b53cd834345e5aefdcfb5ef
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 940cad5..71ec9b1 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst

@@ -36,12 +36,34 @@
 - There is no Secure-EL2. We don't consider threats that may come with
   Secure-EL2 software.
 
-- Measured boot is disabled. We do not consider the threats nor the mitigations
-  that may come with it.
-
 - No experimental features are enabled. We do not consider threats that may come
   from them.
 
+.. note::
+
+ In the current Measured Boot design, BL1, BL2, and BL31, as well as the
+ secure world components, form the |SRTM|. Measurement data is currently
+ considered an asset to be protected against attack, and this is achieved
+ by storing them in the Secure Memory.
+ Beyond the measurements stored inside the TCG-compliant Event Log buffer,
+ there are no other assets to protect or threats to defend against that
+ could compromise |TF-A| execution environment's security.
+
+ There are general security assets and threats associated with remote/delegated
+ attestation. However, these are outside the |TF-A| security boundary and
+ should be dealt with by the appropriate agent in the platform/system.
+ Since current Measured Boot design does not use local attestation, there would
+ be no further assets to protect(like unsealed keys).
+
+ A limitation of the current Measured Boot design is that it is dependent upon
+ Secure Boot as implementation of Measured Boot does not extend measurements
+ into a discrete |TPM|, where they would be securely stored and protected
+ against tampering. This implies that if Secure-Boot is compromised, Measured
+ Boot may also be compromised.
+
+ Platforms must carefully evaluate the security of the default implementation
+ since the |SRTM| includes all secure world components.
+
 Data Flow Diagram
 =================