Merge "docs(threat-model): add a notes related to the Measured Boot" into integration
diff --git a/docs/global_substitutions.txt b/docs/global_substitutions.txt
index 0cf2946..9428fe9 100644
--- a/docs/global_substitutions.txt
+++ b/docs/global_substitutions.txt
@@ -50,15 +50,18 @@
.. |SP| replace:: :term:`SP`
.. |SPD| replace:: :term:`SPD`
.. |SPM| replace:: :term:`SPM`
+.. |SRTM| replace:: :term:`SRTM`
.. |SSBS| replace:: :term:`SSBS`
.. |SVE| replace:: :term:`SVE`
.. |TBB| replace:: :term:`TBB`
.. |TBBR| replace:: :term:`TBBR`
+.. |TCG| replace:: :term:`TCG`
.. |TEE| replace:: :term:`TEE`
.. |TF-A| replace:: :term:`TF-A`
.. |TF-M| replace:: :term:`TF-M`
.. |TLB| replace:: :term:`TLB`
.. |TLK| replace:: :term:`TLK`
+.. |TPM| replace:: :term:`TPM`
.. |TRNG| replace:: :term:`TRNG`
.. |TSP| replace:: :term:`TSP`
.. |TZC| replace:: :term:`TZC`
diff --git a/docs/glossary.rst b/docs/glossary.rst
index e6b0239..57fde2d 100644
--- a/docs/glossary.rst
+++ b/docs/glossary.rst
@@ -187,6 +187,9 @@
SPM
Secure Partition Manager
+ SRTM
+ Static Root of Trust for Measurement
+
SSBS
Speculative Store Bypass Safe. Introduced in Armv8.5, this configuration
bit can be set by software to allow or prevent the hardware from
@@ -204,6 +207,9 @@
TCB
Trusted Compute Base
+ TCG
+ Trusted Computing Group
+
TEE
Trusted Execution Environment
@@ -219,6 +225,9 @@
TLK
Trusted Little Kernel. A Trusted OS from NVIDIA.
+ TPM
+ Trusted Platform Module
+
TRNG
True Randon Number Generator (hardware based)
diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 940cad5..71ec9b1 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@@ -36,12 +36,34 @@
- There is no Secure-EL2. We don't consider threats that may come with
Secure-EL2 software.
-- Measured boot is disabled. We do not consider the threats nor the mitigations
- that may come with it.
-
- No experimental features are enabled. We do not consider threats that may come
from them.
+.. note::
+
+ In the current Measured Boot design, BL1, BL2, and BL31, as well as the
+ secure world components, form the |SRTM|. Measurement data is currently
+ considered an asset to be protected against attack, and this is achieved
+ by storing them in the Secure Memory.
+ Beyond the measurements stored inside the TCG-compliant Event Log buffer,
+ there are no other assets to protect or threats to defend against that
+ could compromise |TF-A| execution environment's security.
+
+ There are general security assets and threats associated with remote/delegated
+ attestation. However, these are outside the |TF-A| security boundary and
+ should be dealt with by the appropriate agent in the platform/system.
+ Since current Measured Boot design does not use local attestation, there would
+ be no further assets to protect(like unsealed keys).
+
+ A limitation of the current Measured Boot design is that it is dependent upon
+ Secure Boot as implementation of Measured Boot does not extend measurements
+ into a discrete |TPM|, where they would be securely stored and protected
+ against tampering. This implies that if Secure-Boot is compromised, Measured
+ Boot may also be compromised.
+
+ Platforms must carefully evaluate the security of the default implementation
+ since the |SRTM| includes all secure world components.
+
Data Flow Diagram
=================