Gary Morrison | d4d951a | 2021-11-10 14:40:15 -0600 | [diff] [blame] | 1 | fvp_r-Platform Threat Model |
| 2 | *************************** |
| 3 | |
| 4 | ************************ |
| 5 | Introduction |
| 6 | ************************ |
| 7 | This document provides a threat model for TF-A fvp_r platform. |
| 8 | |
| 9 | ************************ |
| 10 | Target of Evaluation |
| 11 | ************************ |
| 12 | In this threat model, the target of evaluation is the fvp_r platform of Trusted |
| 13 | Firmware for A-class Processors (TF-A). The fvp_r platform provides limited |
| 14 | support of AArch64 R-class Processors (v8-R64). |
| 15 | |
| 16 | This is a delta document, only pointing out differences from the general TF-A |
| 17 | threat-model document, :ref:`Generic Threat Model` |
| 18 | |
| 19 | BL1 Only |
| 20 | ======== |
| 21 | The most fundamental difference between the threat model for the current fvp_r |
| 22 | implementation compared to the general TF-A threat model, is that fvp_r is |
| 23 | currently limited to BL1 only. Any threats from the general TF-A threat model |
| 24 | unrelated to BL1 are therefore not relevant to the fvp_r implementation. |
| 25 | |
| 26 | The fvp_r BL1 implementation directly loads a customer/partner-defined runtime |
| 27 | system. The threat model for that runtime system, being partner-defined, is |
| 28 | out-of-scope for this threat-model. |
| 29 | |
| 30 | Relatedly, all exceptions, synchronous and asynchronous, are disabled during BL1 |
| 31 | execution. So, any references to exceptions are not relevant. |
| 32 | |
| 33 | EL3 is Unsupported and All Secure |
| 34 | ================================= |
| 35 | v8-R64 cores do not support EL3, and (essentially) all operation is defined as |
| 36 | Secure-mode. Therefore: |
| 37 | |
| 38 | - Any threats regarding NS operation are not relevant. |
| 39 | |
| 40 | - Any mentions of SMCs are also not relevant. |
| 41 | |
| 42 | - Anything otherwise-relevant code running in EL3 is instead run in EL2. |
| 43 | |
| 44 | MPU instead of MMU |
| 45 | ================== |
| 46 | v8-R64 cores, running in EL2, use an MPU for memory management, rather than an |
| 47 | MMU. The MPU in the fvp_r implementation is configured to function effectively |
| 48 | identically with the MMU for the usual BL1 implementation. There are |
| 49 | memory-map differences, but the MPU configuration is functionally equivalent. |
| 50 | |
| 51 | No AArch32 Support |
| 52 | ================== |
| 53 | Another substantial difference between v8-A and v8-R64 cores is that v8-R64 does |
| 54 | not support AArch32. However, this is not believed to have any threat-modeling |
| 55 | ramifications. |
| 56 | |
| 57 | |
| 58 | Threat Assessment |
| 59 | ================= |
| 60 | For this section, please reference the Threat Assessment under the general TF-A |
| 61 | threat-model document, :ref:`Generic Threat Model` |
| 62 | |
| 63 | The following threats from that document are still relevant to the fvp_r |
| 64 | implementation: |
| 65 | |
| 66 | - ID 01: An attacker can mangle firmware images to execute arbitrary code. |
| 67 | |
| 68 | - ID 03: An attacker can use Time-of-Check-Time-of-Use (TOCTOU) attack to |
| 69 | bypass image authentication during the boot process. |
| 70 | |
| 71 | - ID 04: An attacker with physical access can execute arbitrary image by |
| 72 | bypassing the signature verification stage using clock- or power-glitching |
| 73 | techniques. |
| 74 | |
| 75 | - ID 05: Information leak via UART logs such as crashes |
| 76 | |
| 77 | - ID 06: An attacker can read sensitive data and execute arbitrary code |
| 78 | through the external debug and trace interface. |
| 79 | |
| 80 | - ID 08: Memory corruption due to memory overflows and lack of boundary |
| 81 | checking when accessing resources could allow an attacker to execute |
| 82 | arbitrary code, modify some state variable to change the normal flow of |
| 83 | the program, or leak sensitive. |
| 84 | |
| 85 | - ID 11: Misconfiguration of the Memory Protection Unit (MPU) may allow |
| 86 | normal world software to access sensitive data or execute arbitrary code. |
| 87 | Arguably, MPUs having fewer memory regions, there may be a temptation to |
| 88 | share memory regions, making this a greater threat. However, since the |
| 89 | fvp_r implementation is limited to BL1, since BL1's regions are fixed, |
| 90 | and since the MPU configuration is equivalent with that for the fvp |
| 91 | platform and others, this is not expected to be a concern. |
| 92 | |
Sandrine Bailleux | a384672 | 2023-10-11 08:27:43 +0200 | [diff] [blame] | 93 | - ID 15: Improper handling of input data received over a UART interface may |
| 94 | allow an attacker to tamper with TF-A execution environment. |
Gary Morrison | d4d951a | 2021-11-10 14:40:15 -0600 | [diff] [blame] | 95 | |
| 96 | |
| 97 | -------------- |
| 98 | |
Sandrine Bailleux | a384672 | 2023-10-11 08:27:43 +0200 | [diff] [blame] | 99 | *Copyright (c) 2021-2023, Arm Limited. All rights reserved.* |