| Manish V Badarkhe | dbabd1a | 2024-01-02 13:53:58 +0000 | [diff] [blame] | 1 | Threat Model for TF-A with PSA FWU or TBBR FWU support |
| 2 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 3 | |
| 4 | Introduction |
| 5 | ************ |
| 6 | |
| 7 | This document provides a threat model of TF-A firmware for platforms with |
| 8 | the feature PSA firmware update or TBBR firmware update or both enabled. |
| 9 | To understand the design of the firmware update refer |
| 10 | :ref:`Firmware Update (FWU)`. |
| 11 | |
| 12 | Although it is a separate document, it references the :ref:`Generic Threat |
| 13 | Model` in a number of places, as some of the contents are applicable to this |
| 14 | threat model. |
| 15 | |
| 16 | Target of Evaluation |
| 17 | ******************** |
| 18 | |
| 19 | In this threat model, the target of evaluation is the Trusted Firmware for |
| 20 | A-class Processors (TF-A) when PSA FWU support is enabled or TBBR FWU mode |
| 21 | is enabled. This includes the boot ROM (BL1), the trusted boot firmware (BL2). |
| 22 | |
| 23 | Threat Assessment |
| 24 | ***************** |
| 25 | |
| 26 | For this section, please reference the Threat Assessment under the |
| 27 | :ref:`Generic Threat Model`. Here only the differences are highlighted. |
| 28 | |
| 29 | PSA FWU |
| 30 | ******* |
| 31 | |
| 32 | Threats to be Mitigated by the Boot Firmware |
| 33 | -------------------------------------------- |
| 34 | |
| 35 | The following table analyses the :ref:`Boot Firmware Threats` in the context |
| 36 | of this threat model. Only additional details are pointed out. |
| 37 | |
| 38 | +----+-------------+-------------------------------------------------------+ |
| 39 | | ID | Applicable? | Comments | |
| 40 | +====+=============+=======================================================+ |
| 41 | | 01 | Yes | | Attacker can use arbitrary images to update the | |
| 42 | | | | system. | |
| 43 | +----+-------------+-------------------------------------------------------+ |
| 44 | | 02 | Yes | | Attacker tries to update the system with the | |
| 45 | | | | vulnerable/older firmware. | |
| 46 | +----+-------------+-------------------------------------------------------+ |
| 47 | | 03 | Yes | | |
| 48 | +----+-------------+-------------------------------------------------------+ |
| 49 | | 04 | Yes | | |
| 50 | +----+-------------+-------------------------------------------------------+ |
| 51 | |
| 52 | |
| 53 | Threats to be mitigated by platform design |
| 54 | ------------------------------------------ |
| 55 | |
| 56 | PSA FWU is driven by metadata stored in non-volatile storage. This metadata |
| 57 | is not cryptographically signed. Also, depending on the hardware design, |
| 58 | it may be stored in untrusted storage, which makes it possible for software |
| 59 | outside of TF-A security boundary or for a physical attacker to modify it |
| 60 | in order to change the behaviour of the FWU process. |
| 61 | |
| 62 | Below we provide some possible FWU metadata corruption scenarios: |
| 63 | |
| 64 | 1. The FWU metadata includes the firmware bank for booting; the attacker |
| 65 | tries to modify it to prevent the execution of the updated firmware. |
| 66 | 2. The FWU metadata features a field indicating the firmware's status, either |
| 67 | in trial run or accepted run. The attacker tries to manipulate this field, |
| 68 | ensuring the updated firmware consistently runs in trial mode, with the |
| 69 | intention of preventing the anti-rollback update. |
| 70 | |
| 71 | By design, no software mitigations exist to prevent this. The safeguarding |
| 72 | of FWU metadata relies on the platform's hardware design to mitigate potential |
| 73 | attacks on it, if this is a concern in the platform's threat model. |
| 74 | For example, FWU metadata may be stored in secure storage under exclusive |
| 75 | access from secure software, protecting it from physical, unauthenticated |
| 76 | accesses and from non-secure software accesses. |
| 77 | |
| 78 | TBBR FWU - Firmware Recovery |
| 79 | **************************** |
| 80 | |
| 81 | Threats to be Mitigated by the Boot Firmware |
| 82 | -------------------------------------------- |
| 83 | |
| 84 | The following table analyses the :ref:`Boot Firmware Threats` in the context |
| 85 | of this threat model. Only additional details are pointed out. |
| 86 | |
| 87 | +----+-------------+-------------------------------------------------------+ |
| 88 | | ID | Applicable? | Comments | |
| 89 | +====+=============+=======================================================+ |
| 90 | | 01 | Yes | | Attacker can use arbitrary images to recover the | |
| 91 | | | | system. | |
| 92 | +----+-------------+-------------------------------------------------------+ |
| 93 | | 02 | Yes | | Attacker tries to recover the system with the | |
| 94 | | | | vulnerable/older firmware. | |
| 95 | +----+-------------+-------------------------------------------------------+ |
| 96 | | 03 | Yes | | |
| 97 | +----+-------------+-------------------------------------------------------+ |
| 98 | | 04 | Yes | | |
| 99 | +----+-------------+-------------------------------------------------------+ |
| 100 | |
| 101 | -------------- |
| 102 | |
| 103 | *Copyright (c) 2024, Arm Limited. All rights reserved.* |