From 7ccefbca3b09679bb6803a4c4677d2e76ae895d3 Mon Sep 17 00:00:00 2001 From: Manish V Badarkhe Date: Mon, 3 Apr 2023 13:50:59 +0100 Subject: [PATCH] docs(threat-model): add a notes related to the Measured Boot TF-A currently does not have any TPM2 driver for extending measurements into a discrete TPM chip. In TPM-based attestation scheme, measurements are just stored into a TCG-compatible event log buffer in secure memory. In light of the fact that Event Log measurements are taken by BL1 and BL2, we need to trust these components to store genuine measurements, and the Generic Threat Model always mitigates against attacks on these components, therefore, there is no explicit document for the Measured Boot threat model at this time is needed. Change-Id: I41b037b2f5956d327b53cd834345e5aefdcfb5ef Signed-off-by: Manish V Badarkhe --- docs/global_substitutions.txt | 3 +++ docs/glossary.rst | 9 +++++++++ docs/threat_model/threat_model.rst | 28 +++++++++++++++++++++++++--- 3 files changed, 37 insertions(+), 3 deletions(-) diff --git a/docs/global_substitutions.txt b/docs/global_substitutions.txt index 0cf294665..9428fe97d 100644 --- a/docs/global_substitutions.txt +++ b/docs/global_substitutions.txt @@ -50,15 +50,18 @@ .. |SP| replace:: :term:`SP` .. |SPD| replace:: :term:`SPD` .. |SPM| replace:: :term:`SPM` +.. |SRTM| replace:: :term:`SRTM` .. |SSBS| replace:: :term:`SSBS` .. |SVE| replace:: :term:`SVE` .. |TBB| replace:: :term:`TBB` .. |TBBR| replace:: :term:`TBBR` +.. |TCG| replace:: :term:`TCG` .. |TEE| replace:: :term:`TEE` .. |TF-A| replace:: :term:`TF-A` .. |TF-M| replace:: :term:`TF-M` .. |TLB| replace:: :term:`TLB` .. |TLK| replace:: :term:`TLK` +.. |TPM| replace:: :term:`TPM` .. |TRNG| replace:: :term:`TRNG` .. |TSP| replace:: :term:`TSP` .. |TZC| replace:: :term:`TZC` diff --git a/docs/glossary.rst b/docs/glossary.rst index e6b023960..57fde2dad 100644 --- a/docs/glossary.rst +++ b/docs/glossary.rst @@ -187,6 +187,9 @@ You can find additional definitions in the `Arm Glossary`_. SPM Secure Partition Manager + SRTM + Static Root of Trust for Measurement + SSBS Speculative Store Bypass Safe. Introduced in Armv8.5, this configuration bit can be set by software to allow or prevent the hardware from @@ -204,6 +207,9 @@ You can find additional definitions in the `Arm Glossary`_. TCB Trusted Compute Base + TCG + Trusted Computing Group + TEE Trusted Execution Environment @@ -219,6 +225,9 @@ You can find additional definitions in the `Arm Glossary`_. TLK Trusted Little Kernel. A Trusted OS from NVIDIA. + TPM + Trusted Platform Module + TRNG True Randon Number Generator (hardware based) diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst index 940cad54f..71ec9b1e6 100644 --- a/docs/threat_model/threat_model.rst +++ b/docs/threat_model/threat_model.rst @@ -36,12 +36,34 @@ assumptions: - There is no Secure-EL2. We don't consider threats that may come with Secure-EL2 software. -- Measured boot is disabled. We do not consider the threats nor the mitigations - that may come with it. - - No experimental features are enabled. We do not consider threats that may come from them. +.. note:: + + In the current Measured Boot design, BL1, BL2, and BL31, as well as the + secure world components, form the |SRTM|. Measurement data is currently + considered an asset to be protected against attack, and this is achieved + by storing them in the Secure Memory. + Beyond the measurements stored inside the TCG-compliant Event Log buffer, + there are no other assets to protect or threats to defend against that + could compromise |TF-A| execution environment's security. + + There are general security assets and threats associated with remote/delegated + attestation. However, these are outside the |TF-A| security boundary and + should be dealt with by the appropriate agent in the platform/system. + Since current Measured Boot design does not use local attestation, there would + be no further assets to protect(like unsealed keys). + + A limitation of the current Measured Boot design is that it is dependent upon + Secure Boot as implementation of Measured Boot does not extend measurements + into a discrete |TPM|, where they would be securely stored and protected + against tampering. This implies that if Secure-Boot is compromised, Measured + Boot may also be compromised. + + Platforms must carefully evaluate the security of the default implementation + since the |SRTM| includes all secure world components. + Data Flow Diagram ================= -- 2.39.5