#######################################
Trusted Firmware-M Generic Threat Model
#######################################

************
Introduction
************

This document introduces a generic threat model of Trusted Firmware-M (TF-M).
This generic threat model provides an overall analysis of the TF-M
implementation and identifies general threats and their mitigations.

.. note::

   If you believe you have found a security vulnerability, please follow the
   Trustedfirmware.org [Security-Incident-Process]_ to contact the TF-M
   security team.

Scope
=====

TF-M supports diverse models and topologies. It also implements multiple
isolation levels. Each case may focus on a different target of evaluation (TOE)
and identify different assets and threats.
The TF-M implementation consists of several secure services, defined as
Root of Trust (RoT) services. Those RoT services belong to diverse RoTs
(Application RoT or PSA RoT) and access different assets and hardware.
Therefore, each RoT service may require a dedicated threat model.

The analysis of specific models, topologies or RoT services may be covered in
dedicated threat model documents. Those threat models are out of the scope of
this document.

Methodology
===========

The threat modeling in this document follows the process listed below to
build up the threat model.

- Target of Evaluation (TOE)
- Assets identification
- Data Flow Diagram (DFD)
- Threats Prioritization
- Threats identification

The TOE is the entity on which threat modeling is performed. The logic behind
this process is to first investigate the TOE, which could be a system, solution
or use case. This first step helps to identify the assets to be protected in
the TOE.

According to the TOE and assets, Trust Boundaries can be determined. The Data
Flow Diagram (DFD) across Trust Boundaries is then defined to help identify the
threats.

Those threats should be prioritized based on a specific group of principles and
metrics. The principles and metrics should also be specified.

********************
Target of Evaluation
********************

A typical TF-M system diagram from a high-level overview is shown below. TF-M
runs in the Secure Processing Environment (SPE) and NS software runs in the
Non-secure Processing Environment (NSPE). For more details, please refer to
Platform Security Architecture Firmware Framework for M (FF-M) [FF-M]_ and
FF-M 1.1 Extensions [FF-M 1.1 Extensions]_.

.. figure:: TF-M-block-diagram.png

The TOE in this general model is the SPE, including TF-M and other components
running in the SPE.

The TOE can vary in different TF-M models, RoT services and usage scenarios.
Refer to the dedicated threat models for the specific TOE definitions.

********************
Asset identification
********************

In this threat model, assets include the general items listed below:

- Hardware Root of Trust data, e.g.

  - Hardware Unique Key (HUK)
  - Root authentication key
  - Other embedded root keys

- Software RoT data, e.g.

  - Secure Partition Manager (SPM) code and data
  - Secure partition code and data
  - NSPE data stored in SPE
  - Data generated in SPE as requested by NSPE

- Availability of the entire RoT service

- Secure logs, including event logs

Assets may vary in different use cases and implementations. Additional assets
can be defined in an actual usage scenario and a dedicated threat model.

For example, in a network camera use case, the following data can also be
defined as assets:

- Certificate for connecting to the cloud
- Session keys for encryption/decryption in the communication with the cloud
- Keys to encrypt/decrypt the videos and photos

109Data Flow Diagram
110*****************
111
112The Trust Boundary isolates SPE from NSPE, according to the TOE definition in
113`Target of Evaluation`_. The Trust Boundary mapped to block diagram is shown
114in the figure below. Other modules inside SPE stay in the same TOE as TF-M does.
115
116Valid Data flows across the Trust Boundary are also shown in the figure below.
shejia0144764cb2021-05-26 16:48:06 +0800117This threat model only focuses on the data flows related to TF-M.
David Hudb067eb2020-09-18 09:55:11 +0800118
119.. figure:: overall-DFD.png
120
121More details of data flows are listed below.
122
123.. _data-flow-table:
124
125.. table:: TF-M Data Flows between NSPE and SPE
126
127 +-----------+----------------------------------------------------------------+
128 | Data flow | Description |
129 +===========+================================================================+
130 | ``DF1`` | TF-M initializes NS entry and activates NSPE. |
131 | | |
132 | | - On single Armv8-M core platforms, TF-M will hand over the |
133 | | control to Non-secure state. |
134 | | - On dual-cpu platforms, Secure core starts NS core booting. |
135 +-----------+----------------------------------------------------------------+
136 | ``DF2`` | NSPE requests TF-M RoT services. |
137 | | |
138 | | - In TF-M Library model, NS invokes Secure Function calls |
139 | | - In TF-M IPC model, NS invokes PSA Client calls based on IPC |
140 | | protocol defined in [FF-M]_. |
141 | | |
142 | | In single Armv8-M core scenarios, SG instruction is executed |
143 | | in Non-secure Callable region to trigger a transition from |
144 | | Non-secure state to Secure state. |
145 | | |
146 | | On dual-cpu platforms, non-secure core sends PSA Client calls |
147 | | to secure core via mailbox. |
148 +-----------+----------------------------------------------------------------+
149 | ``DF3`` | Secure Partitions fetch input data from NS and write back |
150 | | output data to NS. |
151 | | |
152 | | In TF-M IPC model, as required in [FF-M]_, Secure Partitions |
153 | | should not directly access NSPE memory. Instead, RoT services |
154 | | relies on TF-M SPM to access NSPE memory. |
155 +-----------+----------------------------------------------------------------+
156 | ``DF4`` | TF-M returns RoT service results to NSPE after NS request to |
157 | | RoT service is completed. |
158 | | |
159 | | In single Armv8-M core scenarios, it also trigger a transition |
160 | | from Secure state back to Non-secure state. |
161 | | |
162 | | On dual-cpu platforms, secure core returns the result to |
163 | | non-secure core via mailbox. |
164 +-----------+----------------------------------------------------------------+
165 | ``DF5`` | Non-secure interrupts preempt SPE execution in single Armv8-M |
166 | | core scenarios. |
167 +-----------+----------------------------------------------------------------+
168 | ``DF6`` | Secure interrupts preempt NSPE execution in single Armv8-M |
169 | | core scenarios. |
170 +-----------+----------------------------------------------------------------+
171
172.. note::
173
174 All the other data flows across the Trusted Boundary besides the valid ones
175 mentioned above should be prohibited by default.
176 Proper isolation must be configured to prevent NSPE directly accessing SPE.
177
178 Threats irrelevant to data flows in
179 :ref:`TF-M Data Flows between NSPE and SPE <data-flow-table>` may be specified
180 in `Miscellaneous threats`_.
181
182Data flows inside SPE (informative)
183===================================
184
185Since all the SPE components stay in the TOE within the same Trust Boundary in
186this threat model, the data flows between SPE components are not covered in this
187threat model. Instead, those data flows and corresponding threats will be
188identified in the dedicated threat model documents of TF-M RoT services and
189usage scenarios.
190
191Those data flows inside SPE include following examples:
192
193- Data flows between TF-M and BL2
194- Data flows between RoT services and SPM
195- Data flows between RoT services and corresponding secure hardware and assets,
196 such as secure storage device, crypto hardware accelerator and Hardware Unique
197 Key (HUK).
198
199*********************
200Threat identification
201*********************
202
203Threat priority
204===============
205
206Threat priority is indicated by the score calculated via Common Vulnerability
207Scoring System (CVSS) Version 3.1 [CVSS]_. The higher the threat scores, the
208greater severity the threat is with and the higher the priority is.
209
210CVSS scores can be mapped to qualitative severity ratings defined in CVSS 3.1
211specification [CVSS_SPEC]_. This threat model follows the same mapping between
212CVSS scores and threat priority rating.
213
214As a generic threat model, this document focuses on *Base Score* which reflects
215the constant and general severity of a threat according to its intrinsic
216characteristics.
217
218The *Impacted Component* defined in [CVSS_SPEC]_ refers to the assets listed in
219`Asset identification`_.
220
221Threats and mitigation list
222===========================
223
224This section lists generic threats and corresponding mitigation, based on the
225the analysis of data flows in `Data Flow Diagram`_.
226
227Threats are identified following ``STRIDE`` model. Please refer to [STRIDE]_ for
228more details.
229
230The field ``CVSS Score`` reflects the threat priority defined in
231`Threat priority`_. The field ``CVSS Vector String`` contains the textual
232representation of the CVSS metric values used to score the threat. Refer to
233[CVSS_SPEC]_ for more details of CVSS vector string.
234
235.. note::
236
237 A generic threat may have different behaviors and therefore require different
238 mitigation, in diverse TF-M models and usage scenarios.
239
240 This threat model document focuses on general analysis of the following
241 threats. For the details in a specific configuration and usage scenario,
242 please refer to the dedicated threat model document.
243
244NS entry initialization
245-----------------------
246
247This section identifies threats on ``DF1`` defined in `Data Flow Diagram`_.
248
249.. table:: TFM-GENERIC-NS-INIT-T-1
250 :widths: 10 50
251
252 +---------------+------------------------------------------------------------+
253 | Index | **TFM-GENERIC-NS-INIT-T-1** |
254 +---------------+------------------------------------------------------------+
255 | Description | The NS image can be tampered by an attacker |
256 +---------------+------------------------------------------------------------+
257 | Justification | An attack may tamper the NS image to inject malicious code |
258 +---------------+------------------------------------------------------------+
259 | Category | Tampering |
260 +---------------+------------------------------------------------------------+
261 | Mitigation | By default TF-M relies on MCUBoot to validate NS image. |
262 | | The validation of NS image integrity and authenticity is |
263 | | completed in secure boot before jumping to NS entry or |
264 | | booting up NS core. |
265 | | Refer to [SECURE-BOOT]_ for more details. |
266 | | |
267 | | The validation may vary in diverse vendor platforms |
268 | | specific Chain of Trust (CoT) implementation. |
269 +---------------+------------------------------------------------------------+
270 | CVSS Score | 3.5 (Low) |
271 +---------------+------------------------------------------------------------+
272 | CVSS Vector | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
273 | String | |
274 +---------------+------------------------------------------------------------+
275
276.. table:: TFM-GENERIC-NS-INIT-T-2
277 :widths: 10 50
278
279 +---------------+------------------------------------------------------------+
280 | Index | **TFM-GENERIC-NS-INIT-T-2** |
281 +---------------+------------------------------------------------------------+
282 | Description | An attacker may replace the current NS image with an older |
283 | | version. |
284 +---------------+------------------------------------------------------------+
285 | Justification | The attacker downgrades the NS image with an older version |
286 | | which has been deprecated due to known security issues. |
287 | | |
288 | | The older version image can pass the image signature |
289 | | validation and its vulnerabilities can be exploited by |
290 | | attackers. |
291 +---------------+------------------------------------------------------------+
292 | Category | Tampering |
293 +---------------+------------------------------------------------------------+
294 | Mitigation | TF-M relies on MCUBoot to perform anti-rollback |
295 | | protection. |
296 | | |
297 | | TF-M defines a non-volatile counter API to support |
298 | | anti-rollback. Each platform must implement it using |
299 | | specific trusted hardware non-volatile counters. |
300 | | For more details, refer to [ROLLBACK-PROTECT]_. |
301 | | |
302 | | The anti-rollback protection implementation can vary on |
303 | | diverse platforms. |
304 +---------------+------------------------------------------------------------+
305 | CVSS Score | 3.5 (Low) |
306 +---------------+------------------------------------------------------------+
307 | CVSS Vector | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
308 | String | |
309 +---------------+------------------------------------------------------------+
310
311.. table:: TFM-GENERIC-NS-INIT-T-I-1
312 :widths: 10 50
313
314 +---------------+------------------------------------------------------------+
315 | Index | **TFM-GENERIC-NS-INIT-T-I-1** |
316 +---------------+------------------------------------------------------------+
317 | Description | If SPE doesn't complete isolation configuration before |
318 | | NSPE starts, NSPE can access secure regions which it is |
319 | | disallowed to. |
320 +---------------+------------------------------------------------------------+
321 | Justification | Secure data can be tampered or disclosed if NSPE is |
322 | | activated and accesses secure regions before isolation |
323 | | configuration is completed by SPE. |
324 +---------------+------------------------------------------------------------+
325 | Category | Tampering/Information disclosure |
326 +---------------+------------------------------------------------------------+
327 | Mitigation | SPE must complete and enable proper isolation to protect |
328 | | secure regions from being accessed by NSPE, before jumping |
329 | | to NS entry or booting up NS core. |
330 | | |
331 | | TF-M executes isolation configuration at early stage of |
332 | | secure initialization before NS initialization starts. |
333 | | |
334 | | On dual-cpu platform, platform specific initialization |
335 | | must halt NS core until isolation is completed, as defined |
336 | | in [DUAL-CPU-BOOT]_. |
337 | | |
338 | | TF-M defines isolation configuration HALs for platform |
339 | | implementation. The specific isolation configuration |
340 | | depends on platform specific implementation. |
341 +---------------+------------------------------------------------------------+
342 | CVSS Score | 9.0 (Critical) |
343 +---------------+------------------------------------------------------------+
344 | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
345 | String | |
346 +---------------+------------------------------------------------------------+
347
348.. table:: TFM-GENERIC-NS-INIT-T-I-2
349 :widths: 10 50
350
351 +---------------+------------------------------------------------------------+
352 | Index | **TFM-GENERIC-NS-INIT-T-I-2** |
353 +---------------+------------------------------------------------------------+
354 | Description | If SPE doesn't complete isolation configuration before |
355 | | NSPE starts, NSPE can control devices or peripherals which |
356 | | it is disallowed to. |
357 +---------------+------------------------------------------------------------+
358 | Justification | On some platforms, devices and peripherals can be |
359 | | configured as Secure state in runtime. If security status |
360 | | configuration of those device and peripherals are not |
361 | | properly completed before NSPE starts, NSPE can control |
362 | | those device and peripherals and may be able to tamper |
363 | | data or access secure data. |
364 +---------------+------------------------------------------------------------+
365 | Category | Tampering/Information disclosure |
366 +---------------+------------------------------------------------------------+
367 | Mitigation | SPE must complete and enable proper configuration and |
368 | | isolation to protect critical devices and peripherals from |
369 | | being accessed by NSPE, before jumping to NS entry or |
370 | | booting up NS core. |
371 | | |
372 | | TF-M executes isolation configuration of devices and |
373 | | peripherals at early stage of secure initialization before |
374 | | NS initialization starts. |
375 | | |
376 | | The specific isolation configuration depends on platform |
377 | | specific implementation. |
378 +---------------+------------------------------------------------------------+
379 | CVSS Score | 9.0 (Critical) |
380 +---------------+------------------------------------------------------------+
381 | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
382 | String | |
383 +---------------+------------------------------------------------------------+
384
385.. table:: TFM-GENERIC-NS-INIT-I-2
386 :widths: 10 50
387
388 +---------------+------------------------------------------------------------+
389 | Index | **TFM-GENERIC-NS-INIT-I-2** |
390 +---------------+------------------------------------------------------------+
391 | Description | If SPE leaves some SPE information in non-secure memory |
392 | | or shared registers when NSPE starts, NSPE may access |
393 | | those SPE information. |
394 +---------------+------------------------------------------------------------+
395 | Justification | If NSPE can access those SPE information from shared |
396 | | registers or non-secure memory, secure information may be |
397 | | disclosed. |
398 +---------------+------------------------------------------------------------+
399 | Category | Information disclosure |
400 +---------------+------------------------------------------------------------+
401 | Mitigation | SPE must clean up the secure information from shared |
402 | | registers before NS starts. |
403 | | |
404 | | TF-M invalidates registers not banked before handing over |
405 | | the system to NSPE on single Armv8-M platform. |
406 | | |
407 | | On dual-cpu platforms, shared registers are implementation |
408 | | defined, such as Inter-Processor Communication registers. |
409 | | Dual-cpu platforms must not store any data which may |
410 | | disclose secure information in the shared registers. |
411 | | |
412 | | SPE must avoid storing SPE information in non-secure |
413 | | memory. |
414 +---------------+------------------------------------------------------------+
415 | CVSS Score | 4.3 (Medium) |
416 +---------------+------------------------------------------------------------+
417 | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
418 | String | |
419 +---------------+------------------------------------------------------------+
420
421.. table:: TFM-GENERIC-NS-INIT-D-1
422 :widths: 10 50
423
424 +---------------+------------------------------------------------------------+
425 | Index | **TFM-GENERIC-NS-INIT-D-1** |
426 +---------------+------------------------------------------------------------+
427 | Description | An attacker may block NS to boot up |
428 +---------------+------------------------------------------------------------+
429 | Justification | An attacker may block NS to boot up, such as by corrupting |
430 | | NS image, to stop the whole system from performing normal |
431 | | functionalities. |
432 +---------------+------------------------------------------------------------+
433 | Category | Denial of service |
434 +---------------+------------------------------------------------------------+
435 | Mitigation | No SPE information will be disclosed and TF-M won't be |
436 | | directly impacted. |
437 | | |
438 | | It relies on NSPE and platform specific implementation to |
439 | | mitigate this threat. It is out of scope of this threat |
440 | | model. |
441 +---------------+------------------------------------------------------------+
442 | CVSS Score | 4.0 (Medium) |
443 +---------------+------------------------------------------------------------+
444 | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
445 | String | |
446 +---------------+------------------------------------------------------------+
447
448NSPE requests TF-M secure service
449---------------------------------
450
451This section identifies threats on ``DF2`` defined in `Data Flow Diagram`_.
452
453.. table:: TFM-GENERIC-REQUEST-SERVICE-S-1
454 :widths: 10 50
455
456 +---------------+------------------------------------------------------------+
457 | Index | **TFM-GENERIC-REQUEST-SERVICE-S-1** |
458 +---------------+------------------------------------------------------------+
459 | Description | A malicious NS application may pretend as a secure client |
460 | | to access secure data which NSPE must not directly access. |
461 +---------------+------------------------------------------------------------+
462 | Justification | [FF-M]_ defines ``Client ID`` to distinguish clients which |
463 | | request RoT services. Secure clients are assigned with |
464 | | positive IDs and non-secure clients are assigned with |
465 | | negative ones. |
466 | | |
467 | | A malicious NS application may provide a positive |
468 | | ``Client ID`` to pretend as a secure client to access |
469 | | secure data. |
470 +---------------+------------------------------------------------------------+
471 | Category | Spoofing |
472 +---------------+------------------------------------------------------------+
473 | Mitigation | TF-M checks the ``Client ID`` from NSPE. If the NS |
474 | | ``Client ID`` is not a valid one, TF-M will report this as |
475 | | a security error. |
476 +---------------+------------------------------------------------------------+
477 | CVSS Score | 8.4 (High) |
478 +---------------+------------------------------------------------------------+
479 | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
480 | String | |
481 +---------------+------------------------------------------------------------+
482
483.. table:: TFM-GENERIC-REQUEST-SERVICE-T-1
484 :widths: 10 50
485
486 +---------------+------------------------------------------------------------+
487 | Index | **TFM-GENERIC-REQUEST-SERVICE-T-1** |
488 +---------------+------------------------------------------------------------+
489 | Description | An attacker in NSPE may tamper the service request input |
490 | | or output vectors between check and use |
491 | | (Time-Of-Check-to-Time-Of-Use (TOCTOU)). |
492 +---------------+------------------------------------------------------------+
493 | Justification | If SPE validates the content in input/output vectors |
494 | | locally in NSPE memory, an attacker in NSPE can have a |
495 | | chance to tamper the content after the validation |
496 | | successfully passes. Then SPE will provide RoT service |
497 | | according to the corrupted parameters and it may cause |
498 | | further security issues. |
499 +---------------+------------------------------------------------------------+
500 | Category | Tampering |
501 +---------------+------------------------------------------------------------+
502 | Mitigation | In TF-M implementation, the validation of NS input/output |
503 | | vectors are only executed after those vectors are copied |
504 | | from NSPE into SPE. It prevents an attack from NSPE to |
505 | | tamper those parameters after validation in TF-M. |
506 +---------------+------------------------------------------------------------+
507 | CVSS Score | 7.8 (High) |
508 +---------------+------------------------------------------------------------+
509 | CVSS Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
510 | String | |
511 +---------------+------------------------------------------------------------+
512
513.. table:: TFM-GENERIC-REQUEST-SERVICE-T-2
514 :widths: 10 50
515
516 +---------------+------------------------------------------------------------+
517 | Index | **TFM-GENERIC-REQUEST-SERVICE-T-2** |
518 +---------------+------------------------------------------------------------+
519 | Description | A malicious NS application may request to tamper data |
520 | | belonging to SPE. |
521 +---------------+------------------------------------------------------------+
522 | Justification | A malicious NS application may request SPE RoT services to |
523 | | write malicious value to SPE data. The malicious NS |
524 | | application may try to tamper SPE assets, such as keys, or |
525 | | modify configurations in SPE. The SPE data belongs to |
526 | | components in SPE and must not be accessed by NSPE. |
527 +---------------+------------------------------------------------------------+
528 | Category | Tampering |
529 +---------------+------------------------------------------------------------+
530 | Mitigation | TF-M executes memory access check to all the RoT service |
531 | | requests. If a request doesn't have enough permission to |
532 | | access the target memory region, TF-M will refuse this |
533 | | request and assert a security error. |
534 +---------------+------------------------------------------------------------+
535 | CVSS Score | 7.1 (High) |
536 +---------------+------------------------------------------------------------+
537 | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
538 | String | |
539 +---------------+------------------------------------------------------------+
540
541.. table:: TFM-GENERIC-REQUEST-SERVICE-R-1
542 :widths: 10 50
543
544 +---------------+------------------------------------------------------------+
545 | Index | **TFM-GENERIC-REQUEST-SERVICE-R-1** |
546 +---------------+------------------------------------------------------------+
547 | Description | A NS application may repudiate that it has requested |
548 | | services from a RoT service. |
549 +---------------+------------------------------------------------------------+
550 | Justification | A malicious NS application may call a RoT service to |
551 | | access critical data in SPE, which it is disallowed to, |
552 | | via a non-public vulnerability. It may refuse to admit |
553 | | that it has accessed that data. |
554 +---------------+------------------------------------------------------------+
555 | Category | Repudiation |
556 +---------------+------------------------------------------------------------+
557 | Mitigation | TF-M implements an event logging secure service to record |
558 | | the critical events, such as the access to critical data. |
559 +---------------+------------------------------------------------------------+
560 | CVSS Score | 0.0 (None) |
561 +---------------+------------------------------------------------------------+
562 | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N |
563 | String | |
564 +---------------+------------------------------------------------------------+
565
566.. table:: TFM-GENERIC-REQUEST-SERVICE-I-1
567 :widths: 10 50
568
569 +---------------+------------------------------------------------------------+
570 | Index | **TFM-GENERIC-REQUEST-SERVICE-I-1** |
571 +---------------+------------------------------------------------------------+
572 | Description | A malicious NS application may request to read data |
573 | | belonging to SPE. |
574 +---------------+------------------------------------------------------------+
575 | Justification | A malicious NS application may request SPE RoT services to |
576 | | copy SPE data to NS memory. The SPE data belongs to |
577 | | components in SPE and must not be disclosed to NSPE, such |
578 | | as root keys. |
579 +---------------+------------------------------------------------------------+
580 | Category | Information disclosure |
581 +---------------+------------------------------------------------------------+
582 | Mitigation | TF-M executes memory access check to all the RoT service |
583 | | requests. If a request doesn't have enough permission to |
584 | | access the target memory region, TF-M will refuse this |
585 | | request and assert a security error. |
586 +---------------+------------------------------------------------------------+
587 | CVSS Score | 7.1 (High) |
588 +---------------+------------------------------------------------------------+
589 | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
590 | String | |
591 +---------------+------------------------------------------------------------+
592
593.. table:: TFM-GENERIC-REQUEST-SERVICE-T-I-1
594 :widths: 10 50
595
596 +---------------+------------------------------------------------------------+
597 | Index | **TFM-GENERIC-REQUEST-SERVICE-T-I-1** |
598 +---------------+------------------------------------------------------------+
599 | Description | A malicious NS application may request to control secure |
600 | | device and peripherals, on which it doesn't have the |
601 | | permission. |
602 +---------------+------------------------------------------------------------+
603 | Justification | A malicious NS application may request RoT services to |
604 | | control secure device and peripherals, on which it doesn't |
605 | | have the permission. |
606 +---------------+------------------------------------------------------------+
607 | Category | Tampering/Information disclose |
608 +---------------+------------------------------------------------------------+
609 | Mitigation | TF-M performs client check to validate whether the client |
610 | | has the permission to access the secure device and |
611 | | peripherals. |
612 +---------------+------------------------------------------------------------+
613 | CVSS Score | 9.0 (Critical) |
614 +---------------+------------------------------------------------------------+
615 | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
616 | String | |
617 +---------------+------------------------------------------------------------+
618
.. table:: TFM-GENERIC-REQUEST-SERVICE-D-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-REQUEST-SERVICE-D-1**                        |
  +---------------+------------------------------------------------------------+
  | Description   | A malicious NS application may frequently call secure      |
  |               | services to block secure service requests from other NS    |
  |               | applications.                                              |
  +---------------+------------------------------------------------------------+
  | Justification | TF-M runs on IoT devices with constrained resources. Even  |
  |               | though multiple outstanding NS PSA Client calls can be     |
  |               | supported in the system, the number of NS PSA Client calls |
  |               | served by TF-M simultaneously is still limited.            |
  |               |                                                            |
  |               | Therefore, if one or more malicious NS applications keep   |
  |               | calling TF-M secure services frequently, they may block    |
  |               | other NS applications from requesting secure services from |
  |               | TF-M.                                                      |
  +---------------+------------------------------------------------------------+
  | Category      | Denial of service                                          |
  +---------------+------------------------------------------------------------+
  | Mitigation    | TF-M is unable to manage the behavior of NS applications.  |
  |               | Assets are not disclosed and TF-M is not directly          |
  |               | impacted by this threat.                                   |
  |               |                                                            |
  |               | It relies on the NS OS to enhance its scheduling policy    |
  |               | and prevent a single NS application from occupying the     |
  |               | entire CPU time. This is beyond the scope of this threat   |
  |               | model.                                                     |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 4.0 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-REQUEST-SERVICE-D-2
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-REQUEST-SERVICE-D-2**                        |
  +---------------+------------------------------------------------------------+
  | Description   | A malicious NS application may provide invalid NS memory   |
  |               | addresses as the addresses of input and output data in RoT |
  |               | service requests.                                          |
  +---------------+------------------------------------------------------------+
  | Justification | SPE may be unable to achieve full knowledge of the NS      |
  |               | memory mapping. SPE may then fail to catch those invalid   |
  |               | NS memory addresses during the memory access check, since  |
  |               | those addresses may not be covered by the isolation        |
  |               | configuration.                                             |
  |               |                                                            |
  |               | In that case, SPE will later access those invalid NS       |
  |               | memory addresses to read or write data, which may trigger  |
  |               | a system error and crash the whole system immediately.     |
  |               |                                                            |
  |               | The malicious NS application may be blocked by the NS MPU  |
  |               | from directly accessing that invalid NS memory address,    |
  |               | but it may manipulate SPE into accessing that address      |
  |               | instead.                                                   |
  +---------------+------------------------------------------------------------+
  | Category      | Denial of service                                          |
  +---------------+------------------------------------------------------------+
  | Mitigation    | TF-M executes a memory access check on the memory          |
  |               | addresses in all NS requests.                              |
  |               |                                                            |
  |               | On single Armv8-M core platforms, TF-M invokes ``TT``      |
  |               | instructions to execute the memory address check. If a NS  |
  |               | memory area does not match any valid SAU or MPU region,    |
  |               | it is marked as invalid and all access permissions are     |
  |               | disallowed. Therefore, SPM rejects any NS request          |
  |               | containing invalid NS memory addresses and reports it as a |
  |               | security error.                                            |
  |               |                                                            |
  |               | On dual-core platforms, TF-M implements a default memory   |
  |               | access check. If a NS memory area is not found in any      |
  |               | memory region configured for isolation, it is marked as    |
  |               | invalid and SPM rejects the corresponding NS request and   |
  |               | reports it as a security error.                            |
  |               |                                                            |
  |               | Dual-core platforms may implement a platform specific      |
  |               | memory check to replace the default one. It then relies on |
  |               | the platform specific implementation to catch invalid      |
  |               | memory addresses. That is out of the scope of this         |
  |               | document.                                                  |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 3.2 (Low)                                                  |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

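The default memory access check described in the mitigation above, as an added example written for this document rather than TF-M's own implementation: it models the dual-core path, where a NS buffer is accepted only if it lies wholly inside one region configured for isolation that grants the rights the request needs, and everything else is rejected. The region table, the ``NS_ACCESS_*`` names and ``ns_mem_check`` are constructed for the example; the ``TT``-instruction path of single-core Armv8-M is not modelled. The check also covers the two edge cases a reviewer looks for first: a length that wraps around the end of the address space, and a buffer that straddles two regions.

```c
#include <stdint.h>
#include <stddef.h>

/* Access rights a request may need on a buffer. Constructed names, not TF-M's. */
#define NS_ACCESS_READ   (1u << 0)
#define NS_ACCESS_WRITE  (1u << 1)

/* One memory region configured for isolation as NS-accessible. */
struct ns_region {
    uintptr_t base;    /* first byte of the region */
    uintptr_t limit;   /* last byte of the region (inclusive) */
    uint32_t  access;  /* NS_ACCESS_* bits granted to NSPE */
};

/* Constructed layout for the example; a real platform derives this table
 * from its isolation (SAU/MPU/MPC) configuration. */
static const struct ns_region ns_regions[] = {
    { 0x20000000u, 0x2001FFFFu, NS_ACCESS_READ | NS_ACCESS_WRITE }, /* NS data SRAM */
    { 0x08000000u, 0x0807FFFFu, NS_ACCESS_READ },                   /* NS code flash */
};

#define NS_REGION_COUNT (sizeof ns_regions / sizeof ns_regions[0])

enum mem_check_result {
    MEM_CHECK_OK      = 0,
    MEM_CHECK_INVALID = -1   /* SPM rejects the request and reports a security error */
};

/*
 * Check that the buffer [base, base + size) named in a NS request lies
 * wholly inside one region configured for NS access with every right in
 * `access`. Anything not matched by a region is invalid, which is what
 * keeps SPE from dereferencing an address it knows nothing about.
 */
int ns_mem_check(uintptr_t base, size_t size, uint32_t access)
{
    uintptr_t limit;
    size_t i;

    /* A zero-length buffer has nothing to access; FF-M permits it. */
    if (size == 0) {
        return MEM_CHECK_OK;
    }
    /* Reject ranges that wrap around the top of the address space; a naive
     * base + size would otherwise produce a small, plausible-looking limit. */
    if ((uintptr_t)(size - 1) > UINTPTR_MAX - base) {
        return MEM_CHECK_INVALID;
    }
    limit = base + (uintptr_t)(size - 1);

    for (i = 0; i < NS_REGION_COUNT; i++) {
        const struct ns_region *r = &ns_regions[i];
        if (base >= r->base && limit <= r->limit) {
            /* Region found; it must grant every requested right. */
            return ((r->access & access) == access) ? MEM_CHECK_OK
                                                     : MEM_CHECK_INVALID;
        }
    }
    /* Straddles two regions or lies outside all of them. */
    return MEM_CHECK_INVALID;
}
```

Because every miss falls through to ``MEM_CHECK_INVALID``, an address the isolation configuration never mentions is rejected before SPE dereferences it, which is the property the table above relies on. Treating a buffer that straddles two adjacent regions as invalid is the conservative choice; a platform whose regions are contiguous with identical rights could merge them in the table instead.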
RoT services read and write NS data
-----------------------------------

This section identifies threats on ``DF3`` defined in `Data Flow Diagram`_.

In the Library model, RoT services directly read and write NS memory to
simplify the implementation and decrease latency.

In the TF-M IPC model, RoT services can either directly access NS memory or
rely on TF-M SPM to obtain NS input data and send response data back to NS
memory.

.. _TFM-GENERIC-SECURE-SERVICE-RW-T-1:

.. table:: TFM-GENERIC-SECURE-SERVICE-RW-T-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-SECURE-SERVICE-RW-T-1**                      |
  +---------------+------------------------------------------------------------+
  | Description   | An attacker may tamper with NS input data while the RoT    |
  |               | service is processing it.                                  |
  +---------------+------------------------------------------------------------+
  | Justification | A RoT service may access NS input data multiple times      |
  |               | during its data processing. For example, it may validate   |
  |               | or authenticate the NS input data before it performs       |
  |               | further processing.                                        |
  |               |                                                            |
  |               | If the NS input data remains in NSPE memory during the RoT |
  |               | service execution, an attacker may tamper with the NS      |
  |               | input data in NSPE memory after the validation passes.     |
  +---------------+------------------------------------------------------------+
  | Category      | Tampering                                                  |
  +---------------+------------------------------------------------------------+
  | Mitigation    | In the TF-M IPC model, if RoT services request SPM to read |
  |               | and write NS data, TF-M SPM follows [FF-M]_ to copy the NS |
  |               | input data into an SPE memory region owned by the RoT      |
  |               | service before the RoT service processes the data.         |
  |               | Therefore, the NS input data is protected from tampering   |
  |               | during the RoT service execution.                          |
  |               |                                                            |
  |               | If RoT services can directly access NS memory and read NS  |
  |               | input data multiple times during data processing, it is    |
  |               | required to review and confirm that the implementation of  |
  |               | the RoT service copies NS input data into an SPE memory    |
  |               | area before it processes the data.                         |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 3.2 (Low)                                                  |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

.. _TFM-GENERIC-SECURE-SERVICE-RW-T-2:

.. table:: TFM-GENERIC-SECURE-SERVICE-RW-T-2
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-SECURE-SERVICE-RW-T-2**                      |
  +---------------+------------------------------------------------------------+
  | Description   | A malicious NS application may embed secure memory         |
  |               | addresses into a structure in RoT service request input    |
  |               | vectors, to tamper with secure memory which the NS         |
  |               | application must not access.                               |
  +---------------+------------------------------------------------------------+
  | Justification | [FF-M]_ limits the total number of input/output vectors to |
  |               | 4. If a RoT service requires more input/output vectors, it |
  |               | may define a parameter structure which embeds multiple     |
  |               | input/output buffer addresses.                             |
  |               |                                                            |
  |               | However, as a potential security risk, a malicious NS      |
  |               | application can put secure memory addresses into a valid   |
  |               | parameter structure to bypass TF-M validation of those     |
  |               | memory addresses.                                          |
  |               |                                                            |
  |               | The parameter structure passes the TF-M memory access      |
  |               | check since the structure itself is valid. However, if the |
  |               | RoT service parses the structure and directly writes       |
  |               | malicious data from NSPE to the secure memory addresses in |
  |               | the parameter structure, the secure data is tampered.      |
  +---------------+------------------------------------------------------------+
  | Category      | Tampering                                                  |
  +---------------+------------------------------------------------------------+
  | Mitigation    | Embedding memory addresses into a single input/output      |
  |               | vector should be avoided. If more than 4 memory addresses  |
  |               | are required in a RoT service request, it is recommended   |
  |               | to split the request into two or more service calls so     |
  |               | that each service call requires no more than 4             |
  |               | input/output vectors.                                      |
  |               |                                                            |
  |               | In the TF-M IPC model, if RoT services request SPM to read |
  |               | and write NS data, SPM validates the target addresses and  |
  |               | can detect the invalid addresses to mitigate this threat.  |
  |               |                                                            |
  |               | If RoT services can directly access NS memory, it is       |
  |               | required to review and confirm that the RoT service        |
  |               | request implementation does not embed memory addresses.    |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 7.1 (High)                                                 |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-SECURE-SERVICE-RW-I-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-SECURE-SERVICE-RW-I-1**                      |
  +---------------+------------------------------------------------------------+
  | Description   | Similar to TFM-GENERIC-SECURE-SERVICE-RW-T-2_, a malicious |
  |               | NS application can embed secure memory addresses in a      |
  |               | parameter structure in RoT service request input vectors,  |
  |               | to read secure data which the NS application must not      |
  |               | access.                                                    |
  +---------------+------------------------------------------------------------+
  | Justification | Similar to the description in                              |
  |               | TFM-GENERIC-SECURE-SERVICE-RW-T-2_, the secure memory      |
  |               | addresses hidden in the RoT service input/output vector    |
  |               | structure may bypass TF-M validation. Without a proper     |
  |               | check, the RoT service may copy secure data to NSPE        |
  |               | according to the secure memory addresses in the structure, |
  |               | and secure information can be disclosed.                   |
  +---------------+------------------------------------------------------------+
  | Category      | Information disclosure                                     |
  +---------------+------------------------------------------------------------+
  | Mitigation    | Embedding memory addresses into a single input/output      |
  |               | vector should be avoided. If more than 4 memory addresses  |
  |               | are required in a RoT service request, it is recommended   |
  |               | to split the request into two or more service calls so     |
  |               | that each service call requires no more than 4             |
  |               | input/output vectors.                                      |
  |               |                                                            |
  |               | In the TF-M IPC model, if RoT services request SPM to read |
  |               | and write NS data, SPM validates the target addresses and  |
  |               | can detect the invalid addresses to mitigate this threat.  |
  |               |                                                            |
  |               | If RoT services can directly access NS memory, it is       |
  |               | required to review and confirm that the RoT service        |
  |               | request implementation does not embed memory addresses.    |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 7.1 (High)                                                 |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

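The three threats in this section share one handling rule for NS input: copy it into partition-owned memory, validate the copy, and use only the copy, with the request structure carrying lengths and offsets bounded by that copy rather than raw addresses. The following C example, added for this document and not taken from TF-M or from any RoT service, contrasts the re-read pattern of TFM-GENERIC-SECURE-SERVICE-RW-T-1_ with the copy-then-validate pattern; ``struct req_hdr``, the ``service_*`` functions, the ``demo_*`` helpers and the ``ns_race_hook`` that stands in for NS code running between check and use are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of an RoT service request as the NS application lays it
 * out in NS memory. The header carries only a length and an offset, never an
 * address: the payload sits right behind the header in the NS buffer SPM has
 * already validated, and the field to process is located relative to the
 * payload. Names are this example's own, not TF-M's. */
struct req_hdr {
    uint32_t magic;        /* constructed tag, catches obviously wrong input */
    uint32_t payload_len;  /* bytes of payload following the header */
    uint32_t field_off;    /* offset of the field to process, within payload */
    uint32_t field_len;    /* length of that field */
};

#define REQ_MAGIC    0x31514552u  /* "REQ1", constructed */
#define SP_BUF_SIZE  64u          /* partition-owned scratch buffer, constructed */

enum {
    SVC_OK             = 0,
    SVC_BAD_INPUT      = -1,  /* request rejected before any data is used */
    SVC_BOUND_VIOLATED = -2   /* second read exceeded the validated bound */
};

/* Stands in for NS code running between the service's check and its use of
 * the data: the NS core on a dual-core platform, or an NS interrupt handler
 * on a single core. Test-only simulation. */
typedef void (*ns_race_hook)(uint8_t *ns_mem, size_t ns_len);

static uint32_t ns_read_u32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);  /* no unaligned access through a cast */
    return v;
}

/* Vulnerable pattern (TFM-GENERIC-SECURE-SERVICE-RW-T-1): the header is
 * validated in NS memory and read again from NS memory when used. *used
 * reports what the second read returned. */
int service_validate_then_reread(uint8_t *ns_mem, size_t ns_len,
                                 ns_race_hook race, uint32_t *used)
{
    uint8_t sp_buf[SP_BUF_SIZE];
    uint32_t len;

    if (ns_len < sizeof(struct req_hdr)) return SVC_BAD_INPUT;
    if (ns_read_u32(ns_mem) != REQ_MAGIC) return SVC_BAD_INPUT;
    len = ns_read_u32(ns_mem + 4);
    if (len > SP_BUF_SIZE || len > ns_len - sizeof(struct req_hdr))
        return SVC_BAD_INPUT;            /* first read passes validation */

    if (race) race(ns_mem, ns_len);       /* NS rewrites the header here */

    len = ns_read_u32(ns_mem + 4);        /* second read is unvalidated */
    *used = len;
    if (len > SP_BUF_SIZE) return SVC_BOUND_VIOLATED; /* would overflow sp_buf */
    memcpy(sp_buf, ns_mem + sizeof(struct req_hdr), len);
    return SVC_OK;
}

/* Hardened pattern (the mitigation): copy header and payload into
 * partition-owned memory, validate the copy, use only the copy. The offset
 * inside the structure is bounded against the copied payload, so nothing
 * NSPE plants in the structure is ever dereferenced as an address. */
int service_copy_then_validate(uint8_t *ns_mem, size_t ns_len,
                               ns_race_hook race, uint32_t *used)
{
    struct req_hdr hdr;           /* SPE-owned copy of the header */
    uint8_t sp_buf[SP_BUF_SIZE];  /* SPE-owned copy of the payload */

    if (ns_len < sizeof hdr) return SVC_BAD_INPUT;
    memcpy(&hdr, ns_mem, sizeof hdr);
    if (hdr.magic != REQ_MAGIC) return SVC_BAD_INPUT;
    if (hdr.payload_len > SP_BUF_SIZE || hdr.payload_len > ns_len - sizeof hdr)
        return SVC_BAD_INPUT;
    /* field must lie inside the payload; ordered to avoid 32-bit overflow */
    if (hdr.field_off > hdr.payload_len ||
        hdr.field_len > hdr.payload_len - hdr.field_off)
        return SVC_BAD_INPUT;
    memcpy(sp_buf, ns_mem + sizeof hdr, hdr.payload_len);

    if (race) race(ns_mem, ns_len);   /* cannot reach hdr or sp_buf */

    *used = hdr.payload_len;
    /* the service would now process sp_buf[field_off .. field_off+field_len) */
    return SVC_OK;
}

/* Constructed NS-side request: 16-byte payload, field at bytes 4..7. */
#define DEMO_NS_LEN (sizeof(struct req_hdr) + 16u)

void demo_build_request(uint8_t *ns_mem)
{
    struct req_hdr hdr = { REQ_MAGIC, 16u, 4u, 4u };
    memcpy(ns_mem, &hdr, sizeof hdr);
    memset(ns_mem + sizeof hdr, 0xA5, 16u);
}

/* Test-only race: NS raises payload_len far beyond the scratch buffer. */
void demo_tamper(uint8_t *ns_mem, size_t ns_len)
{
    uint32_t huge = 1000u;
    (void)ns_len;
    memcpy(ns_mem + 4, &huge, sizeof huge);
}
```

On a single-core platform the race hook corresponds to an NS interrupt preempting the service; on a dual-core platform the NS core runs concurrently, so the window is always open. ``service_copy_then_validate`` also rejects a field offset that reaches past the copied payload, which is the bounded-offset alternative to the embedded addresses that TFM-GENERIC-SECURE-SERVICE-RW-T-2_ warns about.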
TF-M returns secure service result
----------------------------------

This section identifies threats on ``DF4`` defined in `Data Flow Diagram`_.

When a RoT service completes the request from NSPE, TF-M returns the success or
failure error code to the NS application.

In the single Armv8-M core scenario, TF-M writes the return code value in a
general purpose register and returns to Non-secure state.

On dual-cpu platforms, TF-M writes the return code to the NSPE mailbox message
queue via the mailbox.

.. table:: TFM-GENERIC-RETURN-CODE-I-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-RETURN-CODE-I-1**                            |
  +---------------+------------------------------------------------------------+
  | Description   | SPE may leave secure data in the registers not banked      |
  |               | after the SPE completes PSA Client calls and executes      |
  |               | ``BXNS`` to switch Armv8-M back to Non-secure state.       |
  +---------------+------------------------------------------------------------+
  | Justification | If SPE doesn't clean up the secure data in registers not   |
  |               | banked before switching into NSPE on an Armv8-M core, NSPE |
  |               | can read the SPE context from those registers.             |
  +---------------+------------------------------------------------------------+
  | Category      | Information disclosure                                     |
  +---------------+------------------------------------------------------------+
  | Mitigation    | In the single Armv8-M core scenario, TF-M cleans the       |
  |               | general purpose registers not banked before switching into |
  |               | NSPE, to prevent NSPE from probing the secure context in   |
  |               | the registers.                                             |
  |               |                                                            |
  |               | When the FPU is enabled in TF-M, the secure FP context     |
  |               | belonging to a secure partition is saved on that           |
  |               | partition's stack and cleaned by hardware during context   |
  |               | switching. TF-M also cleans the secure FP context in the   |
  |               | FP registers before switching into NSPE, to prevent NSPE   |
  |               | from probing the secure FP context.                        |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 4.3 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

NS interrupts preempt SPE execution
-----------------------------------

This section identifies threats on ``DF5`` defined in `Data Flow Diagram`_.

.. table:: TFM-GENERIC-NS-INTERRUPT-I-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-NS-INTERRUPT-I-1**                           |
  +---------------+------------------------------------------------------------+
  | Description   | Shared registers may contain secure data when NS           |
  |               | interrupts occur.                                          |
  +---------------+------------------------------------------------------------+
  | Justification | The secure data in shared registers should be cleaned up   |
  |               | before NSPE can access shared registers. Otherwise, secure |
  |               | data leakage may occur.                                    |
  +---------------+------------------------------------------------------------+
  | Category      | Information disclosure                                     |
  +---------------+------------------------------------------------------------+
  | Mitigation    | In the single Armv8-M core scenario, the Armv8-M           |
  |               | architecture automatically cleans up the registers not     |
  |               | banked before switching to Non-secure state while taking   |
  |               | NS interrupts.                                             |
  |               |                                                            |
  |               | When the FPU is enabled in TF-M, with FPCCR_S.TS set to 1, |
  |               | the FP context in the FP callee registers, besides the     |
  |               | secure FP context in the FP caller registers, is also      |
  |               | cleaned by hardware automatically when NS interrupts       |
  |               | occur, to prevent NSPE from probing the secure FP context  |
  |               | in the FP registers. Refer to the Armv8-M Architecture     |
  |               | Reference Manual [ARM arm]_ for details.                   |
  |               |                                                            |
  |               | On dual-cpu platforms, shared registers are implementation |
  |               | defined, such as Inter-Processor Communication registers.  |
  |               | Dual-cpu platforms must not store any data which may       |
  |               | disclose secure information in the shared registers.       |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 4.3 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-NS-INTERRUPT-D-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-NS-INTERRUPT-D-1**                           |
  +---------------+------------------------------------------------------------+
  | Description   | An attacker may trigger spurious NS interrupts frequently  |
  |               | to block SPE execution.                                    |
  +---------------+------------------------------------------------------------+
  | Justification | In the single Armv8-M core scenario, an attacker may       |
  |               | inject a malicious NS application or hijack NS hardware to |
  |               | frequently trigger spurious NS interrupts that keep        |
  |               | preempting SPE and block SPE from performing normal secure |
  |               | execution.                                                 |
  +---------------+------------------------------------------------------------+
  | Category      | Denial of service                                          |
  +---------------+------------------------------------------------------------+
  | Mitigation    | It is out of the scope of TF-M.                            |
  |               |                                                            |
  |               | Assets protected by TF-M won't be leaked. TF-M won't be    |
  |               | directly impacted.                                         |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 4.0 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

Secure interrupts preempt NSPE execution
----------------------------------------

This section identifies threats on ``DF6`` defined in `Data Flow Diagram`_.

.. table:: TFM-GENERIC-S-INTERRUPT-I-1
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-S-INTERRUPT-I-1**                            |
  +---------------+------------------------------------------------------------+
  | Description   | Shared registers may contain secure data when Armv8-M core |
  |               | switches back to Non-secure state on Secure interrupt      |
  |               | return.                                                    |
  +---------------+------------------------------------------------------------+
  | Justification | Armv8-M architecture doesn't automatically clean up shared |
  |               | registers while returning to Non-secure state during       |
  |               | Secure interrupt return.                                   |
  |               |                                                            |
  |               | If SPE leaves critical data in the Armv8-M registers not   |
  |               | banked, NSPE can read secure context from those registers  |
  |               | and secure data leakage may occur.                         |
  +---------------+------------------------------------------------------------+
  | Category      | Information disclosure                                     |
  +---------------+------------------------------------------------------------+
  | Mitigation    | TF-M saves the NSPE context in general purpose registers   |
  |               | R4~R11 onto the secure stack during secure interrupt       |
  |               | entry. After secure interrupt handling completes, TF-M     |
  |               | unstacks the NSPE context from the secure stack to         |
  |               | overwrite the secure context in R4~R11 before secure       |
  |               | interrupt return.                                          |
  |               |                                                            |
  |               | The Armv8-M architecture automatically unstacks the NSPE   |
  |               | context from the non-secure stack to overwrite the other   |
  |               | registers not banked, such as R0~R3 and R12, during secure |
  |               | interrupt return, before NSPE software can access those    |
  |               | registers.                                                 |
  |               |                                                            |
  |               | When the FPU is enabled in TF-M, with FPCCR_S.TS = 1 and   |
  |               | FPCCR_S.CLRONRET = 1, the FP context in the FP callee      |
  |               | registers, besides the secure FP context in the FP caller  |
  |               | registers, is also cleaned by hardware automatically       |
  |               | during Secure exception return, to prevent NSPE from       |
  |               | probing the secure FP context in the FP registers. Refer   |
  |               | to the Armv8-M Architecture Reference Manual [ARM arm]_    |
  |               | for details.                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 4.3 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

Miscellaneous threats
---------------------

This section collects threats that are not tied to the valid TF-M data flows
shown above.

.. table:: TFM-GENERIC-STACK-SEAL
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-STACK-SEAL**                                 |
  +---------------+------------------------------------------------------------+
  | Description   | Armv8-M processor Secure software Stack Sealing            |
  |               | vulnerability.                                             |
  +---------------+------------------------------------------------------------+
  | Justification | On Armv8-M based processors with TrustZone, if Secure      |
  |               | software does not properly manage the Secure stacks when   |
  |               | the stacks are created, or when performing non-standard    |
  |               | transitioning between states or modes, for example,        |
  |               | creating a fake exception return stack frame to            |
  |               | de-privilege an interrupt, it is possible for Non-secure   |
  |               | world software to manipulate the Secure stacks, and        |
  |               | potentially influence Secure control flow.                 |
  |               |                                                            |
  |               | Refer to [STACK-SEAL]_ for details.                        |
  +---------------+------------------------------------------------------------+
  | Category      | Elevation of privilege                                     |
  +---------------+------------------------------------------------------------+
  | Mitigation    | TF-M has implemented the common mitigation against the     |
  |               | stack sealing vulnerability.                               |
  |               |                                                            |
  |               | Refer to [ADVISORY-TFMV-1]_ for details on analysis and    |
  |               | mitigation in TF-M.                                        |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 5.3 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-SVC-CALL-SP-FETCH
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-SVC-CALL-SP-FETCH**                          |
  +---------------+------------------------------------------------------------+
  | Description   | Invoking Secure functions from handler mode may cause TF-M |
  |               | IPC model to behave unexpectedly.                          |
  +---------------+------------------------------------------------------------+
  | Justification | On Armv8-M based processors with TrustZone, if NSPE calls  |
  |               | a secure function via Secure Gateway (SG) from non-secure  |
  |               | Handler mode, TF-M selects the secure process stack by     |
  |               | mistake for SVC handling. This will most likely trigger a  |
  |               | crash in the secure world or reset the whole system, with  |
  |               | a very low likelihood of overwriting some memory contents. |
  +---------------+------------------------------------------------------------+
  | Category      | Denial of service/Tampering                                |
  +---------------+------------------------------------------------------------+
  | Mitigation    | TF-M has enhanced its implementation to mitigate this      |
  |               | vulnerability.                                             |
  |               |                                                            |
  |               | Refer to [ADVISORY-TFMV-2]_ for details on analysis and    |
  |               | mitigation in TF-M.                                        |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 4.5 (Medium)                                               |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-FP-VLLDM
  :widths: 10 50

  +---------------+------------------------------------------------------------+
  | Index         | **TFM-GENERIC-FP-VLLDM**                                   |
  +---------------+------------------------------------------------------------+
  | Description   | Secure data in FP registers may be disclosed to NSPE when  |
  |               | a VLLDM instruction is abandoned mid-way due to an         |
  |               | exception.                                                 |
  +---------------+------------------------------------------------------------+
  | Justification | Refer to [VLLDM Vulnerability]_ for details.               |
  +---------------+------------------------------------------------------------+
  | Category      | Tampering/Information disclosure                           |
  +---------------+------------------------------------------------------------+
  | Mitigation    | In the current TF-M implementation, when the FPU is        |
  |               | enabled in SPE, TF-M configures NSACR to disable NSPE      |
  |               | access to the FPU. Therefore, secure data in the FP        |
  |               | registers is protected from NSPE.                          |
  |               |                                                            |
  |               | Refer to [VLLDM Vulnerability]_ for details on analysis    |
  |               | and mitigation.                                            |
  +---------------+------------------------------------------------------------+
  | CVSS Score    | 3.4 (Low)                                                  |
  +---------------+------------------------------------------------------------+
  | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N               |
  | String        |                                                            |
  +---------------+------------------------------------------------------------+

***************
Version control
***************

.. table:: Version control

  +---------+--------------------------------------------------+---------------+
  | Version | Description                                      | TF-M version  |
  +=========+==================================================+===============+
  | v0.1    | Initial draft                                    | TF-M v1.1     |
  +---------+--------------------------------------------------+---------------+
  | v1.0    | First version                                    | TF-M v1.2.0   |
  +---------+--------------------------------------------------+---------------+
  | v1.1    | Update version                                   | TF-M v1.5.0   |
  +---------+--------------------------------------------------+---------------+
  | v1.2    | Update details to align FP support in NSPE.      | TF-M v1.5.0   |
  +---------+--------------------------------------------------+---------------+

*********
Reference
*********

.. [Security-Incident-Process] `Security Incident Process <https://developer.trustedfirmware.org/w/collaboration/security_center/reporting/>`_

.. [FF-M] `Arm® Platform Security Architecture Firmware Framework 1.0 <https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063-PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e-4ef3d8f7f4b4>`_

.. [FF-M 1.1 Extensions] `Arm® Firmware Framework for M 1.1 Extensions <https://documentation-service.arm.com/static/600067c09b9c2d1bb22cd1c5?token=>`_

.. [DUAL-CPU-BOOT] :doc:`Booting a dual core system </technical_references/design_docs/dual-cpu/booting_a_dual_core_system>`

.. [CVSS] `Common Vulnerability Scoring System Version 3.1 Calculator <https://www.first.org/cvss/calculator/3.1>`_

.. [CVSS_SPEC] `CVSS v3.1 Specification Document <https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf>`_

.. [STRIDE] `The STRIDE Threat Model <https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)?redirectedfrom=MSDN>`_

.. [SECURE-BOOT] :doc:`Secure boot </technical_references/design_docs/tfm_secure_boot>`

.. [ROLLBACK-PROTECT] :doc:`Rollback protection in TF-M secure boot </technical_references/design_docs/secure_boot_rollback_protection>`

.. [ARM arm] `Armv8-M Architecture Reference Manual <https://developer.arm.com/documentation/ddi0553/latest>`_

.. [STACK-SEAL] `Armv8-M processor Secure software Stack Sealing vulnerability <https://developer.arm.com/support/arm-security-updates/armv8-m-stack-sealing>`_

.. [ADVISORY-TFMV-1] :doc:`Advisory TFMV-1 </security/security_advisories/stack_seal_vulnerability>`

.. [ADVISORY-TFMV-2] :doc:`Advisory TFMV-2 </security/security_advisories/svc_caller_sp_fetching_vulnerability>`

.. [VLLDM Vulnerability] `VLLDM instruction Security Vulnerability <https://developer.arm.com/support/arm-security-updates/vlldm-instruction-security-vulnerability>`_

--------------------

*Copyright (c) 2020-2022 Arm Limited. All Rights Reserved.*