#######################################
Trusted Firmware-M Generic Threat Model
#######################################

************
Introduction
************

This document introduces a generic threat model of Trusted Firmware-M (TF-M).
This generic threat model provides an overall analysis of the TF-M implementation
and identifies general threats and mitigations.

There is also a dedicated document for physical attack mitigations, which can be
found :doc:`here </design_docs/tfm_physical_attack_mitigation>`.

.. note::

   If you believe you have found a security vulnerability, please follow the
   Trustedfirmware.org [Security-Incident-Process]_ to contact the TF-M security
   team.

Scope
=====

TF-M supports diverse models and topologies. It also implements multiple
isolation levels. Each case may focus on a different target of evaluation (TOE)
and identify different assets and threats.
The TF-M implementation consists of several secure services, defined as
Root of Trust (RoT) services. Those RoT services belong to different RoTs
(Application RoT or PSA RoT) and access different assets and hardware. Therefore
each RoT service may require a dedicated threat model.

The analysis of specific models, topologies or RoT services may be covered in
dedicated threat model documents. Those threat models are out of the scope of
this document.

Methodology
===========

The threat modeling in this document follows the process listed below to
build up the threat model.

- Target of Evaluation (TOE)
- Assets identification
- Data Flow Diagram (DFD)
- Threats Prioritization
- Threats identification

The TOE is the entity on which threat modeling is performed. The logic behind
this process is to first investigate the TOE, which could be a system, solution
or use case. This first step helps to identify the assets to be protected in the
TOE.

According to the TOE and assets, Trust Boundaries can be determined. The Data
Flow Diagram (DFD) across Trust Boundaries is then defined to help identify the
threats.

Those threats should be prioritized based on a specific group of principles and
metrics. The principles and metrics should also be specified.

********************
Target of Evaluation
********************

A typical TF-M system diagram from a high-level overview is shown below. TF-M is
running in the Secure Processing Environment (SPE) and NS software is running in
the Non-Secure Processing Environment (NSPE). For more details, please refer to
the Platform Security Architecture Firmware Framework for M (FF-M) [FF-M]_ and
the FF-M 1.1 Extensions [FF-M-1.1-Extensions]_.

.. figure:: TF-M-block-diagram.png

The TOE in this general model is the SPE, including TF-M and other components
running in the SPE.

The TOE can vary across TF-M models, RoT services and usage scenarios.
Refer to the dedicated threat models for the specific TOE definitions.

********************
Asset identification
********************

In this threat model, assets include the general items listed below:

- Hardware Root of Trust data, e.g.

  - Hardware Unique Key (HUK)
  - Root authentication key
  - Other embedded root keys

- Software RoT data, e.g.

  - Secure Partition Manager (SPM) code and data
  - Secure partition code and data
  - NSPE data stored in SPE
  - Data generated in SPE as requested by NSPE

- Availability of the entire RoT service

- Secure logs, including event logs

Assets may vary in different use cases and implementations. Additional assets
can be defined in an actual usage scenario and a dedicated threat model.

For example, in a network camera use case, the following data can be defined as
assets too:

- Certificate for connecting to the cloud
- Session keys for encryption/decryption in the communication with the cloud
- Keys to encrypt/decrypt the videos and photos

*****************
Data Flow Diagram
*****************

The Trust Boundary isolates the SPE from the NSPE, according to the TOE
definition in `Target of Evaluation`_. The Trust Boundary mapped onto the block
diagram is shown in the figure below. Other modules inside the SPE stay in the
same TOE as TF-M does.

Valid data flows across the Trust Boundary are also shown in the figure below.
This threat model only focuses on the data flows related to TF-M.

.. figure:: overall-DFD.png

More details of the data flows are listed below.

.. _data-flow-table:

.. table:: TF-M Data Flows between NSPE and SPE

   +-----------+----------------------------------------------------------------+
   | Data flow | Description                                                    |
   +===========+================================================================+
   | ``DF1``   | TF-M initializes NS entry and activates NSPE.                  |
   |           |                                                                |
   |           | - On Armv8-M platforms with TrustZone, TF-M will hand over the |
   |           |   control to Non-secure state.                                 |
   |           | - On dual-cpu platforms, Secure core starts NS core booting.   |
   +-----------+----------------------------------------------------------------+
   | ``DF2``   | NSPE requests TF-M RoT services.                               |
   |           |                                                                |
   |           | NSPE requests RoT services via PSA Client APIs defined in      |
   |           | [FF-M]_.                                                       |
   |           |                                                                |
   |           | In Armv8-M TrustZone scenarios, SG instruction is executed in  |
   |           | a Non-secure Callable region to trigger a transition from      |
   |           | Non-secure state to Secure state.                              |
   |           |                                                                |
   |           | On dual-cpu platforms, non-secure core sends PSA Client calls  |
   |           | to secure core via mailbox.                                    |
   +-----------+----------------------------------------------------------------+
   | ``DF3``   | Secure Partitions fetch input data from NS and write back      |
   |           | output data to NS.                                             |
   |           |                                                                |
   |           | As required in [FF-M]_, Secure Partitions should not directly  |
   |           | access NSPE memory. Instead, RoT services rely on TF-M SPM     |
   |           | to access NSPE memory.                                         |
   +-----------+----------------------------------------------------------------+
   | ``DF4``   | TF-M returns RoT service results to NSPE after NS request to   |
   |           | RoT service is completed.                                      |
   |           |                                                                |
   |           | In Armv8-M TrustZone scenarios, it also triggers a transition  |
   |           | from Secure state back to Non-secure state.                    |
   |           |                                                                |
   |           | On dual-cpu platforms, secure core returns the result to       |
   |           | non-secure core via mailbox.                                   |
   +-----------+----------------------------------------------------------------+
   | ``DF5``   | Non-secure interrupts preempt SPE execution in Armv8-M         |
   |           | TrustZone scenarios.                                           |
   +-----------+----------------------------------------------------------------+
   | ``DF6``   | Secure interrupts preempt NSPE execution in Armv8-M TrustZone  |
   |           | scenarios.                                                     |
   +-----------+----------------------------------------------------------------+

.. note::

   All the other data flows across the Trust Boundary besides the valid ones
   mentioned above should be prohibited by default.
   Proper isolation must be configured to prevent the NSPE from directly
   accessing the SPE.

   Threats irrelevant to the data flows in
   :ref:`TF-M Data Flows between NSPE and SPE <data-flow-table>` may be specified
   in `Miscellaneous threats`_.

Data flows inside SPE (informative)
===================================

Since all the SPE components stay in the TOE within the same Trust Boundary in
this threat model, the data flows between SPE components are not covered in this
threat model. Instead, those data flows and the corresponding threats will be
identified in the dedicated threat model documents of TF-M RoT services and
usage scenarios.

Those data flows inside the SPE include the following examples:

- Data flows between TF-M and BL2
- Data flows between RoT services and SPM
- Data flows between RoT services and the corresponding secure hardware and
  assets, such as the secure storage device, crypto hardware accelerator and
  Hardware Unique Key (HUK).

*********************
Threat identification
*********************

Threat priority
===============

Threat priority is indicated by the score calculated via the Common
Vulnerability Scoring System (CVSS) Version 3.1 [CVSS]_. The higher the score,
the greater the severity of the threat and the higher its priority.

CVSS scores can be mapped to the qualitative severity ratings defined in the
CVSS 3.1 specification [CVSS_SPEC]_. This threat model follows the same mapping
between CVSS scores and threat priority rating.

As a generic threat model, this document focuses on the *Base Score*, which
reflects the constant and general severity of a threat according to its
intrinsic characteristics.

The *Impacted Component* defined in [CVSS_SPEC]_ refers to the assets listed in
`Asset identification`_.

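As an added example, not part of the TF-M document or its code base, the C code below computes the CVSS 3.1 base score and qualitative rating from a vector string of the form listed in the tables that follow; the function names and the parse-error convention (returning -1.0) are this example's own.

```c
/* Added example (not from the TF-M document or code base): CVSS v3.1 base
 * score and qualitative rating for a vector string of the form used in the
 * threat tables. Function names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct cvss_metrics { char av, ac, pr, ui, s, c, i, a; };

/* Parse "CVSS:3.1/AV:x/AC:x/PR:x/UI:x/S:x/C:x/I:x/A:x" (base metrics only,
 * any order). Returns false on malformed input or a missing metric. */
static bool parse_vector(const char *vec, struct cvss_metrics *m)
{
    static const char prefix[] = "CVSS:3.1/";
    if (strncmp(vec, prefix, sizeof prefix - 1) != 0)
        return false;
    memset(m, 0, sizeof *m);
    for (const char *p = vec + sizeof prefix - 1; *p; ) {
        const char *colon = strchr(p, ':');
        if (!colon || colon[1] == '\0')
            return false;
        size_t klen = (size_t)(colon - p);
        char v = colon[1];
        if      (klen == 2 && !strncmp(p, "AV", 2)) m->av = v;
        else if (klen == 2 && !strncmp(p, "AC", 2)) m->ac = v;
        else if (klen == 2 && !strncmp(p, "PR", 2)) m->pr = v;
        else if (klen == 2 && !strncmp(p, "UI", 2)) m->ui = v;
        else if (klen == 1 && *p == 'S') m->s = v;
        else if (klen == 1 && *p == 'C') m->c = v;
        else if (klen == 1 && *p == 'I') m->i = v;
        else if (klen == 1 && *p == 'A') m->a = v;
        else return false;
        p = colon + 2;                    /* step past ":x" */
        if (*p == '/') p++;
        else if (*p != '\0') return false;
    }
    return m->av && m->ac && m->pr && m->ui && m->s && m->c && m->i && m->a;
}

/* Metric weights from the CVSS v3.1 specification (section 7.4). */
static double cia_weight(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }
static double av_weight(char v)
{
    switch (v) { case 'N': return 0.85; case 'A': return 0.62; case 'L': return 0.55; default: return 0.2; }
}
static double ac_weight(char v) { return v == 'L' ? 0.77 : 0.44; }
static double ui_weight(char v) { return v == 'N' ? 0.85 : 0.62; }
static double pr_weight(char v, char scope)   /* PR weight depends on Scope */
{
    if (v == 'N') return 0.85;
    if (v == 'L') return scope == 'C' ? 0.68 : 0.62;
    return scope == 'C' ? 0.50 : 0.27;
}

/* x^15 without libm, for the Scope:Changed impact term. */
static double pow15(double x) { double r = 1.0; for (int k = 0; k < 15; k++) r *= x; return r; }

/* Roundup() as defined in CVSS v3.1 Appendix A: round up to one decimal using
 * integer arithmetic so floating-point noise cannot flip the result. */
static double cvss_roundup(double x)
{
    long long i = (long long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0)
        return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

/* Base score for a vector string; -1.0 if the string cannot be parsed. */
double cvss31_base_score(const char *vector)
{
    struct cvss_metrics m;
    if (!parse_vector(vector, &m))
        return -1.0;
    double iss = 1.0 - (1.0 - cia_weight(m.c)) * (1.0 - cia_weight(m.i)) * (1.0 - cia_weight(m.a));
    double impact = (m.s == 'U') ? 6.42 * iss
                                 : 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02);
    if (impact <= 0.0)
        return 0.0;   /* no C/I/A impact at all, e.g. a pure repudiation threat */
    double exploitability = 8.22 * av_weight(m.av) * ac_weight(m.ac) * pr_weight(m.pr, m.s) * ui_weight(m.ui);
    double raw = impact + exploitability;
    if (m.s == 'C')
        raw *= 1.08;
    return cvss_roundup(raw > 10.0 ? 10.0 : raw);
}

/* Qualitative severity rating scale from the CVSS v3.1 specification (section 5). */
const char *cvss31_severity(double score)
{
    if (score <= 0.0) return "None";
    if (score < 4.0)  return "Low";
    if (score < 7.0)  return "Medium";
    if (score < 9.0)  return "High";
    return "Critical";
}

/* Compare a computed score with the value printed in a threat table. */
bool cvss31_score_is(const char *vector, double expected)
{
    double diff = cvss31_base_score(vector) - expected;
    return diff < 1e-9 && diff > -1e-9;
}
```
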
Threats and mitigation list
===========================

This section lists generic threats and the corresponding mitigations, based on
the analysis of data flows in `Data Flow Diagram`_.

Threats are identified following the ``STRIDE`` model. Please refer to [STRIDE]_
for more details.

The field ``CVSS Score`` reflects the threat priority defined in
`Threat priority`_. The field ``CVSS Vector String`` contains the textual
representation of the CVSS metric values used to score the threat. Refer to
[CVSS_SPEC]_ for more details of the CVSS vector string.

For each threat, a mitigation strategy is determined:

- **Controlled**: a mitigation has been implemented by TF-M.

- **Accepted**: no mitigation is currently implemented as the risk is
  acceptable, and the mitigation description justifies the acceptance.

- **Suppressed**: the feature can be disabled to remove the threat.

- **Transferred**: the threat cannot be fully mitigated within the scope of
  TF-M. The threat must be handled by downstream users for their specific
  platform.

- **Out-of-scope**: some threats are out-of-scope and so do not have a
  mitigation but are included for completeness.

.. note::

   A generic threat may behave differently, and therefore require different
   mitigations, in different TF-M models and usage scenarios.

   This threat model document focuses on a general analysis of the following
   threats. For the details in a specific configuration and usage scenario,
   please refer to the dedicated threat model document.

NS entry initialization
-----------------------

This section identifies threats on ``DF1`` defined in `Data Flow Diagram`_.

.. table:: TFM-GENERIC-NS-INIT-T-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-NS-INIT-T-1**                                |
   +---------------+------------------------------------------------------------+
   | Description   | The NS image can be tampered with by an attacker           |
   +---------------+------------------------------------------------------------+
   | Justification | An attacker may tamper with the NS image to inject         |
   |               | malicious code.                                            |
   +---------------+------------------------------------------------------------+
   | Category      | Tampering                                                  |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M BL2 uses MCUBoot to validate the      |
   |               | integrity and authenticity of the NS image during secure   |
   |               | boot, before the Secure firmware jumps to the NS entry or  |
   |               | boots up the NS core.                                      |
   |               | Refer to [SECURE-BOOT]_ for more details.                  |
   |               |                                                            |
   |               | Platforms may replace the TF-M Chain of Trust (CoT)        |
   |               | implementation, in which case this threat is               |
   |               | **transferred**.                                           |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 3.5 (Low)                                                  |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-NS-INIT-T-2
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-NS-INIT-T-2**                                |
   +---------------+------------------------------------------------------------+
   | Description   | An attacker may replace the current NS image with an older |
   |               | version.                                                   |
   +---------------+------------------------------------------------------------+
   | Justification | The attacker downgrades the NS image to an older version   |
   |               | which has been deprecated due to known security issues.    |
   |               |                                                            |
   |               | The older version image can pass the image signature       |
   |               | validation and its vulnerabilities can be exploited by     |
   |               | attackers.                                                 |
   +---------------+------------------------------------------------------------+
   | Category      | Tampering                                                  |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M relies on MCUBoot to perform          |
   |               | anti-rollback checks.                                      |
   |               |                                                            |
   |               | **Transferred**: TF-M defines a non-volatile counter API   |
   |               | to support anti-rollback. Each platform must implement it  |
   |               | using specific trusted hardware non-volatile counters.     |
   |               | For more details, refer to [ROLLBACK-PROTECT]_.            |
   |               |                                                            |
   |               | The anti-rollback protection implementation can vary on    |
   |               | different platforms.                                       |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 3.5 (Low)                                                  |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-NS-INIT-T-I-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-NS-INIT-T-I-1**                              |
   +---------------+------------------------------------------------------------+
   | Description   | If SPE doesn't complete isolation configuration before     |
   |               | NSPE starts, NSPE can access secure regions which it is    |
   |               | not allowed to access.                                     |
   +---------------+------------------------------------------------------------+
   | Justification | Secure data can be tampered with or disclosed if NSPE is   |
   |               | activated and accesses secure regions before isolation     |
   |               | configuration is completed by SPE.                         |
   +---------------+------------------------------------------------------------+
   | Category      | Tampering/Information disclosure                           |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Transferred**: TF-M defines isolation configuration      |
   |               | HALs, which platforms must implement using platform-       |
   |               | specific isolation hardware. TF-M provides a reference     |
   |               | implementation of the isolation HAL for Armv8-M platforms  |
   |               | with TrustZone.                                            |
   |               |                                                            |
   |               | On dual-cpu platforms, platform-specific initialization    |
   |               | must halt the NS core until isolation is completed, as     |
   |               | defined in [DUAL-CPU-BOOT]_.                               |
   |               |                                                            |
   |               | TF-M executes isolation configuration at an early stage of |
   |               | secure initialization before starting NS execution.        |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 9.0 (Critical)                                             |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-NS-INIT-T-I-2
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-NS-INIT-T-I-2**                              |
   +---------------+------------------------------------------------------------+
   | Description   | If SPE doesn't complete isolation configuration before     |
   |               | NSPE starts, NSPE can control devices or peripherals which |
   |               | it is not allowed to control.                              |
   +---------------+------------------------------------------------------------+
   | Justification | On some platforms, devices and peripherals can be          |
   |               | configured as Secure at runtime. If the security state of  |
   |               | those devices and peripherals is not properly configured   |
   |               | before NSPE starts, NSPE can control them and may be able  |
   |               | to tamper with data or access secure data.                 |
   +---------------+------------------------------------------------------------+
   | Category      | Tampering/Information disclosure                           |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Transferred**: Platforms must implement the TF-M         |
   |               | isolation HALs to complete and enable proper configuration |
   |               | and isolation to protect critical devices and peripherals  |
   |               | from being accessed by the NSPE.                           |
   |               |                                                            |
   |               | TF-M executes isolation configuration of devices and       |
   |               | peripherals at an early stage of secure initialization,    |
   |               | before jumping to the NS entry or booting up the NS core.  |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 9.0 (Critical)                                             |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-NS-INIT-I-2
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-NS-INIT-I-2**                                |
   +---------------+------------------------------------------------------------+
   | Description   | If SPE leaves some SPE information in non-secure memory    |
   |               | or shared registers when NSPE starts, NSPE may access      |
   |               | that information.                                          |
   +---------------+------------------------------------------------------------+
   | Justification | If NSPE can access SPE information from shared registers   |
   |               | or non-secure memory, secure information may be disclosed. |
   +---------------+------------------------------------------------------------+
   | Category      | Information disclosure                                     |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M clears registers that are not banked  |
   |               | between security states before handing over execution to   |
   |               | the NSPE on Armv8-M platforms with TrustZone.              |
   |               |                                                            |
   |               | TF-M does not store SPE information in Non-secure memory.  |
   |               |                                                            |
   |               | **Transferred**: Platform-specific code in the SPE must    |
   |               | not store SPE information in Non-secure memory.            |
   |               |                                                            |
   |               | On dual-cpu platforms, shared registers are implementation |
   |               | defined, such as Inter-Processor Communication registers.  |
   |               | Dual-cpu platforms must not store any data which may       |
   |               | disclose secure information in the shared registers.       |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 4.3 (Medium)                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-NS-INIT-D-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-NS-INIT-D-1**                                |
   +---------------+------------------------------------------------------------+
   | Description   | An attacker may block NS from booting up                   |
   +---------------+------------------------------------------------------------+
   | Justification | An attacker may block NS from booting up, such as by       |
   |               | corrupting the NS image, to stop the whole system from     |
   |               | performing its normal functions.                           |
   +---------------+------------------------------------------------------------+
   | Category      | Denial of service                                          |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Out-of-scope**: No SPE information will be disclosed and |
   |               | TF-M won't be directly impacted.                           |
   |               |                                                            |
   |               | It relies on NSPE and platform-specific implementation to  |
   |               | mitigate this threat. It is out of scope of this threat    |
   |               | model.                                                     |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 4.0 (Medium)                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

NSPE requests TF-M secure service
---------------------------------

This section identifies threats on ``DF2`` defined in `Data Flow Diagram`_.

.. table:: TFM-GENERIC-REQUEST-SERVICE-S-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-REQUEST-SERVICE-S-1**                        |
   +---------------+------------------------------------------------------------+
   | Description   | A malicious NS application may pretend to be a secure      |
   |               | client to access secure data which NSPE must not directly  |
   |               | access.                                                    |
   +---------------+------------------------------------------------------------+
   | Justification | [FF-M]_ defines ``Client ID`` to distinguish clients which |
   |               | request RoT services. Secure clients are assigned          |
   |               | positive IDs and non-secure clients are assigned negative  |
   |               | ones.                                                      |
   |               |                                                            |
   |               | A malicious NS application may provide a positive          |
   |               | ``Client ID`` to pretend to be a secure client and access  |
   |               | secure data.                                               |
   +---------------+------------------------------------------------------------+
   | Category      | Spoofing                                                   |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M checks the ``Client ID`` from NSPE.   |
   |               | If the NS ``Client ID`` is not a valid one, TF-M will      |
   |               | report this as a security error.                           |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 8.4 (High)                                                 |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-REQUEST-SERVICE-T-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-REQUEST-SERVICE-T-1**                        |
   +---------------+------------------------------------------------------------+
   | Description   | An attacker in NSPE may tamper with the service request    |
   |               | input or output vectors between check and use              |
   |               | (Time-Of-Check-to-Time-Of-Use (TOCTOU)).                   |
   +---------------+------------------------------------------------------------+
   | Justification | If SPE validates the content of input/output vectors       |
   |               | in place in NSPE memory, an attacker in NSPE has a chance  |
   |               | to tamper with the content after the validation has        |
   |               | passed. SPE will then provide the RoT service according    |
   |               | to the corrupted parameters, which may cause further       |
   |               | security issues.                                           |
   +---------------+------------------------------------------------------------+
   | Category      | Tampering                                                  |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: In the TF-M implementation, the validation |
   |               | of NS input/output vectors is only executed after those    |
   |               | vectors are copied from NSPE into SPE. This prevents an    |
   |               | attacker in NSPE from tampering with those parameters      |
   |               | after validation in TF-M.                                  |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 7.8 (High)                                                 |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-REQUEST-SERVICE-T-2
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-REQUEST-SERVICE-T-2**                        |
   +---------------+------------------------------------------------------------+
   | Description   | A malicious NS application may request to tamper with data |
   |               | belonging to SPE.                                          |
   +---------------+------------------------------------------------------------+
   | Justification | A malicious NS application may request SPE RoT services to |
   |               | write malicious values to SPE data. The malicious NS       |
   |               | application may try to tamper with SPE assets, such as     |
   |               | keys, or modify configurations in SPE. The SPE data        |
   |               | belongs to components in SPE and must not be accessed by   |
   |               | NSPE.                                                      |
   +---------------+------------------------------------------------------------+
   | Category      | Tampering                                                  |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M executes memory access checks for all |
   |               | RoT service requests. If a request doesn't have enough     |
   |               | permission to access the target memory region, TF-M will   |
   |               | refuse the request and assert a security error.            |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 7.1 (High)                                                 |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-REQUEST-SERVICE-R-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-REQUEST-SERVICE-R-1**                        |
   +---------------+------------------------------------------------------------+
   | Description   | An NS application may repudiate that it has requested      |
   |               | services from a RoT service.                               |
   +---------------+------------------------------------------------------------+
   | Justification | A malicious NS application may call a RoT service to       |
   |               | access critical data in SPE, which it is not allowed to,   |
   |               | via a non-public vulnerability. It may refuse to admit     |
   |               | that it has accessed that data.                            |
   +---------------+------------------------------------------------------------+
   | Category      | Repudiation                                                |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Transferred**: This threat can be mitigated with an      |
   |               | audit logging secure service that records significant      |
   |               | security events, such as access to sensitive data. If this |
   |               | threat is in-scope for a particular integration, then the  |
   |               | system integrator must implement the mitigation.           |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 0.0 (None)                                                 |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-REQUEST-SERVICE-I-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-REQUEST-SERVICE-I-1**                        |
   +---------------+------------------------------------------------------------+
   | Description   | A malicious NS application may request to read data        |
   |               | belonging to SPE.                                          |
   +---------------+------------------------------------------------------------+
   | Justification | A malicious NS application may request SPE RoT services to |
   |               | copy SPE data to NS memory. The SPE data belongs to        |
   |               | components in SPE and must not be disclosed to NSPE, such  |
   |               | as root keys.                                              |
   +---------------+------------------------------------------------------------+
   | Category      | Information disclosure                                     |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M executes memory access checks for all |
   |               | the RoT service requests. If a request doesn't have enough |
   |               | permission to access the target memory region, TF-M will   |
   |               | refuse the request and assert a security error.            |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 7.1 (High)                                                 |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-REQUEST-SERVICE-T-I-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-REQUEST-SERVICE-T-I-1**                      |
   +---------------+------------------------------------------------------------+
   | Description   | A malicious NS application may request to control secure   |
   |               | device and peripherals, on which it doesn't have the       |
   |               | permission.                                                |
   +---------------+------------------------------------------------------------+
   | Justification | A malicious NS application may request RoT services to     |
   |               | control secure device and peripherals, on which it doesn't |
   |               | have the permission.                                       |
   +---------------+------------------------------------------------------------+
   | Category      | Tampering/Information disclosure                           |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M performs a client check to validate   |
   |               | whether the client has the permission to access the secure |
   |               | device and peripherals.                                    |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 9.0 (Critical)                                             |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-REQUEST-SERVICE-D-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-REQUEST-SERVICE-D-1**                        |
   +---------------+------------------------------------------------------------+
   | Description   | A malicious NS application may frequently call secure      |
   |               | services to block secure service requests from other NS    |
   |               | applications.                                              |
   +---------------+------------------------------------------------------------+
   | Justification | TF-M runs on IoT devices with constrained resources. Even  |
   |               | though multiple outstanding NS PSA Client calls can be     |
   |               | supported in the system, the number of NS PSA Client calls |
   |               | served by TF-M simultaneously is still limited.            |
   |               |                                                            |
   |               | Therefore, if one or more malicious NS applications keep   |
   |               | calling TF-M secure services frequently, they may block    |
   |               | other NS applications from requesting secure services from |
   |               | TF-M.                                                      |
   +---------------+------------------------------------------------------------+
   | Category      | Denial of service                                          |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Out-of-scope**: TF-M is unable to manage behavior of NS  |
   |               | applications. Assets are not disclosed and neither is TF-M |
   |               | directly impacted in this threat.                          |
   |               |                                                            |
   |               | It relies on the NS OS to enhance its scheduling policy    |
   |               | and prevent a single NS application from occupying the     |
   |               | entire CPU time. It is beyond the scope of this threat     |
   |               | model.                                                     |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 4.0 (Medium)                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-REQUEST-SERVICE-D-2
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-REQUEST-SERVICE-D-2**                        |
   +---------------+------------------------------------------------------------+
   | Description   | A malicious NS application may provide invalid NS memory   |
   |               | addresses as the addresses of input and output data in RoT |
   |               | service requests.                                          |
   +---------------+------------------------------------------------------------+
   | Justification | SPE may be unable to achieve full knowledge of NS memory   |
   |               | mapping. SPE may fail to capture those invalid NS memory   |
   |               | addresses during memory access check since those invalid   |
   |               | addresses may not be included in isolation configuration.  |
   |               |                                                            |
   |               | In that case, SPE will access those invalid NS memory      |
   |               | addresses later to read or write data. It may trigger a    |
   |               | system error to crash the whole system immediately.        |
   |               |                                                            |
   |               | The malicious NS application may be blocked by NS MPU from |
   |               | directly accessing that invalid NS memory address. But it  |
   |               | may manipulate SPE to access that address instead.         |
   +---------------+------------------------------------------------------------+
   | Category      | Denial of service                                          |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M executes a memory access check on the |
   |               | memory addresses in all the NS requests.                   |
   |               |                                                            |
   |               | On Armv8-M platforms with TrustZone, TF-M invokes ``TT``   |
   |               | instructions to execute memory address check. If an NS     |
   |               | memory area is not matched in any valid SAU or MPU region, |
   |               | it will be marked as invalid and any access permission is  |
   |               | disallowed. Therefore, SPM will reject any NS request      |
   |               | containing invalid NS memory addresses and report it as a  |
   |               | security error.                                            |
   |               |                                                            |
   |               | On dual-core platforms, TF-M implements a default memory   |
   |               | access check. If an NS memory area is not found in any     |
   |               | memory region configured for isolation, it will be marked  |
   |               | as invalid and therefore SPM will reject the corresponding |
   |               | NS request. It will be reported as a security error.       |
   |               |                                                            |
   |               | **Transferred**: Dual-core platforms may implement         |
   |               | platform specific memory check to replace the default one. |
   |               | It relies on platform specific implementation to capture   |
   |               | invalid memory addresses.                                  |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 3.2 (Low)                                                  |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

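The ``Controlled`` mitigations of TFM-GENERIC-REQUEST-SERVICE-I-1 and TFM-GENERIC-REQUEST-SERVICE-D-2 both rest on SPM checking every NS address before SPE touches it. The C program below is an added example, not TF-M source code: it models the dual-core "default memory access check" on a host, against a constructed isolation configuration and constructed addresses. The region table, the ``MEM_ATTR_*`` names and the function names are assumptions of the example.

```c
/*
 * Added example, not TF-M source code: a host-runnable model of the
 * "default memory access check". A (hypothetical) isolation configuration
 * lists the NS memory regions that SPE may touch on behalf of NSPE. A
 * request vector is accepted only if it lies entirely inside one configured
 * region carrying the required permission; anything else, including an
 * address SPE has no knowledge of, is rejected before SPE dereferences it.
 * Region addresses, sizes and all names are constructed for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MEM_ATTR_NS_READ   (1u << 0)
#define MEM_ATTR_NS_WRITE  (1u << 1)

/* One entry of the constructed isolation configuration. */
struct mem_region {
    uintptr_t base;   /* first address in the region */
    uintptr_t limit;  /* last address in the region (inclusive) */
    uint32_t  attr;   /* MEM_ATTR_* access NSPE is allowed to delegate */
};

/* Constructed NS memory map: flash (read-only) and SRAM (read/write). */
static const struct mem_region ns_regions[] = {
    { 0x00200000u, 0x002FFFFFu, MEM_ATTR_NS_READ },
    { 0x20200000u, 0x2023FFFFu, MEM_ATTR_NS_READ | MEM_ATTR_NS_WRITE },
};

/* True only if every byte of [addr, addr + size) belongs to one configured
 * region and that region grants every bit in `attr`. */
bool spm_memory_check(uintptr_t addr, size_t size, uint32_t attr)
{
    uintptr_t last;

    if (size == 0) {
        return true;  /* no byte is accessed; the service must honour len 0 */
    }
    /* A size that wraps the address space would make `last` smaller than
     * `addr` and could slip past a naive range test: refuse it first. */
    if (size - 1 > UINTPTR_MAX - addr) {
        return false;
    }
    last = addr + (size - 1);

    for (size_t i = 0; i < sizeof ns_regions / sizeof ns_regions[0]; i++) {
        const struct mem_region *r = &ns_regions[i];
        if (addr >= r->base && last <= r->limit) {
            return (r->attr & attr) == attr;
        }
    }
    return false;  /* covered by no region: unknown to SPE, hence invalid */
}

/* A request vector as seen by SPM: an NS address and a byte count. */
struct iovec_desc {
    uintptr_t base;
    size_t    len;
};

/* Validates all vectors of one request: inputs need read access, outputs
 * need write access, and the total may not exceed the four vectors that
 * [FF-M] allows. The whole request is rejected if any vector fails. */
bool spm_validate_request(const struct iovec_desc *in, size_t n_in,
                          const struct iovec_desc *out, size_t n_out)
{
    if (n_in + n_out > 4) {
        return false;
    }
    for (size_t i = 0; i < n_in; i++) {
        if (!spm_memory_check(in[i].base, in[i].len, MEM_ATTR_NS_READ)) {
            return false;
        }
    }
    for (size_t i = 0; i < n_out; i++) {
        if (!spm_memory_check(out[i].base, out[i].len, MEM_ATTR_NS_WRITE)) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    const struct iovec_desc in[]   = { { 0x00200100u, 32 } };  /* NS flash   */
    const struct iovec_desc good[] = { { 0x20200000u, 64 } };  /* NS SRAM    */
    const struct iovec_desc bad[]  = { { 0x30000000u, 64 } };  /* unknown    */

    printf("output in NS SRAM:        %s\n",
           spm_validate_request(in, 1, good, 1) ? "accepted" : "rejected");
    printf("output at unknown address: %s\n",
           spm_validate_request(in, 1, bad, 1) ? "accepted" : "rejected");
    return 0;
}
```

Two edge cases matter in a check of this shape: a buffer whose end wraps around the address space, which must be rejected before the end address is computed, and a buffer that straddles the end of a configured region, which is rejected because no single region covers it entirely. Accepting a zero-length vector is a design choice of this example (no byte is accessed); the service must then never touch that buffer.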
RoT services read and write NS data
-----------------------------------

This section identifies threats on ``DF3`` defined in `Data Flow Diagram`_.

RoT services can either directly access NS memory or rely on TF-M SPM to obtain
NS input data and send response data back to NS memory.

.. _TFM-GENERIC-SECURE-SERVICE-RW-T-1:

.. table:: TFM-GENERIC-SECURE-SERVICE-RW-T-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-SECURE-SERVICE-RW-T-1**                      |
   +---------------+------------------------------------------------------------+
   | Description   | An attacker may tamper with NS input data while the RoT    |
   |               | service is processing that data.                           |
   +---------------+------------------------------------------------------------+
   | Justification | A RoT service may access NS input data multiple times      |
   |               | during its data processing. For example, it may validate   |
   |               | or authenticate the NS input data before it performs       |
   |               | further processing.                                        |
   |               |                                                            |
   |               | If the NS input data remains in NSPE memory during the RoT |
   |               | service execution, an attacker may tamper with the NS      |
   |               | input data in NSPE memory after the validation passes.     |
   +---------------+------------------------------------------------------------+
   | Category      | Tampering                                                  |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: If RoT services request SPM to read and    |
   |               | write NS data, SPM follows [FF-M]_ to copy the NS input    |
   |               | data into SPE memory region owned by the RoT service,      |
   |               | before the RoT service processes the data. Therefore, the  |
   |               | NS input data is protected during the RoT service          |
   |               | execution from being tampered with.                        |
   |               |                                                            |
   |               | **Transferred**: If RoT services can directly access NS    |
   |               | memory and read NS input data multiple times during data   |
   |               | processing, then the RoT service implementor must review   |
   |               | and confirm the implementation of the RoT service copies   |
   |               | NS input data into SPE memory area before it processes the |
   |               | data. TF-M-provided RoT services implement this            |
   |               | mitigation.                                                |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 3.2 (Low)                                                  |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. _TFM-GENERIC-SECURE-SERVICE-RW-T-2:

.. table:: TFM-GENERIC-SECURE-SERVICE-RW-T-2
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-SECURE-SERVICE-RW-T-2**                      |
   +---------------+------------------------------------------------------------+
   | Description   | A malicious NS application may embed secure memory         |
   |               | addresses into a structure in RoT service request input    |
   |               | vectors, to tamper with secure memory which the NS         |
   |               | application must not access.                               |
   +---------------+------------------------------------------------------------+
   | Justification | [FF-M]_ limits the total number of input/output vectors to |
   |               | 4. If a RoT service requires more input/output vectors, it |
   |               | may define a parameter structure which embeds multiple     |
   |               | input/output buffer addresses.                             |
   |               |                                                            |
   |               | However, as a potential security risk, a malicious NS      |
   |               | application can put secure memory addresses into a valid   |
   |               | parameter structure to bypass TF-M validation on those     |
   |               | memory addresses.                                          |
   |               |                                                            |
   |               | The parameter structure can pass the TF-M memory access    |
   |               | check since the structure itself is valid. However, if the |
   |               | RoT service parses the structure and directly writes       |
   |               | malicious data from NSPE to the secure memory addresses in |
   |               | the parameter structure, the secure data will be tampered. |
   +---------------+------------------------------------------------------------+
   | Category      | Tampering                                                  |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Transferred**: The RoT service implementor must not      |
   |               | embed memory addresses into a single input/output vector.  |
   |               | If more than 4 memory addresses are required in a RoT      |
   |               | service request, it is recommended to split this request   |
   |               | into two or more service calls, so that each service call  |
   |               | requires no more than 4 input/output vectors.              |
   |               |                                                            |
   |               | If RoT services request SPM to read and write NS data,     |
   |               | SPM will validate the target addresses and can detect the  |
   |               | invalid addresses to mitigate this threat.                 |
   |               |                                                            |
   |               | If RoT services can directly access NS memory, it is       |
   |               | required to review and confirm that the RoT service        |
   |               | implementation doesn't embed memory addresses.             |
   |               |                                                            |
   |               | TF-M-provided RoT services implement these mitigations.    |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 7.1 (High)                                                 |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-SECURE-SERVICE-RW-I-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-SECURE-SERVICE-RW-I-1**                      |
   +---------------+------------------------------------------------------------+
   | Description   | Similar to TFM-GENERIC-SECURE-SERVICE-RW-T-2_, a malicious |
   |               | NS application can embed secure memory addresses in a      |
   |               | parameter structure in RoT service request input vectors,  |
   |               | to read secure data which the NS application must not      |
   |               | access.                                                    |
   +---------------+------------------------------------------------------------+
   | Justification | Similar to the description in                              |
   |               | TFM-GENERIC-SECURE-SERVICE-RW-T-2_, the secure memory      |
   |               | addresses hidden in the RoT service input/output vector    |
   |               | structure may bypass TF-M validation. Without a proper     |
   |               | check, the RoT service may copy secure data to NSPE        |
   |               | according to the secure memory addresses in the structure, |
   |               | and secure information is disclosed.                       |
   +---------------+------------------------------------------------------------+
   | Category      | Information disclosure                                     |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Transferred**: The RoT service implementor must not      |
   |               | embed memory addresses into a single input/output vector.  |
   |               | If more than 4 memory addresses are required in a RoT      |
   |               | service request, it is recommended to split this request   |
   |               | into two or more service calls, so that each service call  |
   |               | requires no more than 4 input/output vectors.              |
   |               |                                                            |
   |               | If RoT services request SPM to read and write NS data,     |
   |               | SPM will validate the target addresses and can detect the  |
   |               | invalid addresses to mitigate this threat.                 |
   |               |                                                            |
   |               | If RoT services can directly access NS memory, it is       |
   |               | required to review and confirm that the RoT service        |
   |               | implementation doesn't embed memory addresses.             |
   |               |                                                            |
   |               | TF-M-provided RoT services implement these mitigations.    |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 7.1 (High)                                                 |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

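TFM-GENERIC-SECURE-SERVICE-RW-T-1, RW-T-2 and RW-I-1 together describe what a RoT service must do with NS input: snapshot it into SPE-owned memory before validating it, and never treat bytes inside a request payload as addresses. The C program below is an added example, not TF-M code: it simulates on a host the in-place pattern that RW-T-1 warns against beside its copy-first counterpart, and a service whose output location is a separately checked vector rather than an address carried inside the payload. The buffers, the secret, the payload format and all function names are constructed for the example.

```c
/*
 * Added example, not TF-M source code. A host-side model of two rules for
 * RoT service input handling:
 *   1. copy NS input into SPE-owned memory before validating or using it
 *      (TFM-GENERIC-SECURE-SERVICE-RW-T-1);
 *   2. never treat bytes inside a request payload as addresses; write only
 *      to vectors the SPM memory check accepted (RW-T-2 and RW-I-1).
 * Buffers, secret, payload format, service logic and names are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_MAX 32

/* Constructed memory layout: one NSPE-owned buffer, one SPE-owned secret. */
uint8_t ns_buffer[128];
uint8_t secure_key[8] = { 0xA5, 0x5A, 0x3C, 0xC3, 0x0F, 0xF0, 0x96, 0x69 };

/* Stand-in for the SPM memory access check: [p, p + len) must lie wholly
 * inside ns_buffer. Computed on integers so a foreign pointer is never
 * compared as a pointer or dereferenced. */
bool in_ns_memory(const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)ns_buffer;
    return a >= lo && a - lo <= sizeof ns_buffer &&
           len <= sizeof ns_buffer - (a - lo);
}

/* Payload: version byte 0x01 followed by 1..MSG_MAX data bytes. The
 * service returns the XOR of the data bytes as a one-byte tag. */
static bool payload_valid(const uint8_t *p, size_t len)
{
    return len >= 2 && len <= MSG_MAX + 1 && p[0] == 0x01;
}

static uint8_t payload_tag(const uint8_t *p, size_t len)
{
    uint8_t tag = 0;
    for (size_t i = 1; i < len; i++) tag ^= p[i];
    return tag;
}

/* Models NS code (other core, or an NS interrupt) that runs between the
 * service's validation step and its processing step; NULL = no interference. */
typedef void (*ns_hook_t)(void);

/* The pattern RW-T-1 warns against: validate and process in NS memory.
 * Returns the tag, or -1 if the request is invalid. */
int service_in_place(const uint8_t *ns_in, size_t len, ns_hook_t ns_runs)
{
    if (!in_ns_memory(ns_in, len) || !payload_valid(ns_in, len)) return -1;
    if (ns_runs) ns_runs();           /* NSPE may rewrite ns_in right here */
    return payload_tag(ns_in, len);   /* uses data that was never re-checked */
}

/* Hardened: snapshot into an SPE-owned buffer, then validate and process
 * the copy. NS memory is read exactly once, so later tampering cannot reach it. */
int service_copy_first(const uint8_t *ns_in, size_t len, ns_hook_t ns_runs)
{
    uint8_t spe_copy[MSG_MAX + 1];

    if (len > sizeof spe_copy || !in_ns_memory(ns_in, len)) return -1;
    memcpy(spe_copy, ns_in, len);
    if (!payload_valid(spe_copy, len)) return -1;
    if (ns_runs) ns_runs();
    return payload_tag(spe_copy, len);
}

/* RW-T-2 / RW-I-1: the output is its own vector, checked like any other, and
 * nothing inside the payload is ever used as an address. A design that
 * carried the destination inside the payload would write wherever NSPE
 * pointed, including at secure_key. Returns 0 on success, -1 on rejection. */
int service_separate_vec(const uint8_t *ns_in, size_t len,
                         uint8_t *ns_out, size_t out_len)
{
    uint8_t spe_copy[MSG_MAX + 1];

    if (len > sizeof spe_copy || !in_ns_memory(ns_in, len)) return -1;
    if (out_len < 1 || !in_ns_memory(ns_out, out_len)) return -1;
    memcpy(spe_copy, ns_in, len);
    if (!payload_valid(spe_copy, len)) return -1;
    ns_out[0] = payload_tag(spe_copy, len);
    return 0;
}

/* Constructed request placed in NS memory: version 0x01 plus four data
 * bytes, whose tag is 0x10 ^ 0x20 ^ 0x30 ^ 0x40 = 0x40. Returns its length. */
size_t build_request(void)
{
    static const uint8_t req[] = { 0x01, 0x10, 0x20, 0x30,  0x40 };
    memcpy(ns_buffer, req, sizeof req);
    return sizeof req;
}

/* Constructed interference: NS code flips the last data byte of the request. */
void tamper_last_byte(void)
{
    ns_buffer[4] ^= 0xFF;
}
```

The ``ns_hook_t`` argument stands in for NS code that runs between the service's check and its use of the data (another core, or an NS interrupt on a single core). With ``service_in_place`` the tag changes when the hook rewrites the NS buffer; with ``service_copy_first`` it does not, because NS memory was read exactly once. The output vector check in ``service_separate_vec`` is what stops an NS-chosen address such as ``secure_key`` from being written.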
TF-M returns secure service result
----------------------------------

This section identifies threats on ``DF4`` defined in `Data Flow Diagram`_.

When a RoT service completes the request from NSPE, TF-M returns a success or
failure code to the NS application.

In Armv8-M TrustZone scenarios, TF-M writes the return code value in a general
purpose register and returns to Non-secure state.

On dual-cpu platforms, TF-M writes the return code to the NS mailbox message
queue via the mailbox.

.. table:: TFM-GENERIC-RETURN-CODE-I-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-RETURN-CODE-I-1**                            |
   +---------------+------------------------------------------------------------+
   | Description   | SPE may leave secure data in the registers not banked      |
   |               | after the SPE completes PSA Client calls and executes      |
   |               | ``BXNS`` to switch Armv8-M back to Non-secure state.       |
   +---------------+------------------------------------------------------------+
   | Justification | If SPE doesn't clean up the secure data in registers not   |
   |               | banked before switching into NSPE on an Armv8-M core, NSPE |
   |               | can read the SPE context from those registers.             |
   +---------------+------------------------------------------------------------+
   | Category      | Information disclosure                                     |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: In Armv8-M TrustZone scenarios, TF-M       |
   |               | cleans general purpose registers not banked before         |
   |               | switching into NSPE to prevent NSPE probing secure context |
   |               | from the registers.                                        |
   |               |                                                            |
   |               | When FPU is enabled in TF-M, secure FP context belonging   |
   |               | to a secure partition will be saved on this partition's    |
   |               | stack and cleaned by hardware during context switching.    |
   |               | TF-M also cleans secure FP context in FP registers before  |
   |               | switching into NSPE to prevent NSPE from probing secure FP |
   |               | context.                                                   |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 4.3 (Medium)                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

NS interrupts preempt SPE execution
-----------------------------------

This section identifies threats on ``DF5`` defined in `Data Flow Diagram`_.

.. table:: TFM-GENERIC-NS-INTERRUPT-I-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-NS-INTERRUPT-I-1**                           |
   +---------------+------------------------------------------------------------+
   | Description   | Shared registers may contain secure data when NS           |
   |               | interrupts occur.                                          |
   +---------------+------------------------------------------------------------+
   | Justification | The secure data in shared registers should be cleaned up   |
   |               | before NSPE can access shared registers. Otherwise, secure |
   |               | data leakage may occur.                                    |
   +---------------+------------------------------------------------------------+
   | Category      | Information disclosure                                     |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: On Armv8-M processors with TrustZone,      |
   |               | Armv8-M architecture automatically cleans up the registers |
   |               | not banked before switching to Non-secure state when       |
   |               | taking NS interrupts.                                      |
   |               |                                                            |
   |               | When FPU is enabled in TF-M and FPCCR_S.TS = 1 is set, the |
   |               | FP context in the FP callee registers, besides the secure  |
   |               | FP context in the FP caller registers, is also cleaned by  |
   |               | hardware automatically when NS interrupts occur, to        |
   |               | prevent NSPE from probing secure FP context in FP          |
   |               | registers. Refer to the Armv8-M Architecture Reference     |
   |               | Manual [Arm-ARM]_ for details.                             |
   |               |                                                            |
   |               | **Transferred**: On dual-cpu platforms, shared registers   |
   |               | are implementation defined, such as Inter-Processor        |
   |               | Communication registers. Dual-cpu platforms must not store |
   |               | any data which may disclose secure information in the      |
   |               | shared registers.                                          |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 4.3 (Medium)                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-NS-INTERRUPT-D-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-NS-INTERRUPT-D-1**                           |
   +---------------+------------------------------------------------------------+
   | Description   | An attacker may trigger spurious NS interrupts frequently  |
   |               | to block SPE execution.                                    |
   +---------------+------------------------------------------------------------+
   | Justification | On Armv8-M processors with TrustZone, an attacker may      |
   |               | inject a malicious NS application or hijack NS hardware    |
   |               | to frequently trigger spurious NS interrupts to keep       |
   |               | preempting SPE and block SPE from performing normal secure |
   |               | execution.                                                 |
   +---------------+------------------------------------------------------------+
   | Category      | Denial of service                                          |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Out-of-scope**: Availability of the whole system is out  |
   |               | of scope of TF-M.                                          |
   |               |                                                            |
   |               | Assets protected by TF-M won't be leaked. TF-M won't be    |
   |               | directly impacted.                                         |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 4.0 (Medium)                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

Secure interrupts preempt NSPE execution
----------------------------------------

This section identifies threats on ``DF6`` defined in `Data Flow Diagram`_.

.. table:: TFM-GENERIC-S-INTERRUPT-I-1
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-S-INTERRUPT-I-1**                            |
   +---------------+------------------------------------------------------------+
   | Description   | Shared registers may contain secure data when Armv8-M core |
   |               | switches back to Non-secure state on Secure interrupt      |
   |               | return.                                                    |
   +---------------+------------------------------------------------------------+
   | Justification | Armv8-M architecture doesn't automatically clean up shared |
   |               | registers while returning to Non-secure state during       |
   |               | Secure interrupt return.                                   |
   |               |                                                            |
   |               | If SPE leaves critical data in the Armv8-M registers not   |
   |               | banked, NSPE can read secure context from those registers  |
   |               | and secure data leakage may occur.                         |
   +---------------+------------------------------------------------------------+
   | Category      | Information disclosure                                     |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M saves NSPE context in general purpose |
   |               | registers R4~R11 into secure stack during secure interrupt |
   |               | entry. After secure interrupt handling completes, TF-M     |
   |               | unstacks NSPE context from secure stack to overwrite       |
   |               | secure context in R4~R11 before secure interrupt return.   |
   |               |                                                            |
   |               | Armv8-M architecture will automatically unstack NSPE       |
   |               | context from non-secure stack to overwrite other registers |
   |               | not banked, such as R0~R3 and R12, during secure interrupt |
   |               | return, before NSPE software can access those registers.   |
   |               |                                                            |
   |               | When FPU is enabled in TF-M and FPCCR_S.TS = 1 and         |
   |               | FPCCR_S.CLRONRET = 1 are set, the FP context in the FP     |
   |               | callee registers, besides the secure FP context in the FP  |
   |               | caller registers, is also cleaned by hardware              |
   |               | automatically during Secure exception return, to prevent   |
   |               | NSPE from probing secure FP context in FP registers. Refer |
   |               | to the Armv8-M Architecture Reference Manual [Arm-ARM]_    |
   |               | for details.                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 4.3 (Medium)                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

Miscellaneous threats
---------------------

This section collects threats irrelevant to the valid TF-M data flows shown
above.

.. table:: TFM-GENERIC-STACK-SEAL
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-STACK-SEAL**                                 |
   +---------------+------------------------------------------------------------+
   | Description   | Armv8-M processor Secure software Stack Sealing            |
   |               | vulnerability.                                             |
   +---------------+------------------------------------------------------------+
   | Justification | On Armv8-M based processors with TrustZone, if Secure      |
   |               | software does not properly manage the Secure stacks when   |
   |               | the stacks are created, or when performing non-standard    |
   |               | transitioning between states or modes, for example,        |
   |               | creating a fake exception return stack frame to            |
   |               | de-privilege an interrupt, it is possible for Non-secure   |
   |               | world software to manipulate the Secure Stacks, and        |
   |               | potentially influence Secure control flow.                 |
   |               |                                                            |
   |               | Refer to [STACK-SEAL]_ for details.                        |
   +---------------+------------------------------------------------------------+
   | Category      | Elevation of privilege                                     |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M has implemented a common mitigation   |
   |               | against the stack seal vulnerability.                      |
   |               |                                                            |
   |               | Refer to [ADVISORY-TFMV-1]_ for details on analysis and    |
   |               | mitigation in TF-M.                                        |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 5.3 (Medium)                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: TFM-GENERIC-SVC-CALL-SP-FETCH
   :widths: 10 50

   +---------------+------------------------------------------------------------+
   | Index         | **TFM-GENERIC-SVC-CALL-SP-FETCH**                          |
   +---------------+------------------------------------------------------------+
   | Description   | Invoking Secure functions from handler mode may cause TF-M |
   |               | IPC model to behave unexpectedly.                          |
   +---------------+------------------------------------------------------------+
   | Justification | On Armv8-M based processors with TrustZone, if NSPE calls  |
   |               | a secure function via Secure Gateway (SG) from non-secure  |
   |               | Handler mode, TF-M selects secure process stack by mistake |
   |               | for SVC handling.                                          |
   |               | It will most likely trigger a crash in secure world or     |
   |               | reset the whole system, with a very low likelihood of      |
   |               | overwriting some memory contents.                          |
   +---------------+------------------------------------------------------------+
   | Category      | Denial of service/Tampering                                |
   +---------------+------------------------------------------------------------+
   | Mitigation    | **Controlled**: TF-M has enhanced its implementation to    |
   |               | mitigate this vulnerability.                               |
   |               |                                                            |
   |               | Refer to [ADVISORY-TFMV-2]_ for details on analysis and    |
   |               | mitigation in TF-M.                                        |
   +---------------+------------------------------------------------------------+
   | CVSS Score    | 4.5 (Medium)                                               |
   +---------------+------------------------------------------------------------+
   | CVSS Vector   | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L               |
   | String        |                                                            |
   +---------------+------------------------------------------------------------+

.. table:: VLLDM instruction security vulnerability
    :widths: 10 50

    +---------------+------------------------------------------------------------+
    | Index         | **TFM-GENERIC-FP-VLLDM**                                   |
    +---------------+------------------------------------------------------------+
    | Description   | Secure data in FP registers may be disclosed to NSPE when  |
    |               | VLLDM instruction is abandoned due to an exception mid-way.|
    +---------------+------------------------------------------------------------+
    | Justification | Refer to [VLLDM-Vulnerability]_ for details.               |
    +---------------+------------------------------------------------------------+
    | Category      | Tampering/Information disclosure                           |
    +---------------+------------------------------------------------------------+
    | Mitigation    | **Controlled**: In the current TF-M implementation, when   |
    |               | the FPU is enabled in SPE, TF-M configures NSACR so that   |
    |               | NSPE cannot access the FPU. Therefore secure data in FP    |
    |               | registers is protected from NSPE.                          |
    |               |                                                            |
    |               | Refer to [VLLDM-Vulnerability]_ for details on analysis    |
    |               | and mitigation.                                            |
    +---------------+------------------------------------------------------------+
    | CVSS Score    | 3.4 (Low)                                                  |
    +---------------+------------------------------------------------------------+
    | CVSS Vector   | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N               |
    | String        |                                                            |
    +---------------+------------------------------------------------------------+

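The NSACR-based mitigation in the table above, as an added example that is not TF-M's own code: it puts the weak NSACR setting (NSPE granted FPU access) beside the mitigating one (CP10/CP11 cleared), and adds an audit predicate over a CPACR/NSACR pair that encodes the invariant the table states, namely that SPE using the FPU implies NSPE is denied FPU access. Bit positions follow the Armv8-M layout of CPACR and NSACR; the function names, the ``SCB_NSACR`` macro and the Secure-only apply step are this example's own assumptions, and the register values in the audit are constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>

/* Armv8-M register layout (see the Armv8-M Architecture Reference Manual).
 * CPACR: CP10 at bits [21:20], CP11 at bits [23:22]; non-zero means the
 *        Secure side may use the FPU, i.e. secure data can land in FP registers.
 * NSACR: CP10 at bit 10, CP11 at bit 11; set means Non-secure code may use the
 *        FPU, which is what makes the VLLDM issue reachable from NSPE. */
#define CPACR_CP10_Pos   20U
#define CPACR_CP11_Pos   22U
#define CPACR_FPU_Mask   ((3U << CPACR_CP10_Pos) | (3U << CPACR_CP11_Pos))
#define NSACR_CP10_Pos   10U
#define NSACR_CP11_Pos   11U
#define NSACR_FPU_Mask   ((1U << NSACR_CP10_Pos) | (1U << NSACR_CP11_Pos))

/* Weak setting: NSPE granted FPU access (kept only as the "before" case). */
static inline uint32_t nsacr_grant_nspe_fpu(uint32_t nsacr)
{
    return nsacr | NSACR_FPU_Mask;
}

/* Mitigating setting: clear CP10/CP11 so NSPE cannot touch the FPU,
 * leaving any other coprocessor grants in NSACR untouched. */
static inline uint32_t nsacr_deny_nspe_fpu(uint32_t nsacr)
{
    return nsacr & ~NSACR_FPU_Mask;
}

/* Does the Secure side have the FPU enabled (so secure data may be in FP regs)? */
static inline bool cpacr_spe_fpu_enabled(uint32_t cpacr)
{
    return (cpacr & CPACR_FPU_Mask) != 0U;
}

/* Can Non-secure code use the FPU? Either bit set is enough to matter. */
static inline bool nsacr_nspe_fpu_enabled(uint32_t nsacr)
{
    return (nsacr & NSACR_FPU_Mask) != 0U;
}

/* Audit predicate for the mitigation stated in the table: if the Secure side
 * uses the FPU, NSPE must be denied FPU access. Intended to be run over a
 * register dump taken from a debugger or boot log (hypothetical helper). */
static inline bool vlldm_mitigation_holds(uint32_t cpacr, uint32_t nsacr)
{
    return !cpacr_spe_fpu_enabled(cpacr) || !nsacr_nspe_fpu_enabled(nsacr);
}

#if defined(__ARM_FEATURE_CMSE) && ((__ARM_FEATURE_CMSE & 2) != 0)
/* Secure-side only: SCB->NSACR is at 0xE000ED8C (SCB base 0xE000ED00 + 0x8C).
 * Compiled only when targeting Secure state on Armv8-M, so a host build of
 * this example never touches hardware. */
#define SCB_NSACR (*(volatile uint32_t *)0xE000ED8CUL)
static void spe_deny_nspe_fpu_access(void)
{
    SCB_NSACR = nsacr_deny_nspe_fpu(SCB_NSACR);
    __asm volatile ("dsb\n\tisb" ::: "memory");
}
#endif
```

The audit predicate is the part worth keeping around: a platform port that enables the FPU in SPE (``CPACR`` CP10/CP11 set) but leaves ``NSACR`` CP10/CP11 set has reopened the configuration in which the VLLDM issue is reachable, and that is a one-line check against the values read back from the target rather than against what the source intended to write.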
***************
Version control
***************

.. table:: Version control

    +---------+--------------------------------------------------+---------------+
    | Version | Description                                      | TF-M version  |
    +=========+==================================================+===============+
    | v0.1    | Initial draft                                    | TF-M v1.1     |
    +---------+--------------------------------------------------+---------------+
    | v1.0    | First version                                    | TF-M v1.2.0   |
    +---------+--------------------------------------------------+---------------+
    | v1.1    | Update version                                   | TF-M v1.5.0   |
    +---------+--------------------------------------------------+---------------+
    | v1.2    | Update details to align FP support in NSPE.      | TF-M v1.5.0   |
    +---------+--------------------------------------------------+---------------+
    | v1.3    | Update for validity of dual-cpu model Armv8-M    | TF-M v2.1.0   |
    +---------+--------------------------------------------------+---------------+
    | v1.4    | Clarify mitigation strategies of threats         | TF-M v2.2.0   |
    +---------+--------------------------------------------------+---------------+

**********
References
**********

.. [Security-Incident-Process] `Security Incident Handling Process <https://trusted-firmware-docs.readthedocs.io/en/latest/security_center/incident_handling_process.html>`_

.. [FF-M] `Arm® Platform Security Architecture Firmware Framework 1.0 <https://developer.arm.com/documentation/den0063/latest/>`_

.. [FF-M-1.1-Extensions] `Arm® Firmware Framework for M 1.1 Extensions <https://developer.arm.com/documentation/aes0039/latest/>`_

.. [DUAL-CPU-BOOT] :doc:`Booting a dual core system </design_docs/dual-cpu/booting_a_dual_core_system>`

.. [CVSS] `Common Vulnerability Scoring System Version 3.1 Calculator <https://www.first.org/cvss/calculator/3.1>`_

.. [CVSS_SPEC] `CVSS v3.1 Specification Document <https://www.first.org/cvss/v3.1/specification-document>`_

.. [STRIDE] `The STRIDE Threat Model <https://learn.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)>`_

.. [SECURE-BOOT] :doc:`Secure boot </design_docs/booting/tfm_secure_boot>`

.. [ROLLBACK-PROTECT] :doc:`Rollback protection in TF-M secure boot </design_docs/booting/secure_boot_rollback_protection>`

.. [Arm-ARM] `Armv8-M Architecture Reference Manual <https://developer.arm.com/documentation/ddi0553/latest>`_

.. [STACK-SEAL] `Armv8-M processor Secure software Stack Sealing vulnerability <https://developer.arm.com/support/arm-security-updates/armv8-m-stack-sealing>`_

.. [ADVISORY-TFMV-1] :doc:`Advisory TFMV-1 </security/security_advisories/stack_seal_vulnerability>`

.. [ADVISORY-TFMV-2] :doc:`Advisory TFMV-2 </security/security_advisories/svc_caller_sp_fetching_vulnerability>`

.. [VLLDM-Vulnerability] `VLLDM instruction Security Vulnerability <https://developer.arm.com/support/arm-security-updates/vlldm-instruction-security-vulnerability>`_

--------------------

*Copyright (c) 2020-2024 Arm Limited. All Rights Reserved.*