TF-A Supply Chain Threat Model
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Introduction
************

Software supply chain attacks aim to inject malicious code into a software
product. There are several ways malicious code can be injected into a
software product (open-source project). These include:

- Malicious code commits: This attack directly injects code into a project
  repository. This can happen for example through developer/maintainer
  credential hijacks, or malicious external contributors.

- Malicious dependencies: In this case malicious code is introduced into a
  project through other pieces of code or packages the project depends on. This
  can happen for example through a typosquatting attack, where an attacker
  creates a malicious package with a very similar name to a popular package and
  hosts it on popular package repositories.

- Malicious toolchains: This involves malicious code introduced by compromised
  resources used throughout the development and/or build process such as
  compilers and IDEs.

This document provides analysis of software supply chain attack threats for the
TF-A project.

TF-A Overview
*************

Figure 1 shows the different software components surrounding the TF-A project.
A brief description of each component is provided below.

TF-A Repository
===============

The TF-A repository contains generic and platform code contributed by TF-A
contributors as well as libraries imported from other open-source projects,
referred to as internal dependencies in Figure 1. These libraries include:

- *libfdt*: libfdt is a utility library for reading and manipulating Device
  Tree Binary (DTB) files. It is part of the Device Tree Compiler (DTC)
  toolchain [1]_. DTC is used as part of the build process on the host machine
  to build DTB files. libfdt is used to parse the DTB files at boot time.

- *zlib*: zlib is a data compression library imported from [2]_.

- *compiler-rt*: This is a collection of runtime libraries from the LLVM
  compiler infrastructure project [3]_. We import the builtins library, which
  provides low-level, target-specific compiler builtins, from compiler-rt.

The TF-A repository also includes source code for host tools that supplement
the TF-A build process. These tools include:

- *fiptool*: This tool is used to create a Firmware Image Package (FIP) which
  allows for packing bootloader images into a single archive that can be
  loaded by TF-A from non-volatile platform storage.

- *cert_create*: This tool is used to generate certificates for binary images.

- *encrypt_fw*: This tool takes the plain firmware image as input and generates
  the encrypted firmware image, which can then be passed as input to the fiptool
  utility for creating the FIP.

- *sptool*: This tool is used to build the secure partition packages.

|TF-A System Diagram|
*Figure 1: TF-A System Diagram*

External Dependencies
=====================

These are software components that are not part of the TF-A repository but are
required to build TF-A binaries and host tools.

- *Mbed TLS Library*: This is a cryptography library from trustedfirmware.org
  (tf.org). It is required to build TF-A binaries where cryptography features
  are needed, such as Trusted Board Boot (TBB).

- *OpenSSL Library*: This is another cryptography library used by TF-A host
  tools: fiptool, cert_create, and encrypt_fw.

The following table lists TF-A dependencies including the sources of the
dependencies.

.. table:: Table 1: TF-A Dependencies

   +-------------+------------------------+------------------------------------+
   | Dependency  | Location of Dependency | Original Source                    |
   +=============+========================+====================================+
   | libfdt      | Local copy             | [1]_                               |
   +-------------+------------------------+------------------------------------+
   | zlib        | Local copy             | [2]_                               |
   +-------------+------------------------+------------------------------------+
   | compiler-rt | Local copy             | [3]_                               |
   +-------------+------------------------+------------------------------------+
   | Mbed TLS    | External               | [4]_                               |
   +-------------+------------------------+------------------------------------+
   | OpenSSL     | External               | [5]_                               |
   +-------------+------------------------+------------------------------------+

Supplementary Binaries
======================

These are binaries used to test TF-A based systems. Below is a brief
description of each component and where they are sourced from.

- *SCP-firmware*: For our tests, we use SCP-firmware binaries supplied by the
  Arm SCP team built from the source from the GitHub repository [6]_.

- *OP-TEE*: Trusted Execution Environment (TEE) from tf.org that runs at
  Secure EL1. We use OP-TEE built from source or binaries supplied with Arm
  Reference Platforms depending on the test configuration.

- *EDK2 UEFI*: Normal world bootloader from the EDK2 project [7]_. We use EDK2
  UEFI binaries hosted on tf.org servers for testing [8]_.

Other software components used to test TF-A include U-Boot, Linux kernel, RSE,
MCP, and file systems, all sourced from the Arm Reference Platforms teams.

TF-A Toolchain
==============

The TF-A project uses several tools to build, analyze and test the TF-A source
code.

Node.js Tools
-------------

These are optional quality assurance and developer utility tools that are
installed through the use of the Node.js package manager. They are pinned to
specific versions described by the package.json file in the root of the TF-A
repository, and their dependencies are downloaded from the internet at the
point of installation. These tools may be installed locally on the developer
machine and are installed within a Docker container in certain CI jobs. At
present, these are:

- Commitlint

- Commitizen

- Husky

Infrastructure
==============

TF-A uses trustedfirmware.org (tf.org) and Arm infrastructures to host the
source code, review code and run tests. Appendix A provides a security analysis
of tf.org infrastructure.
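The Node.js Tools section above relies on two properties: the tools are pinned to exact versions in package.json, and what gets installed from the internet is exactly what was pinned. The following Python script is an added example, not part of the TF-A project or of this threat model; it audits constructed sample package.json and package-lock.json contents (lockfile version 2/3 layout) for exact pins, https sources with strong integrity hashes, and agreement between the pinned and the locked version. Package names, versions and hashes in the samples are constructed, not TF-A's real files.

```python
"""Audit Node.js tool pins in a TF-A style package.json / package-lock.json.

Three properties an install-time supply chain check wants:
  1. every tool in package.json is pinned to one exact version,
  2. every package the lockfile will install has an https source and a
     strong integrity hash, and
  3. the locked version agrees with the package.json pin.
"""
import json
import re

# Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
# Anything else (^1.2.3, ~1.2.3, >=1, 1.x, *, latest, git URLs) is a range.
EXACT_VERSION = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
# Subresource-integrity style hash as npm records it; sha1 is rejected.
STRONG_INTEGRITY = re.compile(r"^sha(?:256|384|512)-[A-Za-z0-9+/]+={0,2}$")

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def find_unpinned(package_json):
    """Return [(section, name, spec)] for specs that are not exact versions."""
    found = []
    for section in DEP_SECTIONS:
        for name, spec in sorted(package_json.get(section, {}).items()):
            if not EXACT_VERSION.match(spec):
                found.append((section, name, spec))
    return found


def find_unverifiable(package_lock):
    """Return lockfile paths lacking an https 'resolved' URL or a strong hash.

    Assumes lockfileVersion 2 or 3, where installed packages live under the
    top-level "packages" map keyed by their node_modules path.
    """
    found = []
    for path, entry in sorted(package_lock.get("packages", {}).items()):
        if path == "" or entry.get("link"):   # root project / workspace link
            continue
        ok_source = str(entry.get("resolved", "")).startswith("https://")
        ok_hash = bool(STRONG_INTEGRITY.match(str(entry.get("integrity", ""))))
        if not (ok_source and ok_hash):
            found.append(path)
    return found


def find_drift(package_json, package_lock):
    """Return [(name, pinned, locked)] where the lockfile disagrees with a pin."""
    packages = package_lock.get("packages", {})
    found = []
    for section in DEP_SECTIONS:
        for name, spec in sorted(package_json.get(section, {}).items()):
            locked = packages.get("node_modules/" + name, {}).get("version")
            if EXACT_VERSION.match(spec) and locked != spec:
                found.append((name, spec, locked))
    return found


def audit(package_json_text, package_lock_text):
    """Parse both files and return a dict of findings; empty lists mean clean."""
    pj = json.loads(package_json_text)
    pl = json.loads(package_lock_text)
    return {
        "unpinned": find_unpinned(pj),
        "unverifiable": find_unverifiable(pl),
        "drift": find_drift(pj, pl),
    }


# Constructed sample input (not TF-A's real files): one tool pinned correctly,
# one declared as a caret range, one whose lock entry is stale, served over
# plain http and recorded with only a sha1 hash.
SAMPLE_PACKAGE_JSON = """{
  "devDependencies": {
    "@commitlint/cli": "17.0.0",
    "commitizen": "^4.3.0",
    "husky": "8.0.0"
  }
}"""

SAMPLE_PACKAGE_LOCK = """{
  "lockfileVersion": 3,
  "packages": {
    "": { "devDependencies": { "husky": "8.0.0" } },
    "node_modules/@commitlint/cli": {
      "version": "17.0.0",
      "resolved": "https://registry.npmjs.org/@commitlint/cli/-/cli-17.0.0.tgz",
      "integrity": "sha512-Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g="
    },
    "node_modules/commitizen": {
      "version": "4.3.0",
      "resolved": "https://registry.npmjs.org/commitizen/-/commitizen-4.3.0.tgz",
      "integrity": "sha512-Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g="
    },
    "node_modules/husky": {
      "version": "7.0.4",
      "resolved": "http://registry.npmjs.org/husky/-/husky-7.0.4.tgz",
      "integrity": "sha1-Y29uc3RydWN0ZWQ="
    }
  }
}"""

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK).items():
        print(kind, items or "clean")
```

Run against a real checkout by reading the two files from the repository root in place of the sample strings; any non-empty list is a finding to resolve before the tools are installed in CI.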
150b908814cSlaurenw-arm 151b908814cSlaurenw-armTF-A Data Flow 152b908814cSlaurenw-arm************** 153b908814cSlaurenw-arm 154b908814cSlaurenw-armFigure 2 below shows the data flow diagram for TF-A. The broken red lines 155b908814cSlaurenw-armindicate trust boundaries. 156b908814cSlaurenw-arm 157b908814cSlaurenw-arm|TF-A Data Flow Diagram| 158b908814cSlaurenw-arm*Figure 2: TF-A Data Flow Diagram* 159b908814cSlaurenw-arm 160b908814cSlaurenw-armAttack Tree 161b908814cSlaurenw-arm*********** 162b908814cSlaurenw-arm 163b908814cSlaurenw-arm|TF-A Attack Tree| 164b908814cSlaurenw-arm*Figure 3: TF-A Attack Tree* 165b908814cSlaurenw-arm 166b908814cSlaurenw-armThreat Assessment and Mitigations 167b908814cSlaurenw-arm********************************* 168b908814cSlaurenw-arm 169b908814cSlaurenw-armImpact and Likelihood Ratings 170b908814cSlaurenw-arm============================= 171b908814cSlaurenw-arm 172b908814cSlaurenw-arm +--------+------------------------------+-----------------------------------+ 173b908814cSlaurenw-arm | Rating | Impact | Likelihood | 174b908814cSlaurenw-arm +========+==============================+===================================+ 175b908814cSlaurenw-arm | HIGH | Major impact to entire | Threat is relatively easy to | 176b908814cSlaurenw-arm | | organization or single line | exploit by an attacker with | 177b908814cSlaurenw-arm | | of business if exploited. | little effort and skill. | 178b908814cSlaurenw-arm +--------+------------------------------+-----------------------------------+ 179b908814cSlaurenw-arm | MEDIUM | Noticeable impact to line of | An expert attacker could exploit | 180b908814cSlaurenw-arm | | business if exploited. | the threat without much | 181b908814cSlaurenw-arm | | | difficulty. 
| 182b908814cSlaurenw-arm +--------+------------------------------+-----------------------------------+ 183b908814cSlaurenw-arm | LOW | Minor damage if exploited or | Exploiting the threat would | 184b908814cSlaurenw-arm | | could be used in conjunction | require considerable effort and | 185b908814cSlaurenw-arm | | with other vulnerabilities | resources. | 186b908814cSlaurenw-arm | | to perform a more serious | | 187b908814cSlaurenw-arm | | attack. | | 188b908814cSlaurenw-arm +--------+------------------------------+-----------------------------------+ 189b908814cSlaurenw-arm 190b908814cSlaurenw-armThreats and Mitigations 191b908814cSlaurenw-arm======================= 192b908814cSlaurenw-arm 193b908814cSlaurenw-armThreat naming convention key 194b908814cSlaurenw-arm 195b908814cSlaurenw-arm- SC – Supply Chain 196b908814cSlaurenw-arm 197b908814cSlaurenw-arm- SRC – Source 198b908814cSlaurenw-arm 199b908814cSlaurenw-arm- DEP – Dependency 200b908814cSlaurenw-arm 201b908814cSlaurenw-arm- TOOL – Toolchain 202b908814cSlaurenw-arm 203b908814cSlaurenw-arm- REPO – Repository 204b908814cSlaurenw-arm 205b908814cSlaurenw-arm- MAIN – Maintainer 206b908814cSlaurenw-arm 207b908814cSlaurenw-arm- CONT – Contributor 208b908814cSlaurenw-arm 209b908814cSlaurenw-arm +---------------------------------------------------------------------------+ 210b908814cSlaurenw-arm | Threat: TFA-SC-SRC-MAIN-01 | 211b908814cSlaurenw-arm +=============+=============================================================+ 212b908814cSlaurenw-arm | Description | An attacker can submit and merge malicious code by posing | 213b908814cSlaurenw-arm | | as a maintainer after compromising maintainers’ | 214b908814cSlaurenw-arm | | credentials. 
| 215b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 216b908814cSlaurenw-arm | Impact | HIGH | 217b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 218b908814cSlaurenw-arm | Likelihood | MEDIUM | 219b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 220b908814cSlaurenw-arm | Threat and | | In the TF-A code review process all submitted changes | 221b908814cSlaurenw-arm | impact | undergo review by a code owner and a maintainer. If the | 222b908814cSlaurenw-arm | | change is accepted, it will be merged (integrated) into | 223b908814cSlaurenw-arm | | an integration branch by a maintainer. A maintainer has | 224b908814cSlaurenw-arm | | the right to give a code owner review, a maintainer | 225b908814cSlaurenw-arm | | review and merge the submitted change. | 226b908814cSlaurenw-arm | | | 227b908814cSlaurenw-arm | | | tf.org users (including maintainers) are authenticated | 228b908814cSlaurenw-arm | | through GitHub. The likelihood of a credential compromise | 229b908814cSlaurenw-arm | | depends on multiple factors. The authentication mechanism | 230b908814cSlaurenw-arm | | of GitHub is strong if the recommended best practices are | 231b908814cSlaurenw-arm | | followed [9]_ making credential compromise unlikely. | 232b908814cSlaurenw-arm | | GitHub (therefore tf.org) allows logins with two-factor | 233b908814cSlaurenw-arm | | authentication, requiring both a password and access to | 234b908814cSlaurenw-arm | | the user's authentication code. Depending on the strength | 235b908814cSlaurenw-arm | | of the password and factors such as whether the | 236b908814cSlaurenw-arm | | maintainer reuses passwords across services, the | 237b908814cSlaurenw-arm | | likelihood of a compromise can be higher. 
| 238b908814cSlaurenw-arm | | | 239b908814cSlaurenw-arm | | | If an attacker manages to compromise a maintainer’s | 240b908814cSlaurenw-arm | | credentials, posing as the maintainer, they can in theory | 241b908814cSlaurenw-arm | | submit a malicious change (as a maintainer or as a | 242b908814cSlaurenw-arm | | contributor), give all the necessary reviews and merge | 243b908814cSlaurenw-arm | | the change. | 244b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 245b908814cSlaurenw-arm | Mitigations | | - Enforce best practices recommended by GitHub [9]_ | 246b908814cSlaurenw-arm | | | 247b908814cSlaurenw-arm | | | - Not allowing a committer to both self-review and merge | 248b908814cSlaurenw-arm | | patches they have submitted. To achieve the commit the | 249b908814cSlaurenw-arm | | attacker would be required to compromise at least two | 250b908814cSlaurenw-arm | | credentials (reviewers and maintainer). | 251b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 252b908814cSlaurenw-arm | Mitigations | We have not disallowed self-review/merge of patches | 253b908814cSlaurenw-arm | implemented?| | 254b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 255b908814cSlaurenw-arm 256b908814cSlaurenw-arm +---------------------------------------------------------------------------+ 257b908814cSlaurenw-arm | Threat: TFA-SC-SRC-MAIN-02 | 258b908814cSlaurenw-arm +=============+=============================================================+ 259b908814cSlaurenw-arm | Description | An attacker can submit and merge malicious code after | 260b908814cSlaurenw-arm | | becoming a maintainer through social engineering | 261b908814cSlaurenw-arm | | techniques. 
| 262b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 263b908814cSlaurenw-arm | Impact | HIGH | 264b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 265b908814cSlaurenw-arm | Likelihood | LOW | 266b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 267b908814cSlaurenw-arm | Threat and | | According to the TF project maintenance process [10]_, | 268b908814cSlaurenw-arm | impact | maintainers of TF-A are selected by their peers based on | 269b908814cSlaurenw-arm | | merit. Some of the criteria of becoming a maintainer | 270b908814cSlaurenw-arm | | include being an active member of the project for a | 271b908814cSlaurenw-arm | | minimum duration and contributing a substantial number of | 272b908814cSlaurenw-arm | | non-trivial and high-quality patches. However, there are | 273b908814cSlaurenw-arm | | some weaknesses in the process: | 274b908814cSlaurenw-arm | | | 275b908814cSlaurenw-arm | | | - There is no structured mechanism to establish trust | 276b908814cSlaurenw-arm | | with a maintainer other than the recommendations by | 277b908814cSlaurenw-arm | | peers | 278b908814cSlaurenw-arm | | | - There is no continuous monitoring of the status of a | 279b908814cSlaurenw-arm | | maintainer (e.g. maintainer can move from one | 280b908814cSlaurenw-arm | | organization to another) | 281b908814cSlaurenw-arm | | | 282b908814cSlaurenw-arm | | | To perform such an attack, in addition to becoming a | 283b908814cSlaurenw-arm | | maintainer, an attacker also must deal with all | 284b908814cSlaurenw-arm | | restrictions put on maintainers. 
| 285b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 286b908814cSlaurenw-arm | Mitigations | | - Structured mechanism to establish trust with | 287b908814cSlaurenw-arm | | maintainers | 288b908814cSlaurenw-arm | | | 289b908814cSlaurenw-arm | | | - Not allowing a committer to both self-review and merge | 290b908814cSlaurenw-arm | | patches they have submitted. To achieve the commit the | 291b908814cSlaurenw-arm | | attacker would be required to compromise at least two | 292b908814cSlaurenw-arm | | credentials (reviewers and maintainer). | 293b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 294b908814cSlaurenw-arm | Mitigations | There is a structured mechanism to establish trust with | 295b908814cSlaurenw-arm | implemented?| maintainers, but self-review/merge of patches is not | 296b908814cSlaurenw-arm | | disallowed | 297b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 298b908814cSlaurenw-arm 299b908814cSlaurenw-arm +---------------------------------------------------------------------------+ 300b908814cSlaurenw-arm | Threat: TFA-SC-SRC-CONT-01 | 301b908814cSlaurenw-arm +=============+=============================================================+ 302b908814cSlaurenw-arm | Description | An attacker can submit malicious code patch as a | 303b908814cSlaurenw-arm | | contributor. | 304b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 305b908814cSlaurenw-arm | Impact | HIGH | 306b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 307b908814cSlaurenw-arm | Likelihood | LOW | 308b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 309b908814cSlaurenw-arm | Threat and | | TF-A accepts external contributions to both the generic | 310b908814cSlaurenw-arm | impact | and platform code. 
Unlike maintainers, contributors do | 311b908814cSlaurenw-arm | | not have maintainer review or merging privileges, | 312b908814cSlaurenw-arm | | therefore the likelihood of injecting malicious code as a | 313b908814cSlaurenw-arm | | contributor is lower. However, even though unlikely, it | 314b908814cSlaurenw-arm | | is still possible for a malicious commit to go unnoticed | 315b908814cSlaurenw-arm | | through the code review and verification processes. | 316b908814cSlaurenw-arm | | | 317b908814cSlaurenw-arm | | | If successful, the impact can range from low to high | 318b908814cSlaurenw-arm | | depending on the injected code. For example, an attacker | 319b908814cSlaurenw-arm | | can potentially deliberately insert a memory corruption | 320b908814cSlaurenw-arm | | vulnerability that is hard to notice on code review and | 321b908814cSlaurenw-arm | | will not be detected by the verification process. This | 322b908814cSlaurenw-arm | | vulnerability by itself may have a low impact but can | 323b908814cSlaurenw-arm | | have a major impact if used in combination with other | 324b908814cSlaurenw-arm | | vulnerabilities. 
| 325b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 326b908814cSlaurenw-arm | Proposed | - Code review and verification | 327b908814cSlaurenw-arm | Mitigations | - Static analysis to try to pick up issues that typically | 328b908814cSlaurenw-arm | | end in some form of attack vector | 329b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 330b908814cSlaurenw-arm | Mitigations | Yes, contributions go through the thorough review, | 331b908814cSlaurenw-arm | implemented?| verification, and static analysis process automated through | 332b908814cSlaurenw-arm | | CI | 333b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 334b908814cSlaurenw-arm 335b908814cSlaurenw-arm +---------------------------------------------------------------------------+ 336b908814cSlaurenw-arm | Threat: TFA-SC-DEP-01 | 337b908814cSlaurenw-arm +=============+=============================================================+ 338b908814cSlaurenw-arm | Description | An attacker can inject malicious code into TF-A internal | 339b908814cSlaurenw-arm | | dependencies. 
| 340b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 341b908814cSlaurenw-arm | Impact | HIGH | 342b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 343b908814cSlaurenw-arm | Likelihood | LOW | 344b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 345b908814cSlaurenw-arm | Threat and | | TF-A has two types of dependencies: those that are copied | 346b908814cSlaurenw-arm | impact | into the TF-A repository and shipped as part of TF-A code | 347b908814cSlaurenw-arm | | (referred to as *internal dependencies* here) and those | 348b908814cSlaurenw-arm | | that are downloaded from external repositories and used | 349b908814cSlaurenw-arm | | when building TF-A (referred to as | 350b908814cSlaurenw-arm | | *external dependencies* here). | 351b908814cSlaurenw-arm | | | 352b908814cSlaurenw-arm | | | Currently TF-A has three internal dependencies: *libfdt* | 353b908814cSlaurenw-arm | | [1]_, *zlib* [2]_ and *compiler-rt* [3]_ libraries. These | 354b908814cSlaurenw-arm | | libraries are periodically updated by copying them from | 355b908814cSlaurenw-arm | | their source repositories. Although unlikely, it is | 356b908814cSlaurenw-arm | | possible for a contributor to copy the libraries from the | 357b908814cSlaurenw-arm | | wrong (and potentially malicious) repositories. For | 358b908814cSlaurenw-arm | | example, there are already multiple forks of *libfdt* | 359b908814cSlaurenw-arm | | (DTC) on GitHub. In addition to this, the official | 360b908814cSlaurenw-arm | | repositories are not immune to threats described above | 361b908814cSlaurenw-arm | | (TFA-SC-SRC-MAIN-01, TFA-SC-SRC-MAIN-02 and | 362b908814cSlaurenw-arm | | TFA-SC-SRC-CONT-01). 
| 363b908814cSlaurenw-arm | | | 364b908814cSlaurenw-arm | | | The likelihood of an attack on TF-A through internal | 365b908814cSlaurenw-arm | | dependencies is lower than external dependencies for the | 366b908814cSlaurenw-arm | | following reasons: | 367b908814cSlaurenw-arm | | | 368b908814cSlaurenw-arm | | | - Internal dependencies go through the normal code review | 369b908814cSlaurenw-arm | | process during upgrade | 370b908814cSlaurenw-arm | | | - Once upgraded internal dependencies stay unchanged | 371b908814cSlaurenw-arm | | until the next upgrade. The upgrade window is typically | 372b908814cSlaurenw-arm | | long (for example *libfdt* has only changed 4 times | 373b908814cSlaurenw-arm | | over the past 4 years). This reduces the window of | 374b908814cSlaurenw-arm | | opportunity for an attacker to inject malicious code | 375b908814cSlaurenw-arm | | into the dependencies | 376b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 377b908814cSlaurenw-arm | Proposed | - Explicitly document versions and official sources of | 378b908814cSlaurenw-arm | Mitigations | dependencies | 379b908814cSlaurenw-arm | | - Keep a copy of a pinned version of the source code inside | 380b908814cSlaurenw-arm | | the TF-A tree so that the risk of getting malicious code | 381b908814cSlaurenw-arm | | from dependencies only arises when we upgrade them | 382b908814cSlaurenw-arm | | - Monitor alerts for vulnerable dependencies from GitHub | 383b908814cSlaurenw-arm | | [11]_ | 384b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 385b908814cSlaurenw-arm | Mitigations | Yes, we explicitly document versions and official sources | 386b908814cSlaurenw-arm | implemented?| of dependencies, keep a copy of pinned versions of the | 387b908814cSlaurenw-arm | | source code, and monitor alerts for vulnerable dependencies | 388b908814cSlaurenw-arm | | for Python and Node.js, but we aren't able to do this 
for C | 389b908814cSlaurenw-arm | | dependencies | 390b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 391b908814cSlaurenw-arm 392b908814cSlaurenw-arm +---------------------------------------------------------------------------+ 393b908814cSlaurenw-arm | Threat: TFA-SC-DEP-02 | 394b908814cSlaurenw-arm +=============+=============================================================+ 395b908814cSlaurenw-arm | Description | An attacker can inject malicious code into TF-A external | 396b908814cSlaurenw-arm | | dependencies. | 397b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 398b908814cSlaurenw-arm | Impact | HIGH | 399b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 400b908814cSlaurenw-arm | Likelihood | MEDIUM | 401b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 402b908814cSlaurenw-arm | Threat and | | Unlike internal dependencies, external dependencies are | 403b908814cSlaurenw-arm | impact | downloaded from external repositories by end-users. | 404b908814cSlaurenw-arm | | Although the TF-A documentation provides information | 405b908814cSlaurenw-arm | | about the versions of dependencies used for testing and | 406b908814cSlaurenw-arm | | links to repositories, it is up to the end-user to decide | 407b908814cSlaurenw-arm | | where to get the dependencies from. As such, the | 408b908814cSlaurenw-arm | | likelihood of an attack through an external dependency is | 409b908814cSlaurenw-arm | | higher compared to an internal dependency. | 410b908814cSlaurenw-arm | | | 411b908814cSlaurenw-arm | | | The impact of an attack ranges from low to critical | 412b908814cSlaurenw-arm | | depending on which dependency and what part of the | 413b908814cSlaurenw-arm | | dependency is affected. 
For example, a malicious code | 414b908814cSlaurenw-arm | | that affects the signature verification functions in | 415b908814cSlaurenw-arm | | MbedTLS is considered critical as it can be used to | 416b908814cSlaurenw-arm | | bypass the TBB process of TF-A. | 417b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 418b908814cSlaurenw-arm | Proposed | - Explicitly document versions and official sources of | 419b908814cSlaurenw-arm | Mitigations | dependencies | 420b908814cSlaurenw-arm | | - Provide scripts and build options to automatically fetch | 421b908814cSlaurenw-arm | | the latest stable release of external dependencies | 422b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 423b908814cSlaurenw-arm | Mitigations | We explicitly document versions and official sources of | 424b908814cSlaurenw-arm | implemented?| dependencies, but do not yet provide scripts and build | 425b908814cSlaurenw-arm | | options to automatically fetch the latest stable release of | 426b908814cSlaurenw-arm | | external dependencies | 427b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 428b908814cSlaurenw-arm 429b908814cSlaurenw-arm +---------------------------------------------------------------------------+ 430b908814cSlaurenw-arm | Threat: TFA-SC-REPO-01 | 431b908814cSlaurenw-arm +=============+=============================================================+ 432b908814cSlaurenw-arm | Description | An attacker can upload malicious versions of TF-A by | 433b908814cSlaurenw-arm | | compromising credentials of administrator accounts on | 434b908814cSlaurenw-arm | | tf.org or GitHub. 
| 435b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 436b908814cSlaurenw-arm | Impact | HIGH | 437b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 438b908814cSlaurenw-arm | Likelihood | LOW | 439b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 440b908814cSlaurenw-arm | Threat and | | This attack is like TFA-SC-SRC-MAIN-01, but the | 441b908814cSlaurenw-arm | impact | likelihood and impact of the two attacks are different. | 442b908814cSlaurenw-arm | | | 443b908814cSlaurenw-arm | | | The likelihood of compromising administrator credentials | 444b908814cSlaurenw-arm | | is lower than that of a maintainer’s (assuming both use | 445b908814cSlaurenw-arm | | authentication methods of similar strength) as there are | 446b908814cSlaurenw-arm | | smaller number of administrators than maintainers. On the | 447b908814cSlaurenw-arm | | other hand, the impact is higher since an administrator | 448b908814cSlaurenw-arm | | has more privileges than a maintainer: | 449b908814cSlaurenw-arm | | | 450b908814cSlaurenw-arm | | | - An administrator can upload a malicious TF-A | 451b908814cSlaurenw-arm | | contribution unnoticed by other reviewers | 452b908814cSlaurenw-arm | | - An administrator can potentially rewrite the history of | 453b908814cSlaurenw-arm | | the repository to evade detection | 454b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 455b908814cSlaurenw-arm | Proposed | Strong authentication (Follow best practices recommended by | 456b908814cSlaurenw-arm | Mitigations | GitHub [9]_) | 457b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 458b908814cSlaurenw-arm | Mitigations | Yes, strong authentication is implemented through | 459b908814cSlaurenw-arm | implemented?| recommended best practices | 460b908814cSlaurenw-arm 
+-------------+-------------------------------------------------------------+ 461b908814cSlaurenw-arm 462b908814cSlaurenw-arm +---------------------------------------------------------------------------+ 463b908814cSlaurenw-arm | Threat: TFA-SC-REPO-02 | 464b908814cSlaurenw-arm +=============+=============================================================+ 465b908814cSlaurenw-arm | Description | An attacker can upload malicious versions of TF-A after | 466b908814cSlaurenw-arm | | getting write access to the repository by exploiting a | 467b908814cSlaurenw-arm | | vulnerability on tf.org or GitHub. | 468b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 469b908814cSlaurenw-arm | Impact | HIGH | 470b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 471b908814cSlaurenw-arm | Likelihood | LOW | 472b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 473b908814cSlaurenw-arm | Threat and | | There are no reports of someone exploiting a | 474b908814cSlaurenw-arm | impact | vulnerability on GitHub or tf.org to upload malicious | 475b908814cSlaurenw-arm | | contributions. However, there are examples of | 476b908814cSlaurenw-arm | | vulnerabilities that allowed arbitrary code execution on | 477b908814cSlaurenw-arm | | popular hosting services [12]_. Such vulnerabilities can | 478b908814cSlaurenw-arm | | potentially be used to upload malicious packages. In | 479b908814cSlaurenw-arm | | addition to being hard to exploit, vulnerabilities on | 480b908814cSlaurenw-arm | | popular hosting sites such as GitHub are typically | 481b908814cSlaurenw-arm | | detected quickly, making the window of opportunity for | 482b908814cSlaurenw-arm | | such attack small. 
+-------------+-------------------------------------------------------------+
| Proposed    | - Monitor alerts of any vulnerabilities that might affect   |
| Mitigations |   TF-A repository                                           |
|             | - Ensure tf.org is up to date with latest security patches  |
+-------------+-------------------------------------------------------------+
| Mitigations | Yes, alerts of vulnerabilities are monitored and tf.org is  |
| implemented?| ensured to be up to date with the latest security patches   |
+-------------+-------------------------------------------------------------+

+---------------------------------------------------------------------------+
| Threat: TFA-SC-REPO-03                                                    |
+=============+=============================================================+
| Description | An attacker can host a malicious version of TF-A on an      |
|             | attacker-controlled repository, and trick end-users into    |
|             | downloading from that repository.                           |
+-------------+-------------------------------------------------------------+
| Impact      | HIGH                                                        |
+-------------+-------------------------------------------------------------+
| Likelihood  | MEDIUM                                                      |
+-------------+-------------------------------------------------------------+
| Threat and  | | It is not difficult for an attacker to create a website   |
| impact      |   with a domain name and look similar to tf.org (website    |
|             |   spoofing) and host a malicious TF-A source repository.    |
|             |   Similarly, an attacker can create a mirror of the TF-A    |
|             |   repository on GitHub with malicious code in it. However,  |
|             |   for this attack to succeed the attacker needs to trick    |
|             |   the end-user into using the attacker-controlled           |
|             |   repositories.                                             |
+-------------+-------------------------------------------------------------+
| Proposed    | - Users should carefully check the URL of the website       |
| Mitigations |   before visiting it and the URL of the repository before   |
|             |   checking it out                                           |
|             | - Accept reports of spoofing attacks on tf.org and          |
|             |   broadcast a warning to partners                           |
+-------------+-------------------------------------------------------------+
| Mitigations | We accept reports of spoofing attacks on tf.org and will    |
| implemented?| broadcast a warning to partners                             |
+-------------+-------------------------------------------------------------+

+---------------------------------------------------------------------------+
| Threat: TFA-SC-TOOL-01                                                    |
+=============+=============================================================+
| Description | Malicious code can be injected at build time through        |
|             | malicious tools.                                            |
+-------------+-------------------------------------------------------------+
| Impact      | HIGH                                                        |
+-------------+-------------------------------------------------------------+
| Likelihood  | LOW                                                         |
+-------------+-------------------------------------------------------------+
| Threat and  | | End-users of TF-A use make (or cmake), compilers and      |
| impact      |   linkers (armgcc, armclang or LLVM) to build TF-A          |
|             |   binaries. Although TF-A documentation specifies versions  |
|             |   and official sources of tools used to build TF-A, users   |
|             |   can potentially be tricked into using unofficial,         |
|             |   malicious toolchains. Similar attacks have been used in   |
|             |   the past to inject malicious code into final products     |
|             |   [13]_.                                                    |
+-------------+-------------------------------------------------------------+
| Proposed    | - Explicitly document versions and official sources of      |
| Mitigations |   toolchains                                                |
|             | - Provide scripts to automatically fetch the latest stable  |
|             |   release of toolchains                                     |
+-------------+-------------------------------------------------------------+
| Mitigations | We explicitly document versions and official sources of     |
| implemented?| toolchains, but have not yet provided scripts to            |
|             | automatically fetch the latest stable release of toolchains |
+-------------+-------------------------------------------------------------+

+---------------------------------------------------------------------------+
| Threat: TFA-SC-TOOL-02                                                    |
+=============+=============================================================+
| Description | Malicious code can be executed by developer’s tools at      |
|             | installation time through malicious Node.js dependencies.   |
+-------------+-------------------------------------------------------------+
| Impact      | HIGH                                                        |
+-------------+-------------------------------------------------------------+
| Likelihood  | LOW                                                         |
+-------------+-------------------------------------------------------------+
| Threat and  | | Users of the Node.js tools, including the CI, may be      |
| impact      |   exposed to malicious dependencies that have been missed   |
|             |   by the Node.js dependency auditor.                        |
|             |   Users of these tools could potentially be executing       |
|             |   malicious code when using these tools, which could        |
|             |   potentially allow a malicious actor to make silent        |
|             |   modifications to the repository or enable retrieval of    |
|             |   user credentials.                                         |
|             |                                                             |
|             | | If successful, the impact can range from low to high      |
|             |   depending on the user's credentials. If the user is an    |
|             |   administrator, this could imply TFA-SC-REPO-01.           |
+-------------+-------------------------------------------------------------+
| Proposed    | - Limit Node.js tools to a minimal set of trusted packages  |
| Mitigations | - Pin Node.js packages to known versions                    |
|             | - Update dependencies for which Node.js’s auditor reports   |
|             |   known CVEs                                                |
|             | - Execute Node.js tools in the CI only from within a        |
|             |   trusted container                                         |
+-------------+-------------------------------------------------------------+
| Mitigations | Yes, Node.js tools are limited to a minimal set of trusted  |
| implemented?| packages, packages are pinned to known versions,            |
|             | dependencies are updated when there are known CVEs          |
|             | reported, and Node.js tools are only executed within a      |
|             | trusted container in CI                                     |
+-------------+-------------------------------------------------------------+

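The URL check proposed for TFA-SC-REPO-03 above can be automated before a checkout is trusted. The following is an added example and not code from the TF-A project: it classifies a git remote as official, lookalike or unknown. The allowlist of official hosts and repository paths (git.trustedfirmware.org, review.trustedfirmware.org and the ARM-software GitHub mirror) is an assumption to be confirmed against the project's documentation, and every sample remote in the block is constructed.

```python
"""Classify a git remote URL before trusting a TF-A checkout.

Added example for TFA-SC-REPO-03; it is not TF-A project code.  The hosts
and repository paths in OFFICIAL_REPOS are assumptions to confirm against the
project's own documentation, and every sample remote below is constructed.
"""
import subprocess
from urllib.parse import urlsplit

# Assumed allowlist: official host -> repository paths considered official there.
OFFICIAL_REPOS = {
    "git.trustedfirmware.org": {"/TF-A/trusted-firmware-a"},
    "review.trustedfirmware.org": {"/TF-A/trusted-firmware-a"},
    "github.com": {"/ARM-software/arm-trusted-firmware"},
}


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances flag typosquatted hosts (gihtub.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split_remote(url: str) -> tuple[str, str, str, str]:
    """Return (scheme, host, path, userinfo) for URL-style and scp-style remotes."""
    if "://" not in url:
        # scp-style remote as git accepts it: [user@]host:path
        userhost, sep, path = url.partition(":")
        if not sep:
            return "", "", url, ""          # a local path, not a network remote
        user, _, host = userhost.rpartition("@")
        return "ssh", host.lower(), "/" + path, user
    parts = urlsplit(url)
    # .hostname strips userinfo and port, so "https://github.com@evil.example/x"
    # yields host "evil.example" and username "github.com".
    return parts.scheme.lower(), (parts.hostname or ""), parts.path, parts.username or ""


def _normalise_path(path: str) -> str:
    path = path.rstrip("/")
    return path[:-4] if path.endswith(".git") else path


def classify_remote(url: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a git remote URL.

    'lookalike' is returned for hosts within edit distance 2 of an official host,
    hosts that merely start with an official host (github.com.evil.example), and
    https URLs that hide an official name in the userinfo part.
    """
    scheme, host, path, userinfo = _split_remote(url)
    if scheme not in ("https", "ssh"):
        return "unknown"                    # plain http:// or a local path
    if scheme == "https" and userinfo in OFFICIAL_REPOS:
        return "lookalike"
    if host in OFFICIAL_REPOS:
        return "official" if _normalise_path(path) in OFFICIAL_REPOS[host] else "unknown"
    for official in OFFICIAL_REPOS:
        if host.startswith(official + ".") or _levenshtein(host, official) <= 2:
            return "lookalike"
    return "unknown"


def check_clone(repo_dir: str, remote: str = "origin") -> str:
    """Classify the configured remote of an existing checkout (shells out to git)."""
    url = subprocess.check_output(
        ["git", "-C", repo_dir, "remote", "get-url", remote], text=True
    ).strip()
    return classify_remote(url)


# Constructed sample remotes for the demonstration below.
SAMPLE_REMOTES = [
    "https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git",
    "git@github.com:ARM-software/arm-trusted-firmware.git",
    "https://gihtub.com/ARM-software/arm-trusted-firmware",
    "https://github.com@evil.example/ARM-software/arm-trusted-firmware",
    "http://github.com/ARM-software/arm-trusted-firmware",
]

if __name__ == "__main__":
    for remote in SAMPLE_REMOTES:
        print(f"{classify_remote(remote):9s} {remote}")
```

Run against an existing clone with check_clone, the function reports whether the configured origin is one of the allowlisted sources; anything that is not "official" is a reason to stop and look at the URL by hand, which is the manual check the mitigation asks users to make. The lookalike heuristics only catch the common spoofing shapes (typos, an official name used as a leading label, an official name placed before an @ sign), so an "unknown" result still needs a human decision.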
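The pinning mitigations listed for TFA-SC-TOOL-01 (documented toolchain versions and sources) and TFA-SC-TOOL-02 (Node.js packages pinned to known versions) can both be enforced mechanically. The following is an added example and not TF-A project tooling: it verifies a downloaded toolchain archive against a pinned SHA-256 and reports every package.json dependency that is not pinned to exactly one version. The manifest layout, the archive name, the demo archive contents and the sample package.json are constructed for the example.

```python
"""Pin checks for TF-A build inputs: toolchain archives and Node.js packages.

Added example for TFA-SC-TOOL-01 and TFA-SC-TOOL-02; it is not TF-A project
tooling.  The manifest layout, archive name, demo archive contents and the
sample package.json are all constructed for this example.
"""
import hashlib
import hmac
import json
import re
import tempfile
from pathlib import Path

# Constructed pin manifest: archive file name -> expected SHA-256 (hex).  In real
# use the digest is copied from the toolchain vendor's release page, never from
# the host the archive is downloaded from.  The demo archive is the bytes
# b"hello\n", whose SHA-256 is the value below.
TOOLCHAIN_PINS = {
    "demo-toolchain.tar.xz": "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03",
}


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so a multi-hundred-megabyte archive is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_archive(path: Path, pins: dict = TOOLCHAIN_PINS) -> bool:
    """True only if the archive is in the manifest and its digest equals the pin."""
    expected = pins.get(path.name)
    if expected is None:
        return False                    # an archive nobody pinned is rejected, not trusted
    return hmac.compare_digest(sha256_file(path), expected.lower())


# One exact semver version, optionally with pre-release and build metadata.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def unpinned_dependencies(package_json: str) -> dict:
    """Return {name: spec} for every dependency not pinned to one exact version.

    Ranges (^, ~, >=, x, *), dist-tags such as "latest" and git/URL/file specs
    all let a later install resolve to something other than what was reviewed.
    """
    manifest = json.loads(package_json)
    loose = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec.strip()):
                loose[name] = spec
    return loose


# Constructed sample package.json (not TF-A's); only "eslint" is pinned exactly.
SAMPLE_PACKAGE_JSON = """{
  "devDependencies": {
    "eslint": "8.57.0",
    "prettier": "^3.0.0",
    "commitlint": "latest",
    "husky": "git+https://example.invalid/husky.git",
    "left-pad": "~1.3.0"
  }
}"""


def demo_archive() -> Path:
    """Write the constructed demo archive to a fresh temp dir and return its path."""
    path = Path(tempfile.mkdtemp()) / "demo-toolchain.tar.xz"
    path.write_bytes(b"hello\n")
    return path


if __name__ == "__main__":
    archive = demo_archive()
    print("pinned and intact:", verify_archive(archive))
    archive.write_bytes(b"hello\n# tampered")
    print("after tampering:  ", verify_archive(archive))
    for name, spec in unpinned_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"unpinned: {name} -> {spec!r}")
```

A toolchain fetch script built around verify_archive downloads the archive with the usual tool and refuses to unpack it when the function returns False; because the digest in the manifest is copied from the vendor's release notes rather than fetched alongside the archive, a tampered mirror cannot supply a matching value. The version check complements the Node.js auditor rather than replacing it: the auditor flags versions with known CVEs, while an exact pin makes sure the version that was reviewed is the version that gets installed.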
Appendix A
**********

Summary of trustedfirmware.org security:

.. table:: Table 2: Security information of trustedfirmware.org

   +------------+--------------------+--------------------+--------------------+
   | Software/  | Source and         | Credential and     | Security incident  |
   | System     | integrity          | permission         | response plan      |
   |            |                    | management         |                    |
   +============+====================+====================+====================+
   | Jenkins    | - Jenkins is built | - Use OAuth from   | - Monitor CVEs     |
   | (including |   using Dockerfile |   GitHub only      |   and update       |
   | plugins)   |   which is based   | - The password     |   Jenkins LTS on a |
   |            |   on the official  |   strength follows |   monthly cycle    |
   |            |   Jenkins docker   |   GitHub policy    | - Keep plugins up- |
   |            |   image            | - Do not enforce   |   to-date. But it  |
   |            | - Jenkins plugins  |   using two-factor |   is up to the     |
   |            |   are built using  |   authentication   |   plugin owner to  |
   |            |   the official     | - Jenkins uses     |   maintain said    |
   |            |   install-         |   matrix auth      |   plugin           |
   |            |   plugins.sh       |   which allows     |                    |
   |            |                    |   users to manage  |                    |
   |            |                    |   "job" level ACL  |                    |
   |            |                    |   using Jenkins    |                    |
   |            |                    |   Job Builder      |                    |
   |            |                    | - No API token     |                    |
   |            |                    |   enabled          |                    |
   |            |                    | - Jenkins uses the |                    |
   |            |                    |   inbuilt          |                    |
   |            |                    |   credential store |                    |
   |            |                    |   where we store   |                    |
   |            |                    |   credentials for  |                    |
   |            |                    |   LAVA, Jenkins    |                    |
   |            |                    |   Job Builder,     |                    |
   |            |                    |   DockerHub, AWS   |                    |
   |            |                    |   and Gerrit       |                    |
   |            |                    |   tokens. The      |                    |
   |            |                    |   credentials are  |                    |
   |            |                    |   stored as a      |                    |
   |            |                    |   secret in        |                    |
   |            |                    |   Jenkins          |                    |
   |            |                    |   credential       |                    |
   |            |                    |   store. These     |                    |
   |            |                    |   credentials      |                    |
   |            |                    |   can be accessed  |                    |
   |            |                    |   via a Jenkins    |                    |
   |            |                    |   job, but someone |                    |
   |            |                    |   would have to    |                    |
   |            |                    |   push a Jenkins   |                    |
   |            |                    |   Job through a    |                    |
   |            |                    |   Gerrit review to |                    |
   |            |                    |   do this. Gerrit  |                    |
   |            |                    |   maintains the    |                    |
   |            |                    |   ACL for this and |                    |
   |            |                    |   only admins and  |                    |
   |            |                    |   project approver |                    |
   |            |                    |   can +2 a review. |                    |
   +------------+--------------------+--------------------+--------------------+
   | Gerrit     | - Gerrit package   | - Use OAuth from   | - Keep plugins up- |
   | (including |   is installed     |   GitHub only      |   to-date. But it  |
   | plugins)   |   from Linaro top  | - The password     |   is up to the     |
   |            |   level role,      |   strength follows |   plugin owner to  |
   |            |   which has a      |   GitHub policy    |   maintain said    |
   |            |   md5sum check     | - Do not enforce   |   plugin           |
   |            | - Gerrit Plugins   |   using two-factor |                    |
   |            |   are installed    |   authentication   |                    |
   |            |   from Ansible     | - Gerrit has ACL   |                    |
   |            |   playbook, from   |   setup within the |                    |
   |            |   the official     |   UI per-project   |                    |
   |            |   Gerrit CI. The   |   level            |                    |
   |            |   plugins are      | - No API token     |                    |
   |            |   downloaded from  |   enabled          |                    |
   |            |   [14]_            | - A ci-bot-user    |                    |
   |            | - Do not check     |   created for      |                    |
   |            |   md5sum for every |   getting comments |                    |
   |            |   plugin           |   from Jenkins     |                    |
   +------------+--------------------+--------------------+--------------------+
   | Git        | - Package is from  | - All credentials  | - Monitor all      |
   |            |   Linaro OBS (Open |   use GitHub. So   |   CVEs and apply   |
   |            |   Build Service)   |   password         |   them immediately |
   |            |   with a couple of |   strength etc are |   and keep servers |
   |            |   “Linaro          |   based on GitHub  |   up-to-date       |
   |            |   modifications”.  |   policy           |   monthly          |
   |            |   (reference:      |                    | - The security     |
   |            |   Ansible playbook |                    |   incident         |
   |            |   and cgit repo)   |                    |   response plan is |
   |            | - No special       |                    |   a work in        |
   |            |   integrity check  |                    |   progress         |
   +------------+--------------------+--------------------+--------------------+
   | Mailman    | - Installed from   | - It has           | - Plan to monitor  |
   |            |   Ubuntu-          |   administrator    |   the CVEs but no  |
   |            |   distributed      |   passwords for    |   timetable at the |
   |            |   package          |   the various      |   moment           |
   |            | - No special       |   mailing lists    |                    |
   |            |   integrity check  | - The password     |                    |
   |            |   (rely on APT     |   strength is not  |                    |
   |            |   security)        |   specified        |                    |
   +------------+--------------------+--------------------+--------------------+
   | Website    | The website is     | There are no       | - The websites     |
   |            | built on the IT    | credentials        |   themselves are   |
   |            | Services' CI/CD    | associated with    |   static files     |
   |            | server,            | the website        |   hosted on AWS S3 |
   |            | bamboo.linaro.org, | itself. Any        |   and cached by    |
   |            | from a Jekyll git  | permissions        |   AWS CloudFront   |
   |            | repository stored  | required by bamboo | - The software     |
   |            | on GitHub          | to carry out its   |   used to build    |
   |            |                    | tasks are provided |   the website is   |
   |            |                    | through AWS        |   all open source  |
   |            |                    | instance role      |   and Linaro       |
   |            |                    | permissions        |   occasionally     |
   |            |                    |                    |   gets reports     |
   |            |                    |                    |   from GitHub when |
   |            |                    |                    |   an issue is      |
   |            |                    |                    |   detected. Apply  |
   |            |                    |                    |   a fix if it is   |
   |            |                    |                    |   available. This  |
   |            |                    |                    |   includes any     |
   |            |                    |                    |   JavaScript       |
   |            |                    |                    |   frameworks that  |
   |            |                    |                    |   might be used    |
   |            |                    |                    |   within the web   |
   |            |                    |                    |   pages            |
   +------------+--------------------+--------------------+--------------------+
   | ReadTheDocs| - One webhook ID   | - One TF-A account | - Keep database    |
   |            |   per project is   |   with password    |   access list up   |
   |            |   used by TF CI    |   stored in        |   to date          |
   |            |   for building     |   engineering      | - Monitor security |
   |            |   documentation    |   password         |   advisories       |
   |            |   hosted by        |   database is used |                    |
   |            |   ReadTheDocs      |   to manage        |                    |
   |            | - Secret token     |   documentation    |                    |
   |            |   supplied as part | - Access request   |                    |
   |            |   of the webhook   |   is required      |                    |
   |            |   post build       |   for database     |                    |
   |            | - Updated content  |   access           |                    |
   |            |   goes live        | - Token for        |                    |
   |            |   automatically    |   Jenkins webhook  |                    |
   |            |                    |   for CI uses      |                    |
   |            |                    |   secret           |                    |
   |            |                    |   credential       |                    |
   |            |                    |   storage in       |                    |
   |            |                    |   internal Jenkins |                    |
   |            |                    |   and viewable     |                    |
   |            |                    |   only through     |                    |
   |            |                    |   ReadTheDocs      |                    |
   |            |                    |   admin page       |                    |
   +------------+--------------------+--------------------+--------------------+

References
**********

.. [1] https://git.kernel.org/pub/scm/utils/dtc/dtc.git
.. [2] http://zlib.net/
.. [3] https://compiler-rt.llvm.org/
.. [4] https://tls.mbed.org/
.. [5] https://www.openssl.org/
.. [6] https://github.com/ARM-software/SCP-firmware
.. [7] https://github.com/tianocore/edk2
.. [8] https://downloads.trustedfirmware.org/tf-a/
.. [9] https://docs.github.com/en/github/authenticating-to-github/creating-a-strong-password
.. [10] https://trustedfirmware-a.readthedocs.io/en/latest/process/maintenance.html#how-to-become-a-maintainer
.. [11] https://docs.github.com/en/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
.. [12] "Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks"
.. [13] https://www.wired.com/story/supply-chain-hackers-videogames-asus-ccleaner/
.. [14] https://gerrit-ci.gerritforge.com/plugin-manager/

*Copyright (c) 2024-2025, Arm Limited. All rights reserved.*

.. |TF-A System Diagram| image:: ../resources/diagrams/tf-a_system_diagram.png
.. |TF-A Data Flow Diagram| image:: ../resources/diagrams/tf-a_data_flow_diagram.png
.. |TF-A Attack Tree| image:: ../resources/diagrams/tf-a_attack_tree.png