TF-A Supply Chain Threat Model
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Introduction
************

Software supply chain attacks aim to inject malicious code into a software
product. There are several ways malicious code can be injected into a
software product (here, an open-source project). These include:

- Malicious code commits: This attack directly injects code into a project
  repository. This can happen, for example, through developer/maintainer
  credential hijacks or malicious external contributors.

- Malicious dependencies: In this case malicious code is introduced into a
  project through other pieces of code or packages the project depends on. This
  can happen, for example, through a typosquatting attack, where an attacker
  creates a malicious package with a very similar name to a popular package and
  hosts it on popular package repositories.

- Malicious toolchains: This involves malicious code introduced by compromised
  resources used throughout the development and/or build process, such as
  compilers and IDEs.

This document provides an analysis of software supply chain attack threats for
the TF-A project.

TF-A Overview
*************

Figure 1 shows the different software components surrounding the TF-A project.
A brief description of each component is provided below.

TF-A Repository
===============

The TF-A repository contains generic and platform code contributed by TF-A
contributors as well as libraries imported from other open-source projects,
referred to as internal dependencies in Figure 1. These libraries include:

- *libfdt*: libfdt is a utility library for reading and manipulating Device
  Tree Binary (DTB) files. It is part of the Device Tree Compiler (DTC)
  toolchain [1]_. DTC is used as part of the build process on the host machine
  to build DTB files. libfdt is used to parse the DTB files at boot time.

- *zlib*: zlib is a data compression library imported from [2]_.

- *compiler-rt*: This is a collection of runtime libraries from the LLVM
  compiler infrastructure project [3]_. We import the builtins library, which
  provides low-level, target-specific compiler builtins, from compiler-rt.

The TF-A repository also includes source code for host tools that supplement
the TF-A build process. These tools include:

- *fiptool*: This tool is used to create a Firmware Image Package (FIP), which
  allows for packing bootloader images into a single archive that can be
  loaded by TF-A from non-volatile platform storage.

- *cert_create*: This tool is used to generate certificates for binary images.

- *encrypt_fw*: This tool takes the plain firmware image as input and generates
  the encrypted firmware image, which can then be passed as input to the fiptool
  utility for creating the FIP.

- *sptool*: This tool is used to build the secure partition packages.

|TF-A System Diagram|
*Figure 1: TF-A System Diagram*

External Dependencies
=====================

These are software components that are not part of the TF-A repository but are
required to build TF-A binaries and host tools.

- *Mbed TLS Library*: This is a cryptography library from trustedfirmware.org
  (tf.org). It is required to build TF-A binaries where cryptography features
  are needed, such as Trusted Board Boot (TBB).

- *OpenSSL Library*: This is another cryptography library used by the TF-A host
  tools: fiptool, cert_create, and encrypt_fw.

The following table lists the TF-A dependencies, including the sources of the
dependencies.

.. table:: Table 1: TF-A Dependencies

   +-------------+------------------------+------------------------------------+
   | Dependency  | Location of Dependency | Original Source                    |
   +=============+========================+====================================+
   | libfdt      | Local copy             | [1]_                               |
   +-------------+------------------------+------------------------------------+
   | zlib        | Local copy             | [2]_                               |
   +-------------+------------------------+------------------------------------+
   | compiler-rt | Local copy             | [3]_                               |
   +-------------+------------------------+------------------------------------+
   | Mbed TLS    | External               | [4]_                               |
   +-------------+------------------------+------------------------------------+
   | OpenSSL     | External               | [5]_                               |
   +-------------+------------------------+------------------------------------+

Supplementary Binaries
======================

These are binaries used to test TF-A based systems. Below is a brief
description of each component and where they are sourced from.

- *SCP-firmware*: For our tests, we use SCP-firmware binaries supplied by the
  Arm SCP team, built from the source in the GitHub repository [6]_.

- *OP-TEE*: Trusted Execution Environment (TEE) from tf.org that runs at
  Secure EL1. We use OP-TEE built from source or binaries supplied with Arm
  Reference Platforms, depending on the test configuration.

- *EDK2 UEFI*: Normal world bootloader from the EDK2 project [7]_. We use EDK2
  UEFI binaries hosted on tf.org servers for testing [8]_.

Other software components used to test TF-A include U-Boot, the Linux kernel,
RSS, MCP, and file systems, all sourced from the Arm Reference Platforms teams.

TF-A Toolchain
==============

The TF-A project uses several tools to build, analyze and test the TF-A source
code.

Node.js Tools
-------------

These are optional quality assurance and developer utility tools that are
installed through the Node.js package manager. They are pinned to specific
versions described by the package.json file in the root of the TF-A
repository, and their dependencies are downloaded from the internet at the
point of installation. These tools may be installed locally on the developer
machine and are installed within a Docker container in certain CI jobs. At
present, these are:

- Commitlint

- Commitizen

- Husky

Infrastructure
==============

TF-A uses trustedfirmware.org (tf.org) and Arm infrastructure to host the
source code, review code and run tests. Appendix A provides a security analysis
of the tf.org infrastructure.

TF-A Data Flow
**************

Figure 2 below shows the data flow diagram for TF-A. The broken red lines
indicate trust boundaries.

|TF-A Data Flow Diagram|
*Figure 2: TF-A Data Flow Diagram*

Attack Tree
***********

|TF-A Attack Tree|
*Figure 3: TF-A Attack Tree*

Threat Assessment and Mitigations
*********************************

Impact and Likelihood Ratings
=============================

  +--------+------------------------------+-----------------------------------+
  | Rating | Impact                       | Likelihood                        |
  +========+==============================+===================================+
  | HIGH   | Major impact to entire       | Threat is relatively easy to      |
  |        | organization or single line  | exploit by an attacker with       |
  |        | of business if exploited.    | little effort and skill.          |
  +--------+------------------------------+-----------------------------------+
  | MEDIUM | Noticeable impact to line of | An expert attacker could exploit  |
  |        | business if exploited.       | the threat without much           |
  |        |                              | difficulty.                       |
  +--------+------------------------------+-----------------------------------+
  | LOW    | Minor damage if exploited or | Exploiting the threat would       |
  |        | could be used in conjunction | require considerable effort and   |
  |        | with other vulnerabilities   | resources.                        |
  |        | to perform a more serious    |                                   |
  |        | attack.                      |                                   |
  +--------+------------------------------+-----------------------------------+

Threats and Mitigations
=======================

Threat naming convention key:

- SC – Supply Chain

- SRC – Source

- DEP – Dependency

- TOOL – Toolchain

- REPO – Repository

- MAIN – Maintainer

- CONT – Contributor

  +---------------------------------------------------------------------------+
  | Threat: TFA-SC-SRC-MAIN-01                                                |
  +=============+=============================================================+
  | Description | An attacker can submit and merge malicious code by posing   |
  |             | as a maintainer after compromising maintainers’             |
  |             | credentials.                                                |
  +-------------+-------------------------------------------------------------+
  | Impact      | HIGH                                                        |
  +-------------+-------------------------------------------------------------+
  | Likelihood  | MEDIUM                                                      |
  +-------------+-------------------------------------------------------------+
  | Threat and  | | In the TF-A code review process all submitted changes     |
  | impact      |   undergo review by a code owner and a maintainer. If the   |
  |             |   change is accepted, it will be merged (integrated) into   |
  |             |   an integration branch by a maintainer. A maintainer has   |
  |             |   the right to give a code owner review, a maintainer       |
  |             |   review and merge the submitted change.                    |
  |             | |                                                           |
  |             | | tf.org users (including maintainers) are authenticated    |
  |             |   through GitHub. The likelihood of a credential compromise |
  |             |   depends on multiple factors. The authentication mechanism |
  |             |   of GitHub is strong if the recommended best practices are |
  |             |   followed [9]_, making credential compromise unlikely.     |
  |             |   GitHub (therefore tf.org) allows logins with two-factor   |
  |             |   authentication, requiring both a password and access to   |
  |             |   the user's authentication code. Depending on the strength |
  |             |   of the password and factors such as whether the           |
  |             |   maintainer reuses passwords across services, the          |
  |             |   likelihood of a compromise can be higher.                 |
  |             | |                                                           |
  |             | | If an attacker manages to compromise a maintainer’s       |
  |             |   credentials, posing as the maintainer, they can in theory |
  |             |   submit a malicious change (as a maintainer or as a        |
  |             |   contributor), give all the necessary reviews and merge    |
  |             |   the change.                                               |
  +-------------+-------------------------------------------------------------+
  | Mitigations | | - Enforce best practices recommended by GitHub [9]_       |
  |             | |                                                           |
  |             | | - Not allowing a committer to both self-review and merge  |
  |             |     patches they have submitted. To achieve the commit the  |
  |             |     attacker would be required to compromise at least two   |
  |             |     credentials (reviewers and maintainer).                 |
  +-------------+-------------------------------------------------------------+
  | Mitigations | We have not disallowed self-review/merge of patches         |
  | implemented?|                                                             |
  +-------------+-------------------------------------------------------------+

  +---------------------------------------------------------------------------+
  | Threat: TFA-SC-SRC-MAIN-02                                                |
  +=============+=============================================================+
  | Description | An attacker can submit and merge malicious code after       |
  |             | becoming a maintainer through social engineering            |
  |             | techniques.                                                 |
  +-------------+-------------------------------------------------------------+
  | Impact      | HIGH                                                        |
  +-------------+-------------------------------------------------------------+
  | Likelihood  | LOW                                                         |
  +-------------+-------------------------------------------------------------+
  | Threat and  | | According to the TF project maintenance process [10]_,    |
  | impact      |   maintainers of TF-A are selected by their peers based on  |
  |             |   merit. Some of the criteria of becoming a maintainer      |
  |             |   include being an active member of the project for a       |
  |             |   minimum duration and contributing a substantial number of |
  |             |   non-trivial and high-quality patches. However, there are  |
  |             |   some weaknesses in the process:                           |
  |             | |                                                           |
  |             | | - There is no structured mechanism to establish trust     |
  |             |     with a maintainer other than the recommendations by     |
  |             |     peers                                                   |
  |             | | - There is no continuous monitoring of the status of a    |
  |             |     maintainer (e.g. maintainer can move from one           |
  |             |     organization to another)                                |
  |             | |                                                           |
  |             | | To perform such an attack, in addition to becoming a      |
  |             |   maintainer, an attacker also must deal with all           |
  |             |   restrictions put on maintainers.                          |
  +-------------+-------------------------------------------------------------+
  | Mitigations | | - Structured mechanism to establish trust with            |
  |             |     maintainers                                             |
  |             | |                                                           |
  |             | | - Not allowing a committer to both self-review and merge  |
  |             |     patches they have submitted. To achieve the commit the  |
  |             |     attacker would be required to compromise at least two   |
  |             |     credentials (reviewers and maintainer).                 |
  +-------------+-------------------------------------------------------------+
  | Mitigations | There is a structured mechanism to establish trust with     |
  | implemented?| maintainers, but self-review/merge of patches is not        |
  |             | disallowed                                                  |
  +-------------+-------------------------------------------------------------+

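The self-review/merge rule proposed against TFA-SC-SRC-MAIN-01 and TFA-SC-SRC-MAIN-02 can be expressed as an automated check on a change record before the merge is allowed. The following Python is an added example, not TF-A project code: the ``Change``/``Review`` records, the role names, the maintainer list and the three sample change records are assumptions constructed for illustration.

```python
"""Review-policy check for the self-review/self-merge rule.

Added example, not TF-A project code. The Change/Review records, the role
names and the maintainer list are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Review:
    reviewer: str  # account that cast the vote
    kind: str      # "code-owner" or "maintainer"


@dataclass
class Change:
    change_id: str
    author: str                          # account that uploaded the patch
    reviews: List[Review] = field(default_factory=list)
    merged_by: Optional[str] = None      # account that merged it, if merged


# Constructed maintainer list; a real check would load the project's
# maintainers file rather than hard-code accounts.
MAINTAINERS = frozenset({"alice", "bob"})


def policy_violations(change: Change) -> List[str]:
    """Return every violation for a change; an empty list means compliant."""
    violations: List[str] = []
    code_owner_ok = False
    maintainer_ok = False
    for r in change.reviews:
        if r.reviewer == change.author:
            # The author's own vote is a violation and earns no approval.
            violations.append(f"{change.change_id}: {r.reviewer} self-reviewed ({r.kind})")
            continue
        if r.kind == "code-owner":
            code_owner_ok = True
        elif r.kind == "maintainer" and r.reviewer in MAINTAINERS:
            maintainer_ok = True
        else:
            violations.append(f"{change.change_id}: {r.kind} review by {r.reviewer} not accepted")
    if not code_owner_ok:
        violations.append(f"{change.change_id}: no code-owner review by someone other than the author")
    if not maintainer_ok:
        violations.append(f"{change.change_id}: no maintainer review by someone other than the author")
    if change.merged_by is not None:
        if change.merged_by == change.author:
            violations.append(f"{change.change_id}: {change.author} merged their own change")
        elif change.merged_by not in MAINTAINERS:
            violations.append(f"{change.change_id}: merged by non-maintainer {change.merged_by}")
    return violations


def credentials_required(change: Change) -> int:
    """Distinct accounts other than the author that reviewed or merged the
    change, i.e. how many credentials an impostor would need to control."""
    ids = {r.reviewer for r in change.reviews}
    if change.merged_by is not None:
        ids.add(change.merged_by)
    ids.discard(change.author)
    return len(ids)


# Constructed sample change records.
COMPLIANT = Change("I1", "carol",
                   [Review("dave", "code-owner"), Review("alice", "maintainer")], "bob")
# One compromised maintainer account does everything (TFA-SC-SRC-MAIN-01).
SELF_MERGED = Change("I2", "alice",
                     [Review("alice", "code-owner"), Review("alice", "maintainer")], "alice")
# Uploaded from a second account, then reviewed and merged by one maintainer.
SINGLE_MAINTAINER = Change("I3", "carol",
                           [Review("alice", "code-owner"), Review("alice", "maintainer")], "alice")

if __name__ == "__main__":
    for c in (COMPLIANT, SELF_MERGED, SINGLE_MAINTAINER):
        print(c.change_id, "credentials:", credentials_required(c),
              "violations:", policy_violations(c) or "none")
```

``policy_violations`` rejects every vote or merge cast by the change's own author and refuses a change that lacks a code-owner review and a maintainer review from someone else; ``credentials_required`` counts the distinct non-author accounts involved, which is the number of credentials an attacker posing as other users would have to control. The third sample shows the limit of the rule as stated in the tables: a change uploaded from one account and then reviewed and merged by a single maintainer passes with one credential, so a deployment that wants the "at least two credentials" property in every case would additionally require the merging maintainer to differ from the reviewers.
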
  +---------------------------------------------------------------------------+
  | Threat: TFA-SC-SRC-CONT-01                                                |
  +=============+=============================================================+
  | Description | An attacker can submit a malicious code patch as a          |
  |             | contributor.                                                |
  +-------------+-------------------------------------------------------------+
  | Impact      | HIGH                                                        |
  +-------------+-------------------------------------------------------------+
  | Likelihood  | LOW                                                         |
  +-------------+-------------------------------------------------------------+
  | Threat and  | | TF-A accepts external contributions to both the generic   |
  | impact      |   and platform code. Unlike maintainers, contributors do    |
  |             |   not have maintainer review or merging privileges,         |
  |             |   therefore the likelihood of injecting malicious code as a |
  |             |   contributor is lower. However, even though unlikely, it   |
  |             |   is still possible for a malicious commit to go unnoticed  |
  |             |   through the code review and verification processes.      |
  |             | |                                                           |
  |             | | If successful, the impact can range from low to high      |
  |             |   depending on the injected code. For example, an attacker  |
  |             |   can potentially deliberately insert a memory corruption   |
  |             |   vulnerability that is hard to notice on code review and   |
  |             |   will not be detected by the verification process. This    |
  |             |   vulnerability by itself may have a low impact but can     |
  |             |   have a major impact if used in combination with other     |
  |             |   vulnerabilities.                                          |
  +-------------+-------------------------------------------------------------+
  | Proposed    | - Code review and verification                              |
  | Mitigations | - Static analysis to try to pick up issues that typically   |
  |             |   end in some form of attack vector                         |
  +-------------+-------------------------------------------------------------+
  | Mitigations | Yes, contributions go through the thorough review,          |
  | implemented?| verification, and static analysis process automated through |
  |             | CI                                                          |
  +-------------+-------------------------------------------------------------+

  +---------------------------------------------------------------------------+
  | Threat: TFA-SC-DEP-01                                                     |
  +=============+=============================================================+
  | Description | An attacker can inject malicious code into TF-A internal    |
  |             | dependencies.                                               |
  +-------------+-------------------------------------------------------------+
  | Impact      | HIGH                                                        |
  +-------------+-------------------------------------------------------------+
  | Likelihood  | LOW                                                         |
  +-------------+-------------------------------------------------------------+
  | Threat and  | | TF-A has two types of dependencies: those that are copied |
  | impact      |   into the TF-A repository and shipped as part of TF-A code |
  |             |   (referred to as *internal dependencies* here) and those   |
  |             |   that are downloaded from external repositories and used   |
  |             |   when building TF-A (referred to as                        |
  |             |   *external dependencies* here).                            |
  |             | |                                                           |
  |             | | Currently TF-A has three internal dependencies: *libfdt*  |
  |             |   [1]_, *zlib* [2]_ and *compiler-rt* [3]_ libraries. These |
  |             |   libraries are periodically updated by copying them from   |
  |             |   their source repositories. Although unlikely, it is       |
  |             |   possible for a contributor to copy the libraries from the |
  |             |   wrong (and potentially malicious) repositories. For       |
  |             |   example, there are already multiple forks of *libfdt*     |
  |             |   (DTC) on GitHub. In addition to this, the official        |
  |             |   repositories are not immune to threats described above    |
  |             |   (TFA-SC-SRC-MAIN-01, TFA-SC-SRC-MAIN-02 and               |
  |             |   TFA-SC-SRC-CONT-01).                                      |
  |             | |                                                           |
  |             | | The likelihood of an attack on TF-A through internal      |
  |             |   dependencies is lower than external dependencies for the  |
  |             |   following reasons:                                        |
  |             | |                                                           |
  |             | | - Internal dependencies go through the normal code review |
  |             |     process during upgrade                                  |
  |             | | - Once upgraded internal dependencies stay unchanged      |
  |             |     until the next upgrade. The upgrade window is typically |
  |             |     long (for example *libfdt* has only changed 4 times     |
  |             |     over the past 4 years). This reduces the window of      |
  |             |     opportunity for an attacker to inject malicious code    |
  |             |     into the dependencies                                   |
  +-------------+-------------------------------------------------------------+
  | Proposed    | - Explicitly document versions and official sources of      |
  | Mitigations |   dependencies                                              |
  |             | - Keep a copy of a pinned version of the source code inside |
  |             |   the TF-A tree so that the risk of getting malicious code  |
  |             |   from dependencies only arises when we upgrade them        |
  |             | - Monitor alerts for vulnerable dependencies from GitHub    |
  |             |   [11]_                                                     |
  +-------------+-------------------------------------------------------------+
  | Mitigations | Yes, we explicitly document versions and official sources   |
  | implemented?| of dependencies, keep a copy of pinned versions of the      |
  |             | source code, and monitor alerts for vulnerable dependencies |
  |             | for Python and Node.js, but we aren't able to do this for C |
  |             | dependencies                                                |
  +-------------+-------------------------------------------------------------+

  +---------------------------------------------------------------------------+
  | Threat: TFA-SC-DEP-02                                                     |
  +=============+=============================================================+
  | Description | An attacker can inject malicious code into TF-A external    |
  |             | dependencies.                                               |
  +-------------+-------------------------------------------------------------+
  | Impact      | HIGH                                                        |
  +-------------+-------------------------------------------------------------+
  | Likelihood  | MEDIUM                                                      |
  +-------------+-------------------------------------------------------------+
  | Threat and  | | Unlike internal dependencies, external dependencies are   |
  | impact      |   downloaded from external repositories by end-users.       |
  |             |   Although the TF-A documentation provides information      |
  |             |   about the versions of dependencies used for testing and   |
  |             |   links to repositories, it is up to the end-user to decide |
  |             |   where to get the dependencies from. As such, the          |
  |             |   likelihood of an attack through an external dependency is |
  |             |   higher compared to an internal dependency.                |
  |             | |                                                           |
  |             | | The impact of an attack ranges from low to critical       |
  |             |   depending on which dependency and what part of the        |
  |             |   dependency is affected. For example, malicious code       |
  |             |   that affects the signature verification functions in      |
  |             |   Mbed TLS is considered critical as it can be used to      |
  |             |   bypass the TBB process of TF-A.                           |
  +-------------+-------------------------------------------------------------+
  | Proposed    | - Explicitly document versions and official sources of      |
  | Mitigations |   dependencies                                              |
  |             | - Provide scripts and build options to automatically fetch  |
  |             |   the latest stable release of external dependencies        |
  +-------------+-------------------------------------------------------------+
  | Mitigations | We explicitly document versions and official sources of     |
  | implemented?| dependencies, but do not yet provide scripts and build      |
  |             | options to automatically fetch the latest stable release of |
  |             | external dependencies                                       |
  +-------------+-------------------------------------------------------------+

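The mitigations shared by TFA-SC-DEP-01 and TFA-SC-DEP-02 (documented versions and official sources, pinned in-tree copies, and fetching external dependencies from a known release) can be backed by a verification step that runs before the build. The following Python is an added example, not TF-A project code: the manifest fields, the directory layout, the ``upstream.example.org`` URLs and the sample tree are assumptions constructed for this illustration, and the digests a real manifest would carry are the ones recorded at the time a dependency is upgraded.

```python
"""Pinned-dependency verification for a source tree.

Added example, not TF-A project code. The manifest format, field names,
directory layout and URLs below are assumptions constructed for illustration.
In-tree copies (TFA-SC-DEP-01) are hashed and compared with the digest recorded
at their last upgrade; externally fetched archives (TFA-SC-DEP-02) are checked
against the pinned digest and against the documented official origin.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlparse


def tree_digest(root: Path) -> str:
    """SHA-256 over all regular files under root in sorted relative-path order.
    Path, size and content all feed the hash, so a renamed, added, removed or
    edited file changes the digest."""
    h = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        h.update(path.relative_to(root).as_posix().encode())
        h.update(b"\0" + str(len(data)).encode() + b"\0")
        h.update(data)
    return h.hexdigest()


def file_digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def same_origin(fetched_from: str, official: str) -> bool:
    """True when the URL actually used matches the documented source: HTTPS,
    the same host, and a path under the official project path."""
    got, want = urlparse(fetched_from), urlparse(official)
    return (got.scheme == "https"
            and got.hostname is not None
            and got.hostname.lower() == (want.hostname or "").lower()
            and got.path.startswith(want.path))


def verify_dependency(entry: Dict[str, str], tree: Path,
                      fetched_from: Optional[str] = None) -> List[str]:
    """Check one manifest entry against the tree; an empty list means OK."""
    findings: List[str] = []
    target = tree / entry["path"]
    if entry["location"] == "local":
        # Vendored copy: the whole directory must match the pinned digest.
        if not target.is_dir():
            return [f"{entry['name']}: vendored directory {entry['path']} is missing"]
        if tree_digest(target) != entry["sha256"]:
            findings.append(f"{entry['name']}: in-tree copy differs from pinned {entry['version']}")
    else:
        # External dependency: the fetched archive must match the pin and must
        # have come from the documented origin, not a look-alike host.
        if not target.is_file():
            findings.append(f"{entry['name']}: archive {entry['path']} not fetched")
        elif file_digest(target) != entry["sha256"]:
            findings.append(f"{entry['name']}: archive digest differs from pinned {entry['version']}")
        if fetched_from is None or not same_origin(fetched_from, entry["official_source"]):
            findings.append(f"{entry['name']}: fetched from {fetched_from!r}, "
                            f"expected origin {entry['official_source']}")
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree in a temporary directory, pin it, then tamper."""
    with tempfile.TemporaryDirectory() as d:
        tree = Path(d)
        (tree / "lib/libfdt").mkdir(parents=True)
        (tree / "lib/libfdt/fdt.c").write_text("/* constructed stand-in for a vendored file */\n")
        (tree / "lib/libfdt/fdt.h").write_text("#define FDT_MAGIC 0xd00dfeed\n")
        (tree / "mbedtls-pinned.tar.gz").write_bytes(b"constructed archive bytes")
        # Manifest entries (constructed); digests are recorded at upgrade time.
        libfdt = {"name": "libfdt", "location": "local", "path": "lib/libfdt",
                  "version": "vX.Y (placeholder)",
                  "official_source": "https://upstream.example.org/dtc",
                  "sha256": tree_digest(tree / "lib/libfdt")}
        mbedtls = {"name": "Mbed TLS", "location": "external", "path": "mbedtls-pinned.tar.gz",
                   "version": "vX.Y (placeholder)",
                   "official_source": "https://upstream.example.org/mbedtls",
                   "sha256": file_digest(tree / "mbedtls-pinned.tar.gz")}
        results = {
            "libfdt_pinned": verify_dependency(libfdt, tree),
            "mbedtls_official": verify_dependency(
                mbedtls, tree, "https://upstream.example.org/mbedtls/releases/vX.Y.tar.gz"),
            "mbedtls_lookalike": verify_dependency(
                mbedtls, tree, "https://upstream-example.org/mbedtls/releases/vX.Y.tar.gz"),
        }
        # Edit one vendored file, as a wrong-fork copy or a malicious change would.
        (tree / "lib/libfdt/fdt.c").write_text("/* edited after the pin */\n")
        results["libfdt_tampered"] = verify_dependency(libfdt, tree)
        return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'OK' if not findings else findings}")
```

For a vendored library the whole directory is hashed in path order, so an edited file, an extra file or a copy taken from the wrong fork shows up as a digest mismatch at build time rather than only at the next upgrade review. For an externally fetched archive the check pairs the digest with the origin the archive was actually downloaded from, which is what catches a look-alike host of the kind described under TFA-SC-REPO-03; a fetch script implementing the DEP-02 mitigation would call ``verify_dependency`` immediately after the download and refuse to build on any finding.
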
  +---------------------------------------------------------------------------+
  | Threat: TFA-SC-REPO-01                                                    |
  +=============+=============================================================+
  | Description | An attacker can upload malicious versions of TF-A by        |
  |             | compromising credentials of administrator accounts on       |
  |             | tf.org or GitHub.                                           |
  +-------------+-------------------------------------------------------------+
  | Impact      | HIGH                                                        |
  +-------------+-------------------------------------------------------------+
  | Likelihood  | LOW                                                         |
  +-------------+-------------------------------------------------------------+
  | Threat and  | | This attack is similar to TFA-SC-SRC-MAIN-01, but the     |
  | impact      |   likelihood and impact of the two attacks are different.   |
  |             | |                                                           |
  |             | | The likelihood of compromising administrator credentials  |
  |             |   is lower than that of a maintainer’s (assuming both use   |
  |             |   authentication methods of similar strength) as there is a |
  |             |   smaller number of administrators than maintainers. On the |
  |             |   other hand, the impact is higher since an administrator   |
  |             |   has more privileges than a maintainer:                    |
  |             | |                                                           |
  |             | | - An administrator can upload a malicious TF-A            |
  |             |     contribution unnoticed by other reviewers               |
  |             | | - An administrator can potentially rewrite the history of |
  |             |     the repository to evade detection                       |
  +-------------+-------------------------------------------------------------+
  | Proposed    | Strong authentication (Follow best practices recommended by |
  | Mitigations | GitHub [9]_)                                                |
  +-------------+-------------------------------------------------------------+
  | Mitigations | Yes, strong authentication is implemented through           |
  | implemented?| recommended best practices                                  |
  +-------------+-------------------------------------------------------------+

  +---------------------------------------------------------------------------+
  | Threat: TFA-SC-REPO-02                                                    |
  +=============+=============================================================+
  | Description | An attacker can upload malicious versions of TF-A after     |
  |             | getting write access to the repository by exploiting a      |
  |             | vulnerability on tf.org or GitHub.                          |
  +-------------+-------------------------------------------------------------+
  | Impact      | HIGH                                                        |
  +-------------+-------------------------------------------------------------+
  | Likelihood  | LOW                                                         |
  +-------------+-------------------------------------------------------------+
  | Threat and  | | There are no reports of someone exploiting a              |
  | impact      |   vulnerability on GitHub or tf.org to upload malicious     |
  |             |   contributions. However, there are examples of             |
  |             |   vulnerabilities that allowed arbitrary code execution on  |
  |             |   popular hosting services [12]_. Such vulnerabilities can  |
  |             |   potentially be used to upload malicious packages. In      |
  |             |   addition to being hard to exploit, vulnerabilities on     |
  |             |   popular hosting sites such as GitHub are typically        |
  |             |   detected quickly, making the window of opportunity for    |
  |             |   such an attack small.                                     |
  +-------------+-------------------------------------------------------------+
  | Proposed    | - Monitor alerts of any vulnerabilities that might affect   |
  | Mitigations |   the TF-A repository                                       |
  |             | - Ensure tf.org is up to date with latest security patches  |
  +-------------+-------------------------------------------------------------+
  | Mitigations | Yes, alerts of vulnerabilities are monitored and tf.org is  |
  | implemented?| ensured to be up to date with the latest security patches   |
  +-------------+-------------------------------------------------------------+

  +---------------------------------------------------------------------------+
  | Threat: TFA-SC-REPO-03                                                    |
  +=============+=============================================================+
  | Description | An attacker can host a malicious version of TF-A on an      |
  |             | attacker-controlled repository, and trick end-users into    |
  |             | downloading from that repository.                           |
  +-------------+-------------------------------------------------------------+
  | Impact      | HIGH                                                        |
  +-------------+-------------------------------------------------------------+
  | Likelihood  | MEDIUM                                                      |
  +-------------+-------------------------------------------------------------+
  | Threat and  | | It is not difficult for an attacker to create a website   |
  | impact      |   with a domain name and look similar to tf.org (website    |
  |             |   spoofing) and host a malicious TF-A source repository.    |
| 506*b908814cSlaurenw-arm | | Similarly, an attacker can create a mirror of the TF-A | 507*b908814cSlaurenw-arm | | repository on GitHub with malicious code in it. However, | 508*b908814cSlaurenw-arm | | for this attack to succeed the attacker needs to trick | 509*b908814cSlaurenw-arm | | the end-user into using the attacker-controlled | 510*b908814cSlaurenw-arm | | repositories. | 511*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 512*b908814cSlaurenw-arm | Proposed | - Users should carefully check the URL of the website | 513*b908814cSlaurenw-arm | Mitigations | before visiting it and the URL of the repository before | 514*b908814cSlaurenw-arm | | checking it out | 515*b908814cSlaurenw-arm | | - Accept reports of spoofing attacks on tf.org and | 516*b908814cSlaurenw-arm | | broadcast a warning to partners | 517*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 518*b908814cSlaurenw-arm | Mitigations | We accept reports of spoofing attacks on tf.org and will | 519*b908814cSlaurenw-arm | implemented?| broadcast a warning to partners | 520*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 521*b908814cSlaurenw-arm 522*b908814cSlaurenw-arm +---------------------------------------------------------------------------+ 523*b908814cSlaurenw-arm | Threat: TFA-SC-TOOL-01 | 524*b908814cSlaurenw-arm +=============+=============================================================+ 525*b908814cSlaurenw-arm | Description | Malicious code can be injected at build time through | 526*b908814cSlaurenw-arm | | malicious tools. 
| 527*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 528*b908814cSlaurenw-arm | Impact | HIGH | 529*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 530*b908814cSlaurenw-arm | Likelihood | LOW | 531*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 532*b908814cSlaurenw-arm | Threat and | | End-users of TF-A use make (or cmake), compilers and | 533*b908814cSlaurenw-arm | impact | linkers (armgcc, armclang or LLVM) to build TF-A | 534*b908814cSlaurenw-arm | | binaries. Although TF-A documentation specifies versions | 535*b908814cSlaurenw-arm | | and official sources of tools used to build TF-A, users | 536*b908814cSlaurenw-arm | | can potentially be tricked into using unofficial, | 537*b908814cSlaurenw-arm | | malicious toolchains. Similar attacks have been used in | 538*b908814cSlaurenw-arm | | the past to inject malicious code into final products | 539*b908814cSlaurenw-arm | | [13]_. 
| 540*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 541*b908814cSlaurenw-arm | Proposed | - Explicitly document versions and official sources of | 542*b908814cSlaurenw-arm | Mitigations | toolchains | 543*b908814cSlaurenw-arm | | - Provide scripts to automatically fetch the latest stable | 544*b908814cSlaurenw-arm | | release of toolchains | 545*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 546*b908814cSlaurenw-arm | Mitigations | We explicitly document versions and official sources of | 547*b908814cSlaurenw-arm | implemented?| toolchains, but have not yet provided scripts to | 548*b908814cSlaurenw-arm | | automatically fetch the latest stable release of toolchains | 549*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 550*b908814cSlaurenw-arm 551*b908814cSlaurenw-arm +---------------------------------------------------------------------------+ 552*b908814cSlaurenw-arm | Threat: TFA-SC-TOOL-02 | 553*b908814cSlaurenw-arm +=============+=============================================================+ 554*b908814cSlaurenw-arm | Description | Malicious code can be executed by developer’s tools at | 555*b908814cSlaurenw-arm | | installation time through malicious Node.js dependencies. 
| 556*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 557*b908814cSlaurenw-arm | Impact | HIGH | 558*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 559*b908814cSlaurenw-arm | Likelihood | LOW | 560*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 561*b908814cSlaurenw-arm | Threat and | | Users of the Node.js tools, including the CI, may be | 562*b908814cSlaurenw-arm | impact | exposed to malicious dependencies that have been missed | 563*b908814cSlaurenw-arm | | by the Node.js dependency auditor. Users of these tools | 564*b908814cSlaurenw-arm | | could potentially be executing malicious code when using | 565*b908814cSlaurenw-arm | | these tools, which could potentially allow a malicious | 566*b908814cSlaurenw-arm | | actor to make silent modifications to the repository or | 567*b908814cSlaurenw-arm | | enable retrieval of user credentials. | 568*b908814cSlaurenw-arm | | | 569*b908814cSlaurenw-arm | | | If successful, the impact can range from low to high | 570*b908814cSlaurenw-arm | | depending on the user's credentials. If the user is an | 571*b908814cSlaurenw-arm | | administrator, this could imply TFA-SC-REPO-01. 
| 572*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 573*b908814cSlaurenw-arm | Proposed | - Limit Node.js tools to a minimal set of trusted packages | 574*b908814cSlaurenw-arm | Mitigations | - Pin Node.js packages to known versions | 575*b908814cSlaurenw-arm | | - Update dependencies for which Node.js’s auditor reports | 576*b908814cSlaurenw-arm | | known CVEs | 577*b908814cSlaurenw-arm | | - Execute Node.js tools in the CI only from within a | 578*b908814cSlaurenw-arm | | trusted container | 579*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 580*b908814cSlaurenw-arm | Mitigations | Yes, Node.js tools are limited to a minimal set of trusted | 581*b908814cSlaurenw-arm | implemented?| packages, packages are pinned to known versions, | 582*b908814cSlaurenw-arm | | dependencies are updated when there are known CVEs | 583*b908814cSlaurenw-arm | | reported, and Node.js tools are only executed within a | 584*b908814cSlaurenw-arm | | trusted container in CI | 585*b908814cSlaurenw-arm +-------------+-------------------------------------------------------------+ 586*b908814cSlaurenw-arm 587*b908814cSlaurenw-armAppendix A 588*b908814cSlaurenw-arm********** 589*b908814cSlaurenw-arm 590*b908814cSlaurenw-armSummary of trustedfirmware.org security: 591*b908814cSlaurenw-arm 592*b908814cSlaurenw-arm.. 
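The mitigations proposed for the dependency, toolchain and Node.js threats above reduce to one check that has to run before anything fetched is trusted: the artifact must have been obtained from the documented official source, and its contents must match a pinned digest. The script below is an added illustration of that check for this threat model; it is not part of TF-A or its build system, and the manifest layout, the ``example.org`` URLs, the entry names and the three-byte stand-in archive are all constructed for the example. It accepts a hex SHA-256 (the form a documented release checksum takes) as well as a Subresource Integrity string of the ``sha512-<base64>`` form that ``package-lock.json`` records for Node.js packages, and it compares download hosts by parsing the URL, so a lookalike domain or a ``documented-host@evil-host`` URL is rejected instead of being matched as a substring.

```python
"""Verify a fetched dependency or toolchain archive against a pinned manifest.

Added example for this threat model, not TF-A project code. The manifest
layout, the entry names, the example.org URLs and the stand-in archive bytes
are assumptions constructed for the illustration.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for a downloaded archive so the example runs offline.
# Both manifest digests below are digests of these three bytes; a real
# manifest would carry the digest of the actual release archive.
SAMPLE_ARCHIVE = b"abc"

# Assumed manifest shape: documented version, official source URL and a
# digest. The digest is either a hex SHA-256 (as a release checksum file
# records it) or an SRI string "<alg>-<base64>" (as package-lock.json records
# it for Node.js packages).
MANIFEST = {
    "example-lib": {
        "version": "1.2.3",
        "source": "https://downloads.example.org/example-lib/example-lib-1.2.3.tar.gz",
        "digest": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
    "example-npm-tool": {
        "version": "4.5.6",
        "source": "https://registry.example.org/example-npm-tool/-/example-npm-tool-4.5.6.tgz",
        "digest": "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=",
    },
}

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def parse_digest(spec: str) -> tuple[str, bytes]:
    """Return (algorithm, raw digest) for a hex SHA-256 or an SRI string."""
    if "-" in spec:
        alg, _, b64 = spec.partition("-")
        if alg not in SRI_ALGORITHMS:
            raise ValueError(f"unsupported SRI algorithm: {alg!r}")
        return alg, base64.b64decode(b64, validate=True)
    return "sha256", bytes.fromhex(spec)


def make_sri(data: bytes, alg: str = "sha512") -> str:
    """Produce the SRI string a lockfile would record for data."""
    if alg not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {alg!r}")
    return f"{alg}-{base64.b64encode(hashlib.new(alg, data).digest()).decode()}"


def verify_digest(data: bytes, spec: str) -> bool:
    """True if data hashes to the pinned digest (constant-time comparison)."""
    alg, expected = parse_digest(spec)
    actual = hashlib.new(alg, data).digest()
    return hmac.compare_digest(actual, expected)


def source_matches(fetched_from: str, documented: str) -> bool:
    """True only if the URL actually used is the documented https source.

    The URL is parsed rather than string-matched: "downloads.example.org.evil"
    is a different host, and "https://downloads.example.org@evil/" is rejected
    because the documented host name sits in the userinfo part.
    """
    got, want = urlsplit(fetched_from), urlsplit(documented)
    if got.scheme != "https" or want.scheme != "https":
        return False  # no plain http, even if the documented entry allowed it
    if got.username is not None or got.password is not None:
        return False  # userinfo in a download URL is a spoofing tell
    if not got.hostname or not want.hostname:
        return False
    return (got.hostname.lower(), got.port, got.path) == (
        want.hostname.lower(), want.port, want.path)


def verify_artifact(name: str, fetched_from: str, data: bytes,
                    manifest: dict = MANIFEST) -> list[str]:
    """Return the reasons to reject an artifact; an empty list means accept."""
    entry = manifest.get(name)
    if entry is None:
        return [f"{name}: not in the manifest, nothing to verify against"]
    problems = []
    if not source_matches(fetched_from, entry["source"]):
        problems.append(f"{name}: fetched from {fetched_from}, "
                        f"documented source is {entry['source']}")
    if not verify_digest(data, entry["digest"]):
        problems.append(f"{name}: digest does not match the value pinned "
                        f"for version {entry['version']}")
    return problems


if __name__ == "__main__":
    for name, entry in MANIFEST.items():
        print(name, verify_artifact(name, entry["source"], SAMPLE_ARCHIVE) or "OK")
    # A lookalike host and a tampered archive are both reported.
    print(verify_artifact(
        "example-lib",
        "https://downloads.example.org.evil.example/example-lib/example-lib-1.2.3.tar.gz",
        SAMPLE_ARCHIVE + b"\x00"))
```

In a fetch script the check sits between the download and the extraction step, and a non-empty result has to abort the build rather than print a warning; checking the source URL as well as the digest matters because a digest alone says nothing about whether the documented site, rather than a spoofed one, was consulted for the pinned value in the first place.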
Appendix A
**********

Summary of trustedfirmware.org security:

.. table:: Table 2: Security information of trustedfirmware.org

   +------------+--------------------+--------------------+--------------------+
   | Software/  | Source and         | Credential and     | Security incident  |
   | System     | integrity          | permission         | response plan      |
   |            |                    | management         |                    |
   +============+====================+====================+====================+
   | Jenkins    | - Jenkins is built | - Use oauth from   | - Monitor CVEs     |
   | (including |   using Dockerfile |   GitHub only      |   and update       |
   | plugins)   |   which is based   | - The password     |   Jenkins LTS on a |
   |            |   on the official  |   strength follows |   monthly cycle    |
   |            |   Jenkins docker   |   GitHub policy    | - Keep plugins up- |
   |            |   image            | - Do not enforce   |   to-date. But it  |
   |            | - Jenkins plugins  |   using two-factor |   is up to the     |
   |            |   are built using  |   authentication   |   plugin owner to  |
   |            |   the official     | - Jenkins uses     |   maintain said    |
   |            |   install-         |   matrix auth      |   plugin           |
   |            |   plugins.sh       |   which allows     |                    |
   |            |                    |   users to manage  |                    |
   |            |                    |   "job" level ACL  |                    |
   |            |                    |   using Jenkins    |                    |
   |            |                    |   Job Builder      |                    |
   |            |                    | - No API token     |                    |
   |            |                    |   enabled          |                    |
   |            |                    | - Jenkins uses the |                    |
   |            |                    |   inbuilt          |                    |
   |            |                    |   credential store |                    |
   |            |                    |   where we store   |                    |
   |            |                    |   credentials for  |                    |
   |            |                    |   LAVA, Jenkins    |                    |
   |            |                    |   Job Builder,     |                    |
   |            |                    |   DockerHub, AWS   |                    |
   |            |                    |   and Gerrit       |                    |
   |            |                    |   tokens. The      |                    |
   |            |                    |   credentials are  |                    |
   |            |                    |   stored as a      |                    |
   |            |                    |   secret in        |                    |
   |            |                    |   Jenkins          |                    |
   |            |                    |   credential       |                    |
   |            |                    |   store. These     |                    |
   |            |                    |   credentials      |                    |
   |            |                    |   can be accessed  |                    |
   |            |                    |   via a Jenkins    |                    |
   |            |                    |   job, but someone |                    |
   |            |                    |   would have to    |                    |
   |            |                    |   push a Jenkins   |                    |
   |            |                    |   Job through a    |                    |
   |            |                    |   Gerrit review to |                    |
   |            |                    |   do this. Gerrit  |                    |
   |            |                    |   maintains the    |                    |
   |            |                    |   ACL for this and |                    |
   |            |                    |   only admins and  |                    |
   |            |                    |   project approvers|                    |
   |            |                    |   can +2 a review. |                    |
   +------------+--------------------+--------------------+--------------------+
   | Gerrit     | - Gerrit package   | - Use oauth from   | - Keep plugins up- |
   | (including |   is installed     |   GitHub only      |   to-date. But it  |
   | plugins)   |   from Linaro top  | - The password     |   is up to the     |
   |            |   level role,      |   strength follows |   plugin owner to  |
   |            |   which has a      |   GitHub policy    |   maintain said    |
   |            |   md5sum check     | - Do not enforce   |   plugin           |
   |            | - Gerrit plugins   |   using two-factor |                    |
   |            |   are installed    |   authentication   |                    |
   |            |   from Ansible     | - Gerrit has ACL   |                    |
   |            |   playbook, from   |   setup within the |                    |
   |            |   the official     |   UI per-project   |                    |
   |            |   Gerrit CI. The   |   level            |                    |
   |            |   plugins are      | - No API token     |                    |
   |            |   downloaded from  |   enabled          |                    |
   |            |   https://gerrit-  | - A ci-bot-user    |                    |
   |            |   ci.gerritforge.  |   created for      |                    |
   |            |   com/             |   getting comments |                    |
   |            | - Do not check     |   from Jenkins     |                    |
   |            |   md5sum for every |                    |                    |
   |            |   plugin           |                    |                    |
   +------------+--------------------+--------------------+--------------------+
   | Git        | - Package is from  | - All credentials  | - Monitor all      |
   |            |   Linaro OBS (Open |   use GitHub. So   |   CVEs and apply   |
   |            |   Build Service)   |   password         |   them immediately |
   |            |   with a couple of |   strength etc. are|   and keep servers |
   |            |   “Linaro          |   based on GitHub  |   up-to-date       |
   |            |   modifications”.  |   policy           |   monthly          |
   |            |   (reference:      |                    | - The security     |
   |            |   Ansible playbook |                    |   incident         |
   |            |   and cgit repo)   |                    |   response plan is |
   |            | - No special       |                    |   a work in        |
   |            |   integrity check  |                    |   progress         |
   +------------+--------------------+--------------------+--------------------+
   | Mailman    | - Installed from   | - It has           | - Plan to monitor  |
   |            |   Ubuntu-          |   administrator    |   the CVEs but no  |
   |            |   distributed      |   passwords for    |   timetable at the |
   |            |   package          |   the various      |   moment           |
   |            | - No special       |   mailing lists    |                    |
   |            |   integrity check  | - The password     |                    |
   |            |   (rely on APT     |   strength is not  |                    |
   |            |   security)        |   specified        |                    |
   +------------+--------------------+--------------------+--------------------+
   | Website    | The website is     | There are no       | - The websites     |
   |            | built on the IT    | credentials        |   themselves are   |
   |            | Services' CI/CD    | associated with    |   static files     |
   |            | server,            | the website        |   hosted on AWS S3 |
   |            | bamboo.linaro.org, | itself. Any        |   and cached by    |
   |            | from a Jekyll git  | permissions        |   AWS CloudFront   |
   |            | repository stored  | required by bamboo | - The software     |
   |            | on GitHub          | to carry out its   |   used to build    |
   |            |                    | tasks are provided |   the website is   |
   |            |                    | through AWS        |   all open source  |
   |            |                    | instance role      |   and Linaro       |
   |            |                    | permissions        |   occasionally     |
   |            |                    |                    |   gets reports     |
   |            |                    |                    |   from GitHub when |
   |            |                    |                    |   an issue is      |
   |            |                    |                    |   detected. Apply  |
   |            |                    |                    |   a fix if it is   |
   |            |                    |                    |   available. This  |
   |            |                    |                    |   includes any     |
   |            |                    |                    |   JavaScript       |
   |            |                    |                    |   frameworks that  |
   |            |                    |                    |   might be used    |
   |            |                    |                    |   within the web   |
   |            |                    |                    |   pages            |
   +------------+--------------------+--------------------+--------------------+
   | ReadTheDocs| - One webhook ID   | - One TF-A account | - Keep database    |
   |            |   per project is   |   with password    |   access list up   |
   |            |   used by TF CI    |   stored in        |   to date          |
   |            |   for building     |   engineering      | - Monitor security |
   |            |   documentation    |   password         |   advisories       |
   |            |   hosted by        |   database is used |                    |
   |            |   ReadTheDocs      |   to manage        |                    |
   |            | - Secret token     |   documentation    |                    |
   |            |   supplied as part | - Access request   |                    |
   |            |   of the webhook   |   is required      |                    |
   |            |   post build       |   for database     |                    |
   |            | - Updated content  |   access           |                    |
   |            |   goes live        | - Token for        |                    |
   |            |   automatically    |   Jenkins webhook  |                    |
   |            |                    |   for CI uses      |                    |
   |            |                    |   secret           |                    |
   |            |                    |   credential       |                    |
   |            |                    |   storage in       |                    |
   |            |                    |   internal Jenkins |                    |
   |            |                    |   and viewable     |                    |
   |            |                    |   only through     |                    |
   |            |                    |   ReadTheDocs      |                    |
   |            |                    |   admin page       |                    |
   +------------+--------------------+--------------------+--------------------+

References
**********

.. [1] https://git.kernel.org/pub/scm/utils/dtc/dtc.git
.. [2] http://zlib.net/
.. [3] https://compiler-rt.llvm.org/
.. [4] https://tls.mbed.org/
.. [5] https://www.openssl.org/
.. [6] https://github.com/ARM-software/SCP-firmware
.. [7] https://github.com/tianocore/edk2
.. [8] https://downloads.trustedfirmware.org/tf-a/
.. [9] https://docs.github.com/en/github/authenticating-to-github/creating-a-strong-password
.. [10] https://trustedfirmware-a.readthedocs.io/en/latest/process/maintenance.html#how-to-become-a-maintainer
.. [11] https://docs.github.com/en/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
.. [12] "Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks"
.. [13] https://www.wired.com/story/supply-chain-hackers-videogames-asus-ccleaner/

*Copyright (c) 2024, Arm Limited. All rights reserved.*

.. |TF-A System Diagram| image:: ../resources/diagrams/tf-a_system_diagram.png
.. |TF-A Data Flow Diagram| image:: ../resources/diagrams/tf-a_data_flow_diagram.png
.. |TF-A Attack Tree| image:: ../resources/diagrams/tf-a_attack_tree.png