First of all, I would like to clarify the "BL2_AT_EL3" macro, as the name is a bit misleading. The purpose of this macro is for platforms which do not have TF-A BL1, where execution starts from EL3. The RME enablement has piggybacked on it. Ideally BL2_AT_EL3
should be decoupled from RME, and it should be renamed to something more meaningful, e.g. BL2_WITHOUT_BL1 or something similar.
The existing name is more suitable for a configuration where the platform has BL1 in it and BL2 can run at EL3 instead of S-EL1. This configuration is currently not available in TF-A, but having this flexibility is not a bad idea and
it can be the platform's choice. But the default configuration would still be BL2 running at S-EL1.
To answer your queries:
1. Is BL2 running at EL3 equally secure (or vulnerable!) as BL2 at S-EL1?
- There are implications if EL3 registers are to be accessed from BL2: this will cause a gap in BL31, and we need to re-initialize EL3 registers to their correct values, as BL2 can execute various programs (drivers, DDR PHY) before jumping
back to EL3 (BL31).
2. One of the reasons not to run BL2 at EL3 is that it cannot access EL3 registers; if secure services are compromised, what's the benefit of guarding EL3?
- There is a theoretical scenario where EL3 can disable the secure world (disable secure interrupts/SMCs) and just run the NS side.
Thanks
Manish