Hello,
The next Technical Forum is planned on Thursday, January 21 at 15:00-16:00 UTC (US time zone).
Please reply on this email with your proposals for agenda topics.
Recording and slides of previous meetings are here:
https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
Best regards,
Anton
Hi everyone
I'd like to request comments on an upcoming change to the linker scripts.
Because of some recent changes to the memory layout for level 1 and level 2 isolation, it's now possible to avoid the generation step via tfm_parse_manifest_lists.py for those linker files. This means that the files are static and have been committed into the source tree (as they used to be).
We anticipate this change will make integrating TF-M into non-cmake buildsystems easier, as it will avoid one of the places where files need to be generated at build-time.
The reason this is an RFC is that it is a potentially breaking change, but only for integrators _not_ using the cmake buildsystem.
Currently the linker uses a large variety of pattern matches to organise the partition symbols, with these patterns being defined in the tfm_manifest_list.yaml. After this change, the linker will only look for two patterns:
`*app_rot_partition*` and `*psa_rot_partition*`
With the intention that the secure partitions will be compiled into a static library, where the filename is (for example) `libtfm_psa_rot_partition_crypto.a`. The cmake buildsystem will be updated to generate these filenames, but other integrators will need to adjust their compilation steps else the linking will fail.
Any comments or concerns would be appreciated.
Patches can be found at:
https://review.trustedfirmware.org/q/topic:%23static_linker_scripts%22
Raef
Hi all,
I made a patch<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/7817> to refine the variable naming in manifest tooling, specifically the "manifest.manifest" in templates.
I'm changing it to "partition.manifest" which should be more accurate and easy understanding.
Broadcasting here for anyone has out-of-tree templates.
And any comments are welcome.
Best Regards,
Kevin
Hi Antonio,
Thanks a lot for reviewing the threat model and bringing up this topic.
To fully mitigate the threat you mentioned, NSPE shall enforce NS tasks isolation and assign/manage NS identifications. IMHO, It mainly relies on non-secure side implementation.
Therefore that threat can be covered in the scope of another threat model against NS side.
TF-M is trying to figure out how to assist NSPE to manage and transfer NS identifications. Any suggestion or comment is welcome and helpful! 😊
Best regards,
Hu Ziji
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Antonio Ken IANNILLO via TF-M
Sent: Wednesday, December 30, 2020 7:13 PM
To: tf-m(a)lists.trustedfirmware.org
Subject: Re: [TF-M] TF-M generic threat model
Hi Hu,
I read the threat model and I have a question regarding a potential threat.
I’m not sure it should belong to this generic threat model or it is already included in one of those presented.
The scenario is the following: a NS App X uses a RoT Service that store data private to X. Another NS App Y can fool the SPE to impersonate X and retrieve its private data. For example, X save a value in the secure storage and Y retrieves this value. TF-M prevents this using non secure client identification mechanism. This is a classic confused deputy problem.
Can this be considered a threat in this model or should it belong to another model/TOE?
Best,
--
Antonio Ken Iannillo
Research Scientist – SEDAN group
SnT – Interdisciplinary Centre for Security, Reliability and Trust
UNIVERSITÉ DU LUXEMBOURG
CAMPUS KIRCHBERG
29, avenue John F. Kennedy
L-1855 Luxembourg Kirchberg
T +352 46 66 44 9660
https://akiannillo.github.io/
Hi Anton,
I'd like to give a brief introduction to TF-M generic threat model.
Best regards,
Hu Ziji
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Anton Komlev via TF-M
Sent: Monday, January 4, 2021 5:30 PM
To: 'tf-m(a)lists.trustedfirmware.org' <tf-m(a)lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com>
Subject: [TF-M] Technical Forum call - Jan 7
Hello,
The next Technical Forum is planned on Thursday, January 7 at 6:00-07:00 UTC (Asia time zone).
Please reply on this email with your proposals for agenda topics.
Recording and slides of previous meetings are here:
https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
Best regards,
Anton
Hello,
The next Technical Forum is planned on Thursday, January 7 at 6:00-07:00 UTC (Asia time zone).
Please reply on this email with your proposals for agenda topics.
Recording and slides of previous meetings are here:
https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
Best regards,
Anton
Hi,
The existing section 'TFM_UNPRIV_DATA' now holds nothing - it was designed for holding some data belong to the unprivileged code block, while now the unprivileged code is required as read-only and no place for its read-write data.
Remove this section as it is unused; also remove those code objects exists in the unprivileged code section but has read-write data: 'platform_retarget_dev.o' and 'device_definition.o'.
This patch changes some sources inside the platforms, so the platform owner please help to check if that matters:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/7754
Thanks.
/Ken
Hi Hu,
I read the threat model and I have a question regarding a potential threat.
I’m not sure it should belong to this generic threat model or it is already included in one of those presented.
The scenario is the following: a NS App X uses a RoT Service that store data private to X. Another NS App Y can fool the SPE to impersonate X and retrieve its private data. For example, X save a value in the secure storage and Y retrieves this value. TF-M prevents this using non secure client identification mechanism. This is a classic confused deputy problem.
Can this be considered a threat in this model or should it belong to another model/TOE?
Best,
--
Antonio Ken Iannillo
Research Scientist – SEDAN group
SnT – Interdisciplinary Centre for Security, Reliability and Trust
UNIVERSITÉ DU LUXEMBOURG
CAMPUS KIRCHBERG
29, avenue John F. Kennedy
L-1855 Luxembourg Kirchberg
T +352 46 66 44 9660
https://akiannillo.github.io/
Hi Raef,
Please merge this patch for CI together with your patches.
https://review.trustedfirmware.org/c/ci/tf-m-ci-scripts/+/7755
BR,
Xinyu
-----Original Message-----
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Raef Coles via TF-M
Sent: Tuesday, December 29, 2020 7:56 PM
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: [TF-M] RFC on changes to install directory structure
Hi everyone
I'd like to request for comment on some changes to the TF-M installed files.
Since this is an interface change (though minor), changes to it might cause issues with existing TF-M integrations.
The current install directory looks like:
install
├── export
│ └── tfm
└── outputs
This doesn't give any useful information about what is contained in each directory. The proposed replacement is:
install
├── image_signing
├── interface
└── outputs
Where the contents of `export/tfm` have been moved into `interface`, which better captures the contents of that directory.
`image_signing` is new in the patchset, and contains the scripts, layouts and keys needed to sign an NS image.
The final improvement in the patchset is the ability to control the location of the `install` directory via TFM_INSTALL_PATH which could be useful for integrators.
Feedback would be appreciated if you feel that these new directory names could be improved, or if this change would cause significant breakage for your TF-M integration.
Patchset here:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/7398/6
Raef
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
Hi everyone
I'd like to request for comment on some changes to the TF-M installed files.
Since this is an interface change (though minor), changes to it might cause
issues with existing TF-M integrations.
The current install directory looks like:
install
├── export
│ └── tfm
└── outputs
This doesn't give any useful information about what is contained in each
directory. The proposed replacement is:
install
├── image_signing
├── interface
└── outputs
Where the contents of `export/tfm` have been moved into `interface`, which
better captures the contents of that directory.
`image_signing` is new in the patchset, and contains the scripts, layouts and
keys needed to sign an NS image.
The final improvement in the patchset is the ability to control the location of
the `install` directory via TFM_INSTALL_PATH which could be useful for
integrators.
Feedback would be appreciated if you feel that these new directory names could
be improved, or if this change would cause significant breakage for your TF-M
integration.
Patchset here:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/7398/6
Raef
