summaryrefslogtreecommitdiffstats
path: root/docs/threat_model/threat_model_el3_spm.rst
blob: c3af7a2d86f43098ba7858db3e0e97a2c018697e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
EL3 SPMC Threat Model
*********************

************
Introduction
************
This document provides a threat model for the TF-A `EL3 Secure Partition Manager`_
(EL3 SPM) implementation. The EL3 SPM implementation is based on the
`Arm Firmware Framework for Arm A-profile`_ specification.

********************
Target of Evaluation
********************
In this threat model, the target of evaluation is the ``Secure Partition Manager Core``
component (SPMC) within the EL3 firmware.
The monitor and SPMD at EL3 are covered by the `Generic TF-A threat model`_.

The scope for this threat model is:

- The TF-A implementation for the EL3 SPMC
- The implementation complies with the FF-A v1.1 specification.
- Secure partition is statically provisioned at boot time.
- Focus on the run-time part of the life-cycle (no specific emphasis on boot
  time, factory firmware provisioning, firmware udpate etc.)
- Not covering advanced or invasive physical attacks such as decapsulation,
  FIB etc.

Data Flow Diagram
=================
Figure 1 shows a high-level data flow diagram for the SPM split into an SPMD
and SPMC component at EL3. The SPMD mostly acts as a relayer/pass-through between
the normal world and the secure world. It is assumed to expose small attack surface.

A description of each diagram element is given in Table 1. In the diagram, the
red broken lines indicate trust boundaries.

Components outside of the broken lines are considered untrusted.

.. uml:: ../resources/diagrams/plantuml/el3_spm_dfd.puml
  :caption: Figure 1: EL3 SPMC Data Flow Diagram

.. table:: Table 1: EL3 SPMC Data Flow Diagram Description

  +---------------------+--------------------------------------------------------+
  | Diagram Element     | Description                                            |
  +=====================+========================================================+
  | DF1                 | SP to SPMC communication. FF-A function invocation or  |
  |                     | implementation-defined Hypervisor call.                |
  |                     |                                                        |
  |                     | Note:- To communicate with LSP, SP1 performs a direct  |
  |                     | message request to SPMC targeting LSP as destination.  |
  +---------------------+--------------------------------------------------------+
  | DF2                 | SPMC to SPMD communication.                            |
  +---------------------+--------------------------------------------------------+
  | DF3                 | SPMD to NS forwarding.                                 |
  +---------------------+--------------------------------------------------------+
  | DF4                 | SPMC to LSP communication.                             |
  |                     | NWd to LSP communication happens through SPMC.         |
  |                     | LSP can send direct response SP1 or NWd through SPMC.  |
  +---------------------+--------------------------------------------------------+
  | DF5                 | HW control.                                            |
  +---------------------+--------------------------------------------------------+
  | DF6                 | Bootloader image loading.                              |
  +---------------------+--------------------------------------------------------+
  | DF7                 | External memory access.                                |
  +---------------------+--------------------------------------------------------+


***************
Threat Analysis
***************

This threat model follows a similar methodology to the `Generic TF-A threat model`_.
The following sections define:

- Trust boundaries
- Assets
- Theat agents
- Threat types

Trust boundaries
================

- Normal world is untrusted.
- Secure world and normal world are separate trust boundaries.
- EL3 monitor, SPMD and SPMC are trusted.
- Bootloaders (in particular BL1/BL2 if using TF-A) and run-time BL31 are
  implicitely trusted by the usage of trusted boot.
- EL3 monitor, SPMD, SPMC do not trust SPs.

Assets
======

The following assets are identified:

- SPMC state.
- SP state.
- Information exchange between endpoints (partition messages).
- SPMC secrets (e.g. pointer authentication key when enabled)
- SP secrets (e.g. application keys).
- Scheduling cycles.
- Shared memory.

Threat Agents
=============

The following threat agents are identified:

- Non-secure endpoint (referred NS-Endpoint later): normal world client at
  NS-EL2 (Hypervisor) or NS-EL1 (VM or OS kernel).
- Secure endpoint (referred as S-Endpoint later): typically a secure partition.
- Hardware attacks (non-invasive) requiring a physical access to the device,
  such as bus probing or DRAM stress.

Threat types
============

The following threat categories as exposed in the `Generic TF-A threat model`_
are re-used:

- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privileges

Similarly this threat model re-uses the same threat risk ratings. The risk
analysis is evaluated based on the environment being ``Server`` or ``Mobile``.
IOT is not evaluated as the EL3 SPMC is primarily meant for use in Client.

Threat Assessment
=================

The following threats are identified by applying STRIDE analysis on each diagram
element of the data flow diagram.

+------------------------+----------------------------------------------------+
| ID                     | 01                                                 |
+========================+====================================================+
| Threat                 | **An endpoint impersonates the sender              |
|                        | FF-A ID in a direct request/response invocation.** |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF1, DF2, DF3, DF4                                 |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMD, SPMC                                         |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | SP state                                           |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Spoofing                                           |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |  Mobile                 |
+------------------------+--------------------------++------------------------+
| Impact                 | Critical(5)              | Critical(5)             |
+------------------------+--------------------------++------------------------+
| Likelihood             | Critical(5)              | Critical(5)             |
+------------------------+--------------------------++------------------------+
| Total Risk Rating      | Critical(25)             | Critical(25)            |
+------------------------+--------------------------+-------------------------+
| Mitigations            | SPMC must be able to correctly identify an         |
|                        | endpoint and enforce checks to disallow spoofing.  |
+------------------------+----------------------------------------------------+
| Mitigations            | Yes.                                               |
| implemented?           | The SPMC enforces checks in the direct message     |
|                        | request/response interfaces such an endpoint cannot|
|                        | spoof the origin and destination worlds (e.g. a NWd|
|                        | originated message directed to the SWd cannot use a|
|                        | SWd ID as the sender ID).                          |
|                        | Also enforces check for direct response being sent |
|                        | only to originator of request.                     |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 02                                                 |
+========================+====================================================+
| Threat                 | **An endpoint impersonates the receiver            |
|                        | FF-A ID in a direct request/response invocation.** |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF1, DF2, DF3, DF4                                 |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMD, SPMC                                         |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | SP state                                           |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Spoofing, Denial of Service                        |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |  Mobile                 |
+------------------------+--------------------------++------------------------+
| Impact                 | Critical(5)              | Critical(5)             |
+------------------------+--------------------------++------------------------+
| Likelihood             | Critical(5)              | Critical(5)             |
+------------------------+--------------------------++------------------------+
| Total Risk Rating      | Critical(25)             | Critical(25)            |
+------------------------+--------------------------+-------------------------+
| Mitigations            | Validate if endpoind has permission to send        |
|                        | request to other endpoint by implementation        |
|                        | defined means.                                     |
+------------------------+----------------------------------------------------+
| Mitigations            | Platform specific.                                 |
| implemented?           |                                                    |
|                        | The guidance below is left for a system integrator |
|                        | to implement as necessary.                         |
|                        |                                                    |
|                        | Additionally a software component residing in the  |
|                        | SPMC can be added for the purpose of direct        |
|                        | request/response filtering.                        |
|                        |                                                    |
|                        | It can be configured with the list of known IDs    |
|                        | and about which interaction can occur between one  |
|                        | and another endpoint (e.g. which NWd endpoint ID   |
|                        | sends a direct request to which SWd endpoint ID).  |
|                        |                                                    |
|                        | This component checks the sender/receiver fields   |
|                        | for a legitimate communication between endpoints.  |
|                        |                                                    |
|                        | A similar component can exist in the OS kernel     |
|                        | driver, or Hypervisor although it remains untrusted|
|                        | by the SPMD/SPMC.                                  |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 03                                                 |
+========================+====================================================+
| Threat                 | **Tampering with memory shared between an endpoint |
|                        | and the SPMC.**                                    |
|                        |                                                    |
|                        | A malicious endpoint may attempt tampering with its|
|                        | RX/TX buffer contents while the SPMC is processing |
|                        | it (TOCTOU).                                       |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF1, DF3, DF7                                      |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMC                                               |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | Shared memory, Information exchange                |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Tampering                                          |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |    Mobile               |
+------------------------+--------------------------+-------------------------+
| Impact                 | High (4)                 | High (4)                |
+------------------------+--------------------------+-------------------------+
| Likelihood             | High (4)                 | High (4)                |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | High (16)                | High (16)               |
+------------------------+--------------------------+-------------------------+
| Mitigations            | Validate all inputs, copy before use.              |
+------------------------+----------------------------------------------------+
| Mitigations            | Yes. In context of FF-A v1.1 this is the case of   |
| implemented?           | sharing the RX/TX buffer pair and usage in the     |
|                        | PARTITION_INFO_GET or memory sharing primitives.   |
|                        |                                                    |
|                        | The SPMC copies the contents of the TX buffer      |
|                        | to an internal temporary buffer before processing  |
|                        | its contents. The SPMC implements hardened input   |
|                        | validation on data transmitted through the TX      |
|                        | buffer by an untrusted endpoint.                   |
|                        |                                                    |
|                        | The TF-A SPMC enforces                             |
|                        | checks on data transmitted through RX/TX buffers.  |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 04                                                 |
+========================+====================================================+
| Threat                 | **An endpoint may tamper with its own state or the |
|                        | state of another endpoint.**                       |
|                        |                                                    |
|                        | A malicious endpoint may attempt violating:        |
|                        |                                                    |
|                        | - its own or another SP state by using an unusual  |
|                        |   combination (or out-of-order) FF-A function      |
|                        |   invocations.                                     |
|                        |   This can also be an endpoint emitting FF-A       |
|                        |   function invocations to another endpoint while   |
|                        |   the latter in not in a state to receive it (e.g. |
|                        |   SP sends a direct request to the normal world    |
|                        |   early while the normal world is not booted yet). |
|                        | - the SPMC state itself by employing unexpected    |
|                        |   transitions in FF-A memory sharing, direct       |
|                        |   requests and responses, or handling of interrupts|
|                        |   This can be led by random stimuli injection or   |
|                        |   fuzzing.                                         |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF1, DF2, DF3                                      |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMD, SPMC                                         |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | SP state, SPMC state                               |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Tampering                                          |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |   Mobile                |
+------------------------+--------------------------+-------------------------+
| Impact                 | High (4)                 | High (4)                |
+------------------------+--------------------------+-------------------------+
| Likelihood             | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | High (12)                | High (12)               |
+------------------------+------------------+-----------------+---------------+
| Mitigations            | Follow guidelines in FF-A v1.1 specification on    |
|                        | state transitions (run-time model).                |
+------------------------+----------------------------------------------------+
| Mitigations            | Yes. The TF-A SPMC is hardened to follow this      |
| implemented?           | guidance.                                          |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 05                                                 |
+========================+====================================================+
| Threat                 | **Replay fragments of past communication between   |
|                        | endpoints.**                                       |
|                        |                                                    |
|                        | A malicious endpoint may replay a message exchange |
|                        | that occurred between two legitimate endpoints as  |
|                        | a matter of triggering a malfunction or extracting |
|                        | secrets from the receiving endpoint. In particular |
|                        | the memory sharing operation with fragmented       |
|                        | messages between an endpoint and the SPMC may be   |
|                        | replayed by a malicious agent as a matter of       |
|                        | getting access or gaining permissions to a memory  |
|                        | region which does not belong to this agent.        |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF2, DF3                                           |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMC                                               |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | Information exchange                               |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Repudiation                                        |
+------------------------+--------------------------+-------------------------+
| Application            |     Server               |    Mobile               |
+------------------------+--------------------------+-------------------------+
| Impact                 | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Likelihood             | High (4)                 | High (4)	              |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | High (12)                | High (12)               |
+------------------------+--------------------------+-------------------------+
| Mitigations            | Strict input validation and state tracking.        |
+------------------------+----------------------------------------------------+
| Mitigations            | Platform specific.                                 |
| implemented?           |                                                    |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 06                                                 |
+========================+====================================================+
| Threat                 | **A malicious endpoint may attempt to extract data |
|                        | or state information by the use of invalid or      |
|                        | incorrect input arguments.**                       |
|                        |                                                    |
|                        | Lack of input parameter validation or side effects |
|                        | of maliciously forged input parameters might affect|
|                        | the SPMC.                                          |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF1, DF2, DF3                                      |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMD, SPMC                                         |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | SP secrets, SPMC secrets, SP state, SPMC state     |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Information discolure                              |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |  Mobile                 |
+------------------------+--------------------------+-------------------------+
| Impact                 | High (4)                 | High (4)                |
+------------------------+--------------------------+-------------------------+
| Likelihood             | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | High (12)                | High (12)               |
+------------------------+--------------------------+-------------------------+
| Mitigations            | SPMC must be prepared to receive incorrect input   |
|                        | data from secure partitions and reject them        |
|                        | appropriately.                                     |
|                        | The use of software (canaries) or hardware         |
|                        | hardening techniques (XN, WXN, pointer             |
|                        | authentication) helps detecting and stopping       |
|                        | an exploitation early.                             |
+------------------------+----------------------------------------------------+
| Mitigations            | Yes. The TF-A SPMC mitigates this threat by        |
| implemented?           | implementing stack protector, pointer              |
|                        | authentication, XN, WXN, security hardening        |
|                        | techniques.                                        |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 07                                                 |
+========================+====================================================+
| Threat                 | **A malicious endpoint may forge a direct message  |
|                        | request such that it reveals the internal state of |
|                        | another endpoint through the direct message        |
|                        | response.**                                        |
|                        |                                                    |
|                        | The secure partition or SPMC replies to a partition|
|                        | message by a direct message response with          |
|                        | information which may reveal its internal state    |
|                        | (e.g. partition message response outside of        |
|                        | allowed bounds).                                   |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF1, DF2, DF3                                      |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMC                                               |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | SPMC or SP state                                   |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Information discolure                              |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |  Mobile                 |
+------------------------+--------------------------+-------------------------+
| Impact                 | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Likelihood             | Low (2)                  | Low (2)	              |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | Medium (6)               | Medium (6)              |
+------------------------+--------------------------+-------------------------+
| Mitigations            | Follow FF-A specification about state transitions, |
|                        | run time model, do input validation.               |
+------------------------+----------------------------------------------------+
| Mitigations            | Yes. For the specific case of direct requests      |
| implemented?           | targeting the SPMC, the latter is hardened to      |
|                        | prevent its internal state or the state of an SP   |
|                        | to be revealed through a direct message response.  |
|                        | Further FF-A v1.1 guidance about run time models   |
|                        | and partition states is followed.                  |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 08                                                 |
+========================+====================================================+
| Threat                 | **Probing the FF-A communication between           |
|                        | endpoints.**                                       |
|                        |                                                    |
|                        | SPMC and SPs are typically loaded to external      |
|                        | memory (protected by a TrustZone memory            |
|                        | controller). A malicious agent may use non invasive|
|                        | methods to probe the external memory bus and       |
|                        | extract the traffic between an SP and the SPMC or  |
|                        | among SPs when shared buffers are held in external |
|                        | memory.                                            |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF7                                                |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMC                                               |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | SP/SPMC state, SP/SPMC secrets                     |
+------------------------+----------------------------------------------------+
| Threat Agent           | Hardware attack                                    |
+------------------------+----------------------------------------------------+
| Threat Type            | Information disclosure                             |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |   Mobile                |
+------------------------+--------------------------+-------------------------+
| Impact                 | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Likelihood             | Low (2)                  | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | Medium (6)               | Medium (9)              |
+------------------------+--------------------------+-------------------------+
| Mitigations            | Implement DRAM protection techniques using         |
|                        | hardware countermeasures at platform or chip level.|
+------------------------+--------------------------+-------------------------+
| Mitigations            | Platform specific.                                 |
| implemented?           |                                                    |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 09                                                 |
+========================+====================================================+
| Threat                 | **A malicious agent may attempt revealing the SPMC |
|                        | state or secrets by the use of software-based cache|
|                        | side-channel attack techniques.**                  |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF7                                                |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMC                                               |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | SP or SPMC state                                   |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Information disclosure                             |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |   Mobile                |
+------------------------+--------------------------+-------------------------+
| Impact                 | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Likelihood             | Low (2)                  | Low (2)                 |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | Medium (6)               | Medium (6)              |
+------------------------+--------------------------+-------------------------+
| Mitigations            | The SPMC may be hardened further with SW           |
|                        | mitigations (e.g. speculation barriers) for the    |
|                        | cases not covered in HW. Usage of hardened         |
|                        | compilers and appropriate options, code inspection |
|                        | are recommended ways to mitigate Spectre types of  |
|                        | attacks.                                           |
+------------------------+----------------------------------------------------+
| Mitigations            | No.                                                |
| implemented?           |                                                    |
+------------------------+----------------------------------------------------+


+------------------------+----------------------------------------------------+
| ID                     | 10                                                 |
+========================+====================================================+
| Threat                 | **A malicious endpoint may attempt flooding the    |
|                        | SPMC with requests targeting a service within an   |
|                        | endpoint such that it denies another endpoint to   |
|                        | access this service.**                             |
|                        |                                                    |
|                        | Similarly, the malicious endpoint may target a     |
|                        | a service within an endpoint such that the latter  |
|                        | is unable to request services from another         |
|                        | endpoint.                                          |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF1, DF2, DF3                                      |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMC                                               |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | SPMC state, Scheduling cycles                      |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Denial of service                                  |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |   Mobile                |
+------------------------+--------------------------+-------------------------+
| Impact                 | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Likelihood             | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | Medium (9)               | Medium (9)              |
+------------------------+--------------------------+-------------------------+
| Mitigations            | Bounding the time for operations to complete can   |
|                        | be achieved by the usage of a trusted watchdog.    |
|                        | Other quality of service monitoring can be achieved|
|                        | in the SPMC such as counting a number of operations|
|                        | in a limited timeframe.                            |
+------------------------+----------------------------------------------------+
| Mitigations            | Platform specific.                                 |
| implemented?           |                                                    |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 11                                                 |
+========================+====================================================+
| Threat                 | **Denying a lender endpoint to make progress if    |
|                        | borrower endpoint encountered a fatal exception.   |
|                        | Denying a new sender endpoint to make progress     |
|                        | if receiver encountered a fatal exception.**       |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF1, DF2, DF3                                      |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMC                                               |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 | Shared resources, Scheduling cycles.               |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Denial of service                                  |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |   Mobile                |
+------------------------+--------------------------+-------------------------+
| Impact                 | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Likelihood             | Medium (3)               | Medium (3)              |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | Medium (9)               | Medium (9)              |
+------------------------+--------------------------+-------------------------+
| Mitigations            | SPMC must be able to detect fatal error in SP and  |
|                        | take ownership of shared resources. It should      |
|                        | be able to relinquish the access to shared memory  |
|                        | regions to allow lender to proceed.                |
|                        | SPMC must return ABORTED if new direct requests are|
|                        | targeted to SP which has had a fatal error.        |
+------------------------+----------------------------------------------------+
| Mitigations            | Platform specific.                                 |
| implemented?           |                                                    |
+------------------------+----------------------------------------------------+

+------------------------+----------------------------------------------------+
| ID                     | 12                                                 |
+========================+====================================================+
| Threat                 | **A malicious endpoint may attempt to donate,      |
|                        | share, lend, relinquish or reclaim unauthorized    |
|                        | memory region.**                                   |
+------------------------+----------------------------------------------------+
| Diagram Elements       | DF1, DF2, DF3                                      |
+------------------------+----------------------------------------------------+
| Affected TF-A          | SPMC                                               |
| Components             |                                                    |
+------------------------+----------------------------------------------------+
| Assets                 |  SP secrets, SPMC secrets, SP state, SPMC state    |
+------------------------+----------------------------------------------------+
| Threat Agent           | NS-Endpoint, S-Endpoint                            |
+------------------------+----------------------------------------------------+
| Threat Type            | Elevation of Privilege                             |
+------------------------+--------------------------+-------------------------+
| Application            |   Server                 |   Mobile                |
+------------------------+--------------------------+-------------------------+
| Impact                 | High (4)                 | High   (4)              |
+------------------------+--------------------------+-------------------------+
| Likelihood             | High (4)                 | High (4)                |
+------------------------+--------------------------+-------------------------+
| Total Risk Rating      | High (16)                | High (16)               |
+------------------------+--------------------------+-------------------------+
| Mitigations            | Follow FF-A specification guidelines               |
|                        | on Memory management transactions.                 |
+------------------------+----------------------------------------------------+
| Mitigations            | Yes. The SPMC tracks ownership and access state    |
| implemented?           | for memory transactions appropriately, and         |
|                        | validating the same for all operations.            |
|                        | SPMC follows FF-A v1.1                             |
|                        | guidance for memory transaction lifecycle.         |
+------------------------+----------------------------------------------------+

---------------

*Copyright (c) 2022, Arm Limited. All rights reserved.*

.. _Arm Firmware Framework for Arm A-profile: https://developer.arm.com/docs/den0077/latest
.. _EL3 Secure Partition Manager: ../components/el3-spmc.html
.. _Generic TF-A threat model: ./threat_model.html#threat-analysis
.. _FF-A ACS: https://github.com/ARM-software/ff-a-acs/releases