1*91f16700SchasingluluEL3 SPMC Threat Model 2*91f16700Schasinglulu********************* 3*91f16700Schasinglulu 4*91f16700Schasinglulu************ 5*91f16700SchasingluluIntroduction 6*91f16700Schasinglulu************ 7*91f16700SchasingluluThis document provides a threat model for the TF-A :ref:`EL3 Secure Partition Manager` 8*91f16700Schasinglulu(EL3 SPM) implementation. The EL3 SPM implementation is based on the 9*91f16700Schasinglulu`Arm Firmware Framework for Arm A-profile`_ specification. 10*91f16700Schasinglulu 11*91f16700Schasinglulu******************** 12*91f16700SchasingluluTarget of Evaluation 13*91f16700Schasinglulu******************** 14*91f16700SchasingluluIn this threat model, the target of evaluation is the ``Secure Partition Manager Core`` 15*91f16700Schasinglulucomponent (SPMC) within the EL3 firmware. 16*91f16700SchasingluluThe monitor and SPMD at EL3 are covered by the :ref:`Generic TF-A threat model 17*91f16700Schasinglulu<threat_analysis>`. 18*91f16700Schasinglulu 19*91f16700SchasingluluThe scope for this threat model is: 20*91f16700Schasinglulu 21*91f16700Schasinglulu- The TF-A implementation for the EL3 SPMC 22*91f16700Schasinglulu- The implementation complies with the FF-A v1.1 specification. 23*91f16700Schasinglulu- Secure partition is statically provisioned at boot time. 24*91f16700Schasinglulu- Focus on the run-time part of the life-cycle (no specific emphasis on boot 25*91f16700Schasinglulu time, factory firmware provisioning, firmware udpate etc.) 26*91f16700Schasinglulu- Not covering advanced or invasive physical attacks such as decapsulation, 27*91f16700Schasinglulu FIB etc. 28*91f16700Schasinglulu 29*91f16700SchasingluluData Flow Diagram 30*91f16700Schasinglulu================= 31*91f16700SchasingluluFigure 1 shows a high-level data flow diagram for the SPM split into an SPMD 32*91f16700Schasingluluand SPMC component at EL3. The SPMD mostly acts as a relayer/pass-through between 33*91f16700Schasingluluthe normal world and the secure world. It is assumed to expose small attack surface. 34*91f16700Schasinglulu 35*91f16700SchasingluluA description of each diagram element is given in Table 1. In the diagram, the 36*91f16700Schasinglulured broken lines indicate trust boundaries. 37*91f16700Schasinglulu 38*91f16700SchasingluluComponents outside of the broken lines are considered untrusted. 39*91f16700Schasinglulu 40*91f16700Schasinglulu.. uml:: ../resources/diagrams/plantuml/el3_spm_dfd.puml 41*91f16700Schasinglulu :caption: Figure 1: EL3 SPMC Data Flow Diagram 42*91f16700Schasinglulu 43*91f16700Schasinglulu.. table:: Table 1: EL3 SPMC Data Flow Diagram Description 44*91f16700Schasinglulu 45*91f16700Schasinglulu +---------------------+--------------------------------------------------------+ 46*91f16700Schasinglulu | Diagram Element | Description | 47*91f16700Schasinglulu +=====================+========================================================+ 48*91f16700Schasinglulu | DF1 | SP to SPMC communication. FF-A function invocation or | 49*91f16700Schasinglulu | | implementation-defined Hypervisor call. | 50*91f16700Schasinglulu | | | 51*91f16700Schasinglulu | | Note:- To communicate with LSP, SP1 performs a direct | 52*91f16700Schasinglulu | | message request to SPMC targeting LSP as destination. | 53*91f16700Schasinglulu +---------------------+--------------------------------------------------------+ 54*91f16700Schasinglulu | DF2 | SPMC to SPMD communication. | 55*91f16700Schasinglulu +---------------------+--------------------------------------------------------+ 56*91f16700Schasinglulu | DF3 | SPMD to NS forwarding. | 57*91f16700Schasinglulu +---------------------+--------------------------------------------------------+ 58*91f16700Schasinglulu | DF4 | SPMC to LSP communication. | 59*91f16700Schasinglulu | | NWd to LSP communication happens through SPMC. | 60*91f16700Schasinglulu | | LSP can send direct response SP1 or NWd through SPMC. | 61*91f16700Schasinglulu +---------------------+--------------------------------------------------------+ 62*91f16700Schasinglulu | DF5 | HW control. | 63*91f16700Schasinglulu +---------------------+--------------------------------------------------------+ 64*91f16700Schasinglulu | DF6 | Bootloader image loading. | 65*91f16700Schasinglulu +---------------------+--------------------------------------------------------+ 66*91f16700Schasinglulu | DF7 | External memory access. | 67*91f16700Schasinglulu +---------------------+--------------------------------------------------------+ 68*91f16700Schasinglulu 69*91f16700Schasinglulu 70*91f16700Schasinglulu*************** 71*91f16700SchasingluluThreat Analysis 72*91f16700Schasinglulu*************** 73*91f16700Schasinglulu 74*91f16700SchasingluluThis threat model follows a similar methodology to the :ref:`Generic TF-A threat model 75*91f16700Schasinglulu<threat_analysis>`. The following sections define: 76*91f16700Schasinglulu 77*91f16700Schasinglulu- Trust boundaries 78*91f16700Schasinglulu- Assets 79*91f16700Schasinglulu- Theat agents 80*91f16700Schasinglulu- Threat types 81*91f16700Schasinglulu 82*91f16700SchasingluluTrust boundaries 83*91f16700Schasinglulu================ 84*91f16700Schasinglulu 85*91f16700Schasinglulu- Normal world is untrusted. 86*91f16700Schasinglulu- Secure world and normal world are separate trust boundaries. 87*91f16700Schasinglulu- EL3 monitor, SPMD and SPMC are trusted. 88*91f16700Schasinglulu- Bootloaders (in particular BL1/BL2 if using TF-A) and run-time BL31 are 89*91f16700Schasinglulu implicitely trusted by the usage of trusted boot. 90*91f16700Schasinglulu- EL3 monitor, SPMD, SPMC do not trust SPs. 91*91f16700Schasinglulu 92*91f16700SchasingluluAssets 93*91f16700Schasinglulu====== 94*91f16700Schasinglulu 95*91f16700SchasingluluThe following assets are identified: 96*91f16700Schasinglulu 97*91f16700Schasinglulu- SPMC state. 98*91f16700Schasinglulu- SP state. 99*91f16700Schasinglulu- Information exchange between endpoints (partition messages). 100*91f16700Schasinglulu- SPMC secrets (e.g. pointer authentication key when enabled) 101*91f16700Schasinglulu- SP secrets (e.g. application keys). 102*91f16700Schasinglulu- Scheduling cycles. 103*91f16700Schasinglulu- Shared memory. 104*91f16700Schasinglulu 105*91f16700SchasingluluThreat Agents 106*91f16700Schasinglulu============= 107*91f16700Schasinglulu 108*91f16700SchasingluluThe following threat agents are identified: 109*91f16700Schasinglulu 110*91f16700Schasinglulu- Non-secure endpoint (referred NS-Endpoint later): normal world client at 111*91f16700Schasinglulu NS-EL2 (Hypervisor) or NS-EL1 (VM or OS kernel). 112*91f16700Schasinglulu- Secure endpoint (referred as S-Endpoint later): typically a secure partition. 113*91f16700Schasinglulu- Hardware attacks (non-invasive) requiring a physical access to the device, 114*91f16700Schasinglulu such as bus probing or DRAM stress. 115*91f16700Schasinglulu 116*91f16700SchasingluluThreat types 117*91f16700Schasinglulu============ 118*91f16700Schasinglulu 119*91f16700SchasingluluThe following threat categories as exposed in the :ref:`Generic TF-A threat model 120*91f16700Schasinglulu<threat_analysis>` 121*91f16700Schasingluluare re-used: 122*91f16700Schasinglulu 123*91f16700Schasinglulu- Spoofing 124*91f16700Schasinglulu- Tampering 125*91f16700Schasinglulu- Repudiation 126*91f16700Schasinglulu- Information disclosure 127*91f16700Schasinglulu- Denial of service 128*91f16700Schasinglulu- Elevation of privileges 129*91f16700Schasinglulu 130*91f16700SchasingluluSimilarly this threat model re-uses the same threat risk ratings. The risk 131*91f16700Schasingluluanalysis is evaluated based on the environment being ``Server`` or ``Mobile``. 132*91f16700SchasingluluIOT is not evaluated as the EL3 SPMC is primarily meant for use in Client. 133*91f16700Schasinglulu 134*91f16700SchasingluluThreat Assessment 135*91f16700Schasinglulu================= 136*91f16700Schasinglulu 137*91f16700SchasingluluThe following threats are identified by applying STRIDE analysis on each diagram 138*91f16700Schasingluluelement of the data flow diagram. 139*91f16700Schasinglulu 140*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 141*91f16700Schasinglulu| ID | 01 | 142*91f16700Schasinglulu+========================+====================================================+ 143*91f16700Schasinglulu| Threat | **An endpoint impersonates the sender | 144*91f16700Schasinglulu| | FF-A ID in a direct request/response invocation.** | 145*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 146*91f16700Schasinglulu| Diagram Elements | DF1, DF2, DF3, DF4 | 147*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 148*91f16700Schasinglulu| Affected TF-A | SPMD, SPMC | 149*91f16700Schasinglulu| Components | | 150*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 151*91f16700Schasinglulu| Assets | SP state | 152*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 153*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 154*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 155*91f16700Schasinglulu| Threat Type | Spoofing | 156*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 157*91f16700Schasinglulu| Application | Server | Mobile | 158*91f16700Schasinglulu+------------------------+--------------------------++------------------------+ 159*91f16700Schasinglulu| Impact | Critical(5) | Critical(5) | 160*91f16700Schasinglulu+------------------------+--------------------------++------------------------+ 161*91f16700Schasinglulu| Likelihood | Critical(5) | Critical(5) | 162*91f16700Schasinglulu+------------------------+--------------------------++------------------------+ 163*91f16700Schasinglulu| Total Risk Rating | Critical(25) | Critical(25) | 164*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 165*91f16700Schasinglulu| Mitigations | SPMC must be able to correctly identify an | 166*91f16700Schasinglulu| | endpoint and enforce checks to disallow spoofing. | 167*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 168*91f16700Schasinglulu| Mitigations | Yes. | 169*91f16700Schasinglulu| implemented? | The SPMC enforces checks in the direct message | 170*91f16700Schasinglulu| | request/response interfaces such an endpoint cannot| 171*91f16700Schasinglulu| | spoof the origin and destination worlds (e.g. a NWd| 172*91f16700Schasinglulu| | originated message directed to the SWd cannot use a| 173*91f16700Schasinglulu| | SWd ID as the sender ID). | 174*91f16700Schasinglulu| | Also enforces check for direct response being sent | 175*91f16700Schasinglulu| | only to originator of request. | 176*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 177*91f16700Schasinglulu 178*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 179*91f16700Schasinglulu| ID | 02 | 180*91f16700Schasinglulu+========================+====================================================+ 181*91f16700Schasinglulu| Threat | **An endpoint impersonates the receiver | 182*91f16700Schasinglulu| | FF-A ID in a direct request/response invocation.** | 183*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 184*91f16700Schasinglulu| Diagram Elements | DF1, DF2, DF3, DF4 | 185*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 186*91f16700Schasinglulu| Affected TF-A | SPMD, SPMC | 187*91f16700Schasinglulu| Components | | 188*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 189*91f16700Schasinglulu| Assets | SP state | 190*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 191*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 192*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 193*91f16700Schasinglulu| Threat Type | Spoofing, Denial of Service | 194*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 195*91f16700Schasinglulu| Application | Server | Mobile | 196*91f16700Schasinglulu+------------------------+--------------------------++------------------------+ 197*91f16700Schasinglulu| Impact | Critical(5) | Critical(5) | 198*91f16700Schasinglulu+------------------------+--------------------------++------------------------+ 199*91f16700Schasinglulu| Likelihood | Critical(5) | Critical(5) | 200*91f16700Schasinglulu+------------------------+--------------------------++------------------------+ 201*91f16700Schasinglulu| Total Risk Rating | Critical(25) | Critical(25) | 202*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 203*91f16700Schasinglulu| Mitigations | Validate if endpoind has permission to send | 204*91f16700Schasinglulu| | request to other endpoint by implementation | 205*91f16700Schasinglulu| | defined means. | 206*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 207*91f16700Schasinglulu| Mitigations | Platform specific. | 208*91f16700Schasinglulu| implemented? | | 209*91f16700Schasinglulu| | The guidance below is left for a system integrator | 210*91f16700Schasinglulu| | to implement as necessary. | 211*91f16700Schasinglulu| | | 212*91f16700Schasinglulu| | Additionally a software component residing in the | 213*91f16700Schasinglulu| | SPMC can be added for the purpose of direct | 214*91f16700Schasinglulu| | request/response filtering. | 215*91f16700Schasinglulu| | | 216*91f16700Schasinglulu| | It can be configured with the list of known IDs | 217*91f16700Schasinglulu| | and about which interaction can occur between one | 218*91f16700Schasinglulu| | and another endpoint (e.g. which NWd endpoint ID | 219*91f16700Schasinglulu| | sends a direct request to which SWd endpoint ID). | 220*91f16700Schasinglulu| | | 221*91f16700Schasinglulu| | This component checks the sender/receiver fields | 222*91f16700Schasinglulu| | for a legitimate communication between endpoints. | 223*91f16700Schasinglulu| | | 224*91f16700Schasinglulu| | A similar component can exist in the OS kernel | 225*91f16700Schasinglulu| | driver, or Hypervisor although it remains untrusted| 226*91f16700Schasinglulu| | by the SPMD/SPMC. | 227*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 228*91f16700Schasinglulu 229*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 230*91f16700Schasinglulu| ID | 03 | 231*91f16700Schasinglulu+========================+====================================================+ 232*91f16700Schasinglulu| Threat | **Tampering with memory shared between an endpoint | 233*91f16700Schasinglulu| | and the SPMC.** | 234*91f16700Schasinglulu| | | 235*91f16700Schasinglulu| | A malicious endpoint may attempt tampering with its| 236*91f16700Schasinglulu| | RX/TX buffer contents while the SPMC is processing | 237*91f16700Schasinglulu| | it (TOCTOU). | 238*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 239*91f16700Schasinglulu| Diagram Elements | DF1, DF3, DF7 | 240*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 241*91f16700Schasinglulu| Affected TF-A | SPMC | 242*91f16700Schasinglulu| Components | | 243*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 244*91f16700Schasinglulu| Assets | Shared memory, Information exchange | 245*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 246*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 247*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 248*91f16700Schasinglulu| Threat Type | Tampering | 249*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 250*91f16700Schasinglulu| Application | Server | Mobile | 251*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 252*91f16700Schasinglulu| Impact | High (4) | High (4) | 253*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 254*91f16700Schasinglulu| Likelihood | High (4) | High (4) | 255*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 256*91f16700Schasinglulu| Total Risk Rating | High (16) | High (16) | 257*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 258*91f16700Schasinglulu| Mitigations | Validate all inputs, copy before use. | 259*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 260*91f16700Schasinglulu| Mitigations | Yes. In context of FF-A v1.1 this is the case of | 261*91f16700Schasinglulu| implemented? | sharing the RX/TX buffer pair and usage in the | 262*91f16700Schasinglulu| | PARTITION_INFO_GET or memory sharing primitives. | 263*91f16700Schasinglulu| | | 264*91f16700Schasinglulu| | The SPMC copies the contents of the TX buffer | 265*91f16700Schasinglulu| | to an internal temporary buffer before processing | 266*91f16700Schasinglulu| | its contents. The SPMC implements hardened input | 267*91f16700Schasinglulu| | validation on data transmitted through the TX | 268*91f16700Schasinglulu| | buffer by an untrusted endpoint. | 269*91f16700Schasinglulu| | | 270*91f16700Schasinglulu| | The TF-A SPMC enforces | 271*91f16700Schasinglulu| | checks on data transmitted through RX/TX buffers. | 272*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 273*91f16700Schasinglulu 274*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 275*91f16700Schasinglulu| ID | 04 | 276*91f16700Schasinglulu+========================+====================================================+ 277*91f16700Schasinglulu| Threat | **An endpoint may tamper with its own state or the | 278*91f16700Schasinglulu| | state of another endpoint.** | 279*91f16700Schasinglulu| | | 280*91f16700Schasinglulu| | A malicious endpoint may attempt violating: | 281*91f16700Schasinglulu| | | 282*91f16700Schasinglulu| | - its own or another SP state by using an unusual | 283*91f16700Schasinglulu| | combination (or out-of-order) FF-A function | 284*91f16700Schasinglulu| | invocations. | 285*91f16700Schasinglulu| | This can also be an endpoint emitting FF-A | 286*91f16700Schasinglulu| | function invocations to another endpoint while | 287*91f16700Schasinglulu| | the latter in not in a state to receive it (e.g. | 288*91f16700Schasinglulu| | SP sends a direct request to the normal world | 289*91f16700Schasinglulu| | early while the normal world is not booted yet). | 290*91f16700Schasinglulu| | - the SPMC state itself by employing unexpected | 291*91f16700Schasinglulu| | transitions in FF-A memory sharing, direct | 292*91f16700Schasinglulu| | requests and responses, or handling of interrupts| 293*91f16700Schasinglulu| | This can be led by random stimuli injection or | 294*91f16700Schasinglulu| | fuzzing. | 295*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 296*91f16700Schasinglulu| Diagram Elements | DF1, DF2, DF3 | 297*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 298*91f16700Schasinglulu| Affected TF-A | SPMD, SPMC | 299*91f16700Schasinglulu| Components | | 300*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 301*91f16700Schasinglulu| Assets | SP state, SPMC state | 302*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 303*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 304*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 305*91f16700Schasinglulu| Threat Type | Tampering | 306*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 307*91f16700Schasinglulu| Application | Server | Mobile | 308*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 309*91f16700Schasinglulu| Impact | High (4) | High (4) | 310*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 311*91f16700Schasinglulu| Likelihood | Medium (3) | Medium (3) | 312*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 313*91f16700Schasinglulu| Total Risk Rating | High (12) | High (12) | 314*91f16700Schasinglulu+------------------------+------------------+-----------------+---------------+ 315*91f16700Schasinglulu| Mitigations | Follow guidelines in FF-A v1.1 specification on | 316*91f16700Schasinglulu| | state transitions (run-time model). | 317*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 318*91f16700Schasinglulu| Mitigations | Yes. The TF-A SPMC is hardened to follow this | 319*91f16700Schasinglulu| implemented? | guidance. | 320*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 321*91f16700Schasinglulu 322*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 323*91f16700Schasinglulu| ID | 05 | 324*91f16700Schasinglulu+========================+====================================================+ 325*91f16700Schasinglulu| Threat | **Replay fragments of past communication between | 326*91f16700Schasinglulu| | endpoints.** | 327*91f16700Schasinglulu| | | 328*91f16700Schasinglulu| | A malicious endpoint may replay a message exchange | 329*91f16700Schasinglulu| | that occurred between two legitimate endpoints as | 330*91f16700Schasinglulu| | a matter of triggering a malfunction or extracting | 331*91f16700Schasinglulu| | secrets from the receiving endpoint. In particular | 332*91f16700Schasinglulu| | the memory sharing operation with fragmented | 333*91f16700Schasinglulu| | messages between an endpoint and the SPMC may be | 334*91f16700Schasinglulu| | replayed by a malicious agent as a matter of | 335*91f16700Schasinglulu| | getting access or gaining permissions to a memory | 336*91f16700Schasinglulu| | region which does not belong to this agent. | 337*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 338*91f16700Schasinglulu| Diagram Elements | DF2, DF3 | 339*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 340*91f16700Schasinglulu| Affected TF-A | SPMC | 341*91f16700Schasinglulu| Components | | 342*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 343*91f16700Schasinglulu| Assets | Information exchange | 344*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 345*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 346*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 347*91f16700Schasinglulu| Threat Type | Repudiation | 348*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 349*91f16700Schasinglulu| Application | Server | Mobile | 350*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 351*91f16700Schasinglulu| Impact | Medium (3) | Medium (3) | 352*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 353*91f16700Schasinglulu| Likelihood | High (4) | High (4) | 354*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 355*91f16700Schasinglulu| Total Risk Rating | High (12) | High (12) | 356*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 357*91f16700Schasinglulu| Mitigations | Strict input validation and state tracking. | 358*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 359*91f16700Schasinglulu| Mitigations | Platform specific. | 360*91f16700Schasinglulu| implemented? | | 361*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 362*91f16700Schasinglulu 363*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 364*91f16700Schasinglulu| ID | 06 | 365*91f16700Schasinglulu+========================+====================================================+ 366*91f16700Schasinglulu| Threat | **A malicious endpoint may attempt to extract data | 367*91f16700Schasinglulu| | or state information by the use of invalid or | 368*91f16700Schasinglulu| | incorrect input arguments.** | 369*91f16700Schasinglulu| | | 370*91f16700Schasinglulu| | Lack of input parameter validation or side effects | 371*91f16700Schasinglulu| | of maliciously forged input parameters might affect| 372*91f16700Schasinglulu| | the SPMC. | 373*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 374*91f16700Schasinglulu| Diagram Elements | DF1, DF2, DF3 | 375*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 376*91f16700Schasinglulu| Affected TF-A | SPMD, SPMC | 377*91f16700Schasinglulu| Components | | 378*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 379*91f16700Schasinglulu| Assets | SP secrets, SPMC secrets, SP state, SPMC state | 380*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 381*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 382*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 383*91f16700Schasinglulu| Threat Type | Information discolure | 384*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 385*91f16700Schasinglulu| Application | Server | Mobile | 386*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 387*91f16700Schasinglulu| Impact | High (4) | High (4) | 388*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 389*91f16700Schasinglulu| Likelihood | Medium (3) | Medium (3) | 390*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 391*91f16700Schasinglulu| Total Risk Rating | High (12) | High (12) | 392*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 393*91f16700Schasinglulu| Mitigations | SPMC must be prepared to receive incorrect input | 394*91f16700Schasinglulu| | data from secure partitions and reject them | 395*91f16700Schasinglulu| | appropriately. | 396*91f16700Schasinglulu| | The use of software (canaries) or hardware | 397*91f16700Schasinglulu| | hardening techniques (XN, WXN, pointer | 398*91f16700Schasinglulu| | authentication) helps detecting and stopping | 399*91f16700Schasinglulu| | an exploitation early. | 400*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 401*91f16700Schasinglulu| Mitigations | Yes. The TF-A SPMC mitigates this threat by | 402*91f16700Schasinglulu| implemented? | implementing stack protector, pointer | 403*91f16700Schasinglulu| | authentication, XN, WXN, security hardening | 404*91f16700Schasinglulu| | techniques. | 405*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 406*91f16700Schasinglulu 407*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 408*91f16700Schasinglulu| ID | 07 | 409*91f16700Schasinglulu+========================+====================================================+ 410*91f16700Schasinglulu| Threat | **A malicious endpoint may forge a direct message | 411*91f16700Schasinglulu| | request such that it reveals the internal state of | 412*91f16700Schasinglulu| | another endpoint through the direct message | 413*91f16700Schasinglulu| | response.** | 414*91f16700Schasinglulu| | | 415*91f16700Schasinglulu| | The secure partition or SPMC replies to a partition| 416*91f16700Schasinglulu| | message by a direct message response with | 417*91f16700Schasinglulu| | information which may reveal its internal state | 418*91f16700Schasinglulu| | (e.g. partition message response outside of | 419*91f16700Schasinglulu| | allowed bounds). | 420*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 421*91f16700Schasinglulu| Diagram Elements | DF1, DF2, DF3 | 422*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 423*91f16700Schasinglulu| Affected TF-A | SPMC | 424*91f16700Schasinglulu| Components | | 425*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 426*91f16700Schasinglulu| Assets | SPMC or SP state | 427*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 428*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 429*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 430*91f16700Schasinglulu| Threat Type | Information discolure | 431*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 432*91f16700Schasinglulu| Application | Server | Mobile | 433*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 434*91f16700Schasinglulu| Impact | Medium (3) | Medium (3) | 435*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 436*91f16700Schasinglulu| Likelihood | Low (2) | Low (2) | 437*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 438*91f16700Schasinglulu| Total Risk Rating | Medium (6) | Medium (6) | 439*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 440*91f16700Schasinglulu| Mitigations | Follow FF-A specification about state transitions, | 441*91f16700Schasinglulu| | run time model, do input validation. | 442*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 443*91f16700Schasinglulu| Mitigations | Yes. For the specific case of direct requests | 444*91f16700Schasinglulu| implemented? | targeting the SPMC, the latter is hardened to | 445*91f16700Schasinglulu| | prevent its internal state or the state of an SP | 446*91f16700Schasinglulu| | to be revealed through a direct message response. | 447*91f16700Schasinglulu| | Further FF-A v1.1 guidance about run time models | 448*91f16700Schasinglulu| | and partition states is followed. | 449*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 450*91f16700Schasinglulu 451*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 452*91f16700Schasinglulu| ID | 08 | 453*91f16700Schasinglulu+========================+====================================================+ 454*91f16700Schasinglulu| Threat | **Probing the FF-A communication between | 455*91f16700Schasinglulu| | endpoints.** | 456*91f16700Schasinglulu| | | 457*91f16700Schasinglulu| | SPMC and SPs are typically loaded to external | 458*91f16700Schasinglulu| | memory (protected by a TrustZone memory | 459*91f16700Schasinglulu| | controller). A malicious agent may use non invasive| 460*91f16700Schasinglulu| | methods to probe the external memory bus and | 461*91f16700Schasinglulu| | extract the traffic between an SP and the SPMC or | 462*91f16700Schasinglulu| | among SPs when shared buffers are held in external | 463*91f16700Schasinglulu| | memory. | 464*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 465*91f16700Schasinglulu| Diagram Elements | DF7 | 466*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 467*91f16700Schasinglulu| Affected TF-A | SPMC | 468*91f16700Schasinglulu| Components | | 469*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 470*91f16700Schasinglulu| Assets | SP/SPMC state, SP/SPMC secrets | 471*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 472*91f16700Schasinglulu| Threat Agent | Hardware attack | 473*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 474*91f16700Schasinglulu| Threat Type | Information disclosure | 475*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 476*91f16700Schasinglulu| Application | Server | Mobile | 477*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 478*91f16700Schasinglulu| Impact | Medium (3) | Medium (3) | 479*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 480*91f16700Schasinglulu| Likelihood | Low (2) | Medium (3) | 481*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 482*91f16700Schasinglulu| Total Risk Rating | Medium (6) | Medium (9) | 483*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 484*91f16700Schasinglulu| Mitigations | Implement DRAM protection techniques using | 485*91f16700Schasinglulu| | hardware countermeasures at platform or chip level.| 486*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 487*91f16700Schasinglulu| Mitigations | Platform specific. | 488*91f16700Schasinglulu| implemented? | | 489*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 490*91f16700Schasinglulu 491*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 492*91f16700Schasinglulu| ID | 09 | 493*91f16700Schasinglulu+========================+====================================================+ 494*91f16700Schasinglulu| Threat | **A malicious agent may attempt revealing the SPMC | 495*91f16700Schasinglulu| | state or secrets by the use of software-based cache| 496*91f16700Schasinglulu| | side-channel attack techniques.** | 497*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 498*91f16700Schasinglulu| Diagram Elements | DF7 | 499*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 500*91f16700Schasinglulu| Affected TF-A | SPMC | 501*91f16700Schasinglulu| Components | | 502*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 503*91f16700Schasinglulu| Assets | SP or SPMC state | 504*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 505*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 506*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 507*91f16700Schasinglulu| Threat Type | Information disclosure | 508*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 509*91f16700Schasinglulu| Application | Server | Mobile | 510*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 511*91f16700Schasinglulu| Impact | Medium (3) | Medium (3) | 512*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 513*91f16700Schasinglulu| Likelihood | Low (2) | Low (2) | 514*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 515*91f16700Schasinglulu| Total Risk Rating | Medium (6) | Medium (6) | 516*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 517*91f16700Schasinglulu| Mitigations | The SPMC may be hardened further with SW | 518*91f16700Schasinglulu| | mitigations (e.g. speculation barriers) for the | 519*91f16700Schasinglulu| | cases not covered in HW. Usage of hardened | 520*91f16700Schasinglulu| | compilers and appropriate options, code inspection | 521*91f16700Schasinglulu| | are recommended ways to mitigate Spectre types of | 522*91f16700Schasinglulu| | attacks. | 523*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 524*91f16700Schasinglulu| Mitigations | No. | 525*91f16700Schasinglulu| implemented? | | 526*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 527*91f16700Schasinglulu 528*91f16700Schasinglulu 529*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 530*91f16700Schasinglulu| ID | 10 | 531*91f16700Schasinglulu+========================+====================================================+ 532*91f16700Schasinglulu| Threat | **A malicious endpoint may attempt flooding the | 533*91f16700Schasinglulu| | SPMC with requests targeting a service within an | 534*91f16700Schasinglulu| | endpoint such that it denies another endpoint to | 535*91f16700Schasinglulu| | access this service.** | 536*91f16700Schasinglulu| | | 537*91f16700Schasinglulu| | Similarly, the malicious endpoint may target a | 538*91f16700Schasinglulu| | a service within an endpoint such that the latter | 539*91f16700Schasinglulu| | is unable to request services from another | 540*91f16700Schasinglulu| | endpoint. | 541*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 542*91f16700Schasinglulu| Diagram Elements | DF1, DF2, DF3 | 543*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 544*91f16700Schasinglulu| Affected TF-A | SPMC | 545*91f16700Schasinglulu| Components | | 546*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 547*91f16700Schasinglulu| Assets | SPMC state, Scheduling cycles | 548*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 549*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 550*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 551*91f16700Schasinglulu| Threat Type | Denial of service | 552*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 553*91f16700Schasinglulu| Application | Server | Mobile | 554*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 555*91f16700Schasinglulu| Impact | Medium (3) | Medium (3) | 556*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 557*91f16700Schasinglulu| Likelihood | Medium (3) | Medium (3) | 558*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 559*91f16700Schasinglulu| Total Risk Rating | Medium (9) | Medium (9) | 560*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 561*91f16700Schasinglulu| Mitigations | Bounding the time for operations to complete can | 562*91f16700Schasinglulu| | be achieved by the usage of a trusted watchdog. | 563*91f16700Schasinglulu| | Other quality of service monitoring can be achieved| 564*91f16700Schasinglulu| | in the SPMC such as counting a number of operations| 565*91f16700Schasinglulu| | in a limited timeframe. | 566*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 567*91f16700Schasinglulu| Mitigations | Platform specific. | 568*91f16700Schasinglulu| implemented? | | 569*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 570*91f16700Schasinglulu 571*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 572*91f16700Schasinglulu| ID | 11 | 573*91f16700Schasinglulu+========================+====================================================+ 574*91f16700Schasinglulu| Threat | **Denying a lender endpoint to make progress if | 575*91f16700Schasinglulu| | borrower endpoint encountered a fatal exception. | 576*91f16700Schasinglulu| | Denying a new sender endpoint to make progress | 577*91f16700Schasinglulu| | if receiver encountered a fatal exception.** | 578*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 579*91f16700Schasinglulu| Diagram Elements | DF1, DF2, DF3 | 580*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 581*91f16700Schasinglulu| Affected TF-A | SPMC | 582*91f16700Schasinglulu| Components | | 583*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 584*91f16700Schasinglulu| Assets | Shared resources, Scheduling cycles. | 585*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 586*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 587*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 588*91f16700Schasinglulu| Threat Type | Denial of service | 589*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 590*91f16700Schasinglulu| Application | Server | Mobile | 591*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 592*91f16700Schasinglulu| Impact | Medium (3) | Medium (3) | 593*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 594*91f16700Schasinglulu| Likelihood | Medium (3) | Medium (3) | 595*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 596*91f16700Schasinglulu| Total Risk Rating | Medium (9) | Medium (9) | 597*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 598*91f16700Schasinglulu| Mitigations | SPMC must be able to detect fatal error in SP and | 599*91f16700Schasinglulu| | take ownership of shared resources. It should | 600*91f16700Schasinglulu| | be able to relinquish the access to shared memory | 601*91f16700Schasinglulu| | regions to allow lender to proceed. | 602*91f16700Schasinglulu| | SPMC must return ABORTED if new direct requests are| 603*91f16700Schasinglulu| | targeted to SP which has had a fatal error. | 604*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 605*91f16700Schasinglulu| Mitigations | Platform specific. | 606*91f16700Schasinglulu| implemented? | | 607*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 608*91f16700Schasinglulu 609*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 610*91f16700Schasinglulu| ID | 12 | 611*91f16700Schasinglulu+========================+====================================================+ 612*91f16700Schasinglulu| Threat | **A malicious endpoint may attempt to donate, | 613*91f16700Schasinglulu| | share, lend, relinquish or reclaim unauthorized | 614*91f16700Schasinglulu| | memory region.** | 615*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 616*91f16700Schasinglulu| Diagram Elements | DF1, DF2, DF3 | 617*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 618*91f16700Schasinglulu| Affected TF-A | SPMC | 619*91f16700Schasinglulu| Components | | 620*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 621*91f16700Schasinglulu| Assets | SP secrets, SPMC secrets, SP state, SPMC state | 622*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 623*91f16700Schasinglulu| Threat Agent | NS-Endpoint, S-Endpoint | 624*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 625*91f16700Schasinglulu| Threat Type | Elevation of Privilege | 626*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 627*91f16700Schasinglulu| Application | Server | Mobile | 628*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 629*91f16700Schasinglulu| Impact | High (4) | High (4) | 630*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 631*91f16700Schasinglulu| Likelihood | High (4) | High (4) | 632*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 633*91f16700Schasinglulu| Total Risk Rating | High (16) | High (16) | 634*91f16700Schasinglulu+------------------------+--------------------------+-------------------------+ 635*91f16700Schasinglulu| Mitigations | Follow FF-A specification guidelines | 636*91f16700Schasinglulu| | on Memory management transactions. | 637*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 638*91f16700Schasinglulu| Mitigations | Yes. The SPMC tracks ownership and access state | 639*91f16700Schasinglulu| implemented? | for memory transactions appropriately, and | 640*91f16700Schasinglulu| | validating the same for all operations. | 641*91f16700Schasinglulu| | SPMC follows FF-A v1.1 | 642*91f16700Schasinglulu| | guidance for memory transaction lifecycle. | 643*91f16700Schasinglulu+------------------------+----------------------------------------------------+ 644*91f16700Schasinglulu 645*91f16700Schasinglulu--------------- 646*91f16700Schasinglulu 647*91f16700Schasinglulu*Copyright (c) 2022-2023, Arm Limited. All rights reserved.* 648*91f16700Schasinglulu 649*91f16700Schasinglulu.. _Arm Firmware Framework for Arm A-profile: https://developer.arm.com/docs/den0077/latest 650*91f16700Schasinglulu.. _FF-A ACS: https://github.com/ARM-software/ff-a-acs/releases 651