Lines Matching refs:A
7 This document provides a threat model for the TF-A `Secure Partition Manager`_
11 Arm A-profile`_ specification.
13 In brief, the broad FF-A specification and S-EL2 firmware implementation
16 - Isolation of mutually mistrusting SW components, or endpoints in the FF-A
20 - A standard protocol for communication and memory sharing between FF-A
31 The monitor and SPMD at EL3 are covered by the `Generic TF-A threat model`_.
35 - The TF-A implementation for the S-EL2 SPMC based on the Hafnium hypervisor
39 - The implementation complies with the FF-A v1.0 specification.
45 - Assumes secure boot or in particular TF-A trusted boot (TBBR or dual CoT) is
56 A description of each diagram element is given in Table 1. In the diagram, the
69 | ``DF1`` | SP to SPMC communication. FF-A function invocation or |
72 | ``DF2`` | SPMC to SPMD FF-A call. |
76 | ``DF4`` | SP to SP FF-A direct message request/response. |
94 This threat model follows a similar methodology to the `Generic TF-A threat model`_.
108 - Bootloaders (in particular BL1/BL2 if using TF-A) and run-time BL31 are
143 The following threat categories as exposed in the `Generic TF-A threat model`_
166 | | FF-A ID in a direct request/response invocation.** |
170 | ``Affected TF-A | SPMD, SPMC |
187 | ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
204 | | A similar component can exist in the OS kernel |
214 | | A malicious endpoint may attempt tampering with its|
220 | ``Affected TF-A | SPMC |
237 | ``Mitigations`` | In context of FF-A v1.0 this is the case of sharing|
245 | | The TF-A SPMC mitigates this threat by enforcing |
254 | | A malicious endpoint may attempt violating: |
256 | | combination (or out-of-order) FF-A function |
259 | | FF-A function invocations to another endpoint while|
264 | | transitions in FF-A memory sharing, direct requests|
271 | ``Affected TF-A | SPMD, SPMC |
290 | | state. The FF-A v1.1 specification provides a |
292 | | model). The TF-A SPMC will be hardened in future |
294 | | Additionally The TF-A SPMC mitigates the threat by |
295 | | runs of the Arm `FF-A ACS`_ compliance test suite. |
303 | | A malicious agent may attempt toggling an SP |
310 | ``Affected TF-A | SPMC |
327 | ``Mitigations`` | The TF-A SPMC does not provide mitigations to this |
338 | | A device may attempt to tamper with the internal |
343 | ``Affected TF-A | SPMC |
360 | ``Mitigations`` | A platform may prefer assigning boot time, |
362 | | configuration and page tables. The FF-A v1.1 |
365 | | The TF-A SPMC does not mitigate this threat. |
375 | | A malicious endpoint may replay a message exchange |
387 | ``Affected TF-A | SPMC |
404 | ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
410 | ``Threat`` | **A malicious endpoint may attempt to extract data |
419 | ``Affected TF-A | SPMD, SPMC |
443 | | The TF-A SPMC mitigates this threat by implementing|
451 | ``Threat`` | **A malicious endpoint may forge a direct message |
463 | ``Affected TF-A | SPMC |
484 | | Further FF-A v1.1 guidance about run time models |
486 | | TF-A SPMC releases. |
492 | ``Threat`` | **Probing the FF-A communication between |
496 | | controller). A malicious agent may use non invasive|
504 | ``Affected TF-A | SPMC |
523 | | The TF-A SPMC does not mitigate this class of |
530 | ``Threat`` | **A malicious agent may attempt revealing the SPMC |
536 | ``Affected TF-A | SPMC |
559 | | The TF-A SPMC implements one mitigation (barrier |
574 | ``Threat`` | **A malicious endpoint may attempt flooding the |
585 | ``Affected TF-A | SPMC |
602 | ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
614 .. _Arm Firmware Framework for Arm A-profile: https://developer.arm.com/docs/den0077/latest
616 .. _Generic TF-A threat model: ./threat_model.html#threat-analysis
617 .. _FF-A ACS: https://github.com/ARM-software/ff-a-acs/releases