1SPMC threat model
2*****************
3
4************************
5Introduction
6************************
7This document provides a threat model for the TF-A `Secure Partition Manager`_
8(SPM) implementation or more generally the S-EL2 reference firmware running on
9systems implementing the FEAT_SEL2 (formerly Armv8.4 Secure EL2) architecture
10extension. The SPM implementation is based on the `Arm Firmware Framework for
11Arm A-profile`_ specification.
12
13In brief, the broad FF-A specification and S-EL2 firmware implementation
14provide:
15
16- Isolation of mutually mistrusting SW components, or endpoints in the FF-A
17  terminology.
18- Distinct sandboxes in the secure world called secure partitions. This permits
19  isolation of services from multiple vendors.
20- A standard protocol for communication and memory sharing between FF-A
21  endpoints.
22- Mutual isolation of the normal world and the secure world (e.g. a Trusted OS
23  is prevented to map an arbitrary NS physical memory region such as the kernel
24  or the Hypervisor).
25
26************************
27Target of Evaluation
28************************
29In this threat model, the target of evaluation is the S-EL2 firmware or the
30``Secure Partition Manager Core`` component (SPMC).
31The monitor and SPMD at EL3 are covered by the `Generic TF-A threat model`_.
32
33The scope for this threat model is:
34
35- The TF-A implementation for the S-EL2 SPMC based on the Hafnium hypervisor
36  running in the secure world of TrustZone (at S-EL2 exception level).
37  The threat model is not related to the normal world Hypervisor or VMs.
38  The S-EL1 SPMC solution is not covered.
39- The implementation complies with the FF-A v1.0 specification.
40- Secure partitions are statically provisioned at boot time.
41- Focus on the run-time part of the life-cycle (no specific emphasis on boot
42  time, factory firmware provisioning, firmware udpate etc.)
43- Not covering advanced or invasive physical attacks such as decapsulation,
44  FIB etc.
45- Assumes secure boot or in particular TF-A trusted boot (TBBR or dual CoT) is
46  enabled. An attacker cannot boot arbitrary images that are not approved by the
47  SiP or platform providers.
48
49Data Flow Diagram
50======================
51Figure 1 shows a high-level data flow diagram for the SPM split into an SPMD
52component at EL3 and an SPMC component at S-EL2. The SPMD mostly acts as a
53relayer/pass-through between the normal world and the secure world. It is
54assumed to expose small attack surface.
55
56A description of each diagram element is given in Table 1. In the diagram, the
57red broken lines indicate trust boundaries.
58
59Components outside of the broken lines are considered untrusted.
60
61.. uml:: ../resources/diagrams/plantuml/spm_dfd.puml
62  :caption: Figure 1: SPMC Data Flow Diagram
63
64.. table:: Table 1: SPMC Data Flow Diagram Description
65
66  +---------------------+--------------------------------------------------------+
67  | Diagram Element     | Description                                            |
68  +=====================+========================================================+
69  | ``DF1``             | SP to SPMC communication. FF-A function invocation or  |
70  |                     | implementation-defined Hypervisor call.                |
71  +---------------------+--------------------------------------------------------+
72  | ``DF2``             | SPMC to SPMD FF-A call.                                |
73  +---------------------+--------------------------------------------------------+
74  | ``DF3``             | SPMD to NS forwarding.                                 |
75  +---------------------+--------------------------------------------------------+
76  | ``DF4``             | SP to SP FF-A direct message request/response.         |
77  |                     | Note as a matter of simplifying the diagram            |
78  |                     | the SP to SP communication happens through the SPMC    |
79  |                     | (SP1 performs a direct message request to the          |
80  |                     | SPMC targeting SP2 as destination. And similarly for   |
81  |                     | the direct message response from SP2 to SP1).          |
82  +---------------------+--------------------------------------------------------+
83  | ``DF5``             | HW control.                                            |
84  +---------------------+--------------------------------------------------------+
85  | ``DF6``             | Bootloader image loading.                              |
86  +---------------------+--------------------------------------------------------+
87  | ``DF7``             | External memory access.                                |
88  +---------------------+--------------------------------------------------------+
89
90*********************
91Threat Analysis
92*********************
93
94This threat model follows a similar methodology to the `Generic TF-A threat model`_.
95The following sections define:
96
97- Trust boundaries
98- Assets
99- Theat agents
100- Threat types
101
102Trust boundaries
103============================
104
105- Normal world is untrusted.
106- Secure world and normal world are separate trust boundaries.
107- EL3 monitor, SPMD and SPMC are trusted.
108- Bootloaders (in particular BL1/BL2 if using TF-A) and run-time BL31 are
109  implicitely trusted by the usage of secure boot.
110- EL3 monitor, SPMD, SPMC do not trust SPs.
111
112.. figure:: ../resources/diagrams/spm-threat-model-trust-boundaries.png
113
114    Figure 2: Trust boundaries
115
116Assets
117============================
118
119The following assets are identified:
120
121- SPMC state.
122- SP state.
123- Information exchange between endpoints (partition messages).
124- SPMC secrets (e.g. pointer authentication key when enabled)
125- SP secrets (e.g. application keys).
126- Scheduling cycles.
127- Shared memory.
128
129Threat Agents
130============================
131
132The following threat agents are identified:
133
134- NS-Endpoint identifies a non-secure endpoint: normal world client at NS-EL2
135  (Hypervisor) or NS-EL1 (VM or OS kernel).
136- S-Endpoint identifies a secure endpoint typically a secure partition.
137- Hardware attacks (non-invasive) requiring a physical access to the device,
138  such as bus probing or DRAM stress.
139
140Threat types
141============================
142
143The following threat categories as exposed in the `Generic TF-A threat model`_
144are re-used:
145
146- Spoofing
147- Tampering
148- Repudiation
149- Information disclosure
150- Denial of service
151- Elevation of privileges
152
153Similarly this threat model re-uses the same threat risk ratings. The risk
154analysis is evaluated based on the environment being ``Server`` or ``Mobile``.
155
156Threat Assessment
157============================
158
159The following threats are identified by applying STRIDE analysis on each diagram
160element of the data flow diagram.
161
162+------------------------+----------------------------------------------------+
163| ID                     | 01                                                 |
164+========================+====================================================+
165| ``Threat``             | **An endpoint impersonates the sender or receiver  |
166|                        | FF-A ID in a direct request/response invocation.** |
167+------------------------+----------------------------------------------------+
168| ``Diagram Elements``   | DF1, DF2, DF3, DF4                                 |
169+------------------------+----------------------------------------------------+
170| ``Affected TF-A        | SPMD, SPMC                                         |
171| Components``           |                                                    |
172+------------------------+----------------------------------------------------+
173| ``Assets``             | SP state                                           |
174+------------------------+----------------------------------------------------+
175| ``Threat Agent``       | NS-Endpoint, S-Endpoint                            |
176+------------------------+----------------------------------------------------+
177| ``Threat Type``        | Spoofing                                           |
178+------------------------+------------------+-----------------+---------------+
179| ``Application``        |   ``Server``     |   ``Mobile``    |               |
180+------------------------+------------------++----------------+---------------+
181| ``Impact``             | Critical(5)      | Critical(5)     |               |
182+------------------------+------------------++----------------+---------------+
183| ``Likelihood``         | Critical(5)      | Critical(5)     |               |
184+------------------------+------------------++----------------+---------------+
185| ``Total Risk Rating``  | Critical(25)     | Critical(25)    |               |
186+------------------------+------------------+-----------------+---------------+
187| ``Mitigations``        | The TF-A SPMC does not mitigate this threat.       |
188|                        | The guidance below is left for a system integrator |
189|                        | to implemented as necessary.                       |
190|                        | The SPMC must enforce checks in the direct message |
191|                        | request/response interfaces such an endpoint cannot|
192|                        | spoof the origin and destination worlds (e.g. a NWd|
193|                        | originated message directed to the SWd cannot use a|
194|                        | SWd ID as the sender ID).                          |
195|                        | Additionally a software component residing in the  |
196|                        | SPMC can be added for the purpose of direct        |
197|                        | request/response filtering.                        |
198|                        | It can be configured with the list of known IDs    |
199|                        | and about which interaction can occur between one  |
200|                        | and another endpoint (e.g. which NWd endpoint ID   |
201|                        | sends a direct request to which SWd endpoint ID).  |
202|                        | This component checks the sender/receiver fields   |
203|                        | for a legitimate communication between endpoints.  |
204|                        | A similar component can exist in the OS kernel     |
205|                        | driver, or Hypervisor although it remains untrusted|
206|                        | by the SPMD/SPMC.                                  |
207+------------------------+----------------------------------------------------+
208
209+------------------------+----------------------------------------------------+
210| ID                     | 02                                                 |
211+========================+====================================================+
212| ``Threat``             | **Tampering with memory shared between an endpoint |
213|                        | and the SPMC.**                                    |
214|                        | A malicious endpoint may attempt tampering with its|
215|                        | RX/TX buffer contents while the SPMC is processing |
216|                        | it (TOCTOU).                                       |
217+------------------------+----------------------------------------------------+
218| ``Diagram Elements``   | DF1, DF3, DF4, DF7                                 |
219+------------------------+----------------------------------------------------+
220| ``Affected TF-A        | SPMC                                               |
221| Components``           |                                                    |
222+------------------------+----------------------------------------------------+
223| ``Assets``             | Shared memory, Information exchange                |
224+------------------------+----------------------------------------------------+
225| ``Threat Agent``       | NS-Endpoint, S-Endpoint                            |
226+------------------------+----------------------------------------------------+
227| ``Threat Type``        | Tampering                                          |
228+------------------------+------------------+-----------------+---------------+
229| ``Application``        |   ``Server``     |   ``Mobile``    |               |
230+------------------------+------------------+-----------------+---------------+
231| ``Impact``             | High (4)         | High (4)        |               |
232+------------------------+------------------+-----------------+---------------+
233| ``Likelihood``         | High (4)         | High (4)        |               |
234+------------------------+------------------+-----------------+---------------+
235| ``Total Risk Rating``  | High (16)        | High (16)       |               |
236+------------------------+------------------+-----------------+---------------+
237| ``Mitigations``        | In context of FF-A v1.0 this is the case of sharing|
238|                        | the RX/TX buffer pair and usage in the             |
239|                        | PARTITION_INFO_GET or mem sharing primitives.      |
240|                        | The SPMC must copy the contents of the TX buffer   |
241|                        | to an internal temporary buffer before processing  |
242|                        | its contents. The SPMC must implement hardened     |
243|                        | input validation on data transmitted through the TX|
244|                        | buffer by an untrusted endpoint.                   |
245|                        | The TF-A SPMC mitigates this threat by enforcing   |
246|                        | checks on data transmitted through RX/TX buffers.  |
247+------------------------+----------------------------------------------------+
248
249+------------------------+----------------------------------------------------+
250| ID                     | 03                                                 |
251+========================+====================================================+
252| ``Threat``             | **An endpoint may tamper with its own state or the |
253|                        | state of another endpoint.**                       |
254|                        | A malicious endpoint may attempt violating:        |
255|                        | - its own or another SP state by using an unusual  |
256|                        | combination (or out-of-order) FF-A function        |
257|                        | invocations.                                       |
258|                        | This can also be an endpoint emitting              |
259|                        | FF-A function invocations to another endpoint while|
260|                        | the latter in not in a state to receive it (e.g. a |
261|                        | SP sends a direct request to the normal world early|
262|                        | while the normal world is not booted yet).         |
263|                        | - the SPMC state itself by employing unexpected    |
264|                        | transitions in FF-A memory sharing, direct requests|
265|                        | and responses, or handling of interrupts.          |
266|                        | This can be led by random stimuli injection or     |
267|                        | fuzzing.                                           |
268+------------------------+----------------------------------------------------+
269| ``Diagram Elements``   | DF1, DF2, DF3, DF4                                 |
270+------------------------+----------------------------------------------------+
271| ``Affected TF-A        | SPMD, SPMC                                         |
272| Components``           |                                                    |
273+------------------------+----------------------------------------------------+
274| ``Assets``             | SP state, SPMC state                               |
275+------------------------+----------------------------------------------------+
276| ``Threat Agent``       | NS-Endpoint, S-Endpoint                            |
277+------------------------+----------------------------------------------------+
278| ``Threat Type``        | Tampering                                          |
279+------------------------+------------------+-----------------+---------------+
280| ``Application``        |   ``Server``     |   ``Mobile``    |               |
281+------------------------+------------------+-----------------+---------------+
282| ``Impact``             | High (4)         | High (4)        |               |
283+------------------------+------------------+-----------------+---------------+
284| ``Likelihood``         | Medium (3)       | Medium (3)      |               |
285+------------------------+------------------+-----------------+---------------+
286| ``Total Risk Rating``  | High (12)        | High (12)       |               |
287+------------------------+------------------+-----------------+---------------+
288| ``Mitigations``        | The SPMC may be vulnerable to invalid state        |
289|                        | transitions for itself or while handling an SP     |
290|                        | state. The FF-A v1.1 specification provides a      |
291|                        | guidance on those state transitions (run-time      |
292|                        | model). The TF-A SPMC will be hardened in future   |
293|                        | releases to follow this guidance.                  |
294|                        | Additionally The TF-A SPMC mitigates the threat by |
295|                        | runs of the Arm `FF-A ACS`_ compliance test suite. |
296+------------------------+----------------------------------------------------+
297
298+------------------------+----------------------------------------------------+
299| ID                     | 04                                                 |
300+========================+====================================================+
301| ``Threat``             | *An attacker may attempt injecting errors by the   |
302|                        | use of external DRAM stress techniques.**          |
303|                        | A malicious agent may attempt toggling an SP       |
304|                        | Stage-2 MMU descriptor bit within the page tables  |
305|                        | that the SPMC manages. This can happen in Rowhammer|
306|                        | types of attack.                                   |
307+------------------------+----------------------------------------------------+
308| ``Diagram Elements``   | DF7                                                |
309+------------------------+----------------------------------------------------+
310| ``Affected TF-A        | SPMC                                               |
311| Components``           |                                                    |
312+------------------------+----------------------------------------------------+
313| ``Assets``             | SP or SPMC state                                   |
314+------------------------+----------------------------------------------------+
315| ``Threat Agent``       | Hardware attack                                    |
316+------------------------+----------------------------------------------------+
317| ``Threat Type``        | Tampering                                          |
318+------------------------+------------------+---------------+-----------------+
319| ``Application``        |   ``Server``     |  ``Mobile``   |                 |
320+------------------------+------------------+---------------+-----------------+
321| ``Impact``             | High (4)         | High (4)	    |                 |
322+------------------------+------------------+---------------+-----------------+
323| ``Likelihood``         | Low (2)          | Medium (3)    |                 |
324+------------------------+------------------+---------------+-----------------+
325| ``Total Risk Rating``  | Medium (8)       | High (12)	    |                 |
326+------------------------+------------------+---------------+-----------------+
327| ``Mitigations``        | The TF-A SPMC does not provide mitigations to this |
328|                        | type of attack. It can be addressed by the use of  |
329|                        | dedicated HW circuity or hardening at the chipset  |
330|                        | or platform level left to the integrator.          |
331+------------------------+----------------------------------------------------+
332
333+------------------------+----------------------------------------------------+
334| ID                     | 05                                                 |
335+========================+====================================================+
336| ``Threat``             | **Protection of the SPMC from a DMA capable device |
337|                        | upstream to an SMMU.**                             |
338|                        | A device may attempt to tamper with the internal   |
339|                        | SPMC code/data sections.                           |
340+------------------------+----------------------------------------------------+
341| ``Diagram Elements``   | DF5                                                |
342+------------------------+----------------------------------------------------+
343| ``Affected TF-A        | SPMC                                               |
344| Components``           |                                                    |
345+------------------------+----------------------------------------------------+
346| ``Assets``             | SPMC or SP state                                   |
347+------------------------+----------------------------------------------------+
348| ``Threat Agent``       | NS-Endpoint, S-Endpoint                            |
349+------------------------+----------------------------------------------------+
350| ``Threat Type``        | Tampering, Elevation of privileges                 |
351+------------------------+------------------+---------------+-----------------+
352| ``Application``        |   ``Server``     |  ``Mobile``   |                 |
353+------------------------+------------------+---------------+-----------------+
354| ``Impact``             | High (4)         | High (4)      |                 |
355+------------------------+------------------+---------------+-----------------+
356| ``Likelihood``         | Medium (3)       | Medium (3)    |                 |
357+------------------------+------------------+---------------+-----------------+
358| ``Total Risk Rating``  | High (12)        | High (12)     |                 |
359+------------------------+------------------+---------------+-----------------+
360| ``Mitigations``        | A platform may prefer assigning boot time,         |
361|                        | statically alocated memory regions through the SMMU|
362|                        | configuration and page tables. The FF-A v1.1       |
363|                        | specification provisions this capability through   |
364|                        | static DMA isolation.                              |
365|                        | The TF-A SPMC does not mitigate this threat.       |
366|                        | It will adopt the static DMA isolation approach in |
367|                        | a future release.                                  |
368+------------------------+----------------------------------------------------+
369
370+------------------------+----------------------------------------------------+
371| ID                     | 06                                                 |
372+========================+====================================================+
373| ``Threat``             | **Replay fragments of past communication between   |
374|                        | endpoints.**                                       |
375|                        | A malicious endpoint may replay a message exchange |
376|                        | that occured between two legitimate endpoint as    |
377|                        | a matter of triggering a malfunction or extracting |
378|                        | secrets from the receiving endpoint. In particular |
379|                        | the memory sharing operation with fragmented       |
380|                        | messages between an endpoint and the SPMC may be   |
381|                        | replayed by a malicious agent as a matter of       |
382|                        | getting access or gaining permissions to a memory  |
383|                        | region which does not belong to this agent.        |
384+------------------------+----------------------------------------------------+
385| ``Diagram Elements``   | DF2, DF3                                           |
386+------------------------+----------------------------------------------------+
387| ``Affected TF-A        | SPMC                                               |
388| Components``           |                                                    |
389+------------------------+----------------------------------------------------+
390| ``Assets``             | Information exchange                               |
391+------------------------+----------------------------------------------------+
392| ``Threat Agent``       | NS-Endpoint, S-Endpoint                            |
393+------------------------+----------------------------------------------------+
394| ``Threat Type``        | Repdudiation                                       |
395+------------------------+------------------+---------------+-----------------+
396| ``Application``        |   ``Server``     |  ``Mobile``   |                 |
397+------------------------+------------------+---------------+-----------------+
398| ``Impact``             | Medium (3)       | Medium (3)    |                 |
399+------------------------+------------------+---------------+-----------------+
400| ``Likelihood``         | High (4)         | High (4)	    |                 |
401+------------------------+------------------+---------------+-----------------+
402| ``Total Risk Rating``  | High (12)        | High (12)     |                 |
403+------------------------+------------------+---------------+-----------------+
404| ``Mitigations``        | The TF-A SPMC does not mitigate this threat.       |
405+------------------------+----------------------------------------------------+
406
407+------------------------+----------------------------------------------------+
408| ID                     | 07                                                 |
409+========================+====================================================+
410| ``Threat``             | **A malicious endpoint may attempt to extract data |
411|                        | or state information by the use of invalid or      |
412|                        | incorrect input arguments.**                       |
413|                        | Lack of input parameter validation or side effects |
414|                        | of maliciously forged input parameters might affect|
415|                        | the SPMC.                                          |
416+------------------------+----------------------------------------------------+
417| ``Diagram Elements``   | DF1, DF2, DF3, DF4                                 |
418+------------------------+----------------------------------------------------+
419| ``Affected TF-A        | SPMD, SPMC                                         |
420| Components``           |                                                    |
421+------------------------+----------------------------------------------------+
422| ``Assets``             | SP secrets, SPMC secrets, SP state, SPMC state     |
423+------------------------+----------------------------------------------------+
424| ``Threat Agent``       | NS-Endpoint, S-Endpoint                            |
425+------------------------+----------------------------------------------------+
426| ``Threat Type``        | Information discolure                              |
427+------------------------+------------------+---------------+-----------------+
428| ``Application``        |   ``Server``     |  ``Mobile``   |                 |
429+------------------------+------------------+---------------+-----------------+
430| ``Impact``             | High (4)         | High (4)      |                 |
431+------------------------+------------------+---------------+-----------------+
432| ``Likelihood``         | Medium (3)       | Medium (3)    |                 |
433+------------------------+------------------+---------------+-----------------+
434| ``Total Risk Rating``  | High (12)        | High (12)     |                 |
435+------------------------+------------------+---------------+-----------------+
436| ``Mitigations``        | Secure Partitions must follow security standards   |
437|                        | and best practises as a way to mitigate the risk   |
438|                        | of common vulnerabilities to be exploited.         |
439|                        | The use of software (canaries) or hardware         |
440|                        | hardening techniques (XN, WXN, BTI, pointer        |
441|                        | authentication, MTE) helps detecting and stopping  |
442|                        | an exploitation early.                             |
443|                        | The TF-A SPMC mitigates this threat by implementing|
444|                        | stack protector, pointer authentication, BTI, XN,  |
445|                        | WXN, security hardening techniques.                |
446+------------------------+----------------------------------------------------+
447
448+------------------------+----------------------------------------------------+
449| ID                     | 08                                                 |
450+========================+====================================================+
451| ``Threat``             | **A malicious endpoint may forge a direct message  |
452|                        | request such that it reveals the internal state of |
453|                        | another endpoint through the direct message        |
454|                        | response.**                                        |
455|                        | The secure partition or SPMC replies to a partition|
456|                        | message by a direct message response with          |
457|                        | information which may reveal its internal state    |
458|                        | (.e.g. partition message response outside of       |
459|                        | allowed bounds).                                   |
460+------------------------+----------------------------------------------------+
461| ``Diagram Elements``   | DF1, DF2, DF3, DF4                                 |
462+------------------------+----------------------------------------------------+
463| ``Affected TF-A        | SPMC                                               |
464| Components``           |                                                    |
465+------------------------+----------------------------------------------------+
466| ``Assets``             | SPMC or SP state                                   |
467+------------------------+----------------------------------------------------+
468| ``Threat Agent``       | NS-Endpoint, S-Endpoint                            |
469+------------------------+----------------------------------------------------+
470| ``Threat Type``        | Information discolure                              |
471+------------------------+------------------+---------------+-----------------+
472| ``Application``        |   ``Server``     |  ``Mobile``   |                 |
473+------------------------+------------------+---------------+-----------------+
474| ``Impact``             | Medium (3)       | Medium (3)    |                 |
475+------------------------+------------------+---------------+-----------------+
476| ``Likelihood``         | Low (2)          | Low (2)	    |                 |
477+------------------------+------------------+---------------+-----------------+
478| ``Total Risk Rating``  | Medium (6)       | Medium (6)    |                 |
479+------------------------+------------------+---------------+-----------------+
480| ``Mitigations``        | For the specific case of direct requests targetting|
481|                        | the SPMC, the latter is hardened to prevent        |
482|                        | its internal state or the state of an SP to be     |
483|                        | revealed through a direct message response.        |
484|                        | Further FF-A v1.1 guidance about run time models   |
485|                        | and partition states will be implemented in future |
486|                        | TF-A SPMC releases.                                |
487+------------------------+----------------------------------------------------+
488
489+------------------------+----------------------------------------------------+
490| ID                     | 09                                                 |
491+========================+====================================================+
492| ``Threat``             | **Probing the FF-A communication between           |
493|                        | endpoints.**                                       |
494|                        | SPMC and SPs are typically loaded to external      |
495|                        | memory (protected by a TrustZone memory            |
496|                        | controller). A malicious agent may use non invasive|
497|                        | methods to probe the external memory bus and       |
498|                        | extract the traffic between an SP and the SPMC or  |
499|                        | among SPs when shared buffers are held in external |
500|                        | memory.                                            |
501+------------------------+----------------------------------------------------+
502| ``Diagram Elements``   | DF7                                                |
503+------------------------+----------------------------------------------------+
504| ``Affected TF-A        | SPMC                                               |
505| Components``           |                                                    |
506+------------------------+----------------------------------------------------+
507| ``Assets``             | SP/SPMC state, SP/SPMC secrets                     |
508+------------------------+----------------------------------------------------+
509| ``Threat Agent``       | Hardware attack                                    |
510+------------------------+----------------------------------------------------+
511| ``Threat Type``        | Information disclosure                             |
512+------------------------+------------------+-----------------+---------------+
513| ``Application``        |   ``Server``     |   ``Mobile``    |               |
514+------------------------+------------------+-----------------+---------------+
515| ``Impact``             | Medium (3)       | Medium (3)      |               |
516+------------------------+------------------+-----------------+---------------+
517| ``Likelihood``         | Low (2)          | Medium (3)      |               |
518+------------------------+------------------+-----------------+---------------+
519| ``Total Risk Rating``  | Medium (6)       | Medium (9)      |               |
520+------------------------+------------------+-----------------+---------------+
521| ``Mitigations``        | It is expected the platform or chipset provides    |
522|                        | guarantees in protecting the DRAM contents.        |
523|                        | The TF-A SPMC does not mitigate this class of      |
524|                        | attack and this is left to the integrator.         |
525+------------------------+----------------------------------------------------+
526
527+------------------------+----------------------------------------------------+
528| ID                     | 10                                                 |
529+========================+====================================================+
530| ``Threat``             | **A malicious agent may attempt revealing the SPMC |
531|                        | state or secrets by the use of software-based cache|
532|                        | side-channel attack techniques.**                  |
533+------------------------+----------------------------------------------------+
534| ``Diagram Elements``   | DF7                                                |
535+------------------------+----------------------------------------------------+
536| ``Affected TF-A        | SPMC                                               |
537| Components``           |                                                    |
538+------------------------+----------------------------------------------------+
539| ``Assets``             | SP or SPMC state                                   |
540+------------------------+----------------------------------------------------+
541| ``Threat Agent``       | NS-Endpoint, S-Endpoint                            |
542+------------------------+----------------------------------------------------+
543| ``Threat Type``        | Information disclosure                             |
544+------------------------+------------------+-----------------+---------------+
545| ``Application``        |   ``Server``     |   ``Mobile``    |               |
546+------------------------+------------------+-----------------+---------------+
547| ``Impact``             | Medium (3)       | Medium (3)      |               |
548+------------------------+------------------+-----------------+---------------+
549| ``Likelihood``         | Low (2)          | Low (2)         |               |
550+------------------------+------------------+-----------------+---------------+
551| ``Total Risk Rating``  | Medium (6)       | Medium (6)      |               |
552+------------------------+------------------+-----------------+---------------+
553| ``Mitigations``        | From an integration perspective it is assumed      |
554|                        | platforms consuming the SPMC component at S-EL2    |
555|                        | (hence implementing the Armv8.4 FEAT_SEL2          |
556|                        | architecture extension) implement mitigations to   |
557|                        | Spectre, Meltdown or other cache timing            |
558|                        | side-channel type of attacks.                      |
559|                        | The TF-A SPMC implements one mitigation (barrier   |
560|                        | preventing speculation past exeception returns).   |
561|                        | The SPMC may be hardened further with SW           |
562|                        | mitigations (e.g. speculation barriers) for the    |
563|                        | cases not covered in HW. Usage of hardened         |
564|                        | compilers and appropriate options, code inspection |
565|                        | are recommended ways to mitigate Spectre types of  |
566|                        | attacks. For non-hardened cores, the usage of      |
567|                        | techniques such a kernel page table isolation can  |
568|                        | help mitigating Meltdown type of attacks.          |
569+------------------------+----------------------------------------------------+
570
571+------------------------+----------------------------------------------------+
572| ID                     | 11                                                 |
573+========================+====================================================+
574| ``Threat``             | **A malicious endpoint may attempt flooding the    |
575|                        | SPMC with requests targetting a service within an  |
576|                        | endpoint such that it denies another endpoint to   |
577|                        | access this service.**                             |
578|                        | Similarly, the malicious endpoint may target a     |
579|                        | a service within an endpoint such that the latter  |
580|                        | is unable to request services from another         |
581|                        | endpoint.                                          |
582+------------------------+----------------------------------------------------+
583| ``Diagram Elements``   | DF1, DF2, DF3, DF4                                 |
584+------------------------+----------------------------------------------------+
585| ``Affected TF-A        | SPMC                                               |
586| Components``           |                                                    |
587+------------------------+----------------------------------------------------+
588| ``Assets``             | SPMC state                                         |
589+------------------------+----------------------------------------------------+
590| ``Threat Agent``       | NS-Endpoint, S-Endpoint                            |
591+------------------------+----------------------------------------------------+
592| ``Threat Type``        | Denial of service                                  |
593+------------------------+------------------+-----------------+---------------+
594| ``Application``        |   ``Server``     |   ``Mobile``    |               |
595+------------------------+------------------+-----------------+---------------+
596| ``Impact``             | Medium (3)       | Medium (3)      |               |
597+------------------------+------------------+-----------------+---------------+
598| ``Likelihood``         | Medium (3)       | Medium (3)      |               |
599+------------------------+------------------+-----------------+---------------+
600| ``Total Risk Rating``  | Medium (9)       | Medium (9)      |               |
601+------------------------+------------------+-----------------+---------------+
602| ``Mitigations``        | The TF-A SPMC does not mitigate this threat.       |
603|                        | Bounding the time for operations to complete can   |
604|                        | be achieved by the usage of a trusted watchdog.    |
605|                        | Other quality of service monitoring can be achieved|
606|                        | in the SPMC such as counting a number of operations|
607|                        | in a limited timeframe.                            |
608+------------------------+----------------------------------------------------+
609
610--------------
611
612*Copyright (c) 2021, Arm Limited. All rights reserved.*
613
614.. _Arm Firmware Framework for Arm A-profile: https://developer.arm.com/docs/den0077/latest
615.. _Secure Partition Manager: ../components/secure-partition-manager.html
616.. _Generic TF-A threat model: ./threat_model.html#threat-analysis
617.. _FF-A ACS: https://github.com/ARM-software/ff-a-acs/releases
618