Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 1c7d74eb4ab70551aa52d94bcb73cf1c278abfb7^! / .
commit1c7d74eb4ab70551aa52d94bcb73cf1c278abfb7[log] [tgz]
authorSandrine Bailleux <sandrine.bailleux@arm.com>Thu May 12 16:37:18 2022 +0200
committerSandrine Bailleux <sandrine.bailleux@arm.com>Tue May 17 10:01:11 2022 +0200
tree4a7ebe23ce45d60dc0b43b36315926a648dc39a9
parent0b816db1362e6ee04a21f9bbb1905dc7505c33f8 [diff]
docs(threat-model): revamp threat #9

Reword the description of threat #9 to make it more future-proof for
Arm CCA. By avoiding specific references to secure or non-secure
contexts, in favour of "worlds" and "security contexts", we make the
description equally applicable to 2-world and 4-world architectures.

Note that there are other threats that would benefit from such a
similar revamp but this is out of scope of this patch.

Also list malicious secure world code as a potential threat
agent. This seems to be an oversight in the first version of the
threat model (i.e. this change is not related to Arm CCA).

Change-Id: Id8c8424b0a801104c4f3dc70e344ee702d2b259a
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 611e8a1..86b2134 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst

@@ -617,19 +617,18 @@
 | Threat                 | | **Improperly handled SMC calls can leak register   |
 |                        |   contents**                                         |
 |                        |                                                      |
-|                        | | When switching between secure and non-secure       |
-|                        |   states, register contents of Secure world or       |
-|                        |   register contents of other normal world clients    |
-|                        |   can be leaked.                                     |
+|                        | | When switching between worlds, TF-A register state |
+|                        |   can leak to software in different security         |
+|                        |   contexts.                                          |
 +------------------------+------------------------------------------------------+
-| Diagram Elements       | DF5                                                  |
+| Diagram Elements       | DF4, DF5                                             |
 +------------------------+------------------------------------------------------+
 | Affected TF-A          | BL31                                                 |
 | Components             |                                                      |
 +------------------------+------------------------------------------------------+
 | Assets                 | Sensitive Data                                       |
 +------------------------+------------------------------------------------------+
-| Threat Agent           | NSCode                                               |
+| Threat Agent           | NSCode, SecCode                                      |
 +------------------------+------------------------------------------------------+
 | Threat Type            | Information Disclosure                               |
 +------------------------+-------------------+----------------+-----------------+