docs(threat-model): cover threats inherent to receiving data over UART
TF-A supports reading input data from UART interfaces. This opens up
an attack vector for arbitrary data to be injected into TF-A, which is
not covered in the threat model right now.
Fill this gap by:
- Updating the data flow diagrams. Data may flow from the UART into
TF-A (and not only the other way around).
- Documenting the threats inherent to reading untrusted data from a
UART.
Change-Id: I508da5d2f7ad5d20717b958d76ab9337c5eca50f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
diff --git a/docs/resources/diagrams/plantuml/tfa_rss_dfd.puml b/docs/resources/diagrams/plantuml/tfa_rss_dfd.puml
index 23f5b17..a7e0ce5 100644
--- a/docs/resources/diagrams/plantuml/tfa_rss_dfd.puml
+++ b/docs/resources/diagrams/plantuml/tfa_rss_dfd.puml
@@ -25,7 +25,7 @@
nsec [label="Non-secure\nClients"]
sec [label="Secure\nClients"]
dbg [label="Debug & Trace"]
- logs [label="Logs\n(UART)"]
+ uart [label="UART"]
nvm [label="Non-volatile\nMemory"]
@@ -65,7 +65,7 @@
# Interactions between nodes
nvm -> bl31 [lhead=cluster_tfa label="DF1"]
- logs -> bl31 [dir="back" lhead=cluster_tfa label="DF2"]
+ uart -> bl31 [dir="both" lhead=cluster_tfa label="DF2"]
dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"]
sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"]
nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"]