fix(optee): address late comments and fix bad rc

There were some late comments to the prior change (18635) which are
addressed in this commit. There was also an invalid return value check
which was changed, and the wrong result was being returned via the SMC
call for loading OP-TEE, which is now fixed.

Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
Change-Id: I883ddf966662549a3ef9c801a2d4f47709422332
diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 0e967ba..940cad5 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@@ -921,16 +921,16 @@
 +------------------------+-----------------------------------------------------+
 | ID                     | 14                                                  |
 +========================+=====================================================+
-| Threat                 | | **Security vulnerabilities in the Non-secure OS   |
-|                        |   can lead to secure world compromise if the option |
-|                        |   OPTEE_ALLOW_SMC_LOAD is enabled.**                |
+| Threat                 | | **Attacker wants to execute an arbitrary or       |
+|                        |   untrusted binary as the secure OS.**              |
 |                        |                                                     |
-|                        | | This option trusts the non-secure world up until  |
-|                        |   the point it issues the SMC call to load the      |
-|                        |   Secure BL32 payload. If a compromise occurs       |
-|                        |   before the SMC call is invoked, then arbitrary    |
-|                        |   code execution in S-EL1 can occur or arbitrary    |
-|                        |   memory in EL3 can be overwritten.                 |
+|                        | | When the option OPTEE_ALLOW_SMC_LOAD is enabled,  |
+|                        |   this trusts the non-secure world up until the     |
+|                        |   point it issues the SMC call to load the Secure   |
+|                        |   BL32 payload. If a compromise occurs before the   |
+|                        |   SMC call is invoked, then arbitrary code execution|
+|                        |   in S-EL1 can occur or arbitrary memory in EL3 can |
+|                        |   be overwritten.                                   |
 +------------------------+-----------------------------------------------------+
 | Diagram Elements       | DF5                                                 |
 +------------------------+-----------------------------------------------------+
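Review bot: the wrapped line `|                        |   SMC call is invoked, then arbitrary code execution|` runs the cell text into the right-hand column border, while every other row of this grid table keeps a space of padding before the `|`; rewrap the description (e.g. move "execution" to the following line) so the cell padding stays consistent and the table renders cleanly under reStructuredText.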
@@ -948,9 +948,9 @@
 +------------------------+-----------------+-----------------+-----------------+
 | Impact                 | Critical (5)    | Critical (5)    | Critical (5)    |
 +------------------------+-----------------+-----------------+-----------------+
-| Likelihood             | Low (2)         | Low (2)         | Low (2)         |
+| Likelihood             | High (4)        | High (4)        | High (4)        |
 +------------------------+-----------------+-----------------+-----------------+
-| Total Risk Rating      | Medium (10)     | Medium (10)     | Medium (10)     |
+| Total Risk Rating      | Critical (20)   | Critical (20)   | Critical (20)   |
 +------------------------+-----------------+-----------------+-----------------+
 | Mitigations            | When enabling the option OPTEE_ALLOW_SMC_LOAD,      |
 |                        | the non-secure OS must be considered a closed       |
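Review bot: the Likelihood of threat 14 is raised from Low (2) to High (4) in all three columns, and the Total Risk Rating from Medium (10) to Critical (20), but neither the commit message nor the table text gives the rationale for the re-rating; since the Mitigations row still conditions the threat on OPTEE_ALLOW_SMC_LOAD being enabled, state in the commit message (or in the Threat description) why the likelihood is now considered High, so readers of the threat model can follow the change. The arithmetic itself is consistent (Critical impact 5 x High likelihood 4 = 20).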