docs(spm): update threat model with FF-A v1.1
Update SPM's threat model to contain threats related to notifications
feature, compliant with FF-A v1.1 spec.
Change-Id: I4a825be5dd14137a0d04d532adfe5343714794c5
Signed-off-by: J-Alves <joao.alves@arm.com>
diff --git a/docs/threat_model/threat_model_spm.rst b/docs/threat_model/threat_model_spm.rst
index 82f9916..4db4c66 100644
--- a/docs/threat_model/threat_model_spm.rst
+++ b/docs/threat_model/threat_model_spm.rst
@@ -36,7 +36,8 @@
running in the secure world of TrustZone (at S-EL2 exception level).
The threat model is not related to the normal world Hypervisor or VMs.
The S-EL1 SPMC solution is not covered.
-- The implementation complies with the FF-A v1.0 specification.
+- The implementation complies with the FF-A v1.0 specification, and a few
+ features of FF-A v1.1 specification.
- Secure partitions are statically provisioned at boot time.
- Focus on the run-time part of the life-cycle (no specific emphasis on boot
time, factory firmware provisioning, firmware udpate etc.)
@@ -477,7 +478,7 @@
+------------------------+------------------+---------------+-----------------+
| ``Total Risk Rating`` | Medium (6) | Medium (6) | |
+------------------------+------------------+---------------+-----------------+
-| ``Mitigations`` | For the specific case of direct requests targetting|
+| ``Mitigations`` | For the specific case of direct requests targeting |
| | the SPMC, the latter is hardened to prevent |
| | its internal state or the state of an SP to be |
| | revealed through a direct message response. |
@@ -572,7 +573,7 @@
| ID | 11 |
+========================+====================================================+
| ``Threat`` | **A malicious endpoint may attempt flooding the |
-| | SPMC with requests targetting a service within an |
+| | SPMC with requests targeting a service within an |
| | endpoint such that it denies another endpoint to |
| | access this service.** |
| | Similarly, the malicious endpoint may target a |
@@ -607,7 +608,281 @@
| | in a limited timeframe. |
+------------------------+----------------------------------------------------+
---------------
++------------------------+----------------------------------------------------+
+| ID | 12 |
++========================+====================================================+
+| ``Threat`` | **A malicious endpoint may attempt to allocate |
+| | notifications bitmaps in the SPMC, through the |
+| | FFA_NOTIFICATION_BITMAP_CREATE.** |
+| | This might be an attempt to exhaust SPMC's memory, |
+| | or to allocate a bitmap for a VM that was not |
+| | intended to receive notifications from SPs. Thus |
+| | creating the possibility for a channel that was not|
+| | meant to exist. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Denial of service, Spoofing |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Medium(3) | Medium(3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Medium(3) | Medium(3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium(9) | Medium(9) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC mitigates this threat by defining a |
+| | a fixed size pool for bitmap allocation. |
+| | It also limits the designated FF-A calls to be used|
+| | from NWd endpoints. |
+| | In the NWd the hypervisor is supposed to limit the |
+| | access to the designated FF-A call. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 13 |
++========================+====================================================+
+| ``Threat`` | **A malicious endpoint may attempt to destroy the |
+| | notifications bitmaps in the SPMC, through the |
+| | FFA_NOTIFICATION_BITMAP_DESTROY.** |
+| | This might be an attempt to tamper with the SPMC |
+| | state such that a partition isn't able to receive |
+| | notifications. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Low(2) | Low(2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Low(2) | Low(2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Low(4) | Low(4) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC mitigates this issue by limiting the |
+| | designated FF-A call to be issued by the NWd. |
+| | Also, the notifications bitmap can't be destroyed |
+| | if there are pending notifications. |
+| | In the NWd, the hypervisor must restrict the |
+| | NS-endpoints that can issue the designated call. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 14 |
++========================+====================================================+
+| ``Threat`` | **A malicious endpoint might attempt to give |
+| | permissions to an unintended sender to set |
+| | notifications targeting another receiver using the |
+| | FF-A call FFA_NOTIFICATION_BIND.** |
+| | This might be an attempt to tamper with the SPMC |
+| | state such that an unintended, and possibly |
+| | malicious, communication channel is established. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering, Spoofing |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Low(2) | Low(2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Medium(3) | Medium(3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium(6) | Medium(6) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC mitigates this by restricting |
+| | designated FFA_NOTIFICATION_BIND call to be issued |
+| | by the receiver only. The receiver is responsible |
+| | for allocating the notifications IDs to one |
+| | specific partition. |
+| | Also, receivers that are not meant to receive |
+| | notifications, must have notifications receipt |
+| | disabled in the respective partition's manifest. |
+| | As for calls coming from NWd, if the NWd VM has had|
+| | its bitmap allocated at initialization, the TF-A |
+| | SPMC can't guarantee this threat won't happen. |
+| | The Hypervisor must mitigate in the NWd, similarly |
+| | to SPMC for calls in SWd. Though, if the Hypervisor|
+| | has been compromised, the SPMC won't be able to |
+| | mitigate it for calls forwarded from NWd. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 15 |
++========================+====================================================+
+| ``Threat`` | **A malicious partition endpoint might attempt to |
+| | set notifications that are not bound to it.** |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Spoofing |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Low(2) | Low(2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Low(2) | Low(2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Low(4) | Low(4) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC mitigates this by checking the |
+| | sender's ID provided in the input to the call |
+| | FFA_NOTIFICATION_SET. The SPMC keeps track of which|
+| | notifications are bound to which sender, for a |
+| | given receiver. If the sender is an SP, the |
+| | provided sender ID must match the ID of the |
+| | currently running partition. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 16 |
++========================+====================================================+
+| ``Threat`` | **A malicious partition endpoint might attempt to |
+| | get notifications that are not targeted to it.** |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Spoofing |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Informational(1) | Informational(1)| |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Low(2) | Low(2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Low(2) | Low(2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC mitigates this by checking the |
+| | receiver's ID provided in the input to the call |
+| | FFA_NOTIFICATION_GET. The SPMC keeps track of which|
+| | notifications are pending for each receiver. |
+| | The provided receiver ID must match the ID of the |
+| | currently running partition, if it is an SP. |
+| | For calls forwarded from NWd, the SPMC will return |
+| | the pending notifications if the receiver had its |
+| | bitmap created, and has pending notifications. |
+| | If Hypervisor or OS kernel are compromised, the |
+| | SPMC won't be able to mitigate calls from rogue NWd|
+| | endpoints. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 17 |
++========================+====================================================+
+| ``Threat`` | **A malicious partition endpoint might attempt to |
+| | get the information about pending notifications, |
+| | through the FFA_NOTIFICATION_INFO_GET call.** |
+| | This call is meant to be used by the NWd FF-A |
+| | driver. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Information disclosure |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Low(2) | Low(2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Medium(3) | Medium(3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium(6) | Medium(6) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC mitigates this by returning error to |
+| | calls made by SPs to FFA_NOTIFICATION_INFO_GET. |
+| | If Hypervisor or OS kernel are compromised, the |
+| | SPMC won't be able mitigate calls from rogue NWd |
+| | endpoints. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 18 |
++========================+====================================================+
+| ``Threat`` | **A malicious partition endpoint might attempt to |
+| | flood another partition endpoint with notifications|
+| | hindering its operation.** |
+| | The intent of the malicious endpoint could be to |
+| | interfere with both the receiver's and/or primary |
+| | endpoint execution, as they can both be preempted |
+| | by the NPI and SRI, respectively. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC state, SP state, CPU cycles |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | DoS |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Low(2) | Low(2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Medium(3) | Medium(3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium(6) | Medium(6) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
+| | However, the impact is limited due to the |
+| | architecture: |
+| | - Notifications are not queued, one that has been |
+| | signaled needs to be retrieved by the receiver, |
+| | until it can be sent again. |
+| | - Both SRI and NPI can't be pended until handled |
+| | which limits the amount of spurious interrupts. |
+| | - A given receiver could only bind a maximum number|
+| | of notifications to a given sender, within a given |
+| | execution context. |
++------------------------+----------------------------------------------------+
+
+---------------
*Copyright (c) 2021, Arm Limited. All rights reserved.*