blob: 24a115bfafe281e1d6998065fe303f3f74c5586b [file] [log] [blame]
Gary Morrisond4d951a2021-11-10 14:40:15 -06001SPMC Threat Model
Olivier Deprez86d1ffd2021-06-01 15:37:16 +02002*****************
3
4************************
5Introduction
6************************
Thaddeus Serna8709cc92023-08-14 13:28:59 -05007This document provides a threat model for the TF-A :ref:`Secure Partition Manager`
Olivier Deprez86d1ffd2021-06-01 15:37:16 +02008(SPM) implementation or more generally the S-EL2 reference firmware running on
9systems implementing the FEAT_SEL2 (formerly Armv8.4 Secure EL2) architecture
10extension. The SPM implementation is based on the `Arm Firmware Framework for
Olivier Deprez2b0be752021-09-01 10:25:21 +020011Arm A-profile`_ specification.
Olivier Deprez86d1ffd2021-06-01 15:37:16 +020012
13In brief, the broad FF-A specification and S-EL2 firmware implementation
14provide:
15
16- Isolation of mutually mistrusting SW components, or endpoints in the FF-A
17 terminology.
18- Distinct sandboxes in the secure world called secure partitions. This permits
19 isolation of services from multiple vendors.
20- A standard protocol for communication and memory sharing between FF-A
21 endpoints.
22- Mutual isolation of the normal world and the secure world (e.g. a Trusted OS
23 is prevented to map an arbitrary NS physical memory region such as the kernel
24 or the Hypervisor).
25
26************************
27Target of Evaluation
28************************
29In this threat model, the target of evaluation is the S-EL2 firmware or the
30``Secure Partition Manager Core`` component (SPMC).
Thaddeus Serna8709cc92023-08-14 13:28:59 -050031The monitor and SPMD at EL3 are covered by the :ref:`Generic TF-A threat model
32<threat_analysis>`.
Olivier Deprez86d1ffd2021-06-01 15:37:16 +020033
34The scope for this threat model is:
35
36- The TF-A implementation for the S-EL2 SPMC based on the Hafnium hypervisor
37 running in the secure world of TrustZone (at S-EL2 exception level).
38 The threat model is not related to the normal world Hypervisor or VMs.
J-Alves3e793032022-12-05 18:37:06 +000039 The S-EL1 and EL3 SPMC solutions are not covered.
J-Alvesfce56802021-11-11 17:23:53 +000040- The implementation complies with the FF-A v1.0 specification, and a few
41 features of FF-A v1.1 specification.
Olivier Deprez86d1ffd2021-06-01 15:37:16 +020042- Secure partitions are statically provisioned at boot time.
43- Focus on the run-time part of the life-cycle (no specific emphasis on boot
44 time, factory firmware provisioning, firmware udpate etc.)
45- Not covering advanced or invasive physical attacks such as decapsulation,
46 FIB etc.
47- Assumes secure boot or in particular TF-A trusted boot (TBBR or dual CoT) is
48 enabled. An attacker cannot boot arbitrary images that are not approved by the
49 SiP or platform providers.
50
51Data Flow Diagram
52======================
53Figure 1 shows a high-level data flow diagram for the SPM split into an SPMD
54component at EL3 and an SPMC component at S-EL2. The SPMD mostly acts as a
55relayer/pass-through between the normal world and the secure world. It is
56assumed to expose small attack surface.
57
58A description of each diagram element is given in Table 1. In the diagram, the
59red broken lines indicate trust boundaries.
60
61Components outside of the broken lines are considered untrusted.
62
63.. uml:: ../resources/diagrams/plantuml/spm_dfd.puml
64 :caption: Figure 1: SPMC Data Flow Diagram
65
66.. table:: Table 1: SPMC Data Flow Diagram Description
67
68 +---------------------+--------------------------------------------------------+
69 | Diagram Element | Description |
70 +=====================+========================================================+
71 | ``DF1`` | SP to SPMC communication. FF-A function invocation or |
72 | | implementation-defined Hypervisor call. |
73 +---------------------+--------------------------------------------------------+
74 | ``DF2`` | SPMC to SPMD FF-A call. |
75 +---------------------+--------------------------------------------------------+
76 | ``DF3`` | SPMD to NS forwarding. |
77 +---------------------+--------------------------------------------------------+
78 | ``DF4`` | SP to SP FF-A direct message request/response. |
79 | | Note as a matter of simplifying the diagram |
80 | | the SP to SP communication happens through the SPMC |
81 | | (SP1 performs a direct message request to the |
82 | | SPMC targeting SP2 as destination. And similarly for |
83 | | the direct message response from SP2 to SP1). |
84 +---------------------+--------------------------------------------------------+
85 | ``DF5`` | HW control. |
86 +---------------------+--------------------------------------------------------+
87 | ``DF6`` | Bootloader image loading. |
88 +---------------------+--------------------------------------------------------+
89 | ``DF7`` | External memory access. |
90 +---------------------+--------------------------------------------------------+
91
92*********************
93Threat Analysis
94*********************
95
Thaddeus Serna8709cc92023-08-14 13:28:59 -050096This threat model follows a similar methodology to the :ref:`Generic TF-A threat model
97<threat_analysis>`.
Olivier Deprez86d1ffd2021-06-01 15:37:16 +020098The following sections define:
99
100- Trust boundaries
101- Assets
102- Theat agents
103- Threat types
104
105Trust boundaries
106============================
107
108- Normal world is untrusted.
109- Secure world and normal world are separate trust boundaries.
110- EL3 monitor, SPMD and SPMC are trusted.
111- Bootloaders (in particular BL1/BL2 if using TF-A) and run-time BL31 are
112 implicitely trusted by the usage of secure boot.
113- EL3 monitor, SPMD, SPMC do not trust SPs.
114
115.. figure:: ../resources/diagrams/spm-threat-model-trust-boundaries.png
116
117 Figure 2: Trust boundaries
118
119Assets
120============================
121
122The following assets are identified:
123
124- SPMC state.
125- SP state.
126- Information exchange between endpoints (partition messages).
127- SPMC secrets (e.g. pointer authentication key when enabled)
128- SP secrets (e.g. application keys).
129- Scheduling cycles.
130- Shared memory.
131
132Threat Agents
133============================
134
135The following threat agents are identified:
136
137- NS-Endpoint identifies a non-secure endpoint: normal world client at NS-EL2
138 (Hypervisor) or NS-EL1 (VM or OS kernel).
139- S-Endpoint identifies a secure endpoint typically a secure partition.
140- Hardware attacks (non-invasive) requiring a physical access to the device,
141 such as bus probing or DRAM stress.
142
143Threat types
144============================
145
Thaddeus Serna8709cc92023-08-14 13:28:59 -0500146The following threat categories as exposed in the :ref:`Generic TF-A threat model
147<threat_analysis>`
Olivier Deprez86d1ffd2021-06-01 15:37:16 +0200148are re-used:
149
150- Spoofing
151- Tampering
152- Repudiation
153- Information disclosure
154- Denial of service
155- Elevation of privileges
156
157Similarly this threat model re-uses the same threat risk ratings. The risk
158analysis is evaluated based on the environment being ``Server`` or ``Mobile``.
159
160Threat Assessment
161============================
162
163The following threats are identified by applying STRIDE analysis on each diagram
164element of the data flow diagram.
165
166+------------------------+----------------------------------------------------+
167| ID | 01 |
168+========================+====================================================+
169| ``Threat`` | **An endpoint impersonates the sender or receiver |
170| | FF-A ID in a direct request/response invocation.** |
171+------------------------+----------------------------------------------------+
172| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
173+------------------------+----------------------------------------------------+
174| ``Affected TF-A | SPMD, SPMC |
175| Components`` | |
176+------------------------+----------------------------------------------------+
177| ``Assets`` | SP state |
178+------------------------+----------------------------------------------------+
179| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
180+------------------------+----------------------------------------------------+
181| ``Threat Type`` | Spoofing |
182+------------------------+------------------+-----------------+---------------+
183| ``Application`` | ``Server`` | ``Mobile`` | |
184+------------------------+------------------++----------------+---------------+
185| ``Impact`` | Critical(5) | Critical(5) | |
186+------------------------+------------------++----------------+---------------+
187| ``Likelihood`` | Critical(5) | Critical(5) | |
188+------------------------+------------------++----------------+---------------+
189| ``Total Risk Rating`` | Critical(25) | Critical(25) | |
190+------------------------+------------------+-----------------+---------------+
191| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
192| | The guidance below is left for a system integrator |
193| | to implemented as necessary. |
194| | The SPMC must enforce checks in the direct message |
195| | request/response interfaces such an endpoint cannot|
196| | spoof the origin and destination worlds (e.g. a NWd|
197| | originated message directed to the SWd cannot use a|
198| | SWd ID as the sender ID). |
199| | Additionally a software component residing in the |
200| | SPMC can be added for the purpose of direct |
201| | request/response filtering. |
202| | It can be configured with the list of known IDs |
203| | and about which interaction can occur between one |
204| | and another endpoint (e.g. which NWd endpoint ID |
205| | sends a direct request to which SWd endpoint ID). |
206| | This component checks the sender/receiver fields |
207| | for a legitimate communication between endpoints. |
208| | A similar component can exist in the OS kernel |
209| | driver, or Hypervisor although it remains untrusted|
210| | by the SPMD/SPMC. |
211+------------------------+----------------------------------------------------+
212
213+------------------------+----------------------------------------------------+
214| ID | 02 |
215+========================+====================================================+
216| ``Threat`` | **Tampering with memory shared between an endpoint |
217| | and the SPMC.** |
218| | A malicious endpoint may attempt tampering with its|
219| | RX/TX buffer contents while the SPMC is processing |
220| | it (TOCTOU). |
221+------------------------+----------------------------------------------------+
222| ``Diagram Elements`` | DF1, DF3, DF4, DF7 |
223+------------------------+----------------------------------------------------+
224| ``Affected TF-A | SPMC |
225| Components`` | |
226+------------------------+----------------------------------------------------+
227| ``Assets`` | Shared memory, Information exchange |
228+------------------------+----------------------------------------------------+
229| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
230+------------------------+----------------------------------------------------+
231| ``Threat Type`` | Tampering |
232+------------------------+------------------+-----------------+---------------+
233| ``Application`` | ``Server`` | ``Mobile`` | |
234+------------------------+------------------+-----------------+---------------+
235| ``Impact`` | High (4) | High (4) | |
236+------------------------+------------------+-----------------+---------------+
237| ``Likelihood`` | High (4) | High (4) | |
238+------------------------+------------------+-----------------+---------------+
239| ``Total Risk Rating`` | High (16) | High (16) | |
240+------------------------+------------------+-----------------+---------------+
J-Alves3e793032022-12-05 18:37:06 +0000241| ``Mitigations`` | In context of FF-A v1.0 and v1.1 this is the case |
242| | of sharing the RX/TX buffer pair and usage in the |
Olivier Deprez86d1ffd2021-06-01 15:37:16 +0200243| | PARTITION_INFO_GET or mem sharing primitives. |
244| | The SPMC must copy the contents of the TX buffer |
245| | to an internal temporary buffer before processing |
246| | its contents. The SPMC must implement hardened |
247| | input validation on data transmitted through the TX|
248| | buffer by an untrusted endpoint. |
249| | The TF-A SPMC mitigates this threat by enforcing |
250| | checks on data transmitted through RX/TX buffers. |
251+------------------------+----------------------------------------------------+
252
253+------------------------+----------------------------------------------------+
254| ID | 03 |
255+========================+====================================================+
256| ``Threat`` | **An endpoint may tamper with its own state or the |
257| | state of another endpoint.** |
258| | A malicious endpoint may attempt violating: |
259| | - its own or another SP state by using an unusual |
260| | combination (or out-of-order) FF-A function |
261| | invocations. |
262| | This can also be an endpoint emitting |
263| | FF-A function invocations to another endpoint while|
Madhukar Pappireddyce246f62022-10-14 16:06:00 -0500264| | the latter is not in a state to receive it (e.g. a |
Olivier Deprez86d1ffd2021-06-01 15:37:16 +0200265| | SP sends a direct request to the normal world early|
266| | while the normal world is not booted yet). |
267| | - the SPMC state itself by employing unexpected |
268| | transitions in FF-A memory sharing, direct requests|
269| | and responses, or handling of interrupts. |
270| | This can be led by random stimuli injection or |
271| | fuzzing. |
272+------------------------+----------------------------------------------------+
273| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
274+------------------------+----------------------------------------------------+
275| ``Affected TF-A | SPMD, SPMC |
276| Components`` | |
277+------------------------+----------------------------------------------------+
278| ``Assets`` | SP state, SPMC state |
279+------------------------+----------------------------------------------------+
280| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
281+------------------------+----------------------------------------------------+
282| ``Threat Type`` | Tampering |
283+------------------------+------------------+-----------------+---------------+
284| ``Application`` | ``Server`` | ``Mobile`` | |
285+------------------------+------------------+-----------------+---------------+
286| ``Impact`` | High (4) | High (4) | |
287+------------------------+------------------+-----------------+---------------+
288| ``Likelihood`` | Medium (3) | Medium (3) | |
289+------------------------+------------------+-----------------+---------------+
290| ``Total Risk Rating`` | High (12) | High (12) | |
291+------------------------+------------------+-----------------+---------------+
Madhukar Pappireddyce246f62022-10-14 16:06:00 -0500292| ``Mitigations`` | The TF-A SPMC provides mitigation against such |
293| | threat by following the guidance for partition |
294| | runtime models as described in FF-A v1.1 EAC0 spec.|
295| | The SPMC performs numerous checks in runtime to |
296| | prevent illegal state transitions by adhering to |
297| | the partition runtime model. |
Olivier Deprez86d1ffd2021-06-01 15:37:16 +0200298+------------------------+----------------------------------------------------+
299
300+------------------------+----------------------------------------------------+
301| ID | 04 |
302+========================+====================================================+
303| ``Threat`` | *An attacker may attempt injecting errors by the |
304| | use of external DRAM stress techniques.** |
305| | A malicious agent may attempt toggling an SP |
306| | Stage-2 MMU descriptor bit within the page tables |
307| | that the SPMC manages. This can happen in Rowhammer|
308| | types of attack. |
309+------------------------+----------------------------------------------------+
310| ``Diagram Elements`` | DF7 |
311+------------------------+----------------------------------------------------+
312| ``Affected TF-A | SPMC |
313| Components`` | |
314+------------------------+----------------------------------------------------+
315| ``Assets`` | SP or SPMC state |
316+------------------------+----------------------------------------------------+
317| ``Threat Agent`` | Hardware attack |
318+------------------------+----------------------------------------------------+
319| ``Threat Type`` | Tampering |
320+------------------------+------------------+---------------+-----------------+
321| ``Application`` | ``Server`` | ``Mobile`` | |
322+------------------------+------------------+---------------+-----------------+
323| ``Impact`` | High (4) | High (4) | |
324+------------------------+------------------+---------------+-----------------+
325| ``Likelihood`` | Low (2) | Medium (3) | |
326+------------------------+------------------+---------------+-----------------+
327| ``Total Risk Rating`` | Medium (8) | High (12) | |
328+------------------------+------------------+---------------+-----------------+
329| ``Mitigations`` | The TF-A SPMC does not provide mitigations to this |
330| | type of attack. It can be addressed by the use of |
331| | dedicated HW circuity or hardening at the chipset |
332| | or platform level left to the integrator. |
333+------------------------+----------------------------------------------------+
334
335+------------------------+----------------------------------------------------+
336| ID | 05 |
337+========================+====================================================+
338| ``Threat`` | **Protection of the SPMC from a DMA capable device |
339| | upstream to an SMMU.** |
340| | A device may attempt to tamper with the internal |
341| | SPMC code/data sections. |
342+------------------------+----------------------------------------------------+
343| ``Diagram Elements`` | DF5 |
344+------------------------+----------------------------------------------------+
345| ``Affected TF-A | SPMC |
346| Components`` | |
347+------------------------+----------------------------------------------------+
348| ``Assets`` | SPMC or SP state |
349+------------------------+----------------------------------------------------+
350| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
351+------------------------+----------------------------------------------------+
352| ``Threat Type`` | Tampering, Elevation of privileges |
353+------------------------+------------------+---------------+-----------------+
354| ``Application`` | ``Server`` | ``Mobile`` | |
355+------------------------+------------------+---------------+-----------------+
356| ``Impact`` | High (4) | High (4) | |
357+------------------------+------------------+---------------+-----------------+
358| ``Likelihood`` | Medium (3) | Medium (3) | |
359+------------------------+------------------+---------------+-----------------+
360| ``Total Risk Rating`` | High (12) | High (12) | |
361+------------------------+------------------+---------------+-----------------+
362| ``Mitigations`` | A platform may prefer assigning boot time, |
363| | statically alocated memory regions through the SMMU|
364| | configuration and page tables. The FF-A v1.1 |
365| | specification provisions this capability through |
366| | static DMA isolation. |
367| | The TF-A SPMC does not mitigate this threat. |
368| | It will adopt the static DMA isolation approach in |
369| | a future release. |
370+------------------------+----------------------------------------------------+
371
372+------------------------+----------------------------------------------------+
373| ID | 06 |
374+========================+====================================================+
375| ``Threat`` | **Replay fragments of past communication between |
376| | endpoints.** |
377| | A malicious endpoint may replay a message exchange |
378| | that occured between two legitimate endpoint as |
379| | a matter of triggering a malfunction or extracting |
380| | secrets from the receiving endpoint. In particular |
381| | the memory sharing operation with fragmented |
382| | messages between an endpoint and the SPMC may be |
383| | replayed by a malicious agent as a matter of |
384| | getting access or gaining permissions to a memory |
385| | region which does not belong to this agent. |
386+------------------------+----------------------------------------------------+
387| ``Diagram Elements`` | DF2, DF3 |
388+------------------------+----------------------------------------------------+
389| ``Affected TF-A | SPMC |
390| Components`` | |
391+------------------------+----------------------------------------------------+
392| ``Assets`` | Information exchange |
393+------------------------+----------------------------------------------------+
394| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
395+------------------------+----------------------------------------------------+
396| ``Threat Type`` | Repdudiation |
397+------------------------+------------------+---------------+-----------------+
398| ``Application`` | ``Server`` | ``Mobile`` | |
399+------------------------+------------------+---------------+-----------------+
400| ``Impact`` | Medium (3) | Medium (3) | |
401+------------------------+------------------+---------------+-----------------+
402| ``Likelihood`` | High (4) | High (4) | |
403+------------------------+------------------+---------------+-----------------+
404| ``Total Risk Rating`` | High (12) | High (12) | |
405+------------------------+------------------+---------------+-----------------+
406| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
407+------------------------+----------------------------------------------------+
408
409+------------------------+----------------------------------------------------+
410| ID | 07 |
411+========================+====================================================+
412| ``Threat`` | **A malicious endpoint may attempt to extract data |
413| | or state information by the use of invalid or |
414| | incorrect input arguments.** |
415| | Lack of input parameter validation or side effects |
416| | of maliciously forged input parameters might affect|
417| | the SPMC. |
418+------------------------+----------------------------------------------------+
419| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
420+------------------------+----------------------------------------------------+
421| ``Affected TF-A | SPMD, SPMC |
422| Components`` | |
423+------------------------+----------------------------------------------------+
424| ``Assets`` | SP secrets, SPMC secrets, SP state, SPMC state |
425+------------------------+----------------------------------------------------+
426| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
427+------------------------+----------------------------------------------------+
428| ``Threat Type`` | Information discolure |
429+------------------------+------------------+---------------+-----------------+
430| ``Application`` | ``Server`` | ``Mobile`` | |
431+------------------------+------------------+---------------+-----------------+
432| ``Impact`` | High (4) | High (4) | |
433+------------------------+------------------+---------------+-----------------+
434| ``Likelihood`` | Medium (3) | Medium (3) | |
435+------------------------+------------------+---------------+-----------------+
436| ``Total Risk Rating`` | High (12) | High (12) | |
437+------------------------+------------------+---------------+-----------------+
438| ``Mitigations`` | Secure Partitions must follow security standards |
439| | and best practises as a way to mitigate the risk |
440| | of common vulnerabilities to be exploited. |
441| | The use of software (canaries) or hardware |
442| | hardening techniques (XN, WXN, BTI, pointer |
443| | authentication, MTE) helps detecting and stopping |
444| | an exploitation early. |
445| | The TF-A SPMC mitigates this threat by implementing|
446| | stack protector, pointer authentication, BTI, XN, |
447| | WXN, security hardening techniques. |
448+------------------------+----------------------------------------------------+
449
450+------------------------+----------------------------------------------------+
451| ID | 08 |
452+========================+====================================================+
453| ``Threat`` | **A malicious endpoint may forge a direct message |
454| | request such that it reveals the internal state of |
455| | another endpoint through the direct message |
456| | response.** |
457| | The secure partition or SPMC replies to a partition|
458| | message by a direct message response with |
459| | information which may reveal its internal state |
460| | (.e.g. partition message response outside of |
461| | allowed bounds). |
462+------------------------+----------------------------------------------------+
463| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
464+------------------------+----------------------------------------------------+
465| ``Affected TF-A | SPMC |
466| Components`` | |
467+------------------------+----------------------------------------------------+
468| ``Assets`` | SPMC or SP state |
469+------------------------+----------------------------------------------------+
470| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
471+------------------------+----------------------------------------------------+
472| ``Threat Type`` | Information discolure |
473+------------------------+------------------+---------------+-----------------+
474| ``Application`` | ``Server`` | ``Mobile`` | |
475+------------------------+------------------+---------------+-----------------+
476| ``Impact`` | Medium (3) | Medium (3) | |
477+------------------------+------------------+---------------+-----------------+
478| ``Likelihood`` | Low (2) | Low (2) | |
479+------------------------+------------------+---------------+-----------------+
480| ``Total Risk Rating`` | Medium (6) | Medium (6) | |
481+------------------------+------------------+---------------+-----------------+
J-Alvesfce56802021-11-11 17:23:53 +0000482| ``Mitigations`` | For the specific case of direct requests targeting |
Olivier Deprez86d1ffd2021-06-01 15:37:16 +0200483| | the SPMC, the latter is hardened to prevent |
484| | its internal state or the state of an SP to be |
485| | revealed through a direct message response. |
Madhukar Pappireddyce246f62022-10-14 16:06:00 -0500486| | Further, SPMC performs numerous checks in runtime |
487| | on the basis of the rules established by partition |
488| | runtime models to stop any malicious attempts by |
489| | an endpoint to extract internal state of another |
490| | endpoint. |
Olivier Deprez86d1ffd2021-06-01 15:37:16 +0200491+------------------------+----------------------------------------------------+
492
493+------------------------+----------------------------------------------------+
494| ID | 09 |
495+========================+====================================================+
496| ``Threat`` | **Probing the FF-A communication between |
497| | endpoints.** |
498| | SPMC and SPs are typically loaded to external |
499| | memory (protected by a TrustZone memory |
500| | controller). A malicious agent may use non invasive|
501| | methods to probe the external memory bus and |
502| | extract the traffic between an SP and the SPMC or |
503| | among SPs when shared buffers are held in external |
504| | memory. |
505+------------------------+----------------------------------------------------+
506| ``Diagram Elements`` | DF7 |
507+------------------------+----------------------------------------------------+
508| ``Affected TF-A | SPMC |
509| Components`` | |
510+------------------------+----------------------------------------------------+
511| ``Assets`` | SP/SPMC state, SP/SPMC secrets |
512+------------------------+----------------------------------------------------+
513| ``Threat Agent`` | Hardware attack |
514+------------------------+----------------------------------------------------+
515| ``Threat Type`` | Information disclosure |
516+------------------------+------------------+-----------------+---------------+
517| ``Application`` | ``Server`` | ``Mobile`` | |
518+------------------------+------------------+-----------------+---------------+
519| ``Impact`` | Medium (3) | Medium (3) | |
520+------------------------+------------------+-----------------+---------------+
521| ``Likelihood`` | Low (2) | Medium (3) | |
522+------------------------+------------------+-----------------+---------------+
523| ``Total Risk Rating`` | Medium (6) | Medium (9) | |
524+------------------------+------------------+-----------------+---------------+
525| ``Mitigations`` | It is expected the platform or chipset provides |
526| | guarantees in protecting the DRAM contents. |
527| | The TF-A SPMC does not mitigate this class of |
528| | attack and this is left to the integrator. |
529+------------------------+----------------------------------------------------+
530
531+------------------------+----------------------------------------------------+
532| ID | 10 |
533+========================+====================================================+
534| ``Threat`` | **A malicious agent may attempt revealing the SPMC |
535| | state or secrets by the use of software-based cache|
536| | side-channel attack techniques.** |
537+------------------------+----------------------------------------------------+
538| ``Diagram Elements`` | DF7 |
539+------------------------+----------------------------------------------------+
540| ``Affected TF-A | SPMC |
541| Components`` | |
542+------------------------+----------------------------------------------------+
543| ``Assets`` | SP or SPMC state |
544+------------------------+----------------------------------------------------+
545| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
546+------------------------+----------------------------------------------------+
547| ``Threat Type`` | Information disclosure |
548+------------------------+------------------+-----------------+---------------+
549| ``Application`` | ``Server`` | ``Mobile`` | |
550+------------------------+------------------+-----------------+---------------+
551| ``Impact`` | Medium (3) | Medium (3) | |
552+------------------------+------------------+-----------------+---------------+
553| ``Likelihood`` | Low (2) | Low (2) | |
554+------------------------+------------------+-----------------+---------------+
555| ``Total Risk Rating`` | Medium (6) | Medium (6) | |
556+------------------------+------------------+-----------------+---------------+
557| ``Mitigations`` | From an integration perspective it is assumed |
558| | platforms consuming the SPMC component at S-EL2 |
559| | (hence implementing the Armv8.4 FEAT_SEL2 |
560| | architecture extension) implement mitigations to |
561| | Spectre, Meltdown or other cache timing |
562| | side-channel type of attacks. |
563| | The TF-A SPMC implements one mitigation (barrier |
564| | preventing speculation past exeception returns). |
565| | The SPMC may be hardened further with SW |
566| | mitigations (e.g. speculation barriers) for the |
567| | cases not covered in HW. Usage of hardened |
568| | compilers and appropriate options, code inspection |
569| | are recommended ways to mitigate Spectre types of |
570| | attacks. For non-hardened cores, the usage of |
571| | techniques such a kernel page table isolation can |
572| | help mitigating Meltdown type of attacks. |
573+------------------------+----------------------------------------------------+
574
575+------------------------+----------------------------------------------------+
576| ID | 11 |
577+========================+====================================================+
578| ``Threat`` | **A malicious endpoint may attempt flooding the |
J-Alvesfce56802021-11-11 17:23:53 +0000579| | SPMC with requests targeting a service within an |
Olivier Deprez86d1ffd2021-06-01 15:37:16 +0200580| | endpoint such that it denies another endpoint to |
581| | access this service.** |
582| | Similarly, the malicious endpoint may target a |
583| | a service within an endpoint such that the latter |
584| | is unable to request services from another |
585| | endpoint. |
586+------------------------+----------------------------------------------------+
587| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
588+------------------------+----------------------------------------------------+
589| ``Affected TF-A | SPMC |
590| Components`` | |
591+------------------------+----------------------------------------------------+
592| ``Assets`` | SPMC state |
593+------------------------+----------------------------------------------------+
594| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
595+------------------------+----------------------------------------------------+
596| ``Threat Type`` | Denial of service |
597+------------------------+------------------+-----------------+---------------+
598| ``Application`` | ``Server`` | ``Mobile`` | |
599+------------------------+------------------+-----------------+---------------+
600| ``Impact`` | Medium (3) | Medium (3) | |
601+------------------------+------------------+-----------------+---------------+
602| ``Likelihood`` | Medium (3) | Medium (3) | |
603+------------------------+------------------+-----------------+---------------+
604| ``Total Risk Rating`` | Medium (9) | Medium (9) | |
605+------------------------+------------------+-----------------+---------------+
606| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
607| | Bounding the time for operations to complete can |
608| | be achieved by the usage of a trusted watchdog. |
609| | Other quality of service monitoring can be achieved|
610| | in the SPMC such as counting a number of operations|
611| | in a limited timeframe. |
612+------------------------+----------------------------------------------------+
613
J-Alvesfce56802021-11-11 17:23:53 +0000614+------------------------+----------------------------------------------------+
615| ID | 12 |
616+========================+====================================================+
617| ``Threat`` | **A malicious endpoint may attempt to allocate |
618| | notifications bitmaps in the SPMC, through the |
619| | FFA_NOTIFICATION_BITMAP_CREATE.** |
620| | This might be an attempt to exhaust SPMC's memory, |
621| | or to allocate a bitmap for a VM that was not |
622| | intended to receive notifications from SPs. Thus |
623| | creating the possibility for a channel that was not|
624| | meant to exist. |
625+------------------------+----------------------------------------------------+
626| ``Diagram Elements`` | DF1, DF2, DF3 |
627+------------------------+----------------------------------------------------+
628| ``Affected TF-A | SPMC |
629| Components`` | |
630+------------------------+----------------------------------------------------+
631| ``Assets`` | SPMC state |
632+------------------------+----------------------------------------------------+
633| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
634+------------------------+----------------------------------------------------+
635| ``Threat Type`` | Denial of service, Spoofing |
636+------------------------+------------------+-----------------+---------------+
637| ``Application`` | ``Server`` | ``Mobile`` | |
638+------------------------+------------------+-----------------+---------------+
639| ``Impact`` | Medium(3) | Medium(3) | |
640+------------------------+------------------+-----------------+---------------+
641| ``Likelihood`` | Medium(3) | Medium(3) | |
642+------------------------+------------------+-----------------+---------------+
643| ``Total Risk Rating`` | Medium(9) | Medium(9) | |
644+------------------------+------------------+-----------------+---------------+
645| ``Mitigations`` | The TF-A SPMC mitigates this threat by defining a |
646| | a fixed size pool for bitmap allocation. |
647| | It also limits the designated FF-A calls to be used|
648| | from NWd endpoints. |
649| | In the NWd the hypervisor is supposed to limit the |
650| | access to the designated FF-A call. |
651+------------------------+----------------------------------------------------+
652
653+------------------------+----------------------------------------------------+
654| ID | 13 |
655+========================+====================================================+
656| ``Threat`` | **A malicious endpoint may attempt to destroy the |
657| | notifications bitmaps in the SPMC, through the |
658| | FFA_NOTIFICATION_BITMAP_DESTROY.** |
659| | This might be an attempt to tamper with the SPMC |
660| | state such that a partition isn't able to receive |
661| | notifications. |
662+------------------------+----------------------------------------------------+
663| ``Diagram Elements`` | DF1, DF2, DF3 |
664+------------------------+----------------------------------------------------+
665| ``Affected TF-A | SPMC |
666| Components`` | |
667+------------------------+----------------------------------------------------+
668| ``Assets`` | SPMC state |
669+------------------------+----------------------------------------------------+
670| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
671+------------------------+----------------------------------------------------+
672| ``Threat Type`` | Tampering |
673+------------------------+------------------+-----------------+---------------+
674| ``Application`` | ``Server`` | ``Mobile`` | |
675+------------------------+------------------+-----------------+---------------+
676| ``Impact`` | Low(2) | Low(2) | |
677+------------------------+------------------+-----------------+---------------+
678| ``Likelihood`` | Low(2) | Low(2) | |
679+------------------------+------------------+-----------------+---------------+
680| ``Total Risk Rating`` | Low(4) | Low(4) | |
681+------------------------+------------------+-----------------+---------------+
682| ``Mitigations`` | The TF-A SPMC mitigates this issue by limiting the |
683| | designated FF-A call to be issued by the NWd. |
684| | Also, the notifications bitmap can't be destroyed |
685| | if there are pending notifications. |
686| | In the NWd, the hypervisor must restrict the |
687| | NS-endpoints that can issue the designated call. |
688+------------------------+----------------------------------------------------+
689
690+------------------------+----------------------------------------------------+
691| ID | 14 |
692+========================+====================================================+
693| ``Threat`` | **A malicious endpoint might attempt to give |
694| | permissions to an unintended sender to set |
695| | notifications targeting another receiver using the |
696| | FF-A call FFA_NOTIFICATION_BIND.** |
697| | This might be an attempt to tamper with the SPMC |
698| | state such that an unintended, and possibly |
699| | malicious, communication channel is established. |
700+------------------------+----------------------------------------------------+
701| ``Diagram Elements`` | DF1, DF2, DF3 |
702+------------------------+----------------------------------------------------+
703| ``Affected TF-A | SPMC |
704| Components`` | |
705+------------------------+----------------------------------------------------+
706| ``Assets`` | SPMC state |
707+------------------------+----------------------------------------------------+
708| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
709+------------------------+----------------------------------------------------+
710| ``Threat Type`` | Tampering, Spoofing |
711+------------------------+------------------+-----------------+---------------+
712| ``Application`` | ``Server`` | ``Mobile`` | |
713+------------------------+------------------+-----------------+---------------+
714| ``Impact`` | Low(2) | Low(2) | |
715+------------------------+------------------+-----------------+---------------+
716| ``Likelihood`` | Medium(3) | Medium(3) | |
717+------------------------+------------------+-----------------+---------------+
718| ``Total Risk Rating`` | Medium(6) | Medium(6) | |
719+------------------------+------------------+-----------------+---------------+
720| ``Mitigations`` | The TF-A SPMC mitigates this by restricting |
721| | designated FFA_NOTIFICATION_BIND call to be issued |
722| | by the receiver only. The receiver is responsible |
723| | for allocating the notifications IDs to one |
724| | specific partition. |
725| | Also, receivers that are not meant to receive |
726| | notifications, must have notifications receipt |
727| | disabled in the respective partition's manifest. |
728| | As for calls coming from NWd, if the NWd VM has had|
729| | its bitmap allocated at initialization, the TF-A |
730| | SPMC can't guarantee this threat won't happen. |
731| | The Hypervisor must mitigate in the NWd, similarly |
732| | to SPMC for calls in SWd. Though, if the Hypervisor|
733| | has been compromised, the SPMC won't be able to |
734| | mitigate it for calls forwarded from NWd. |
735+------------------------+----------------------------------------------------+
736
737+------------------------+----------------------------------------------------+
738| ID | 15 |
739+========================+====================================================+
740| ``Threat`` | **A malicious partition endpoint might attempt to |
741| | set notifications that are not bound to it.** |
742+------------------------+----------------------------------------------------+
743| ``Diagram Elements`` | DF1, DF2, DF3 |
744+------------------------+----------------------------------------------------+
745| ``Affected TF-A | SPMC |
746| Components`` | |
747+------------------------+----------------------------------------------------+
748| ``Assets`` | SPMC state |
749+------------------------+----------------------------------------------------+
750| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
751+------------------------+----------------------------------------------------+
752| ``Threat Type`` | Spoofing |
753+------------------------+------------------+-----------------+---------------+
754| ``Application`` | ``Server`` | ``Mobile`` | |
755+------------------------+------------------+-----------------+---------------+
756| ``Impact`` | Low(2) | Low(2) | |
757+------------------------+------------------+-----------------+---------------+
758| ``Likelihood`` | Low(2) | Low(2) | |
759+------------------------+------------------+-----------------+---------------+
760| ``Total Risk Rating`` | Low(4) | Low(4) | |
761+------------------------+------------------+-----------------+---------------+
762| ``Mitigations`` | The TF-A SPMC mitigates this by checking the |
763| | sender's ID provided in the input to the call |
764| | FFA_NOTIFICATION_SET. The SPMC keeps track of which|
765| | notifications are bound to which sender, for a |
766| | given receiver. If the sender is an SP, the |
767| | provided sender ID must match the ID of the |
768| | currently running partition. |
769+------------------------+----------------------------------------------------+
770
771+------------------------+----------------------------------------------------+
772| ID | 16 |
773+========================+====================================================+
774| ``Threat`` | **A malicious partition endpoint might attempt to |
775| | get notifications that are not targeted to it.** |
776+------------------------+----------------------------------------------------+
777| ``Diagram Elements`` | DF1, DF2, DF3 |
778+------------------------+----------------------------------------------------+
779| ``Affected TF-A | SPMC |
780| Components`` | |
781+------------------------+----------------------------------------------------+
782| ``Assets`` | SPMC state |
783+------------------------+----------------------------------------------------+
784| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
785+------------------------+----------------------------------------------------+
786| ``Threat Type`` | Spoofing |
787+------------------------+------------------+-----------------+---------------+
788| ``Application`` | ``Server`` | ``Mobile`` | |
789+------------------------+------------------+-----------------+---------------+
790| ``Impact`` | Informational(1) | Informational(1)| |
791+------------------------+------------------+-----------------+---------------+
792| ``Likelihood`` | Low(2) | Low(2) | |
793+------------------------+------------------+-----------------+---------------+
794| ``Total Risk Rating`` | Low(2) | Low(2) | |
795+------------------------+------------------+-----------------+---------------+
796| ``Mitigations`` | The TF-A SPMC mitigates this by checking the |
797| | receiver's ID provided in the input to the call |
798| | FFA_NOTIFICATION_GET. The SPMC keeps track of which|
799| | notifications are pending for each receiver. |
800| | The provided receiver ID must match the ID of the |
801| | currently running partition, if it is an SP. |
802| | For calls forwarded from NWd, the SPMC will return |
803| | the pending notifications if the receiver had its |
804| | bitmap created, and has pending notifications. |
805| | If Hypervisor or OS kernel are compromised, the |
806| | SPMC won't be able to mitigate calls from rogue NWd|
807| | endpoints. |
808+------------------------+----------------------------------------------------+
809
810+------------------------+----------------------------------------------------+
811| ID | 17 |
812+========================+====================================================+
813| ``Threat`` | **A malicious partition endpoint might attempt to |
814| | get the information about pending notifications, |
815| | through the FFA_NOTIFICATION_INFO_GET call.** |
816| | This call is meant to be used by the NWd FF-A |
817| | driver. |
818+------------------------+----------------------------------------------------+
819| ``Diagram Elements`` | DF1, DF2, DF3 |
820+------------------------+----------------------------------------------------+
821| ``Affected TF-A | SPMC |
822| Components`` | |
823+------------------------+----------------------------------------------------+
824| ``Assets`` | SPMC state |
825+------------------------+----------------------------------------------------+
826| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
827+------------------------+----------------------------------------------------+
828| ``Threat Type`` | Information disclosure |
829+------------------------+------------------+-----------------+---------------+
830| ``Application`` | ``Server`` | ``Mobile`` | |
831+------------------------+------------------+-----------------+---------------+
832| ``Impact`` | Low(2) | Low(2) | |
833+------------------------+------------------+-----------------+---------------+
834| ``Likelihood`` | Medium(3) | Medium(3) | |
835+------------------------+------------------+-----------------+---------------+
836| ``Total Risk Rating`` | Medium(6) | Medium(6) | |
837+------------------------+------------------+-----------------+---------------+
838| ``Mitigations`` | The TF-A SPMC mitigates this by returning error to |
839| | calls made by SPs to FFA_NOTIFICATION_INFO_GET. |
840| | If Hypervisor or OS kernel are compromised, the |
841| | SPMC won't be able mitigate calls from rogue NWd |
842| | endpoints. |
843+------------------------+----------------------------------------------------+
844
845+------------------------+----------------------------------------------------+
846| ID | 18 |
847+========================+====================================================+
848| ``Threat`` | **A malicious partition endpoint might attempt to |
849| | flood another partition endpoint with notifications|
850| | hindering its operation.** |
851| | The intent of the malicious endpoint could be to |
852| | interfere with both the receiver's and/or primary |
853| | endpoint execution, as they can both be preempted |
854| | by the NPI and SRI, respectively. |
855+------------------------+----------------------------------------------------+
856| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
857+------------------------+----------------------------------------------------+
858| ``Affected TF-A | SPMC |
859| Components`` | |
860+------------------------+----------------------------------------------------+
861| ``Assets`` | SPMC state, SP state, CPU cycles |
862+------------------------+----------------------------------------------------+
863| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
864+------------------------+----------------------------------------------------+
865| ``Threat Type`` | DoS |
866+------------------------+------------------+-----------------+---------------+
867| ``Application`` | ``Server`` | ``Mobile`` | |
868+------------------------+------------------+-----------------+---------------+
869| ``Impact`` | Low(2) | Low(2) | |
870+------------------------+------------------+-----------------+---------------+
871| ``Likelihood`` | Medium(3) | Medium(3) | |
872+------------------------+------------------+-----------------+---------------+
873| ``Total Risk Rating`` | Medium(6) | Medium(6) | |
874+------------------------+------------------+-----------------+---------------+
875| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
876| | However, the impact is limited due to the |
877| | architecture: |
878| | - Notifications are not queued, one that has been |
879| | signaled needs to be retrieved by the receiver, |
880| | until it can be sent again. |
881| | - Both SRI and NPI can't be pended until handled |
882| | which limits the amount of spurious interrupts. |
883| | - A given receiver could only bind a maximum number|
884| | of notifications to a given sender, within a given |
885| | execution context. |
886+------------------------+----------------------------------------------------+
887
Madhukar Pappireddyce246f62022-10-14 16:06:00 -0500888+------------------------+----------------------------------------------------+
889| ID | 19 |
890+========================+====================================================+
891| ``Threat`` | **A malicious endpoint may abuse FFA_RUN call to |
892| | resume or turn on other endpoint execution |
893| | contexts, attempting to alter the internal state of|
894| | SPMC and SPs, potentially leading to illegal state |
895| | transitions and deadlocks.** |
896| | An endpoint can call into another endpoint |
897| | execution context using FFA_MSG_SEND_DIRECT_REQ |
898| | ABI to create a call chain. A malicious endpoint |
899| | could abuse this to form loops in a call chain that|
900| | could lead to potential deadlocks. |
901+------------------------+----------------------------------------------------+
902| ``Diagram Elements`` | DF1, DF2, DF4 |
903+------------------------+----------------------------------------------------+
904| ``Affected TF-A | SPMC, SPMD |
905| Components`` | |
906+------------------------+----------------------------------------------------+
907| ``Assets`` | SPMC state, SP state, Scheduling cycles |
908+------------------------+----------------------------------------------------+
909| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
910+------------------------+----------------------------------------------------+
911| ``Threat Type`` | Tampering, Denial of Service |
912+------------------------+------------------+-----------------+---------------+
913| ``Application`` | ``Server`` | ``Mobile`` | |
914+------------------------+------------------+-----------------+---------------+
915| ``Impact`` | Medium (3) | Medium (3) | |
916+------------------------+------------------+-----------------+---------------+
917| ``Likelihood`` | Medium (3) | Medium (3) | |
918+------------------------+------------------+-----------------+---------------+
919| ``Total Risk Rating`` | Medium (9) | Medium (9) | |
920+------------------------+------------------+-----------------+---------------+
921| ``Mitigations`` | The TF-A SPMC provides mitigation against such |
922| | threats by following the guidance for partition |
923| | runtime models as described in FF-A v1.1 EAC0 spec.|
924| | The SPMC performs numerous checks in runtime to |
925| | prevent illegal state transitions by adhering to |
926| | the partition runtime model. Further, if the |
927| | receiver endpoint is a predecessor of current |
928| | endpoint in the present call chain, the SPMC denies|
929| | any attempts to form loops by returning FFA_DENIED |
930| | error code. Only the primary scheduler is allowed |
931| | to turn on execution contexts of other partitions |
932| | though SPMC does not have the ability to |
933| | scrutinize its identity. Secure partitions have |
934| | limited ability to resume execution contexts of |
935| | other partitions based on the runtime model. Such |
936| | attempts cannot compromise the integrity of the |
937| | SPMC. |
938+------------------------+----------------------------------------------------+
939
940+------------------------+----------------------------------------------------+
941| ID | 20 |
942+========================+====================================================+
943| ``Threat`` | **A malicious endpoint can perform a |
944| | denial-of-service attack by using FFA_INTERRUPT |
945| | call that could attempt to cause the system to |
946| | crash or enter into an unknown state as no physical|
947| | interrupt could be pending for it to be handled in |
948| | the SPMC.** |
949+------------------------+----------------------------------------------------+
950| ``Diagram Elements`` | DF1, DF2, DF5 |
951+------------------------+----------------------------------------------------+
952| ``Affected TF-A | SPMC, SPMD |
953| Components`` | |
954+------------------------+----------------------------------------------------+
955| ``Assets`` | SPMC state, SP state, Scheduling cycles |
956+------------------------+----------------------------------------------------+
957| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
958+------------------------+----------------------------------------------------+
959| ``Threat Type`` | Tampering, Denial of Service |
960+------------------------+------------------+-----------------+---------------+
961| ``Application`` | ``Server`` | ``Mobile`` | |
962+------------------------+------------------+-----------------+---------------+
963| ``Impact`` | Medium (3) | Medium (3) | |
964+------------------------+------------------+-----------------+---------------+
965| ``Likelihood`` | Medium (3) | Medium (3) | |
966+------------------------+------------------+-----------------+---------------+
967| ``Total Risk Rating`` | Medium (9) | Medium (9) | |
968+------------------------+------------------+-----------------+---------------+
969| ``Mitigations`` | The TF-A SPMC provides mitigation against such |
970| | attack by detecting invocations from partitions |
971| | and simply returning FFA_ERROR status interface. |
972| | SPMC only allows SPMD to use FFA_INTERRUPT ABI to |
973| | communicate a pending secure interrupt triggered |
974| | while execution was in normal world. |
975+------------------------+----------------------------------------------------+
976
977+------------------------+----------------------------------------------------+
978| ID | 21 |
979+========================+====================================================+
980| ``Threat`` | **A malicious secure endpoint might deactivate a |
981| | (virtual) secure interrupt that was not originally |
982| | signaled by SPMC, thereby attempting to alter the |
983| | state of the SPMC and potentially lead to system |
984| | crash.** |
985| | SPMC maps the virtual interrupt ids to the physical|
986| | interrupt ids to keep the implementation of virtual|
987| | interrupt driver simple. |
988| | Similarly, a malicious secure endpoint might invoke|
989| | the deactivation ABI more than once for a secure |
990| | interrupt. Moreover, a malicious secure endpoint |
991| | might attempt to deactivate a (virtual) secure |
992| | interrupt that was signaled to another endpoint |
993| | execution context by the SPMC even before secure |
994| | interrupt was handled. |
995+------------------------+----------------------------------------------------+
996| ``Diagram Elements`` | DF1, DF5 |
997+------------------------+----------------------------------------------------+
998| ``Affected TF-A | SPMC |
999| Components`` | |
1000+------------------------+----------------------------------------------------+
1001| ``Assets`` | SPMC state, SP state |
1002+------------------------+----------------------------------------------------+
1003| ``Threat Agent`` | S-Endpoint |
1004+------------------------+----------------------------------------------------+
1005| ``Threat Type`` | Tampering |
1006+------------------------+------------------+-----------------+---------------+
1007| ``Application`` | ``Server`` | ``Mobile`` | |
1008+------------------------+------------------+-----------------+---------------+
1009| ``Impact`` | Medium (3) | Medium (3) | |
1010+------------------------+------------------+-----------------+---------------+
1011| ``Likelihood`` | Medium (3) | Medium (3) | |
1012+------------------------+------------------+-----------------+---------------+
1013| ``Total Risk Rating`` | Medium (9) | Medium (9) | |
1014+------------------------+------------------+-----------------+---------------+
1015| ``Mitigations`` | At initialization, the TF-A SPMC parses the |
1016| | partition manifests to find the target execution |
1017| | context responsible for handling the various |
1018| | secure physical interrupts. The TF-A SPMC provides |
1019| | mitigation against above mentioned threats by: |
1020| | |
1021| | - Keeping track of each pending virtual interrupt |
1022| | signaled to an execution context of a secure |
1023| | secure partition. |
1024| | - Denying any deactivation call from SP if there is|
1025| | no pending physical interrupt mapped to the |
1026| | given virtual interrupt. |
1027| | - Denying any deactivation call from SP if the |
1028| | virtual interrupt has not been signaled to the |
1029| | current execution context. |
1030+------------------------+----------------------------------------------------+
1031
1032+------------------------+----------------------------------------------------+
1033| ID | 22 |
1034+========================+====================================================+
1035| ``Threat`` | **A malicious secure endpoint might not deactivate |
1036| | a virtual interrupt signaled to it by the SPMC but |
1037| | perform secure interrupt signal completion. This |
1038| | attempt to corrupt the internal state of the SPMC |
1039| | could lead to an unknown state and further lead to |
1040| | system crash.** |
1041| | Similarly, a malicious secure endpoint could |
1042| | deliberately not perform either interrupt |
1043| | deactivation or interrupt completion signal. Since,|
1044| | the SPMC can only process one secure interrupt at a|
1045| | time, this could choke the system where all |
1046| | interrupts are indefinitely masked which could |
1047| | potentially lead to system crash or reboot. |
1048+------------------------+----------------------------------------------------+
1049| ``Diagram Elements`` | DF1, DF5 |
1050+------------------------+----------------------------------------------------+
1051| ``Affected TF-A | SPMC |
1052| Components`` | |
1053+------------------------+----------------------------------------------------+
1054| ``Assets`` | SPMC state, SP state, Scheduling cycles |
1055+------------------------+----------------------------------------------------+
1056| ``Threat Agent`` | S-Endpoint |
1057+------------------------+----------------------------------------------------+
1058| ``Threat Type`` | Tampering, Denial of Service |
1059+------------------------+------------------+-----------------+---------------+
1060| ``Application`` | ``Server`` | ``Mobile`` | |
1061+------------------------+------------------+-----------------+---------------+
1062| ``Impact`` | Medium (3) | Medium (3) | |
1063+------------------------+------------------+-----------------+---------------+
1064| ``Likelihood`` | Medium (3) | Medium (3) | |
1065+------------------------+------------------+-----------------+---------------+
1066| ``Total Risk Rating`` | Medium (9) | Medium (9) | |
1067+------------------------+------------------+-----------------+---------------+
1068| ``Mitigations`` | The TF-A SPMC does not provide mitigation against |
1069| | such threat. This is a limitation of the current |
1070| | SPMC implementation and needs to be handled in the |
1071| | future releases. |
1072+------------------------+----------------------------------------------------+
1073
1074+------------------------+----------------------------------------------------+
1075| ID | 23 |
1076+========================+====================================================+
1077| ``Threat`` | **A malicious endpoint could leverage non-secure |
1078| | interrupts to preempt a secure endpoint, thereby |
1079| | attempting to render it unable to handle a secure |
1080| | virtual interrupt targetted for it. This could lead|
1081| | to priority inversion as secure virtual interrupts |
1082| | are kept pending while non-secure interrupts are |
1083| | handled by normal world VMs.** |
1084+------------------------+----------------------------------------------------+
1085| ``Diagram Elements`` | DF1, DF2, DF3, DF5 |
1086+------------------------+----------------------------------------------------+
1087| ``Affected TF-A | SPMC, SPMD |
1088| Components`` | |
1089+------------------------+----------------------------------------------------+
1090| ``Assets`` | SPMC state, SP state, Scheduling cycles |
1091+------------------------+----------------------------------------------------+
1092| ``Threat Agent`` | NS-Endpoint |
1093+------------------------+----------------------------------------------------+
1094| ``Threat Type`` | Denial of Service |
1095+------------------------+------------------+-----------------+---------------+
1096| ``Application`` | ``Server`` | ``Mobile`` | |
1097+------------------------+------------------+-----------------+---------------+
1098| ``Impact`` | Medium (3) | Medium (3) | |
1099+------------------------+------------------+-----------------+---------------+
1100| ``Likelihood`` | Medium (3) | Medium (3) | |
1101+------------------------+------------------+-----------------+---------------+
1102| ``Total Risk Rating`` | Medium (9) | Medium (9) | |
1103+------------------------+------------------+-----------------+---------------+
1104| ``Mitigations`` | The TF-A SPMC alone does not provide mitigation |
1105| | against such threats. System integrators must take |
1106| | necessary high level design decisions that takes |
1107| | care of interrupt prioritization. The SPMC performs|
1108| | its role of enabling SPs to specify appropriate |
1109| | action towards non-secure interrupt with the help |
1110| | of partition manifest based on the guidance in the |
1111| | FF-A v1.1 EAC0 specification. |
1112+------------------------+----------------------------------------------------+
1113
1114+------------------------+----------------------------------------------------+
1115| ID | 24 |
1116+========================+====================================================+
1117| ``Threat`` | **A secure endpoint depends on primary scheduler |
1118| | for CPU cycles. A malicious endpoint could delay |
1119| | the secure endpoint from being scheduled. Secure |
1120| | interrupts, if not handled timely, could compromise|
1121| | the state of SP and SPMC, thereby rendering the |
1122| | system unresponsive.** |
1123+------------------------+----------------------------------------------------+
1124| ``Diagram Elements`` | DF1, DF2, DF3, DF5 |
1125+------------------------+----------------------------------------------------+
1126| ``Affected TF-A | SPMC, SPMD |
1127| Components`` | |
1128+------------------------+----------------------------------------------------+
1129| ``Assets`` | SPMC state, SP state, Scheduling cycles |
1130+------------------------+----------------------------------------------------+
1131| ``Threat Agent`` | NS-Endpoint |
1132+------------------------+----------------------------------------------------+
1133| ``Threat Type`` | Denial of Service |
1134+------------------------+------------------+-----------------+---------------+
1135| ``Application`` | ``Server`` | ``Mobile`` | |
1136+------------------------+------------------+-----------------+---------------+
1137| ``Impact`` | Medium (3) | Medium (3) | |
1138+------------------------+------------------+-----------------+---------------+
1139| ``Likelihood`` | Medium (3) | Medium (3) | |
1140+------------------------+------------------+-----------------+---------------+
1141| ``Total Risk Rating`` | Medium (9) | Medium (9) | |
1142+------------------------+------------------+-----------------+---------------+
1143| ``Mitigations`` | The TF-A SPMC does not provide full mitigation |
1144| | against such threats. However, based on the |
1145| | guidance provided in the FF-A v1.1 EAC0 spec, SPMC |
1146| | provisions CPU cycles to run a secure endpoint |
1147| | execution context in SPMC schedule mode which |
1148| | cannot be preempted by a non-secure interrupt. |
1149| | This reduces the dependency on primary scheduler |
1150| | for cycle allocation. Moreover, all further |
1151| | interrupts are masked until pending secure virtual |
1152| | interrupt on current CPU is handled. This allows SP|
1153| | execution context to make progress even upon being |
1154| | interrupted. |
1155+------------------------+----------------------------------------------------+
1156
J-Alves3e793032022-12-05 18:37:06 +00001157+------------------------+----------------------------------------------------+
1158| ID | 25 |
1159+========================+====================================================+
1160| ``Threat`` | **A rogue FF-A endpoint can use memory sharing |
1161| | calls to exhaust SPMC resources.** |
1162| | For each on-going operation that involves an SP, |
1163| | the SPMC allocates resources to track its state. |
1164| | If the operation is never concluded, the resources |
1165| | are never freed. |
1166| | In the worst scenario, multiple operations that |
1167| | never conclude may exhaust the SPMC resources to a |
1168| | point in which renders memory sharing operations |
1169| | impossible. This could affect other, non-harmful |
1170| | FF-A endpoints, from legitimately using memory |
1171| | share functionality. The intent might even be |
1172| | to cause the SPMC to consume excessive CPU cycles, |
1173| | attempting to make it deny its service to the NWd. |
1174+------------------------+----------------------------------------------------+
1175| ``Diagram Elements`` | DF1, DF2 |
1176+------------------------+----------------------------------------------------+
1177| ``Affected TF-A | SPMC, SPMD |
1178| Components`` | |
1179+------------------------+----------------------------------------------------+
1180| ``Assets`` | SPMC state |
1181+------------------------+----------------------------------------------------+
1182| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
1183+------------------------+----------------------------------------------------+
1184| ``Threat Type`` | Denial of Service |
1185+------------------------+------------------+-----------------+---------------+
1186| ``Application`` | ``Server`` | ``Mobile`` | |
1187+------------------------+------------------+-----------------+---------------+
1188| ``Impact`` | High (4) | Medium (3) | |
1189+------------------------+------------------+-----------------+---------------+
1190| ``Likelihood`` | High (4) | Medium (3) | |
1191+------------------------+------------------+-----------------+---------------+
1192| ``Total Risk Rating`` | High (16) | Medium (9) | |
1193+------------------------+------------------+-----------------+---------------+
1194| ``Mitigations`` | The TF-A SPMC uses a statically allocated pool of |
1195| | memory to keep track of on-going memory sharing |
1196| | operations. After a possible attack, this could |
1197| | fail due to insufficient memory, and return an |
1198| | error to the caller. At this point, any other |
1199| | endpoint that requires use of memory sharing for |
1200| | its operation could get itself in an unusable |
1201| | state. |
1202| | Regarding CPU cycles starving threat, the SPMC |
1203| | doesn't provide any mitigation for this, as any |
1204| | FF-A endpoint, at the virtual FF-A instance is |
1205| | allowed to invoke memory share/lend/donate. |
1206+------------------------+----------------------------------------------------+
1207
1208+------------------------+----------------------------------------------------+
1209| ID | 26 |
1210+========================+====================================================+
1211| ``Threat`` | **A borrower may interfere with lender's |
1212| | operation, if it terminates due to a fatal error |
1213| | condition without releasing the memory |
1214| | shared/lent.** |
1215| | Such scenario may render the lender inoperable. |
1216+------------------------+----------------------------------------------------+
1217| ``Diagram Elements`` | DF1, DF2 |
1218+------------------------+----------------------------------------------------+
1219| ``Affected TF-A | SPMC |
1220| Components`` | |
1221+------------------------+----------------------------------------------------+
1222| ``Assets`` | SP state |
1223+------------------------+----------------------------------------------------+
1224| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
1225+------------------------+----------------------------------------------------+
1226| ``Threat Type`` | Denial of Service |
1227+------------------------+------------------+-----------------+---------------+
1228| ``Application`` | ``Server`` | ``Mobile`` | |
1229+------------------------+------------------+-----------------+---------------+
1230| ``Impact`` | High (4) | Low (2) | |
1231+------------------------+------------------+-----------------+---------------+
1232| ``Likelihood`` | Medium (3) | Medium (3) | |
1233+------------------------+------------------+-----------------+---------------+
1234| ``Total Risk Rating`` | High (12) | Medium(6) | |
1235+------------------------+------------------+-----------------+---------------+
1236| ``Mitigations`` | The TF-A SPMC does not provide mitigation for such |
1237| | scenario. The FF-A endpoints must attempt to |
1238| | relinquish memory shared/lent themselves in |
1239| | case of failure. The memory used to track the |
1240| | operation in the SPMC will also remain usuable. |
1241+------------------------+----------------------------------------------------+
1242
1243+------------------------+----------------------------------------------------+
1244| ID | 27 |
1245+========================+====================================================+
1246| ``Threat`` | **A rogue FF-A endpoint may attempt to tamper with |
1247| | the content of the memory shared/lent, whilst |
1248| | being accessed by other FF-A endpoints.** |
1249| | It might attempt to do so: using one of the clear |
1250| | flags, when either retrieving or relinquishing |
1251| | access to the memory via the respective FF-A |
1252| | calls; or directly accessing memory without |
1253| | respecting the synchronization protocol between |
1254| | all involved endpoints. |
1255+------------------------+----------------------------------------------------+
1256| ``Diagram Elements`` | DF1, DF2 |
1257+------------------------+----------------------------------------------------+
1258| ``Affected TF-A | SPMC, FF-A endpoint |
1259| Components`` | |
1260+------------------------+----------------------------------------------------+
1261| ``Assets`` | SP state |
1262+------------------------+----------------------------------------------------+
1263| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
1264+------------------------+----------------------------------------------------+
1265| ``Threat Type`` | Denial of Service, Tampering |
1266+------------------------+------------------+-----------------+---------------+
1267| ``Application`` | ``Server`` | ``Mobile`` | |
1268+------------------------+------------------+-----------------+---------------+
1269| ``Impact`` | Low (2) | Low (2) | |
1270+------------------------+------------------+-----------------+---------------+
1271| ``Likelihood`` | Medium (3) | Medium (3) | |
1272+------------------------+------------------+-----------------+---------------+
1273| ``Total Risk Rating`` | Medium (6) | Medium(6) | |
1274+------------------------+------------------+-----------------+---------------+
1275| ``Mitigations`` | The first case defined in the threat, the TF-A |
1276| | SPMC mitigates it, by ensuring a memory is cleared |
1277| | only when all borrowers have relinquished access |
1278| | to the memory, in a scenario involving multiple |
1279| | borrowers. Also, if the receiver is granted RO, |
1280| | permissions, the SPMC will reject any request |
1281| | to clear memory on behalf of the borrower, by |
1282| | returning an error to the respective FF-A call. |
1283| | The second case defined in the threat can't be |
1284| | mitigated by the SPMC. It is up to the NS/S FF-A |
1285| | endpoints to establish a robust protocol for using |
1286| | the shared memory. |
1287+------------------------+----------------------------------------------------+
1288
1289+------------------------+----------------------------------------------------+
1290| ID | 28 |
1291+========================+====================================================+
1292| ``Threat`` | **A rogue FF-A endpoint may attempt to share |
1293| | memory that is not in its translation regime, or |
1294| | attempt to specify attributes more permissive than |
1295| | those it possesses at a given time.** |
1296| | Both ways could be an attempt for escalating its |
1297| | privileges. |
1298+------------------------+----------------------------------------------------+
1299| ``Diagram Elements`` | DF1, DF2 |
1300+------------------------+----------------------------------------------------+
1301| ``Affected TF-A | SPMC, FF-A endpoint |
1302| Components`` | |
1303+------------------------+----------------------------------------------------+
1304| ``Assets`` | SP state |
1305+------------------------+----------------------------------------------------+
1306| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
1307+------------------------+----------------------------------------------------+
1308| ``Threat Type`` | Denial of Service, Tampering |
1309+------------------------+------------------+-----------------+---------------+
1310| ``Application`` | ``Server`` | ``Mobile`` | |
1311+------------------------+------------------+-----------------+---------------+
1312| ``Impact`` | High (4) | Low (2) | |
1313+------------------------+------------------+-----------------+---------------+
1314| ``Likelihood`` | Medium (3) | Low (2) | |
1315+------------------------+------------------+-----------------+---------------+
1316| ``Total Risk Rating`` | High (12) | Low (2) | |
1317+------------------------+------------------+-----------------+---------------+
1318| ``Mitigations`` | The TF-A SPMC mitigates this threat by performing |
1319| | sanity checks to the provided memory region |
1320| | descriptor. |
1321| | For operations at the virtual FF-A instance, and |
1322| | once the full memory descriptor is provided, |
1323| | the SPMC validates that the memory is part of the |
1324| | caller's translation regime. The SPMC also checks |
1325| | that the memory attributes provided are within |
1326| | those the owner possesses, in terms of |
1327| | permissiveness. If more permissive attributes are |
1328| | specified, the SPMC returns an error |
1329| | FFA_INVALID_PARAMETERS. The permissiveness rules |
1330| | are enforced in any call to share/lend or donate |
1331| | the memory, and in retrieve requests. |
1332+------------------------+----------------------------------------------------+
1333
Madhukar Pappireddyce246f62022-10-14 16:06:00 -05001334--------------
Olivier Deprez86d1ffd2021-06-01 15:37:16 +02001335
J-Alves3e793032022-12-05 18:37:06 +00001336*Copyright (c) 2021-2023, Arm Limited. All rights reserved.*
Olivier Deprez86d1ffd2021-06-01 15:37:16 +02001337
Olivier Deprez2b0be752021-09-01 10:25:21 +02001338.. _Arm Firmware Framework for Arm A-profile: https://developer.arm.com/docs/den0077/latest
Olivier Deprez86d1ffd2021-06-01 15:37:16 +02001339.. _FF-A ACS: https://github.com/ARM-software/ff-a-acs/releases
J-Alves3e793032022-12-05 18:37:06 +00001340