@ -36,7 +36,8 @@ The scope for this threat model is:
running in the secure world of TrustZone (at S-EL2 exception level).
The threat model is not related to the normal world Hypervisor or VMs.
The S-EL1 SPMC solution is not covered.
- The implementation complies with the FF-A v1.0 specification.
- The implementation complies with the FF-A v1.0 specification, and a few
features of FF-A v1.1 specification.
- Secure partitions are statically provisioned at boot time.
- Focus on the run-time part of the life-cycle (no specific emphasis on boot
time, factory firmware provisioning, firmware udpate etc.)
@ -477,7 +478,7 @@ element of the data flow diagram.
+------------------------+------------------+---------------+-----------------+
| `` Total Risk Rating `` | Medium (6) | Medium (6) | |
+------------------------+------------------+---------------+-----------------+
| `` Mitigations `` | For the specific case of direct requests targett ing|
| `` Mitigations `` | For the specific case of direct requests targeting |
| | the SPMC, the latter is hardened to prevent |
| | its internal state or the state of an SP to be |
| | revealed through a direct message response. |
@ -572,7 +573,7 @@ element of the data flow diagram.
| ID | 11 |
+========================+====================================================+
| `` Threat `` | **A malicious endpoint may attempt flooding the |
| | SPMC with requests targett ing a service within an |
| | SPMC with requests targeting a service within an |
| | endpoint such that it denies another endpoint to |
| | access this service.** |
| | Similarly, the malicious endpoint may target a |
@ -607,7 +608,281 @@ element of the data flow diagram.
| | in a limited timeframe. |
+------------------------+----------------------------------------------------+
--------------
+------------------------+----------------------------------------------------+
| ID | 12 |
+========================+====================================================+
| `` Threat `` | **A malicious endpoint may attempt to allocate |
| | notifications bitmaps in the SPMC, through the |
| | FFA_NOTIFICATION_BITMAP_CREATE.** |
| | This might be an attempt to exhaust SPMC's memory, |
| | or to allocate a bitmap for a VM that was not |
| | intended to receive notifications from SPs. Thus |
| | creating the possibility for a channel that was not|
| | meant to exist. |
+------------------------+----------------------------------------------------+
| `` Diagram Elements `` | DF1, DF2, DF3 |
+------------------------+----------------------------------------------------+
| `` Affected TF-A | SPMC |
| Components`` | |
+------------------------+----------------------------------------------------+
| `` Assets `` | SPMC state |
+------------------------+----------------------------------------------------+
| `` Threat Agent `` | NS-Endpoint, S-Endpoint |
+------------------------+----------------------------------------------------+
| `` Threat Type `` | Denial of service, Spoofing |
+------------------------+------------------+-----------------+---------------+
| `` Application `` | `` Server `` | `` Mobile `` | |
+------------------------+------------------+-----------------+---------------+
| `` Impact `` | Medium(3) | Medium(3) | |
+------------------------+------------------+-----------------+---------------+
| `` Likelihood `` | Medium(3) | Medium(3) | |
+------------------------+------------------+-----------------+---------------+
| `` Total Risk Rating `` | Medium(9) | Medium(9) | |
+------------------------+------------------+-----------------+---------------+
| `` Mitigations `` | The TF-A SPMC mitigates this threat by defining a |
| | a fixed size pool for bitmap allocation. |
| | It also limits the designated FF-A calls to be used|
| | from NWd endpoints. |
| | In the NWd the hypervisor is supposed to limit the |
| | access to the designated FF-A call. |
+------------------------+----------------------------------------------------+
+------------------------+----------------------------------------------------+
| ID | 13 |
+========================+====================================================+
| `` Threat `` | **A malicious endpoint may attempt to destroy the |
| | notifications bitmaps in the SPMC, through the |
| | FFA_NOTIFICATION_BITMAP_DESTROY.** |
| | This might be an attempt to tamper with the SPMC |
| | state such that a partition isn't able to receive |
| | notifications. |
+------------------------+----------------------------------------------------+
| `` Diagram Elements `` | DF1, DF2, DF3 |
+------------------------+----------------------------------------------------+
| `` Affected TF-A | SPMC |
| Components`` | |
+------------------------+----------------------------------------------------+
| `` Assets `` | SPMC state |
+------------------------+----------------------------------------------------+
| `` Threat Agent `` | NS-Endpoint, S-Endpoint |
+------------------------+----------------------------------------------------+
| `` Threat Type `` | Tampering |
+------------------------+------------------+-----------------+---------------+
| `` Application `` | `` Server `` | `` Mobile `` | |
+------------------------+------------------+-----------------+---------------+
| `` Impact `` | Low(2) | Low(2) | |
+------------------------+------------------+-----------------+---------------+
| `` Likelihood `` | Low(2) | Low(2) | |
+------------------------+------------------+-----------------+---------------+
| `` Total Risk Rating `` | Low(4) | Low(4) | |
+------------------------+------------------+-----------------+---------------+
| `` Mitigations `` | The TF-A SPMC mitigates this issue by limiting the |
| | designated FF-A call to be issued by the NWd. |
| | Also, the notifications bitmap can't be destroyed |
| | if there are pending notifications. |
| | In the NWd, the hypervisor must restrict the |
| | NS-endpoints that can issue the designated call. |
+------------------------+----------------------------------------------------+
+------------------------+----------------------------------------------------+
| ID | 14 |
+========================+====================================================+
| `` Threat `` | **A malicious endpoint might attempt to give |
| | permissions to an unintended sender to set |
| | notifications targeting another receiver using the |
| | FF-A call FFA_NOTIFICATION_BIND.** |
| | This might be an attempt to tamper with the SPMC |
| | state such that an unintended, and possibly |
| | malicious, communication channel is established. |
+------------------------+----------------------------------------------------+
| `` Diagram Elements `` | DF1, DF2, DF3 |
+------------------------+----------------------------------------------------+
| `` Affected TF-A | SPMC |
| Components`` | |
+------------------------+----------------------------------------------------+
| `` Assets `` | SPMC state |
+------------------------+----------------------------------------------------+
| `` Threat Agent `` | NS-Endpoint, S-Endpoint |
+------------------------+----------------------------------------------------+
| `` Threat Type `` | Tampering, Spoofing |
+------------------------+------------------+-----------------+---------------+
| `` Application `` | `` Server `` | `` Mobile `` | |
+------------------------+------------------+-----------------+---------------+
| `` Impact `` | Low(2) | Low(2) | |
+------------------------+------------------+-----------------+---------------+
| `` Likelihood `` | Medium(3) | Medium(3) | |
+------------------------+------------------+-----------------+---------------+
| `` Total Risk Rating `` | Medium(6) | Medium(6) | |
+------------------------+------------------+-----------------+---------------+
| `` Mitigations `` | The TF-A SPMC mitigates this by restricting |
| | designated FFA_NOTIFICATION_BIND call to be issued |
| | by the receiver only. The receiver is responsible |
| | for allocating the notifications IDs to one |
| | specific partition. |
| | Also, receivers that are not meant to receive |
| | notifications, must have notifications receipt |
| | disabled in the respective partition's manifest. |
| | As for calls coming from NWd, if the NWd VM has had|
| | its bitmap allocated at initialization, the TF-A |
| | SPMC can't guarantee this threat won't happen. |
| | The Hypervisor must mitigate in the NWd, similarly |
| | to SPMC for calls in SWd. Though, if the Hypervisor|
| | has been compromised, the SPMC won't be able to |
| | mitigate it for calls forwarded from NWd. |
+------------------------+----------------------------------------------------+
+------------------------+----------------------------------------------------+
| ID | 15 |
+========================+====================================================+
| `` Threat `` | **A malicious partition endpoint might attempt to |
| | set notifications that are not bound to it.** |
+------------------------+----------------------------------------------------+
| `` Diagram Elements `` | DF1, DF2, DF3 |
+------------------------+----------------------------------------------------+
| `` Affected TF-A | SPMC |
| Components`` | |
+------------------------+----------------------------------------------------+
| `` Assets `` | SPMC state |
+------------------------+----------------------------------------------------+
| `` Threat Agent `` | NS-Endpoint, S-Endpoint |
+------------------------+----------------------------------------------------+
| `` Threat Type `` | Spoofing |
+------------------------+------------------+-----------------+---------------+
| `` Application `` | `` Server `` | `` Mobile `` | |
+------------------------+------------------+-----------------+---------------+
| `` Impact `` | Low(2) | Low(2) | |
+------------------------+------------------+-----------------+---------------+
| `` Likelihood `` | Low(2) | Low(2) | |
+------------------------+------------------+-----------------+---------------+
| `` Total Risk Rating `` | Low(4) | Low(4) | |
+------------------------+------------------+-----------------+---------------+
| `` Mitigations `` | The TF-A SPMC mitigates this by checking the |
| | sender's ID provided in the input to the call |
| | FFA_NOTIFICATION_SET. The SPMC keeps track of which|
| | notifications are bound to which sender, for a |
| | given receiver. If the sender is an SP, the |
| | provided sender ID must match the ID of the |
| | currently running partition. |
+------------------------+----------------------------------------------------+
+------------------------+----------------------------------------------------+
| ID | 16 |
+========================+====================================================+
| `` Threat `` | **A malicious partition endpoint might attempt to |
| | get notifications that are not targeted to it.** |
+------------------------+----------------------------------------------------+
| `` Diagram Elements `` | DF1, DF2, DF3 |
+------------------------+----------------------------------------------------+
| `` Affected TF-A | SPMC |
| Components`` | |
+------------------------+----------------------------------------------------+
| `` Assets `` | SPMC state |
+------------------------+----------------------------------------------------+
| `` Threat Agent `` | NS-Endpoint, S-Endpoint |
+------------------------+----------------------------------------------------+
| `` Threat Type `` | Spoofing |
+------------------------+------------------+-----------------+---------------+
| `` Application `` | `` Server `` | `` Mobile `` | |
+------------------------+------------------+-----------------+---------------+
| `` Impact `` | Informational(1) | Informational(1)| |
+------------------------+------------------+-----------------+---------------+
| `` Likelihood `` | Low(2) | Low(2) | |
+------------------------+------------------+-----------------+---------------+
| `` Total Risk Rating `` | Low(2) | Low(2) | |
+------------------------+------------------+-----------------+---------------+
| `` Mitigations `` | The TF-A SPMC mitigates this by checking the |
| | receiver's ID provided in the input to the call |
| | FFA_NOTIFICATION_GET. The SPMC keeps track of which|
| | notifications are pending for each receiver. |
| | The provided receiver ID must match the ID of the |
| | currently running partition, if it is an SP. |
| | For calls forwarded from NWd, the SPMC will return |
| | the pending notifications if the receiver had its |
| | bitmap created, and has pending notifications. |
| | If Hypervisor or OS kernel are compromised, the |
| | SPMC won't be able to mitigate calls from rogue NWd|
| | endpoints. |
+------------------------+----------------------------------------------------+
+------------------------+----------------------------------------------------+
| ID | 17 |
+========================+====================================================+
| `` Threat `` | **A malicious partition endpoint might attempt to |
| | get the information about pending notifications, |
| | through the FFA_NOTIFICATION_INFO_GET call.** |
| | This call is meant to be used by the NWd FF-A |
| | driver. |
+------------------------+----------------------------------------------------+
| `` Diagram Elements `` | DF1, DF2, DF3 |
+------------------------+----------------------------------------------------+
| `` Affected TF-A | SPMC |
| Components`` | |
+------------------------+----------------------------------------------------+
| `` Assets `` | SPMC state |
+------------------------+----------------------------------------------------+
| `` Threat Agent `` | NS-Endpoint, S-Endpoint |
+------------------------+----------------------------------------------------+
| `` Threat Type `` | Information disclosure |
+------------------------+------------------+-----------------+---------------+
| `` Application `` | `` Server `` | `` Mobile `` | |
+------------------------+------------------+-----------------+---------------+
| `` Impact `` | Low(2) | Low(2) | |
+------------------------+------------------+-----------------+---------------+
| `` Likelihood `` | Medium(3) | Medium(3) | |
+------------------------+------------------+-----------------+---------------+
| `` Total Risk Rating `` | Medium(6) | Medium(6) | |
+------------------------+------------------+-----------------+---------------+
| `` Mitigations `` | The TF-A SPMC mitigates this by returning error to |
| | calls made by SPs to FFA_NOTIFICATION_INFO_GET. |
| | If Hypervisor or OS kernel are compromised, the |
| | SPMC won't be able mitigate calls from rogue NWd |
| | endpoints. |
+------------------------+----------------------------------------------------+
+------------------------+----------------------------------------------------+
| ID | 18 |
+========================+====================================================+
| `` Threat `` | **A malicious partition endpoint might attempt to |
| | flood another partition endpoint with notifications|
| | hindering its operation.** |
| | The intent of the malicious endpoint could be to |
| | interfere with both the receiver's and/or primary |
| | endpoint execution, as they can both be preempted |
| | by the NPI and SRI, respectively. |
+------------------------+----------------------------------------------------+
| `` Diagram Elements `` | DF1, DF2, DF3, DF4 |
+------------------------+----------------------------------------------------+
| `` Affected TF-A | SPMC |
| Components`` | |
+------------------------+----------------------------------------------------+
| `` Assets `` | SPMC state, SP state, CPU cycles |
+------------------------+----------------------------------------------------+
| `` Threat Agent `` | NS-Endpoint, S-Endpoint |
+------------------------+----------------------------------------------------+
| `` Threat Type `` | DoS |
+------------------------+------------------+-----------------+---------------+
| `` Application `` | `` Server `` | `` Mobile `` | |
+------------------------+------------------+-----------------+---------------+
| `` Impact `` | Low(2) | Low(2) | |
+------------------------+------------------+-----------------+---------------+
| `` Likelihood `` | Medium(3) | Medium(3) | |
+------------------------+------------------+-----------------+---------------+
| `` Total Risk Rating `` | Medium(6) | Medium(6) | |
+------------------------+------------------+-----------------+---------------+
| `` Mitigations `` | The TF-A SPMC does not mitigate this threat. |
| | However, the impact is limited due to the |
| | architecture: |
| | - Notifications are not queued, one that has been |
| | signaled needs to be retrieved by the receiver, |
| | until it can be sent again. |
| | - Both SRI and NPI can't be pended until handled |
| | which limits the amount of spurious interrupts. |
| | - A given receiver could only bind a maximum number|
| | of notifications to a given sender, within a given |
| | execution context. |
+------------------------+----------------------------------------------------+
---------------
*Copyright (c) 2021, Arm Limited. All rights reserved.*