11.1. TF-A Firmware Threat Model

As the TF-A codebase is highly configurable to allow tailoring it best for each platform’s needs, providing a holistic threat model covering all of its features is not necessarily the best approach. Instead, we provide a collection of documents which, together, form the project’s threat model. These are articulated around a core document, called the Generic Threat Model, which focuses on the most common configuration we expect to see. The other documents typically focus on specific features not covered in the core document.

As the TF-A codebase evolves and new features get added, these threat model documents will be updated and extended in parallel to reflect at best the current status of the code from a security standpoint.


Although our aim is eventually to provide threat model material for all features within the project, we have not reached that point yet. We expect to gradually fill these gaps over time.

Each of these documents give a description of the target of evaluation using a data flow diagram, as well as a list of threats we have identified using the STRIDE threat modeling technique and corresponding mitigations.

Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved.