11.1.4. Threat Model for RSE - AP interface Introduction

This document is an extension for the general TF-A threat-model. It considers those platforms where a Runtime Security Engine (RSE) is included in the SoC next to the Application Processor (AP). Target of Evaluation

The scope of this threat model only includes the interface between the RSE and AP. Otherwise, the TF-A Generic Threat Model document is applicable for the AP core. The threat model for the RSE firmware will be provided by the RSE firmware project in the future. Data Flow Diagram

This diagram is different only from the general TF-A data flow diagram in that it includes the RSE and highlights the interface between the AP and the RSE cores. The interface description only focuses on the AP-RSE interface the rest is the same as in the general TF-A threat-model document.

 ' Copyright (c) 2021-2022, Arm Limited. All rights reserved.
 ' SPDX-License-Identifier: BSD-3-Clause

TF-A Data Flow Diagram including RSE

digraph tfa_dfd {

    # Arrange nodes from left to right

    # Allow arrows to end on cluster boundaries

    # Default settings for edges and nodes
    edge [minlen=2 color="#8c1b07"]
    node [fillcolor="#ffb866" style=filled shape=box fixedsize=true width=1.6 height=0.7]

    # Nodes outside of the trust boundary
    nsec [label="Non-secure\nClients"]
    sec [label="Secure\nClients"]
    dbg [label="Debug & Trace"]
    uart [label="UART"]
    nvm [label="Non-volatile\nMemory"]

    # Trust boundary cluster
    subgraph cluster_trusted{
        graph [style=dashed color="#f22430"]

        # HW IPs cluster
        subgraph cluster_ip{
            label ="Hardware IPs";
            graph [style=filled color="#000000" fillcolor="#ffd29e"]

            gic [label="GIC" width=1.2 height=0.5]
            tzc [label="TZ\nController" width=1.2 height=0.5]
            etc [label="..." shape=none style=none height=0.5]

        # TF-A cluster
        subgraph cluster_tfa{
            label ="TF-A";
            graph [style=filled color="#000000" fillcolor="#faf9cd"]

            bl1 [label="Boot ROM\n(BL1)" fillcolor="#ddffb3"];
            bl2 [label="Trusted Boot\nFirmware\n(BL2)" fillcolor="#ddffb3" height=1]
            bl31 [label="TF-A Runtime\n(BL31)" fillcolor="#ddffb3"]

        # RSE cluster
        subgraph cluster_rse{
            label ="RSE";
            graph [style=filled color="#000000" fillcolor="#faf9cd"]

            rse [label="Runtime Security\n\ Subsystem\n\ (RSE)" fillcolor="#ddffb3"]

    # Interactions between nodes
    nvm -> bl31 [lhead=cluster_tfa label="DF1"]
    uart -> bl31 [dir="both" lhead=cluster_tfa label="DF2"]
    dbg -> bl2 [dir="both" lhead=cluster_tfa label="DF3"]
    sec -> bl2 [dir="both" lhead=cluster_tfa label="DF4"]
    nsec -> bl1 [dir="both" lhead=cluster_tfa, label="DF5"]
    bl2 ->  tzc [dir="both" ltail=cluster_tfa lhead=cluster_ip label="DF6" minlen=1]
    bl31 -> rse [dir="both" ltail=cluster_tfa lhead=cluster_rse label="DF7" minlen=1]



Figure 1: TF-A Data Flow Diagram including RSE

Table 1: TF-A - RSE data flow diagram

Diagram Element



Boot images interact with RSE over a communication channel to record boot measurements and get image verification keys. At runtime, BL31 obtains the realm world attestation signing key from RSE. Threat Assessment

For this section, please reference the Threat Assessment under the general TF-A threat-model document, Generic Threat Model. All the threats listed there are applicable for the AP core, here only the differences are highlighted.

  • ID 11: The access to the communication interface between AP and RSE is allowed only for firmware running at EL3. Accidentally exposing this interface to NSCode can allow malicious code to interact with RSE and gain access to sensitive data.

  • ID 13: Relevant in the context of the realm attestation key, which can be retrieved by BL31 through DF7. The RSE communication protocol layer mitigates against this by clearing its internal buffer when reply is received. The caller of the API must do the same if data is not needed anymore.

Copyright (c) 2022-2024, Arm Limited. All rights reserved.