11.1.4. Threat Model for RSS - AP interface
This document is an extension for the general TF-A threat-model. It considers those platforms where a Runtime Security Subsystem (RSS) is included in the SoC next to the Application Processor (AP).
188.8.131.52. Target of Evaluation
The scope of this threat model only includes the interface between the RSS and AP. Otherwise, the TF-A Generic Threat Model document is applicable for the AP core. The threat model for the RSS firmware will be provided by the RSS firmware project in the future.
184.108.40.206.1. Data Flow Diagram
This diagram is different only from the general TF-A data flow diagram in that it includes the RSS and highlights the interface between the AP and the RSS cores. The interface description only focuses on the AP-RSS interface the rest is the same as in the general TF-A threat-model document.
Boot images interact with RSS over a communication channel to record boot measurements and get image verification keys. At runtime, BL31 obtains the realm world attestation signing key from RSS.
220.127.116.11.2. Threat Assessment
For this section, please reference the Threat Assessment under the general TF-A threat-model document, Generic Threat Model. All the threats listed there are applicable for the AP core, here only the differences are highlighted.
ID 11: The access to the communication interface between AP and RSS is allowed only for firmware running at EL3. Accidentally exposing this interface to NSCode can allow malicious code to interact with RSS and gain access to sensitive data.
ID 13: Relevant in the context of the realm attestation key, which can be retrieved by BL31 through DF7. The RSS communication protocol layer mitigates against this by clearing its internal buffer when reply is received. The caller of the API must do the same if data is not needed anymore.
Copyright (c) 2022-2024, Arm Limited. All rights reserved.