11.2. EL3 SPMC Threat Model

11.2.1. Introduction

This document provides a threat model for the TF-A EL3 Secure Partition Manager (EL3 SPM) implementation. The EL3 SPM implementation is based on the Arm Firmware Framework for Arm A-profile specification.

11.2.2. Target of Evaluation

In this threat model, the target of evaluation is the Secure Partition Manager Core component (SPMC) within the EL3 firmware. The monitor and SPMD at EL3 are covered by the Generic TF-A threat model.

The scope for this threat model is:

  • The TF-A implementation for the EL3 SPMC

  • The implementation complies with the FF-A v1.1 specification.

  • Secure partition is statically provisioned at boot time.

  • Focus on the run-time part of the life-cycle (no specific emphasis on boot time, factory firmware provisioning, firmware udpate etc.)

  • Not covering advanced or invasive physical attacks such as decapsulation, FIB etc.

11.2.2.1. Data Flow Diagram

Figure 1 shows a high-level data flow diagram for the SPM split into an SPMD and SPMC component at EL3. The SPMD mostly acts as a relayer/pass-through between the normal world and the secure world. It is assumed to expose small attack surface.

A description of each diagram element is given in Table 1. In the diagram, the red broken lines indicate trust boundaries.

Components outside of the broken lines are considered untrusted.

/'
 ' Copyright (c) 2022, Arm Limited. All rights reserved.
 '
 ' SPDX-License-Identifier: BSD-3-Clause
 '/

/'
TF-A EL3 SPMC Data Flow Diagram
'/

@startuml
digraph tfa_el3_dfd {

    # Allow arrows to end on cluster boundaries
    compound=true
    concentrate=false
    newrank=true

    # Default settings for edges and nodes
    edge [minlen=2 color="#8c1b07"]
    node [fillcolor="#ffb866" style=filled shape=box fixedsize=true width=1.6 height=0.7]

    # Nodes outside of the trust boundary
    nsec [label="NS Client"]
    ddr  [label="External memory (DDR)"]

    {rank="same" smmu, spmd}
    # Trust boundary cluster
    subgraph cluster_trusted {
        graph [style=dashed color="#f22430"]
        concentrate=false

        # HW IPs cluster
        subgraph cluster_ip {
            label ="Hardware IPs";
            graph [style=filled color="#000000" fillcolor="#ffd29e"]

            rank="same"
            gic [label="GIC" width=1.2 height=0.5]
            smmu [label="SMMU" width=1.2 height=0.5]
            uart [label="UART" width=1.2 height=0.5]
            pe [label="PE" width=1.2 height=0.5]
        }

        # TF-A cluster
        subgraph cluster_tfa {
            label ="EL3 monitor";
            graph [style=filled color="#000000" fillcolor="#faf9cd"]
            {rank="same" spmc, bl31}
            {rank="same" spmd, lsp}
            spmc [label="SPMC" fillcolor="#ddffb3"]
            bl31 [label="BL31" fillcolor="#ddffb3"];
            spmd [label="SPMD" fillcolor="#ddffb3"]
            lsp[label="LSP1" fillcolor="#ddffb3"]
        }
        bl2 [label="BL2" width=1.2 height=0.5]
    }

    # Secure Partitions cluster
    subgraph cluster_sp {
        label ="Secure Partitions";
        graph [style=filled color="#000000" fillcolor="#faf9cd"]

        sp1 [label="SP1" fillcolor="#ddffb3"]
    }

    sp1 -> spmc [dir="both" label="DF1"]
    lsp -> spmc [dir="both" label="DF4"]
    spmc -> spmd [dir="both" label="DF2"]
    spmd -> nsec [dir="both" label="DF3"]
    spmc -> smmu [lhead=cluster_spmc label="DF5"]
    bl2 -> spmc [lhead=cluster_spmc label="DF6"]
    bl2 -> sp1 [lhead=cluster_spmc label="DF6"]
    sp1 -> ddr [dir="both"  label="DF7"]
    spmc -> ddr [dir="both"  label="DF7"]
}

@enduml

Figure 1: EL3 SPMC Data Flow Diagram

Table 1: EL3 SPMC Data Flow Diagram Description

Diagram Element

Description

DF1

SP to SPMC communication. FF-A function invocation or implementation-defined Hypervisor call.

Note:- To communicate with LSP, SP1 performs a direct message request to SPMC targeting LSP as destination.

DF2

SPMC to SPMD communication.

DF3

SPMD to NS forwarding.

DF4

SPMC to LSP communication. NWd to LSP communication happens through SPMC. LSP can send direct response SP1 or NWd through SPMC.

DF5

HW control.

DF6

Bootloader image loading.

DF7

External memory access.

11.2.3. Threat Analysis

This threat model follows a similar methodology to the Generic TF-A threat model. The following sections define:

  • Trust boundaries

  • Assets

  • Theat agents

  • Threat types

11.2.3.1. Trust boundaries

  • Normal world is untrusted.

  • Secure world and normal world are separate trust boundaries.

  • EL3 monitor, SPMD and SPMC are trusted.

  • Bootloaders (in particular BL1/BL2 if using TF-A) and run-time BL31 are implicitely trusted by the usage of trusted boot.

  • EL3 monitor, SPMD, SPMC do not trust SPs.

11.2.3.2. Assets

The following assets are identified:

  • SPMC state.

  • SP state.

  • Information exchange between endpoints (partition messages).

  • SPMC secrets (e.g. pointer authentication key when enabled)

  • SP secrets (e.g. application keys).

  • Scheduling cycles.

  • Shared memory.

11.2.3.3. Threat Agents

The following threat agents are identified:

  • Non-secure endpoint (referred NS-Endpoint later): normal world client at NS-EL2 (Hypervisor) or NS-EL1 (VM or OS kernel).

  • Secure endpoint (referred as S-Endpoint later): typically a secure partition.

  • Hardware attacks (non-invasive) requiring a physical access to the device, such as bus probing or DRAM stress.

11.2.3.4. Threat types

The following threat categories as exposed in the Generic TF-A threat model are re-used:

  • Spoofing

  • Tampering

  • Repudiation

  • Information disclosure

  • Denial of service

  • Elevation of privileges

Similarly this threat model re-uses the same threat risk ratings. The risk analysis is evaluated based on the environment being Server or Mobile. IOT is not evaluated as the EL3 SPMC is primarily meant for use in Client.

11.2.3.5. Threat Assessment

The following threats are identified by applying STRIDE analysis on each diagram element of the data flow diagram.

ID

01

Threat

An endpoint impersonates the sender FF-A ID in a direct request/response invocation.

Diagram Elements

DF1, DF2, DF3, DF4

Affected TF-A Components

SPMD, SPMC

Assets

SP state

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Spoofing

Application

Server

Mobile

Impact

Critical(5)

Critical(5)

Likelihood

Critical(5)

Critical(5)

Total Risk Rating

Critical(25)

Critical(25)

Mitigations

SPMC must be able to correctly identify an endpoint and enforce checks to disallow spoofing.

Mitigations implemented?

Yes. The SPMC enforces checks in the direct message request/response interfaces such an endpoint cannot spoof the origin and destination worlds (e.g. a NWd originated message directed to the SWd cannot use a SWd ID as the sender ID). Also enforces check for direct response being sent only to originator of request.

ID

02

Threat

An endpoint impersonates the receiver FF-A ID in a direct request/response invocation.

Diagram Elements

DF1, DF2, DF3, DF4

Affected TF-A Components

SPMD, SPMC

Assets

SP state

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Spoofing, Denial of Service

Application

Server

Mobile

Impact

Critical(5)

Critical(5)

Likelihood

Critical(5)

Critical(5)

Total Risk Rating

Critical(25)

Critical(25)

Mitigations

Validate if endpoind has permission to send request to other endpoint by implementation defined means.

Mitigations implemented?

Platform specific.

The guidance below is left for a system integrator to implement as necessary.

Additionally a software component residing in the SPMC can be added for the purpose of direct request/response filtering.

It can be configured with the list of known IDs and about which interaction can occur between one and another endpoint (e.g. which NWd endpoint ID sends a direct request to which SWd endpoint ID).

This component checks the sender/receiver fields for a legitimate communication between endpoints.

A similar component can exist in the OS kernel driver, or Hypervisor although it remains untrusted by the SPMD/SPMC.

ID

03

Threat

Tampering with memory shared between an endpoint and the SPMC.

A malicious endpoint may attempt tampering with its RX/TX buffer contents while the SPMC is processing it (TOCTOU).

Diagram Elements

DF1, DF3, DF7

Affected TF-A Components

SPMC

Assets

Shared memory, Information exchange

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Tampering

Application

Server

Mobile

Impact

High (4)

High (4)

Likelihood

High (4)

High (4)

Total Risk Rating

High (16)

High (16)

Mitigations

Validate all inputs, copy before use.

Mitigations implemented?

Yes. In context of FF-A v1.1 this is the case of sharing the RX/TX buffer pair and usage in the PARTITION_INFO_GET or memory sharing primitives.

The SPMC copies the contents of the TX buffer to an internal temporary buffer before processing its contents. The SPMC implements hardened input validation on data transmitted through the TX buffer by an untrusted endpoint.

The TF-A SPMC enforces checks on data transmitted through RX/TX buffers.

ID

04

Threat

An endpoint may tamper with its own state or the state of another endpoint.

A malicious endpoint may attempt violating:

  • its own or another SP state by using an unusual combination (or out-of-order) FF-A function invocations. This can also be an endpoint emitting FF-A function invocations to another endpoint while the latter in not in a state to receive it (e.g. SP sends a direct request to the normal world early while the normal world is not booted yet).

  • the SPMC state itself by employing unexpected transitions in FF-A memory sharing, direct requests and responses, or handling of interrupts This can be led by random stimuli injection or fuzzing.

Diagram Elements

DF1, DF2, DF3

Affected TF-A Components

SPMD, SPMC

Assets

SP state, SPMC state

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Tampering

Application

Server

Mobile

Impact

High (4)

High (4)

Likelihood

Medium (3)

Medium (3)

Total Risk Rating

High (12) | High (12)

Mitigations

Follow guidelines in FF-A v1.1 specification on state transitions (run-time model).

Mitigations implemented?

Yes. The TF-A SPMC is hardened to follow this guidance.

ID

05

Threat

Replay fragments of past communication between endpoints.

A malicious endpoint may replay a message exchange that occurred between two legitimate endpoints as a matter of triggering a malfunction or extracting secrets from the receiving endpoint. In particular the memory sharing operation with fragmented messages between an endpoint and the SPMC may be replayed by a malicious agent as a matter of getting access or gaining permissions to a memory region which does not belong to this agent.

Diagram Elements

DF2, DF3

Affected TF-A Components

SPMC

Assets

Information exchange

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Repudiation

Application

Server

Mobile

Impact

Medium (3)

Medium (3)

Likelihood

High (4)

High (4)

Total Risk Rating

High (12)

High (12)

Mitigations

Strict input validation and state tracking.

Mitigations implemented?

Platform specific.

ID

06

Threat

A malicious endpoint may attempt to extract data or state information by the use of invalid or incorrect input arguments.

Lack of input parameter validation or side effects of maliciously forged input parameters might affect the SPMC.

Diagram Elements

DF1, DF2, DF3

Affected TF-A Components

SPMD, SPMC

Assets

SP secrets, SPMC secrets, SP state, SPMC state

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Information discolure

Application

Server

Mobile

Impact

High (4)

High (4)

Likelihood

Medium (3)

Medium (3)

Total Risk Rating

High (12)

High (12)

Mitigations

SPMC must be prepared to receive incorrect input data from secure partitions and reject them appropriately. The use of software (canaries) or hardware hardening techniques (XN, WXN, pointer authentication) helps detecting and stopping an exploitation early.

Mitigations implemented?

Yes. The TF-A SPMC mitigates this threat by implementing stack protector, pointer authentication, XN, WXN, security hardening techniques.

ID

07

Threat

A malicious endpoint may forge a direct message request such that it reveals the internal state of another endpoint through the direct message response.

The secure partition or SPMC replies to a partition message by a direct message response with information which may reveal its internal state (e.g. partition message response outside of allowed bounds).

Diagram Elements

DF1, DF2, DF3

Affected TF-A Components

SPMC

Assets

SPMC or SP state

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Information discolure

Application

Server

Mobile

Impact

Medium (3)

Medium (3)

Likelihood

Low (2)

Low (2)

Total Risk Rating

Medium (6)

Medium (6)

Mitigations

Follow FF-A specification about state transitions, run time model, do input validation.

Mitigations implemented?

Yes. For the specific case of direct requests targeting the SPMC, the latter is hardened to prevent its internal state or the state of an SP to be revealed through a direct message response. Further FF-A v1.1 guidance about run time models and partition states is followed.

ID

08

Threat

Probing the FF-A communication between endpoints.

SPMC and SPs are typically loaded to external memory (protected by a TrustZone memory controller). A malicious agent may use non invasive methods to probe the external memory bus and extract the traffic between an SP and the SPMC or among SPs when shared buffers are held in external memory.

Diagram Elements

DF7

Affected TF-A Components

SPMC

Assets

SP/SPMC state, SP/SPMC secrets

Threat Agent

Hardware attack

Threat Type

Information disclosure

Application

Server

Mobile

Impact

Medium (3)

Medium (3)

Likelihood

Low (2)

Medium (3)

Total Risk Rating

Medium (6)

Medium (9)

Mitigations

Implement DRAM protection techniques using hardware countermeasures at platform or chip level.

Mitigations implemented?

Platform specific.

ID

09

Threat

A malicious agent may attempt revealing the SPMC state or secrets by the use of software-based cache side-channel attack techniques.

Diagram Elements

DF7

Affected TF-A Components

SPMC

Assets

SP or SPMC state

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Information disclosure

Application

Server

Mobile

Impact

Medium (3)

Medium (3)

Likelihood

Low (2)

Low (2)

Total Risk Rating

Medium (6)

Medium (6)

Mitigations

The SPMC may be hardened further with SW mitigations (e.g. speculation barriers) for the cases not covered in HW. Usage of hardened compilers and appropriate options, code inspection are recommended ways to mitigate Spectre types of attacks.

Mitigations implemented?

No.

ID

10

Threat

A malicious endpoint may attempt flooding the SPMC with requests targeting a service within an endpoint such that it denies another endpoint to access this service.

Similarly, the malicious endpoint may target a a service within an endpoint such that the latter is unable to request services from another endpoint.

Diagram Elements

DF1, DF2, DF3

Affected TF-A Components

SPMC

Assets

SPMC state, Scheduling cycles

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Denial of service

Application

Server

Mobile

Impact

Medium (3)

Medium (3)

Likelihood

Medium (3)

Medium (3)

Total Risk Rating

Medium (9)

Medium (9)

Mitigations

Bounding the time for operations to complete can be achieved by the usage of a trusted watchdog. Other quality of service monitoring can be achieved in the SPMC such as counting a number of operations in a limited timeframe.

Mitigations implemented?

Platform specific.

ID

11

Threat

Denying a lender endpoint to make progress if borrower endpoint encountered a fatal exception. Denying a new sender endpoint to make progress if receiver encountered a fatal exception.

Diagram Elements

DF1, DF2, DF3

Affected TF-A Components

SPMC

Assets

Shared resources, Scheduling cycles.

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Denial of service

Application

Server

Mobile

Impact

Medium (3)

Medium (3)

Likelihood

Medium (3)

Medium (3)

Total Risk Rating

Medium (9)

Medium (9)

Mitigations

SPMC must be able to detect fatal error in SP and take ownership of shared resources. It should be able to relinquish the access to shared memory regions to allow lender to proceed. SPMC must return ABORTED if new direct requests are targeted to SP which has had a fatal error.

Mitigations implemented?

Platform specific.

ID

12

Threat

A malicious endpoint may attempt to donate, share, lend, relinquish or reclaim unauthorized memory region.

Diagram Elements

DF1, DF2, DF3

Affected TF-A Components

SPMC

Assets

SP secrets, SPMC secrets, SP state, SPMC state

Threat Agent

NS-Endpoint, S-Endpoint

Threat Type

Elevation of Privilege

Application

Server

Mobile

Impact

High (4)

High (4)

Likelihood

High (4)

High (4)

Total Risk Rating

High (16)

High (16)

Mitigations

Follow FF-A specification guidelines on Memory management transactions.

Mitigations implemented?

Yes. The SPMC tracks ownership and access state for memory transactions appropriately, and validating the same for all operations. SPMC follows FF-A v1.1 guidance for memory transaction lifecycle.


Copyright (c) 2022-2023, Arm Limited. All rights reserved.