Hi all,
I am sending the email below on behalf of Kenneth Kabogo, who unfortunately is facing issues with the mailing list.
Regards,
Sandrine Afsa
----
Dear TF-A Maintainers,
I am proposing the introduction of a standardized SMC Argument Validation Framework into the TF-A codebase.
Over the past several weeks of security auditing across multiple platform ports, I have identified a recurring architectural failure mode termed "Privilege-Blind Forwarding" (PBF). This occurs when an EL3 handler receives a non-secure physical address and forwards it to a secure memory operation without re-validating the range against the platform's current security state (GPT/RMM).
Furthermore, there is a widespread Structural TOCTOU (Double-Fetch) vulnerability in many SiP ports where handlers validate arguments but later re-fetch them from non-secure memory, allowing a malicious caller to swap addresses mid-execution.
The proposed framework addresses these via an Atomic Shadow-Copy design pattern, requiring all SMC arguments to be unmarshaled into EL3 registers/memory once before validation.
The 3-part prototype and migration guide are available for review on Gerrit:
Framework Hardening (Core Logic): https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/47441
Architectural Guidance (Documentation): https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/47465
Arm Platform Demonstration (Migration Guide): https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/47466
I look forward to the community's feedback on this architectural shift.
Best regards,
Kenneth Kabogo
tf-a@lists.trustedfirmware.org
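Editor's note: the following is an added illustration of the two failure modes described in the proposal above (a handler validating one fetch of an SMC argument but acting on a second fetch, and a handler trusting a static non-secure window instead of the live GPT state) next to the single-fetch shadow-copy shape the proposal argues for. It is not code from TF-A or from the linked Gerrit changes. The 16-granule GPT, the DRAM_BASE value, the smc_args layout and the race_t hook that stands in for a second core rewriting shared memory are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Granule geometry and the physical address spaces a GPT distinguishes. */
#define GRANULE_SHIFT 12
#define GRANULE_SIZE  (1ULL << GRANULE_SHIFT)

enum pas { PAS_NS = 0, PAS_SECURE = 1, PAS_REALM = 2, PAS_ROOT = 3 };

/* Constructed GPT: 16 granules of DRAM with two Realm and two Secure
 * granules in the middle. Assumption: a toy table, real ones are far larger. */
#define DRAM_BASE   0x80000000ULL
#define GPT_ENTRIES 16
static const uint8_t gpt[GPT_ENTRIES] = {
    PAS_NS, PAS_NS, PAS_NS, PAS_NS, PAS_REALM, PAS_REALM, PAS_NS, PAS_NS,
    PAS_SECURE, PAS_SECURE, PAS_NS, PAS_NS, PAS_NS, PAS_NS, PAS_NS, PAS_NS,
};

/* PAS of the granule containing pa, or -1 if the table does not cover it. */
static int gpt_lookup(uint64_t pa)
{
    if (pa < DRAM_BASE) return -1;
    uint64_t idx = (pa - DRAM_BASE) >> GRANULE_SHIFT;
    return idx < GPT_ENTRIES ? gpt[idx] : -1;
}

/* The check a privilege-blind handler might rely on: the caller is
 * non-secure, so anything inside the DRAM window is assumed to be NS. */
static bool static_window_check(uint64_t pa, uint64_t len)
{
    if (len == 0 || len > UINT64_MAX - pa) return false;        /* wrap */
    return pa >= DRAM_BASE && pa + len <= DRAM_BASE + GPT_ENTRIES * GRANULE_SIZE;
}

/* GPT-aware check: every granule touched by [pa, pa + len) must be NS now. */
static bool range_is_ns(uint64_t pa, uint64_t len)
{
    if (len == 0 || len > UINT64_MAX - pa) return false;        /* wrap */
    uint64_t last = (pa + len - 1) & ~(GRANULE_SIZE - 1);
    for (uint64_t g = pa & ~(GRANULE_SIZE - 1); ; g += GRANULE_SIZE) {
        if (gpt_lookup(g) != PAS_NS) return false;
        if (g == last) break;      /* explicit exit: g += could wrap at top */
    }
    return true;
}

/* SMC arguments as they sit in a buffer shared with the non-secure world. */
struct smc_args { uint64_t pa; uint64_t len; };

/* Stand-in for another core rewriting the shared buffer mid-handler. */
typedef void (*race_t)(struct smc_args *);

/* Vulnerable shape: validates one fetch, then acts on a second fetch. */
static int handler_double_fetch(volatile struct smc_args *shared, race_t race,
                                struct smc_args *used)
{
    if (!range_is_ns(shared->pa, shared->len)) return -1;      /* fetch 1 */
    if (race) race((struct smc_args *)shared);                  /* attacker window */
    used->pa  = shared->pa;                                     /* fetch 2 */
    used->len = shared->len;
    return 0;
}

/* Hardened shape: copy once into EL3-owned storage, validate and use the copy. */
static int handler_shadow_copy(volatile struct smc_args *shared, race_t race,
                               struct smc_args *used)
{
    struct smc_args local = { shared->pa, shared->len };        /* single fetch */
    if (!range_is_ns(local.pa, local.len)) return -1;
    if (race) race((struct smc_args *)shared);                  /* cannot affect local */
    *used = local;
    return 0;
}

/* Constructed attacker: retarget the request at a Realm granule after validation. */
static void swap_to_realm(struct smc_args *shared)
{
    shared->pa = DRAM_BASE + 4 * GRANULE_SIZE;
}

/* Drive one handler under the race. Returns the PAS the handler would actually
 * operate on, or -1 if it rejected the request. */
static int run_race(int (*h)(volatile struct smc_args *, race_t, struct smc_args *))
{
    struct smc_args shared = { DRAM_BASE + 1 * GRANULE_SIZE, GRANULE_SIZE };
    struct smc_args used = { 0, 0 };
    if (h(&shared, swap_to_realm, &used) != 0) return -1;
    return gpt_lookup(used.pa);
}
```

With the same starting arguments, run_race(handler_double_fetch) ends up targeting the Realm granule while run_race(handler_shadow_copy) keeps the validated NS granule; separately, a range straddling NS and Realm granules passes static_window_check but fails range_is_ns, which is the difference between a static window assumption and a check against the live GPT.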