Hi Antonio,
Thanks a lot for reviewing the threat model and bringing up this topic.
To fully mitigate the threat you mentioned, NSPE shall enforce NS tasks isolation and assign/manage NS identifications. IMHO, It mainly relies on non-secure side implementation. Therefore that threat can be covered in the scope of another threat model against NS side.
TF-M is trying to figure out how to assist NSPE to manage and transfer NS identifications. Any suggestion or comment is welcome and helpful! 😊
Best regards, Hu Ziji
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Antonio Ken IANNILLO via TF-M Sent: Wednesday, December 30, 2020 7:13 PM To: tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] TF-M generic threat model
Hi Hu, I read the threat model and I have a question regarding a potential threat. I’m not sure it should belong to this generic threat model or it is already included in one of those presented.
The scenario is the following: a NS App X uses a RoT Service that store data private to X. Another NS App Y can fool the SPE to impersonate X and retrieve its private data. For example, X save a value in the secure storage and Y retrieves this value. TF-M prevents this using non secure client identification mechanism. This is a classic confused deputy problem.
Can this be considered a threat in this model or should it belong to another model/TOE?
Best, -- Antonio Ken Iannillo Research Scientist – SEDAN group SnT – Interdisciplinary Centre for Security, Reliability and Trust
UNIVERSITÉ DU LUXEMBOURG
CAMPUS KIRCHBERG 29, avenue John F. Kennedy L-1855 Luxembourg Kirchberg T +352 46 66 44 9660