Hi Antonio,

 

Thanks a lot for reviewing the threat model and bringing up this topic.

 

To fully mitigate the threat you mentioned, NSPE shall enforce NS tasks isolation and assign/manage NS identifications. IMHO, It mainly relies on non-secure side implementation.

Therefore that threat can be covered in the scope of another threat model against NS side.

 

TF-M is trying to figure out how to assist NSPE to manage and transfer NS identifications. Any suggestion or comment is welcome and helpful! 😊

 

Best regards,

Hu Ziji

 

 

Hi Hu,

I read the threat model and I have a question regarding a potential threat.

I’m not sure it should belong to this generic threat model or it is already included in one of those presented.

 

The scenario is the following: a NS App X uses a RoT Service that store data private to X. Another NS App Y can fool the SPE to impersonate X and retrieve its private data. For example, X save a value in the secure storage and Y retrieves this value. TF-M prevents this using non secure client identification mechanism. This is a classic confused deputy problem.  

 

Can this be considered a threat in this model or should it belong to another model/TOE?

 

Best,