Hi Hu,
thank you for your reply.
My doubt came from the “asset identification” section that listed also “NSPE data stored in SPE”.
Why is that there? NSPE data stored in SPE don’t need protection from NSPE since it’s the owner of such data, right?
Probably, should this line be removed in this model?
Regarding “how to assist NSPE to manage and transfer NS identifications”, I’m working on an idea (on paper for now) I’d like to share with you by the end of this week.
Best,
--
Antonio Ken Iannillo
https://akiannillo.github.io/
From: David Hu
David.Hu@arm.com
Date: Monday, 4 January 2021 at 08:21
To: Antonio Ken IANNILLO
antonioken.iannillo@uni.lu
Cc: "tf-m@lists.trustedfirmware.org"
tf-m@lists.trustedfirmware.org, nd
nd@arm.com
Subject: RE: [TF-M] TF-M generic threat model
Hi Antonio,
Thanks a lot for reviewing the threat model and bringing up this topic.
To fully mitigate the threat you mentioned, NSPE shall enforce NS tasks isolation and assign/manage NS identifications. IMHO, It mainly relies on non-secure side implementation.
Therefore that threat can be covered in the scope of another threat model against NS side.
TF-M is trying to figure out how to assist NSPE to manage and transfer NS identifications. Any suggestion or comment is welcome and helpful! 😊
Best regards,
Hu Ziji
From: TF-M
tf-m-bounces@lists.trustedfirmware.org On Behalf Of Antonio Ken IANNILLO via TF-M
Sent: Wednesday, December 30, 2020 7:13 PM
To: tf-m@lists.trustedfirmware.org
Subject: Re: [TF-M] TF-M generic threat model
Hi Hu,
I read the threat model and I have a question regarding a potential threat.
I’m not sure it should belong to this generic threat model or it is already included in one of those presented.
The scenario is the following: a NS App X uses a RoT Service that store data private to X. Another NS App Y can fool the SPE to impersonate X and retrieve its private data. For example, X save a value in the secure storage and Y retrieves this value. TF-M prevents this using non secure client identification mechanism. This is a classic confused deputy problem.
Can this be considered a threat in this model or should it belong to another model/TOE?
Best,
--
Antonio Ken Iannillo
Research Scientist – SEDAN group
SnT – Interdisciplinary Centre for Security, Reliability and Trust
UNIVERSITÉ DU LUXEMBOURG
CAMPUS KIRCHBERG
29, avenue John F. Kennedy
L-1855 Luxembourg Kirchberg
T +352 46 66 44 9660
https://akiannillo.github.io/