Hi Hu,

thank you for your reply.

My doubt came from the “asset identification” section that listed also “NSPE data stored in SPE”.

Why is that there? NSPE data stored in SPE don’t need protection from NSPE since it’s the owner of such data, right?

Probably, should this line be removed in this model?

Regarding “how to assist NSPE to manage and transfer NS identifications”, I’m working on an idea (on paper for now) I’d like to share with you by the end of this week.

Best,

Hi Antonio,

Thanks a lot for reviewing the threat model and bringing up this topic.

To fully mitigate the threat you mentioned, NSPE shall enforce NS tasks isolation and assign/manage NS identifications. IMHO, It mainly relies on non-secure side implementation.

Therefore that threat can be covered in the scope of another threat model against NS side.

TF-M is trying to figure out how to assist NSPE to manage and transfer NS identifications. Any suggestion or comment is welcome and helpful! 😊

Best regards,

Hu Ziji

Hi Hu,

I read the threat model and I have a question regarding a potential threat.

I’m not sure it should belong to this generic threat model or it is already included in one of those presented.

The scenario is the following: a NS App X uses a RoT Service that store data private to X. Another NS App Y can fool the SPE to impersonate X and retrieve its private data. For example, X save a value in the secure storage and Y retrieves this value. TF-M prevents this using non secure client identification mechanism. This is a classic confused deputy problem.  

Can this be considered a threat in this model or should it belong to another model/TOE?

Best,