Hi Antonio,
Thanks a lot for reviewing the threat model and bringing up this topic.
To fully mitigate the threat you mentioned, NSPE shall enforce NS task isolation and assign/manage NS identifications. IMHO, it mainly relies on the non-secure side implementation. Therefore that threat can be covered in the scope of another threat model against the NS side.
TF-M is trying to figure out how to assist NSPE to manage and transfer NS identifications. Any suggestion or comment is welcome and helpful!
Best regards, Hu Ziji
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Antonio Ken IANNILLO via TF-M Sent: Wednesday, December 30, 2020 7:13 PM To: tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] TF-M generic threat model
Hi Hu, I read the threat model and I have a question regarding a potential threat. I'm not sure it should belong to this generic threat model or it is already included in one of those presented.
The scenario is the following: an NS App X uses a RoT Service that stores data private to X. Another NS App Y can fool the SPE to impersonate X and retrieve its private data. For example, X saves a value in the secure storage and Y retrieves this value. TF-M prevents this using the non-secure client identification mechanism. This is a classic confused deputy problem.
Can this be considered a threat in this model or should it belong to another model/TOE?
Best, -- Antonio Ken Iannillo, Research Scientist - SEDAN group, SnT - Interdisciplinary Centre for Security, Reliability and Trust
UNIVERSITÉ DU LUXEMBOURG
CAMPUS KIRCHBERG, 29, avenue John F. Kennedy, L-1855 Luxembourg Kirchberg, T +352 46 66 44 9660
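The confused-deputy scenario described above (NS App Y asking a secure service for NS App X's data while claiming X's identity), modelled as an added example. This is not TF-M code and not from either author: it is a toy per-client secure storage with two query paths, one that trusts a client identity carried in the request payload and one that uses only the identity the NS kernel's dispatcher bound to the request, which is the "NSPE assigns/manages NS identifications" point made in the reply. All names (ps_set, ps_get_claimed, ps_get_bound, nspe_dispatch, APP_X, APP_Y, the request and slot layouts) are assumptions for this illustration.

```c
/* Added toy model of the confused-deputy scenario in the thread; not TF-M
 * code. All names (ps_set, ps_get_claimed, ps_get_bound, nspe_dispatch,
 * APP_X, APP_Y) and the storage layout are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS 8
#define VAL_LEN   16

typedef int32_t client_id_t;

/* Constructed sample: two NS applications. In a real system these IDs are
 * owned by the NS kernel's task bookkeeping, never by a request payload. */
enum { APP_X = -1, APP_Y = -2 };

/* One record of "NSPE data stored in SPE", keyed by owning client and uid. */
typedef struct {
    int         used;
    client_id_t owner;
    uint32_t    uid;
    char        value[VAL_LEN];
} slot_t;

static slot_t storage[MAX_SLOTS];

/* Store a value on behalf of 'owner'. Returns 0 on success, -1 when full. */
int ps_set(client_id_t owner, uint32_t uid, const char *value)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (storage[i].used) continue;
        storage[i] = (slot_t){ .used = 1, .owner = owner, .uid = uid };
        strncpy(storage[i].value, value, VAL_LEN - 1); /* value[] zeroed above */
        return 0;
    }
    return -1;
}

/* The (owner, uid) pair is the only key, so a record is invisible to every
 * client except the one it was written for. Returns 0 on hit, -1 otherwise. */
static int ps_lookup(client_id_t owner, uint32_t uid, char *out)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (storage[i].used && storage[i].owner == owner && storage[i].uid == uid) {
            strcpy(out, storage[i].value);
            return 0;
        }
    }
    return -1;
}

/* A request crossing the NS/S boundary. 'claimed_client' is untrusted payload
 * written by the task; 'bound_client' is stamped by the NS kernel dispatcher. */
typedef struct {
    client_id_t claimed_client;
    client_id_t bound_client;
    uint32_t    uid;
} request_t;

/* WEAK: the service believes the identity the caller put in the payload, so
 * any NS task can claim to be APP_X and read APP_X's data. */
int ps_get_claimed(const request_t *req, char *out)
{
    return ps_lookup(req->claimed_client, req->uid, out);
}

/* HARDENED: the service uses only the identity bound by the trusted dispatcher. */
int ps_get_bound(const request_t *req, char *out)
{
    return ps_lookup(req->bound_client, req->uid, out);
}

/* Stand-in for the NS kernel's knowledge of which task is currently running. */
static client_id_t current_task;

/* NSPE-side dispatch: stamp the running task's ID onto the request before it is
 * forwarded, regardless of what the task itself wrote into the payload. */
void nspe_dispatch(request_t *req)
{
    req->bound_client = current_task;
}

/* Run the scenario: X stores a secret, then task 'running' requests uid 42
 * while claiming to be X. Returns 1 if the secret comes back, 0 if denied. */
static int run(client_id_t running, int (*get)(const request_t *, char *))
{
    char out[VAL_LEN] = {0};
    request_t req = { .claimed_client = APP_X, .bound_client = 0, .uid = 42 };
    memset(storage, 0, sizeof storage);
    ps_set(APP_X, 42, "x-secret");
    current_task = running;
    nspe_dispatch(&req);
    return get(&req, out) == 0 && strcmp(out, "x-secret") == 0;
}

int scenario_weak_leaks(void)   { return run(APP_Y, ps_get_claimed); }
int scenario_bound_denies(void) { return !run(APP_Y, ps_get_bound); }
int scenario_owner_reads(void)  { return run(APP_X, ps_get_bound); }

int main(void)
{
    printf("weak path leaks X's data to Y: %d\n", scenario_weak_leaks());
    printf("bound path denies Y:           %d\n", scenario_bound_denies());
    printf("bound path still serves X:     %d\n", scenario_owner_reads());
    return 0;
}
```

The point the model makes is the one from the reply: the secure side can only partition "NSPE data stored in SPE" per client if the client identity it keys on is produced by something the requesting task cannot forge, which in this toy is the NS kernel's dispatcher rather than the request payload. The hardened path still serves the real owner, so the mitigation costs no functionality.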
Hi Hu,
thank you for your reply.
My doubt came from the "asset identification" section that listed also "NSPE data stored in SPE".
Why is that there? NSPE data stored in SPE don't need protection from NSPE since it's the owner of such data, right?
Probably, should this line be removed in this model?
Regarding "how to assist NSPE to manage and transfer NS identifications", I'm working on an idea (on paper for now) I'd like to share with you by the end of this week.
Best,
Hi Antonio,
That will be great! I'm looking forward to hearing the idea from you!
Regarding "NSPE data stored in SPE", it is a general requirement. SPE shall properly protect the data stored on the SPE side, including the NS data stored as requested by NS clients.
Best regards, Hu Ziji
From: Antonio Ken IANNILLO antonioken.iannillo@uni.lu Sent: Monday, January 4, 2021 5:02 PM To: David Hu David.Hu@arm.com Cc: tf-m@lists.trustedfirmware.org; nd nd@arm.com Subject: Re: [TF-M] TF-M generic threat model
From: David Hu <David.Hu@arm.com> Date: Monday, 4 January 2021 at 08:21 To: Antonio Ken IANNILLO <antonioken.iannillo@uni.lu> Cc: tf-m@lists.trustedfirmware.org, nd <nd@arm.com> Subject: RE: [TF-M] TF-M generic threat model