docs: Add SMM Gateway SP security assessment
Add security assessment of the SMM Gateway SP.
Change-Id: I200657f55a7509c44945206fa29c069fe40d140c
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
diff --git a/docs/security/threat-assessment/index.rst b/docs/security/threat-assessment/index.rst
index 5c34cb9..1c1a440 100644
--- a/docs/security/threat-assessment/index.rst
+++ b/docs/security/threat-assessment/index.rst
@@ -9,6 +9,8 @@
psa-storage-threat-assessment
crypto-service-threat-assessment
+ smmgw-threat-assessment
+
--------------
diff --git a/docs/security/threat-assessment/smmgw-threat-assessment.rst b/docs/security/threat-assessment/smmgw-threat-assessment.rst
new file mode 100644
index 0000000..0f45c1a
--- /dev/null
+++ b/docs/security/threat-assessment/smmgw-threat-assessment.rst
@@ -0,0 +1,62 @@
+SmmGW SP
+========
+
+
+Scope of evaluation
+-------------------
+
+This assessment makes the following assumptions:
+
+ - The SmmGW service is deployed to a dedicated S-EL0 SP, and its execution context is physically isolated.
+ - The SP uses the PSA PS SP for storing persistent data.
+ - The solution uses the Logging SP, or the FF-A logging API provided by the SPMC.
+ - The SmmGW uses a PSA Crypto implementation for executing cryptographic operations.
+
+ - This implementation can be built-in and running within the isolation boundary of the SP.
+ - The PSA Crypto implementation can be external and may run in another SP.
+
+Assessment Results
+------------------
+
+This section specializes the threats identified in the Generic Threat Model for the SmmGW service where applicable.
+Threats not listed here are mitigated as described in the :doc:`/security/threat-models/generic-threat-model`.
+
+ - :ref:`GEN05 <generic_threat_5>` "External devices connected to the system storing sensitive data."
+
+ The SmmGW SP does not require any external devices for its operation, even when the built-in PSA Crypto is used.
+ Therefore, this threat is considered out of scope.
+
+ - :ref:`GEN06 <generic_threat_6>` "State of external devices connected to the system might be modified by an
+ attacker."
+
+ The SmmGW SP does not require any external devices for its operation, even when the built-in PSA Crypto is used.
+ Therefore, this threat is considered out of scope.
+
+ - :ref:`GEN07 <generic_threat_7>` "Invalid or conflicting access to shared hardware."
+
+ The SmmGW SP does not require any external devices for its operation, even when the built-in PSA Crypto is used.
+ Therefore, this threat is considered out of scope.
+
+ - :ref:`GEN08 <generic_threat_8>` "Unauthenticated access to hardware."
+
+ The SmmGW SP does not require any external devices for its operation, even when the built-in PSA Crypto is used.
+ Therefore, this threat is considered out of scope.
+
+ - :ref:`GEN09 <generic_threat_9>` "Unauthenticated access to sensitive data."
+
+ The UEFI Variable Service is designed to present a uniform view to all clients, so SmmGW does not need to enforce
+ client isolation itself.
+
+ The SmmGW SP requires PSA PS and the PSA Crypto SPs to enforce client isolation and prevent other FF-A endpoints
+ to access its assets.
+
+ - :ref:`GEN10 <generic_threat_10>` "Time-of-Check to Time-of-Use (TOCTTOU) attack through shared memory."
+
+ The SmmGW service provider must ensure data is copied to a secure memory buffer before calling the psa crypto
+ implementation to execute sensitive operations.
+
+--------------
+
+*Copyright (c) 2025, Arm Limited and Contributors. All rights reserved.*
+
+SPDX-License-Identifier: BSD-3-Clause
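
Review bot: The GEN07 and GEN08 entries reuse the GEN05/GEN06 rationale word for word ("does not require any external devices"), but these two threats concern shared hardware and unauthenticated access to hardware, not external devices, so the out-of-scope conclusion is not supported as written. Give each a threat-specific justification, for example by stating which hardware resources the SP does or does not access. In GEN10, the copy-to-secure-buffer requirement is tied only to calls into the PSA Crypto implementation. The scope section also lists PSA PS as a dependency, and a TOCTTOU window opens as soon as any request field is validated while still in shared memory, so consider wording the requirement as "copied before any validation or use". Minor wording: "prevent other FF-A endpoints to access its assets" should read "from accessing", and "psa crypto" should match the "PSA Crypto" spelling used in the rest of the file.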