docs: Add Block Storage SP security assessment
Add security assessment of the Block Storage SP.
Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Change-Id: I52240fd3fb4422b589ec360f4f5cee7153c475a4
diff --git a/docs/security/threat-assessment/block-storage-assessment.rst b/docs/security/threat-assessment/block-storage-assessment.rst
new file mode 100644
index 0000000..7f32308
--- /dev/null
+++ b/docs/security/threat-assessment/block-storage-assessment.rst
@@ -0,0 +1,56 @@
+Block Storage SP
+================
+
+
+Scope of evaluation
+-------------------
+
+This assessment makes the following assumptions:
+
+ - The Block Storage service is deployed to a dedicated S-EL0 SP, and its execution context is isolated from other
+ services, using |TRUSTZONE|.
+ - The SP owns the storage HW and has exclusive access to it. If not, the storage device must implement
+ authentication and shall deny any write request not originating from the Block Storage SP.
+ - The SP will use the Logging SP, or the FF-A logging API provided by the SPMC.
+
+Assessment Results
+------------------
+
+This section specializes the threats identified in the Generic Threat Model for the storage service where needed.
+Threats not listed here are mitigated as described in the :doc:`/security/threat-models/generic-threat-model`.
+
+ - :ref:`GEN05 <generic_threat_5>` "External devices connected to the system storing sensitive data."
+
+ This threat is in scope if the platform uses an external device as the non-volatile storage for the service. The
+ service must protect data in transit at DF9 and DF11.
+
+ - :ref:`GEN06 <generic_threat_6>` "State of external devices connected to the system might be modified by an attacker."
+
+ This threat is in scope when the platform relies on an external device for non-volatile storage used by the
+ service. To mitigate the risk, the service must implement platform-specific measures to protect the data.
+
+ - :ref:`GEN07 <generic_threat_7>` "Invalid or conflicting access to shared hardware."
+
+ This threat is out of scope due to the scope of evaluation.
+
+ - :ref:`GEN08 <generic_threat_8>` "Unauthenticated access to hardware."
+
+ This threat is out of scope as shared usage of hardware is excluded by the scope of evaluation.
+
+ - :ref:`GEN09 <generic_threat_9>` "Unauthenticated access to sensitive data."
+
+ The Block Storage SP isolates clients at FF-A level and each FF-A endpoint is isolated to its own namespace.
+
+ If the selected storage backed relies on another service like the Block Storage SP, the backend service must
+ implement access control and client isolation too.
+
+ - :ref:`GEN10 <generic_threat_10>` "Time-of-Check to Time-of-Use (TOCTTOU) attack through shared memory."
+
+ The Block Storage service will not read the input data multiple times and thus this threat is mitigated.
+
+
+--------------
+
+*Copyright (c) 2025, Arm Limited and Contributors. All rights reserved.*
+
+SPDX-License-Identifier: BSD-3-Clause
diff --git a/docs/security/threat-assessment/index.rst b/docs/security/threat-assessment/index.rst
index c3190fd..8624b1d 100644
--- a/docs/security/threat-assessment/index.rst
+++ b/docs/security/threat-assessment/index.rst
@@ -11,6 +11,7 @@
crypto-service-threat-assessment
smmgw-threat-assessment
attestation-service-threat-assessment
+ block-storage-assessment