| Imre Kis | f3fd946 | 2025-01-07 17:22:20 +0100 | [diff] [blame] | 1 | PSA Crypto SP |
| 2 | ============= |
| 3 | |
| 4 | |
| 5 | Scope of evaluation |
| 6 | ------------------- |
| 7 | |
| 8 | This assessment makes the following assumptions: |
| 9 | |
| 10 | - The PSA Crypto service is deployed to a dedicated S-EL0 SP, and its execution context is physically isolated. |
| 11 | - The SP has exclusive access to a TRNG device and to the crypto accelerator if present the system. |
| 12 | - The SP has exclusive access to the HUK (Hardware Unique Key) if present in the system. This is represented as a |
| 13 | PSA key with built-in key type. |
| 14 | - The SP relies on the PSA ITS SP for storing persistent data. |
| 15 | - The SP uses the Logging SP, or the FF-A logging API provided by the SPMC. |
| 16 | |
| 17 | Assessment Results |
| 18 | ------------------ |
| 19 | |
| 20 | This section specializes the threats identified in the Generic Threat Model for the crypto service where applicable. |
| 21 | Threats not listed here are mitigated as described in the :doc:`/security/threat-models/generic-threat-model`. |
| 22 | |
| 23 | - :ref:`GEN05 <generic_threat_5>` "External devices connected to the system storing sensitive data." |
| 24 | |
| 25 | Both hardware devices used by the Crypto SP are assumed to be internal, and thus this threat is considered out of |
| 26 | scope. |
| 27 | |
| 28 | - :ref:`GEN06 <generic_threat_6>` "State of external devices connected to the system might be modified by an |
| 29 | attacker." |
| 30 | |
| 31 | Both hardware devices used by the Crypto SP are assumed to be internal, and thus this threat is considered out of |
| 32 | scope. |
| 33 | |
| 34 | - :ref:`GEN07 <generic_threat_7>` "Invalid or conflicting access to shared hardware." |
| 35 | |
| 36 | This threat is considered out of scope due to the defined scope of evaluation. |
| 37 | |
| 38 | - :ref:`GEN08 <generic_threat_8>` "Unauthenticated access to hardware." |
| 39 | |
| 40 | This threat is considered out of scope as shared use of hardware is excluded by the scope of evaluation. |
| 41 | |
| 42 | - :ref:`GEN09 <generic_threat_9>` "Unauthenticated access to sensitive data." |
| 43 | |
| 44 | The PSA Crypto SP isolates its clients at the FF-A level and each FF-A endpoint is restricted to its own asset |
| 45 | namespace. |
| 46 | |
| 47 | The Crypto SP requires PSA ITS to enforce client isolation and prevent access to its assets from any other |
| 48 | FF-A endpoint. |
| 49 | |
| 50 | - :ref:`GEN10 <generic_threat_10>` "Time-of-Check to Time-of-Use (TOCTTOU) attack through shared memory." |
| 51 | |
| 52 | The PSA Crypto service provider must ensure data is copied to a secure memory buffer before calling the crypto |
| 53 | backend to execute sensitive operations. |
| 54 | |
| 55 | -------------- |
| 56 | |
| 57 | *Copyright (c) 2025, Arm Limited and Contributors. All rights reserved.* |
| 58 | |
| 59 | SPDX-License-Identifier: BSD-3-Clause |