Gabor Toth | 3fa2bb5 | 2024-12-11 14:24:36 +0100

SmmGW SP
========


Scope of evaluation
-------------------

This assessment makes the following assumptions:

- The SmmGW service is deployed to a dedicated S-EL0 SP, and its execution context is physically isolated.
- The SP uses the PSA PS SP for storing persistent data.
- The solution uses the Logging SP, or the FF-A logging API provided by the SPMC.
- The SmmGW uses a PSA Crypto implementation for executing cryptographic operations.

  - This implementation can be built-in and running within the isolation boundary of the SP.
  - The PSA Crypto implementation can be external and may run in another SP.

Assessment Results
------------------

This section specializes the threats identified in the Generic Threat Model for the SmmGW service where applicable.
Threats not listed here are mitigated as described in the :doc:`/security/threat-models/generic-threat-model`.

- :ref:`GEN05 <generic_threat_5>` "External devices connected to the system storing sensitive data."

  The SmmGW SP does not require any external devices for its operation, even when the built-in PSA Crypto is used.
  Therefore, this threat is considered out of scope.

- :ref:`GEN06 <generic_threat_6>` "State of external devices connected to the system might be modified by an
  attacker."

  The SmmGW SP does not require any external devices for its operation, even when the built-in PSA Crypto is used.
  Therefore, this threat is considered out of scope.

- :ref:`GEN07 <generic_threat_7>` "Invalid or conflicting access to shared hardware."

  The SmmGW SP does not require any external devices for its operation, even when the built-in PSA Crypto is used.
  Therefore, this threat is considered out of scope.

- :ref:`GEN08 <generic_threat_8>` "Unauthenticated access to hardware."

  The SmmGW SP does not require any external devices for its operation, even when the built-in PSA Crypto is used.
  Therefore, this threat is considered out of scope.

- :ref:`GEN09 <generic_threat_9>` "Unauthenticated access to sensitive data."

  The UEFI Variable Service is designed to present a uniform view to all clients, so SmmGW does not need to enforce
  client isolation itself.

  The SmmGW SP requires the PSA PS and PSA Crypto SPs to enforce client isolation and to prevent other FF-A endpoints
  from accessing its assets.

- :ref:`GEN10 <generic_threat_10>` "Time-of-Check to Time-of-Use (TOCTTOU) attack through shared memory."

  The SmmGW service provider must ensure that request data is copied to a secure memory buffer, and validated there,
  before calling the PSA Crypto implementation to execute sensitive operations.

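The copy-before-use rule for GEN10, shown as an added example that is not part of the SmmGW threat model or of the project's code. The request layout (``struct var_req``), the attribute bits, the ``MAX_VAR_DATA`` policy limit and the ``race_hook_t`` callback are constructed for this demonstration, and ``sensitive_op`` is a toy stand-in for the call into PSA Crypto. ``handle_request_unsafe`` validates the request where it lies in shared memory and then reads the same fields again, so a writer on the other side of the buffer can change them between the check and the use; ``handle_request_safe`` copies the fixed-size request into SP-private memory exactly once, validates the copy, and never touches shared memory again.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/*
 * Constructed request layout for this example. It is NOT the SmmGW wire
 * format; it carries only the fields needed to show the pattern.
 */
#define ATTR_NON_VOLATILE   0x1u
#define ATTR_AUTH_WRITE     0x20u   /* stand-in for an attribute the policy forbids here */
#define MAX_VAR_DATA        32u     /* policy limit, deliberately smaller than data[] */

struct var_req {
    uint32_t attributes;
    uint32_t data_len;
    uint8_t  data[60];
};

/* Record of what the handler actually acted on, so callers can inspect it. */
struct op_record {
    uint32_t attributes_used;
    uint32_t len_used;
    uint32_t digest;      /* output of the stand-in sensitive operation */
};

/* Models the other side of the shared buffer racing the handler; the
 * simulation invokes it between the check and the use. */
typedef void (*race_hook_t)(struct var_req *shared);

/* Stand-in for the call into PSA Crypto: a toy 32-bit mixing sum, not a real hash. */
static uint32_t sensitive_op(const uint8_t *p, size_t n)
{
    uint32_t acc = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++)
        acc = (acc ^ p[i]) * 16777619u;
    return acc;
}

/* Policy check applied to a request: no forbidden attribute, length within limit. */
static int validate(const struct var_req *r)
{
    if (r->attributes & ATTR_AUTH_WRITE)
        return -1;
    if (r->data_len > MAX_VAR_DATA)
        return -1;
    return 0;
}

/* Vulnerable pattern: checks the request in shared memory, then reads the
 * same fields again from shared memory when performing the operation. */
int handle_request_unsafe(struct var_req *shared, race_hook_t race, struct op_record *rec)
{
    if (validate(shared) != 0)
        return -1;                          /* check: on shared memory */
    if (race)
        race(shared);                       /* the window a concurrent writer lands in */
    rec->attributes_used = shared->attributes;   /* use: re-reads shared memory */
    rec->len_used = shared->data_len;
    rec->digest = sensitive_op(shared->data, shared->data_len);
    return 0;
}

/* Hardened pattern: copy the whole fixed-size request into SP-private memory
 * once, validate the private copy, and operate only on that copy. */
int handle_request_safe(struct var_req *shared, race_hook_t race, struct op_record *rec)
{
    struct var_req priv;
    memcpy(&priv, shared, sizeof(priv));    /* single copy-in, size fixed by the SP */
    if (validate(&priv) != 0)               /* check: on the private copy */
        return -1;
    if (race)
        race(shared);                       /* same window, now without effect */
    rec->attributes_used = priv.attributes;      /* use: private copy only */
    rec->len_used = priv.data_len;
    rec->digest = sensitive_op(priv.data, priv.data_len);
    return 0;
}

/* Constructed racing writer: sets the forbidden attribute and inflates the
 * length after the check has passed (kept inside data[] so the demo stays well defined). */
void race_escalate(struct var_req *shared)
{
    shared->attributes |= ATTR_AUTH_WRITE;
    shared->data_len = sizeof(shared->data);
}

/* Builds a benign, policy-conforming request in a caller-supplied "shared" buffer. */
void make_request(struct var_req *shared)
{
    memset(shared, 0, sizeof(*shared));
    shared->attributes = ATTR_NON_VOLATILE;
    shared->data_len = 8;
    memcpy(shared->data, "SmmGWvar", 8);
}
```

With ``race_escalate`` installed, the unsafe handler reports success while having processed a request carrying the forbidden attribute and a 60-byte length the policy never approved; the safe handler produces the same result as an un-raced call. In a real SP the shared region should additionally be treated as volatile, the copy bounded by the size of the private buffer rather than by any value read from shared memory, and results written back to the shared buffer only after the operation has completed.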
--------------

*Copyright (c) 2025, Arm Limited and Contributors. All rights reserved.*

SPDX-License-Identifier: BSD-3-Clause