diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst index 611e8a108..2e11a9479 100644 --- a/docs/threat_model/threat_model.rst +++ b/docs/threat_model/threat_model.rst @@ -36,6 +36,9 @@ assumptions: - There is no Secure-EL2. We don't consider threats that may come with Secure-EL2 software. +- Measured boot is disabled. We do not consider the threats nor the mitigations + that may come with it. + - No experimental features are enabled. We do not consider threats that may come from them. @@ -617,19 +620,18 @@ each diagram element of the data flow diagram. | Threat | | **Improperly handled SMC calls can leak register | | | contents** | | | | -| | | When switching between secure and non-secure | -| | states, register contents of Secure world or | -| | register contents of other normal world clients | -| | can be leaked. | +| | | When switching between worlds, TF-A register state | +| | can leak to software in different security | +| | contexts. | +------------------------+------------------------------------------------------+ -| Diagram Elements | DF5 | +| Diagram Elements | DF4, DF5 | +------------------------+------------------------------------------------------+ | Affected TF-A | BL31 | | Components | | +------------------------+------------------------------------------------------+ | Assets | Sensitive Data | +------------------------+------------------------------------------------------+ -| Threat Agent | NSCode | +| Threat Agent | NSCode, SecCode | +------------------------+------------------------------------------------------+ | Threat Type | Information Disclosure | +------------------------+-------------------+----------------+-----------------+