Threat Model for RSE - AP interface
***********************************

************
Introduction
************
This document is an extension for the general TF-A threat-model. It considers
those platforms where a Runtime Security Engine (RSE) is included in the SoC
next to the Application Processor (AP).

********************
Target of Evaluation
********************
The scope of this threat model only includes the interface between the RSE and
AP. Otherwise, the TF-A :ref:`Generic Threat Model` document is applicable for
the AP core. The threat model for the RSE firmware will be provided by the RSE
firmware project in the future.


Data Flow Diagram
=================
This diagram is different only from the general TF-A data flow diagram in that
it includes the RSE and highlights the interface between the AP and the RSE
cores. The interface description only focuses on the AP-RSE interface the rest
is the same as in the general TF-A threat-model document.

.. uml:: ../../resources/diagrams/plantuml/tfa_rse_dfd.puml
  :caption: Figure 1: TF-A Data Flow Diagram including RSE

.. table:: Table 1: TF-A - RSE data flow diagram

  +-----------------+--------------------------------------------------------+
  | Diagram Element | Description                                            |
  +=================+========================================================+
  |       DF7       | | Boot images interact with RSE over a communication   |
  |                 |   channel to record boot measurements and get image    |
  |                 |   verification keys. At runtime, BL31 obtains the      |
  |                 |   realm world attestation signing key from RSE.        |
  +-----------------+--------------------------------------------------------+

Threat Assessment
=================
For this section, please reference the Threat Assessment under the general TF-A
threat-model document, :ref:`Generic Threat Model`. All the threats listed there
are applicable for the AP core, here only the differences are highlighted.

    - ID 11: The access to the communication interface between AP and RSE is
      allowed only for firmware running at EL3. Accidentally exposing this
      interface to NSCode can allow malicious code to interact with RSE and
      gain access to sensitive data.
    - ID 13: Relevant in the context of the realm attestation key, which can be
      retrieved by BL31 through DF7. The RSE communication protocol layer
      mitigates against this by clearing its internal buffer when reply is
      received. The caller of the API must do the same if data is not needed
      anymore.

--------------

*Copyright (c) 2022-2024, Arm Limited. All rights reserved.*