From 3d6cc210660e239fdb426094e5631f5ebd03cbe8 Mon Sep 17 00:00:00 2001
From: Sandrine Bailleux
Date: Thu, 12 May 2022 16:37:18 +0200
Subject: [PATCH] docs(threat-model): revamp threat #9

Reword the description of threat #9 to make it more future-proof for
Arm CCA. By avoiding specific references to secure or non-secure
contexts, in favour of "worlds" and "security contexts", we make the
description equally applicable to 2-world and 4-world architectures.

Note that there are other threats that would benefit from such a
similar revamp but this is out of scope of this patch.

Also list malicious secure world code as a potential threat agent.
This seems to be an oversight in the first version of the threat model
(i.e. this change is not related to Arm CCA).

Change-Id: Id8c8424b0a801104c4f3dc70e344ee702d2b259a
Signed-off-by: Sandrine Bailleux
---
 docs/threat_model/threat_model.rst | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 611e8a108..86b21345f 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@@ -617,19 +617,18 @@ each diagram element of the data flow diagram. | Threat | | **Improperly handled SMC calls can leak register | | | contents** | | | | -| | | When switching between secure and non-secure | -| | states, register contents of Secure world or | -| | register contents of other normal world clients | -| | can be leaked. | +| | | When switching between worlds, TF-A register state | +| | can leak to software in different security | +| | contexts. | +------------------------+------------------------------------------------------+ -| Diagram Elements | DF5 | +| Diagram Elements | DF4, DF5 | +------------------------+------------------------------------------------------+ | Affected TF-A | BL31 | | Components | | +------------------------+------------------------------------------------------+ | Assets | Sensitive Data | +------------------------+------------------------------------------------------+ -| Threat Agent | NSCode | +| Threat Agent | NSCode, SecCode | +------------------------+------------------------------------------------------+ | Threat Type | Information Disclosure | +------------------------+-------------------+----------------+-----------------+
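Review bot: In the Threat description rows, the new wording "TF-A register state can leak to software in different security contexts" can be read as covering only BL31's own registers, whereas the removed text explicitly named register contents of Secure world and of other normal world clients. If register contents belonging to another world or client that pass through BL31 during a world switch are still in scope, the description should say so, for example by referring to register state handled by TF-A on behalf of any world. Separately, the Diagram Elements row gains DF4 alongside DF5, but the commit message only explains the rewording and the added SecCode threat agent; a sentence on why DF4 is now affected would make the change reviewable against the data flow diagram.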