threat_model_spm.rst - OpenGrok cross reference for /arm-trusted-firmware-2.8.0/docs/threat_model/threat_model

Lines Matching refs:secure
18 - Distinct sandboxes in the secure world called secure partitions. This permits
22 - Mutual isolation of the normal world and the secure world (e.g. a Trusted OS
36   running in the secure world of TrustZone (at S-EL2 exception level).
46 - Assumes secure boot or in particular TF-A trusted boot (TBBR or dual CoT) is
54 relayer/pass-through between the normal world and the secure world. It is
110   implicitely trusted by the usage of secure boot.
135 - NS-Endpoint identifies a non-secure endpoint: normal world client at NS-EL2
137 - S-Endpoint identifies a secure endpoint typically a secure partition.
454 |                        | The secure partition or SPMC replies to a partition|
970 |                        | communicate a pending secure interrupt triggered   |
977 | ``Threat``             | **A malicious secure endpoint might deactivate a   |
978 |                        | (virtual) secure interrupt that was not originally |
985 |                        | Similarly, a malicious secure endpoint might invoke|
986 |                        | the deactivation ABI more than once for a secure   |
987 |                        | interrupt. Moreover, a malicious secure endpoint   |
988 |                        | might attempt to deactivate a (virtual) secure     |
990 |                        | execution context by the SPMC even before secure   |
1015 |                        | secure physical interrupts. The TF-A SPMC provides |
1019 |                        |   signaled to an execution context of a secure     |
1020 |                        |   secure partition.                                |
1032 | ``Threat``             | **A malicious secure endpoint might not deactivate |
1034 |                        | perform secure interrupt signal completion. This   |
1038 |                        | Similarly, a malicious secure endpoint could       |
1041 |                        | the SPMC can only process one secure interrupt at a|
1074 | ``Threat``             | **A malicious endpoint could leverage non-secure   |
1075 |                        | interrupts to preempt a secure endpoint, thereby   |
1076 |                        | attempting to render it unable to handle a secure  |
1078 |                        | to priority inversion as secure virtual interrupts |
1079 |                        | are kept pending while non-secure interrupts are   |
1106 |                        | action towards non-secure interrupt with the help  |
1114 | ``Threat``             | **A secure endpoint depends on primary scheduler   |
1116 |                        | the secure endpoint from being scheduled. Secure   |
1143 |                        | provisions CPU cycles to run a secure endpoint     |
1145 |                        | cannot be preempted by a non-secure interrupt.     |
1148 |                        | interrupts are masked until pending secure virtual |
1159 .. _Secure Partition Manager: ../components/secure-partition-manager.html