Identify the source of a given handle to know if it is malicious
Open, Normal, Public

Description

Identify the source of a given handle to know if it is an NSPE handle or an SP handle. This prevents a malicious NSPE thread from peeking at information from the secure side.

KenLSoft created this task. Jan 24 2019, 7:17 AM
KenLSoft triaged this task as Normal priority.
alzix added a subscriber: alzix. Edited Jan 27 2019, 8:40 PM

Isolation level 3 assumes mutual distrust between secure partitions.
We need to save the connection "owner" client ID and not only the secure domain origin.

Consider the following use case:

  • There is a long-lived connection between two secure services. It is created during the initialization sequence.
  • The connection policy is validated upon connection creation: ns_caller && !service->service_db->non_secure_client
  • An offending NSPE client guesses a connection handle for the secure->secure service connection mentioned above. This is probably not too hard given that handles are just indexes in an array without a random factor.
  • The offending NSPE client performs psa_call.

TF-M must assert that the connection is "owned" by the caller.
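The check alzix asks for, as an added illustrative model that is not TF-M's own code: a hypothetical connection table where handles are plain array indexes, the NS policy is only evaluated at connect time, and the hardened call path additionally verifies that the caller is the recorded owner of the handle. Client IDs, function names and the table layout are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define MAX_CONN        4
#define NS_CLIENT_ID    (-1)     /* constructed: negative IDs mark NSPE callers */
#define SP_A_CLIENT_ID  0x1001   /* constructed: a secure partition */

typedef struct {
    bool    in_use;
    int32_t owner;   /* client ID that created the connection */
} conn_t;

static conn_t conn_table[MAX_CONN];

void conn_table_reset(void) { memset(conn_table, 0, sizeof(conn_table)); }

/* Handles are just indexes into conn_table, with no random factor.
 * The NS policy (ns_caller && !service_allows_ns) is checked only here. */
int32_t model_connect(int32_t caller, bool service_allows_ns) {
    bool ns_caller = caller < 0;
    if (ns_caller && !service_allows_ns) return -1;  /* policy rejects NS caller */
    for (int32_t i = 0; i < MAX_CONN; i++) {
        if (!conn_table[i].in_use) {
            conn_table[i].in_use = true;
            conn_table[i].owner = caller;            /* remember the owner */
            return i;
        }
    }
    return -1;  /* table full */
}

/* Weak call path: any in-use handle is accepted regardless of who calls.
 * An NSPE client that guesses a secure->secure handle gets through. */
bool model_call_unchecked(int32_t caller, int32_t handle) {
    (void)caller;
    return handle >= 0 && handle < MAX_CONN && conn_table[handle].in_use;
}

/* Hardened call path: the connection must be owned by the caller. */
bool model_call_checked(int32_t caller, int32_t handle) {
    if (handle < 0 || handle >= MAX_CONN || !conn_table[handle].in_use) return false;
    return conn_table[handle].owner == caller;
}
```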