docs(threat-model): scope out availability-only boot failures

Clarify that boot firmware threats affecting availability only are out of scope for the generic TF-A threat model, and that individual platforms are responsible for mitigating such threats where needed. Change-Id: If15261a4b188203cba606ce8a15441692a0d0ca6 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2026-05-07 14:17:53 +01:00 · 2026-05-07 14:17:53 +01:00 · 72db1afe91
commit 72db1afe91
parent d629b4af36
1 changed files with 8 additions and 1 deletions
--- a/docs/threat_model/firmware_threat_model/threat_model.rst
+++ b/docs/threat_model/firmware_threat_model/threat_model.rst
@ -695,6 +695,13 @@ Note, however, that this is not necessarily true on all platforms. Platform
 vendors should review these threats to make sure they cannot be exploited
 nonetheless once execution has reached the runtime EL3 firmware.

+Boot firmware threats that only affect availability, for example persistent
+failure to boot due to corruption of the firmware images on flash, are out
+of scope of this generic threat model. Such threats may be in scope for
+individual platforms, but those platforms are responsible for mitigating
+such threats, for example by protecting against physical access to flash
+or implementing firmware recovery mechanisms.
+
 +------------------------+----------------------------------------------------+
 | ID                     | 01                                                 |
 +========================+====================================================+
@ -1214,7 +1221,7 @@ Threats to be Mitigated by an External Agent Outside of TF-A

 --------------

-*Copyright (c) 2021-2025, Arm Limited. All rights reserved.*
+*Copyright (c) 2021-2026, Arm Limited. All rights reserved.*


 .. _STRIDE threat analysis technique: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model