Trusted Firmware-M (TF-M) was launched in March 2018, as the open source reference implementation of Arm Platform Security Architecture (PSA). As TF-M is heading towards its first anniversary, the project has achieved a significant milestone - v1.0-Beta enabling silicon platforms and Real Time Operating Systems (RTOSes) using TF-M to achieve PSA Certified™ Level 1 Security and Functional API certification under the newly launched PSA Certified programme.
TF-M v1.0-Beta tag made on 18th February provides the following functionality:
- Secure Boot ensuring integrity of Secure and Non-Secure images.
- PSA Level 1 Isolation separating Secure Processing Environment (SPE) from Non-Secure Processing Environment (NSPE).
- Secure Storage protecting the integrity and confidentiality of the sensitive assets in the system.
- Cryptographic Service providing cryptographic function to applications.
- Attestation Service providing a token formatted according to the IETF Entity Attestation Token (EAT) consisting of a series of claims enabling a relying party to determine the exact implementation of the PSA Root of Trust (PSA RoT) and its security state.
As shown in the TF-M Diagram below, Secure Storage, Crypto and Attestation Services can be availed through a set of PSA Developer APIs. This makes it easier for applications to make use of secure services across different PSA/TF-M enabled platforms using these PSA Developer APIs.
Obtaining PSA Functional API Certification involves running the PSA Developer API Test Suite on MuscaB1 against TF-M v1.0-Beta tag and passing all the secure storage, crypto and Attestation tests. PSA Level1 Certification involved answering the PSA Level 1 Questionnaire and submitting to one of the PSA Joint Stakeholder Agreement certification labs.
Arm’s IoT Reference Platform – Musca-B1 has got PSA Functional API certification and PSA Level 1 Security certification by using TF-M v1.0-Beta as the PSA Root Of Trust (RoT). TF-M and Musca-B1 were awarded the PSA Certified Trophy.
Author: Shebu Varghese Kuriakose
