• State Not Answered
  • Replies 11 replies
  • Subscribers 74 subscribers
  • Views 1476 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 309945
Options

Any example of how to add functionality to the TF-M secure zone?

Anthony Ambuehl

I am working on a security focused project.  This project has some specific cryptographic operations which are to be performed using secrets stored within the secure zone. 

These secrets will be either stored directly in UICR using the KMU, or stored in the TF-M PSA Internal Trusted Storage.  These secrets should never be allowed to exit the secure zone therefore the crypto operations should be completed performed within the secure zone and the results passed back into the NS application.

Is there any existing sample/example/test that demonstrates how to add an custom external API functionality to the TF-M?

Is it possible to add source files into the secure application via the Cmakefile?  

Parents
  • 0

    Hi Anthony,

    Thank you for contacting DevZone at NordicSemi.

    I am not an expert on the topic, but I would to point to Nordic blog about TF-M

    Intro to Trusted Firmware-M

    Please have a look at it and its related documentation / samples discussed, and see if it answers your question.

    If not, then let me know and I will ask you query internally.


    Regards,
    Naeem

  • 0 in reply to Naeem Maroof

    Thanks for the link Naeem. 

    I'm looking for a test or sample that demonstrates passing data from the NS application to a secure service in the Application RoT and for the secure service to reply with some other data. 

    The closes example I've found is the secure peripheral partition which uses psa_call without any parameters.

    I expect that the psa_call can pass pointers to memory where the input and output buffers are located, but it would be really helpful if there were a working demonstration of how it is intended to work..

    Also is there any way to get VSCode to show the TF-M secure partition generated code or at least have it show the input files to TF-M process?

    Also where can I find documentation for the the tfm_manifest_list.yaml.in and the manifest_list and referenced manifests within it? 

    Also I'm wondering how I can set up my secure partition to be able to utilize functions from 

    #include <hw_unique_key.h>
    #include <nrf_cc3xx_platform_identity_key.h>

    These libraries are found in nrfxlib/crypto  but I don't know how to include them into the build of the secure partition.

    Is it possible to use data stored in the identity keys in a tf-m secure partition or am I limited to only using PSA supported features like the internal trusted storage?

  • 0 in reply to Anthony Ambuehl

    Hi Anthony,

    I am not sure how closely these samples are to what you want to achieve, but we have several samples that I believe you can test and modify according to your needs:
    TF-M Secure Partition Sample (Zephyr Sample)

    TF-M Platform Security Architecture Test Sample (Zephyr Sample)

    TF-M IPC (Zephyr Sample)

    TF-M PSA template (Nordic Sample)

    TF-M Secure Peripheral Partition (Nordic Sample)

    Some of these sample demonstrate the use of communication between Secure and NS domains. 

    As you have mentioned, looking at secure_peripheral_partition, it is calling psa_call(), which under-the-hood, calls the tfm functionality. Nonetheless, if you look at its prototype, you can pass input and receive output using pointers in_vec and out_vec respectively.

    psa_status_t psa_call(psa_handle_t handle, int32_t type,
                    const psa_invec *in_vec,
                    size_t in_len,
                    psa_outvec *out_vec,
                    size_t out_len)

    Anthony Ambuehl said:
    Also is there any way to get VSCode to show the TF-M secure partition generated code or at least have it show the input files to TF-M process?

    I am not sure what you mean by this, but you can explore the files in the build folder ./build/secure_peripheral_partition/auto_generated.

    Anthony Ambuehl said:
    Also where can I find documentation for the the tfm_manifest_list.yaml.in and the manifest_list and referenced manifests within it? 

    Please have a look TFM Manifest User Guide.

    Crypto Service Integration guide describes the use of cryptography primitives within TFM.

    I do not have any example, other than what has been mentioned, for using those libraries. 

    BR,

    Naeem

  • 0 in reply to Naeem Maroof

    Thanks these docs are definitey helping. 

    For this specific project, the intention was for the secret data to be stored in the UICR and stored and retrieved using the KMU.  I built some libraries based on the nrf_cc3xx_platform_identity_key library, they have been tested in non-TF-M secure environment.  

    Now I am trying to build this functionality into a TF-M secure partition, but the nrf_cc3xx_platform_identity key libraries are not available in the TF-M build environment.  The KConfig specifically disables NRF_CC3XX_PLATFORM  when BUILD_WITH_TFM=y.   

    Is there any way to still utilize the HUK and keys stored in the UICR/KMU like in the identity key library?

    I see the PSA ITS as an alternative, however it is inferior since the according to the design documents the ITS data is not stored encrypted:

    This is the description of ITS from the design document:

    Compared to Protected Storage, encryption, authentication and rollback protection are not required, so the SST encrypted object layer and the crypto and NV counter interfaces are not required

  • 0 in reply to Anthony Ambuehl

    Hello,

    I have asked internally, and they have mentioned that there is an option to turn n the encryption for ITS.

    Though that is not enabled by default, as it is sill experimental.

    Please check about these configs:

    CONFIG_PSA_ITS_ENCRYPTED

    CONFIG_TFM_ITS_ENCRYPTED

     

    Regards,

Reply Children
Related
Terms of service