Any example of how to add functionality to the TF-M secure zone?

Thanks yes I have found the ITS_ENCRYPTED flag.

One issue, is seems that ITS is available in the non-secure app, this would mean the non-secure app could use the ITS interface to request the secret data.  For the security goals of this project we want to prevent the data from every leaving the secure partition. 

Is there anyway to prevent the non-secure region from retrieving data from ITS?

Hi Anthony

The non-secure will not be able to access data from a different client. i.e a secure partition.

Thats good to know. 

I did a superficial review of  

modules/tee/tf-m/trusted-firmware-m/secure_fw/internal_trusted_storage/tfm_its_req_mngr.c

I see the tfm_its_get_req does pair the incoming request with client id from tfm_core_get_caller_client_id.  and this is used to create a unique file id in tfm_its_get when it calls tfm_core_get_caller_client_id, so essentially each client does have its own unique and isolated version of the ITS.

This however leaves me wondering, how are the client id's assigned AND how do I insure my secure partition gets the same client id after a FOTA if for example some secure partitions are added or removed?

Hi Anthony,

Thank you for your patience.

Anthony Ambuehl said:

how are the client id's assigned AND how do I insure my secure partition gets the same client id

"Client Id of secure partitions are assigned in the manifest file of the secure partition.

So the standard ones will not change, and the custom ones they are in charge of themselves."

How do I set the client id in the manifest?  

Where do I find the definitions of the platform RoT services?

I don't see a client id field in the secure_peripheral_partition example, what happens if the yaml doesn't have a client id?