• State Not Answered
  • Replies 11 replies
  • Subscribers 74 subscribers
  • Views 1484 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 309945
Options

Any example of how to add functionality to the TF-M secure zone?

Anthony Ambuehl

I am working on a security focused project.  This project has some specific cryptographic operations which are to be performed using secrets stored within the secure zone. 

These secrets will be either stored directly in UICR using the KMU, or stored in the TF-M PSA Internal Trusted Storage.  These secrets should never be allowed to exit the secure zone therefore the crypto operations should be completed performed within the secure zone and the results passed back into the NS application.

Is there any existing sample/example/test that demonstrates how to add an custom external API functionality to the TF-M?

Is it possible to add source files into the secure application via the Cmakefile?  

  • 0 in reply to Anthony Ambuehl
    Hi Anthony,
    Apologies for the delayed response as many of our experts are on summer vacations and we have huge inflow of tickets. Nonetheless, thank you for your patience, and please find below the response I received regarding your queries:
    "For the secure services, the client id is basically the partition ID. That is when a partition calls another partition inside the TF-M. When an application calls a secure service in TF-M, the client ID is the same for all non-secure applications by default. There is a configuration option to allow the non-secure applications to have different client ids (TFM_NS_MANAGE_NSID Cmake Option in TF-M ) but we don't support it yet.
    You can find some information about the subject in here:
    The client id enforcing is happening in the Secure Partition Manager of TF-M and it is following the PSA Firmware Framework (FF-M) which is also referenced in the documentation. Now the Partition ID (PID) can either be set explicitly in the yaml mainfest file:
    In our sample one can edit this file and add a "pid" field with the number that they want. In the documentation, you can see the range of valid PIDs.
    If someone doesn't explicitly set the PID TF-M will just give the next available PID. To check what PID a partition got you can search in the build folder for the file:
    ./build/tfm/generated/interface/include/psa_manifest/pid.h
    Having said all of that I want to make sure that let me clarify something.
    If the only thing that the customer wants is to store key material in the secure side the best way of doing that is to just use the PSA crypto APIs and store the key as persistent.
    We have a sample for this here:
    In this example we generate an AES key which can be used for encryption and description. The persistent keys are stored internally in the ITS partition by the Crypto partition (so the client_id of the ITS calls will be the crypto partition PID). That means in our example the key material itself can never be read by the non-secure application. The non-secure application can request to encrypt/decrypt data with the key but it cannot access the key material.
    Even though the non-secure application has access to the ITS if it tries to read the key material directly it will not have the correct client id so the ITS will not allow it to happen."
    Moreover, for the definition of the secure services, the header files are located here:
    Regards,
    Naeem
Related
Terms of service