TF-M Profile Medium-ARoT-less is a reference implementation to align with security requirements defined in PSA Certified ARoT-less Level 2 protection profile (PSA Certified ARoT-less)1.
TF-M Profile Medium-ARoT-less is defined based on TF-M Profile Medium2, which aligns with PSA Certified Level 2 Protection Profile3.
TF-M Profile Medium-ARoT-less defines the following feature set:
Firmware Framework
- Internal Trusted Storage (ITS)
Crypto
- Support both symmetric cryptography and asymmetric cryptography
Asymmetric key based cipher suite suggested in TLS/DTLS profiles for IoT6 and CoAP7, including
- Authenticated Encryption with Associated Data (AEAD) algorithm
- Asymmetric key algorithm based signature and verification
- Public-key cryptography based key exchange
- Hash function
- HMAC for default Pseudorandom Function (PRF)
- Asymmetric digital signature and verification for Initial Attestation Token (IAT)
Initial Attestation
- Asymmetric key algorithm based Initial Attestation
Lightweight boot
- Anti-rollback protection
- Multiple image boot
- Firmware Update (FWU) RoT Service
Most of design in Profile Medium-ARoT-less is identical to that in Profile Medium. Refer to Profile Medium document8 for details. Only the differences between Profile Medium-ARoT-less and Profile Medium are specified below.
PSA Certified ARoT-less9 is only applicable to devices that don’t support Application RoT (ARoT) services. The platform only consists of PSA RoT domain(s) in SPE making it unnecessary to implement the isolation between ARoT and PSA RoT. Therefore, this profile selects isolation level 1 to simplify implementation and optimize memory footprint and performance.
Since only isolation level 1 is required, this profile enables SFN model rather than IPC mode for further simplification.
Protected Storage (PS) is implemented as an Application RoT service in TF-M by default. Therefore, PS is disabled by default in this profile.
As PSA Certified ARoT-less requests, FWU RoT Service is enabled by default to support secure update of platform if the platform supports FWU.
The basic idea is to add dedicated profile CMake configuration files config/profile/profile_medium_arotless for this profile default configuration.
This top-level config file collects all the fundamental configuration flags and set them to default values, to explicitly configured the features required in this profile, during TF-M build.
A platform/use case overwrite the default settings to configure this profile.
The behavior of the build flow (particularly the order of configuration loading and overriding) can be found at tfm_cmake_configuration.
The default configurations in config/profile/profile_medium_arotless are shown below.
| Configs | Default value | Descriptions |
|---|---|---|
TFM_ISOLATION_LEVEL |
1 |
Select level 1 isolation |
CONFIG_TFM_SPM_BACKEND |
SFN |
Select SFN model |
TFM_PARTITION_INTERNAL_TRUSTED_STORAGE |
ON |
Enable ITS SP |
ITS_BUF_SIZE |
32 |
ITS internal transient buffer size |
TFM_PARTITION_CRYPTO |
ON |
Enable Crypto service |
CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED |
OFF |
Enable Crypto asymmetric encryption operations |
TFM_MBEDCRYPTO_CONFIG_PATH |
${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h |
Re-use Profile Medium configuration |
TFM_MBEDCRYPTO_PSA_CRYPTO_CONFIG_PATH |
${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_profile_medium.h |
Re-use Profile Medium configuration |
TFM_PARTITION_INITIAL_ATTESTATION |
ON |
Enable Initial Attestation service |
TFM_PARTITION_FIRMWARE_UPDATE |
ON |
Enable Firmware Update service |
TFM_PARTITION_PROTECTED_STORAGE |
OFF |
Disable PS service |
TFM_PARTITION_PLATFORM |
ON |
Enable TF-M Platform SP |
Note
Where a configuration is the same as the default in config/config_default.cmake, it might be omitted from the profile configuration file.
Note
Implementation note
If the platform doesn't support secure update functionalities, FWU service will be disabled automatically. A warning will be thrown out during build.
FWU regression tests and SFN regression tests are selected by default when regression tests are enabled. Other implementations are the same as those in Profile Medium.
To enable Profile Medium-ARoT-less on a platform, the platform specific CMake file should be added into the platform support list in top-level Profile Medium-ARoT-less CMake config file.
To build Profile Medium-ARoT-less, argument TFM_PROFILE in build command line should be set to profile_medium_arotless.
Take Musca-B1 as an example. The following commands build Profile Medium-ARoT-less without test cases on Musca-B1 with build type MinSizeRel, built by Armclang.
cd <TFM root dir>
mkdir build && cd build
cmake -DTFM_PLATFORM=musca-b1 \
-DTFM_TOOLCHAIN_FILE=../toolchain_ARMCLANG.cmake \
-DTFM_PROFILE=profile_medium_arotless \
-DCMAKE_BUILD_TYPE=MinSizeRel \
../
cmake --build ./ -- installThe following commands build Profile Medium-ARoT-less with regression test cases on Musca-B1 with build type MinSizeRel, built by Armclang.
cd <TFM root dir>
mkdir build && cd build
cmake -DTFM_PLATFORM=musca-b1 \
-DTFM_TOOLCHAIN_FILE=../toolchain_ARMCLANG.cmake \
-DTFM_PROFILE=profile_medium_arotless \
-DCMAKE_BUILD_TYPE=MinSizeRel \
-DTEST_S=ON -DTEST_NS=ON \
../
cmake --build ./ -- installNote
- For devices with more constrained memory and flash requirements, it is possible to build with either only TEST_S enabled or only TEST_NS enabled. This will decrease the size of the test images. Note that both test suites must still be run to ensure correct operation.
More details of building instructions and parameters can be found TF-M build instruction guide10.
Copyright (c) 2020-2023, Arm Limited. All rights reserved.
Trusted Firmware-M Profile Medium Design </configuration/profiles/tfm_profile_medium>↩Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things↩
Trusted Firmware-M Profile Medium Design </configuration/profiles/tfm_profile_medium>↩TF-M build instruction </building/tfm_build_instruction>↩