HI Andy,

Thank you for explaining,

psa-arch-test(psa certified api compliance) testsuite currently used with TFM +MbedTLS environment as a release gate, and there is trusted service team whom were running the psa-arch-test package on arm-A class devices.

Coming back to the question related to psa-arch-test, the current available package should suffice to check the compliance of crypto necessary tasks/functinoality, fyi we have already validated the latest psa-arch-test repo with the mbedtls 3.6.

So I would not be more concern about the psa-arch-test being compliant to latest 1.2.1 spec. because between 1.1.0 and 1.2.1 there were minimal changes which is not showstopper for the psa certified api certification.

Regards,

From: Andy Chen <andychen@pufsecurity.com>
Date: Thursday, 25 July 2024 at 5:30 AM
To: Jothikumar Mani <Jothikumar.Mani@arm.com>, Manish Badarkhe <Manish.Badarkhe@arm.com>, tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>
Cc: Diya Soubra <Diya.Soubra@arm.com>, Victoria Lee <victorialee@pufsecurity.com>, Andrew <andrewirvin@pufsecurity.com>
Subject: 回覆: Integrate TF-A and PSA Crypto API with PUFcc

Hi Jothikumar and Manish,

It's great to discuss with you and thanks.

Sure, it's more clarity with usage scenarios:

As a Security IP provider, our PUFcc functions as a Hardware Root of Trust.
However, mbedTLS currently doesn't fully support HRoT. Therefore, we are integrating directly into the PSA Crypto API, which permits customization.

While working on PSA L3 or L2R, we frequently face version conflicts. That why, in this project, we aim to confirm these version issues (including the dev. and test bench).

This also means that both TF-A and TF-M support PSA Crypto API, so we can also support both through this package.

There is our PSA Software Package with PUFcc. We try to find the best way to support cryptographic tasks.

Additionally, we plan to use the same development platform as ARM to ensure optimal compatibility for our customers.
It means we would try to know the FPV, although I'm not sure if we can add external IPs.

If I misunderstood or you have any ideas, please feel free to tell me.

Have a Nice Day,
Andy

寄件者: Jothikumar Mani <Jothikumar.Mani@arm.com>
寄件日期: 2024年7月24日下午 11:48
收件者: Andy Chen <andychen@pufsecurity.com>; Manish Badarkhe <Manish.Badarkhe@arm.com>; tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>
副本: Diya Soubra <Diya.Soubra@arm.com>; Victoria Lee <victorialee@pufsecurity.com>; Andrew <andrewirvin@pufsecurity.com>
主旨: RE: Integrate TF-A and PSA Crypto API with PUFcc

Hi Andy,

Please find my reply in the previous mail.

Regards,

From: Andy Chen <andychen@pufsecurity.com>
Sent: Wednesday, July 24, 2024 8:11 PM
To: Manish Badarkhe <Manish.Badarkhe@arm.com>; Jothikumar Mani <Jothikumar.Mani@arm.com>; tf-a@lists.trustedfirmware.org
Cc: Diya Soubra <Diya.Soubra@arm.com>; Victoria Lee <victorialee@pufsecurity.com>; Andrew <andrewirvin@pufsecurity.com>
Subject: 回覆: Integrate TF-A and PSA Crypto API with PUFcc

Hi Manish,

Thanks for your information.

We need to integrate our hardware Crypto IP (PUFcc). And it seems that FVP cannot add custom IP, so we are planning to purchase an FPGA with the A53 - AXU9EGB for our needs. And we need to make sure it is compatible with TF-A lts-v2.10.5.

Thanks.

Hi Jothikumar,

We would try to integrate with PSA Crypto API, and we need a test bench for v1.2.1.

Please feel free to let me know if you have any suggestions.

[JK] : may I know what the intent is to requesting the crypto v1.2.1 spec compliance suites?, if you are looking for the PSA Certified APIs compliance for your product then the currently available testsuite is more than sufficient. Also, the mbedTLS version mentioned also only supports psa-crypto spec v1.1.0. I am trying to under the end goal of the psa certified api compliance suite usage with your product. Answer to this question will help me to give better suggestion.

For TF-A, we plan to integrate with:

TF-A lts-v2.10.5

PSA Crypto API - v1.1.0 >>> v1.2.1

PSA Certified APIs Architecture Test Suite - v1.6

Thank you very much.

Have a Nice Day,
Andy

寄件者: Manish Badarkhe <Manish.Badarkhe@arm.com>
寄件日期: 2024年7月24日下午 06:12
收件者: tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>; Andy Chen <andychen@pufsecurity.com>; Jothikumar Mani <Jothikumar.Mani@arm.com>
副本: Diya Soubra <Diya.Soubra@arm.com>; Victoria Lee <victorialee@pufsecurity.com>; Andrew <andrewirvin@pufsecurity.com>
主旨: Re: Integrate TF-A and PSA Crypto API with PUFcc

Hi Andy

Please see my replies inline. Adding Jothikumar Mani for PSA Certified APIs Architecture Test Suite.

Thanks,
Manish Badarkhe

From: Andy Chen via TF-A <tf-a@lists.trustedfirmware.org>
Sent: 23 July 2024 09:55
To: tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>
Cc: Diya Soubra <Diya.Soubra@arm.com>; Victoria Lee <victorialee@pufsecurity.com>; Andrew <andrewirvin@pufsecurity.com>
Subject: [TF-A] Integrate TF-A and PSA Crypto API with PUFcc

Hi TF-A teams,

This is Andy from PUFsecurity, and we have a project with ARM.

We try to integrate the PSA Crypto API with PUFcc (Our Crypto Engine) on TF-A.

However, there are multiple versions included, and we need your assistance for specification clarification.

Please ensure the versions match your recommendations.

For TF-A, we plan to integrate with:

TF-A lts-v2.10.5

PSA Crypto API - v1.1.0

PSA Certified APIs Architecture Test Suite - v1.6

[MB]: This looks fine. As TF-A lts-v2.10.5 using mbedTLS v3.6.0 which is compliance with PSA Crypto API - v1.1.0 but mbedTLS team can provide more detailed answer on this and also on test suite PSA Certified APIs Architecture Test Suite - v1.6.

TF-A

It would be beneficial to use the same hardware (FPGA) and tools as the ARM development team.

If we can confirm which models are used for TF-A , scripts or details with the ARM hardware That would be grateful.

[MB]: We are using FVP AEM model i.e. FVP_Base_RevC-2xAEMvA (Model version: 11.26, Build: 11). Test Run with PSA Crypto

you can find here: https://ci.trustedfirmware.org/job/tf-a-builder/4029201/ (today's daily run)

PSA Crypto API -

The test bench is using the PSA Crypto API v1.1.0, and it is published in 2022.

And Now is v1.2.1 in March 2024. I not sure it is a good choose or not.

[MB]: It looks like arch-test is not upgraded to use v1.2.1 PSA Crypto API. Added Jothikumar Mani, he may have idea about this.

Test Bench -

For the "PSA Certified APIs Architecture Test Suite - v1.6," we would like to identify which test codes (test_c001 to test_c067) are relevant for TF-A.

[MB]: Again, TF-A is not using this test suite, so we don't have any insights unless we review all these tests. TF-A mainly uses the following PSA_* APIs for signature verification, hash calculation, and hash comparison.

psa_crypto_init

mbedtls_md_psa_alg_from_type

psa_set_key_algorithm

psa_set_key_type

psa_set_key_usage_flags

psa_import_key

psa_destroy_key

psa_verify_message

psa_hash_compute

psa_hash_compare

Thank you very much!!!

Have a Nice Day,
Andy

熵碼科技股份有限公司

Tel: 886-3-5601010 #2119
Email: andychen@pufsecurity.com
Website: https://www.pufsecurity.com/

-------- Disclaimer: This e-mail is from PUFsecurity Corporation. This e-mail may contain privileged and confidential information. It is intended for the named recipient(s) only. Disclosure, copying, distribution, or use of the contents of this e-mail by persons other than the intended recipient may violate applicable laws. If you are not an intended recipient, please notify us immediately (by reply e-mail) and delete this e-mail from your system. Our postal address is 8F-1, No. 5, Tai-Yuan 1st St., Jhubei City, Hsinchu County 302082, Taiwan.--------