Hi Max,

Please check this picture [1]. It shows the exception levels on an aarch64 platforms, and typical components executing at each exception level.

TF-A is a Secure Monitor implementation. It is the most privileged component, and its main goal is to route calls between the NWd and SWd. Each call to SWd must go through this component. E.g. if an “aarch64 App” wishes to use a service provided by a Trusted Service, a call has to be made into EL1 (e.g. Linux Kernel), then if a Hypervisor is present to EL2, then to the Monitor at EL3 (TF-A), then to optional S-EL2 (e.g. Hafnium), S-EL1 (e.g. OP_TEE) and finally to S-EL0. TF-A does not implement the PSA APIs.

OP-TEE is a Trusted OS, and a reference implementation of the Global Platforms standards [2]. PSA is not part of GP, and AFAIK there is no TA implementing PSA APIs.

The PSA reference implementation for Cortex-A is developed in the Trusted Services project. The project implements all services required for PSA certification (Crypto, ITS, PS, Attestation) plus a few non-psa ones like Firmware Update Service or UEFI Variable service. We developed a Linux kernel driver called tstee (up-stream since v6.10) , and two shared libraries which can be used by linux user-space applications to access the services. Libts implements service discovery and the TS RPC components, and “libtspsa” carries easy to use PSA client implementations (basically the C PSA API).

Trusted Services follows the Firmware Framework for A-Profile standard (FF-A) which defines a protocol to be used between exception levels and a runtime model. PSA services are deployed to S-EL0 Secure Partitions and need a Secure Partition Manager implementation executing at a higher exception levels. The reference SPMD implementation is part of the TF-A project, the S-EL2 reference SPMC is Hafnium [5], and the S-EL1 reference implementation is OP-TEE SPMC [6]. (Only one SPMC implementation can be present on a system.)

A major difference between the Cortex-M and the Cortex-A ecosystem is the level of diversity. While a Cortex-M stack is typically implemented using components from one or maximum a few stakeholders, a Cortex-A stack is built from components owned by a vast set of owners. As a result, integration of a Cortex-A software stack is much more complex. There are multiple integration systems targeting the problem like Buildroot and Yocto. Trusted Services supports two integration systems currently. The OP-TEE integration system, which is a gnumake and Buildroot based solution (see [7]) and Yocto where the meta-arm layer [8] hosts TS recipes. Please find some TS specific meta-arm documentation here: [9]

For more help and information, about PSA on Cortex-A and TS feel free to drop an email to the TS mailing list [10], and/or to me.

/George

1: https://documentation-service.arm.com/static/63a065c41d698c4dc521cb1b 2: https://globalplatform.org/about-globalplatform/ 3: https://trusted-services.readthedocs.io/en/stable/overview/index.html 4: https://developer.arm.com/architectures/Firmware%20Framework%20for%20A-Profi... 5: https://hafnium.readthedocs.io/en/latest/secure-partition-manager/index.html 6: https://optee.readthedocs.io/en/latest/architecture/spmc.html 7: https://github.com/OP-TEE/build 8: https://git.yoctoproject.org/meta-arm 9: https://git.yoctoproject.org/meta-arm/about/documentation/trusted-services.m... 10: https://lists.trustedfirmware.org/mailman3/lists/trusted-services.lists.trus...

On 2024-12-01, 21:14, "Max Adam via TF-A" tf-a@lists.trustedfirmware.org wrote:

Hello All,

I am coming from the TF-m domain, and now I am struggling with TF-a as I am not a Linux expert.

I am just looking for the interactions with TF-a, such as getting psa attestation token etc.

How can I find example these interactions from NS World (Linux) or lower privilege Secure World Executions such as OP-TEE or OP-TEE TAs?

I suppose there shall be drivers and APIs provided by TF-a?

Thanks

Max