Hey Brian, 

Combining the crypto and ITS partitions together is a possible solution indeed, since both crypto and ITS are PRoT partitions. Separation of concerns is always a good idea, but this doesn't technically break the security requirements.

It was in fact discussed here in the mailing list in the ITS encryption thread:

https://lists.trustedfirmware.org/archives/list/tf-m@lists.trustedfirmware.org/thread/OBGISK556QX4A2NGIIVTLLCMN57S2UXH/

The decision was to go with the simpler solution which follows the security requirements and has minimal impact on the partitions. 

Regards,

GEORGIOS VASILAKIS | R&D Engineer

M +47 93 97 24 90 | Trondheim, Norway

nordicsemi.com | devzone.nordicsemi.com


From: Quach, Brian <brian@ti.com>
Sent: Thursday, February 29, 2024 9:57 PM
To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: RE: ITS encryption

Thanks for the explanation, Georgios! I suppose combining the crypto and ITS into a single partition would work around this but reduce the isolation.

Regards,
Brian

From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.no>
Sent: Wednesday, February 28, 2024 2:14 AM
To: tf-m@lists.trustedfirmware.org; Quach, Brian <brian@ti.com>
Subject: [EXTERNAL] Re: ITS encryption

Hello Brian,

The reason that ITS could not use the crypto partition to encrypt its data is that the crypto partition uses the ITS to store keys with persistent lifetime. As a result, using the PSA crypto partition from inside ITS would have introduced a circular dependency: crypto -> ITS -> crypto


That was not acceptable, so it was decided to use a HAL API in order to avoid this.

Regards, 

GEORGIOS VASILAKIS | R&D Engineer

M +47 93 97 24 90 | Trondheim, Norway

nordicsemi.com | devzone.nordicsemi.com
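
The cycle Georgios describes can be checked mechanically. The block below is an added example for this page, not part of the thread and not TF-M tooling: a small dependency-graph check run over two constructed graphs, one for the rejected design (ITS encrypting through the PSA Crypto partition) and one for the chosen design (ITS calling a platform HAL). The node names are illustrative and are not TF-M manifest identifiers.

```python
# Added illustration (not TF-M tooling): does a partition dependency graph contain a cycle?
# Each key is a partition or platform layer; the values are the services it calls.

def find_cycle(deps: dict) -> list:
    """Return one cycle as [a, b, ..., a], or [] if the graph is acyclic (DFS with colours)."""
    WHITE, GREY, BLACK = 0, 1, 2          # unvisited, on the current path, finished
    colour = {}
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for dep in deps.get(node, ()):
            state = colour.get(dep, WHITE)
            if state == GREY:                  # back edge: dep is already on the path
                return path[path.index(dep):] + [dep]
            if state == WHITE:
                cycle = visit(dep)
                if cycle:
                    return cycle
        path.pop()
        colour[node] = BLACK
        return []

    for node in deps:
        if colour.get(node, WHITE) == WHITE:
            cycle = visit(node)
            if cycle:
                return cycle
    return []


# Rejected design from the thread: ITS encrypts through the PSA Crypto partition,
# while Crypto stores its persistent keys in ITS (constructed graph).
REJECTED = {
    "crypto": ["its"],
    "its": ["crypto"],
    "attestation": ["crypto"],
}

# Chosen design: ITS calls a platform HAL (tfm_hal_its_aead_*), which is not a
# partition and depends on nothing above it (constructed graph).
CHOSEN = {
    "crypto": ["its"],
    "its": ["hal_its_encryption"],
    "attestation": ["crypto"],
    "hal_its_encryption": [],
}

if __name__ == "__main__":
    print("rejected:", find_cycle(REJECTED) or "acyclic")
    print("chosen:  ", find_cycle(CHOSEN) or "acyclic")
```

For the rejected graph the check returns the path crypto -> its -> crypto; for the chosen graph it returns nothing, because the HAL layer has no dependency back into any partition. The same check works on any manifest-derived dependency map, not only these two.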

 



From: Quach, Brian via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Tuesday, February 27, 2024 6:51 PM
To: tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] ITS encryption

Hi,

It appears that ITS encryption would be required for PSA Certified Level 3. I'm seeing that this would require a platform-specific HAL implementation. Is there some reason PSA Crypto APIs were not used like they were for attestation?

Encryption in ITS
=================

The ITS can optionally be configured to encrypt the internal trusted storage
data.
To support encryption in ITS the target platform must provide an
implementation of the APIs defined in ``platform/include/tfm_hal_its_encryption.h``::

    enum tfm_hal_status_t tfm_hal_its_aead_generate_nonce(uint8_t *nonce,
                                                          const size_t nonce_size);

    enum tfm_hal_status_t tfm_hal_its_aead_encrypt(
                                         struct tfm_hal_its_auth_crypt_ctx *ctx,
                                         const uint8_t *plaintext,
                                         const size_t plaintext_size,
                                         uint8_t *ciphertext,
                                         const size_t ciphertext_size,
                                         uint8_t *tag,
                                         const size_t tag_size);

    enum tfm_hal_status_t tfm_hal_its_aead_decrypt(
                                         struct tfm_hal_its_auth_crypt_ctx *ctx,
                                         const uint8_t *ciphertext,
                                         const size_t ciphertext_size,
                                         uint8_t *tag,
                                         const size_t tag_size,
                                         uint8_t *plaintext,
                                         const size_t plaintext_size);


Regards,

Brian Quach

SimpleLink MCU

Texas Instruments Inc.

12500 TI Blvd, MS F-4000

Dallas, TX 75243

214-479-4076
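
The HAL surface quoted above can be modelled to show what ITS expects from the platform: a fresh nonce for every write, encryption that returns ciphertext plus a tag, and decryption that releases plaintext only after the tag verifies. The block below is an added example written for this page in Python; it is not TF-M code and not a platform port. Its struct field names, the nonce and tag sizes, and the HMAC-SHA256 encrypt-then-MAC construction standing in for the platform's hardware AEAD are all assumptions, and it raises ValueError where the C API returns enum tfm_hal_status_t.

```python
# Added model of the ITS AEAD HAL contract (not TF-M code). Standard library only:
# the AEAD is an encrypt-then-MAC stand-in built from HMAC-SHA256.
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_SIZE = 12   # assumed sizes; TF-M's own values are not on the page
TAG_SIZE = 16


@dataclass
class ItsAuthCryptCtx:
    """Stand-in for struct tfm_hal_its_auth_crypt_ctx; field names are assumed."""
    key: bytes          # platform-held key, never handed to the ITS caller
    nonce: bytes        # per-object nonce produced by its_aead_generate_nonce
    aad: bytes = b""    # additional authenticated data, e.g. object metadata


def its_aead_generate_nonce(nonce_size: int = NONCE_SIZE) -> bytes:
    """A fresh random nonce; every encryption under the same key needs a new one."""
    if nonce_size < 8:
        raise ValueError("nonce too short for an AEAD")
    return os.urandom(nonce_size)


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from the platform key
    return (hashlib.sha256(b"its-enc" + key).digest(),
            hashlib.sha256(b"its-mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher in CTR mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    # The tag binds nonce, AAD and ciphertext; lengths are encoded so fields cannot shift
    mac = hmac.new(mac_key, digestmod=hashlib.sha256)
    for part in (nonce, aad, ciphertext):
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()[:TAG_SIZE]


def its_aead_encrypt(ctx: ItsAuthCryptCtx, plaintext: bytes):
    """Return (ciphertext, tag) for the object data under ctx."""
    enc_key, mac_key = _subkeys(ctx.key)
    ks = _keystream(enc_key, ctx.nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ciphertext, _tag(mac_key, ctx.nonce, ctx.aad, ciphertext)


def its_aead_decrypt(ctx: ItsAuthCryptCtx, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag first; plaintext is only produced for authentic data."""
    enc_key, mac_key = _subkeys(ctx.key)
    expected = _tag(mac_key, ctx.nonce, ctx.aad, ciphertext)
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("ITS object failed authentication")
    ks = _keystream(enc_key, ctx.nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Exercise the contract on constructed data: round trip, tampered ciphertext, wrong AAD."""
    key = hashlib.sha256(b"constructed demo key, not a real platform key").digest()
    ctx = ItsAuthCryptCtx(key=key, nonce=its_aead_generate_nonce(), aad=b"its-uid=0x1001")
    data = b"persistent key material stored by the crypto partition"
    ciphertext, tag = its_aead_encrypt(ctx, data)
    results = {"roundtrip": its_aead_decrypt(ctx, ciphertext, tag) == data}

    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]   # flip one bit
    try:
        its_aead_decrypt(ctx, tampered, tag)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True

    # Same key and nonce, but the object metadata bound into the tag differs
    other = ItsAuthCryptCtx(key=key, nonce=ctx.nonce, aad=b"its-uid=0x1002")
    try:
        its_aead_decrypt(other, ciphertext, tag)
        results["aad_rejected"] = False
    except ValueError:
        results["aad_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the file prints the three checks from demo(): the round trip succeeds, a single flipped ciphertext bit is rejected, and the same ciphertext is rejected when presented with different AAD. The key lives entirely inside the platform layer, which is the property the thread relies on: because these hooks are provided by the platform rather than by the PSA Crypto partition, ITS gains encryption without the crypto -> ITS -> crypto dependency.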