Hi Hao,
Any version of TF-M is eligible for PSA certification. The LTS branches help reduce the overhead of platform re-certification if a security vulnerability is found and fixed in a platform-independent code as described here: https://trustedfirmware-m.readthedocs.io/en/latest/releases/release_process....
Best regards, Anton
From: Zhang, Hao via TF-M tf-m@lists.trustedfirmware.org Sent: Thursday, October 3, 2024 4:05 PM To: Fontanilles, Tomi tomi.fontanilles@nordicsemi.no; tf-m@lists.trustedfirmware.org Subject: [TF-M] Re: PSA Certification for TF-M
Hi Tomi,
Yes, that I know. Thank you for your information. I am mainly concerned about whether using TF-M main from Zephyr side would affect certification process. Thank you again!
Best regards,
Hao
________________________________ From: Fontanilles, Tomi <tomi.fontanilles@nordicsemi.nomailto:tomi.fontanilles@nordicsemi.no> Sent: Thursday, October 3, 2024 10:40 AM To: Zhang, Hao <Hao.Zhang@analog.commailto:Hao.Zhang@analog.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Subject: Re: [TF-M] PSA Certification for TF-M
[External]
Hey Hao,
Just to comment on the Zephyr side. Both v3.7 and main are very closely following TF-M v2.1. Some patches are applied on top of the upstream, unmodified TF-M, but only for compatibility with Zephyr. They are very minor modifications.
On Thu, 2024-10-03 at 14:28 +0000, Zhang, Hao via TF-M wrote: Hi TF-M committee,
I have a question regarding PSA certification. Am I understanding correctly that if a platform wants to be ported to TF-M and the product wants to pass PSA certified, the TF-M version needs to come from a certain LTS tag release (e.g.TF-M v2.1.0https://urldefense.com/v3/__https:/github.com/TrustedFirmware-M/trusted-firmware-m/tree/TF-Mv2.1.0__;!!A3Ni8CS0y2Y!5bj4wL6XvGK3baw9QBX47rjOvQ3Pccu62ZdbCxcuYXDjQEu0Lni2tYWjh67GzmYZYTXqVjUqZgxRxHNtURZt34ncbrPmsBKd$ with commit 0c4c99bhttps://urldefense.com/v3/__https:/github.com/TrustedFirmware-M/trusted-firmware-m/commit/0c4c99ba33b3e66deea070e149279278dc7647f4__;!!A3Ni8CS0y2Y!5bj4wL6XvGK3baw9QBX47rjOvQ3Pccu62ZdbCxcuYXDjQEu0Lni2tYWjh67GzmYZYTXqVjUqZgxRxHNtURZt34ncbqApBms0$ that was pushed 5 months ago). However, Zephyr v3.7.0 is using TF-M versionhttps://urldefense.com/v3/__https:/github.com/zephyrproject-rtos/zephyr/blob/v3.7.0/west.yml*L330C17-L330C57__;Iw!!A3Ni8CS0y2Y!5bj4wL6XvGK3baw9QBX47rjOvQ3Pccu62ZdbCxcuYXDjQEu0Lni2tYWjh67GzmYZYTXqVjUqZgxRxHNtURZt34ncbmWVpn-q$ that is updated after TF-M v2.1.0. Does that means efforts need to be done to manually modify west.yml in Zephyr to roll back to the tag release of v2.1.0 for PSA certification?
Thank you very much,
Best, [https://opengraph.githubassets.com/f92ee5eaaedaf25d7ae17b5e8fc073a1573b0f314...]https://urldefense.com/v3/__https:/github.com/zephyrproject-rtos/zephyr/blob/v3.7.0/west.yml*L330C17-L330C57__;Iw!!A3Ni8CS0y2Y!5bj4wL6XvGK3baw9QBX47rjOvQ3Pccu62ZdbCxcuYXDjQEu0Lni2tYWjh67GzmYZYTXqVjUqZgxRxHNtURZt34ncbmWVpn-q$ zephyr/west.yml at v3.7.0 * zephyrproject-rtos/zephyrhttps://urldefense.com/v3/__https:/github.com/zephyrproject-rtos/zephyr/blob/v3.7.0/west.yml*L330C17-L330C57__;Iw!!A3Ni8CS0y2Y!5bj4wL6XvGK3baw9QBX47rjOvQ3Pccu62ZdbCxcuYXDjQEu0Lni2tYWjh67GzmYZYTXqVjUqZgxRxHNtURZt34ncbmWVpn-q$ Primary Git Repository for the Zephyr Project. Zephyr is a new generation, scalable, optimized, secure RTOS for multiple hardware architectures. - zephyrproject-rtos/zephyr github.com
[https://opengraph.githubassets.com/685e753ecccd8431b5e0c4ed32fb794a49e2bcb30...]https://urldefense.com/v3/__https:/github.com/TrustedFirmware-M/trusted-firmware-m/tree/TF-Mv2.1.0__;!!A3Ni8CS0y2Y!5bj4wL6XvGK3baw9QBX47rjOvQ3Pccu62ZdbCxcuYXDjQEu0Lni2tYWjh67GzmYZYTXqVjUqZgxRxHNtURZt34ncbrPmsBKd$ GitHub - TrustedFirmware-M/trusted-firmware-m at TF-Mv2.1.0https://urldefense.com/v3/__https:/github.com/TrustedFirmware-M/trusted-firmware-m/tree/TF-Mv2.1.0__;!!A3Ni8CS0y2Y!5bj4wL6XvGK3baw9QBX47rjOvQ3Pccu62ZdbCxcuYXDjQEu0Lni2tYWjh67GzmYZYTXqVjUqZgxRxHNtURZt34ncbrPmsBKd$ Read-only mirror for Trusted Firmware-M. Contribute to TrustedFirmware-M/trusted-firmware-m development by creating an account on GitHub. github.com
Best regards,
Hao