Thank you Jamie,
Found in PSA Storage API:
“The PSA Internal Trusted Storage API (PSA ITS) must be implemented in the PSA Root of Trust as described in the
PSA Security Model specification.
If there are no Application Root of Trust (ARoT) services that rely on it, the PSA Protected Storage API (PS API)
may be implemented in the NSPE. Otherwise, the PS API must be implemented in the ARoT.”
From: Jamie Fox <Jamie.Fox@arm.com>
Sent: Thursday, June 18, 2020 11:56 AM
To: Andrej Butok <andrey.butok@nxp.com>; tf-m@lists.trustedfirmware.org
Subject: RE: PS => AP ROT
Hi Andrej,
The PSA Storage spec (available here
https://developer.arm.com/architectures/security-architectures/platform-security-architecture/documentation)
states that the Protected Storage service should be implemented inside the Application Root of Trust.
The principle is that the PSA Root of Trust should be kept as small as possible, to reduce the attack surface of the most privileged part of the system. As Protected Storage neither needs the privileges of the PSA Root
of Trust nor is used by any PSA Root of Trust service, it should be implemented inside the Application Root of Trust.
Kind regards,
Jamie
From: TF-M <tf-m-bounces@lists.trustedfirmware.org>
On Behalf Of Andrej Butok via TF-M
Sent: 18 June 2020 09:16
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] PS => AP ROT
Hello,
I have just notices that the TFM Protected Storage service partition has been changed from PSA ROT to APP ROT.
Just curious, what is a reason?
May it stay PSA ROT?
Thank you in advance,
Andrej Butok