Hi Hao,
TF-M is a reference implementation of PSA services on Cortex-M devices. PSA certification is independent of the TF-M project and its version. It is possible to apply for PSA certification using TF-M at any phase, even between releases, but a released version gives more confidence in quality because of better testing. An LTS version ensures that all issues found during the support period (3 years) will be fixed and PSA recertified.
Hope that helps, Anton
From: Zhang, Hao <Hao.Zhang@analog.com>
Sent: Thursday, October 3, 2024 6:43 PM
To: Anton Komlev <Anton.Komlev@arm.com>; tf-m@lists.trustedfirmware.org
Subject: RE: [TF-M] Re: PSA Certification for TF-M
Hi Anton,
Thank you! Just to confirm,
1. When you say any version of TF-M, are you referring to any commit of TF-M, or does it have to be a tag release TF-Mv<MAJOR>.<MINOR>.<HOTFIX>?
2. For example, for the current Zephyr TF-M port https://github.com/zephyrproject-rtos/trusted-firmware-m, is it eligible to be PSA certified?

Thank you so so much!
Best regards,
Hao

From: Anton Komlev <Anton.Komlev@arm.com>
Sent: Thursday, October 3, 2024 11:52 AM
To: Zhang, Hao <Hao.Zhang@analog.com>; Fontanilles, Tomi <tomi.fontanilles@nordicsemi.no>; tf-m@lists.trustedfirmware.org
Subject: RE: [TF-M] Re: PSA Certification for TF-M
Hi Hao,
Any version of TF-M is eligible for PSA certification. The LTS branches help reduce the overhead of platform re-certification if a security vulnerability is found and fixed in platform-independent code, as described here: https://trustedfirmware-m.readthedocs.io/en/latest/releases/release_process.html#long-term-support-lts
Best regards, Anton
From: Zhang, Hao via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Thursday, October 3, 2024 4:05 PM
To: Fontanilles, Tomi <tomi.fontanilles@nordicsemi.no>; tf-m@lists.trustedfirmware.org
Subject: [TF-M] Re: PSA Certification for TF-M
Hi Tomi,
Yes, that I know. Thank you for your information. I am mainly concerned about whether using TF-M main from the Zephyr side would affect the certification process. Thank you again!
Best regards,
Hao
From: Fontanilles, Tomi <tomi.fontanilles@nordicsemi.no>
Sent: Thursday, October 3, 2024 10:40 AM
To: Zhang, Hao <Hao.Zhang@analog.com>; tf-m@lists.trustedfirmware.org
Subject: Re: [TF-M] PSA Certification for TF-M
Hey Hao,
Just to comment on the Zephyr side. Both v3.7 and main are very closely following TF-M v2.1. Some patches are applied on top of the upstream, unmodified TF-M, but only for compatibility with Zephyr. They are very minor modifications.
On Thu, 2024-10-03 at 14:28 +0000, Zhang, Hao via TF-M wrote:

Hi TF-M committee,
I have a question regarding PSA certification. Am I understanding correctly that if a platform wants to be ported to TF-M and the product wants to pass PSA certification, the TF-M version needs to come from a certain LTS tag release (e.g. TF-M v2.1.0 <https://github.com/TrustedFirmware-M/trusted-firmware-m/tree/TF-Mv2.1.0> with commit 0c4c99b <https://github.com/TrustedFirmware-M/trusted-firmware-m/commit/0c4c99ba33b3e66deea070e149279278dc7647f4> that was pushed 5 months ago)? However, Zephyr v3.7.0 is using a TF-M version <https://github.com/zephyrproject-rtos/zephyr/blob/v3.7.0/west.yml#L330C17-L330C57> that is updated after TF-M v2.1.0. Does that mean effort needs to be made to manually modify west.yml in Zephyr to roll back to the tag release of v2.1.0 for PSA certification?
Thank you very much,
Best,
Best regards,
Hao