Hi Antonio,

 

I figured it out.  I wasn’t including secure_fw/partitions/crypto/tfm_mbedcrypto_include.h properly so attestation was linking directly to the PSA Crypto function implementation instead of the client interface.  I’m surprised it did not complain about a symbol collision without having the mbedcrypto__ prefix.   The PSA crypto API implementation source files were “PRIVATE” so I’m not sure how attestation was able to link to them at all.

 

Regards,
Brian

 

From: Antonio De Angelis <Antonio.DeAngelis@arm.com>
Sent: Thursday, May 8, 2025 9:42 AM
To: Quach, Brian <brian@ti.com>; Mudit Sharma <Mudit.Sharma@arm.com>; tf-m@lists.trustedfirmware.org
Subject: Re: [EXTERNAL] Re: [TF-M] Attestation calls to PSA Crypto

 

Hi Brian,

 

We can't reproduce exactly that mixture easily, but I don't think that should affect how the partition code gets linked to the interface code. Regardless of the type of partition (SFN/IPC), the linking of the interfaces should remain the same, i.e. your setup should not be able to link at all directly with the crypto library that provides the PSA Crypto APIs.

 

Thanks, Antonio

 


From: Quach, Brian
Sent: Thursday, May 08, 2025 15:29
To: Mudit Sharma; tf-m@lists.trustedfirmware.org
Cc: Antonio De Angelis
Subject: RE: [EXTERNAL] Re: [TF-M] Attestation calls to PSA Crypto

 

Hi Mudit,

 

Thanks for checking.   Is the build you tested using the same mix of SFN and IPC as I was? 

 

Regards,
Brian

 

From: Mudit Sharma <mudit.sharma@arm.com>
Sent: Thursday, May 8, 2025 5:21 AM
To: Quach, Brian <brian@ti.com>; tf-m@lists.trustedfirmware.org
Cc: Antonio.DeAngelis@arm.com
Subject: [EXTERNAL] Re: [TF-M] Attestation calls to PSA Crypto

 

Hi Brian,
 
We built secure world TF-M test for AN521 platform:
 
```
cmake -S spe -B build_spe -DTFM_PLATFORM=arm/mps2/an521 \
       -DCONFIG_TFM_SOURCE_PATH="$TFM_SOURCE_DIR" \
       -DCMAKE_BUILD_TYPE=Debug \
       -DTEST_S=ON -DTEST_NS=OFF
```
 
We ran this test on an FVP model and stepped through `tfm_attest_test_1001`. Please find attached a screenshot of the call stack.

A function in `attest_core` (in the Attestation partition) invokes a function in `tfm_crypto_api`. This request is routed by the Secure Partition Manager (SPM) into the Crypto partition via `psa_call()`.
 
 
On 5/6/25 00:33, Quach, Brian wrote:
> 
> Is my configuration valid?   How should it work?
> 
Any time you call a function across partitions, regardless of isolation level, the SPM forwards it to the target partition using `psa_call()`.
 
Best regards,
Mudit Sharma