Thanks Maulik,
I am still wondering if I need the ITS secure service to pass the PSA level 2 certification, as our SoC does NOT have internal flash (external flash YES, OTP YES). I understand that Protected Storage (PS) resides on off-chip flash, which our SoC has implemented, so there are no issues supporting the PS secure services.
What I am missing is how I would implement TF-M ITS if there is NO internal flash.
Basically, I need to set TFM_PARTITION_INTERNAL_TRUSTED_STORAGE = OFF in my TF-M setup. Do I pass PSA level-2 certification with no ITS implementation?
BR
Michael
From: Maulik Patel <Maulik.Patel@arm.com>
Sent: Tuesday, May 20, 2025 2:48 AM
To: Antonio De Angelis <Antonio.DeAngelis@arm.com>; tf-m@lists.trustedfirmware.org; Michael Khoyilar <mkhoyilar@innophaseiot.com>
Cc: nd <nd@arm.com>
Subject: Re: Internal Trusted Storage
Hello Michael,
Yes, you are right. The flash file system code resides in the ITS service, but there has been some work done to compile it as part of the PS service when ITS is not enabled. Please see this change:
Ideally the file system code should be part of a separate library, but this requires significant changes in the codebase (probably an ITS redesign). So the above was done as a workaround to allow the PS access to the flash file system code. I acknowledge that it does introduce additional latency by calling ITS via the PSA API under the hood.
Regards,
Maulik
From: Michael Khoyilar via TF-M <tf-m@lists.trustedfirmware.org>
Sent: 20 May 2025 10:01 AM
To: Antonio De Angelis <Antonio.DeAngelis@arm.com>;
tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Cc: nd <nd@arm.com>
Subject: [TF-M] Re: Internal Trusted Storage
Thanks Antonio,
Thanks for the clarification. I am still not sure how ITS support is possible if there is no internal flash. I looked at the ITS implementation and it requires flash (file system etc.), whereas our SoC has OTP for secure storage.
Hope someone will clear this one up as well.
BR
Michael
From: Antonio De Angelis <Antonio.DeAngelis@arm.com>
Sent: Tuesday, May 20, 2025 1:07 AM
To: tf-m@lists.trustedfirmware.org
Cc: Michael Khoyilar <mkhoyilar@innophaseiot.com>; nd <nd@arm.com>
Subject: Re: Internal Trusted Storage
Hi Michael,
TF-M implements the ITS service. That statement is from the original storage design document and was pushed when there was no ITS yet, so it's outdated now. Apologies for the confusion. The level 2 certification should just require a form of secure storage, but it does not have to be strictly ITS based. But I'll leave it to others to better comment on this.
Thanks,
Antonio
From: Michael Khoyilar via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Monday, May 19, 2025 23:51
To: tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] Internal Trusted Storage
Hi team,
Can you help me with this statement: “Currently, the TF-M Secure Storage service implements PSA Protected Storage version 1.0-beta2. There is not yet an implementation of PSA Internal Trusted Storage in TF-M.”
Our SoC does NOT have internal flash, but we have OTP where we keep the confidential data. Can you help with how to handle this ITS situation? I wonder if PSA level-2 certification requires ITS? Thanks
BR
Michael