Sorry Andrew I was not precise enough. Maybe you can clarify again.
I was referring to the Code Protection between "PSA Root of Trust" and the "Secure Services".
From my understanding, in isolation level 2 code of the PSA Root of Trust should be not accessible by Secure Services.
This creates the practical problem that library code cannot be shared.
Table 5 in PSA-FF describes "Optional Isolation Rules". Is my understanding correct that PSA-FF does not require code execution protection between "PSA Root of Trust" and the "Secure Services".
Reinhard