Hi Ken,

Based on your idea, several fundamental countermeasures against physical attacks will be removed.

Double checking return value
Execution flow counters
Structured variables with initial failure values

Mitigation to physical attacks is required in PSA Level 3 certify. It is crucial for TF-M to provide reasonable physical attack mitigations.

Please provide proper justifications to prove that removal of those countermeasures above won’t weaken existing protection against physical attacks.

On the other hand, even if those countermeasures above are removed now, it will still affect the HAL updates when they are “recovered back”.

So why not solve the development difficulty at this moment?

Best regards,

Hu Ziji

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Ken Liu via TF-M
Sent: Monday, August 9, 2021 10:18 AM
To: tf-m@lists.trustedfirmware.org
Cc: nd <nd@arm.com>
Subject: [TF-M] [Question] FIH usage in platforms

Hi,

Is there anyone enables FIH when developing or releasing?

Background:

We got a couple of HAL updates during feature development and found FIH affects the development progress much, as we need to provide two sets of prototypes and implementation for involved functions, this doubles the efforts on debugging or coding.

So a draft idea in my mind is to shut down part of the functionalities during this update stage and recover them back if FIH still can prove its importance later.

These functionalities are KEPT during the update stage:

- FIH delay, which makes it harder to find the exact time point.

- Protection unit validation, ensures the protection unit is initialized as expected.

Please provide your feedback about the usage and the idea. For platforms that are applying this feature, we need to find out a trade-off way.

Thanks.

/Ken