Hello Brian, 

The reason that ITS could not use the crypto partition to encrypt its data is that the crypto partition uses the ITS to store keys with persistent lifetime. As a result, using the PSA crypto partition from inside ITS would have introduced a circular dependency: crypto -> ITS -> crypto

That was not acceptable, so it was decided to use a HAL API in order to avoid this. 

Regards, 

GEORGIOS VASILAKIS | R&D Engineer

M +47 93 97 24 90 | Trondheim, Norway

nordicsemi.com | devzone.nordicsemi.com

 


 


From: Quach, Brian via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Tuesday, February 27, 2024 6:51 PM
To: tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] ITS encryption
 

Hi,

 

It appears that ITS encryption would be required for PSA Certified Level 3. I'm seeing that this would require a platform-specific HAL implementation. Is there some reason PSA Crypto APIs were not used like they were for attestation?

 

Encryption in ITS
=================

The ITS can optionally be configured to encrypt the internal trusted storage
data.
To support encryption in ITS the target platform must provide an
implementation of the APIs defined in ``platform/include/tfm_hal_its_encryption.h``::

    enum tfm_hal_status_t tfm_hal_its_aead_generate_nonce(uint8_t *nonce,
                                                          const size_t nonce_size);

    enum tfm_hal_status_t tfm_hal_its_aead_encrypt(
                                         struct tfm_hal_its_auth_crypt_ctx *ctx,
                                         const uint8_t *plaintext,
                                         const size_t plaintext_size,
                                         uint8_t *ciphertext,
                                         const size_t ciphertext_size,
                                         uint8_t *tag,
                                         const size_t tag_size);

    enum tfm_hal_status_t tfm_hal_its_aead_decrypt(
                                         struct tfm_hal_its_auth_crypt_ctx *ctx,
                                         const uint8_t *ciphertext,
                                         const size_t ciphertext_size,
                                         uint8_t *tag,
                                         const size_t tag_size,
                                         uint8_t *plaintext,
                                         const size_t plaintext_size);

 

 

Regards,

 

Brian Quach

SimpleLink MCU

Texas Instruments Inc.

12500 TI Blvd, MS F-4000

Dallas, TX 75243

214-479-4076