Hi Sunguk,
RSS is a particular processor IP from Arm, designed to serve as a SoC Root-of-Trust (RoT) and isolated attestation enclave in Arm's A-profile reference platforms. It's in the same general category of isolated security processors as secure enclaves but targeting more towards the higher-performance end of things. You can see how RSS is integrated into a reference platform here: https://neoverse-reference-design.docs.arm.com/en/latest/platforms/rdfremont...
On your second question, TF-M can be adapted to run on a secure enclave HW IP, but yes the key thing is to have the HW IP that gives you the isolated processing environment. The article you linked at the bottom is referring to the Musca-B1 secure enclave, which was a CryptoIsland-300 IP (though support for the Musca-B1 secure enclave has now been deprecated from TF-M).
Kind regards, Jamie
-----Original Message-----
From: Sunguk Bin via TF-M tf-m@lists.trustedfirmware.org
Sent: Wednesday, October 25, 2023 3:37 AM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] How is Secure Enclave configured?
I have a few questions regarding RSS and Secure Enclave, to see what's required and considered for SoC design to leverage RSS, and why we need to use RSS & TF-M.
1. What is the difference between RSS and Secure Enclave?
- Is RSS the same as Secure Enclave?
- Or is it referring to any subsystem providing a runtime crypto service, regardless of whether it's a Secure Enclave or not?

The question below assumes RSS is a Secure Enclave...

2. What enables TF-M to operate as a Secure Enclave?
- To operate as a Secure Enclave, is HW support mandatory?
a) If so, must we use a Secure Enclave IP such as CryptoIsland (CI-300P-C)?
b) Or can we construct a Secure Enclave with some other IPs (LCM, KMU, CryptoCell) mentioned in the RSS doc (by using TF-M without a secure enclave IP)? It feels vague whether this can be called a Secure Enclave... https://tf-m-user-guide.trustedfirmware.org/platform/arm/rss/rss_key_managem...
- If HW support is not mandatory, I wonder how TF-M can operate as a Secure Enclave.
- The article below seems to say that TF-M can provide Secure Enclave functionality without HW support, or I may misunderstand. https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.2.0/tfm/technical_ref...