As an added benefit, that would eliminate the overhead of PSA calls from Crypto to ITS for key storage.
Regards,
Brian
From: Andrej Butok <andrey.butok@nxp.com>
Sent: Monday, March 4, 2024 5:03 AM
To: Quach, Brian <brian@ti.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.org
Subject: [EXTERNAL] RE: ITS encryption
Hi all,
It should be a good idea to combine Crypto and ITS to one partition.
Both are RoT PSA Services, so the isolation is not really required.
Best regards,
Andrej Butok
From: Quach, Brian via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Thursday, February 29, 2024 9:57 PM
To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.org
Subject: [TF-M] Re: ITS encryption
Thanks for the explanation Georgios! I suppose combining the crypto and ITS into a single partition would work around this but reduce the isolation.
Regards,
Brian
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.no>
Sent: Wednesday, February 28, 2024 2:14 AM
To: tf-m@lists.trustedfirmware.org; Quach, Brian <brian@ti.com>
Subject: [EXTERNAL] Re: ITS encryption
Hello Brian,
The reason that ITS could not use the crypto partition to encrypt its data is that the crypto partition uses the ITS to store keys with persistent lifetime. As a result, using the PSA crypto partition from inside ITS would have introduced the circular dependency:
crypto -> ITS -> crypto
That was not acceptable, so it was decided to use a HAL API in order to avoid this.
Regards,
GEORGIOS VASILAKIS | R&D Engineer
M +47 93 97 24 90 | Trondheim, Norway
nordicsemi.com | devzone.nordicsemi.com
From: Quach, Brian via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Tuesday, February 27, 2024 6:51 PM
To: tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] ITS encryption
Hi,
It appears that ITS encryption would be required for PSA Certified Level 3. I’m seeing that this would require a platform specific HAL implementation. Is there some reason PSA Crypto APIs were not used like they were for attestation?
Encryption in ITS
=================
The ITS can optionally be configured to encrypt the internal trusted storage
data.
To support encryption in ITS the target platform must provide an
implementation of the APIs defined in
``platform/include/tfm_hal_its_encryption.h``::
    enum tfm_hal_status_t tfm_hal_its_aead_generate_nonce(uint8_t *nonce,
                                                          const size_t nonce_size);
    enum tfm_hal_status_t tfm_hal_its_aead_encrypt(
                                        struct tfm_hal_its_auth_crypt_ctx *ctx,
                                        const uint8_t *plaintext,
                                        const size_t plaintext_size,
                                        uint8_t *ciphertext,
                                        const size_t ciphertext_size,
                                        uint8_t *tag,
                                        const size_t tag_size);
    enum tfm_hal_status_t tfm_hal_its_aead_decrypt(
                                        struct tfm_hal_its_auth_crypt_ctx *ctx,
                                        const uint8_t *ciphertext,
                                        const size_t ciphertext_size,
                                        uint8_t *tag,
                                        const size_t tag_size,
                                        uint8_t *plaintext,
                                        const size_t plaintext_size);
Regards,
Brian Quach
SimpleLink MCU
Texas Instruments Inc.
12500 TI Blvd, MS F-4000
Dallas, TX 75243
214-479-4076
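The dependency argument running through this thread, as an added example that is not TF-M code and was not posted by any participant: it models the three designs discussed (ITS encrypting through PSA Crypto, ITS encrypting through the HAL, and Crypto and ITS merged into one partition) and checks each for a cross-partition call cycle. All names are hypothetical, and treating the HAL as its own node is a modelling assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: the components named in the thread. */
enum { CRYPTO, ITS, HAL, N_NODES };
struct call { int from, to; };

/* Depth-first search; state: 0 = unvisited, 1 = on current path, 2 = done. */
static int dfs(int node, int adj[N_NODES][N_NODES], int state[N_NODES])
{
    state[node] = 1;
    for (int next = 0; next < N_NODES; next++) {
        if (!adj[node][next]) continue;
        if (state[next] == 1) return 1;          /* back edge: circular call */
        if (state[next] == 0 && dfs(next, adj, state)) return 1;
    }
    state[node] = 2;
    return 0;
}

/* part[] maps each component to the partition hosting it. Returns 1 if the
 * calls that cross a partition boundary form a cycle, else 0. */
int has_circular_dependency(const struct call *calls, size_t n, const int part[N_NODES])
{
    int adj[N_NODES][N_NODES] = {{0}};
    int state[N_NODES] = {0};
    for (size_t i = 0; i < n; i++) {
        int a = part[calls[i].from], b = part[calls[i].to];
        if (a != b) adj[a][b] = 1;   /* same partition: not a service call */
    }
    for (int p = 0; p < N_NODES; p++)
        if (state[p] == 0 && dfs(p, adj, state)) return 1;
    return 0;
}

static const int separate[N_NODES] = { CRYPTO, ITS, HAL };
static const int merged[N_NODES]   = { CRYPTO, CRYPTO, HAL };
/* Crypto stores persistent keys in ITS; ITS encrypts via Crypto or via the HAL. */
static const struct call via_psa[] = { {CRYPTO, ITS}, {ITS, CRYPTO} };
static const struct call via_hal[] = { {CRYPTO, ITS}, {ITS, HAL} };

int cycle_its_uses_psa_crypto(void) { return has_circular_dependency(via_psa, 2, separate); }
int cycle_its_uses_hal(void)        { return has_circular_dependency(via_hal, 2, separate); }
int cycle_merged_partition(void)    { return has_circular_dependency(via_psa, 2, merged); }

int main(void)
{
    printf("ITS -> PSA Crypto: %d\n", cycle_its_uses_psa_crypto());
    printf("ITS -> HAL:        %d\n", cycle_its_uses_hal());
    printf("merged partition:  %d\n", cycle_merged_partition());
    return 0;
}
```

In the merged case the cycle disappears only because both calls stop crossing a partition boundary, which is the isolation trade-off raised in the thread.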