[TF-M] Re: Internal Trusted Storage

Hi Michael,

One possible way of using external flash device is encrypting a content. You can refer to this example-though if I recall correctly, it uses a proprietary flash chip. https://git.trustedfirmware.org/plugins/gitiles/TF-M/tf-m-extras/+/refs/head... Another example is rpi/rp2350 platform in TF-M which uses encrypted ITS with system flash to protect secrets. The encrypted ITS implementation is here: https://git.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m.git/...

Hope that helps, Anton

From: Michael Khoyilar via TF-M tf-m@lists.trustedfirmware.org Sent: Tuesday, May 20, 2025 10:02 AM To: Antonio De Angelis Antonio.DeAngelis@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: [TF-M] Re: Internal Trusted Storage

Thanks Antonio,

Thanks for the clarification. I still not sure how ITS support is possible if there is no Internal Flash. I looked at the ITS implementation and it requires Flash (file system etc) where our SoC has OTP for secure storage. Hope someone will clear this one as well.

BR

Michael

From: Antonio De Angelis <Antonio.DeAngelis@arm.commailto:Antonio.DeAngelis@arm.com> Sent: Tuesday, May 20, 2025 1:07 AM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: Michael Khoyilar <mkhoyilar@innophaseiot.commailto:mkhoyilar@innophaseiot.com>; nd <nd@arm.commailto:nd@arm.com> Subject: Re: Internal Trusted Storage

You don't often get email from antonio.deangelis@arm.commailto:antonio.deangelis@arm.com. Learn why this is importanthttps://aka.ms/LearnAboutSenderIdentification CAUTION:This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. If you suspect that this email may be a phishing attempt, please do not forward it to your colleagues. Instead, report it by forwarding this email to phishing@innophaseiot.commailto:phishing@innophaseiot.com. Hi Michael,

TF-M implements the ITS service. That statement is from the original storage design document and was pushed when there was no ITS yet, so it's outdated now. Apologies for the confusion. The level 2 certification should just require a form of secure storage but it does no have to be strictly ITS based. But I'll leave to others to better comment on this.

Thanks, Antonio ________________________________ From: Michael Khoyilar via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Sent: Monday, May 19, 2025 23:51 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Subject: [TF-M] Internal Trusted Storage

Hi team,

Can you help me with this statement that "Currently, the TF-M Secure Storage service implements PSA Protected Storage version 1.0-beta2. There is not yet an implementation of PSA Internal Trusted Storage in TF-M."

Our SoC does NOT have internal flash, but we have OTP where we keep the confidential data. Can you help how to handle this ITS situation. I wonder if PSA level-2 certification requires ITS? Thanks

BR

Michael