Hi Brian,
The pre-provisioned keys are highly platform dependent. TF-M just provides an API to access them, but currently we have no standard/general solution for storing them.
There was a question a few weeks ago related to the same topic. I just copied Shebu’s past answer here:
“Provisioning was added as a future roadmap item in anticipation of a PSA Provisioning Specification. The Specification (Factory or application specific) hasn't happened so far.
There is no active work ongoing in TF-M around provisioning. TF-M using provisioned keys in CC-312 on MuscaB1 platform is available as an example. See details here under CC312 heading.
In TrustedFirmware TSC, provisioning has been a discussion topic sometime back. Search for provisioning in the minutes below.
https://github.com/microbuilder/certificate_chains/blob/master/rfc_tfm.md is an RFC that Kevin prepared during those discussions for TF-M devices to use certificate chain.”
I hope this helps!
Tamas
From: TF-M <tf-m-bounces@lists.trustedfirmware.org>
On Behalf Of Ken Liu via TF-M
Sent: 27 May 2020 03:41
To: tf-m@lists.trustedfirmware.org; Quach, Brian <brian@ti.com>
Cc: nd <nd@arm.com>
Subject: [TF-M] FW: Pre-provisioned keys
Hi Folks,
Brian has a question about pre-provisioned keys; could anyone reply?
Hi Brian, you can subscribe to the mailing list here:
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
Thanks.
/Ken
From: Quach, Brian <brian@ti.com>
Sent: Wednesday, May 27, 2020 6:36 AM
Subject: Pre-provisioned keys
Hi Ken,
Does TF-M have a plan for storing and accessing persistent keys (such as HUK) installed to flash at the factory prior to provisioning of the device? I had seen these as being stored outside of ITS flash in some compile time defined location and being read-only.
Regards,
Brian