Hi everyone,

When studying the FWU service I noticed that there is a function

psa_status_t psa_fwu_accept(psa_image_id_t image_id)

It is used to mark an image as accepted, and it works by writing a magic number to the image trailer.

This function can be used to mark the NS or S application as accepted.

The first question is: who is responsible for making the call to mark the TFM image as accepted? Is this the responsibility of the NS application?

The second thing I see is a write access problem.

TFM can receive a call to mark the TFM image as accepted, so this means that TFM must have permission to write to its own primary slot.

Doesn't this create a possibility for a security violation?

I can imagine that in an ideal world TFM would only have Read and Execute permission for its own primary slot. The only thing that should be able to write to the TFM primary slot should be the bootloader (it needs this functionality to swap images). No one else should be able to write into the TFM primary slot.

Am I missing something?

Best regards,

Bohdan Hunko

Cypress Semiconductor Ukraine

Engineer

CSUKR CSS ICW SW FW

Mobile: +38099 50 19 714
Bohdan.Hunko@infineon.com
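To make the write-permission concern in the post above concrete, here is a toy model of an image slot with a trailer, added as an illustration. It is constructed example code, not TF-M, MCUboot or PSA FWU code: the slot layout, the trailer magic value, the image_ok flag and the permission map are all assumptions. It compares three ways of granting the secure firmware access to its own primary slot: read/write/execute over the whole slot, read/execute only, and read/execute for the code area with write access confined to the trailer. The third layout is one possible design, not a statement about how TF-M is actually configured.

```c
/* Toy model of an image slot with an MCUboot-style trailer, written to
 * illustrate the write-permission question above. Constructed example, not
 * TF-M/MCUboot/PSA code: layout, magic and permission scheme are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE    4096u                    /* assumed slot size                   */
#define TRAILER_SIZE 32u                      /* assumed trailer size                */
#define TRAILER_OFF  (SLOT_SIZE - TRAILER_SIZE)
#define MAGIC_OFF    (SLOT_SIZE - 16u)        /* assumed: magic is the last 16 bytes */
#define IMAGE_OK_OFF (TRAILER_OFF)            /* assumed: image_ok flag starts trailer */
#define IMAGE_OK_SET 0x01u

/* Assumed, made-up 16-byte "accepted" magic. Erased flash reads 0xFF, so a
 * freshly installed image never carries it until someone writes it. */
static const uint8_t TRAILER_MAGIC[16] = {
    0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18,
    0x29, 0x3A, 0x4B, 0x5C, 0x6D, 0x7E, 0x8F, 0x90
};

enum { PERM_R = 1u, PERM_W = 2u, PERM_X = 4u };

struct region { uint32_t start, end; unsigned perm; };          /* [start, end) */
struct domain { const char *name; struct region regions[2]; size_t n_regions; };

static uint8_t slot[SLOT_SIZE];   /* simulated primary slot */

/* True if every byte of [off, off+len) lies in a region granting all bits of `need`. */
static bool allowed(const struct domain *d, uint32_t off, uint32_t len, unsigned need)
{
    for (uint32_t a = off; a < off + len; a++) {
        bool ok = false;
        for (size_t i = 0; i < d->n_regions; i++) {
            const struct region *r = &d->regions[i];
            if (a >= r->start && a < r->end && (r->perm & need) == need) { ok = true; break; }
        }
        if (!ok) return false;
    }
    return true;
}

/* Flash write gated by the caller's permission map: 0 on success, -1 if denied. */
static int flash_write(const struct domain *caller, uint32_t off, const void *src, uint32_t len)
{
    if (off + len > SLOT_SIZE || !allowed(caller, off, len, PERM_W))
        return -1;
    memcpy(&slot[off], src, len);
    return 0;
}

/* Bootloader installs an image: code bytes present, trailer still erased (0xFF). */
static void install_image(void)
{
    memset(slot, 0xFF, sizeof slot);
    memset(slot, 0xB8, TRAILER_OFF);   /* placeholder for code/data */
}

/* Accept = write the magic and the image_ok flag into the trailer, as the post describes. */
static int fwu_accept(const struct domain *caller)
{
    uint8_t ok = IMAGE_OK_SET;
    if (flash_write(caller, MAGIC_OFF, TRAILER_MAGIC, sizeof TRAILER_MAGIC) != 0)
        return -1;
    return flash_write(caller, IMAGE_OK_OFF, &ok, sizeof ok);
}

static bool image_accepted(void)
{
    return memcmp(&slot[MAGIC_OFF], TRAILER_MAGIC, sizeof TRAILER_MAGIC) == 0
        && slot[IMAGE_OK_OFF] == IMAGE_OK_SET;
}

/* What a bug in the caller could do if it also holds write access to the code area. */
static int patch_code(const struct domain *caller)
{
    static const uint8_t junk[4] = { 0x00, 0x00, 0x00, 0x00 };
    return flash_write(caller, 0, junk, sizeof junk);
}

/* Three ways to grant the secure firmware access to its own primary slot. */
static const struct domain spe_rw_whole = { "SPE: RWX whole slot",
    { { 0, SLOT_SIZE, PERM_R | PERM_W | PERM_X } }, 1 };
static const struct domain spe_rx_only = { "SPE: RX only",
    { { 0, SLOT_SIZE, PERM_R | PERM_X } }, 1 };
static const struct domain spe_rx_trailer_w = { "SPE: RX code, RW trailer only",
    { { 0, TRAILER_OFF, PERM_R | PERM_X }, { TRAILER_OFF, SLOT_SIZE, PERM_R | PERM_W } }, 2 };

int main(void)
{
    const struct domain *cases[] = { &spe_rw_whole, &spe_rx_only, &spe_rx_trailer_w };
    for (size_t i = 0; i < 3; i++) {
        install_image();
        int acc = fwu_accept(cases[i]), pat = patch_code(cases[i]);
        printf("%-30s accept=%s code_write=%s\n", cases[i]->name,
               acc == 0 ? "ok" : "denied", pat == 0 ? "ok" : "denied");
    }
    return 0;
}
```

Run stand-alone, the first layout accepts the image but would also let a bug in the secure firmware overwrite its own code; the second cannot accept at all, so the confirmation would have to come from the bootloader or another writer; the third accepts while a code write is still refused, which is the kind of split a practitioner would look for in the platform's flash access configuration.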