Sorry Andrew I was not precise enough. Maybe you can clarify again.

I was referring to the Code Protection between "PSA Root of Trust" and the "Secure Services".

From my understanding, in isolation level 2 code of the PSA Root of Trust should be not accessible by Secure Services.

This creates the practical problem that library code cannot be shared.

Table 5 in PSA-FF describes "Optional Isolation Rules". Is my understanding correct that PSA-FF does not require code execution protection between "PSA Root of Trust" and the "Secure Services".

Reinhard