Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also “”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT). “”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards, Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards, George
________________________________ From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement? Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated? If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead? The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards, George
________________________________ From: Sherry Zhang Sherry.Zhang2@arm.com Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hi George,
Your explanation on adding encryption in ITS sounds very reasonable to me. Let’s discuss it on the tech forum today for more opinions.
Another reason I prefer keeping the PS and ITS encryption in their own partition is that the encryption key for PS should belongs to the PS partition. So, if PS object encryption is also done in the ITS partition, which indicates that the ITS partition can access the key which belongs to the PS partition. That would break the isolation.
Regards, Sherry Zhang
From: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no Sent: Wednesday, September 29, 2021 8:04 PM To: Sherry Zhang Sherry.Zhang2@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement? Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated? If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead? The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend. Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards, George
________________________________ From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch) Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them. Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level. The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards, George
________________________________ From: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang Sherry.Zhang2@arm.com; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement? Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated? If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead? The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards, George
________________________________ From: Sherry Zhang Sherry.Zhang2@arm.com Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________ From: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch) Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them. Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level. The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards, George
________________________________ From: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang Sherry.Zhang2@arm.com; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement? Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated? If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead? The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards, George
________________________________ From: Sherry Zhang Sherry.Zhang2@arm.com Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hi George,
Sorry I didn’t fully understand solution 2. How can the crypto partition call itself to do encryption? And does ITS partition need to call crypto partition to do the encryption or the user should call the crypto partition to encrypt the data before calling the ITS service to store it? Can you explain more on solution 2?
Thanks,
Regards, Sherry
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: Tuesday, October 19, 2021 9:31 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________ From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch) Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them. Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level. The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards, George
________________________________ From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement? Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated? If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead? The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend. Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards, George
________________________________ From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hey Sherry,
Sure, let me explain a bit further.
Right now the PSA APIs use the ITS as a backend for the storage of persistent keys. When someone calls a cryptographic function using a persistent key they will end up calling ITS APIs to fetch the info and the data of the key (as done in the psa_load_persistent_key). What I am proposing is to have an encryption abstraction implemented(optionally) in this level. An encryption abstraction will only define the encryption functions signatures and each provider will have to provide their own custom crypto implementation in this scope. Then the encryption/decryption of the key material will be done to the PSA funtions (like the psa_load_persistent_key) and the ITS will be unaware of the whole operation.
So to answer the first question, we will not call PSA crypto from inside of the PSA crypto. We will call a different crypto abstraction which will be implemented by each platform. The encryption will be transparent to the users. Also the ITS will not have to know anything about it, all the logic can be implemented in the PSA APIs.
To make the scheme more clear I uploaded an image with the current and the proposed method here: https://ibb.co/Bgrq1K3 [https://i.ibb.co/wKwMvrg/encrypted-key-storage.png]https://ibb.co/Bgrq1K3 encrypted-key-storagehttps://ibb.co/Bgrq1K3 Image encrypted-key-storage hosted in ImgBB ibb.co
Regards, George
________________________________ From: Sherry Zhang Sherry.Zhang2@arm.com Sent: Wednesday, October 20, 2021 5:45 AM To: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Sorry I didn’t fully understand solution 2. How can the crypto partition call itself to do encryption? And does ITS partition need to call crypto partition to do the encryption or the user should call the crypto partition to encrypt the data before calling the ITS service to store it? Can you explain more on solution 2?
Thanks,
Regards,
Sherry
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: Tuesday, October 19, 2021 9:31 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards,
George
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement?
Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated?
If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead?
The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hi George,
Thanks for the explanation. It really helps me understand your opinion. If anyway platform specific crypto API should be used to encrypt the data, why not add the encryption layer directly in the ITS partition as you proposed at the very beginning? A further question about the key metadata confidentiality protection.: In the function psa_crypto_storage_store, if we encrypt the psa_persistent_key_storage_format data(key metadata) together with the key material, isn’t the key metadata confidentiality also protected just like the confidentiality of the key material?
Another comment is that the TF-M crypto partition calls the mbedtls library for the PSA crypto API implementation. So, the main work of your proposal is probably contributing to mbedtls project.
Regards, Sherry
From: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no Sent: Wednesday, October 20, 2021 9:11 PM To: Sherry Zhang Sherry.Zhang2@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hey Sherry,
Sure, let me explain a bit further.
Right now the PSA APIs use the ITS as a backend for the storage of persistent keys. When someone calls a cryptographic function using a persistent key they will end up calling ITS APIs to fetch the info and the data of the key (as done in the psa_load_persistent_key). What I am proposing is to have an encryption abstraction implemented(optionally) in this level. An encryption abstraction will only define the encryption functions signatures and each provider will have to provide their own custom crypto implementation in this scope. Then the encryption/decryption of the key material will be done to the PSA funtions (like the psa_load_persistent_key) and the ITS will be unaware of the whole operation.
So to answer the first question, we will not call PSA crypto from inside of the PSA crypto. We will call a different crypto abstraction which will be implemented by each platform. The encryption will be transparent to the users. Also the ITS will not have to know anything about it, all the logic can be implemented in the PSA APIs.
To make the scheme more clear I uploaded an image with the current and the proposed method here: https://ibb.co/Bgrq1K3
Regards, George
________________________________ From: Sherry Zhang Sherry.Zhang2@arm.com Sent: Wednesday, October 20, 2021 5:45 AM To: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Sorry I didn’t fully understand solution 2. How can the crypto partition call itself to do encryption? And does ITS partition need to call crypto partition to do the encryption or the user should call the crypto partition to encrypt the data before calling the ITS service to store it? Can you explain more on solution 2?
Thanks,
Regards,
Sherry
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: Tuesday, October 19, 2021 9:31 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards,
George
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement?
Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated?
If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead?
The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
If you are using an AEAD scheme for the encrypted material, it would be sufficient to describe the metadata as associated (authenticated) data. The integrity for both the metadata and the encrypted key material would then be provided via a MAC.
We are aiming for a scheme that diversifies the encryption key further than just having one static Key-Encryption-Key. We can do this with information in the metadata, but in this case it needs to be unencrypted to use it.
There is a big benefit in doing the encryption in PSA Crypto scope (or any scope higher than PSA ITS): When you encrypt the data you are growing the stored data, and this is easier to do before you reach PSA ITS. The write operation to PSA ITS is much easier with known on-disk-sizes.
We would like to have a seperation between the PSA PS and the PSA ITS when it comes to the encryption key used. If we add encryption in PSA ITS we either encrypt things twice for PSA PS or we only use one key for both.
It is unfortunate that the encryption for PSA PS wasn't designed more modular. There aren't many options for code reuse without major redesign.
As a last point: There is a benefit of doing this in mbed TLS scope. The feature would be available by single-core devices that doesn't have TrustZone.
We can move this conversation to the mbed TLS mailing list, if this scope is better suited...
Regards Frank Audun Kvamtrø ________________________________ Fra: TF-M tf-m-bounces@lists.trustedfirmware.org på vegne av Sherry Zhang via TF-M tf-m@lists.trustedfirmware.org Sendt: torsdag 21. oktober 2021 11:09 Til: tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Kopi: nd nd@arm.com Emne: Re: [TF-M] Supporting encryption with ITS
Hi George,
Thanks for the explanation. It really helps me understand your opinion.
If anyway platform specific crypto API should be used to encrypt the data, why not add the encryption layer directly in the ITS partition as you proposed at the very beginning?
A further question about the key metadata confidentiality protection.: In the function psa_crypto_storage_store, if we encrypt the psa_persistent_key_storage_format data(key metadata) together with the key material, isn’t the key metadata confidentiality also protected just like the confidentiality of the key material?
Another comment is that the TF-M crypto partition calls the mbedtls library for the PSA crypto API implementation. So, the main work of your proposal is probably contributing to mbedtls project.
Regards,
Sherry
From: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no Sent: Wednesday, October 20, 2021 9:11 PM To: Sherry Zhang Sherry.Zhang2@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hey Sherry,
Sure, let me explain a bit further.
Right now the PSA APIs use the ITS as a backend for the storage of persistent keys. When someone calls a cryptographic function using a persistent key they will end up calling ITS APIs to fetch the info and the data of the key (as done in the psa_load_persistent_key). What I am proposing is to have an encryption abstraction implemented(optionally) in this level. An encryption abstraction will only define the encryption functions signatures and each provider will have to provide their own custom crypto implementation in this scope. Then the encryption/decryption of the key material will be done to the PSA funtions (like the psa_load_persistent_key) and the ITS will be unaware of the whole operation.
So to answer the first question, we will not call PSA crypto from inside of the PSA crypto. We will call a different crypto abstraction which will be implemented by each platform. The encryption will be transparent to the users. Also the ITS will not have to know anything about it, all the logic can be implemented in the PSA APIs.
To make the scheme more clear I uploaded an image with the current and the proposed method here: https://ibb.co/Bgrq1K3https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fibb.co%2FBgrq1K3&data=04%7C01%7Cfrank.kvamtro%40nordicsemi.no%7C069335f0a674476e596608d994916f03%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C637704174638141758%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=b6uP8c91DYykY0PN5yaI3Pk4DrZ%2BfSktgAvBvMYOsk0%3D&reserved=0
Regards,
George
________________________________
From: Sherry Zhang Sherry.Zhang2@arm.com Sent: Wednesday, October 20, 2021 5:45 AM To: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Sorry I didn’t fully understand solution 2. How can the crypto partition call itself to do encryption? And does ITS partition need to call crypto partition to do the encryption or the user should call the crypto partition to encrypt the data before calling the ITS service to store it? Can you explain more on solution 2?
Thanks,
Regards,
Sherry
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: Tuesday, October 19, 2021 9:31 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards,
George
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement?
Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated?
If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead?
The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here ?? )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hi Georgios,
Thanks for the illustration of your proposal.
From a PSA architectural perspective, the concern with this design is that:
* The key store does not consider that PSA ITS is secure enough to store key material without additional cryptographic protection * Other clients of the PSA ITS service assume that it already provides confidentiality, integrity and rollback protection for its contents.
So either the ITS service provides the required security properties, and then the key store does not need to do additional cryptographic protection; OR the ITS service does not meet the PSA ITS security requirements, and should not be using the PSA ITS API.
[I realise that this is a fairly long post, but I wanted to try and provide an outline of some possible design solutions that do not result in an inadequate ITS service.]
If the storage used for ITS in a system does not provide the required security properties, then ideally, we do not redefine the security of ITS. Instead, either (a) we add the cryptographic protection within the ITS service (so ITS now matches the security requirements), or (b) we rename the storage service used by the key store for this platform (i.e. not psa_its_*), make the key store encrypt data before storage, and then provide a compliant ITS service that also encrypts before using the underlying not-secure-enough storage service.
Option (a) involves breaking the Crypto-key-store -> ITS -> Crypto dependency cycle by removing the ITS->PSA Crypto link. Some techniques have already been suggested:
1. Have the ITS implementation use its own [copy of the] cryptographic algorithms that are needed 2. Implement the ITS and Crypto services in a single partition: have the key load and store operations use an internal ITS interface (not the psa_its_*() functions that dispatch through the SPM), and the ITS read and write operations use an internal Crypto API for encryption and decryption (not the PSA Crypto API that dispatches through the SPM)
Option (b) breaks the Crypto->ITS->Crypto cycle a third way:
1. Renaming the underlying storage service, and removing the Crypto->ITS dependency, replacing it with Crypto->Storage, and ITS->Crypto and ITS->Storage dependencies. This requires changes to the key store load/unload functions, and not just introducing an extra (optional) call
These options impact the existing TF-M service code in different ways:
Option 1 only requires changes in the ITS service implementation. Depending on the cryptographic protection required this might just be encryption and decryption of each data item content, but not ITS metadata protection (this is equivalent to the proposed change to the key load/store functions), cryptographic protection of storage metadata requires a solution that looks more like the PS use of cryptography. Option 2 requires flexibility in the partition assignment of services, and the ability to use internal APIs between the services (for this configuration) instead of the normal PSA APIs. Option 3 requires the ability to change the key load and store functions at the back-end of the PSA Crypto service, to not use PSA ITS. It might also benefit from an ability to split ITS into a back-end storage engine (may not be secure enough), and the service API front-end.
All of the options need some cryptography design to decide how to manage and store or derive the keys used for encryption.
None of these appear as simple as the encryption hooks in the encrypted-key-storage graphic, but that design fails to provide an ITS service that meets the security requirements.
Regards, Andrew
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: 20 October 2021 14:11 To: Sherry Zhang Sherry.Zhang2@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hey Sherry,
Sure, let me explain a bit further.
Right now the PSA APIs use the ITS as a backend for the storage of persistent keys. When someone calls a cryptographic function using a persistent key they will end up calling ITS APIs to fetch the info and the data of the key (as done in the psa_load_persistent_key). What I am proposing is to have an encryption abstraction implemented(optionally) in this level. An encryption abstraction will only define the encryption functions signatures and each provider will have to provide their own custom crypto implementation in this scope. Then the encryption/decryption of the key material will be done to the PSA funtions (like the psa_load_persistent_key) and the ITS will be unaware of the whole operation.
So to answer the first question, we will not call PSA crypto from inside of the PSA crypto. We will call a different crypto abstraction which will be implemented by each platform. The encryption will be transparent to the users. Also the ITS will not have to know anything about it, all the logic can be implemented in the PSA APIs.
To make the scheme more clear I uploaded an image with the current and the proposed method here: https://ibb.co/Bgrq1K3 [Image removed by sender.]https://ibb.co/Bgrq1K3 encrypted-key-storagehttps://ibb.co/Bgrq1K3 Image encrypted-key-storage hosted in ImgBB ibb.co
Regards, George
________________________________ From: Sherry Zhang Sherry.Zhang2@arm.com Sent: Wednesday, October 20, 2021 5:45 AM To: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Sorry I didn’t fully understand solution 2. How can the crypto partition call itself to do encryption? And does ITS partition need to call crypto partition to do the encryption or the user should call the crypto partition to encrypt the data before calling the ITS service to store it? Can you explain more on solution 2?
Thanks,
Regards,
Sherry
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: Tuesday, October 19, 2021 9:31 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards,
George
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement?
Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated?
If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead?
The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hello Andrew,
Thank you for the useful considerations!
I agree with you that we have a benefit to have ITS with clearly defined security requirements. So, I see the benefit of not including the encryption scheme in the key storage itself since it can result in confusion for the users.
The spec states clearly in the requirements that ITS may or may not provide confidentiality/integrity (section 2.2, p 4,5). Since this is not a strict requirement, I don't believe that we can say that PSA is not "secure enough". Being secure enough, in my opinion, requires fulfilling the minimum set of requirements and these do not include any cryptography. This is the reason that currently we can say that the current implementation is compliant with the spec even though it does not provide any encryption/integrity features. Still, we need to be careful to avoid confusion for the users.
In my opinion what we need in the PSA level is a configurable flag which states the supported features of ITS which platforms must include in their configuration file. This will make the ITS supported features clear to the users independently of how we will decide to do it in the end.
Now regarding the implementations, you made a valuable comment which I think that it needs to be more highlighted. The storage used for ITS may or may not provide confidentiality/integrity in the hardware level (I am assuming that secure elements might be added later). This means that we need to have a way to inform the ITS service of which optional features are supported in the hardware level (in the "flash" folder of the ITS partition). Then the ITS codebase can decide if it needs to add encryption in the software level or not.
Regarding the proposed solutions:
1. Encrypt each ITS object using platform specific APIs: this solution is fairly like the proposed one, as you stated, with the main disadvantage being that will result in dual encryption for the PS in some cases. 2. Implement the ITS and Crypto services in a single partition: This solution breaks the separation of concern of these two services. They are both in the PRoT, but I think it is preferable not to merge them. They have clearly different scopes and merging them can be confusing. 3. Renaming the underlying storage service: This solution I am not sure that I understand fully. If we decouple the ITS backend as a storage solution and the PSA keystore uses the storage it will not be possible to have encrypted key storage if the hardware backend does not support, it, right? So, what is the advantage of having an encrypted ITS if the PSA keystore does not use it?
In my opinion option 1 along with the addition of some headers with the supported features of the ITS backends is a clean solution which follows the security requirements of the spec.
Regards, Georgios
________________________________ From: Andrew Thoelke Andrew.Thoelke@arm.com Sent: Thursday, October 21, 2021 4:40 PM To: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
Hi Georgios,
Thanks for the illustration of your proposal.
From a PSA architectural perspective, the concern with this design is that:
* The key store does not consider that PSA ITS is secure enough to store key material without additional cryptographic protection * Other clients of the PSA ITS service assume that it already provides confidentiality, integrity and rollback protection for its contents.
So either the ITS service provides the required security properties, and then the key store does not need to do additional cryptographic protection; OR the ITS service does not meet the PSA ITS security requirements, and should not be using the PSA ITS API.
[I realise that this is a fairly long post, but I wanted to try and provide an outline of some possible design solutions that do not result in an inadequate ITS service.]
If the storage used for ITS in a system does not provide the required security properties, then ideally, we do not redefine the security of ITS. Instead, either (a) we add the cryptographic protection within the ITS service (so ITS now matches the security requirements), or (b) we rename the storage service used by the key store for this platform (i.e. not psa_its_*), make the key store encrypt data before storage, and then provide a compliant ITS service that also encrypts before using the underlying not-secure-enough storage service.
Option (a) involves breaking the Crypto-key-store -> ITS -> Crypto dependency cycle by removing the ITS->PSA Crypto link. Some techniques have already been suggested:
1. Have the ITS implementation use its own [copy of the] cryptographic algorithms that are needed 2. Implement the ITS and Crypto services in a single partition: have the key load and store operations use an internal ITS interface (not the psa_its_*() functions that dispatch through the SPM), and the ITS read and write operations use an internal Crypto API for encryption and decryption (not the PSA Crypto API that dispatches through the SPM)
Option (b) breaks the Crypto->ITS->Crypto cycle a third way:
1. Renaming the underlying storage service, and removing the Crypto->ITS dependency, replacing it with Crypto->Storage, and ITS->Crypto and ITS->Storage dependencies. This requires changes to the key store load/unload functions, and not just introducing an extra (optional) call
These options impact the existing TF-M service code in different ways:
Option 1 only requires changes in the ITS service implementation. Depending on the cryptographic protection required this might just be encryption and decryption of each data item content, but not ITS metadata protection (this is equivalent to the proposed change to the key load/store functions), cryptographic protection of storage metadata requires a solution that looks more like the PS use of cryptography.
Option 2 requires flexibility in the partition assignment of services, and the ability to use internal APIs between the services (for this configuration) instead of the normal PSA APIs.
Option 3 requires the ability to change the key load and store functions at the back-end of the PSA Crypto service, to not use PSA ITS. It might also benefit from an ability to split ITS into a back-end storage engine (may not be secure enough), and the service API front-end.
All of the options need some cryptography design to decide how to manage and store or derive the keys used for encryption.
None of these appear as simple as the encryption hooks in the encrypted-key-storage graphic, but that design fails to provide an ITS service that meets the security requirements.
Regards,
Andrew
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: 20 October 2021 14:11 To: Sherry Zhang Sherry.Zhang2@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hey Sherry,
Sure, let me explain a bit further.
Right now the PSA APIs use the ITS as a backend for the storage of persistent keys. When someone calls a cryptographic function using a persistent key they will end up calling ITS APIs to fetch the info and the data of the key (as done in the psa_load_persistent_key). What I am proposing is to have an encryption abstraction implemented(optionally) in this level. An encryption abstraction will only define the encryption functions signatures and each provider will have to provide their own custom crypto implementation in this scope. Then the encryption/decryption of the key material will be done to the PSA funtions (like the psa_load_persistent_key) and the ITS will be unaware of the whole operation.
So to answer the first question, we will not call PSA crypto from inside of the PSA crypto. We will call a different crypto abstraction which will be implemented by each platform. The encryption will be transparent to the users. Also the ITS will not have to know anything about it, all the logic can be implemented in the PSA APIs.
To make the scheme more clear I uploaded an image with the current and the proposed method here: https://ibb.co/Bgrq1K3https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fibb.co%2FBgrq1K3&data=04%7C01%7Cgeorgios.vasilakis%40nordicsemi.no%7C43db78682d4845858bdb08d994a0c54d%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C637704240506383555%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fd04KqKUSaKzqAVCIVhGY3bSuvTkbhENh1%2FX44wvPxE%3D&reserved=0
Image encrypted-key-storage hosted in ImgBB
ibb.co
Regards,
George
________________________________
From: Sherry Zhang Sherry.Zhang2@arm.com Sent: Wednesday, October 20, 2021 5:45 AM To: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Sorry I didn’t fully understand solution 2. How can the crypto partition call itself to do encryption? And does ITS partition need to call crypto partition to do the encryption or the user should call the crypto partition to encrypt the data before calling the ITS service to store it? Can you explain more on solution 2?
Thanks,
Regards,
Sherry
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: Tuesday, October 19, 2021 9:31 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards,
George
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement?
Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated?
If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead?
The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here ?? )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hi Georgios,
The spec states clearly in the requirements that ITS may or may not provide confidentiality/integrity (section 2.2, p 4,5). Since this is not a strict requirement, I don't believe that we can say that PSA is not "secure enough". Being secure enough, in my opinion, requires fulfilling the minimum set of requirements and these do not include any cryptography. This is the reason that currently we can say that the current implementation is compliant with the spec even though it does not provide any encryption/integrity features. Still, we need to be careful to avoid confusion for the users.
I need to clarify what the spec (https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Imp...https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Implement/IHI0087-PSA_Storage_API-1.0.0.pdf?revision=810a2412-bca0-46e1-a801-f48729a32e47) does and does not say (or intend to say) are the requirements of ITS.
Section §2.2 PSA Internal Trusted Storage Requirements agrees with §1.4 The PSA Internal Trusted Storage API, in requiring that all data stored by ITS is protected from disclosure and tampering. The last paragraph in §1.4 says
As the Internal Storage is implicitly confidential and protected from replay …
Requirements 1 and 2 in §2.2 state this explicitly:
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device. 2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
The optionality that is expressed by requirements 4 and 5 in §2.2 is specifically about the use of cryptography to provide or enhance the protection required by 1 and 2:
4. The PSA Internal Trusted Storage Service MAY provide confidentiality using cryptographic ciphers. 5. The PSA Internal Trusted Storage Service MAY provide integrity protection using cryptographic Message Authentication Codes (MAC) or signatures.
Perhaps these requirements should be rewritten to ensure that they are unambiguous. They are intended to be read as “MAY provide (confidentiality using cryptographic ciphers)” rather than “(MAY provide confidentiality) (using cryptographic ciphers)”. The latter obviously contradicts requirement 1, but potentially ambiguous requirements are never a good idea.
In my opinion what we need in the PSA level is a configurable flag which states the supported features of ITS which platforms must include in their configuration file. This will make the ITS supported features clear to the users independently of how we will decide to do it in the end.
Given the intention of the specification of ITS, this is not required at the PSA API level – ITS needs to provide this protection. However, configurability might be a good way to make the existing ITS service implementation code be capable of using completely secure flash when available (the current assumption of this code I believe), or using cryptographic protection when the underlying storage hardware does not provide sufficient security for ITS.
The ‘double encryption’ depends on the implementation of PS. A trivial implementation that maps all calls to PS onto calls to ITS, but encrypts data on the way, doesn’t make much sense from a security perspective: if PS is directly using ITS for storage, then ITS already has the security properties required by PS. I wouldn’t expect this implementation to be used in devices with larger NS flash memories, as ITS is expected to be very limited in capacity. I am not familiar with the TF-M implementation of PS, so cannot comment on this issue with regards to what happens in TF-M.
I agree from an ideal architecture point of view, and from a reliable/robust software engineering perspective – separation of the services makes for cleaner code, which is more easily tested and audited, and can expose implementation errors more easily or quickly. However, for small footprint devices, the additional separation (suggested by solution 1) adds cost, particularly when considering a possible need to duplicate parts of the cryptographic library, or try and share this code (and data?) without undermining the separation of the services. So for some systems, this might be the most appropriate design solution (this might not be your system).
Let me try and describe this more clearly then:
* My assumption is that the platform has some semi-secure non-volatile storage, which does not have all the desired properties for ITS. For example, imagine that it is possible to prevent erase/write operations from outside of the PSA RoT, but someone with physical access to the device may be able to read the contents – so we have integrity protection, but not confidentiality. * Create a private key-value storage service (KVS) that uses this NVM in a very similar manner to the current ITS API. * In the implementation of the PSA Crypto service, the storage of keys is done by (a) wrapping the key data using an internal-to-crypto API (e.g. using AEAD with keys suitably derived from the HUK or other device-specific secret), and then (b) using KVS to store this data in NVM. Key loading reverses the processes and verifies that the data loaded from KVS is authentic. * In the implementation of the PSA ITS service, the storage of a data item is done by (a) encrypting to data value using the PSA Crypto API (using suitably derived keys etc), and then (b) using KVS to store this data in NVM. Data retrieval reverses the processes and verifies that the data loaded from KVS is authentic. * Some KVS design issues: * It would be valuable to prevent use of KVS from other services. * KVS should separate KV pairs stored by Crypto from that stored by ITS – so that Crypto and ITS do not need to maintain exclusive key ranges for their own data. * ITS needs to separate the data of its clients, and PSA Crypto the keys of its clients, so it will be useful for a KVS ‘key’ to be large enough to include an ITS client Id and the ITS client’s own item Id; or the Crypto client ID and the Crypto client’s key id. Otherwise ITS and Crypto both need to maintain their own indirection (index) from their client’s items to the KVS storage keys – and that indirection table must itself be stored in KVS, or recoverable by iterating through all of KVS at service initialisation.
I am happy if solution 1 is the best fit for your platform, but it is worth considering that this might not be an optimal solution for all systems that do not have the security properties required by ITS in the hardware itself.
Regards, Andrew
From: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no Sent: 22 October 2021 13:13 To: Andrew Thoelke Andrew.Thoelke@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello Andrew,
Thank you for the useful considerations! I agree with you that we have a benefit to have ITS with clearly defined security requirements. So, I see the benefit of not including the encryption scheme in the key storage itself since it can result in confusion for the users.
The spec states clearly in the requirements that ITS may or may not provide confidentiality/integrity (section 2.2, p 4,5). Since this is not a strict requirement, I don't believe that we can say that PSA is not "secure enough". Being secure enough, in my opinion, requires fulfilling the minimum set of requirements and these do not include any cryptography. This is the reason that currently we can say that the current implementation is compliant with the spec even though it does not provide any encryption/integrity features. Still, we need to be careful to avoid confusion for the users.
In my opinion what we need in the PSA level is a configurable flag which states the supported features of ITS which platforms must include in their configuration file. This will make the ITS supported features clear to the users independently of how we will decide to do it in the end.
Now regarding the implementations, you made a valuable comment which I think that it needs to be more highlighted. The storage used for ITS may or may not provide confidentiality/integrity in the hardware level (I am assuming that secure elements might be added later). This means that we need to have a way to inform the ITS service of which optional features are supported in the hardware level (in the "flash" folder of the ITS partition). Then the ITS codebase can decide if it needs to add encryption in the software level or not.
Regarding the proposed solutions:
1. Encrypt each ITS object using platform specific APIs: this solution is fairly like the proposed one, as you stated, with the main disadvantage being that will result in dual encryption for the PS in some cases. 2. Implement the ITS and Crypto services in a single partition: This solution breaks the separation of concern of these two services. They are both in the PRoT, but I think it is preferable not to merge them. They have clearly different scopes and merging them can be confusing. 3. Renaming the underlying storage service: This solution I am not sure that I understand fully. If we decouple the ITS backend as a storage solution and the PSA keystore uses the storage it will not be possible to have encrypted key storage if the hardware backend does not support, it, right? So, what is the advantage of having an encrypted ITS if the PSA keystore does not use it?
In my opinion option 1 along with the addition of some headers with the supported features of the ITS backends is a clean solution which follows the security requirements of the spec.
Regards, Georgios
________________________________ From: Andrew Thoelke <Andrew.Thoelke@arm.commailto:Andrew.Thoelke@arm.com> Sent: Thursday, October 21, 2021 4:40 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi Georgios,
Thanks for the illustration of your proposal.
From a PSA architectural perspective, the concern with this design is that:
* The key store does not consider that PSA ITS is secure enough to store key material without additional cryptographic protection * Other clients of the PSA ITS service assume that it already provides confidentiality, integrity and rollback protection for its contents.
So either the ITS service provides the required security properties, and then the key store does not need to do additional cryptographic protection; OR the ITS service does not meet the PSA ITS security requirements, and should not be using the PSA ITS API.
[I realise that this is a fairly long post, but I wanted to try and provide an outline of some possible design solutions that do not result in an inadequate ITS service.]
If the storage used for ITS in a system does not provide the required security properties, then ideally, we do not redefine the security of ITS. Instead, either (a) we add the cryptographic protection within the ITS service (so ITS now matches the security requirements), or (b) we rename the storage service used by the key store for this platform (i.e. not psa_its_*), make the key store encrypt data before storage, and then provide a compliant ITS service that also encrypts before using the underlying not-secure-enough storage service.
Option (a) involves breaking the Crypto-key-store -> ITS -> Crypto dependency cycle by removing the ITS->PSA Crypto link. Some techniques have already been suggested:
1. Have the ITS implementation use its own [copy of the] cryptographic algorithms that are needed 2. Implement the ITS and Crypto services in a single partition: have the key load and store operations use an internal ITS interface (not the psa_its_*() functions that dispatch through the SPM), and the ITS read and write operations use an internal Crypto API for encryption and decryption (not the PSA Crypto API that dispatches through the SPM)
Option (b) breaks the Crypto->ITS->Crypto cycle a third way:
1. Renaming the underlying storage service, and removing the Crypto->ITS dependency, replacing it with Crypto->Storage, and ITS->Crypto and ITS->Storage dependencies. This requires changes to the key store load/unload functions, and not just introducing an extra (optional) call
These options impact the existing TF-M service code in different ways:
Option 1 only requires changes in the ITS service implementation. Depending on the cryptographic protection required this might just be encryption and decryption of each data item content, but not ITS metadata protection (this is equivalent to the proposed change to the key load/store functions), cryptographic protection of storage metadata requires a solution that looks more like the PS use of cryptography.
Option 2 requires flexibility in the partition assignment of services, and the ability to use internal APIs between the services (for this configuration) instead of the normal PSA APIs.
Option 3 requires the ability to change the key load and store functions at the back-end of the PSA Crypto service, to not use PSA ITS. It might also benefit from an ability to split ITS into a back-end storage engine (may not be secure enough), and the service API front-end.
All of the options need some cryptography design to decide how to manage and store or derive the keys used for encryption.
None of these appear as simple as the encryption hooks in the encrypted-key-storage graphic, but that design fails to provide an ITS service that meets the security requirements.
Regards,
Andrew
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: 20 October 2021 14:11 To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hey Sherry,
Sure, let me explain a bit further.
Right now the PSA APIs use the ITS as a backend for the storage of persistent keys. When someone calls a cryptographic function using a persistent key they will end up calling ITS APIs to fetch the info and the data of the key (as done in the psa_load_persistent_key). What I am proposing is to have an encryption abstraction implemented(optionally) in this level. An encryption abstraction will only define the encryption functions signatures and each provider will have to provide their own custom crypto implementation in this scope. Then the encryption/decryption of the key material will be done to the PSA funtions (like the psa_load_persistent_key) and the ITS will be unaware of the whole operation.
So to answer the first question, we will not call PSA crypto from inside of the PSA crypto. We will call a different crypto abstraction which will be implemented by each platform. The encryption will be transparent to the users. Also the ITS will not have to know anything about it, all the logic can be implemented in the PSA APIs.
To make the scheme more clear I uploaded an image with the current and the proposed method here: https://ibb.co/Bgrq1K3https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fibb.co%2FBgrq1K3&data=04%7C01%7Cgeorgios.vasilakis%40nordicsemi.no%7C43db78682d4845858bdb08d994a0c54d%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C637704240506383555%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fd04KqKUSaKzqAVCIVhGY3bSuvTkbhENh1%2FX44wvPxE%3D&reserved=0
Image encrypted-key-storage hosted in ImgBB
ibb.co
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Wednesday, October 20, 2021 5:45 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Sorry I didn’t fully understand solution 2. How can the crypto partition call itself to do encryption? And does ITS partition need to call crypto partition to do the encryption or the user should call the crypto partition to encrypt the data before calling the ITS service to store it? Can you explain more on solution 2?
Thanks,
Regards,
Sherry
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Tuesday, October 19, 2021 9:31 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards,
George
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement?
Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated?
If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead?
The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hi Georgios,
I’m interested in this feature and I find this modification from you, https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15096/4. I wonder that is there any plan for the update of this commit??
Regards, James
Hello James,
This is planned for the Q4 of the year yes. I don't have an exact timeline of when it will be ready though, this now needs a major rewrite to incorporate the new changes. I will probably also wait until this is merged: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/16214
In order to start again on it to avoid solving the merge conflict overhead.
Regards, Georgios ________________________________ From: lbj79928--- via TF-M tf-m@lists.trustedfirmware.org Sent: Wednesday, September 14, 2022 10:46 AM To: tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Subject: [TF-M] Re: Supporting encryption with ITS
Hi Georgios,
I’m interested in this feature and I find this modification from you, https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tru.... I wonder that is there any plan for the update of this commit??
Regards, James -- TF-M mailing list -- tf-m@lists.trustedfirmware.org To unsubscribe send an email to tf-m-leave@lists.trustedfirmware.org
I’m not very familiar with the crypto side of things in TF-M, but would option 3 also facilitate the storage of keys somewhere other than ITS (for example, in a hardware crypto block)? Or is that something that can/will be done through the mbedcrypto layer?
Chris
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: Friday, October 22, 2021 5:13 AM To: Andrew Thoelke Andrew.Thoelke@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safehttps://intranet-content.infineon.com/explore/aboutinfineon/rules/informationsecurity/ug/SocialEngineering/Pages/SocialEngineeringElements_en.aspx.
Hello Andrew,
Thank you for the useful considerations! I agree with you that we have a benefit to have ITS with clearly defined security requirements. So, I see the benefit of not including the encryption scheme in the key storage itself since it can result in confusion for the users.
The spec states clearly in the requirements that ITS may or may not provide confidentiality/integrity (section 2.2, p 4,5). Since this is not a strict requirement, I don't believe that we can say that PSA is not "secure enough". Being secure enough, in my opinion, requires fulfilling the minimum set of requirements and these do not include any cryptography. This is the reason that currently we can say that the current implementation is compliant with the spec even though it does not provide any encryption/integrity features. Still, we need to be careful to avoid confusion for the users.
In my opinion what we need in the PSA level is a configurable flag which states the supported features of ITS which platforms must include in their configuration file. This will make the ITS supported features clear to the users independently of how we will decide to do it in the end.
Now regarding the implementations, you made a valuable comment which I think that it needs to be more highlighted. The storage used for ITS may or may not provide confidentiality/integrity in the hardware level (I am assuming that secure elements might be added later). This means that we need to have a way to inform the ITS service of which optional features are supported in the hardware level (in the "flash" folder of the ITS partition). Then the ITS codebase can decide if it needs to add encryption in the software level or not.
Regarding the proposed solutions:
1. Encrypt each ITS object using platform specific APIs: this solution is fairly like the proposed one, as you stated, with the main disadvantage being that will result in dual encryption for the PS in some cases. 2. Implement the ITS and Crypto services in a single partition: This solution breaks the separation of concern of these two services. They are both in the PRoT, but I think it is preferable not to merge them. They have clearly different scopes and merging them can be confusing. 3. Renaming the underlying storage service: This solution I am not sure that I understand fully. If we decouple the ITS backend as a storage solution and the PSA keystore uses the storage it will not be possible to have encrypted key storage if the hardware backend does not support, it, right? So, what is the advantage of having an encrypted ITS if the PSA keystore does not use it?
In my opinion option 1 along with the addition of some headers with the supported features of the ITS backends is a clean solution which follows the security requirements of the spec.
Regards, Georgios
________________________________ From: Andrew Thoelke <Andrew.Thoelke@arm.commailto:Andrew.Thoelke@arm.com> Sent: Thursday, October 21, 2021 4:40 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi Georgios,
Thanks for the illustration of your proposal.
From a PSA architectural perspective, the concern with this design is that:
* The key store does not consider that PSA ITS is secure enough to store key material without additional cryptographic protection * Other clients of the PSA ITS service assume that it already provides confidentiality, integrity and rollback protection for its contents.
So either the ITS service provides the required security properties, and then the key store does not need to do additional cryptographic protection; OR the ITS service does not meet the PSA ITS security requirements, and should not be using the PSA ITS API.
[I realise that this is a fairly long post, but I wanted to try and provide an outline of some possible design solutions that do not result in an inadequate ITS service.]
If the storage used for ITS in a system does not provide the required security properties, then ideally, we do not redefine the security of ITS. Instead, either (a) we add the cryptographic protection within the ITS service (so ITS now matches the security requirements), or (b) we rename the storage service used by the key store for this platform (i.e. not psa_its_*), make the key store encrypt data before storage, and then provide a compliant ITS service that also encrypts before using the underlying not-secure-enough storage service.
Option (a) involves breaking the Crypto-key-store -> ITS -> Crypto dependency cycle by removing the ITS->PSA Crypto link. Some techniques have already been suggested:
1. Have the ITS implementation use its own [copy of the] cryptographic algorithms that are needed 2. Implement the ITS and Crypto services in a single partition: have the key load and store operations use an internal ITS interface (not the psa_its_*() functions that dispatch through the SPM), and the ITS read and write operations use an internal Crypto API for encryption and decryption (not the PSA Crypto API that dispatches through the SPM)
Option (b) breaks the Crypto->ITS->Crypto cycle a third way:
1. Renaming the underlying storage service, and removing the Crypto->ITS dependency, replacing it with Crypto->Storage, and ITS->Crypto and ITS->Storage dependencies. This requires changes to the key store load/unload functions, and not just introducing an extra (optional) call
These options impact the existing TF-M service code in different ways:
Option 1 only requires changes in the ITS service implementation. Depending on the cryptographic protection required this might just be encryption and decryption of each data item content, but not ITS metadata protection (this is equivalent to the proposed change to the key load/store functions), cryptographic protection of storage metadata requires a solution that looks more like the PS use of cryptography.
Option 2 requires flexibility in the partition assignment of services, and the ability to use internal APIs between the services (for this configuration) instead of the normal PSA APIs.
Option 3 requires the ability to change the key load and store functions at the back-end of the PSA Crypto service, to not use PSA ITS. It might also benefit from an ability to split ITS into a back-end storage engine (may not be secure enough), and the service API front-end.
All of the options need some cryptography design to decide how to manage and store or derive the keys used for encryption.
None of these appear as simple as the encryption hooks in the encrypted-key-storage graphic, but that design fails to provide an ITS service that meets the security requirements.
Regards,
Andrew
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: 20 October 2021 14:11 To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hey Sherry,
Sure, let me explain a bit further.
Right now the PSA APIs use the ITS as a backend for the storage of persistent keys. When someone calls a cryptographic function using a persistent key they will end up calling ITS APIs to fetch the info and the data of the key (as done in the psa_load_persistent_key). What I am proposing is to have an encryption abstraction implemented(optionally) in this level. An encryption abstraction will only define the encryption functions signatures and each provider will have to provide their own custom crypto implementation in this scope. Then the encryption/decryption of the key material will be done to the PSA funtions (like the psa_load_persistent_key) and the ITS will be unaware of the whole operation.
So to answer the first question, we will not call PSA crypto from inside of the PSA crypto. We will call a different crypto abstraction which will be implemented by each platform. The encryption will be transparent to the users. Also the ITS will not have to know anything about it, all the logic can be implemented in the PSA APIs.
To make the scheme more clear I uploaded an image with the current and the proposed method here: https://ibb.co/Bgrq1K3https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fibb.co%2FBgrq1K3&data=04%7C01%7Cgeorgios.vasilakis%40nordicsemi.no%7C43db78682d4845858bdb08d994a0c54d%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C637704240506383555%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fd04KqKUSaKzqAVCIVhGY3bSuvTkbhENh1%2FX44wvPxE%3D&reserved=0
Image encrypted-key-storage hosted in ImgBB
ibb.co
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Wednesday, October 20, 2021 5:45 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Sorry I didn’t fully understand solution 2. How can the crypto partition call itself to do encryption? And does ITS partition need to call crypto partition to do the encryption or the user should call the crypto partition to encrypt the data before calling the ITS service to store it? Can you explain more on solution 2?
Thanks,
Regards,
Sherry
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Tuesday, October 19, 2021 9:31 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards,
George
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement?
Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated?
If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead?
The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hello,
Andrew thank you for the clarifying the spec. It is useful to know that confidentiality is a requirement of ITS and we only discuss about how we will accomplish this, either with dedicated hardware or with encryption. I think a clarification on the spec on this matter will improve understanding and avoid misconceptions for integrators.
Given the intention of the specification of ITS, this is not required at the PSA API level – ITS needs to provide this protection. However, configurability might be a good way to make the existing ITS service implementation code be capable of using completely secure flash when available (the current assumption of this code I believe), or using cryptographic protection when the underlying storage hardware does not provide sufficient security for ITS.
This was my point as well. We need to be able to identify which platforms support all the features of ITS (in hardware) and which do not, so that the ITS requirements can be met regardless.
The ‘double encryption’ depends on the implementation of PS. A trivial implementation that maps all calls to PS onto calls to ITS, but encrypts data on the way, doesn’t make much sense from a security perspective: if PS is directly using ITS for storage, then ITS already has the security properties required by PS. I wouldn’t expect this implementation to be used in devices with larger NS flash memories, as ITS is expected to be very limited in capacity. I am not familiar with the TF-M implementation of PS, so cannot comment on this issue with regards to what happens in TF-M.
This is what TF-M is doing now, it redirects PS calls to the ITS (even though it is using a different ITS partition for the PS).
Solution 3 - Renaming the underlying storage service.
I think that I can now fully understand the proposal, thank you for clarifying. My assumption is that the main purpose of ITS is to be used for key storage. This proposal makes me question this assumption though, since it does not use the ITS as a key storage backend. Then the question for me is why we even need the ITS.
I am happy if solution 1 is the best fit for your platform, but it is worth considering that this might not be an optimal solution for all systems that do not have the security properties required by ITS in the hardware itself.
The purpose of this conversation it to discuss and decide on a solution which fits the most platforms using TF-M. When an accepted solution is decided then I am happy to assist with the implementation of it but I would prefer to have some consensus before I proceed.
I think that is valuable to continue this conversation on the TF-M tech forum this week.
I’m not very familiar with the crypto side of things in TF-M, but would option 3 also facilitate the storage of keys somewhere other than ITS (for example, in a hardware crypto block)? Or is that something that can/will be done through the mbedcrypto layer?
By hardware crypto block do you mean a hardware block which does both the crypto operations and key storage? In this case I think that the PSA APIs consider this a secure element and they don't use the ITS at all. If this is the case this conversation should be irrelevant for this use case I think.
I am proposing to raise this topic again in the tech forum this week.
Regards,
Georgios
________________________________ From: Chris.Brand@infineon.com Chris.Brand@infineon.com Sent: Friday, October 22, 2021 5:32 PM To: tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: Vasilakis, Georgios georgios.vasilakis@nordicsemi.no; Andrew.Thoelke@arm.com Andrew.Thoelke@arm.com Subject: RE: [TF-M] Supporting encryption with ITS
I’m not very familiar with the crypto side of things in TF-M, but would option 3 also facilitate the storage of keys somewhere other than ITS (for example, in a hardware crypto block)? Or is that something that can/will be done through the mbedcrypto layer?
Chris
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: Friday, October 22, 2021 5:13 AM To: Andrew Thoelke Andrew.Thoelke@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safehttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fintranet-content.infineon.com%2Fexplore%2Faboutinfineon%2Frules%2Finformationsecurity%2Fug%2FSocialEngineering%2FPages%2FSocialEngineeringElements_en.aspx&data=04%7C01%7Cgeorgios.vasilakis%40nordicsemi.no%7C5b21811d9e8247c870c808d995712d8a%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C637705135606723122%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=GrVNt7w9DypUKmvZulmTQKqMbHhIE1tiZHDf0cspepA%3D&reserved=0.
Hello Andrew,
Thank you for the useful considerations!
I agree with you that we have a benefit to have ITS with clearly defined security requirements. So, I see the benefit of not including the encryption scheme in the key storage itself since it can result in confusion for the users.
The spec states clearly in the requirements that ITS may or may not provide confidentiality/integrity (section 2.2, p 4,5). Since this is not a strict requirement, I don't believe that we can say that PSA is not "secure enough". Being secure enough, in my opinion, requires fulfilling the minimum set of requirements and these do not include any cryptography. This is the reason that currently we can say that the current implementation is compliant with the spec even though it does not provide any encryption/integrity features. Still, we need to be careful to avoid confusion for the users.
In my opinion what we need in the PSA level is a configurable flag which states the supported features of ITS which platforms must include in their configuration file. This will make the ITS supported features clear to the users independently of how we will decide to do it in the end.
Now regarding the implementations, you made a valuable comment which I think that it needs to be more highlighted. The storage used for ITS may or may not provide confidentiality/integrity in the hardware level (I am assuming that secure elements might be added later). This means that we need to have a way to inform the ITS service of which optional features are supported in the hardware level (in the "flash" folder of the ITS partition). Then the ITS codebase can decide if it needs to add encryption in the software level or not.
Regarding the proposed solutions:
1. Encrypt each ITS object using platform specific APIs: this solution is fairly like the proposed one, as you stated, with the main disadvantage being that will result in dual encryption for the PS in some cases. 2. Implement the ITS and Crypto services in a single partition: This solution breaks the separation of concern of these two services. They are both in the PRoT, but I think it is preferable not to merge them. They have clearly different scopes and merging them can be confusing. 3. Renaming the underlying storage service: This solution I am not sure that I understand fully. If we decouple the ITS backend as a storage solution and the PSA keystore uses the storage it will not be possible to have encrypted key storage if the hardware backend does not support, it, right? So, what is the advantage of having an encrypted ITS if the PSA keystore does not use it?
In my opinion option 1 along with the addition of some headers with the supported features of the ITS backends is a clean solution which follows the security requirements of the spec.
Regards,
Georgios
________________________________
From: Andrew Thoelke <Andrew.Thoelke@arm.commailto:Andrew.Thoelke@arm.com> Sent: Thursday, October 21, 2021 4:40 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi Georgios,
Thanks for the illustration of your proposal.
From a PSA architectural perspective, the concern with this design is that:
* The key store does not consider that PSA ITS is secure enough to store key material without additional cryptographic protection * Other clients of the PSA ITS service assume that it already provides confidentiality, integrity and rollback protection for its contents.
So either the ITS service provides the required security properties, and then the key store does not need to do additional cryptographic protection; OR the ITS service does not meet the PSA ITS security requirements, and should not be using the PSA ITS API.
[I realise that this is a fairly long post, but I wanted to try and provide an outline of some possible design solutions that do not result in an inadequate ITS service.]
If the storage used for ITS in a system does not provide the required security properties, then ideally, we do not redefine the security of ITS. Instead, either (a) we add the cryptographic protection within the ITS service (so ITS now matches the security requirements), or (b) we rename the storage service used by the key store for this platform (i.e. not psa_its_*), make the key store encrypt data before storage, and then provide a compliant ITS service that also encrypts before using the underlying not-secure-enough storage service.
Option (a) involves breaking the Crypto-key-store -> ITS -> Crypto dependency cycle by removing the ITS->PSA Crypto link. Some techniques have already been suggested:
1. Have the ITS implementation use its own [copy of the] cryptographic algorithms that are needed 2. Implement the ITS and Crypto services in a single partition: have the key load and store operations use an internal ITS interface (not the psa_its_*() functions that dispatch through the SPM), and the ITS read and write operations use an internal Crypto API for encryption and decryption (not the PSA Crypto API that dispatches through the SPM)
Option (b) breaks the Crypto->ITS->Crypto cycle a third way:
1. Renaming the underlying storage service, and removing the Crypto->ITS dependency, replacing it with Crypto->Storage, and ITS->Crypto and ITS->Storage dependencies. This requires changes to the key store load/unload functions, and not just introducing an extra (optional) call
These options impact the existing TF-M service code in different ways:
Option 1 only requires changes in the ITS service implementation. Depending on the cryptographic protection required this might just be encryption and decryption of each data item content, but not ITS metadata protection (this is equivalent to the proposed change to the key load/store functions), cryptographic protection of storage metadata requires a solution that looks more like the PS use of cryptography.
Option 2 requires flexibility in the partition assignment of services, and the ability to use internal APIs between the services (for this configuration) instead of the normal PSA APIs.
Option 3 requires the ability to change the key load and store functions at the back-end of the PSA Crypto service, to not use PSA ITS. It might also benefit from an ability to split ITS into a back-end storage engine (may not be secure enough), and the service API front-end.
All of the options need some cryptography design to decide how to manage and store or derive the keys used for encryption.
None of these appear as simple as the encryption hooks in the encrypted-key-storage graphic, but that design fails to provide an ITS service that meets the security requirements.
Regards,
Andrew
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: 20 October 2021 14:11 To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hey Sherry,
Sure, let me explain a bit further.
Right now the PSA APIs use the ITS as a backend for the storage of persistent keys. When someone calls a cryptographic function using a persistent key they will end up calling ITS APIs to fetch the info and the data of the key (as done in the psa_load_persistent_key). What I am proposing is to have an encryption abstraction implemented(optionally) in this level. An encryption abstraction will only define the encryption functions signatures and each provider will have to provide their own custom crypto implementation in this scope. Then the encryption/decryption of the key material will be done to the PSA funtions (like the psa_load_persistent_key) and the ITS will be unaware of the whole operation.
So to answer the first question, we will not call PSA crypto from inside of the PSA crypto. We will call a different crypto abstraction which will be implemented by each platform. The encryption will be transparent to the users. Also the ITS will not have to know anything about it, all the logic can be implemented in the PSA APIs.
To make the scheme more clear I uploaded an image with the current and the proposed method here: https://ibb.co/Bgrq1K3https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fibb.co%2FBgrq1K3&data=04%7C01%7Cgeorgios.vasilakis%40nordicsemi.no%7C5b21811d9e8247c870c808d995712d8a%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C637705135606723122%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=S5U5iTQNNYgrF1AfTRsLT345iaTmh%2FWSap3weT%2B3CTs%3D&reserved=0
Image encrypted-key-storage hosted in ImgBB
ibb.co
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Wednesday, October 20, 2021 5:45 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Sorry I didn’t fully understand solution 2. How can the crypto partition call itself to do encryption? And does ITS partition need to call crypto partition to do the encryption or the user should call the crypto partition to encrypt the data before calling the ITS service to store it? Can you explain more on solution 2?
Thanks,
Regards,
Sherry
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Tuesday, October 19, 2021 9:31 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards,
George
________________________________
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement?
Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated?
If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead?
The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend.
Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here ?? )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
Hi,
Note that, by specification, ITS must provide confidentiality, integrity and replay protection for the data stored within it. However, if the platform already provides that protection via isolation/logical/physical mechanisms, then adding cryptographic protection provides some defence in depth, or may mitigate some forms of physical attack. In this case, it is not obvious what forms of cryptographic protection are needed, as cryptography is not providing the primary security properties for the ITS data.
As a result, I think the best design for this requirement will depend on the details of the protection that is required.
In this use case, which of the following types of cryptographic protection are needed:
1. Confidentiality of key material (the actual bits of the key data) 2. Confidentiality of key material and key metadata 3. Confidentiality of the full keystore 4. Per-key Integrity of key material 5. Per-key Integrity of key material and key metadata 6. Per-key Confidentiality and Integrity of key material and key metadata 7. Confidentiality and integrity of the full keystore 8. Rollback protection?
Per-key confidentiality, or confidentiality+integrity would be reasonably straight-forward to implement in a layer over the simple ITS storage – but would probably add IV or nonce+tag data to each key stored (assuming a HUK-derived encryption key is used). For just encryption, given the pseudo-random nature of secret keys – it might be possible to drop the need for random IV (and just use the client id + key id as an IV/nonce).
Full key store confidentiality or confidentiality+integrity requires much more complex design, as this aims to conceal and protect the identity of the keys that are stored, not just the key material and/or key metadata.
Regards, Andrew
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Vasilakis, Georgios via TF-M Sent: 19 October 2021 14:31 To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] Supporting encryption with ITS
Hello again, sorry for the second email by my formatting got lost in the first one unfortunately. Let me include the formatted context below:
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
1)Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch)
2)Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them.
3)Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level.
The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
________________________________ From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Tuesday, October 19, 2021 3:18 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello all,
Following the discussion regarding the encryption with ITS let's discuss a bit further the ideas discussed in the meeting.
Allow the protected storage to be used as a storage backend for persistent key storage in PSA crypto: This introduces the problem of reentrance that we discussed before. We cannot call crypto from the inside the PSA storage partition (either ITS of PS if we wanted to switch) Do the encryption in the crypto partition instead of the ITS: This will require to create some platform specific encryption abstraction since we cannot have reentrance in PSA crypto as well. Meaning that we cannot call PSA crypto from PSA crypto. The main thing that needs to be solved in this solution is where can we store the metadata. The key itself can be derived from the HUK and does not need to be stored but the metadata need to be stored. These metadata can be stored by expanding the psa_storage_info_t struct or by introducing a new struct. The crypto storage apis will need to be modified to be aware of the extra information and handle them. Put a frontend to ITS so that we select specific keys that need to be derived by the HUK. This is like the idea 2 I think in a concept level. The previous two designs described in the mailing list was to refactor the ITS and the PS partitions to have a common "encryption" library and the idea of refactoring the ITS itself to have an encryption layer.
I personally prefer the solution 2 more than the other solutions. Moving the encryption in a higher level and using the ITS as a simple storage solution seems a cleaner approach. This will introduce a crypto abstraction layer (different than PS) but I don't consider it as a major disadvantage since all the crypto implementations in this scope will be very platform specific.
Let me know about your opinions on this, if there are no major objections, I am willing to design a solution and some header files to elaborate more on this design.
Regards, George
________________________________ From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Wednesday, September 29, 2021 2:04 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for the feedback!
Does the storage area on your device meet this requirement? Yes, our devices can secure against read and write access through the dedicated peripherals (SPU + MPU).
Is the memory physically isolated? If by that you mean if they are located outside of the chip then it is not. It is part of the package.
If not, I wonder why not uses the Protected Storage service instead? The reason that we cannot use the protected storage service is that it is not supported as a storage backend by the PSA crypto APIs. Storing non-volatile keys right now using the PSA APIs uses ITS as a storage backend. Your comments regarding storing the IV and the TAG in Protected Storage are, of course, valid. If we decide to use a common code base we will have to do changes in the design of both services to overcome these issues.
Overall, the motivation for encrypted ITS is based on the raising popularity of hardware-based attacks. The fact that right now we provide all the security measures needed does not mean that nothing will get compromised in the future. A security in depth approach seems more reasonable for such sensitive data.
I am happy to join the TF-M Tech forum this Thursday and discuss it further, yes!
Regards, George
________________________________ From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Tuesday, September 28, 2021 12:20 PM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also
“”””””””””””””””””””
1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device.
2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT).
“”””””””””””””””””””
So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead?
For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable.
As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time.
Regards,
Sherry Zhang
From: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: Re: [TF-M] Supporting encryption with ITS
Hello Sherry,
Thank you for your input!
1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this.
Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS.
Regards,
George
________________________________
From: Sherry Zhang <Sherry.Zhang2@arm.commailto:Sherry.Zhang2@arm.com> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi George,
Some comments from my side:
1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption.
Regards,
Sherry Zhang
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com>; Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com> Cc: nd <nd@arm.commailto:nd@arm.com>; tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hey Gyorgy,
These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls.
Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think.
________________________________
From: Gyorgy Szing <Gyorgy.Szing@arm.commailto:Gyorgy.Szing@arm.com> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt@nxp.commailto:fabian.schmidt@nxp.com>; Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org>; nd <nd@arm.commailto:nd@arm.com> Subject: RE: [TF-M] Supporting encryption with ITS
Hi,
AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS.
You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines.
Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 )
/George
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis@nordicsemi.nomailto:georgios.vasilakis@nordicsemi.no> Cc: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: Re: [TF-M] Supporting encryption with ITS
Hi George,
I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.*
Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture.
Greetings,
Fabian Schmidt
* at least short of a sophisticated physical attack or finding some loophole in TrustZone…
From: TF-M <tf-m-bounces@lists.trustedfirmware.orgmailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [EXT] [TF-M] Supporting encryption with ITS
Caution: EXT Email
Hey all,
Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers.
At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later.
What are your thoughts on this?
Regards,
George
tf-m@lists.trustedfirmware.org