I have a few questions regarding RSS and Secure Enclave, to see what's required and considered for SoC design to leverage RSS, and why we need to use RSS & TF-M.
1. What is the difference between RSS and Secure Enclave?
- Is RSS the same as Secure Enclave?
- Or is it referring to any subsystem providing a runtime crypto service, regardless of whether it's a Secure Enclave or not?
The question below assumes RSS is a Secure Enclave...
2. What enables TF-M to operate as a Secure Enclave?
- To operate as a Secure Enclave, is HW support mandatory?
a) If so, must we use a Secure Enclave IP such as CryptoIsland (CI-300P-C)?
b) Or can we construct a Secure Enclave with some other IPs (LCM, KMU, CryptoCell) mentioned in the RSS doc? (by using TF-M without a Secure Enclave IP) It feels vague whether this can be called a Secure Enclave... https://tf-m-user-guide.trustedfirmware.org/platform/arm/rss/rss_key_managem...
- If HW support is not mandatory, I wonder how TF-M can operate as a Secure Enclave.
- The article below seems to say that TF-M can provide Secure Enclave functionality without HW support, or I may have misunderstood. https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.2.0/tfm/technical_ref...
Hi Sunguk,
RSS is a particular processor IP from Arm, designed to serve as a SoC Root-of-Trust (RoT) and isolated attestation enclave in Arm's A-profile reference platforms. It's in the same general category of isolated security processors as secure enclaves, but targeted more towards the higher-performance end of things. You can see how RSS is integrated into a reference platform here: https://neoverse-reference-design.docs.arm.com/en/latest/platforms/rdfremont...
On your second question, TF-M can be adapted to run on a secure enclave HW IP, but yes the key thing is to have the HW IP that gives you the isolated processing environment. The article you linked at the bottom is referring to the Musca-B1 secure enclave, which was a CryptoIsland-300 IP (though support for the Musca-B1 secure enclave has now been deprecated from TF-M).
Kind regards, Jamie
-----Original Message----- From: Sunguk Bin via TF-M tf-m@lists.trustedfirmware.org Sent: Wednesday, October 25, 2023 3:37 AM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] How is Secure Enclave configured?
Jamie, Thanks for your feedback.
I'd like to summarize as below and ask some questions. If there is anything that I misunderstood, please let me know.
1. TF-M itself doesn't operate as a secure enclave.
2. To operate as a secure enclave, we must adapt a secure enclave IP or RSS.
3. RSS is a collection of IPs (LCM, KMU, CryptoCell...).
4. With the HW support listed above, keys and crypto operations can be isolated from SW (CPU).
5. Should we have separate dedicated memory and ROM for the RSS core? Or is there any IP to provide a dedicated region? Or isn't it necessary?
Kind Regards, Sunguk
Hi Sunguk,
- TF-M itself doesn't operate as a secure enclave.
- To operate as a secure enclave, we must adapt a secure enclave IP or RSS.
Yep, TF-M is portable firmware and the precise security guarantees depend on the HW used and how the HW features are used to implement the TF-M HAL.
- RSS is a collection of IPs (LCM, KMU, CryptoCell...).
- With the HW support listed above, keys and crypto operations can be isolated from SW (CPU).
It is made up of those IPs, integrated together into a subsystem that can then be integrated into a SoC. The crypto operations running on RSS are isolated from the application processor in the SoC, and the RSS key management IPs (LCM, KMU, crypto accelerator) mean that keys provisioned in RSS can be used by the accelerator, with HW protections against side-channel attacks, and without even SW running on the RSS CPU reading them.
- Should we have separate dedicated memory and ROM for the RSS core? Or is there any IP to provide a dedicated region? Or isn't it necessary?
Yes, RSS needs its own ROM, to provide the immutable root of trust for secure boot, and its own SRAM, so it has isolated memory for runtime data and loaded code. RSS can also be configured with the Secure I-cache (SIC) IP, which allows it to decrypt, authenticate & execute code from memory outside RSS, which can reduce how much SRAM is needed inside the RSS for loaded code.
Kind regards, Jamie
-----Original Message----- From: Sunguk Bin via TF-M tf-m@lists.trustedfirmware.org Sent: Wednesday, October 25, 2023 11:48 AM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] Re: How is Secure Enclave configured?
Jamie,
I have one more question. Is there an FVP reference platform that I can test to run RSS with TF-M?
Thanks, Sunguk
Hi Sunguk,
Yes, you can test RSS with either the TC2 FVP or the RD-Fremont FVP, both available here: https://developer.arm.com/downloads/-/arm-ecosystem-fvps
These platforms have build systems that build the full SW stack (including TF-M for the RSS), see here for TC2 https://totalcompute.docs.arm.com/en/latest/totalcompute/tc2/index.html and RD-Fremont https://neoverse-reference-design.docs.arm.com/en/latest/platforms/rdfremont.... Following one of the user guides there is the easiest way to get started, since RSS will not be able to do much without a working SW stack for the main application processor.
Kind regards, Jamie
-----Original Message----- From: Sunguk Bin via TF-M tf-m@lists.trustedfirmware.org Sent: Tuesday, October 31, 2023 2:51 AM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] Re: How is Secure Enclave configured?