Hi,
for PSA Certification level 2 a log of significant security events is required. Which I assume should be done with the Audit log service.
But the Audit log service does not support IPC mode.
Should PSA Certification level 2 be done with IPC mode or with library mode?
Hi Sebastian,
F.Audit Security function requiring security events to be logged is optional as noted in the PSA L2 PP [1]. As it is optional and there isn't PSA Functional APIs defined for Audit logging, the service hasn't been updated with IPC model or crypto binding etc. The secure logging service supported in Library model may not satisfy requirements of audit logging.
Considering PSA L2 PP requires isolation level2 (F.Software_Isolation) and isolation level2 is supported only in IPC model, TF-M is expected to be built in IPC model for PSA L2 cert.
May I know if you ask about Audit logging for PSA Certified, or for an actual use scenario?
[1] https://www.psacertified.org/app/uploads/2019/02/JSADEN002-PSA_Certified_Lev...
Best regards, Hu Ziji
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Bøe, Sebastian via TF-M Sent: Wednesday, December 1, 2021 9:59 PM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] IPC mode support for Audit log service
Hi,
for PSA Certification level 2 a log of significant security events is required. Which I assume should be done with the Audit log service.
But the Audit log service does not support IPC mode.
Should PSA Certification level 2 be done with IPC mode or with library mode?
Hi,
thank you for the reply.
I don't have a user scenario, I just need it for certification.
I saw that the audit log requirement was only optional for "resource-constrained" devices.
I thought that 1MB of flash would disqualify the nRF chips from opting out of this requirement, but if someone on the mailing list knows otherwise I would appreciate it.
In any case, it is clear that certifying to level 2 is not an option with library mode, thank you. ________________________________ From: David Hu David.Hu@arm.com Sent: Thursday, December 2, 2021 7:48 AM To: Bøe, Sebastian Sebastian.Boe@nordicsemi.no; tf-m@lists.trustedfirmware.org tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: IPC mode support for Audit log service
Hi Sebastian,
F.Audit Security function requiring security events to be logged is optional as noted in the PSA L2 PP [1].
As it is optional and there isn’t PSA Functional APIs defined for Audit logging, the service hasn’t been updated with IPC model or crypto binding etc.
The secure logging service supported in Library model may not satisfy requirements of audit logging.
Considering PSA L2 PP requires isolation level2 (F.Software_Isolation) and isolation level2 is supported only in IPC model, TF-M is expected to be built in IPC model for PSA L2 cert.
May I know if you ask about Audit logging for PSA Certified, or for an actual use scenario?
[1] https://www.psacertified.org/app/uploads/2019/02/JSADEN002-PSA_Certified_Lev...https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.psacertified.org%2Fapp%2Fuploads%2F2019%2F02%2FJSADEN002-PSA_Certified_Level_2_PP-1.1.pdf&data=04%7C01%7CSebastian.Boe%40nordicsemi.no%7Ce394c7d034fb44b6e5f608d9b55fd3e3%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C637740245732538979%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Zyx3AtWF8vYJNVa6u1Sbd9p2%2Bx0fa4s2k%2FWqc9wcKuY%3D&reserved=0
Best regards,
Hu Ziji
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Bøe, Sebastian via TF-M Sent: Wednesday, December 1, 2021 9:59 PM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] IPC mode support for Audit log service
Hi,
for PSA Certification level 2 a log of significant security events is required. Which I assume
should be done with the Audit log service.
But the Audit log service does not support IPC mode.
Should PSA Certification level 2 be done with IPC mode or with library mode?
tf-m@lists.trustedfirmware.org