Hi Brian,

The pre-provisioned keys are highly platform dependent. TF-M just provide an API to access them, but currently we have no standard/general solution to storing them.

There was question a few weeks ago related to same topic. I just copied Shebu's past answer here:

"Provisioning was added as a future roadmap item in anticipation of a PSA Provisioning Specification. The Specification (Factory or application specific) hasn't happened so far. There is no active work ongoing in TF-M around provisioning. TF-M using provisioned keys in CC-312 on MuscaB1 platform is available as an example. See details herehttps://ci.trustedfirmware.org/job/tf-m-build-test-nightly/lastSuccessfulBuild/artifact/build-docs/tf-m_documents/install/doc/user_guide/html/platform/ext/readme.html under CC312 heading.

In TrustedFirmware TSC, provisioning has been a discussion topic sometime back. Search for provisioning in the minutes below. https://github.com/microbuilder/certificate_chains/blob/master/rfc_tfm.md is an RFC that Kevin prepared during those discussions for TF-M devices to use certificate chain. "

I hope this helps!

Tamas

From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Ken Liu via TF-M Sent: 27 May 2020 03:41 To: tf-m@lists.trustedfirmware.org; Quach, Brian brian@ti.com Cc: nd nd@arm.com Subject: [TF-M] FW: Pre-provisioned keys

Hi Folks,

Brian got one question about pre-provisioned keys, anyone could reply?

Hi Brian, you can subscribe the mailing list here: https://lists.trustedfirmware.org/mailman/listinfo/tf-m

Thanks.

/Ken

From: Quach, Brian <brian@ti.commailto:brian@ti.com> Sent: Wednesday, May 27, 2020 6:36 AM Subject: Pre-provisioned keys

Hi Ken,

Does TF-M have a plan for storing and accessing persistent keys (such as HUK) installed to flash at the factory prior to provisioning of the device? I had seen these as being stored outside of ITS flash in some compile time defined location and being read-only.

Regards, Brian