overview.rst - OpenGrok cross reference for /Zephyr-latest/doc/services/tfm/overview.rst

Lines Matching refs:secure
16 Through a set of secure services and by design, TF-M provides:
18 * Isolation of secure and non-secure resources
35 * The secure processing environment (secure boot and TF-M) starts first
36 * Resource allocation for Zephyr relies on choices made in the secure image.
43 order (secure boot > secure image > ns image).
45 While the secure bootloader is optional, it is enabled by default, and secure
46 boot is an important part of providing a secure solution:
84   * PSA Immutable Root of Trust: secure boot
85   * PSA Updateable Root of Trust: most trusted secure services
86 * Application Root of Trust (**ARoT**): isolated secure services
90 secure boot image, which verifies that the secure and non-secure images are
92 secure bootloader also verifies new images during the firmware update process,
96 The **PSA Updateable Root of Trust** implements the most trusted secure
98 and shared secure services like PSA Crypto, Internal Trusted Storage (ITS),
102 The **Application Root of Trust** is a reduced-privilege area in the secure
106 Protected Storage (PS), and generally custom secure services that you implement
111 non-secure environment, and has the least privilege in the system. This is the
123   boundary is between the secure and non-secure processing environment,
145 The default secure bootloader in TF-M is based on
148 the secure MCU, etc.).
175 Key config properties to control secure boot in Zephyr are:
178 * :kconfig:option:`CONFIG_TFM_KEY_FILE_S` overrides the secure signing key.
179 * :kconfig:option:`CONFIG_TFM_KEY_FILE_NS` overrides the non-secure signing key.
184 Once the secure bootloader has finished executing, a TF-M based secure image
185 will begin execution in the **secure processing environment**. This is where
186 our device will be initially configured, and any secure services will be
189 Note that the starting state of our device is controlled by the secure firmware,
190 meaning that when the non-secure Zephyr application starts, peripherals may
199 As of TF-M 1.8.0, the following secure services are generally available (although vendor support ma…
218 Key and secret management is a critical part of any secure device. You need to
225 private keys are only ever accessible to the secure processing environment.
230 One exception is that private keys can be provisioned into the secure
251 protected in secure devices, and inaccessible directly by users.
266 to run in the NSPE, correctly build and link it with the TF-M secure images,
267 sign the secure and non-secure images, and merge the three binaries into a
271 At present, Zephyr can not be configured to be used as the secure processing