1Trusted Firmware-M Overview
2###########################
3
4`Trusted Firmware-M (TF-M) <https://tf-m-user-guide.trustedfirmware.org/>`__
5is a reference implementation of the Platform Security Architecture (PSA)
6`IoT Security Framework <https://www.psacertified.org/what-is-psa-certified/>`__.
7It defines and implements an architecture and a set of software components
8that aim to address some of the main security concerns in IoT products.
9
10Zephyr RTOS has been PSA Certified since Zephyr 2.0.0 with TF-M 1.0, and
11is currently integrated with TF-M 1.8.0.
12
13What Does TF-M Offer?
14*********************
15
16Through a set of secure services and by design, TF-M provides:
17
18* Isolation of secure and non-secure resources
19* Embedded-appropriate crypto
20* Management of device secrets (keys, etc.)
21* Firmware verification (and encryption)
22* Protected off-chip data storage and retrieval
23* Proof of device identity (device attestation)
24* Audit logging
25
26Build System Integration
27************************
28
29When using TF-M with a supported platform, TF-M will be automatically built and
30link in the background as part of the standard Zephyr build process. This
31build process makes a number of assumptions about how TF-M is being used, and
32has certain implications about what the Zephyr application image can and can
33not do:
34
35* The secure processing environment (secure boot and TF-M) starts first
36* Resource allocation for Zephyr relies on choices made in the secure image.
37
38Architecture Overview
39*********************
40
41A TF-M application will, generally, have the following three parts, from most
42to least trusted, left-to-right, with code execution happening in the same
43order (secure boot > secure image > ns image).
44
45While the secure bootloader is optional, it is enabled by default, and secure
46boot is an important part of providing a secure solution:
47
48::
49
50    +-------------------------------------+           +--------------+
51    | Secure Processing Environment (SPE) |           |     NSPE     |
52    | +----------++---------------------+ |           | +----------+ |
53    | |          ||                     | |           | |          | |
54    | | bl2.bin  ||  tfm_s_signed.bin   | |           | |zephyr.bin| |
55    | |          ||                     | | <- PSA -> | |          | |
56    | |  Secure  || Trusted Firmware-M  | |    APIs   | |  Zephyr  | |
57    | |   Boot   ||   (Secure Image)    | |           | |(NS Image)| |
58    | |          ||                     | |           | |          | |
59    | +----------++---------------------+ |           | +----------+ |
60    +-------------------------------------+           +--------------+
61
62Communication between the (Zephyr) Non-Secure Processing Environment (NSPE) and
63the (TF-M) Secure Processing Environment image happens based on a set of PSA
64APIs, and normally makes use of an IPC mechanism that is included as part of
65the TF-M build, and implemented in Zephyr
66(see :zephyr_file:`modules/trusted-firmware-m/interface`).
67
68Root of Trust (RoT) Architecture
69================================
70
71TF-M is based upon a **Root of Trust (RoT)** architecture. This allows for
72hierarchies of trust from most, to less, to least trusted, providing a sound
73foundation upon which to build or access trusted services and resources.
74
75The benefit of this approach is that less trusted components are prevented from
76accessing or compromising more critical parts of the system, and error
77conditions in less trusted environments won't corrupt more trusted, isolated
78resources.
79
80The following RoT hierarchy is defined for TF-M, from most to least trusted:
81
82* PSA Root of Trust (**PRoT**), which consists of:
83
84  * PSA Immutable Root of Trust: secure boot
85  * PSA Updateable Root of Trust: most trusted secure services
86* Application Root of Trust (**ARoT**): isolated secure services
87
88The **PSA Immutable Root of Trust** is the most trusted piece of code in the
89system, to which subsequent Roots of Trust are anchored. In TF-M, this is the
90secure boot image, which verifies that the secure and non-secure images are
91valid, have not been tampered with, and come from a reliable source. The
92secure bootloader also verifies new images during the firmware update process,
93thanks to the public signing key(s) built into it. As the name implies,
94this image is **immutable**.
95
96The **PSA Updateable Root of Trust** implements the most trusted secure
97services and components in TF-M, such as the Secure Partition Manager (SPM),
98and shared secure services like PSA Crypto, Internal Trusted Storage (ITS),
99etc. Services in the PSA Updateable Root of Trust have access to other
100resources in the same Root of Trust.
101
102The **Application Root of Trust** is a reduced-privilege area in the secure
103processing environment which, depending on the isolation level chosen when
104building TF-M, has limited access to the PRoT, or even other ARoT services at
105the highest isolation levels. Some standard services exist in the ARoT, such as
106Protected Storage (PS), and generally custom secure services that you implement
107should be placed in the ARoT, unless a compelling reason is present to place
108them in the PRoT.
109
110These divisions are distinct from the **untrusted code**, which runs in the
111non-secure environment, and has the least privilege in the system. This is the
112Zephyr application image in this case.
113
114Isolation Levels
115----------------
116
117At present, there are three distinct **isolation levels** defined in TF-M,
118with increasingly rigid boundaries between regions. The isolation level used
119will depend on your security requirements, and the system resources available
120to you.
121
122* **Isolation Level 1** is the lowest isolation level, and the only major
123  boundary is between the secure and non-secure processing environment,
124  usually by means of Arm TrustZone on Armv8-M processors. There is no
125  distinction here between the PSA Updateable Root of Trust (PRoT) and the
126  Application Root of Trust (ARoT). They execute at the same privilege level.
127  This isolation level will lead to the smallest combined application images.
128* **Isolation Level 2** builds upon level one by introducing a distinction
129  between the PSA Updateable Root of Trust and the Application Root of Trust,
130  where ARoT services have limited access to PRoT services, and can only
131  communicate with them through public APIs exposed by the PRoT services.
132  ARoT services, however, are not strictly isolated from one another.
133* **Isolation Level 3** is the highest isolation level, and builds upon level
134  2 by isolating ARoT services from each other, so that each ARoT is
135  essentially silo'ed from other services. This provides the highest level of
136  isolation, but also comes at the cost of additional overhead and code
137  duplication between services.
138
139The current isolation level can be checked via
140:kconfig:option:`CONFIG_TFM_ISOLATION_LEVEL`.
141
142Secure Boot
143===========
144
145The default secure bootloader in TF-M is based on
146`MCUBoot <https://www.mcuboot.com/>`__, and is referred to as ``BL2`` in TF-M
147(for the second-stage bootloader, potentially after a HW-based bootloader on
148the secure MCU, etc.).
149
150All images in TF-M are hashed and signed, with the hash and signature verified
151by MCUBoot during the firmware update process.
152
153Some key features of MCUBoot as used in TF-M are:
154
155* Public signing key(s) are baked into the bootloader
156* S and NS images can be signed using different keys
157* Firmware images can optionally be encrypted
158* Client software is responsible for writing a new image to the secondary slot
159* By default, uses static flash layout of two identically-sized memory regions
160* Optional security counter for rollback protection
161
162When dealing with (optionally) encrypted images:
163
164* Only the payload is encrypted (header, TLVs are plain text)
165* Hashing and signing are applied over the un-encrypted data
166* Uses ``AES-CTR-128`` or ``AES-CTR-256`` for encryption
167* Encryption key randomized every encryption cycle (via ``imgtool``)
168* The ``AES-CTR`` key is included in the image and can be encrypted using:
169
170  * ``RSA-OAEP``
171  * ``AES-KW`` (128 or 256 bits depending on the ``AES-CTR`` key length)
172  * ``ECIES-P256``
173  * ``ECIES-X25519``
174
175Key config properties to control secure boot in Zephyr are:
176
177* :kconfig:option:`CONFIG_TFM_BL2` toggles the bootloader (default = ``y``).
178* :kconfig:option:`CONFIG_TFM_KEY_FILE_S` overrides the secure signing key.
179* :kconfig:option:`CONFIG_TFM_KEY_FILE_NS` overrides the non-secure signing key.
180
181Secure Processing Environment
182=============================
183
184Once the secure bootloader has finished executing, a TF-M based secure image
185will begin execution in the **secure processing environment**. This is where
186our device will be initially configured, and any secure services will be
187initialised.
188
189Note that the starting state of our device is controlled by the secure firmware,
190meaning that when the non-secure Zephyr application starts, peripherals may
191not be in the HW-default reset state. In case of doubts, be sure to consult
192the board support packages in TF-M, available in the ``platform/ext/target/``
193folder of the TF-M module (which is in ``modules/tee/tf-m/trusted-firmware-m/``
194within a default Zephyr west workspace.)
195
196Secure Services
197---------------
198
199As of TF-M 1.8.0, the following secure services are generally available (although vendor support may vary):
200
201* Crypto
202* Firmware Update (FWU)
203* Initial Attestation
204* Platform
205* Secure Storage, which has two parts:
206
207  * Internal Trusted Storage (ITS)
208  * Protected Storage (PS)
209
210A template also exists for creating your own custom services.
211
212For full details on these services, and their exposed APIs, please consult the
213`TF-M Documentation <https://tf-m-user-guide.trustedfirmware.org/>`__.
214
215Key Management and Derivation
216-----------------------------
217
218Key and secret management is a critical part of any secure device. You need to
219ensure that key material is available to regions that require it, but not to
220anything else, and that it is stored securely in a way that makes it difficult
221to tamper with or maliciously access.
222
223The **Internal Trusted Storage** service in TF-M is used by the **PSA Crypto**
224service (which itself makes use of mbedtls) to store keys, and ensure that
225private keys are only ever accessible to the secure processing environment.
226Crypto operations that make use of key material, such as when signing payloads
227or when decrypting sensitive data, all take place via key handles. At no point
228should the key material ever be exposed to the NS environment.
229
230One exception is that private keys can be provisioned into the secure
231processing environment as a one-way operation, such as during a factory
232provisioning process, but even this should be avoided where possible, and a
233request should be made to the SPE (via the PSA Crypto service) to generate a
234new private key itself, and the public key for that can be requested during
235provisioning and logged in the factory. This ensures the private key
236material is never exposed, or even known during the provisioning phase.
237
238TF-M also makes extensive use of the **Hardware Unique Key (HUK)**, which
239every TF-M device must provide. This device-unique key is used by the
240**Protected Storage** service, for example, to encrypt information stored in
241external memory. For example, this ensures that the contents of flash memory
242can't be decrypted if they are removed and placed on a new device, since each
243device has its own unique HUK used while encrypting the memory contents
244the first time.
245
246HUKs provide an additional advantage for developers, in that they can be used
247to derive new keys, and the **derived keys** don't need to be stored since
248they can be regenerated from the HUK at startup, using an additional salt/seed
249value (depending on the key derivation algorithm used). This removes the
250storage issue and a frequent attack vector. The HUK itself it usually highly
251protected in secure devices, and inaccessible directly by users.
252
253``TFM_CRYPTO_ALG_HUK_DERIVATION`` identifies the default key derivation
254algorithm used if a software implementation is used. The current default
255algorithm is ``HKDF`` (RFC 5869) with a SHA-256 hash. Other hardware
256implementations may be available on some platforms.
257
258Non-Secure Processing Environment
259=================================
260
261Zephyr is used for the NSPE, using a board that is supported by TF-M where the
262:kconfig:option:`CONFIG_BUILD_WITH_TFM` flag has been enabled.
263
264Generally, you simply need to select the ``*_ns`` variant of a valid target
265(for example ``mps2_an521_ns``), which will configure your Zephyr application
266to run in the NSPE, correctly build and link it with the TF-M secure images,
267sign the secure and non-secure images, and merge the three binaries into a
268single ``tfm_merged.hex`` file. The :ref:`west flash <west-flashing>` command
269will flash ``tfm_merged.hex`` by default in this configuration.
270
271At present, Zephyr can not be configured to be used as the secure processing
272environment.
273