1Trusted Firmware-M Overview 2########################### 3 4`Trusted Firmware-M (TF-M) <https://tf-m-user-guide.trustedfirmware.org/>`__ 5is a reference implementation of the Platform Security Architecture (PSA) 6`IoT Security Framework <https://www.psacertified.org/what-is-psa-certified/>`__. 7It defines and implements an architecture and a set of software components 8that aim to address some of the main security concerns in IoT products. 9 10Zephyr RTOS has been PSA Certified since Zephyr 2.0.0 with TF-M 1.0, and 11is currently integrated with TF-M 2.1.0. 12 13What Does TF-M Offer? 14********************* 15 16Through a set of secure services and by design, TF-M provides: 17 18* Isolation of secure and non-secure resources 19* Embedded-appropriate crypto 20* Management of device secrets (keys, etc.) 21* Firmware verification (and encryption) 22* Protected off-chip data storage and retrieval 23* Proof of device identity (device attestation) 24* Audit logging 25 26Build System Integration 27************************ 28 29When using TF-M with a supported platform, TF-M will be automatically built and 30link in the background as part of the standard Zephyr build process. This 31build process makes a number of assumptions about how TF-M is being used, and 32has certain implications about what the Zephyr application image can and can 33not do: 34 35* The secure processing environment (secure boot and TF-M) starts first 36* Resource allocation for Zephyr relies on choices made in the secure image. 37 38Architecture Overview 39********************* 40 41A TF-M application will, generally, have the following three parts, from most 42to least trusted, left-to-right, with code execution happening in the same 43order (secure boot > secure image > ns image). 44 45While the secure bootloader is optional, it is enabled by default, and secure 46boot is an important part of providing a secure solution: 47 48:: 49 50 +-------------------------------------+ +--------------+ 51 | Secure Processing Environment (SPE) | | NSPE | 52 | +----------++---------------------+ | | +----------+ | 53 | | || | | | | | | 54 | | bl2.bin || tfm_s_signed.bin | | | |zephyr.bin| | 55 | | || | | <- PSA -> | | | | 56 | | Secure || Trusted Firmware-M | | APIs | | Zephyr | | 57 | | Boot || (Secure Image) | | | |(NS Image)| | 58 | | || | | | | | | 59 | +----------++---------------------+ | | +----------+ | 60 +-------------------------------------+ +--------------+ 61 62Communication between the (Zephyr) Non-Secure Processing Environment (NSPE) and 63the (TF-M) Secure Processing Environment image happens based on a set of PSA 64APIs, and normally makes use of an IPC mechanism that is included as part of 65the TF-M build, and implemented in Zephyr 66(see :zephyr_file:`modules/trusted-firmware-m/interface`). 67 68Root of Trust (RoT) Architecture 69================================ 70 71TF-M is based upon a **Root of Trust (RoT)** architecture. This allows for 72hierarchies of trust from most, to less, to least trusted, providing a sound 73foundation upon which to build or access trusted services and resources. 74 75The benefit of this approach is that less trusted components are prevented from 76accessing or compromising more critical parts of the system, and error 77conditions in less trusted environments won't corrupt more trusted, isolated 78resources. 79 80The following RoT hierarchy is defined for TF-M, from most to least trusted: 81 82* PSA Root of Trust (**PRoT**), which consists of: 83 84 * PSA Immutable Root of Trust: secure boot 85 * PSA Updateable Root of Trust: most trusted secure services 86* Application Root of Trust (**ARoT**): isolated secure services 87 88The **PSA Immutable Root of Trust** is the most trusted piece of code in the 89system, to which subsequent Roots of Trust are anchored. In TF-M, this is the 90secure boot image, which verifies that the secure and non-secure images are 91valid, have not been tampered with, and come from a reliable source. The 92secure bootloader also verifies new images during the firmware update process, 93thanks to the public signing key(s) built into it. As the name implies, 94this image is **immutable**. 95 96The **PSA Updateable Root of Trust** implements the most trusted secure 97services and components in TF-M, such as the Secure Partition Manager (SPM), 98and shared secure services like PSA Crypto, Internal Trusted Storage (ITS), 99etc. Services in the PSA Updateable Root of Trust have access to other 100resources in the same Root of Trust. 101 102The **Application Root of Trust** is a reduced-privilege area in the secure 103processing environment which, depending on the isolation level chosen when 104building TF-M, has limited access to the PRoT, or even other ARoT services at 105the highest isolation levels. Some standard services exist in the ARoT, such as 106Protected Storage (PS), and generally custom secure services that you implement 107should be placed in the ARoT, unless a compelling reason is present to place 108them in the PRoT. 109 110These divisions are distinct from the **untrusted code**, which runs in the 111non-secure environment, and has the least privilege in the system. This is the 112Zephyr application image in this case. 113 114Isolation Levels 115---------------- 116 117At present, there are three distinct **isolation levels** defined in TF-M, 118with increasingly rigid boundaries between regions. The isolation level used 119will depend on your security requirements, and the system resources available 120to you. 121 122* **Isolation Level 1** is the lowest isolation level, and the only major 123 boundary is between the secure and non-secure processing environment, 124 usually by means of Arm TrustZone on Armv8-M processors. There is no 125 distinction here between the PSA Updateable Root of Trust (PRoT) and the 126 Application Root of Trust (ARoT). They execute at the same privilege level. 127 This isolation level will lead to the smallest combined application images. 128* **Isolation Level 2** builds upon level one by introducing a distinction 129 between the PSA Updateable Root of Trust and the Application Root of Trust, 130 where ARoT services have limited access to PRoT services, and can only 131 communicate with them through public APIs exposed by the PRoT services. 132 ARoT services, however, are not strictly isolated from one another. 133* **Isolation Level 3** is the highest isolation level, and builds upon level 134 2 by isolating ARoT services from each other, so that each ARoT is 135 essentially silo'ed from other services. This provides the highest level of 136 isolation, but also comes at the cost of additional overhead and code 137 duplication between services. 138 139The current isolation level can be checked via 140:kconfig:option:`CONFIG_TFM_ISOLATION_LEVEL`. 141 142Secure Boot 143=========== 144 145The default secure bootloader in TF-M is based on 146`MCUBoot <https://www.mcuboot.com/>`__, and is referred to as ``BL2`` in TF-M 147(for the second-stage bootloader, potentially after a HW-based bootloader on 148the secure MCU, etc.). 149 150All images in TF-M are hashed and signed, with the hash and signature verified 151by MCUBoot during the firmware update process. 152 153Some key features of MCUBoot as used in TF-M are: 154 155* Public signing key(s) are baked into the bootloader 156* S and NS images can be signed using different keys 157* Firmware images can optionally be encrypted 158* Client software is responsible for writing a new image to the secondary slot 159* By default, uses static flash layout of two identically-sized memory regions 160* Optional security counter for rollback protection 161 162When dealing with (optionally) encrypted images: 163 164* Only the payload is encrypted (header, TLVs are plain text) 165* Hashing and signing are applied over the un-encrypted data 166* Uses ``AES-CTR-128`` or ``AES-CTR-256`` for encryption 167* Encryption key randomized every encryption cycle (via ``imgtool``) 168* The ``AES-CTR`` key is included in the image and can be encrypted using: 169 170 * ``RSA-OAEP`` 171 * ``AES-KW`` (128 or 256 bits depending on the ``AES-CTR`` key length) 172 * ``ECIES-P256`` 173 * ``ECIES-X25519`` 174 175Key config properties to control secure boot in Zephyr are: 176 177* :kconfig:option:`CONFIG_TFM_BL2` toggles the bootloader (default = ``y``). 178* :kconfig:option:`CONFIG_TFM_KEY_FILE_S` overrides the secure signing key. 179* :kconfig:option:`CONFIG_TFM_KEY_FILE_NS` overrides the non-secure signing key. 180 181Secure Processing Environment 182============================= 183 184Once the secure bootloader has finished executing, a TF-M based secure image 185will begin execution in the **secure processing environment**. This is where 186our device will be initially configured, and any secure services will be 187initialised. 188 189Note that the starting state of our device is controlled by the secure firmware, 190meaning that when the non-secure Zephyr application starts, peripherals may 191not be in the HW-default reset state. In case of doubts, be sure to consult 192the board support packages in TF-M, available in the ``platform/ext/target/`` 193folder of the TF-M module (which is in ``modules/tee/tf-m/trusted-firmware-m/`` 194within a default Zephyr west workspace.) 195 196Secure Services 197--------------- 198 199As of TF-M 1.8.0, the following secure services are generally available (although vendor support may vary): 200 201* Crypto 202* Firmware Update (FWU) 203* Initial Attestation 204* Platform 205* Secure Storage, which has two parts: 206 207 * Internal Trusted Storage (ITS) 208 * Protected Storage (PS) 209 210A template also exists for creating your own custom services. 211 212For full details on these services, and their exposed APIs, please consult the 213`TF-M Documentation <https://tf-m-user-guide.trustedfirmware.org/>`__. 214 215Key Management and Derivation 216----------------------------- 217 218Key and secret management is a critical part of any secure device. You need to 219ensure that key material is available to regions that require it, but not to 220anything else, and that it is stored securely in a way that makes it difficult 221to tamper with or maliciously access. 222 223The **Internal Trusted Storage** service in TF-M is used by the **PSA Crypto** 224service (which itself makes use of mbedtls) to store keys, and ensure that 225private keys are only ever accessible to the secure processing environment. 226Crypto operations that make use of key material, such as when signing payloads 227or when decrypting sensitive data, all take place via key handles. At no point 228should the key material ever be exposed to the NS environment. 229 230One exception is that private keys can be provisioned into the secure 231processing environment as a one-way operation, such as during a factory 232provisioning process, but even this should be avoided where possible, and a 233request should be made to the SPE (via the PSA Crypto service) to generate a 234new private key itself, and the public key for that can be requested during 235provisioning and logged in the factory. This ensures the private key 236material is never exposed, or even known during the provisioning phase. 237 238TF-M also makes extensive use of the **Hardware Unique Key (HUK)**, which 239every TF-M device must provide. This device-unique key is used by the 240**Protected Storage** service, for example, to encrypt information stored in 241external memory. For example, this ensures that the contents of flash memory 242can't be decrypted if they are removed and placed on a new device, since each 243device has its own unique HUK used while encrypting the memory contents 244the first time. 245 246HUKs provide an additional advantage for developers, in that they can be used 247to derive new keys, and the **derived keys** don't need to be stored since 248they can be regenerated from the HUK at startup, using an additional salt/seed 249value (depending on the key derivation algorithm used). This removes the 250storage issue and a frequent attack vector. The HUK itself it usually highly 251protected in secure devices, and inaccessible directly by users. 252 253``TFM_CRYPTO_ALG_HUK_DERIVATION`` identifies the default key derivation 254algorithm used if a software implementation is used. The current default 255algorithm is ``HKDF`` (RFC 5869) with a SHA-256 hash. Other hardware 256implementations may be available on some platforms. 257 258Non-Secure Processing Environment 259================================= 260 261Zephyr is used for the NSPE, using a board that is supported by TF-M where the 262:kconfig:option:`CONFIG_BUILD_WITH_TFM` flag has been enabled. 263 264Generally, you simply need to select the ``*/ns`` board target of a valid board 265(for example ``mps2/an521/cpu0/ns``), which will configure your Zephyr application 266to run in the NSPE, correctly build and link it with the TF-M secure images, 267sign the secure and non-secure images, and merge the three binaries into a 268single ``tfm_merged.hex`` file. The :ref:`west flash <west-flashing>` command 269will flash ``tfm_merged.hex`` by default in this configuration. 270 271At present, Zephyr can not be configured to be used as the secure processing 272environment. 273