1======================================
2Internal Trusted Storage (ITS) Service
3======================================
4
5:Author: Jamie Fox
6:Organization: Arm Limited
7:Contact: Jamie Fox <jamie.fox@arm.com>
8
9PSA Internal Trusted Storage
10============================
11PSA Internal Trusted Storage (ITS) is a PSA RoT Service for storing the most
12security-critical device data (e.g. cryptographic keys) in internal storage,
13which is trusted to provide data confidentiality and authenticity. This
14contrasts with PSA Protected Storage, which is an Application RoT service that
15allows larger data sets to be stored securely in external flash, with the option
16for encryption, authentication and rollback protection to protect the
17data-at-rest.
18
19Current TF-M Secure Storage
20===========================
21Currently, the TF-M Secure Storage service implements PSA Protected Storage
22version 1.0-beta2. There is not yet an implementation of PSA Internal Trusted
23Storage in TF-M.
24
25New TF-M service
26================
27The proposal is to implement the *PSA Internal Trusted Storage API* with the
28*TF-M Internal Trusted Storage service*. It can be abbreviated to *TF-M ITS
29service* in general and to ``its`` in code. This name has the advantage of
30making clear the correspondence between the service and the API it implements.
31
32If this name is adopted, then it may make sense to rename the *Secure Storage
33service* to the *Protected Storage service* in the future to match. Then "secure
34storage" could refer to the two services as a collective.
35
36The TF-M ITS service will implement PSA ITS version 1.0. It will be provided by
37a separate partition to Protected Storage, for a couple of reasons:
38
39- To permit isolation between the services.
40
41  - ITS is a PSA RoT Service, while Protected Storage is an Application RoT
42    Service.
43
44- To avoid circular dependencies.
45
46  - The PSA Firmware Framework does not permit circular dependencies between
47    partitions, which would occur if Protected Storage and ITS were provided by
48    the same partition. Protected Storage depends on Crypto, which in turn
49    depends on ITS.
50
51The existing SST filesystem will be reused to provide the backend of the
52service, with the flash layer modified to direct storage to internal flash,
53rather than external.
54
55Compared to Protected Storage, encryption, authentication and rollback
56protection are not required, so the SST encrypted object layer and the crypto
57and NV counter interfaces are not required. The rollback protection feature of
58the object table is also not required.
59
60Code structure
61==============
62The code structure of the service will be as follows:
63
64TF-M repo:
65
66``interface/``
67
68- ``include/psa/internal_trusted_storage.h`` - PSA ITS API
69- ``src/tfm_its_api.c`` - PSA ITS API implementation for NSPE
70
71``secure_fw/ns_callable/tfm_veneers.c`` - ITS veneers (auto-generated from
72manifest)
73
74``secure_fw/partitions/internal_trusted_storage/``
75
76- ``tfm_internal_trusted_storage.yaml`` - Partition manifest
77- ``tfm_its_secure_api.c`` - PSA ITS API implementation for SPE
78- ``tfm_its_req_mngr.c`` - Uniform secure functions and IPC request handlers
79- ``tfm_internal_trusted_storage.h`` - TF-M ITS API (with client_id parameter)
80- ``tfm_internal_trusted_storage.c`` - TF-M ITS implementation, using the
81  flash_fs as a backend
82- ``flash_fs/`` - Filesystem
83- ``flash/`` - Flash interface
84
85tf-m-tests repo:
86
87``test/secure_fw/suites/its/``
88
89- ``non_secure/psa_its_ns_interface_testsuite.c`` - Non-secure interface tests
90- ``secure/psa_its_s_interface_testsuite.c`` - Secure interface tests
91
92TF-M ITS implementation
93-----------------------
94The following APIs will be exposed by ``tfm_internal_trusted_storage.h``::
95
96    psa_status_t tfm_its_init(void);
97
98    psa_status_t tfm_its_set(int32_t client_id,
99                             psa_storage_uid_t uid,
100                             size_t data_length,
101                             const void *p_data,
102                             psa_storage_create_flags_t create_flags);
103
104    psa_status_t tfm_its_get(int32_t client_id,
105                             psa_storage_uid_t uid,
106                             size_t data_offset,
107                             size_t data_size,
108                             void *p_data,
109                             size_t *p_data_length);
110
111    psa_status_t tfm_its_get_info(int32_t client_id,
112                                  psa_storage_uid_t uid,
113                                  struct psa_storage_info_t *p_info);
114
115    psa_status_t tfm_its_remove(int32_t client_id,
116                                psa_storage_uid_t uid);
117
118That is, the TF-M ITS APIs will have the same prototypes as the PSA ITS APIs,
119but with the addition of a ``client_id`` parameter, which will be passed from
120the ITS request manager. A ``tfm_its_init`` function will also be present, which
121will be called at initialisation time and not exposed through a veneer or SID.
122
123The implementation in ``tfm_internal_trusted_storage.c`` must validate the
124parameters (excepting memory references, which are validated by the SPM),
125translate the UID and client ID into a file ID and then make appropriate calls
126to the filesystem layer. It must also take care ensure that any PSA Storage
127flags associated with the UID are honoured.
128
129Filesystem
130----------
131The ITS filesystem will be copied and modified from the SST filesystem. The
132modifications required will be to rename symbols from ``sst`` to ``its`` and to
133update the implementation to be aligned with the latest version of the PSA
134Storage spec (which consists mainly of moving to the ``psa_status_t`` error type
135and using common error codes from ``psa/error.h``).
136
137The filesystem will also be modified to align the size of each file stored to
138the alignment requirement exposed by the flash interface, by adding appropriate
139padding.
140
141The filesystem code will be de-duplicated again once the ITS service is
142implemented (see below).
143
144Flash layer
145-----------
146The flash layer will be copied from SST, and modified to direct writes to the
147internal flash device. It too needs to be updated to use ``psa_status_t`` error
148types.
149
150Platform layer
151--------------
152The TF-M platform layer must be be updated to distinguish between the external
153flash device used for Protected Storage and internal flash device used for ITS.
154A flash region for the relevant storage service needs to be allocated in each.
155
156On test platforms these may just be two distinct regions of the same flash
157device, but in general they will separate devices with their own drivers.
158
159Detailed design considerations
160==============================
161
162Mapping UID onto file ID
163------------------------
164The ITS APIs identify assets with 64-bit UIDs, to which the ITS service must
165append the 32-bit client ID of the calling partition for access control. The
166existing filesystem uses 32-bit file IDs to identify files, so some mapping
167would be required to convert between the identifiers.
168
169SST uses the object table to do the mapping from client ID, UID pairs to file
170IDs, which means making an extra filesystem read/write for each get/set
171operation. This mapping has minimal overhead for SST though, because object
172table lookups are already required for rollback protection.
173
174For ITS, no rollback protection feature is required, so there are two options:
175
176- Keep a simplified version of the SST object table that just maps from
177  (client ID, UID) to file ID
178
179- Modify the filesystem to take (at least) 96-bit file IDs, in the form of a
180  fixed-length char buffer.
181
182The advantage of the former is that it would require no extra modification to
183the existing filesystem code, and the existing SST object table could be cut
184down for ITS. However, it would mean that every ITS request would invoke twice
185the number of filesystem operations, increasing latency and flash wear. The code
186size of the ITS partition would be increased, as would RAM usage as the table
187would need to be read into RAM.
188
189The latter option would make the filesystem slightly more complex: the size of a
190metadata entry would be increased by 64-bits and the 96-bit fids would need to
191be copied and compared with ``memcpy`` and ``memcmp`` calls. On the other hand,
192mapping onto file IDs would incur only the cost of copying the UID and client ID
193values into the file ID buffer.
194
195A third, even more general, solution would be to use arbitrary-length
196null-terminated strings as the file IDs. This is the standard solution in
197full-featured filesystems, but we do not currently require this level of
198complexity in secure storage.
199
200With this in mind, the proposed option is the second.
201
202Storing create flags
203--------------------
204The ITS APIs provide a 32-bit ``create_flags`` parameter, which contains bit
205flags that determine the properties of the stored data. Only one flag is
206currently defined for ITS: ``PSA_STORAGE_FLAG_WRITE_ONCE``, which prevents a UID
207from being modified or deleted after it is set for the first time.
208
209There are two places that these flags could be stored: in the file data or as
210part of the file metadata.
211
212For the first option, the ITS implementation would need to copy to the flags
213into the buffer containing the data, and adjust the size accordingly, for each
214set operation, and the reverse for each get. Every get_info operation would need
215to read some of the file data, rather than just the metadata, implying a second
216flash read. A potential downside is that many of the cryptographic assets stored
217in ITS will be aligned to power-of-two sizes; adding an extra 32-bits would
218misalign the size, which may reduce flash performance or necessitate adding
219padding to align to the flash page size.
220
221To implement the second option, a 32-bit ``flag`` field would be added to the
222filesystem's metadata structure, whose interpretation is defined by the user.
223This field would clearly be catered towards the PSA Storage APIs, even if
224nominally generic, and alternative filesystems may not have any such field.
225However, it is a more intuitive solution and would simplify both flash alignment
226and get_info operations.
227
228Overall, it seems more beneficial to store the flags in the metadata, so this is
229the proposed solution.
230
231Code sharing between Protected Storage and ITS
232----------------------------------------------
233To de-duplicate the filesystem code used by both Protected Storage and ITS, it
234is proposed that Protected Storage calls ITS APIs as its backend filesystem.
235
236Protected Storage essentially becomes an encryption, authentication and rollback
237protection layer on top of ITS. It makes IPC requests or secure function calls
238to the ITS service to do filesystem operations on its behalf.
239
240This has a couple of advantages:
241
242- It shrinks Protected Storage's stack size, because the filesystem and flash
243  layer stack is only in ITS.
244
245- It automatically solves the problem of ensuring mutual exclusion in the
246  filesystem and flash layers when Protected Storage and ITS are called
247  concurrently. The second request to ITS will just be made to wait by the SPM.
248
249The disadvantage of this approach is that it will increase the latency of
250Protected Storage requests, due to the extra overhead associated with making a
251second IPC request or secure function call. It also limits Protected Storage to
252using only the ITS APIs, unless extra veneers are added solely for Protected
253Storage to use. This, for example, prevents Protected Storage from doing partial
254writes to file without reading and re-writing the whole file.
255
256ITS will need to be modified to direct calls from Protected Storage to a
257different flash device. It can use the client ID to detect when the caller is
258Protected Storage, and pass down the identity of the flash device to use to the
259flash layer, which then calls the appropriate driver.
260
261An open question is what to do if Protected Storage itself wants to store
262something in internal storage in the future (e.g. rollback counters, hash
263tree/table or top hash). A couple of possible solutions would be:
264
265- Divide up the UIDs, so certain UIDs from Protected Storage refer to assets in
266  internal storage, and others to ones in external storage.
267
268- Use the ``type`` field of ``psa_call`` in IPC model to distinguish between
269  internal and external storage requests.
270
271The other option for code sharing would be for Protected Storage and ITS to
272directly share filesystem code, which would be placed in a shared code region.
273With this approach, mutual exclusion to the flash device would need to be
274implemented separately, as would some way of isolating static memory belonging
275to each partition but not the code. Because of these complications, this option
276has not been considered further at this time.
277
278--------------
279
280*Copyright (c) 2019-2022, Arm Limited. All rights reserved.*
281