
TF-M overview

Applicable for STM32MP25x lines

1. Overview of the Trusted Firmware-M project

Trusted Firmware-M (TF-M) is an open-source project managed by the TrustedFirmware group[1].
The software is designed to run in the Secure Processing Environment (SPE) of ARMv8-M microcontrollers, following the PSA Certified guidelines[2].

TF-M uses secure partitions that offer services. They can be isolated from each other according to different isolation levels:

  • Level 1: SPE and NSPE isolation.
  • Level 2: Level 1 + Application Root of Trust (ARoT) protection from NSPE and PSA Root of Trust (PRoT) protection from NSPE and ARoT.
  • Level 3: Level 2 + Secure partition protection from NSPE and other secure partitions. PSA Root of Trust (RoT) domain protection from NSPE and all Secure Partitions.
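To make the three levels concrete, here is an added toy model (not TF-M code) that answers whether one subject may directly touch another subject's assets at a given TFM_ISOLATION_LEVEL; the `Subject` type and the partition names are assumptions, and PSA service requests are always allowed because only direct access is restricted.

```python
"""Toy model of the three TF-M isolation levels (added illustration, not
TF-M code). A subject is either the NSPE or a secure partition living in
the ARoT or PRoT domain. direct_access_allowed() decides whether a caller
may read or write a target's private assets directly; requests made
through the PSA service APIs are not restricted by these rules."""
from dataclasses import dataclass

NSPE, AROT, PROT = "NSPE", "ARoT", "PRoT"   # execution domains


@dataclass(frozen=True)
class Subject:
    name: str      # partition name (constructed for this example)
    domain: str    # NSPE, AROT or PROT


def direct_access_allowed(level: int, caller: Subject, target: Subject) -> bool:
    """True if `caller` may access `target`'s assets directly at the
    given TFM_ISOLATION_LEVEL (1, 2 or 3)."""
    if level not in (1, 2, 3):
        raise ValueError("TFM_ISOLATION_LEVEL must be 1, 2 or 3")
    if caller == target:
        return True
    # Level 1 and above: the whole SPE is protected from the NSPE.
    if caller.domain == NSPE and target.domain != NSPE:
        return False
    # Level 2 and above: the PRoT is additionally protected from the ARoT.
    if level >= 2 and caller.domain == AROT and target.domain == PROT:
        return False
    # Level 3: every secure partition is protected from every other one,
    # and the PRoT domain from all secure partitions.
    if level >= 3 and caller.domain != NSPE and target.domain != NSPE:
        return False
    return True


def isolation_matrix(level: int, subjects):
    """Map (caller, target) name pairs to the access decision at `level`,
    useful when reviewing what a profile's isolation level actually buys."""
    return {(a.name, b.name): direct_access_allowed(level, a, b)
            for a in subjects for b in subjects if a != b}


if __name__ == "__main__":
    ns = Subject("ns_app", NSPE)
    ps = Subject("protected_storage", AROT)   # ARoT partition per this page
    crypto = Subject("crypto", PROT)          # PRoT partition per this page
    for lvl in (1, 2, 3):
        print(lvl, isolation_matrix(lvl, [ns, ps, crypto]))
```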

The default secure partitions that can be isolated from the non-secure environment are:

  • Initial attestation
  • Crypto services
  • Internal trusted storage
  • Firmware update
  • Protected storage

The secure partitions are accessed through the dedicated PSA APIs[3].

1.1. License

TF-M is delivered under a BSD-3-Clause style license and can run secure partitions without restriction on their licensing model. It also includes sub-projects that come with their own dedicated licenses[4].


1.2. Architecture overview

[Architecture overview diagram not reproduced here]

Note: The above image has been created for https://tf-m-user-guide.trustedfirmware.org/

1.3. Software profile

TF-M defines several profiles from which the user selects the targeted security level:

  • Small profile
  • ARoT-less profile
  • Medium profile
  • Large profile

Each profile defines a subset of services embedded in the TF-M software. They are listed in the table below:

Option                                   Base     Small    ARoT-less  Medium   Large
TFM_ISOLATION_LEVEL                      1        1        1          2        3
CONFIG_TFM_SPM_BACKEND                   SFN      SFN      SFN        IPC      IPC
TFM_PARTITION_CRYPTO                     OFF      ON       ON         ON       ON
TFM_PARTITION_INTERNAL_TRUSTED_STORAGE   OFF      ON       ON         ON       ON
TFM_PARTITION_PLATFORM                   OFF      OFF      ON         ON       ON
TFM_PARTITION_PROTECTED_STORAGE          OFF      OFF      OFF        ON       ON
TFM_PARTITION_INITIAL_ATTESTATION        OFF      ON       ON         ON       ON
SYMMETRIC_INITIAL_ATTESTATION            OFF      ON       OFF        OFF      OFF
TFM_PARTITION_FIRMWARE_UPDATE            OFF      OFF      ON         OFF      OFF
PS_CRYPTO_AEAD_ALG                       GCM      -        -          CCM      CCM
PSA_FRAMEWORK_HAS_MM_IOVEC               OFF      ON       OFF        OFF      OFF
MCUBOOT_IMAGE_NUMBER                     1 2 1 2 2 2  (six values listed for five profiles; kept as given, one is likely a footnote marker)

Advanced options, defined in the corresponding header (.h) file
CRYPTO_ENGINE_BUF_SIZE                   0x2080   0x400    0x2080     0x2080   0x2380
CRYPTO_ASYM_SIGN_MODULE_ENABLED          ON       OFF      ON         ON       ON
CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED       ON       OFF      OFF        OFF      ON
CRYPTO_SINGLE_PART_FUNCS_DISABLED        OFF      ON       OFF        OFF      OFF
CRYPTO_CONC_OPER_NUM                     8        4        8          8        8
CONFIG_TFM_CONN_HANDLE_MAX_NUM           8        3        8          8        8
ITS_BUF_SIZE                             2 512 32 32 32 512  (six values listed for five profiles; kept as given, one is likely a footnote marker)

1.4. TF-M Core

The TF-M core is the main part of the software: it manages the secure partition manager, the scheduler and the inter-partition communication mechanism (IPC or SFN).

1.5. Secure boot

Secure boot is driven by the BL2 boot stage.

On the STM32MP2 series, depending on which processor is defined as the main processor on the platform, different flavors of secure boot are available.

1.5.1. Cortex-A main processor

When the Cortex-A is the main processor, secure boot is ensured by the default trusted boot chain.

To complete the secure boot chain and run TF-M in the TrustZone area, TF-M has to be started through the secure coprocessor loading process.

This ensures that TF-M and its associated non-secure part (NSPE) are authenticated and follow the secure boot requirements.


1.6. Secure Partitions

1.6.1. Crypto

The Crypto partition provides the PSA Crypto API[6] implementation in a dedicated RoT secure partition. The implementation is based on Mbed crypto[7].

1.6.2. Firmware update

The firmware update partition implements the PSA Firmware Update API[8]. It provides the features needed to authenticate, verify and install a new image, and to manage the security of the update process.

1.6.3. Initial attestation

The initial attestation partition implements the PSA Attestation API[9]. It provides a verifiable report of the state of the platform.

1.6.4. Internal trusted storage

ITS implements the PSA Secure Storage API[10]. The internal storage is designed to hold the most sensitive and critical assets used by the RoT.

1.6.5. Protected storage

The protected storage partition is a secure partition in the ARoT that implements the PSA Secure Storage API[10] and allows secure data to be stored on external storage.

2. References