|
1 | 1 | ## Mbed PSA |
2 | 2 |
|
3 | | -### Terms and Abbreviations |
| 3 | +### Terms and abbreviations |
4 | 4 |
|
5 | 5 | | Term | Meaning | |
6 | 6 | |--------------|-------------------------------------| |
|
12 | 12 | | SPE | Secure Processing Environment | |
13 | 13 | | SPM | Secure Partition Manager | |
14 | 14 |
|
15 | | - |
16 | 15 | ### Overview |
17 | | -Mbed PSA provides essential root of trust services and infrastructure for developing robust IoT applications. |
18 | 16 |
|
19 | | -When Mbed OS is running on PSA Security Model compliant target, Mbed PSA helps to protect cryptographic assets, credentials, and critical code sections by providing an isolation between a Secure Processing Environment (SPE) and a Non-Secure Processing Environment (NSPE). The isolation is managed by the Secure Partition Manager (SPM) which utilizes unique hardware features available on the target. The SPM provides standardized IPC APIs which abstract the fact that partitions could be living inside a virtualized environment (v8M, TEE on Cortex-A), or inside another chip. |
| 17 | +Mbed PSA provides root of trust services and infrastructure for developing IoT applications. |
| 18 | + |
| 19 | +When Mbed OS is running on a PSA Security Model compliant target, Mbed PSA helps to protect cryptographic assets, credentials and critical code sections by providing an isolation between a Secure Processing Environment (SPE) and a Non-Secure Processing Environment (NSPE). The Secure Partition Manager (SPM), which uses the target's hardware features, manages the isolation. The SPM provides standardized IPC APIs that abstract the fact that partitions could be living inside a virtualized environment (v8M, TEE on Cortex-A) or inside another chip. |
20 | 20 |
|
21 | | -Mbed PSA bridges the differences between PSA platforms and Non-PSA platforms for application developers, allowing them to use the same standard PSA APIs on both platform types. |
22 | | -Mbed PSA provides PSA API compliance for developing robust IoT applications and |
23 | | -allows to choose platform type at later phase according to final application threat model. |
| 21 | +Mbed PSA bridges the differences between PSA platforms and non-PSA platforms for application developers, allowing them to use the same standard PSA APIs on both platform types. |
24 | 22 |
|
25 | | - |
| 23 | +Mbed PSA allows you to choose the platform type at later phase according to the final application threat model. |
26 | 24 |
|
27 | | -### Secure Partition Manager (SPM) |
| 25 | +<span class="images"><span>PSA diagram</span></span> |
28 | 26 |
|
29 | | -The **Secure Partition Manager (SPM)** is a PSA compliant software hypervisor that creates and manages independent Secure Partitions on Arm Cortex®-M microcontrollers. It increases resilience against malware and protects secrets from leaking between different modules in the same application. The SPM complements other important security features, such as safe firmware updates and secure crypto libraries. |
| 27 | +### SPM |
| 28 | + |
| 29 | +The SPM is a PSA-compliant software hypervisor that creates and manages independent secure partitions on Arm Cortex®-M microcontrollers. It increases resilience against malware and protects secrets from leaking between different modules in the same application. The SPM complements other important security features, such as safe firmware updates and secure crypto libraries. |
30 | 30 |
|
31 | 31 | The SPM provides hardware-enforced partitions for individual code blocks by limiting access to memories and peripherals using the existing hardware security features of the Cortex®-M microcontrollers. It isolates software in partitions, managing the execution of software within those partitions and providing IPC between the partitions. Correct use of SPM prevents malware from becoming resident on the device and enables protection of device secrets, such as cryptographic keys. |
32 | 32 |
|
33 | | -#### Isolating partitions in the Secure Processing Environment |
| 33 | +#### Isolating partitions in the SPE |
34 | 34 |
|
35 | | -The SPM and the secure partitions are located in the Secure Processing Environment (SPE), isolating them from the Non-Secure Processing Environment (NSPE), which contains the application firmware, OS kernel and libraries, and other nonsecure hardware resources. |
| 35 | +The SPM and the secure partitions are located in the SPE, isolating them from the NSPE, which contains the application firmware, OS kernel and libraries and other nonsecure hardware resources. |
36 | 36 |
|
37 | 37 | A secure partition is a container for one or more root of trust services, and a platform may have multiple secure partitions. Secure partitions provide the execution environment for security functionality. |
38 | 38 |
|
39 | | -Platform hardware, such as the Security Attribution Unit (SAU) and Memory Protection Unit (MPU) in the new ARMv8-M platforms, enforces the separation of partitions. Other platforms may use different mechanisms to provide equivalent isolation for the partitions. |
| 39 | +Platform hardware, such as the Security Attribution Unit (SAU) and Memory Protection Unit (MPU) in the ARMv8-M platforms, enforces the separation of partitions. Other platforms may use different mechanisms to provide equivalent isolation for the partitions. |
40 | 40 |
|
41 | 41 | ### Platform types |
| 42 | + |
42 | 43 | Mbed PSA supports the following platform types: |
43 | | -- Non PSA platform: These are single core ARMv7-M targets. |
44 | | -On these targets Mbed PSA provides the same PSA services exposing PSA APIs as it would on PSA targets. |
45 | | -PSA emulation layer allows seamless software portability to more security oriented targets. |
46 | | -- Asymmetric Multiprocessing (AMP) systems: Multi core ARMv7-M targets (for example, PSoC6 featuring CM4 and CM0+ cores). |
47 | | -On these targets one of the cores is dedicated to PSA usage only and implements SPE. |
48 | | -Mbed PSA provides PSA APIs proxy implementation on non-secure core, which redirects execution to the SPE. |
49 | | -- ARMv8-M: New generation of ARM processors featuring TrustZone-M architecture. |
50 | | -PSA support for this platforms is in final stages of development and will be added to the list of Mbed PSA supported platforms shortly. |
51 | 44 |
|
52 | | -### Mbed PSA RoT Services |
| 45 | +- Non-PSA platform: These are single core ARMv7-M targets. On these targets, Mbed PSA provides the same PSA services exposing PSA APIs as it would on PSA targets. The PSA emulation layer allows seamless software portability to more security-oriented targets. |
| 46 | + |
| 47 | +- Asymmetric Multiprocessing (AMP) systems: Multicore ARMv7-M targets (for example, PSoC6 featuring CM4 and CM0+ cores). On these targets, one of the cores is dedicated to PSA use only and implements SPE. Mbed PSA provides PSA API proxy implementation on a nonsecure core, which redirects execution to the SPE. |
| 48 | + |
| 49 | +- ARMv8-M: Generation of ARM processors featuring TrustZone-M architecture. PSA support for this platforms is in final stages of development and will be added to the list of Mbed PSA supported platforms shortly. |
| 50 | + |
| 51 | +### Mbed PSA RoT services |
53 | 52 |
|
54 | 53 | Mbed PSA provides the following services: |
55 | | -- PSA RoT internal storage |
56 | | -- PSA Crypto APIs |
| 54 | + |
| 55 | +- PSA RoT internal storage. |
| 56 | +- PSA Crypto APIs. |
0 commit comments