diff --git a/doc/nrf/releases_and_maturity/migration/migration_guide_spm_to_tf-m.rst b/doc/nrf/releases_and_maturity/migration/migration_guide_spm_to_tf-m.rst index 6988fb219319..6d3c7fcfc8d0 100644 --- a/doc/nrf/releases_and_maturity/migration/migration_guide_spm_to_tf-m.rst +++ b/doc/nrf/releases_and_maturity/migration/migration_guide_spm_to_tf-m.rst @@ -4,9 +4,9 @@ Migrating from Secure Partition Manager to Trusted Firmware-M ############################################################# The Nordic Secure Partition Manager (SPM) was replaced with Trusted Firmware-M (TF-M) as the default trusted execution solution in the |NCS| v2.1.0. -This change was made to enhance the security features of the SDK by integrating the more widely adopted TF-M that aligns with the Arm Platform Security Architecture (PSA). +This change enhances the security features of the SDK by integrating the more widely adopted TF-M that aligns with the Arm Platform Security Architecture (PSA). -The migration from SPM to TF-M requires changes in the application code and the partition configuration. +Migration from SPM to TF-M requires changes in the application code and the partition configuration. The interface to TF-M is different from the interface to SPM. Due to that, the application code that uses the SPM Secure Services needs to be ported to use TF-M instead. diff --git a/doc/nrf/security/tfm.rst b/doc/nrf/security/tfm.rst index 3e997186d44b..75cd6265868d 100644 --- a/doc/nrf/security/tfm.rst +++ b/doc/nrf/security/tfm.rst 
@@ -333,7 +333,7 @@ For more information about the general features of the TF-M Platform partition, Internal Trusted Storage partition ---------------------------------- -To enable Internal Trusted Storage (ITS) partition, set the :kconfig:option:`CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE` Kconfig option. +To enable the Internal Trusted Storage (ITS) partition, set the :kconfig:option:`CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE` Kconfig option. It implements the PSA Internal Trusted Storage APIs (`PSA Certified Secure Storage API 1.0`_) to achieve confidentiality, authenticity and encryption in rest (optional). ITS is meant to be used by the other TF-M partitions. It must not be accessed directly by the non-secure application. @@ -361,7 +361,7 @@ As long as each file has a unique file ID, the key used for encryption and authe To strengthen data integrity, the metadata of the ITS file (creation flags/size) is used as authenticated data in the encryption process. -The nonce for the AEAD operation is generated by concatenating a random 8-byte seed and an increasing the 4-byte counter. +The nonce for the AEAD operation is generated by concatenating a random 8-byte seed and a increasing 4-byte counter. The random seed is generated once in the boot process and stays the same until reset. .. _tfm_partition_its_sizing: @@ -670,7 +670,8 @@ It implements the PSA Initial Attestation APIs (`PSA Certified Attestation API 1 It allows the device to prove its identity to a remote entity. The :ref:`tfm_psa_template` sample demonstrates how to use the Initial Attestation partition. -The Initial Attestation partition is not enabled by default. Unless you need attestation, it is recommended to keep it disabled. +The Initial Attestation partition is not enabled by default. +Keep it disabled unless you need attestation. For more information about the general features of the TF-M Initial Attestation partition, see `TF-M Attestation`_. 
@@ -687,7 +688,7 @@ The device starts in the **Device Assembly and Test** state. The :ref:`provisioning_image` sample shows how to switch the device from the **Device Assembly and Test** state to the **PRoT Provisioning** state, and how to provision the device with hardware unique keys (HUKs) and an identity key. To switch the device from the **PRoT Provisioning** state to the **Secured** state, set the :kconfig:option:`CONFIG_TFM_NRF_PROVISIONING` Kconfig option for your application. -In the first boot, TF-M ensures that the keys are stored in the Key Management Unit (KMU) and switches the device to the **Secured** state. +On the first boot, TF-M ensures that the keys are stored in the Key Management Unit (KMU) and switches the device to the **Secured** state. The :ref:`tfm_psa_template` sample shows how to achieve this. .. _ug_tfm_manual_VCOM_connection:
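Review bot: in the doc/nrf/security/tfm.rst hunk at @@ -361,7, the added line reads "a random 8-byte seed and a increasing 4-byte counter", which replaces one grammar error with another; it should be "an increasing 4-byte counter". This sentence and the next are the only description of how the AEAD nonce is built, and they say the seed stays the same until reset. Consider also stating what happens if the 4-byte counter is exhausted before a reset, so readers can judge nonce uniqueness from the documentation alone.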
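Review bot: in the doc/nrf/security/tfm.rst hunk at @@ -333,7, the unchanged line directly after the edited sentence still says "encryption in rest (optional)". Since this hunk already corrects the wording of the paragraph, change it to "encryption at rest (optional)" in the same commit. That sentence also lists "confidentiality, authenticity and encryption" as if they were three properties. Encryption is the mechanism that provides the first, so rewording it would make clear what is optional.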