doc: tfm: add overview of PSA Certified API #20863
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
doc-required
greg-fer
force-pushed
the
doc_move_psa_cert_api_blog
branch
from
36d962b to
ca23bbf
Compare
github-actions
bot
removed
the
changelog-entry-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:more detailsGithub labels
List of changed files detected by CI (0)Outputs:ToolchainVersion: Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
greg-fer
force-pushed
the
doc_move_psa_cert_api_blog
branch
from
ca23bbf to
9776fc9
Compare
|
You can find the documentation preview for this PR here. Preview links for modified nRF Connect SDK documents: https://ncsdoc.z6.web.core.windows.net/PR-20863/nrf/releases_and_maturity/releases/release-notes-changelog.html |
|
|
||
| Internal Trusted Storage is only available internally. | ||
|
|
||
| For Nordic SoCs without an SPU, the PSA Secure Storage API will save data in regular flash storage. |
There was a problem hiding this comment.
This sentence should not mention the SPU, but be more generic.
Also, it should link to the Trusted Storage docs, as those are used for devices that does not have HW to secure the storage.
|
|
||
| For Nordic SoCs without an SPU, the PSA Secure Storage API will save data in regular flash storage. | ||
|
|
||
| To store sensitive user information in an external flash, it is recommended to use the Protected Storage API. |
There was a problem hiding this comment.
Can we double check if Protected Storage actually supports External flash?
| PSA Attestation API in the |NCS| | ||
| ================================ | ||
|
|
||
| See the :ref:`TF-M PSA template <tfm_psa_template>` for reference implementation of the PSA Attestation API in the |NCS|. |
There was a problem hiding this comment.
For later:
Once we have a recommended path for partitioning and such for the nRF54L15, we should update these docs to reflect that.
| Instead, other options are available for the immutable bootloader and the upgradable bootloader. | ||
| See :ref:`app_bootloaders` for more information on available bootloaders. | ||
|
|
||
| The bootloaders supported in the |NCS| fulfill requirements by PSA Certified, and several of our devices are already among `PSA Certified Products`_. |
There was a problem hiding this comment.
I suggest we link to https://www.nordicsemi.com/Products/Technologies/Security instead
greg-fer
force-pushed
the
doc_move_psa_cert_api_blog
branch
from
9776fc9 to
f33908b
Compare
peknis
requested changes
Mar 14, 2025
doc/nrf/security/tfm/index.rst
Outdated
| * Implement the trusted components and firmware, making use of high-level APIs to build-in security and create an interface to the hardware Root of Trust (RoT). | ||
| * Certify device, platform, or silicon by following independent security evaluation. | ||
| Trusted Firmware-M (TF-M) is the reference implementation of PSA, which follows `PSA Certified IoT Security Framework`_ for securing connected devices. | ||
| You can read more about the framework on the :ref:`ug_psa_certified_api_overview` page. |
There was a problem hiding this comment.
Suggested change
| You can read more about the framework on the :ref:`ug_psa_certified_api_overview` page. | |
| For more information about the framework, see the :ref:`ug_psa_certified_api_overview` page. |
| * Implement the trusted components and firmware, making use of high-level APIs to build-in security and create an interface to the hardware Root of Trust (RoT). | ||
| * Certify device, platform, or silicon by following independent security evaluation. | ||
|
|
||
| This page focuses on the implementation step (specifically the `PSA Certified APIs`_), which establishes a separation between security-critical firmware and application firmware. |
There was a problem hiding this comment.
Suggested change
| This page focuses on the implementation step (specifically the `PSA Certified APIs`_), which establishes a separation between security-critical firmware and application firmware. | |
| This page focuses on the implementation step (specifically the `PSA Certified APIs`_) that establishes the separation between security-critical firmware and application firmware. |
| * `PSA Certified Attestation API`_ | ||
| * `PSA Certified Firmware Update API`_ | ||
|
|
||
| Using the PSA Certified APIs has numerous benefits: |
There was a problem hiding this comment.
Suggested change
| Using the PSA Certified APIs has numerous benefits: | |
| Using the PSA Certified APIs has the following benefits: |
| Using the PSA Certified APIs has numerous benefits: | ||
|
|
||
| * Enhanced security - PSA Certified APIs enable devices to meet industry-standard security requirements and enhance the overall trustworthiness of IoT devices. | ||
| * Implementation agnostic - By using PSA Certified APIs, developers don't need to be concerned about the underlying hardware and software implementation. |
There was a problem hiding this comment.
Suggested change
| * Implementation agnostic - By using PSA Certified APIs, developers don't need to be concerned about the underlying hardware and software implementation. | |
| * Implementation agnostic - When using PSA Certified APIs, developers do not need to be concerned about the underlying hardware and software implementation. |
| * Implementation agnostic - By using PSA Certified APIs, developers don't need to be concerned about the underlying hardware and software implementation. | ||
| * Reduce time-to-market - Using an API standard can accelerate development time and reduce costs associated with developing, testing, and certifying custom solutions. | ||
| * Flexible and scalable - The various use cases supported ensure that the PSA Certified APIs can be used across multiple devices, from very simple ones to more complex systems. | ||
| * Future-proof - PSA Certified APIs are designed to be updated over time as security threats evolve, ensuring devices remain secure throughout their lifecycle. |
There was a problem hiding this comment.
Suggested change
| * Future-proof - PSA Certified APIs are designed to be updated over time as security threats evolve, ensuring devices remain secure throughout their lifecycle. | |
| * Future-proof - PSA Certified APIs are designed to be updated over time as security threats evolve, ensuring that devices remain secure throughout their lifecycle. |
| ======================================================= | ||
|
|
||
| SoCs from Nordic Semiconductor that come with dedicated hardware components for security (such as `nRF9160's System Protection Unit <nRF9160 System Protection Unit_>`_ or :ref:`nRF54L Series' security components <nRF54L15 Security_>`_) have the functionality for `flash <nRF9160 flash access control_>`_ (on nRF9160) or `feature <nRF54L15 feature access control_>`_ access control, making it possible to configure different features as secure. | ||
| Internal Trusted Storage and Protected Storage will save data to the sections of secure flash. |
There was a problem hiding this comment.
Suggested change
| Internal Trusted Storage and Protected Storage will save data to the sections of secure flash. | |
| Internal Trusted Storage and Protected Storage saves data to the sections of secure flash. |
|
|
||
| SoCs from Nordic Semiconductor that come with dedicated hardware components for security (such as `nRF9160's System Protection Unit <nRF9160 System Protection Unit_>`_ or :ref:`nRF54L Series' security components <nRF54L15 Security_>`_) have the functionality for `flash <nRF9160 flash access control_>`_ (on nRF9160) or `feature <nRF54L15 feature access control_>`_ access control, making it possible to configure different features as secure. | ||
| Internal Trusted Storage and Protected Storage will save data to the sections of secure flash. | ||
| This way, the NSPE can not directly access data saved by the Internal Trusted Storage API or the Protected Storage API. |
There was a problem hiding this comment.
Suggested change
| This way, the NSPE can not directly access data saved by the Internal Trusted Storage API or the Protected Storage API. | |
| This way, the NSPE cannot directly access data saved by the Internal Trusted Storage API or the Protected Storage API. |
|
|
||
| Internal Trusted Storage is by default only available from the SPE. | ||
|
|
||
| For Nordic SoCs without an SPU, the PSA Secure Storage API will save data in regular flash storage. |
There was a problem hiding this comment.
Suggested change
| For Nordic SoCs without an SPU, the PSA Secure Storage API will save data in regular flash storage. | |
| For Nordic SoCs without an SPU, the PSA Secure Storage API saves data in the regular flash storage. |
| For Nordic SoCs without an SPU, the PSA Secure Storage API will save data in regular flash storage. | ||
|
|
||
| To store sensitive user information in an external flash, it is recommended to use the Protected Storage API. | ||
| This encrypts the data, protecting it in case the external flash is lost. |
There was a problem hiding this comment.
Suggested change
| This encrypts the data, protecting it in case the external flash is lost. | |
| This encrypts the data, protecting it if the external flash is lost. |
|
|
||
| Cloud service providers need to make informed judgements on end devices to ensure the data they are providing can be trusted. | ||
| EAT has the capabilities to provide this source of trust, using a cryptographically signed piece of data containing claims that are generated in the device RoT. | ||
| There are many ways it can be useful, but most importantly it can be read by the relying party. |
There was a problem hiding this comment.
Suggested change
| There are many ways it can be useful, but most importantly it can be read by the relying party. | |
| It can be useful in many ways, but most importantly it can be read by the relying party. |
There was a problem hiding this comment.
Quote, no edit applied.
greg-fer
force-pushed
the
doc_move_psa_cert_api_blog
branch
2 times, most recently
from
d971b1c to
cabff7d
Compare
peknis
approved these changes
Mar 14, 2025
doc/nrf/links.txt
Outdated
| @@ -226,18 +226,32 @@ | |||
| .. _`nRF Connect SDK Add-ons`: https://nrfconnect.github.io/ncs-app-index/ | |||
| .. _`ncs-app-index`: https://github.com/nrfconnect/ncs-app-index | |||
|
|
|||
| .. _`psa/crypto.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/master/interface/include/psa/crypto.h | |||
| .. _`psa/protected_storage.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/master/interface/include/psa/protected_storage.h | |||
| .. _`psa/initial_attestation.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/master/interface/include/psa/initial_attestation.h | |||
There was a problem hiding this comment.
Suggested change
| .. _`psa/initial_attestation.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/master/interface/include/psa/initial_attestation.h | |
| .. _`psa/initial_attestation.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/master/interface/include/psa/initial_attestation.h.in |
greg-fer
force-pushed
the
doc_move_psa_cert_api_blog
branch
from
cabff7d to
9b86ff2
Compare
hellesvik-nordic
approved these changes
Mar 14, 2025
b-gent
approved these changes
Mar 14, 2025
umapraseeda
reviewed
Mar 14, 2025
Comment on lines
+22
to
+18
| * Analyze the threats that have the potential to compromise your device and generate a set of security requirements based on these risks. | ||
| * Architect the right level of security for your product by using unique security requirements to identify and select components and specifications. | ||
| * Implement the trusted components and firmware, making use of high-level APIs to build-in security and create an interface to the hardware Root of Trust (RoT). | ||
| * Certify device, platform, or silicon by following independent security evaluation. |
There was a problem hiding this comment.
Should these be numbered steps?
There was a problem hiding this comment.
They are not on the source page.
SeppoTakalo
approved these changes
Mar 14, 2025
Added a new page about the PSA Certified API overview to the TF-M documentation. The page is based on a DevZone blog. NCSDK-32263. Signed-off-by: Grzegorz Ferenc <[email protected]> Signed-off-by: Sigurd Hellesvik <[email protected]>
greg-fer
force-pushed
the
doc_move_psa_cert_api_blog
branch
from
9b86ff2 to
32d0917
Compare
|
rlubos
approved these changes
Mar 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added a new page about the PSA Certified API overview to the TF-M documentation. The page is based on a DevZone blog. NCSDK-32263.