6 Secure services at runtime
The secure services at runtime are a set of services that can be called by a nonsecure application at runtime. They manage critical assets that are isolated from the nonsecure application. A nonsecure application cannot directly access any of the critical assets; it can only call the secure services that operate on them. The secure services are provided with two levels of isolation through the use of the privileged and unprivileged modes (the processor can limit or exclude access to some resources by executing code in privileged or unprivileged mode):
• Privileged secure services: secure services executed in privileged mode. Such services can access any asset in the system (secure or nonsecure, privileged or unprivileged). These services are in the PSA updatable RoT partition: firmware update service, internal trusted storage service, secure cryptographic service, and initial attestation service.
• Unprivileged secure services: secure services executed in unprivileged mode. Such services can access any asset in the system except the assets stored in a privileged area. These services are in the application updatable RoT partition: protected storage and third-party service.
6.1 Protected storage service (PS)
The TF‑M protected storage (PS) service implements PSA protected storage APIs (refer to [PSA_API] for more information).
The service is backed by hardware isolation of the flash memory access domain. In the current version, it relies
on hardware to isolate the flash memory area from nonsecure accesses.
The current PS service design relies on the hardware abstraction level provided by TF‑M. The PS service
provides a nonhierarchical storage model, as a filesystem, where a linearly-indexed list of metadata manages all
the assets.
The PS service implements an AES-GCM based AEAD encryption policy, as a reference, to protect data
confidentiality, integrity, and authenticity.
Additionally, it implements nonvolatile counters as a rollback protection mechanism against malicious attacks.
The design addresses the following high-level requirements as well:
• Confidentiality: Resistance to unauthorized accesses through hardware/software attacks.
• Access authentication: Mechanism to establish the requester's identity (a nonsecure entity, a secure entity, or a remote server).
• Integrity: Resistance to tampering by either the normal users of a product, package, or system or others with physical access to it. If the content of the secure storage is changed maliciously, the service is able to detect it.
• Reliability: Resistance to power failure scenarios and incomplete write cycles.
• Configurability: High-level configurability to scale the memory footprint up or down to cater for a variety of devices with varying security requirements.
• Performance: Optimized to be used for resource-constrained devices with very small silicon footprint; the PPA (power, performance, area) should be optimal.
• Modularity: The PS partition is placed in an unprivileged area; the filesystem is in a privileged area. This implies dependencies with other services: cryptography, internal trusted storage API, and platform service.
For more information about the hardware isolation mechanism, refer to Section 7 Protection measures and security strategy.
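The AES-GCM AEAD policy combined with a nonvolatile counter, as described above for the PS service, modelled in Go as an added example (this is not TF-M's own code; the real service's key management, flash layout and metadata handling are not modelled, and the names psImage, newAEAD, psWrite and psRead are assumed). The counter value is bound into the GCM tag as additional authenticated data, so a modified image fails the tag check and a restored older image fails the counter check:

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// psImage models one sealed PS image in flash: NV counter at write time (authenticated, not encrypted), nonce, ciphertext||tag.
type psImage struct {
	counter uint32
	nonce   []byte
	sealed  []byte
}

var errTampered, errRollback = errors.New("PS: integrity check failed"), errors.New("PS: rollback detected")
// newAEAD wraps the constructed storage key (16, 24 or 32 bytes) in AES-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// psWrite seals data under a fresh nonce, increments the device NV counter and
// binds the new value into the tag, so an older image is distinguishable.
func psWrite(aead cipher.AEAD, nv *uint32, data []byte) (psImage, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return psImage{}, err
	}
	*nv++
	aad := binary.LittleEndian.AppendUint32(nil, *nv)
	return psImage{*nv, nonce, aead.Seal(nil, nonce, data, aad)}, nil
}

// psRead rejects a modified image (tag failure) and a replayed older image (stale counter).
func psRead(aead cipher.AEAD, nv uint32, img psImage) ([]byte, error) {
	aad := binary.LittleEndian.AppendUint32(nil, img.counter)
	plain, err := aead.Open(nil, img.nonce, img.sealed, aad)
	if err != nil {
		return nil, errTampered
	}
	if img.counter != nv {
		return nil, errRollback
	}
	return plain, nil
}
```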
6.2 Internal trusted storage service (ITS)
The TF‑M internal trusted storage (ITS) service implements PSA internal trusted storage APIs (for more
information, refer to [PSA_API]).
The service is backed by hardware isolation of the flash memory access domain and relies on hardware to isolate
the flash memory area from nonsecure access and application updatable RoT at higher levels of isolation.
Contrary to the PS service, the ITS service does not implement any encryption policy. The confidentiality of data
is ensured by means of the hardware isolation of the internal flash memory access domain.
The current ITS service design relies on a hardware abstraction provided by TF‑M. The ITS service provides a
nonhierarchical storage model, as a filesystem, where a linearly-indexed list of metadata manages all the assets.
UM2851 - Rev 4 page 10/117