- TF-M - lists.trustedfirmware.org

by Anton Komlev

Hi, All TF-M repositories are tagged with TF-Mv1.4.0-RC1 tag. Code is frozen now for the release candidate testing. Note that changes to other repositories are still possible during that time. Please use this tag for your tests and report any issues found by the end of July 30. Thanks and good luck, Anton

4 years, 3 months

1
0
0 0

Updates to the documentation

by Anton Komlev

Hello, Some of you might notice TF-M documentation updates but let me bring your attention to: 1. New look and layout of Getting Started Guides: https://tf-m-user-guide.trustedfirmware.org/docs/getting_started/tfm_gettin… 2. Porting TF-M to a New Hardware: https://tf-m-user-guide.trustedfirmware.org/docs/integration_guide/porting_… 3. Clear documentation URLs Please enjoy, contribute and give a feedback. Anton

4 years, 3 months

1
0
0 0

Re: [TF-M] TF-M is trying to migrate to mbedtls 3.0

by Chris.Brand＠infineon.com

Hi Summer. Is the plan that this is part of the 1.4 release? Thanks, Chris From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Summer Qin via TF-M Sent: Monday, July 19, 2021 3:40 AM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: [TF-M] TF-M is trying to migrate to mbedtls 3.0 Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safe<https://intranet-content.infineon.com/explore/aboutinfineon/rules/informati…>. Hi, TF-M is trying to migrate to mbedtls 3.0. Here<https://review.trustedfirmware.org/q/topic:%22mbedtls3.0%22+(status:open%20…> are the patches for mbedtls 3.0 upgrading. Some patches touch platforms changes, especially are the following three patches: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/10628/6 https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/10685/5 https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/10760/1 If these patches influence your platform's work, please feel free to let us know. Best Regards, Summer

4 years, 3 months

2
1
0 0

TF-M is trying to migrate to mbedtls 3.0

by Summer Qin

Hi, TF-M is trying to migrate to mbedtls 3.0. Here<https://review.trustedfirmware.org/q/topic:%22mbedtls3.0%22+(status:open%20…> are the patches for mbedtls 3.0 upgrading. Some patches touch platforms changes, especially are the following three patches: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/10628/6 https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/10685/5 https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/10760/1 If these patches influence your platform's work, please feel free to let us know. Best Regards, Summer

4 years, 3 months

1
0
0 0

Technical Forum call - July 22

by Anton Komlev

Hi, The next Technical Forum is planned on Thursday, July 22 7:00-8:00 UTC (Asia time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

4 years, 3 months

1
0
0 0

[CANCELLED]: Technical Forum call - July 8

by Anton Komlev

Hi, Having no topics proposed or requested and considering the release preparation busy time, let me cancel this slot. A reminder: TF-M v1.4.0 code freeze is planned on July 16 and the release is on July 30. Thanks, Anton From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Anton Komlev via TF-M Sent: Monday, July 5, 2021 2:15 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: [TF-M] Technical Forum call - July 8 Hi, The next Technical Forum is planned on Thursday, July 8 at 15:00-16:00 UTC (US time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

4 years, 3 months

1
0
0 0

Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder?

by Raef Coles

Hey Poppy Along with all the good advice from Kevin, I wanted to highlight a couple of things: * There is an example of this already being done in TF-M. The nv-seed code calls into ITS depite being in the platform layer. This code isn't widely enabled, but works fine. (see platform/ext/common/template/crypto_nv_seed.c) * One nuance is when you're calling into the SP. Under library mode, it's not possible to call into another secure partition from a secure partitions's init code. It's possible to do this under IPC mode however. This is likely to cause problems with your usecase, as it seems likely you'd want to load cryptographic keys into the crypto partition during init. On another note - we're currently looking into tidying up our OTP support and creating some sort of basic provisioning workflow (which would also replace the current CryptoCell-312 provisioning code). Our design seems to be similar to yours (Either storing the provisioned data in real OTP or internal flash depending on platform support). This is currently still in progress, but we hope to get patches on the trustedfirmware.org gerrit soon. Raef ________________________________________ From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Kevin Peng via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: 08 July 2021 03:56 To: Edward Yang; tf-m(a)lists.trustedfirmware.org Subject: Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Poppy, As you said, how to read the provisioned information varies from platforms. So I cannot comment on how is your approach. But I can give something from the Framework’s point of view. The Client APIs mainly target two kind of consumers, one is the NSPE, the other is Secure Partitions. In your scenario B, a Partition wants to call psa_its_get(this is not the PSA Client API, but a “service API” that implemented with the Client APIs) to get something, that’s totally OK. Remember to add your Partition to the “dependencies” of the ITS Partition’s manifest, otherwise you’ll get errors for permission issues. Best Regards, Kevin From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Edward Yang via TF-M Sent: Thursday, July 8, 2021 10:43 AM To: tf-m(a)lists.trustedfirmware.org Subject: Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Anton and Kevin, "call secure services directly” here means calling by PSA client API in IPC mode. Here is the scenarios, For example, a new secure partition is added ,and this partition provides some secure services. One service needs get some pre-provisioned information,such as a key. This operation(get pre-provisioned information) may vary with platforms. [cid:image001.gif@01D773E7.56814130] [cid:image002.gif@01D773E7.56814130] Scenario A:Target1(A board without MCU embedded Flash ) , the pre-provisioned information were stored in OTP during provisioning, so this target reads pre-provisioned information from OTP during deployment period. Scenario B: Target1(A board with MCU embedded Flash ) , assume the pre-provisioned information were stored in MCU embedded Flash by calling psa_its_set() service during provisioning(I am not sure whether this kind of implementation is right ), so this target needs reading pre-provisioned information by calling psa_its_get() service during deployment period. I am wondering whether this design breaks the design rules of tf-m. Best Regards, Poppy Wu Macronix Microelectronics (Suzhou) Co.,Ltd Kevin Peng via TF-M <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>> Sent by: "TF-M" <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> 2021/07/07 11:10 Please respond to Kevin Peng <Kevin.Peng(a)arm.com<mailto:Kevin.Peng@arm.com>> To "tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>" <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>> cc nd <nd(a)arm.com<mailto:nd@arm.com>> Subject Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Poppy, By “call secure services directly” I guess you mean function call? That is forbidden. Secure services can be only called by PSA Client APIs (psa_connect/psa_call/psa_close) or Partition provided APIs (for example psa_ps_set). As Anton mentioned, platform folder actually provide HW level support to Secure Partitions and Framework (SPM). Could you provide more details of you use case of calling Secure Services from platform folder? Best Regards, Kevin From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Anton Komlev via TF-M Sent: Tuesday, July 6, 2021 8:31 PM To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd(a)arm.com<mailto:nd@arm.com>> Subject: Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Poppy, Platform folder represents a HW integration layer. What kind of use case you have in mind to call the secure services from there? Thanks, Anton From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Edward Yang via TF-M Sent: Tuesday, July 6, 2021 9:30 AM To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>; nd <nd(a)arm.com<mailto:nd@arm.com>> Subject: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi experts, The tf-m project includes secure_fw and paltform these two folders, I want to know whether the codes in platform folder are allowed to call secure services directly? Best Regards, Poppy Wu Macronix Microelectronics (Suzhou) Co.,Ltd CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================-- TF-M mailing list TF-M(a)lists.trustedfirmware.org<mailto:TF-M@lists.trustedfirmware.org> https://lists.trustedfirmware.org/mailman/listinfo/tf-m CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as it attachments from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================

4 years, 3 months

1
0
0 0

Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder?

by Kevin Peng

Hi Poppy, As you said, how to read the provisioned information varies from platforms. So I cannot comment on how is your approach. But I can give something from the Framework's point of view. The Client APIs mainly target two kind of consumers, one is the NSPE, the other is Secure Partitions. In your scenario B, a Partition wants to call psa_its_get(this is not the PSA Client API, but a "service API" that implemented with the Client APIs) to get something, that's totally OK. Remember to add your Partition to the "dependencies" of the ITS Partition's manifest, otherwise you'll get errors for permission issues. Best Regards, Kevin From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Edward Yang via TF-M Sent: Thursday, July 8, 2021 10:43 AM To: tf-m(a)lists.trustedfirmware.org Subject: Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Anton and Kevin, "call secure services directly" here means calling by PSA client API in IPC mode. Here is the scenarios, For example, a new secure partition is added ,and this partition provides some secure services. One service needs get some pre-provisioned information,such as a key. This operation(get pre-provisioned information) may vary with platforms. [cid:image001.gif@01D773E7.56814130] [cid:image002.gif@01D773E7.56814130] Scenario A:Target1(A board without MCU embedded Flash ) , the pre-provisioned information were stored in OTP during provisioning, so this target reads pre-provisioned information from OTP during deployment period. Scenario B: Target1(A board with MCU embedded Flash ) , assume the pre-provisioned information were stored in MCU embedded Flash by calling psa_its_set() service during provisioning(I am not sure whether this kind of implementation is right ), so this target needs reading pre-provisioned information by calling psa_its_get() service during deployment period. I am wondering whether this design breaks the design rules of tf-m. Best Regards, Poppy Wu Macronix Microelectronics (Suzhou) Co.,Ltd Kevin Peng via TF-M <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>> Sent by: "TF-M" <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> 2021/07/07 11:10 Please respond to Kevin Peng <Kevin.Peng(a)arm.com<mailto:Kevin.Peng@arm.com>> To "tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>" <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>> cc nd <nd(a)arm.com<mailto:nd@arm.com>> Subject Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Poppy, By "call secure services directly" I guess you mean function call? That is forbidden. Secure services can be only called by PSA Client APIs (psa_connect/psa_call/psa_close) or Partition provided APIs (for example psa_ps_set). As Anton mentioned, platform folder actually provide HW level support to Secure Partitions and Framework (SPM). Could you provide more details of you use case of calling Secure Services from platform folder? Best Regards, Kevin From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Anton Komlev via TF-M Sent: Tuesday, July 6, 2021 8:31 PM To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd(a)arm.com<mailto:nd@arm.com>> Subject: Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Poppy, Platform folder represents a HW integration layer. What kind of use case you have in mind to call the secure services from there? Thanks, Anton From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Edward Yang via TF-M Sent: Tuesday, July 6, 2021 9:30 AM To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>; nd <nd(a)arm.com<mailto:nd@arm.com>> Subject: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi experts, The tf-m project includes secure_fw and paltform these two folders, I want to know whether the codes in platform folder are allowed to call secure services directly? Best Regards, Poppy Wu Macronix Microelectronics (Suzhou) Co.,Ltd CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================-- TF-M mailing list TF-M(a)lists.trustedfirmware.org<mailto:TF-M@lists.trustedfirmware.org> https://lists.trustedfirmware.org/mailman/listinfo/tf-m CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as it attachments from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================

4 years, 3 months

1
0
0 0

Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder?

by Edward Yang

Hi Anton and Kevin, "call secure services directly” here means calling by PSA client API in IPC mode. Here is the scenarios, For example, a new secure partition is added ,and this partition provides some secure services. One service needs get some pre-provisioned information,such as a key. This operation(get pre-provisioned information) may vary with platforms. Scenario A:Target1(A board without MCU embedded Flash ) , the pre-provisioned information were stored in OTP during provisioning, so this target reads pre-provisioned information from OTP during deployment period. Scenario B: Target1(A board with MCU embedded Flash ) , assume the pre-provisioned information were stored in MCU embedded Flash by calling psa_its_set() service during provisioning(I am not sure whether this kind of implementation is right ), so this target needs reading pre-provisioned information by calling psa_its_get() service during deployment period. I am wondering whether this design breaks the design rules of tf-m. Best Regards, Poppy Wu Macronix Microelectronics (Suzhou) Co.,Ltd Kevin Peng via TF-M <tf-m(a)lists.trustedfirmware.org> Sent by: "TF-M" <tf-m-bounces(a)lists.trustedfirmware.org> 2021/07/07 11:10 Please respond to Kevin Peng <Kevin.Peng(a)arm.com> To "tf-m(a)lists.trustedfirmware.org" <tf-m(a)lists.trustedfirmware.org> cc nd <nd(a)arm.com> Subject Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Poppy, By “call secure services directly” I guess you mean function call? That is forbidden. Secure services can be only called by PSA Client APIs (psa_connect/psa_call/psa_close) or Partition provided APIs (for example psa_ps_set). As Anton mentioned, platform folder actually provide HW level support to Secure Partitions and Framework (SPM). Could you provide more details of you use case of calling Secure Services from platform folder? Best Regards, Kevin From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Anton Komlev via TF-M Sent: Tuesday, July 6, 2021 8:31 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Poppy, Platform folder represents a HW integration layer. What kind of use case you have in mind to call the secure services from there? Thanks, Anton From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Edward Yang via TF-M Sent: Tuesday, July 6, 2021 9:30 AM To: tf-m(a)lists.trustedfirmware.org; nd <nd(a)arm.com> Subject: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi experts, The tf-m project includes secure_fw and paltform these two folders, I want to know whether the codes in platform folder are allowed to call secure services directly? Best Regards, Poppy Wu Macronix Microelectronics (Suzhou) Co.,Ltd CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================-- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m ============================================================================ CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as it attachments from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================

4 years, 3 months

1
0
0 0

Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder?

by Kevin Peng

Hi Poppy, By "call secure services directly" I guess you mean function call? That is forbidden. Secure services can be only called by PSA Client APIs (psa_connect/psa_call/psa_close) or Partition provided APIs (for example psa_ps_set). As Anton mentioned, platform folder actually provide HW level support to Secure Partitions and Framework (SPM). Could you provide more details of you use case of calling Secure Services from platform folder? Best Regards, Kevin From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Anton Komlev via TF-M Sent: Tuesday, July 6, 2021 8:31 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi Poppy, Platform folder represents a HW integration layer. What kind of use case you have in mind to call the secure services from there? Thanks, Anton From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Edward Yang via TF-M Sent: Tuesday, July 6, 2021 9:30 AM To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>; nd <nd(a)arm.com<mailto:nd@arm.com>> Subject: [TF-M] Whether the codes in platform folder of tf-m project can be allowed to call secure services in secure_fw folder? Hi experts, The tf-m project includes secure_fw and paltform these two folders, I want to know whether the codes in platform folder are allowed to call secure services directly? Best Regards, Poppy Wu Macronix Microelectronics (Suzhou) Co.,Ltd CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================

4 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-M