Hi Antonio,

 

Thank you for your information, it is very helpful.

 

Best regards

Tao Li (William Lee)

Software Engineer @ Garmin

Mobile: +8618628138760

 

From: Antonio De Angelis via TF-M <tf-m@lists.trustedfirmware.org>
Reply-To: Antonio De Angelis <Antonio.DeAngelis@arm.com>
Date: Monday, January 1, 2024 at 06:58
To: "tf-m@lists.trustedfirmware.org" <tf-m@lists.trustedfirmware.org>
Cc: nd <nd@arm.com>
Subject: [TF-M] Re: Are MCUs without internal flash not supported by TF-M?

 


 

 

Hi Torsten,

 

You can have a look at the design document for ITS, which describes encryption in ITS, for a generic introduction:

 

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/tfm/design_docs/services/tfm_its_service.html

 

A platform supports ITS_ENCRYPTION=ON if it provides an implementation of the HAL functions as follows:

 

tfm_hal_its_aead_*

 

For the exact list of Nordic platforms that support this option, I suggest having a look directly in the Nordic Connect SDK. Probably any platform based on the 5340 would be able to support this option, but there might be other platforms as well which you would be able to use through the SDK itself.

 

Hope this helps.

 

Thanks, Antonio


From: Labs, Torsten via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Saturday, December 30, 2023 14:51
To: Antonio De Angelis <Antonio.DeAngelis@arm.com>; Lee, William <William.Lee@garmin.com>; tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] Re: Are MCUs without internal flash not supported by TF-M?

 

Hi Antonio,

 

Thanks for this interesting news. Do you know which Nordic platform supports encrypted ITS with TFM?

 

Regards

 

Torsten 


From: Antonio De Angelis via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Saturday, December 30, 2023 9:31:10 AM
To: Lee, William <William.Lee@garmin.com>; tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] Re: Are MCUs without internal flash not supported by TF-M?

 

Hi William, 

 

The requirement on the storage is for it to be isolated, either physically or cryptographically, as you can read from the PSA security model [1].

 

TF-M initially supported only the isolated model in ITS (i.e. for internal flashes), but more recently support was added for encrypted ITS, which I believe can be used on one of the Nordic platforms already.

 

Hope this helps. 

 

Thanks, Antonio 

 

 



From: Lee, William via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Friday, December 29, 2023 5:53:50 AM
To: tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: [TF-M] Are MCUs without internal flash not supported by TF-M?

 

Hello everyone,

 

Happy New Year!

 

Are MCUs without internal flash not supported by TF-M?

From TF-M’s documents, I saw that ITS (Internal Trusted Storage) is a PSA-ROT secure service and requires storing data in internal flash.

Does that mean TF-M does not support hardware platforms that do not have internal flash? For example, RT500 does not have internal flash: https://www.nxp.com/products/processors-and-microcontrollers/arm-microcontrollers/i-mx-rt-crossover-mcus/i-mx-rt500-crossover-mcu-with-arm-cortex-m33-dsp-and-gpu-cores:i.MX-RT500

 

Thank you!

 

Best regards

William Lee