Hi,
We have added a template for ITS encryption in this change: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/31166
You can check the platforms which are using "ITS_ENCRYPTION" for reference; the rp2350 is using this template solution.
For TRNG I'd suggest defining "MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG" in mbedtls_extra_config.h and implementing the "mbedtls_psa_external_get_random" function (the template is using this method). The default entropy seed method in TF-M is NV SEED, which could cause a circular dependency; it should be disabled in config_tfm_target.h. The template is using the GCM authenticated encryption algorithm, so you must also enable this in the mbedtls (extra) config file.
During our tests we used the TF-M medium profile. Regression tests passed. I hope it helped.
Regards, Dávid
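As an added example (not the TF-M template's code nor Mbed TLS source), one way to wire the external RNG hook mentioned above so that ITS nonces come straight from the platform TRNG rather than from the NV seed. `tfm_plat_trng_read` is an assumed platform driver name, `trng_fill` and `fake_trng_5` are helpers written for this example, and the PSA stand-in definitions exist only so the file compiles outside a TF-M tree.

```c
/* Added example (not TF-M or Mbed TLS code): MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG hook
 * serving ITS nonces straight from the platform TRNG, so Crypto needs no NV seed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
#include "psa/crypto.h"                 /* real TF-M build */
#else                                   /* stand-ins so the file builds alone */
typedef int32_t psa_status_t;
#define PSA_SUCCESS                    ((psa_status_t)0)
#define PSA_ERROR_INVALID_ARGUMENT     ((psa_status_t)-135)
#define PSA_ERROR_INSUFFICIENT_ENTROPY ((psa_status_t)-148)
typedef struct { uintptr_t opaque[2]; } mbedtls_psa_external_random_context_t;
#endif
#define TRNG_MAX_CHUNK 16u   /* TRNG FIFOs typically give a few words per read */
#define TRNG_MAX_RETRY 8u    /* bound on empty reads before giving up */
typedef size_t (*trng_read_fn)(uint8_t *buf, size_t len); /* bytes produced, 0 = fail */
/* Hypothetical platform driver (assumed name). The weak placeholder fails closed
 * until the real driver overrides it; it must never invent bytes. */
__attribute__((weak)) size_t tfm_plat_trng_read(uint8_t *buf, size_t len)
{ (void)buf; (void)len; return 0; }
/* Fill out[] from the reader; tolerate short reads, never return partial data. */
psa_status_t trng_fill(trng_read_fn read, uint8_t *out, size_t size, size_t *len)
{
    size_t got = 0, retries = 0;
    if (read == NULL || out == NULL || len == NULL) return PSA_ERROR_INVALID_ARGUMENT;
    while (got < size) {
        size_t want = size - got < TRNG_MAX_CHUNK ? size - got : TRNG_MAX_CHUNK;
        size_t n = read(out + got, want);
        if (n > want) n = 0;                 /* misbehaving driver: treat as failure */
        if (n == 0 && ++retries > TRNG_MAX_RETRY) {
            memset(out, 0, size);            /* no half-filled nonce for GCM */
            *len = 0;
            return PSA_ERROR_INSUFFICIENT_ENTROPY;
        }
        got += n;
    }
    *len = got;
    return PSA_SUCCESS;
}
/* The hook Mbed TLS calls for psa_generate_random() and nonce generation. */
psa_status_t mbedtls_psa_external_get_random(
    mbedtls_psa_external_random_context_t *context,
    uint8_t *output, size_t output_size, size_t *output_length)
{ (void)context; return trng_fill(tfm_plat_trng_read, output, output_size, output_length); }
/* Constructed reader for stand-alone testing only: at most 5 bytes per call. */
size_t fake_trng_5(uint8_t *buf, size_t len)
{ size_t n = len < 5 ? len : 5; memset(buf, 0xA5, n); return n; }
```

With the weak placeholder still in place every nonce request fails closed, which is the safe state until the platform driver is linked in.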
-----Original Message-----
From: Jain, Saurabh via TF-M tf-m@lists.trustedfirmware.org
Sent: 24 October 2024 19:58
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] ITS Encryption
Hi All,
I am quite new to TF-M and would like some insight into the query below. I appreciate any help you can provide.
We're adding encryption support for ITS and, for the nonce requirement, we're thinking of accessing the TRNG, which is part of the crypto partition. Now, we're aware of the possible cyclic dependency issue with the IPC model, but since we're using the SFN model, will it be okay to access the crypto service (TRNG) from ITS? In other words, would cyclic dependency be a concern in the SFN model, provided there are no limitations on hardware?
Thanks in advance.
Saurabh
--
TF-M mailing list -- tf-m@lists.trustedfirmware.org
To unsubscribe send an email to tf-m-leave@lists.trustedfirmware.org