
STM32U585 TFM Package Usage for Secure Project access and Crypto Module Implementation

PJose.4
Senior

Hi Team
Greetings

I have some general queries with respect to the usage of the TFM Application provided in the firmware package. (Some of them were asked previously, but I want to get a clear understanding.)

1. For calling a secure module (for example UART or ADC): can I create a secure_nsc.c file (in TFM_Appli_Secure), initialise the module there, and expose functions for usage in the non-secure area (for example a UART TX function, using CMSE_NS_ENTRY and CMSE_NS_CALL) that will be called from the TFM_Appli_Non_Secure project? Is this method a correct approach?

2. I need to implement some crypto modules in the secure area (TFM_Appli_Secure) and access them from the non-secure area (TFM_Appli_Non_Secure). Can I use the implementation directly from the mbedtls library, initialise it in the TFM_Appli_Secure project, and use the above secure_nsc.c file to provide a function for the encrypt and decrypt functionality, to be used from the TFM_Appli_Non_Secure project?

3. I saw some reference implementation of crypto schemes using PSA Crypto API over mbedCrypto. Is it a must to follow and use the PSA Crypto API over mbedCrypto library to add more crypto operations in the TFM Application?

These methods come from the present requirements of my work, and as I'm not very experienced in the security domain, I would like to get an expert opinion on these 3 points. If the method is not the right direction, please suggest a simplified step so that I can satisfy both requirements (points 1 and 2). I hope both queries are clear.
Thanks again for your support.

Regards
Philip

4 REPLIES 4
Jocelyn RICARD
ST Employee

Hello Philip,

1) No. TFM provides a framework that you need to use

Either you add a service in an existing partition or you create a new partition:

Adding Secure Partition — Trusted Firmware-M Unknown documentation

2) TFM already provides crypto services. If this is not what you need, create your secure partition to implement it.

3) Yes, especially if you don't need something special and it is already available in the PSA crypto API

TFM is also not mandatory. You can create your own crypto service in the secure application instead of TFM.

In this case, you can use the standard secure calls you are referring to.

I hope this answers your questions

Best regards

Jocelyn

Hi @Jocelyn RICARD 
Greetings

Thanks for your valuable inputs in this regard.
1. With respect to this point, I had already got some inputs from the ST Team at this link regarding using the existing partition, but was not able to successfully execute my function in the existing partition.
Link: https://community.st.com/t5/stm32-mcus-security/reg-secure-service-access-from-non-secure-world-in-tf-m-appli-in/m-p/629163#M6342

I will need ST support in this regard, to help me solve this issue. I will get back with my understanding and R&D from my end with the steps provided in the earlier steps.

2, 3. Got clarity on the points. Thanks for your inputs.


Regards

Jocelyn RICARD
ST Employee

Hello @PJose.4 ,

This is pure software. You need to understand how things work.

I know this is very complex and requires a lot of time to understand. This is the ARM framework.

There are many examples of partitions available that you can take as an example.

The best would be to find a third party to help you, I guess.

Best regards

Jocelyn

 

 

Hi @Jocelyn RICARD 
Yes, as you said, since I'm not an expert in TF-M concepts, I'm finding difficulties, and due to this I am unable to select a correct reference model so as to get a better understanding with respect to my requirements.
As you suggested, I will also check internally for third-party assistance in this regard. I will also go through the reference documents and websites.
Thanks for your valuable guidance.
Regards
Philip