207 lines
8.7 KiB
ReStructuredText
207 lines
8.7 KiB
ReStructuredText
|
.. _tfm_psa_level_1:
|
||
|
|
||
|
TF-M PSA Level 1
|
||
|
################
|
||
|
|
||
|
Overview
|
||
|
********
|
||
|
This TF-M integration example demonstrates how to use certain TF-M features
|
||
|
that are covered as part of the RTOS vendor requirements for a
|
||
|
`PSA Certified Level 1`_ product, such as secure storage for config data,
|
||
|
initial attestation for device verification, and the PSA crypto API for
|
||
|
cryptography.
|
||
|
|
||
|
Trusted Firmware (TF-M) Platform Security Architecture (PSA) APIs
|
||
|
are used for the secure processing environment, with Zephyr running in the
|
||
|
non-secure processing environment.
|
||
|
|
||
|
It uses **IPC Mode** for communication, where an IPC mechanism is inserted to
|
||
|
handle secure TF-M API calls and responses. The OS-specific code to handle
|
||
|
the IPC calls is in ``tfm_ipc.c``.
|
||
|
|
||
|
The sample prints test info to the console either as a single-thread or
|
||
|
multi-thread application.
|
||
|
|
||
|
.. _PSA Certified Level 1:
|
||
|
https://www.psacertified.org/security-certification/psa-certified-level-1/
|
||
|
|
||
|
Building and Running
|
||
|
********************
|
||
|
|
||
|
This project outputs startup status and info to the console. It can be built and
|
||
|
executed on an MPS2+ configured for AN521 (dual-core ARM Cortex M33), or using
|
||
|
the ``mps2_an521_nonsecure`` target with QEMU.
|
||
|
|
||
|
This sample will only build on a Linux or macOS development system
|
||
|
(not Windows), and has been tested on the following setups:
|
||
|
|
||
|
- macOS Mojave using QEMU 4.2.0 with gcc-arm-none-eabi-7-2018-q2-update
|
||
|
- macOS Mojave with gcc-arm-none-eabi-7-2018-q2-update
|
||
|
- Ubuntu 18.04 using Zephyr SDK 0.11.2
|
||
|
|
||
|
On MPS2+ AN521:
|
||
|
===============
|
||
|
|
||
|
1. Build Zephyr with a non-secure configuration
|
||
|
(``-DBOARD=mps2_an521_nonsecure``).
|
||
|
|
||
|
Using ``west``
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
cd <ZEPHYR_ROOT>
|
||
|
west build -p -b mps2_an521_nonsecure samples/tfm_integration/psa_level_1
|
||
|
|
||
|
Using ``cmake`` and ``ninja``
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
cd <ZEPHYR_ROOT>/samples/tfm_integration/psa_level_1/
|
||
|
rm -rf build
|
||
|
mkdir build && cd build
|
||
|
cmake -GNinja -DBOARD=mps2_an521_nonsecure ..
|
||
|
ninja
|
||
|
|
||
|
Using ``cmake`` and ``make``
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
cd <ZEPHYR_ROOT>/samples/tfm_integration/psa_level_1/
|
||
|
rm -rf build
|
||
|
mkdir build && cd build
|
||
|
cmake -DBOARD=mps2_an521_nonsecure ..
|
||
|
make
|
||
|
|
||
|
2. Copy application binary files (mcuboot.bin and tfm_sign.bin) to
|
||
|
``<MPS2 device name>/SOFTWARE/``.
|
||
|
|
||
|
3. Edit (e.g., with vim) the ``<MPS2 device name>/MB/HBI0263C/AN521/images.txt``
|
||
|
file, and update it as shown below:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
TITLE: Versatile Express Images Configuration File
|
||
|
|
||
|
[IMAGES]
|
||
|
TOTALIMAGES: 2 ;Number of Images (Max: 32)
|
||
|
|
||
|
IMAGE0ADDRESS: 0x10000000
|
||
|
IMAGE0FILE: \SOFTWARE\mcuboot.bin ; BL2 bootloader
|
||
|
|
||
|
IMAGE1ADDRESS: 0x10080000
|
||
|
IMAGE1FILE: \SOFTWARE\tfm_sign.bin ; TF-M with application binary blob
|
||
|
|
||
|
4. Save the file, exit the editor, and reset the MPS2+ board.
|
||
|
|
||
|
On QEMU:
|
||
|
========
|
||
|
|
||
|
Build Zephyr with a non-secure configuration (``-DBOARD=mps2_an521_nonsecure``)
|
||
|
and run it in qemu via the ``run`` command.
|
||
|
|
||
|
Using ``west``
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
cd <ZEPHYR_ROOT>
|
||
|
west build -p -b mps2_an521_nonsecure samples/tfm_integration/psa_level_1 -t run
|
||
|
|
||
|
Using ``cmake`` and ``ninja``
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
cd <ZEPHYR_ROOT>/samples/tfm_integration/psa_level_1/
|
||
|
rm -rf build
|
||
|
mkdir build && cd build
|
||
|
cmake -GNinja -DBOARD=mps2_an521_nonsecure ..
|
||
|
ninja run
|
||
|
|
||
|
Using ``cmake`` and ``make``
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
cd <ZEPHYR_ROOT>/samples/tfm_integration/psa_level_1/
|
||
|
rm -rf build
|
||
|
mkdir build && cd build
|
||
|
cmake -DBOARD=mps2_an521_nonsecure ..
|
||
|
make run
|
||
|
|
||
|
Sample Output
|
||
|
=============
|
||
|
|
||
|
.. code-block:: console
|
||
|
|
||
|
[INF] Starting bootloader
|
||
|
[INF] Swap type: none
|
||
|
[INF] Swap type: none
|
||
|
[INF] Bootloader chainload address offset: 0x80000
|
||
|
|
||
|
[INF] Jumping to the first image slot
|
||
|
[Sec Thread] Secure image initializing!
|
||
|
TF-M isolation level is: 1
|
||
|
Booting TFM v1.0
|
||
|
*** Booting Zephyr OS build v1.12.0-rc1-19787-g7bf29820769f ***
|
||
|
[00:00:00.003,000] <inf> app: app_cfg: Creating new config file with UID 0x155cfda7a
|
||
|
[00:00:03.517,000] <inf> app: att: System IAT size is: 545 bytes.
|
||
|
[00:00:03.517,000] <inf> app: att: Requesting IAT with 64 byte challenge.
|
||
|
[00:00:06.925,000] <inf> app: att: IAT data received: 545 bytes.
|
||
|
0 1 2 3 4 5 6 7 8 9 A B C D E F
|
||
|
00000000 D2 84 43 A1 01 26 A0 59 01 D5 AA 3A 00 01 24 FF ..C..&.Y...:..$.
|
||
|
00000010 58 40 00 11 22 33 44 55 66 77 88 99 AA BB CC DD X@.."3DUfw......
|
||
|
00000020 EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD ...."3DUfw......
|
||
|
00000030 EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD ...."3DUfw......
|
||
|
00000040 EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD ...."3DUfw......
|
||
|
00000050 EE FF 3A 00 01 24 FB 58 20 A0 A1 A2 A3 A4 A5 A6 ..:..$.X .......
|
||
|
|
||
|
00000060 A7 A8 A9 AA AB AC AD AE AF B0 B1 B2 B3 B4 B5 B6 ................
|
||
|
00000070 B7 B8 B9 BA BB BC BD BE BF 3A 00 01 25 00 58 21 .........:..%.X!
|
||
|
00000080 01 FA 58 75 5F 65 86 27 CE 54 60 F2 9B 75 29 67 ..Xu_e.'.T`..u)g
|
||
|
00000090 13 24 8C AE 7A D9 E2 98 4B 90 28 0E FC BC B5 02 .$..z...K.(.....
|
||
|
000000A0 48 3A 00 01 24 FA 58 20 AA AA AA AA AA AA AA AA H:..$.X ........
|
||
|
000000B0 BB BB BB BB BB BB BB BB CC CC CC CC CC CC CC CC ................
|
||
|
000000C0 DD DD DD DD DD DD DD DD 3A 00 01 24 F8 20 3A 00 ........:..$. :.
|
||
|
000000D0 01 24 F9 19 30 00 3A 00 01 24 FD 82 A5 01 63 53 .$..0.:..$....cS
|
||
|
000000E0 50 45 04 65 30 2E 30 2E 30 05 58 20 BF E6 D8 6F PE.e0.0.0.X ...o
|
||
|
000000F0 88 26 F4 FF 97 FB 96 C4 E6 FB C4 99 3E 46 19 FC .&..........>F..
|
||
|
00000100 56 5D A2 6A DF 34 C3 29 48 9A DC 38 06 66 53 48 V].j.4.)H..8.fSH
|
||
|
00000110 41 32 35 36 02 58 20 EF FC 32 08 03 06 CA 5A 8C A256.X ..2....Z.
|
||
|
00000120 D2 93 C8 46 04 DD 45 3F CA 41 20 47 A8 F7 D4 09 ...F..E?.A G....
|
||
|
00000130 24 16 94 38 05 68 B6 A5 01 64 4E 53 50 45 04 65 $..8.h...dNSPE.e
|
||
|
00000140 30 2E 30 2E 30 05 58 20 B3 60 CA F5 C9 8C 6B 94 0.0.0.X .`....k.
|
||
|
00000150 2A 48 82 FA 9D 48 23 EF B1 66 A9 EF 6A 6E 4A A3 *H...H#..f..jnJ.
|
||
|
00000160 7C 19 19 ED 1F CC C0 49 06 66 53 48 41 32 35 36 |......I.fSHA256
|
||
|
00000170 02 58 20 D5 3F 25 8F AA 5A 05 33 36 F4 D9 2C D6 .X .?%..Z.36..,.
|
||
|
00000180 11 DF 6E 1B 18 B9 03 09 37 01 9D A7 5E FC 57 32 ..n.....7...^.W2
|
||
|
00000190 B3 1A 94 3A 00 01 25 01 77 77 77 77 2E 74 72 75 ...:..%.wwww.tru
|
||
|
000001A0 73 74 65 64 66 69 72 6D 77 61 72 65 2E 6F 72 67 stedfirmware.org
|
||
|
000001B0 3A 00 01 24 F7 71 50 53 41 5F 49 4F 54 5F 50 52 :..$.qPSA_IOT_PR
|
||
|
000001C0 4F 46 49 4C 45 5F 31 3A 00 01 24 FC 72 30 36 30 OFILE_1:..$.r060
|
||
|
000001D0 34 35 36 35 32 37 32 38 32 39 31 30 30 31 30 58 456527282910010X
|
||
|
000001E0 40 51 33 D9 87 96 A9 91 55 18 9E BF 14 7A E1 76 @Q3.....U....z.v
|
||
|
000001F0 F5 0F A6 3C 7B F2 3A 1B 59 24 5B 2E 67 A8 F8 AB ...<{.:.Y$[.g...
|
||
|
00000200 12 B4 2E 09 13 5B BF 35 1F ED 66 E3 36 CF DA CE .....[.5..f.6...
|
||
|
00000210 06 03 69 DF C0 DC 4D 2F 17 33 D7 5E BE 73 B9 0E ..i...M/.3.^.s..
|
||
|
00000220 08 .
|
||
|
[00:00:06.982,000] <inf> app: Generating 256 bytes of random data.
|
||
|
0 1 2 3 4 5 6 7 8 9 A B C D E F
|
||
|
00000000 0C 90 D8 0C FA 0F 97 00 29 B2 AE 5C 90 48 3D 39 ........)..\.H=9
|
||
|
00000010 00 14 6C A3 84 E2 C0 C9 82 F5 8B A6 E9 38 66 16 ..l..........8f.
|
||
|
00000020 EA B7 E7 78 91 0D 6D 87 5B B8 04 0B 8B E0 74 23 ...x..m.[.....t#
|
||
|
00000030 7D 11 E2 17 32 34 1A 01 71 24 29 D5 7C 05 B1 11 }...24..q$).|...
|
||
|
00000040 A0 97 20 82 03 FF D6 76 9D 6F D5 52 45 C9 E1 17 .. ....v.o.RE...
|
||
|
00000050 69 DF 18 B6 8E 0C AA 3B 74 B4 EF 97 D9 0E 82 25 i......;t......%
|
||
|
00000060 E1 97 0E 6E 4F 0F DE B9 20 60 34 A4 EA 0D 9A B3 ...nO... `4.....
|
||
|
00000070 3F C4 9A CF F3 5E F2 2C 78 96 6F 0E DD E3 E6 CB ?....^.,x.o.....
|
||
|
00000080 DC 19 26 A3 E8 8E 07 0E 1E 5B DB 59 B0 05 41 E2 ..&......[.Y..A.
|
||
|
00000090 A4 ED 90 35 8B AB 1C B8 00 7E BB 2D 22 FE 7A EA ...5.....~.-".z.
|
||
|
000000A0 CF A0 BB DF 4F 2B 32 55 C9 07 0D 3D CE B8 43 78 ....O+2U...=..Cx
|
||
|
000000B0 63 33 6C 79 CA 43 3A 4F 0B 93 33 2B B1 D2 B0 A7 c3ly.C:O..3+....
|
||
|
000000C0 44 A0 E9 E8 BF FB FD 89 2A 44 7A 60 2D 9B 0F 9E D.......*Dz`-...
|
||
|
000000D0 0D B1 0E 9D 5C 60 5D E6 92 78 36 79 68 37 24 C5 ....\`]..x6yh7$.
|
||
|
000000E0 57 7F 2E DF 53 D2 7B 3F EE 56 9B 9E BB 39 2C B6 W...S.{?.V...9,.
|
||
|
000000F0 AA FF B5 3B 59 4E 40 1D E0 34 50 05 D0 E0 95 12 ...;YN@..4P.....
|
||
|
[00:00:07.004,000] <inf> app: Calculating SHA-256 hash of value.
|
||
|
0 1 2 3 4 5 6 7 8 9 A B C D E F
|
||
|
00000000 E3 B0 C4 42 98 FC 1C 14 9A FB F4 C8 99 6F B9 24
|
||
|
00000010 27 AE 41 E4 64 9B 93 4C A4 95 99 1B 78 52 B8 55
|