274 lines
13 KiB
ReStructuredText
274 lines
13 KiB
ReStructuredText
Trusted Firmware-M Overview
|
|
###########################
|
|
|
|
`Trusted Firmware-M (TF-M) <https://tf-m-user-guide.trustedfirmware.org/>`__
|
|
is a reference implementation of the Platform Security Architecture (PSA)
|
|
`IoT Security Framework <https://www.psacertified.org/what-is-psa-certified/>`__.
|
|
It defines and implements an architecture and a set of software components
|
|
that aim to address some of the main security concerns in IoT products.
|
|
|
|
Zephyr RTOS has been PSA Certified since Zephyr 2.0.0 with TF-M 1.0, and
|
|
is currently integrated with TF-M 1.4.1.
|
|
|
|
What Does TF-M Offer?
|
|
*********************
|
|
|
|
Through a set of secure services and by design, TF-M provides:
|
|
|
|
* Isolation of secure and non-secure resources
|
|
* Embedded-appropriate crypto
|
|
* Management of device secrets (keys, etc.)
|
|
* Firmware verification (and encryption)
|
|
* Protected off-chip data storage and retrieval
|
|
* Proof of device identity (device attestation)
|
|
* Audit logging
|
|
|
|
Build System Integration
|
|
************************
|
|
|
|
When using TF-M with a supported platform, TF-M will be automatically built and
|
|
link in the background as part of the standard Zephyr build process. This
|
|
build process makes a number of assumptions about how TF-M is being used, and
|
|
has certain implications about what the Zephyr application image can and can
|
|
not do:
|
|
|
|
* The secure processing environment (secure boot and TF-M) starts first
|
|
* Resource allocation for Zephyr relies on choices made in the secure image.
|
|
|
|
Architecture Overview
|
|
*********************
|
|
|
|
A TF-M application will, generally, have the following three parts, from most
|
|
to least trusted, left-to-right, with code execution happening in the same
|
|
order (secure boot > secure image > ns image).
|
|
|
|
While the secure bootloader is optional, it is enabled by default, and secure
|
|
boot is an important part of providing a secure solution:
|
|
|
|
::
|
|
|
|
+-------------------------------------+ +--------------+
|
|
| Secure Processing Environment (SPE) | | NSPE |
|
|
| +----------++---------------------+ | | +----------+ |
|
|
| | || | | | | | |
|
|
| | bl2.bin || tfm_s_signed.bin | | | |zephyr.bin| |
|
|
| | || | | <- PSA -> | | | |
|
|
| | Secure || Trusted Firmware-M | | APIs | | Zephyr | |
|
|
| | Boot || (Secure Image) | | | |(NS Image)| |
|
|
| | || | | | | | |
|
|
| +----------++---------------------+ | | +----------+ |
|
|
+-------------------------------------+ +--------------+
|
|
|
|
Communication between the (Zephyr) Non-Secure Processing Environment (NSPE) and
|
|
the (TF-M) Secure Processing Environment image happens based on a set of PSA
|
|
APIs, and normally makes use of an IPC mechanism that is included as part of
|
|
the TF-M build, and implemented in Zephyr
|
|
(see :zephyr_file:`modules/trusted-firmware-m/interface`).
|
|
|
|
Root of Trust (RoT) Architecture
|
|
================================
|
|
|
|
TF-M is based upon a **Root of Trust (RoT)** architecture. This allows for
|
|
hierarchies of trust from most, to less, to least trusted, providing a sound
|
|
foundation upon which to build or access trusted services and resources.
|
|
|
|
The benefit of this approach is that less trusted components are prevented from
|
|
accessing or compromising more critical parts of the system, and error
|
|
conditions in less trusted environments won't corrupt more trusted, isolated
|
|
resources.
|
|
|
|
The following RoT hierarchy is defined for TF-M, from most to least trusted:
|
|
|
|
* PSA Root of Trust (**PRoT**), which consists of:
|
|
|
|
* PSA Immutable Root of Trust: secure boot
|
|
* PSA Updateable Root of Trust: most trusted secure services
|
|
* Application Root of Trust (**ARoT**): isolated secure services
|
|
|
|
The **PSA Immutable Root of Trust** is the most trusted piece of code in the
|
|
system, to which subsequent Roots of Trust are anchored. In TF-M, this is the
|
|
secure boot image, which verifies that the secure and non-secure images are
|
|
valid, have not been tampered with, and come from a reliable source. The
|
|
secure bootloader also verifies new images during the firmware update process,
|
|
thanks to the public signing key(s) built into it. As the name implies,
|
|
this image is **immutable**.
|
|
|
|
The **PSA Updateable Root of Trust** implements the most trusted secure
|
|
services and components in TF-M, such as the Secure Partition Manager (SPM),
|
|
and shared secure services like PSA Crypto, Internal Trusted Storage (ITS),
|
|
etc. Services in the PSA Updateable Root of Trust have access to other
|
|
resources in the same Root of Trust.
|
|
|
|
The **Application Root of Trust** is a reduced-privilege area in the secure
|
|
processing environment which, depending on the isolation level chosen when
|
|
building TF-M, has limited access to the PRoT, or even other ARoT services at
|
|
the highest isolation levels. Some standard services exist in the ARoT, such as
|
|
Protected Storage (PS), and generally custom secure services that you implement
|
|
should be placed in the ARoT, unless a compelling reason is present to place
|
|
them in the PRoT.
|
|
|
|
These divisions are distinct from the **untrusted code**, which runs in the
|
|
non-secure environment, and has the least privilege in the system. This is the
|
|
Zephyr application image in this case.
|
|
|
|
Isolation Levels
|
|
----------------
|
|
|
|
At present, there are three distinct **isolation levels** defined in TF-M,
|
|
with increasingly rigid boundaries between regions. The isolation level used
|
|
will depend on your security requirements, and the system resources available
|
|
to you.
|
|
|
|
* **Isolation Level 1** is the lowest isolation level, and the only major
|
|
boundary is between the secure and non-secure processing environment,
|
|
usually by means of Arm TrustZone on Armv8-M processors. There is no
|
|
distinction here between the PSA Updateable Root of Trust (PRoT) and the
|
|
Application Root of Trust (ARoT). They execute at the same privilege level.
|
|
This isolation level will lead to the smallest combined application images.
|
|
* **Isolation Level 2** builds upon level one by introducing a distinction
|
|
between the PSA Updateable Root of Trust and the Application Root of Trust,
|
|
where ARoT services have limited access to PRoT services, and can only
|
|
communicate with them through public APIs exposed by the PRoT services.
|
|
ARoT services, however, are not strictly isolated from one another.
|
|
* **Isolation Level 3** is the highest isolation level, and builds upon level
|
|
2 by isolating ARoT services from each other, so that each ARoT is
|
|
essentially silo'ed from other services. This provides the highest level of
|
|
isolation, but also comes at the cost of additional overhead and code
|
|
duplication between services.
|
|
|
|
The current isolation level can be checked via
|
|
:kconfig:`CONFIG_TFM_ISOLATION_LEVEL`.
|
|
|
|
Secure Boot
|
|
===========
|
|
|
|
The default secure bootloader in TF-M is based on
|
|
`MCUBoot <https://www.mcuboot.com/>`__, and is referred to as ``BL2`` in TF-M
|
|
(for the second-stage bootloader, potentially after a HW-based bootloader on
|
|
the secure MCU, etc.).
|
|
|
|
All images in TF-M are hashed and signed, with the hash and signature verified
|
|
by MCUBoot during the firmware update process.
|
|
|
|
Some key features of MCUBooot as used in TF-M are:
|
|
|
|
* Public signing key(s) are baked into the bootloader
|
|
* S and NS images can be signed using different keys
|
|
* Firmware images can optionally be encyrpted
|
|
* Client software is responsible for writing a new image to the secondary slot
|
|
* By default, uses static flash layout of two identically-sized memory regions
|
|
* Optional security counter for rollback protection
|
|
|
|
When dealing with (optionally) encrypted images:
|
|
|
|
* Only the payload is encrypted (header, TLVs are plain text)
|
|
* Hashing and signing are applied over the un-encrypted data
|
|
* Uses ``AES-CTR-128`` or ``AES-CTR-256`` for encryption
|
|
* Encryption key randomized every encryption cycle (via ``imgtool``)
|
|
* The ``AES-CTR`` key is included in the image and can be encrypted using:
|
|
|
|
* ``RSA-OAEP``
|
|
* ``AES-KW`` (128 or 256 bits depending on the ``AES-CTR`` key length)
|
|
* ``ECIES-P256``
|
|
* ``ECIES-X25519``
|
|
|
|
Key config properties to control secure boot in Zephyr are:
|
|
|
|
* :kconfig:`CONFIG_TFM_BL2` toggles the bootloader (default = ``y``).
|
|
* :kconfig:`CONFIG_TFM_KEY_FILE_S` overrides the secure signing key.
|
|
* :kconfig:`CONFIG_TFM_KEY_FILE_NS` overrides the non-secure signing key.
|
|
|
|
Secure Processing Environment
|
|
=============================
|
|
|
|
Once the secure bootloader has finished executing, a TF-M based secure image
|
|
will begin execution in the **secure processing environment**. This is where
|
|
our device will be initially configured, and any secure services will be
|
|
initialised.
|
|
|
|
Note that the starting state of our device is controlled by the secure firmware,
|
|
meaning that when the non-secure Zephyr application starts, peripherals may
|
|
not be in the HW-default reset state. In case of doubts, be sure to consult
|
|
the board support packages in TF-M, available in the ``platform/ext/target/``
|
|
folder of the TF-M module (which is in ``modules/tee/tf-m/trusted-firmware-m/``
|
|
within a default Zephyr west workspace.)
|
|
|
|
Secure Services
|
|
---------------
|
|
|
|
As of TF-M 1.4.1, the following secure services are generally available (although vendor support may vary):
|
|
|
|
* Audit Logging (Audit)
|
|
* Crypto (Crypto)
|
|
* Firmware Update (FWU)
|
|
* Initial Attestation (IAS)
|
|
* Platform (Platform)
|
|
* Secure Storage, which has two parts:
|
|
|
|
* Internal Trusted Storage (ITS)
|
|
* Protected Storage (PS)
|
|
|
|
A template also exists for creating your own custom services.
|
|
|
|
For full details on these services, and their exposed APIs, please consult the
|
|
`TF-M Documentation <https://tf-m-user-guide.trustedfirmware.org/>`__.
|
|
|
|
Key Management and Derivation
|
|
-----------------------------
|
|
|
|
Key and secret management is a critical part of any secure device. You need to
|
|
ensure that key material is available to regions that require it, but not to
|
|
anything else, and that it is stored securely in a way that makes it difficult
|
|
to tamper with or maliciously access.
|
|
|
|
The **Internal Trusted Storage** service in TF-M is used by the **PSA Crypto**
|
|
service (which itself makes use of mbedtls) to store keys, and ensure that
|
|
private keys are only ever accessible to the secure processing environment.
|
|
Crypto operations that make use of key material, such as when signing payloads
|
|
or when decrypting sensitive data, all take place via key handles. At no point
|
|
should the key material ever be exposed to the NS environment.
|
|
|
|
One exception is that private keys can be provisioned into the secure
|
|
processing environment as a one-way operation, such as during a factory
|
|
provisioning process, but even this should be avoided where possible, and a
|
|
request should be made to the SPE (via the PSA Crypto service) to generate a
|
|
new private key itself, and the public key for that can be requested during
|
|
provisioning and logged in the factory. This ensures the private key
|
|
material is never exposed, or even known during the provisioning phase.
|
|
|
|
TF-M also makes extensive use of the **Hardware Unique Key (HUK)**, which
|
|
every TF-M device must provide. This device-unique key is used by the
|
|
**Protected Storage** service, for example, to encrypt information stored in
|
|
external memory. For example, this ensures that the contents of flash memory
|
|
can't be decrypted if they are removed and placed on a new device, since each
|
|
device has its own unique HUK used while encrypting the memory contents
|
|
the first time.
|
|
|
|
HUKs provide an additional advantage for developers, in that they can be used
|
|
to derive new keys, and the **derived keys** don't need to be stored since
|
|
they can be regenerated from the HUK at startup, using an additional salt/seed
|
|
value (depending on the key derivation algorithm used). This removes the
|
|
storage issue and a frequent attack vector. The HUK itself it usually highly
|
|
protected in secure devices, and inaccessible directly by users.
|
|
|
|
``TFM_CRYPTO_ALG_HUK_DERIVATION`` identifies the default key derivation
|
|
algorithm used if a software implementation is used. The current default
|
|
algorithm is ``HKDF`` (RFC 5869) with a SHA-256 hash. Other hardware
|
|
implementations may be available on some platforms.
|
|
|
|
Non-Secure Processing Environment
|
|
=================================
|
|
|
|
Zephyr is used for the NSPE, using a board that is supported by TF-M where the
|
|
:kconfig:`CONFIG_BUILD_WITH_TFM` flag has been enabled.
|
|
|
|
Generally, you simply need to select the ``*_ns`` variant of a valid target
|
|
(for example ``mps2_an521_ns``), which will configure your Zephyr application
|
|
to run in the NSPE, correctly build and link it with the TF-M secure images,
|
|
sign the secure and non-secure images, and merge the three binaries into a
|
|
single ``tfm_merged.hex`` file. The :ref:`west flash <west-flashing>` command
|
|
will flash ``tfm_merged.hex`` by default in this configuration.
|
|
|
|
At present, Zephyr can not be configured to be used as the secure processing
|
|
environment.
|