Version 13 vs 38
Version 13 vs 38
Content Changes
Content Changes
TF-M has been under active development since it was launched in Q1'18. It is being designed to include
1. //**Secure boot**// ensuring integrity of runtime images and responsible for firmware upgrade.
2. Runtime firmware consisting of
//** TF-M Core**// responsible for secure isolation, execution and communication aspects. and a set of Secure Services
providing services to the Non-Secure and Secure Applications. The secures services currently planned to be supported are
//**Secure Storage, Cryptography, Audit Logs, Attestation, Provisioning and Platform Services**//
Roadmap below shows when the services are getting supported and then enhanced.
Currently Supported Features
- [[ http://git.trustedfirmware.org/trusted-firmware-m.git/tree/bl2/ext/mcuboot | Secure Boot]]
- [[ https://developer.trustedfirmware.org/w/tf_m/design/ipc_design/ | TF-M Core - Inter Process Communication (IPC)]]
- [[ http://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/user_guides/services/tfm_sst_integration_guide.md | Secure Storage]]
- [[ http://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/user_guides/services/tfm_audit_integration_guide.md | Audit Logs]]
- [[ https://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/user_guides/services/tfm_crypto_integration_guide.md | Crypto Secure Service]]
- [[ https://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/user_guides/services/tfm_attestation_integration_guide.md | Initial Attestation Service ]]
[[ https://developer.trustedfirmware.org/w/tf_m/design/secure_partition_interrupt_handling/ | Secure Partition Interrupt Handling ]]
- [Platform] Reset Service
- [Attestation] EAT (Entity Attestation Token) - CBOR, COSE Integration. PSA Compliance
- [Crypto] PSA API Compliance
- [Secure Storage] PSA API Implementation
- [TF-M Core] [[ https://developer.trustedfirmware.org/w/tf_m/design/trusted_firmware-m_isolation_level_2/ | PSA Level2 Isolation ]]
- [Secure Storage,Crypto,Attestation] Compatible with PSA Firmware Framework IPC
- [Secure Boot] [[ https://developer.trustedfirmware.org/w/tf_m/design/trusted_boot/rollback_protection/ | Rollback Protection ]]
- [TF-M Core] Secure Interrupt Handling
- [TF-M Core] Pre-emption of SPE execution
- Dual CPU Enablement
- Open Continuous Integration (CI) System
- [Crypto] Use mbedcrypto
- [Secure Boot] Multiple Image Update
CQ4'19
- [Storage] Crypto Binding
- Boot and Runtime Crypto Hardware Integration
- Dual CPU Hardening
- [Secure Storage] Support Internal Trusted Storage PSA APIs
- PSA FF, API v1.0
Future
- Scheduler - Initial Support
- [Secure Storage] Key Diversification Enhancements
- [Platform] NV Count, Timer
- [Platform] Secure Time
- Secure Debug Investigation
- [Provisioning] Initial Investigation/API Prototype
- [Secure Boot] Key Revocation
- [Secure Storage] Lifecycle Management
- [Crypto] RNG, KDF
- [Audit Logs] Secure Storage, Policy Manager
- [Platform] GPIO, Debug, NONCE
- Secure Debug Prototype
TF-M has been under active development since it was launched in Q1'18. It is being designed to include
1. //**Secure boot**// ensuring integrity of runtime images and responsible for firmware upgrade.
2. Runtime firmware consisting of
//** TF-M Core**// responsible for secure isolation, execution and communication aspects. and a set of Secure Services
providing services to the Non-Secure and Secure Applications. The secures services currently supported are
//**Secure Storage, Cryptography, Firmware Update, Attestation and Platform Services**//
If you are interested in collaborating on any of the roadmap features or other features, please mail TF-M [[ https://lists.trustedfirmware.org/mailman3/lists/tf-m.lists.trustedfirmware.org/ | mailing list ]]
Supported Features
- PSA Firmware Framework v1.0, 1.1 Extension including IPC and SFN modes.
- PSA Level1, 2 and 3 Isolation.
- Secure Boot (mcuboot upstream) including generic fault injection mitigations
- PSA Protected Storage, Internal Trusted Storage v1.0 and Encrypted ITS
- PSA Cryptov1.0 (uses Mbed TLS v3.4.0)
- PSA Initial Attestation Service v1.0
- PSA Firmware Update v1.0
- PSA ADAC Specification Implementation
- Base Config
- kconfig based configuration
- Profile Small, Medium, ARoT-less Medium, Large
- Secure Partition Interrupt Handling, Pre-emption of SPE execution
- Platform Reset Service
- Dual CPU
- Open Continuous Integration (CI) System
- Boot and Runtime Crypto Hardware Integration
- Fault Injection Handling library to mitigate against physical attacks
- Threat Model
- Arm v8.1-M Privileged Execute Never (PXN) attribute and Thread reentrancy disabled (TRD)
- FPU, MVE Support
- CC-312 PSA Cryptoprocessor Driver Interface
CQ4'23
- TF-M v1.9 release
- Mbed TLS 3.5.0, mcuboot 2.0.0 Integration
- Design, prototype: Supporting multiple clients
i.e. TF-M supporting multiple on core and off core clients on Hetrogeneous (e.g. Cortex-A + Cortex-M platforms)
- Demonstrating TLS in Non-Secure using PSA Crypto APIs in TF-M
- Build System Enhancements - Separate Secure, Non-Secure Builds
- Mailbox interrupt handling
Future:
- Long Term Stable (LTS) support
- Implement support for multiple clients
- Remote Test Infrastructure
- MISRA testing
- TF-M Performance - Further Benchmarking and Optimization
- Scheduler - Multiple Secure Context Implementation
- Arm v8.1-M Architecture Enablement - PAC/BTI
- PSA FWU Service Enhancements
- PSA ADAC Spec - Enhancements and Testing
- Arm v8.1-M Unprevileged Debug
- [Secure Storage] Extended PSA APIs, Key Diversification Enhancements
- [Audit Logs] Secure Storage, Policy Manager
- PSA FF Lifecycle API
- Fuzz Testing
TF-M has been under active development since it was launched in Q1'18. It is being designed to include
1. //**Secure boot**// ensuring integrity of runtime images and responsible for firmware upgrade.
2. Runtime firmware consisting of
//** TF-M Core**// responsible for secure isolation, execution and communication aspects. and a set of Secure Services
providing services to the Non-Secure and Secure Applications. The secures services currently planned to be supported are
//**Secure Storage, Cryptography, Audit Logs, AttestationFirmware Update, ProvisioningAttestation and Platform Services**//
Roadmap below shows when the services are getting supported and then enhanced.
Currently If you are interested in collaborating on any of the roadmap features or other features, please mail TF-M [[ https://lists.trustedfirmware.org/mailman3/lists/tf-m.lists.trustedfirmware.org/ | mailing list ]]
Supported Features
- [[ http://git.trustedf- PSA Firmware.org/trusted-firmware-m.git/tree/bl2/ext/mcuboot | Secure Boot]] Framework v1.0, 1.1 Extension including IPC and SFN modes.
- [[ https://d- PSA Leveloper.trustedfirmware.org/w/tf_m/design/ipc_design/ | TF-M Core - Inter Process Communic1, 2 and 3 Isolation (IPC)]].
- [[ http://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/user_guides/services/tfm_sst_integration_guide.md | Secure Storage]]Secure Boot (mcuboot upstream) including generic fault injection mitigations
- [[ http://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/user_guides/services/tfm_audit_integration_guide.md | Audit Logs]]PSA Protected Storage, Internal Trusted Storage v1.0 and Encrypted ITS
- [[ https://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/user_guides/services/tfm_crypto_integration_guide.md | Crypto Secure Service]]PSA Cryptov1.0 (uses Mbed TLS v3.4.0)
- [[ https://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/user_guides/services/tfm_attestation_integration_guide.md | Initial Attestation Service ]]PSA Initial Attestation Service v1.0
[[ https://developer.trustedfirmware.org/w/tf_m/design/secure_partition_interrupt_handling/ | Secure Partition Interrupt Handling ]]
- [Platform] Reset Service
- [Attestation] EAT (Entity Attestation Token) - CBOR, COSE Integration. PSA Compliance- PSA Firmware Update v1.0
- [Crypto]- PSA API Compliance
- [Secure Storage] PSA APIDAC Specification Implementation
- [TF-M Core] [[ https://developer.trustedfirmware.org/w/tf_m/design/trusted_firmware-m_isolation_level_2/ | PSA Level2 Isolation ]] Base Config
- [Secure Storage,Crypto,Attestation] Compatible with PSA Firmware Framework IPC- kconfig based configuration
- [Secure Boot] [[ https://developer.trustedfirmware.org/w/tf_m/design/trusted_boot/rollback_protection/ | Rollback Protection ]]- Profile Small, Medium, ARoT-less Medium, Large
- [TF-M Core] Secure- Secure Partition Interrupt Handling, Pre-emption of SPE execution
- [TF-M Core] Pre-emption of SPE execution- Platform Reset Service
- Dual CPU Enablement
- Open Continuous Integration (CI) System
- [Crypto] Use mbedc- Boot and Runtime Crypto
- [Secure Boot] Multiple Image Update
CQ4'19Hardware Integration
- [Storage] Crypto Binding - Fault Injection Handling library to mitigate against physical attacks
- Boot and Runtime Crypto Hardware Integration- Threat Model
- Dual CPU Hardening- Arm v8.1-M Privileged Execute Never (PXN) attribute and Thread reentrancy disabled (TRD)
- [Secure Storage]- FPU, MVE Support Internal Trusted Storage PSA APIsrt
-- CC-312 PSA FF, API v1.0Cryptoprocessor Driver Interface
FutureCQ4'23
- Scheduler - Initial Support- TF-M v1.9 release
- [Secure Storage] Key Diversification Enhancements- Mbed TLS 3.5.0, mcuboot 2.0.0 Integration
- [Platform] NV Count- Design, Timer
- [Platform] Secure Timeprototype: Supporting multiple clients
- Secure Debug Investigation i.e. TF-M supporting multiple on core and off core clients on Hetrogeneous (e.g. Cortex-A + Cortex-M platforms)
- [Provisioning] Initial Investigation/API Prototype- Demonstrating TLS in Non-Secure using PSA Crypto APIs in TF-M
- [- Build System Enhancements - Separate Secure, Non-Secure Boot] Key Revocationuilds
- Mailbox interrupt handling
Future:
- [Secure Storage] Lifecycle Management- Long Term Stable (LTS) support
- Implement support for multiple clients
- [Crypto] RNG, KDF- Remote Test Infrastructure
- MISRA testing
- TF-M Performance - Further Benchmarking and Optimization
- Scheduler - Multiple Secure Context Implementation
- Arm v8.1-M Architecture Enablement - PAC/BTI
- PSA FWU Service Enhancements
- PSA ADAC Spec - Enhancements and Testing
- Arm v8.1-M Unprevileged Debug
- [Secure Storage] Extended PSA APIs, Key Diversification Enhancements
- [Audit Logs] Secure Storage, Policy Manager
- [Platform] GPIO, Debug, NONCE- PSA FF Lifecycle API
- Secure Debug Prototype- Fuzz Testing