Proof Of Concepts
Updated 10 Days AgoPublic

This page gives information on the Proof Of Concepts (PoCs) based on Trusted Firwamre-M (TF-M). It demonstrates Non-Secure Applications availing Secure Services in Trusted Firmware.

The PoC have been demostrated at various events such as ELC at Edinburgh, Linaro Connect at Vancouver.

1. Pelion Client using TF-M
The PoC is done on a MuscaA board.

One of the Cortex-M33 processor on the MuscaA board runs Trusted Firmware-M on the Secure domain and Pelion client on the Non-Secure domain. mbedOS is the RTOS running on the Non-Secure domain.

The PSK credentials are stored in the Secure domain using the TF-M Secure Storage (SST) service. Pelion client fetches these credentials for establishing secure connection to Pelion portal. Resources (e.g. LED) on board can be accessed using the get/put/post methods over the internet through the Mbed cloud portal, the duration can be changed through pattern resource.

Here is a functional block diagram showing the components involved in the PoC.

Using Secure Storage Service
1.Mbed cloud app fetches PSK from Secure Storage in TFM
2.Keys are used to secure the communication between client and Pelion portal
3.App uses the IP stack (TCP) for communicating with the internet
4.Connection is established between the client and Pelion portal. Client is registered with the portal

Using Secure LED Service
1.Remote server initiates get/put/post commands for resources over internet
2.Pelion client receives these commands
3.Mbed cloud app uses secure LED service to blink the LED in a predetermined pattern.

2. Google IoT Client using TF-M
The PoC is done on a MuscaA board.

One of the Cortex-M33 processor on the MuscaA board runs Trusted Firmware-M on the Secure domain and Google IoT client on the Non-Secure domain. Zephyr is the RTOS running on the Non-Secure domain.

The client requires signed JWT (JSON Web Tokens) to perform handshake with Google MQTT server. The Client running on the Non-Secure side uses JWT sign service in TF-M for signing the token securely. A blink LED secure service in TF-M is invoked whenever the client talks to the service.

Steps:

  1. After secure boot, Trusted Firmware runs in Secure space and jumps to Zephyr.
  2. Zephyr start in Non-Secure. Connect to google server by TCP with TLS handshake
  3. Call secure service from Zephyr to TFM for JWT sign
  4. Connect to MQTT server and subscribe the device config topic
  5. Get the latest configuration from server and publish device status periodically
  6. Blink LED by calling secure service when talking with server

Last Author
shebuk
Projects
None
Subscribers
None