author: David Hu <david.hu@arm.com> 2021-05-12 15:52:16 +0800
committer: David Hu <david.hu@arm.com> 2021-05-21 05:07:05 +0200
commit: f40be9345761f6e6f0757dc74330e5270c5c0dda (patch)
tree: b35ccb3fc41d6b38586e9d8840172692d3ecb584 /docs
parent: 0c250bcb1506d99eded650ea8f21c1f32a0723e9 (diff)
Profiles: Update Profile Medium document and default configs
Update Profile Medium design document.
Refine Profile Medium configs.
Disable asymmetric encryption by default.

Change-Id: I7e42751073192a74532396fb4251c775b7b2fb3b
Signed-off-by: David Hu <david.hu@arm.com>
Diffstat (limited to 'docs')
-rw-r--r-- docs/technical_references/profiles/tfm_profile_medium.rst | 60
1 file changed, 36 insertions, 24 deletions
diff --git a/docs/technical_references/profiles/tfm_profile_medium.rst b/docs/technical_references/profiles/tfm_profile_medium.rst
index b1ab1c178..ab552f18d 100644
--- a/docs/technical_references/profiles/tfm_profile_medium.rst
+++ b/docs/technical_references/profiles/tfm_profile_medium.rst
@@ -33,7 +33,7 @@ TF-M Profile Medium defines the following feature set:
- Crypto
- - Support both symmetric ciphers and asymmetric ciphers
+ - Support both symmetric cryptography and asymmetric cryptography
- Asymmetric key based cipher suite suggested in TLS/DTLS profiles for
IoT [RFC7925]_ and CoAP [RFC7252]_, including
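Review bot: the feature-set bullet now reads "Support both symmetric cryptography and asymmetric cryptography", but this same change switches asymmetric encryption off by default (`CRYPTO_ASYM_ENCRYPT_MODULE_DISABLED` is set to `ON` in the config table below); state here which asymmetric operations the profile actually provides, for example "asymmetric signature/verification and key agreement as used by the TLS/DTLS cipher suites below", so the bullet does not promise asymmetric encryption that the default build no longer offers.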
@@ -94,8 +94,9 @@ TF-M IPC model implementation follows the PSA Firmware Framework for M
Crypto service
==============
-Compared to Profile Small, Profile Medium includes asymmetric cipher to support
-direct connection to Cloud services via common protocols, such as TLS/DTLS 1.2.
+Compared to Profile Small, Profile Medium includes asymmetric cryptography to
+support direct connection to Cloud services via common protocols, such as
+TLS/DTLS 1.2.
As suggested in CoAP [RFC7252]_ and [RFC7925]_, TF-M Profile Medium by default
selects ``TLS_ECDHE_ECDSA_WITH_AES_128_CCM`` as reference, which requires:
@@ -253,6 +254,9 @@ shown below.
+--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
| ``TFM_PARTITION_CRYPTO`` | ``ON`` | Enable Crypto service |
+--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
+ | ``CRYPTO_ASYM_ENCRYPT_MODULE_DISABLED`` | ``ON`` | Disable Crypto asymmetric |
+ | | | encryption operations |
+ +--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
| ``TFM_MBEDCRYPTO_CONFIG_PATH`` | ``${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h`` | Mbed Crypto config file path |
+--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
| ``TFM_PARTITION_INITIAL_ATTESTATION`` | ``ON`` | Enable Initial Attestation service |
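Review bot: the description of the new `CRYPTO_ASYM_ENCRYPT_MODULE_DISABLED` row, "Disable Crypto asymmetric encryption operations", should say that asymmetric signature and verification stay enabled, since the profile's reference cipher suite `TLS_ECDHE_ECDSA_WITH_AES_128_CCM` depends on ECDSA; as written a reader may conclude the default build cannot run the suite the document recommends. If the Mbed Crypto config referenced in the next row (`tfm_mbedcrypto_config_profile_medium.h`) also has to drop the corresponding algorithms for this switch to take effect, note that dependency in the same row.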
@@ -292,23 +296,23 @@ Some cryptography tests are disabled due to the reduced Mbed Crypto config.
:widths: auto
:align: center
- +--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
- | Configs | Default value | Descriptions |
- +============================================+=====================================================================================================+=====================================+
- | ``TFM_CRYPTO_TEST_ALG_CBC`` | ``OFF`` | Test CBC cryptography mode |
- +--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
- | ``TFM_CRYPTO_TEST_ALG_CCM`` | ``ON`` | Test CCM cryptography mode |
- +--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
- | ``TFM_CRYPTO_TEST_ALG_CFB`` | ``OFF`` | Test CFB cryptography mode |
- +--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
- | ``TFM_CRYPTO_TEST_ALG_CTR`` | ``OFF`` | Test CTR cryptography mode |
- +--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
- | ``TFM_CRYPTO_TEST_ALG_GCM`` | ``OFF`` | Test GCM cryptography mode |
- +--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
- | ``TFM_CRYPTO_TEST_ALG_SHA_512`` | ``OFF`` | Test SHA-512 cryptography algorithm |
- +--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
- | ``TFM_CRYPTO_TEST_HKDF`` | ``OFF`` | Test SHA-512 cryptography algorithm |
- +--------------------------------------------+-----------------------------------------------------------------------------------------------------+-------------------------------------+
+ +--------------------------------------------+---------------+--------------------------------+
+ | Configs | Default value | Descriptions |
+ +============================================+===============+================================+
+ | ``TFM_CRYPTO_TEST_ALG_CBC`` | ``OFF`` | Disable CBC mode test |
+ +--------------------------------------------+---------------+--------------------------------+
+ | ``TFM_CRYPTO_TEST_ALG_CCM`` | ``ON`` | Enable CCM mode test |
+ +--------------------------------------------+---------------+--------------------------------+
+ | ``TFM_CRYPTO_TEST_ALG_CFB`` | ``OFF`` | Disable CFB mode test |
+ +--------------------------------------------+---------------+--------------------------------+
+ | ``TFM_CRYPTO_TEST_ALG_CTR`` | ``OFF`` | Disable CTR mode test |
+ +--------------------------------------------+---------------+--------------------------------+
+ | ``TFM_CRYPTO_TEST_ALG_GCM`` | ``OFF`` | Disable GCM mode test |
+ +--------------------------------------------+---------------+--------------------------------+
+ | ``TFM_CRYPTO_TEST_ALG_SHA_512`` | ``OFF`` | Disable SHA-512 algorithm test |
+ +--------------------------------------------+---------------+--------------------------------+
+ | ``TFM_CRYPTO_TEST_HKDF`` | ``OFF`` | Disable HKDF algorithm test |
+ +--------------------------------------------+---------------+--------------------------------+
Device configuration extension
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
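Review bot: the rewritten Descriptions column bakes the default into the text ("Disable CBC mode test" for `OFF`, "Enable CCM mode test" for `ON`), which duplicates the Default value column and goes stale the moment a default flips; keep the descriptions neutral ("Test CBC mode", "Test CCM mode", "Test HKDF") and let the value column carry ON/OFF. The rewrite does fix the copy-paste error in the old `TFM_CRYPTO_TEST_HKDF` row, which said "Test SHA-512 cryptography algorithm"; that deserves a line in the commit message.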
@@ -323,16 +327,24 @@ Crypto service configurations
Crypto Secure Partition
^^^^^^^^^^^^^^^^^^^^^^^
-TF-M Profile Medium enables Crypto SP in top-level CMake config file and selects
-all the Crypto modules.
+TF-M Profile Medium enables Crypto SP in top-level CMake config file.
+The following PSA Crypto operationts are enabled by default.
+
+ - Hash operations
+ - Message authentication codes
+ - Symmetric ciphers
+ - AEAD operations
+ - Asymmetric key algorithm based signature and verification
+ - Key derivation
+ - Key management
Mbed Crypto configurations
^^^^^^^^^^^^^^^^^^^^^^^^^^
TF-M Profile Medium adds a dedicated Mbed Crypto config file
``tfm_mbedcrypto_config_profile_medium.h`` at
-``/lib/ext/mbedcrypto/mbedcrypto_config``
-file, instead of the common one ``tfm_mbedcrypto_config_default.h`` [CRYPTO-DESIGN]_.
+``/lib/ext/mbedcrypto/mbedcrypto_config`` folder, instead of the common one
+``tfm_mbedcrypto_config_default.h`` [CRYPTO-DESIGN]_.
Major Mbed Crypto configurations are set as listed below:
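Review bot: the new list of PSA Crypto operations enabled by default has no entry for key agreement, yet the profile's reference cipher suite `TLS_ECDHE_ECDSA_WITH_AES_128_CCM` needs ECDHE; if key agreement is meant to be covered by the "Key derivation" bullet, say so explicitly, otherwise add it as its own bullet. Also fix the typo "operationts" in "The following PSA Crypto operationts are enabled by default."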