TF-M Profiles
=============

Capabilities and resources vary dramatically across IoT devices.
Some IoT devices have very limited memory. Software on those devices should keep a
small memory footprint and provide only basic functionality.
Other devices have more memory and extended storage, and can support stronger
software capabilities.

Diverse IoT use cases also call for different levels of security and place different
requirements on device resources.
For example, use cases require different cipher capabilities, and the choice of cipher suites can be
sensitive to memory footprint on resource-constrained devices.

Trusted Firmware-M (TF-M) defines several general profiles, such as Profile Small, Profile Medium,
Profile Medium ARoT-less and Profile Large, to provide different levels of security to fit diverse
device capabilities and use cases. Each profile is applied on top of the base configuration.

Each profile specifies a predefined list of features, targeting typical use cases with specific
hardware constraints. Profiles can serve as reference designs that developers build on with
further development and configuration for their use case.

TF-M Profiles align with Platform Security Architecture (PSA) specifications and certification
guidelines. They can help vendors simplify security configuration for PSA certification.

The table below compares the profiles; the pages linked below discuss each one
in detail.

.. toctree::
    :maxdepth: 1
    :glob:

    Small <tfm_profile_small>
    ARoT-less <tfm_profile_medium_arot-less>
    Medium <tfm_profile_medium>
    Large <tfm_profile_large>

+----------------------------------------+--------+--------+---------+--------+--------+
| Option                                 | Base   | Small  |ARoT-less| Medium | Large  |
+========================================+========+========+=========+========+========+
| TFM_ISOLATION_LEVEL                    | 1      | 1      | 1       | 2      | 3      |
+----------------------------------------+--------+--------+---------+--------+--------+
| CONFIG_TFM_SPM_BACKEND                 | SFN    | SFN    | SFN     | IPC    | IPC    |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_CRYPTO                   | OFF    | ON     | ON      | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_INTERNAL_TRUSTED_STORAGE | OFF    | ON     | ON      | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_PLATFORM                 | OFF    | OFF    | ON      | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_PROTECTED_STORAGE        | OFF    | OFF    | OFF     | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_INITIAL_ATTESTATION      | OFF    | ON     | ON      | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| SYMMETRIC_INITIAL_ATTESTATION          | OFF    | ON     | OFF     | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_FIRMWARE_UPDATE          | OFF    | OFF    | ON      | OFF    | OFF    |
+----------------------------------------+--------+--------+---------+--------+--------+
| *Advanced options, defined in the corresponding header (.h) file*                    |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_ENGINE_BUF_SIZE                 | 0x2080 | 0x400  | 0x2080  | 0x2080 | 0x2080 |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_ASYM_SIGN_MODULE_DISABLED       | OFF    | ON     | OFF     | OFF    | OFF    |
+----------------------------------------+--------+--------+---------+--------+--------+
| PS_CRYPTO_AEAD_ALG                     | GCM    | GCM    | CCM     | CCM    | GCM    |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_ASYM_ENCRYPT_MODULE_DISABLED    | OFF    | ON     | ON      | ON     | OFF    |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_SINGLE_PART_FUNCS_DISABLED      | OFF    | ON     | OFF     | OFF    | OFF    |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_CONC_OPER_NUM                   | 8      | 4      | 8       | 8      | 8      |
+----------------------------------------+--------+--------+---------+--------+--------+
| PSA_FRAMEWORK_HAS_MM_IOVEC             | OFF    | ON     | OFF     | OFF    | OFF    |
+----------------------------------------+--------+--------+---------+--------+--------+
| CONFIG_TFM_CONN_HANDLE_MAX_NUM         | 8      | 3      | 8       | 8      | 8      |
+----------------------------------------+--------+--------+---------+--------+--------+
| ITS_BUF_SIZE                           |        | 32     | 32      |        |        |
+----------------------------------------+--------+--------+---------+--------+--------+
| MCUBOOT_IMAGE_NUMBER                   |        | 1      |         |        |        |
+----------------------------------------+--------+--------+---------+--------+--------+

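The following Python example is added here and is not part of the TF-M documentation or code base. It audits a build's CMake cache against the build-option rows of the table above and reports each deviation from the chosen profile, such as a lowered isolation level or a disabled partition. It assumes the options are stored as ``NAME:TYPE=VALUE`` entries in ``CMakeCache.txt``; the names ``audit`` and ``parse_cache`` and the sample cache are constructed for illustration.

```python
import re

# Build-option rows of the table above: (Small, ARoT-less, Medium, Large).
# Assumption: the build stores these options as entries in CMakeCache.txt.
OPTIONS = {
    "TFM_ISOLATION_LEVEL": ("1", "1", "2", "3"),
    "CONFIG_TFM_SPM_BACKEND": ("SFN", "SFN", "IPC", "IPC"),
    "TFM_PARTITION_CRYPTO": ("ON", "ON", "ON", "ON"),
    "TFM_PARTITION_INTERNAL_TRUSTED_STORAGE": ("ON", "ON", "ON", "ON"),
    "TFM_PARTITION_PLATFORM": ("OFF", "ON", "ON", "ON"),
    "TFM_PARTITION_PROTECTED_STORAGE": ("OFF", "OFF", "ON", "ON"),
    "TFM_PARTITION_INITIAL_ATTESTATION": ("ON", "ON", "ON", "ON"),
    "SYMMETRIC_INITIAL_ATTESTATION": ("ON", "OFF", "ON", "ON"),
    "TFM_PARTITION_FIRMWARE_UPDATE": ("OFF", "ON", "OFF", "OFF"),
}
COLUMN = {"small": 0, "arot-less": 1, "medium": 2, "large": 3}
TRUE, FALSE = {"1", "ON", "YES", "TRUE", "Y"}, {"0", "OFF", "NO", "FALSE", "N", ""}
CACHE_LINE = re.compile(r"^([A-Za-z_]\w*):[A-Z]+=(.*)$")  # NAME:TYPE=VALUE

def parse_cache(text):
    """Return {name: value} for cache entries; comment lines do not match."""
    matches = (CACHE_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def audit(cache_text, profile):
    """List (option, expected, found) for each deviation from the profile."""
    cache, col, findings = parse_cache(cache_text), COLUMN[profile], []
    for option, columns in OPTIONS.items():
        want, got = columns[col], cache.get(option)
        if got is not None and want in ("ON", "OFF"):  # fold boolean spellings
            got = got.upper()
            got = "ON" if got in TRUE else "OFF" if got in FALSE else got
        if got != want:
            findings.append((option, want, got))  # got is None when absent
    return findings

# Constructed sample cache, not output from a real build.
SAMPLE_CACHE = """\
TFM_ISOLATION_LEVEL:STRING=1
CONFIG_TFM_SPM_BACKEND:STRING=IPC
TFM_PARTITION_CRYPTO:BOOL=ON
TFM_PARTITION_INTERNAL_TRUSTED_STORAGE:BOOL=TRUE
TFM_PARTITION_PLATFORM:BOOL=ON
TFM_PARTITION_PROTECTED_STORAGE:BOOL=OFF
TFM_PARTITION_INITIAL_ATTESTATION:BOOL=ON
SYMMETRIC_INITIAL_ATTESTATION:BOOL=ON
"""
```

Calling ``audit(SAMPLE_CACHE, "medium")`` reports the lowered isolation level, the disabled Protected Storage partition, and the absent firmware update entry. The advanced options are not covered because the table places them in header files rather than in the build options.
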
Each profile has a predefined configuration for the cryptographic library, located in
``/lib/ext/mbedcrypto/mbedcrypto_config/``.

--------------

*Copyright (c) 2020, Arm Limited. All rights reserved.*