| Julian Hall | e76ade8 | 2020-11-25 03:07:21 +0100 | [diff] [blame^] | 1 | PSA Certification Requirements |
| 2 | ============================== |
| 3 | |
| 4 | Trusted services contribute to meeting PSA security requirements. In the context of PSA certification, the scope and required |
| 5 | capabilities of supported trusted services are guided by: |
| 6 | |
| 7 | - The security primitives needed by system software for PSA level 1 checklist compliance. |
| 8 | - Test coverage of the certification test suite used for PSA Functional API certification. |
| 9 | |
| 10 | To determine what security primitives are needed, the 'system software' PSA scope has been used as a reference. The current PSA |
| 11 | level 1 questionnaire is highly Cortex-M specific so some interpretation is needed to map requirements to Cortex-A based designs |
| 12 | that use a rich-OS such as Linux. The following assessment is based on the assumption that the PSA system software scope |
| 13 | encompasses an entire Linux distribution. The reference system software for the assessment will include: |
| 14 | |
| 15 | - TF-A. |
| 16 | - Secure partition manager (OP-TEE with FF-A extensions performs this role). |
| 17 | - Set of trusted services, deployed in S-EL0 secure partitions that are built-in to the OP-TEE image to allow early loading. |
| 18 | - Normal-world boot loader. EDK2 with Grub used as reference. |
| 19 | - Linux kernel. |
| 20 | - Root filesystem that includes generic services, libraries and program binaries. |
| 21 | |
| 22 | Product developers will extend the base distribution to add application specific components. |
| 23 | |
| 24 | PSA System Software Questionnaire Analysis |
| 25 | ------------------------------------------ |
| 26 | |
| 27 | The following table lists PSA level 1 assessment questions with an attempt to identify the back-end security primitives that are |
| 28 | needed to meet the requirement. The table is based on PSA Certified Level 1 Questionnaire Version 2.1. |
| 29 | |
| 30 | .. list-table:: PSA Questionnaire Analysis |
| 31 | :widths: 13 40 15 15 28 |
| 32 | :header-rows: 1 |
| 33 | |
| 34 | * - Requirement |
| 35 | - Summary |
| 36 | - Depends on |
| 37 | - TS used |
| 38 | - Comment |
| 39 | * - R1.1 |
| 40 | - | System software and application software update |
| 41 | | verification using immutable root-of-trust. |
| 42 | - Verify signed hash |
| 43 | - Crypto |
| 44 | - Depends on secure for persistent key storage. |
| 45 | * - R1.2 |
| 46 | - | System software and application software update |
| 47 | | anti-rollback protection. |
| 48 | - Increment only NV counter |
| 49 | - | Secure Storage (for protecting normal |
| 50 | | world components) |
| 51 | - | TF-A uses OTP fuses for early boot stages. This requirement is much more difficult to meet |
| 52 | | on Cortex-A compared to M as |
| 53 | | there are potentially many separately updatable components. |
| 54 | * - R2.1 |
| 55 | - Protected device ID |
| 56 | - Sign hash |
| 57 | - Crypto |
| 58 | - Depends on secure storage for persistent key storage. |
| 59 | * - R2.2 |
| 60 | - Secure storage |
| 61 | - Replay protected persistent storage, tied to device |
| 62 | - Secure storage |
| 63 | - | A filesystem mount that provided file storage with the required security properties would be |
| 64 | | the conventional interface for user-space processes. |
| 65 | * - R2.3 |
| 66 | - Crypto best practices |
| 67 | - TRNG for random number and key generation |
| 68 | - Crypto |
| 69 | - Crypto service will need an entropy source. |
| 70 | * - R3.1 |
| 71 | - Remote server authentication |
| 72 | - Verify signed hash |
| 73 | - Crypto |
| 74 | - Depends on secure storage for persistent key storage. |
| 75 | * - R3.2 |
| 76 | - Communication encryption |
| 77 | - Kernel encryption support |
| 78 | - None |
| 79 | - Not a use-case for trusted services. |
| 80 | * - R3.3 |
| 81 | - TLS authentication support |
| 82 | - Sign & verify hash |
| 83 | - Crypto |
| 84 | - TLS library such as Mbed TLS needs to use Crypto service. |
| 85 | * - R4.1 |
| 86 | - Provide attestation token for device life-cycle state |
| 87 | - Secure life-cycle state variable, Sign message. |
| 88 | - Attestation, Secure lifecycle, Crypto |
| 89 | - |
| 90 | * - R4.2 |
| 91 | - Unused functionality disabled |
| 92 | - Secure life-cycle state variable |
| 93 | - Secure Lifecycle |
| 94 | - | Although the PSA questionnaire doesn't state this, in practice, the minimal capabilities |
| 95 | | required will depend on the device lifecycle state. This will extend to all parts of the |
| 96 | | system software, including trusted service capabilities. |
| 97 | * - R4.3 |
| 98 | - Secure logging |
| 99 | - Sign hash for non-repudiable log. |
| 100 | - Crypto |
| 101 | - | PSA questionnaire isn't specific about non-repudiation but for security auditing purposes, |
| 102 | | this may be a requirement. For example, for industrial IoT applications where conformance |
| 103 | | to IEC 62443 is important, verifiable log data that can be reliably traced, back to the |
| 104 | | originating device is understood to be required. |
| 105 | * - R4.4 |
| 106 | - Restricted log file access |
| 107 | - File access control |
| 108 | - None |
| 109 | - File access using standard Linux DAC or MAC if used. |
| 110 | * - R4.5 |
| 111 | - Data on external interfaces checked defensively |
| 112 | - Good coding practices in application components |
| 113 | - |
| 114 | - | The same could be applied for messages crossing any security boundary e.g. trusted service |
| 115 | | interfaces. PSA only mentions external interfaces and critical APIs but for Cortex-A, this |
| 116 | | likely to be insufficient. |
| 117 | * - R4.6 |
| 118 | - Principle of least privileges |
| 119 | - Use of Linux isolation, access control and other containment methods. |
| 120 | - |
| 121 | - | No direct dependency on trusted services but access to TS held assets must be controlled |
| 122 | | according to principle of least privileges. |
| 123 | * - R5.1 |
| 124 | - Passwords not resettable |
| 125 | - Enforcing password policy |
| 126 | - |
| 127 | - |
| 128 | * - R5.2 |
| 129 | - Password best practices |
| 130 | - Enforcing password policy |
| 131 | - |
| 132 | - |
| 133 | * - R5.3 |
| 134 | - User authentication using critical security parameters |
| 135 | - Depends on auth method |
| 136 | - Crypto (possibly) |
| 137 | - | Requirement is not specific enough to determine if there is a trusted service dependency. |
| 138 | | Dependency may be indirect, say to authenticate an Oauth2 server. |
| 139 | * - R6.1 |
| 140 | - Externally applied configuration signed |
| 141 | - Verify signed hash |
| 142 | - Crypto |
| 143 | - Similar to firmware update verification requirement. |
| 144 | * - R7.1 |
| 145 | - Persistent storage of user data must support destructive erase |
| 146 | - Destructive erase secure Storage (possibly) |
| 147 | - Secure storage |
| 148 | - | File based storage with a filesystem mount with the required security properties would be the |
| 149 | | conventional way to provide persistent storage to user-space processes. |
| 150 | |
| 151 | Observations |
| 152 | ------------ |
| 153 | |
| 154 | - All dependencies on the PSA Crypto service involve persistent keys. Volatile key support is not needed for compliance. |
| 155 | - Applying R4.2 to system software doesn't really make sense. The system software features that are needed are largely |
| 156 | determined by the application software that implements the device functionality. For a supplier of the base system software, |
| 157 | a super-set of required functionality is likely to be the right offering but with the facility to allow features to be |
| 158 | configured by device developers. The ability to apply a configuration that limits functionality would be a more useful goal. |
| 159 | - Although the PSA certification document doesn't mention this, available device capabilities need to be a function of device |
| 160 | life-cycle state. For example, some features used during manufacture should not be available when a device is delivered to |
| 161 | end users. |
| 162 | - It's hard to see anyone using the PSA Protected Storage API directly. However, enabling a filesystem mount with equivalent |
| 163 | security properties would be beneficial. For example, a protected storage filesystem driver that uses the Protected Storage |
| 164 | service as its back-end would be a good fit. The PSA Protected Storage API would never be used directly by user-space |
| 165 | applications. |
| 166 | - Logging with the guarantee of non-repudiation is really required to support audit use-cases. Without that guarantee, it's |
| 167 | just logging. |
| 168 | |
| 169 | PSA Functional API Tests |
| 170 | ------------------------ |
| 171 | |
| 172 | Functional API tests suites are currently available for: |
| 173 | |
| 174 | - PSA Crypto |
| 175 | - PSA Attestation |
| 176 | - PSA Storage |
| 177 | |
| 178 | Running and passing API tests is not a requirement for PSA level 1 certification. However, incorporating the API tests into the |
| 179 | trusted service test process is obviously beneficial as a way of demonstrating a defined set of functionality. |
| 180 | |
| 181 | Functional API tests focus on valid behavior testing and are quite thorough in exercising all required functionality that can be |
| 182 | observed at each API. To pass all tests, the service implementation needs to be complete, at least from a functional |
| 183 | perspective. |
| 184 | |
| 185 | Test code depends on an implementation of the PSA C APIs for each service under test. |
| 186 | |
| 187 | -------------- |
| 188 | |
| 189 | *Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.* |
| 190 | |
| 191 | SPDX-License-Identifier: BSD-3-Clause |