| Julian Hall | 7b59462 | 2022-04-08 14:04:15 +0100 | [diff] [blame] | 1 | Secure Storage Service |
| 2 | ====================== |
| 3 | Overview |
| 4 | -------- |
| Julian Hall | 2075a21 | 2021-03-24 10:11:29 +0000 | [diff] [blame] | 5 | The Secure Storage service provides a generic persistent object store for valuable |
| 6 | assets such as cryptographic keys. The confidentiality and integrity of stored data |
| 7 | is typically achieved using keys that are bound to the device. The backend object |
| 8 | store can be implemented in different ways, depending on available hardware such as: |
| 9 | |
| 10 | * On-SoC secure world peripherals such as NV counters. |
| 11 | * A hardware unique key stored in OTP. |
| 12 | * Internal flash (on-die or in package). |
| 13 | * On-SoC crypto island with persistent storage. |
| 14 | * RPMB partition in a an external eMMC chip. |
| 15 | |
| 16 | The secure storage service provider architecture offers flexibility to use alternative |
| 17 | backend storage implementations to suite available hardware. |
| 18 | |
| 19 | Service Access Protocol |
| 20 | ----------------------- |
| 21 | A client accesses any instance of the Secure Storage service using a common secure |
| 22 | storage access protocol. Although multiple secure storage service instances may exist |
| 23 | on a device, they are all accessed using the same access protocol. By standardizing on |
| 24 | a common protocol, client applications maintain compatibility with any secure storage |
| 25 | provider instance. |
| 26 | |
| 27 | The protocol definition lives here:: |
| 28 | |
| 29 | protocols/service/secure_storage |
| 30 | |
| 31 | PSA Storage Classes |
| 32 | ------------------- |
| 33 | Backend storage implementations that rely on external components, such as a flash chip, |
| 34 | will require security measures that are not necessarily needed when on-chip or in-package |
| 35 | storage is used. The PSA Storage API specification introduces the storage classes |
| 36 | *Protected* and *Internal Trusted* to distinguish between externally and internally provided |
| 37 | storage. These storage class designations are used for naming secure storage service instances. |
| 38 | For example, the secure storage deployment that uses an RPMB backend is referred to as |
| 39 | Protected Storage. The two storage classes have the following characteristics. Both |
| 40 | classes of storage are required to support the notion of data ownership and to implement |
| 41 | access control based on policy set by the owner. |
| 42 | |
| 43 | Internal Trusted Storage |
| 44 | '''''''''''''''''''''''' |
| 45 | Internal trusted storage uses isolated or shielded locations for storage. Example |
| 46 | storage backends could be on-die or in package flash memory that is inherently secure. |
| 47 | Alternatively, storage may be delegated to an on-die secure enclave that offers equivalent |
| 48 | security properities. An external storage device may also be used, as long as there is a |
| 49 | cryptographic binding between the owning secure partition and the stored data that prevents |
| 50 | unauthorized access to the storage device. |
| 51 | |
| 52 | To provide a persisent store for fundamental objects such as device ID and trust anchor |
| 53 | certificates, access control based on the secure lifecycle state should be possible to |
| 54 | support access policies such as r/w during manufacture but read-only in all other lifecycle |
| 55 | states. |
| 56 | |
| 57 | Protected Storage |
| 58 | ''''''''''''''''' |
| 59 | Protected storage uses an external memory device for persistent storage. To meet PSA |
| 60 | security goals, the following protection measures should exist: |
| 61 | |
| 62 | * Privacy and integrity protection to prevent data access and modification by an |
| 63 | unauthorized agent. |
| 64 | * Replay protection to prevent the current set of stored data being replaced by an |
| 65 | old set. |
| 66 | |
| 67 | Common implementation options for a protected store are: |
| 68 | |
| 69 | * RPMB partition in an eMMC device. Access to the device is brokered by a normal-world |
| 70 | agent such as tee-supplicant. |
| 71 | * Dedicated serial flash device with secure-world only access. |
| 72 | * Normal-world filesystem for backend storage. Data is encrypted and integrity protected |
| 73 | in the secure-world. |
| 74 | |
| 75 | PSA Storage C API |
| 76 | ----------------- |
| 77 | For client application developers who wish to use the PSA Storage API to access secure |
| 78 | storage, two storage frontends are available; one that implements the Protected Storage |
| 79 | API and another that implements the Internal Trusted Storage API. |
| 80 | |
| 81 | Storage Frontend and Backend Separation |
| 82 | --------------------------------------- |
| 83 | For flexibility, secure storage components are separated between frontend and backend. |
| 84 | All storage backends implement a common public interface and may be used with any storage |
| 85 | frontend. A storage frontend presents an interface that suites a particular type of consumer. |
| 86 | The following class diagram illustrates how a storage frontend is decoupled from any concrete |
| 87 | storage backend through the use of an abstract storage backend interface. |
| 88 | |
| 89 | .. uml:: uml/SecureStorageClassDiagram.puml |
| 90 | |
| 91 | Some example storage frontends: |
| 92 | |
| 93 | * Secure storage service provider - provides access using the secure storage access protocol. |
| 94 | * ITS frontend - provides secure storage access via PSA Internal Trusted Storage C API |
| 95 | * PS frontend - provides secure storage access via PSA Protected Storage C API |
| 96 | |
| 97 | Some example storage backends: |
| 98 | |
| 99 | * RPMB storage backend |
| 100 | * Secure enclave storage backend |
| 101 | * Normal-world filesystem backend |
| 102 | * Secure storage service client |
| 103 | |
| 104 | Components related to storage frontends and backends live under the following TS project directories:: |
| 105 | |
| 106 | components/service/secure_storage/frontend |
| 107 | components/service/secure_storage/backend |
| 108 | |
| 109 | Storage Frontend and Backend Responsibilities |
| 110 | --------------------------------------------- |
| 111 | A storage frontend is responsible for presenting an interface that is suitable for a particular |
| 112 | type of consumer. For example, the Mbed TLS library depends on the PSA Internal Trusted Storage C |
| 113 | API for accessing persistent storage. The ITS frontend provides an implementation of this API at |
| 114 | its upper edge. Where appropriate, a storage frontend will be responsible for sanitizing input |
| 115 | parameters. |
| 116 | |
| 117 | A storage backend is responsible for: |
| 118 | |
| 119 | * Realizing the common storage backend interface. |
| 120 | * Implementing per object access control based on the provided client ID. The client ID associated |
| 121 | with the creator of an object is treated as the object owner. |
| 122 | * Providing persistent storage with appropriate security and robustness properties. |
| 123 | |
| 124 | Storage Factory |
| 125 | --------------- |
| 126 | To decouple generic code from environment and platform specific code, a storage factory |
| 127 | interface is defined that provides a common interface for constructing storage backends. |
| 128 | A concrete storage factory may use environment specific methods and configuration to construct |
| 129 | a suitable storage backend. Allows new storage backends to be added without impacting service |
| 130 | provider implementations. The factory method uses PSA storage classifications to allow a |
| 131 | service provider to specify the security characteristics of the backend. How those security |
| 132 | characteristics are realized will depend on the secure processing environment and platform. |
| 133 | |
| 134 | A concrete storage factory may exploit any of the following to influence how the storage |
| 135 | backend is constructed: |
| 136 | |
| 137 | * Environment and platform specific factory component used in deployment |
| 138 | * Runtime configuration e.g. from Device Tree |
| 139 | * The PSA storage classification specified by the SP initialization code. |
| 140 | |
| 141 | Concrete storage factory components live under the following TS project directory:: |
| 142 | |
| 143 | components/service/secure_storage/factory |
| 144 | |
| 145 | Storage Frontend/Backend Combinations |
| 146 | ------------------------------------- |
| 147 | The following storage frontend/backend combinations are used in different deployments. |
| 148 | |
| 149 | Persistent Key Store for Crypto Service Provider |
| 150 | '''''''''''''''''''''''''''''''''''''''''''''''' |
| 151 | The Crypto service provider uses the Mbed Crypto portion of Mbed TLS to implement crypto |
| 152 | operations. Persistent keys are stored via the PSA Internal Trusted Storage C API. |
| Imre Kis | 3d6848d | 2023-01-04 15:36:19 +0100 | [diff] [blame] | 153 | In the opteesp and sp deployments of the Crypto service provider, a storage client backend is |
| Julian Hall | 2075a21 | 2021-03-24 10:11:29 +0000 | [diff] [blame] | 154 | used that accesses a secure store provided by a separate secure partition. The following |
| 155 | deployment diagram illustrates the storage frontend/backend combination used: |
| 156 | |
| 157 | .. uml:: uml/InternalTrustedDeploymentDiagram.puml |
| 158 | |
| 159 | Proxy for OP-TEE Provided Storage |
| 160 | ''''''''''''''''''''''''''''''''' |
| 161 | When service providers are deployed in secure partitions running under OP-TEE, access |
| 162 | to OP-TEE provided secure storage is possible via an S-EL1 SP that hosts a secure storage |
| 163 | provider instance. The following deployment diagram illustrates how secure storage |
| 164 | access is brokered by an S-EL0 proxy: |
| 165 | |
| 166 | .. uml:: uml/ProtectedProxyDeploymentDiagram.puml |
| 167 | |
| 168 | -------------- |
| 169 | |
| Imre Kis | 3d6848d | 2023-01-04 15:36:19 +0100 | [diff] [blame] | 170 | *Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved.* |
| Julian Hall | 2075a21 | 2021-03-24 10:11:29 +0000 | [diff] [blame] | 171 | |
| 172 | SPDX-License-Identifier: BSD-3-Clause |