Blame - docs/overview/index.rst - TS/trusted-services

blob: 3e657ab0579b2d004018ff53809574efd08a1f03 [file] [log] [blame]

Julian Hall	7b59462	2022-04-08 14:04:15 +0100	[diff] [blame]	1	Introduction
				2	============
				3
				4	The term 'trusted service' is used as a general name for a class of application that runs in an isolated
				5	processing environment. Other applications rely on trusted services to perform security related operations in
				6	a way that avoids exposing secret data beyond the isolation boundary of the environment. The word 'trusted'
				7	does not imply anything inherently trustworthy about a service application but rather that other applications
				8	put trust in the service. Meeting those trust obligations relies on a range of hardware and firmware
				9	implemented security measures.
				10
Julian Hall	f12cfd4	2022-04-12 17:00:19 +0100	[diff] [blame]	11	The Arm Application-profile (A-profile) architecture, in combination with standard firmware, provides a range
				12	of isolated processing environments that offer hardware-backed protection against various classes of attack.
				13	Because of their strong security properties, these environments are suitable for running applications that have
Julian Hall	7b59462	2022-04-08 14:04:15 +0100	[diff] [blame]	14	access to valuable assets such as keys or sensitive user data. The goal of the Trusted Services project is
				15	to provide a framework in which security related services may be developed, tested and easily deployed to
				16	run in any of the supported environments. A core set of trusted services are implemented to provide basic
				17	device security functions such as cryptography and secure storage.
				18
				19	Example isolated processing environments are:
				20
Julian Hall	f12cfd4	2022-04-12 17:00:19 +0100	[diff] [blame]	21	- Secure partitions - secure world isolated environments managed by a secure partition manager
Julian Hall	7b59462	2022-04-08 14:04:15 +0100	[diff] [blame]	22	- Trusted applications - application environments managed by a TEE
Julian Hall	f12cfd4	2022-04-12 17:00:19 +0100	[diff] [blame]	23	- VM backed container - container runtime that uses a hypervisor to provide hardware backed container isolation
				24
				25	The default reference system, used for test and development, uses the Secure Partition Manager configuration
				26	of OP-TEE to manage a set of secure partitions running at S-EL0. The secure partitions host service providers
				27	that implement PSA root-of-trust services. Services may be accessed using client-side C bindings that expose PSA
				28	Functional APIs. UEFI SMM services are provided by the SMM Gateway.
				29
				30	.. image:: image/TsReferencePlatform.svg
				31	.. The image was exported from an original on Arm Confluence.
Julian Hall	7b59462	2022-04-08 14:04:15 +0100	[diff] [blame]	32
				33	For more background on the type of problems solved by trusted services and how the project aims to
				34	make solutions more accessible, see:
Julian Hall	e76ade8	2020-11-25 03:07:21 +0100	[diff] [blame]	35
				36	.. toctree::
				37	:maxdepth: 1
Julian Hall	e76ade8	2020-11-25 03:07:21 +0100	[diff] [blame]	38
Julian Hall	7b59462	2022-04-08 14:04:15 +0100	[diff] [blame]	39	example-usage
Julian Hall	e76ade8	2020-11-25 03:07:21 +0100	[diff] [blame]	40	goals
				41
Julian Hall	f12cfd4	2022-04-12 17:00:19 +0100	[diff] [blame]	42	The Trusted Services project includes components that may be integrated into platform firmware
				43	to enable A-profile platforms to meet PSA Certified security requirements. For more information, see:
				44	:ref:`Platform Certification`.
Julian Hall	7b59462	2022-04-08 14:04:15 +0100	[diff] [blame]	45
Julian Hall	e76ade8	2020-11-25 03:07:21 +0100	[diff] [blame]	46	--------------
				47
Julian Hall	7b59462	2022-04-08 14:04:15 +0100	[diff] [blame]	48	Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
Julian Hall	e76ade8	2020-11-25 03:07:21 +0100	[diff] [blame]	49
				50	SPDX-License-Identifier: BSD-3-Clause