docs/1.0.1/html/overview/sample-arch.html - mirror/mbed-crypto - TrustedFirmware Git Browser


 <!DOCTYPE html>

 <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <meta charset="utf-8" />
     <title>4. Sample architectures &#8212; PSA Crypto API 1.0.1 documentation</title>
     <link rel="stylesheet" href="../_static/alabaster.css" type="text/css" />
     <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
     <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
     <script type="text/javascript" src="../_static/jquery.js"></script>
     <script type="text/javascript" src="../_static/underscore.js"></script>
     <script type="text/javascript" src="../_static/doctools.js"></script>
     <script type="text/javascript" src="../_static/language_data.js"></script>
     <link rel="author" title="About these documents" href="../about.html" />
     <link rel="index" title="Index" href="../genindex.html" />
     <link rel="search" title="Search" href="../search.html" />
     <link rel="next" title="5. Library conventions" href="conventions.html" />
     <link rel="prev" title="3. Functionality overview" href="functionality.html" />

   <link rel="stylesheet" href="../_static/custom.css" type="text/css" />


   <meta name="viewport" content="width=device-width, initial-scale=0.9, maximum-scale=0.9" />

   </head><body>


     <div class="document">
       <div class="documentwrapper">
         <div class="bodywrapper">


           <div class="body" role="main">

   <div class="section" id="sample-architectures">
 <span id="architectures"></span><h1>4. Sample architectures</h1>
 <p>This section describes some example architectures that can be used for
 implementations of the interface described in this specification. This list is
 not exhaustive and the section is entirely non-normative.</p>
 <div class="section" id="single-partition-architecture">
 <h2>4.1. Single-partition architecture</h2>
 <p>In the single-partition architecture, there is no security boundary inside the system. The
 application code can access all the system memory, including the memory used by
 the cryptographic services described in this specification. Thus, the
 architecture provides <a class="reference internal" href="goals.html#isolation"><span class="std std-ref">no isolation</span></a>.</p>
 <p>This architecture does not conform to the Arm <em>Platform Security Architecture
 Security Model</em>. However, it is useful for providing cryptographic services
 that use the same interface, even on devices that cannot support any security
 boundary. So, while this architecture is not the primary design goal of the API
 defined in the present specification, it is supported.</p>
 <p>The functions in this specification simply execute the underlying algorithmic
 code. Security checks can be kept to a minimum, since the cryptoprocessor cannot
 defend against a malicious application. Key import and export copy data inside
 the same memory space.</p>
 <p>This architecture also describes a subset of some larger systems, where the
 cryptographic services are implemented inside a high-security partition,
 separate from the code of the main application, though it shares this
 high-security partition with other platform security services.</p>
 </div>
 <div class="section" id="cryptographic-token-and-single-application-processor">
 <span id="isolated-cryptoprocessor"></span><h2>4.2. Cryptographic token and single-application processor</h2>
 <p>This system is composed of two partitions: one is a cryptoprocessor and the
 other partition runs an application. There is a security boundary between the
 two partitions, so that the application cannot access the cryptoprocessor,
 except through its public interface. Thus, the architecture provides
 <a class="reference internal" href="goals.html#isolation"><span class="std std-ref">cryptoprocessor isolation</span></a>. The cryptoprocessor has
 some non-volatile storage, a TRNG, and possibly, some cryptographic accelerators.</p>
 <p>There are a number of potential physical realizations: the cryptoprocessor might
 be a separate chip, a separate processor on the same chip, or a logical
 partition using a combination of hardware and software to provide the isolation.
 These realizations are functionally equivalent in terms of the offered software
 interface, but they would typically offer different levels of security
 guarantees.</p>
 <p>The PSA crypto API in the application processor consists of a thin layer of code
 that translates function calls to remote procedure calls in the cryptoprocessor.
 All cryptographic computations are, therefore, performed inside the
 cryptoprocessor. Non-volatile keys are stored inside the cryptoprocessor.</p>
 </div>
 <div class="section" id="cryptoprocessor-with-no-key-storage">
 <h2>4.3. Cryptoprocessor with no key storage</h2>
 <p>As in the <a class="reference internal" href="#isolated-cryptoprocessor"><span class="secref">Cryptographic token and single-application processor</span></a> architecture, this system
 is also composed of two partitions separated by a security boundary and also
 provides <a class="reference internal" href="goals.html#isolation"><span class="std std-ref">cryptoprocessor isolation</span></a>.
 However, unlike the previous architecture, in this system, the cryptoprocessor
 does not have any secure, persistent storage that could be used to store
 application keys.</p>
 <p>If the cryptoprocessor is not capable of storing cryptographic material, then
 there is little use for a separate cryptoprocessor, since all data would have to
 be imported by the application.</p>
 <p>The cryptoprocessor can provide useful services if it is able to store at least
 one key. This might be a hardware unique key that is burnt to one-time
 programmable memory during the manufacturing of the device. This key can be used
 for one or more purposes:</p>
 <ul class="simple">
 <li><p>Encrypt and authenticate data stored in the application processor.</p></li>
 <li><p>Communicate with a paired device.</p></li>
 <li><p>Allow the application to perform operations with keys that are derived from
 the hardware unique key.</p></li>
 </ul>
 </div>
 <div class="section" id="multi-client-cryptoprocessor">
 <h2>4.4. Multi-client cryptoprocessor</h2>
 <p>This is an expanded variant of the <a class="reference internal" href="#isolated-cryptoprocessor"><span class="std std-ref">cryptographic token plus application
 architecture</span></a>. In this
 variant, the cryptoprocessor serves multiple applications that are mutually
 untrustworthy. This architecture provides <a class="reference internal" href="goals.html#isolation"><span class="std std-ref">caller
 isolation</span></a>.</p>
 <p>In this architecture, API calls are translated to remote procedure calls, which
 encode the identity of the client application. The cryptoprocessor carefully
 segments its internal storage to ensure that a client’s data is never leaked to
 another client.</p>
 </div>
 <div class="section" id="multi-cryptoprocessor-architecture">
 <h2>4.5. Multi-cryptoprocessor architecture</h2>
 <p>This system includes multiple cryptoprocessors. There are several reasons to
 have multiple cryptoprocessors:</p>
 <ul class="simple">
 <li><p>Different compromises between security and performance for different keys.
 Typically, this means a cryptoprocessor that runs on the same hardware as the
 main application and processes short-term secrets, a secure element or a
 similar separate chip that retains long-term secrets.</p></li>
 <li><p>Independent provisioning of certain secrets.</p></li>
 <li><p>A combination of a non-removable cryptoprocessor and removable ones, for
 example, a smartcard or HSM.</p></li>
 <li><p>Cryptoprocessors managed by different stakeholders who do not trust each
 other.</p></li>
 </ul>
 <p>The keystore implementation needs to dispatch each request to the correct
 processor. For example:</p>
 <ul class="simple">
 <li><p>All requests involving a non-extractable key must be processed in the
 cryptoprocessor that holds that key.</p></li>
 <li><p>Requests involving a persistent key must be processed in the cryptoprocessor
 that corresponds to the key’s lifetime value.</p></li>
 <li><p>Requests involving a volatile key might target a cryptoprocessor based on
 parameters supplied by the application, or based on considerations such as
 performance inside the implementation.</p></li>
 </ul>
 </div>
 </div>


           </div>

         </div>
       </div>
       <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
         <div class="sphinxsidebarwrapper"><h3><a href="../index.html"><b>PSA Crypto API</b></a></h3>
 IHI 0086<br/>
 Non-confidential<br/>
 Version 1.0.1
 <span style="color: red; font-weight: bold;"></span>
 <ul>
 <li class="toctree-l1"><a class="reference internal" href="../about.html">About this document</a></li>
 </ul>
 <ul class="current">
 <li class="toctree-l1"><a class="reference internal" href="intro.html">1. Introduction</a></li>
 <li class="toctree-l1"><a class="reference internal" href="goals.html">2. Design goals</a></li>
 <li class="toctree-l1"><a class="reference internal" href="functionality.html">3. Functionality overview</a></li>
 <li class="toctree-l1 current"><a class="current reference internal" href="#">4. Sample architectures</a><ul>
 <li class="toctree-l2"><a class="reference internal" href="#single-partition-architecture">4.1. Single-partition architecture</a></li>
 <li class="toctree-l2"><a class="reference internal" href="#cryptographic-token-and-single-application-processor">4.2. Cryptographic token and single-application processor</a></li>
 <li class="toctree-l2"><a class="reference internal" href="#cryptoprocessor-with-no-key-storage">4.3. Cryptoprocessor with no key storage</a></li>
 <li class="toctree-l2"><a class="reference internal" href="#multi-client-cryptoprocessor">4.4. Multi-client cryptoprocessor</a></li>
 <li class="toctree-l2"><a class="reference internal" href="#multi-cryptoprocessor-architecture">4.5. Multi-cryptoprocessor architecture</a></li>
 </ul>
 </li>
 <li class="toctree-l1"><a class="reference internal" href="conventions.html">5. Library conventions</a></li>
 <li class="toctree-l1"><a class="reference internal" href="implementation.html">6. Implementation considerations</a></li>
 <li class="toctree-l1"><a class="reference internal" href="usage.html">7. Usage considerations</a></li>
 <li class="toctree-l1"><a class="reference internal" href="../api/library/index.html">8. Library management reference</a></li>
 <li class="toctree-l1"><a class="reference internal" href="../api/keys/index.html">9. Key management reference</a></li>
 <li class="toctree-l1"><a class="reference internal" href="../api/ops/index.html">10. Cryptographic operation reference</a></li>
 </ul>
 <ul>
 <li class="toctree-l1"><a class="reference internal" href="../appendix/example_header.html">Example header file</a></li>
 <li class="toctree-l1"><a class="reference internal" href="../appendix/specdef_values.html">Example macro implementations</a></li>
 <li class="toctree-l1"><a class="reference internal" href="../appendix/history.html">Changes to the API</a></li>
 </ul>
 <ul>
 <li class="toctree-l1"><a class="reference internal" href="../psa_c-identifiers.html">Index of API elements</a></li>
 </ul>
 <div id="searchbox" style="display: none" role="search">
   <h3 id="searchlabel">Quick search</h3>
     <div class="searchformwrapper">
     <form class="search" action="../search.html" method="get">
       <input type="text" name="q" aria-labelledby="searchlabel" />
       <input type="submit" value="Go" />
     </form>
     </div>
 </div>
 <script type="text/javascript">$('#searchbox').show(0);</script>
         </div>
       </div>
       <div class="clearer"></div>
     </div>
     <div class="footer">
       &copy; 2018-2020, Arm Limited or its affiliates. All rights reserved.

       |
       Powered by <a href="http://sphinx-doc.org/">Sphinx 2.1.2</a>
       &amp; <a href="https://github.com/bitprophet/alabaster">Alabaster 0.7.12</a>

     </div>


   </body>
 </html>

	<!DOCTYPE html>

	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	<meta charset="utf-8" />
	<title>4. Sample architectures — PSA Crypto API 1.0.1 documentation</title>
	<link rel="stylesheet" href="../_static/alabaster.css" type="text/css" />
	<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
	<script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
	<script type="text/javascript" src="../_static/jquery.js"></script>
	<script type="text/javascript" src="../_static/underscore.js"></script>
	<script type="text/javascript" src="../_static/doctools.js"></script>
	<script type="text/javascript" src="../_static/language_data.js"></script>
	<link rel="author" title="About these documents" href="../about.html" />
	<link rel="index" title="Index" href="../genindex.html" />
	<link rel="search" title="Search" href="../search.html" />
	<link rel="next" title="5. Library conventions" href="conventions.html" />
	<link rel="prev" title="3. Functionality overview" href="functionality.html" />

	<link rel="stylesheet" href="../_static/custom.css" type="text/css" />


	<meta name="viewport" content="width=device-width, initial-scale=0.9, maximum-scale=0.9" />

	</head><body>


	<div class="document">
	<div class="documentwrapper">
	<div class="bodywrapper">


	<div class="body" role="main">

	<div class="section" id="sample-architectures">
	<span id="architectures"></span><h1>4. Sample architectures</h1>
	<p>This section describes some example architectures that can be used for
	implementations of the interface described in this specification. This list is
	not exhaustive and the section is entirely non-normative.</p>
	<div class="section" id="single-partition-architecture">
	<h2>4.1. Single-partition architecture</h2>
	<p>In the single-partition architecture, there is no security boundary inside the system. The
	application code can access all the system memory, including the memory used by
	the cryptographic services described in this specification. Thus, the
	architecture provides <a class="reference internal" href="goals.html#isolation"><span class="std std-ref">no isolation</span></a>.</p>
	<p>This architecture does not conform to the Arm <em>Platform Security Architecture
	Security Model</em>. However, it is useful for providing cryptographic services
	that use the same interface, even on devices that cannot support any security
	boundary. So, while this architecture is not the primary design goal of the API
	defined in the present specification, it is supported.</p>
	<p>The functions in this specification simply execute the underlying algorithmic
	code. Security checks can be kept to a minimum, since the cryptoprocessor cannot
	defend against a malicious application. Key import and export copy data inside
	the same memory space.</p>
	<p>This architecture also describes a subset of some larger systems, where the
	cryptographic services are implemented inside a high-security partition,
	separate from the code of the main application, though it shares this
	high-security partition with other platform security services.</p>
	</div>
	<div class="section" id="cryptographic-token-and-single-application-processor">
	<span id="isolated-cryptoprocessor"></span><h2>4.2. Cryptographic token and single-application processor</h2>
	<p>This system is composed of two partitions: one is a cryptoprocessor and the
	other partition runs an application. There is a security boundary between the
	two partitions, so that the application cannot access the cryptoprocessor,
	except through its public interface. Thus, the architecture provides
	<a class="reference internal" href="goals.html#isolation"><span class="std std-ref">cryptoprocessor isolation</span></a>. The cryptoprocessor has
	some non-volatile storage, a TRNG, and possibly, some cryptographic accelerators.</p>
	<p>There are a number of potential physical realizations: the cryptoprocessor might
	be a separate chip, a separate processor on the same chip, or a logical
	partition using a combination of hardware and software to provide the isolation.
	These realizations are functionally equivalent in terms of the offered software
	interface, but they would typically offer different levels of security
	guarantees.</p>
	<p>The PSA crypto API in the application processor consists of a thin layer of code
	that translates function calls to remote procedure calls in the cryptoprocessor.
	All cryptographic computations are, therefore, performed inside the
	cryptoprocessor. Non-volatile keys are stored inside the cryptoprocessor.</p>
	</div>
	<div class="section" id="cryptoprocessor-with-no-key-storage">
	<h2>4.3. Cryptoprocessor with no key storage</h2>
	<p>As in the <a class="reference internal" href="#isolated-cryptoprocessor"><span class="secref">Cryptographic token and single-application processor</span></a> architecture, this system
	is also composed of two partitions separated by a security boundary and also
	provides <a class="reference internal" href="goals.html#isolation"><span class="std std-ref">cryptoprocessor isolation</span></a>.
	However, unlike the previous architecture, in this system, the cryptoprocessor
	does not have any secure, persistent storage that could be used to store
	application keys.</p>
	<p>If the cryptoprocessor is not capable of storing cryptographic material, then
	there is little use for a separate cryptoprocessor, since all data would have to
	be imported by the application.</p>
	<p>The cryptoprocessor can provide useful services if it is able to store at least
	one key. This might be a hardware unique key that is burnt to one-time
	programmable memory during the manufacturing of the device. This key can be used
	for one or more purposes:</p>
	<ul class="simple">
	<li><p>Encrypt and authenticate data stored in the application processor.</p></li>
	<li><p>Communicate with a paired device.</p></li>
	<li><p>Allow the application to perform operations with keys that are derived from
	the hardware unique key.</p></li>
	</ul>
	</div>
	<div class="section" id="multi-client-cryptoprocessor">
	<h2>4.4. Multi-client cryptoprocessor</h2>
	<p>This is an expanded variant of the <a class="reference internal" href="#isolated-cryptoprocessor"><span class="std std-ref">cryptographic token plus application
	architecture</span></a>. In this
	variant, the cryptoprocessor serves multiple applications that are mutually
	untrustworthy. This architecture provides <a class="reference internal" href="goals.html#isolation"><span class="std std-ref">caller
	isolation</span></a>.</p>
	<p>In this architecture, API calls are translated to remote procedure calls, which
	encode the identity of the client application. The cryptoprocessor carefully
	segments its internal storage to ensure that a client’s data is never leaked to
	another client.</p>
	</div>
	<div class="section" id="multi-cryptoprocessor-architecture">
	<h2>4.5. Multi-cryptoprocessor architecture</h2>
	<p>This system includes multiple cryptoprocessors. There are several reasons to
	have multiple cryptoprocessors:</p>
	<ul class="simple">
	<li><p>Different compromises between security and performance for different keys.
	Typically, this means a cryptoprocessor that runs on the same hardware as the
	main application and processes short-term secrets, a secure element or a
	similar separate chip that retains long-term secrets.</p></li>
	<li><p>Independent provisioning of certain secrets.</p></li>
	<li><p>A combination of a non-removable cryptoprocessor and removable ones, for
	example, a smartcard or HSM.</p></li>
	<li><p>Cryptoprocessors managed by different stakeholders who do not trust each
	other.</p></li>
	</ul>
	<p>The keystore implementation needs to dispatch each request to the correct
	processor. For example:</p>
	<ul class="simple">
	<li><p>All requests involving a non-extractable key must be processed in the
	cryptoprocessor that holds that key.</p></li>
	<li><p>Requests involving a persistent key must be processed in the cryptoprocessor
	that corresponds to the key’s lifetime value.</p></li>
	<li><p>Requests involving a volatile key might target a cryptoprocessor based on
	parameters supplied by the application, or based on considerations such as
	performance inside the implementation.</p></li>
	</ul>
	</div>
	</div>


	</div>

	</div>
	</div>
	<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
	<div class="sphinxsidebarwrapper"><h3><a href="../index.html"><b>PSA Crypto API</b></a></h3>
	IHI 0086<br/>
	Non-confidential<br/>
	Version 1.0.1
	<span style="color: red; font-weight: bold;"></span>
	<ul>
	<li class="toctree-l1"><a class="reference internal" href="../about.html">About this document</a></li>
	</ul>
	<ul class="current">
	<li class="toctree-l1"><a class="reference internal" href="intro.html">1. Introduction</a></li>
	<li class="toctree-l1"><a class="reference internal" href="goals.html">2. Design goals</a></li>
	<li class="toctree-l1"><a class="reference internal" href="functionality.html">3. Functionality overview</a></li>
	<li class="toctree-l1 current"><a class="current reference internal" href="#">4. Sample architectures</a><ul>
	<li class="toctree-l2"><a class="reference internal" href="#single-partition-architecture">4.1. Single-partition architecture</a></li>
	<li class="toctree-l2"><a class="reference internal" href="#cryptographic-token-and-single-application-processor">4.2. Cryptographic token and single-application processor</a></li>
	<li class="toctree-l2"><a class="reference internal" href="#cryptoprocessor-with-no-key-storage">4.3. Cryptoprocessor with no key storage</a></li>
	<li class="toctree-l2"><a class="reference internal" href="#multi-client-cryptoprocessor">4.4. Multi-client cryptoprocessor</a></li>
	<li class="toctree-l2"><a class="reference internal" href="#multi-cryptoprocessor-architecture">4.5. Multi-cryptoprocessor architecture</a></li>
	</ul>
	</li>
	<li class="toctree-l1"><a class="reference internal" href="conventions.html">5. Library conventions</a></li>
	<li class="toctree-l1"><a class="reference internal" href="implementation.html">6. Implementation considerations</a></li>
	<li class="toctree-l1"><a class="reference internal" href="usage.html">7. Usage considerations</a></li>
	<li class="toctree-l1"><a class="reference internal" href="../api/library/index.html">8. Library management reference</a></li>
	<li class="toctree-l1"><a class="reference internal" href="../api/keys/index.html">9. Key management reference</a></li>
	<li class="toctree-l1"><a class="reference internal" href="../api/ops/index.html">10. Cryptographic operation reference</a></li>
	</ul>
	<ul>
	<li class="toctree-l1"><a class="reference internal" href="../appendix/example_header.html">Example header file</a></li>
	<li class="toctree-l1"><a class="reference internal" href="../appendix/specdef_values.html">Example macro implementations</a></li>
	<li class="toctree-l1"><a class="reference internal" href="../appendix/history.html">Changes to the API</a></li>
	</ul>
	<ul>
	<li class="toctree-l1"><a class="reference internal" href="../psa_c-identifiers.html">Index of API elements</a></li>
	</ul>
	<div id="searchbox" style="display: none" role="search">
	<h3 id="searchlabel">Quick search</h3>
	<div class="searchformwrapper">
	<form class="search" action="../search.html" method="get">
	<input type="text" name="q" aria-labelledby="searchlabel" />
	<input type="submit" value="Go" />
	</form>
	</div>
	</div>
	<script type="text/javascript">$('#searchbox').show(0);</script>
	</div>
	</div>
	<div class="clearer"></div>
	</div>
	<div class="footer">
	© 2018-2020, Arm Limited or its affiliates. All rights reserved.

	\|
	Powered by <a href="http://sphinx-doc.org/">Sphinx 2.1.2</a>
	& <a href="https://github.com/bitprophet/alabaster">Alabaster 0.7.12</a>

	</div>




	</body>
	</html>