.. _tf-m_profiles:

#############
TF-M Profiles
#############

The capabilities and resources available on IoT devices vary dramatically.
Some IoT devices have very limited memory; the software on those devices must keep a
small memory footprint and provide only basic functionality.
Other devices have more memory and extended storage, and can support stronger
software capabilities.

Diverse IoT use cases also require different levels of security and place different
demands on device resources. For example, use cases require different cipher
capabilities, and the choice of cipher suites can be sensitive to memory footprint on
devices with constrained resources.

Trusted Firmware-M (TF-M) defines several general profiles, such as Profile Small,
Profile Medium, Profile Medium ARoT-less and Profile Large, to provide different levels
of security that fit diverse device capabilities and use cases. Each profile is applied
on top of the base configuration.

Each profile specifies a predefined list of features, targeting typical use cases with
specific hardware constraints. Profiles can serve as reference designs on which developers
can base further development and configuration according to their use case.

TF-M Profiles align with Platform Security Architecture (PSA) specifications and
certification guidelines, which helps vendors simplify security configuration for PSA
certification.

The table below compares the profiles; the linked pages discuss each profile in detail.

.. toctree::
    :maxdepth: 1
    :glob:

    Small <tfm_profile_small>
    ARoT-less <tfm_profile_medium_arot-less>
    Medium <tfm_profile_medium>
    Large <tfm_profile_large>

+----------------------------------------+--------+--------+---------+--------+--------+
| Option                                 | Base   | Small  |ARoT-less| Medium | Large  |
+========================================+========+========+=========+========+========+
| TFM_ISOLATION_LEVEL                    | 1      | 1      | 1       | 2      | 3      |
+----------------------------------------+--------+--------+---------+--------+--------+
| CONFIG_TFM_SPM_BACKEND                 | SFN    | SFN    | SFN     | IPC    | IPC    |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_CRYPTO                   | OFF    | ON     | ON      | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_INTERNAL_TRUSTED_STORAGE | OFF    | ON     | ON      | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_PLATFORM                 | OFF    | OFF    | ON      | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_PROTECTED_STORAGE        | OFF    | OFF    | OFF     | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_INITIAL_ATTESTATION      | OFF    | ON     | ON      | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| SYMMETRIC_INITIAL_ATTESTATION          | OFF    | ON     | OFF     | OFF    | OFF    |
+----------------------------------------+--------+--------+---------+--------+--------+
| TFM_PARTITION_FIRMWARE_UPDATE          | OFF    | OFF    | ON      | OFF    | OFF    |
+----------------------------------------+--------+--------+---------+--------+--------+
| PS_CRYPTO_AEAD_ALG                     | GCM    | `-`    | `-`     | CCM    | CCM    |
+----------------------------------------+--------+--------+---------+--------+--------+
| PSA_FRAMEWORK_HAS_MM_IOVEC             | OFF    | ON     | OFF     | OFF    | OFF    |
+----------------------------------------+--------+--------+---------+--------+--------+
| MCUBOOT_IMAGE_NUMBER :sup:`1`          | 2      | 1      | 2       | 2      | 2      |
+----------------------------------------+--------+--------+---------+--------+--------+
| *Advanced options, defined in the corresponding header (.h) file*                    |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_ENGINE_BUF_SIZE                 | 0x2080 | 0x400  | 0x2080  | 0x2080 | 0x2380 |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_ASYM_SIGN_MODULE_ENABLED        | ON     | OFF    | ON      | ON     | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED     | ON     | OFF    | OFF     | OFF    | ON     |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_SINGLE_PART_FUNCS_DISABLED      | OFF    | ON     | OFF     | OFF    | OFF    |
+----------------------------------------+--------+--------+---------+--------+--------+
| CRYPTO_CONC_OPER_NUM                   | 8      | 4      | 8       | 8      | 8      |
+----------------------------------------+--------+--------+---------+--------+--------+
| CONFIG_TFM_CONN_HANDLE_MAX_NUM         | 8      | 3      | 8       | 8      | 8      |
+----------------------------------------+--------+--------+---------+--------+--------+
| ITS_BUF_SIZE :sup:`2`                  | 512    | 32     | 32      | 32     | 512    |
+----------------------------------------+--------+--------+---------+--------+--------+

1. The ``MCUBOOT_IMAGE_NUMBER`` value is taken from the MCUboot default configuration,
   except for Profile Small.
2. Many platforms redefine the ``ITS_BUF_SIZE`` value.

Each profile has a predefined configuration for the cryptographic library, located in
``/lib/ext/mbedcrypto/mbedcrypto_config/``.
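
A build that is described as "Profile Medium" is only as strong as the options that actually
reach the CMake cache; a single ``-D`` override on the command line can lower the isolation
level or drop a partition without anyone noticing. The script below is an added example (not
part of the TF-M documentation or code base) that transcribes the profile table above and
compares it against a build's ``CMakeCache.txt`` entries or ``-D`` definitions, reporting every
departure and marking a lowered ``TFM_ISOLATION_LEVEL`` or a profile partition turned OFF as
``weaker``. The cache excerpt is constructed; the boolean spellings it normalises
(``TRUE``/``1`` as ON, ``FALSE``/``0`` as OFF) are the ones CMake accepts for ``BOOL`` cache
entries; the functions ``expected``, ``parse_config`` and ``deviations`` are this example's
own names.

```python
"""Check a TF-M build configuration against the reference profile table.

Added example; not part of TF-M. PROFILES is transcribed from the documentation
table (Base / Small / ARoT-less / Medium / Large); SAMPLE_CACHE is constructed.
"""
import re

# Reference values per column of the documentation table. None means the
# table shows "-" for that profile, so the option is not checked.
PROFILES = {
    "TFM_ISOLATION_LEVEL":                    ("1", "1", "1", "2", "3"),
    "CONFIG_TFM_SPM_BACKEND":                 ("SFN", "SFN", "SFN", "IPC", "IPC"),
    "TFM_PARTITION_CRYPTO":                   ("OFF", "ON", "ON", "ON", "ON"),
    "TFM_PARTITION_INTERNAL_TRUSTED_STORAGE": ("OFF", "ON", "ON", "ON", "ON"),
    "TFM_PARTITION_PLATFORM":                 ("OFF", "OFF", "ON", "ON", "ON"),
    "TFM_PARTITION_PROTECTED_STORAGE":        ("OFF", "OFF", "OFF", "ON", "ON"),
    "TFM_PARTITION_INITIAL_ATTESTATION":      ("OFF", "ON", "ON", "ON", "ON"),
    "SYMMETRIC_INITIAL_ATTESTATION":          ("OFF", "ON", "OFF", "OFF", "OFF"),
    "TFM_PARTITION_FIRMWARE_UPDATE":          ("OFF", "OFF", "ON", "OFF", "OFF"),
    "PS_CRYPTO_AEAD_ALG":                     ("GCM", None, None, "CCM", "CCM"),
    "PSA_FRAMEWORK_HAS_MM_IOVEC":             ("OFF", "ON", "OFF", "OFF", "OFF"),
}
COLUMNS = ("base", "small", "arot-less", "medium", "large")

# CMakeCache.txt entry: NAME:TYPE=VALUE ; command-line form: -DNAME[:TYPE]=VALUE
CACHE_RE = re.compile(r"^([A-Z0-9_]+):[A-Z]+=(.*)$")
DEFINE_RE = re.compile(r"^-D([A-Z0-9_]+)(?::[A-Z]+)?=(.*)$")


def expected(profile):
    """Option -> reference value for one profile column (skipping '-' cells)."""
    idx = COLUMNS.index(profile)
    return {opt: vals[idx] for opt, vals in PROFILES.items() if vals[idx] is not None}


def parse_config(text):
    """Return {option: VALUE} from CMakeCache lines and/or -D definitions."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "//")):   # CMakeCache comment styles
            continue
        m = CACHE_RE.match(line) or DEFINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip().upper()
    return found


def normalize(value, want):
    """Map CMake boolean spellings onto ON/OFF when the reference is a boolean."""
    if want in ("ON", "OFF"):
        if value in ("ON", "TRUE", "YES", "Y", "1"):
            return "ON"
        if value in ("OFF", "FALSE", "NO", "N", "0", ""):
            return "OFF"
    return value


def deviations(profile, config_text):
    """List (option, expected, actual, kind) where the build departs from the profile.

    kind: 'weaker'  - isolation level lowered, or a partition the profile enables is OFF
          'missing' - the option does not appear in the configuration at all
          'changed' - any other difference (e.g. a different AEAD algorithm)
    """
    want = expected(profile)
    have = parse_config(config_text)
    report = []
    for opt, exp in sorted(want.items()):
        if opt not in have:
            report.append((opt, exp, None, "missing"))
            continue
        act = normalize(have[opt], exp)
        if act == exp:
            continue
        if opt == "TFM_ISOLATION_LEVEL" and act.isdigit() and int(act) < int(exp):
            kind = "weaker"
        elif opt.startswith("TFM_PARTITION_") and exp == "ON" and act == "OFF":
            kind = "weaker"
        else:
            kind = "changed"
        report.append((opt, exp, act, kind))
    return report


# Constructed CMakeCache.txt excerpt for a build that is labelled "Profile Medium"
# but was built with overrides; not taken from a real build.
SAMPLE_CACHE = """\
# This is the CMakeCache file (constructed excerpt).
TFM_ISOLATION_LEVEL:STRING=1
CONFIG_TFM_SPM_BACKEND:STRING=IPC
TFM_PARTITION_CRYPTO:BOOL=ON
TFM_PARTITION_INTERNAL_TRUSTED_STORAGE:BOOL=ON
TFM_PARTITION_PLATFORM:BOOL=ON
TFM_PARTITION_PROTECTED_STORAGE:BOOL=FALSE
TFM_PARTITION_INITIAL_ATTESTATION:BOOL=ON
SYMMETRIC_INITIAL_ATTESTATION:BOOL=OFF
TFM_PARTITION_FIRMWARE_UPDATE:BOOL=OFF
PS_CRYPTO_AEAD_ALG:STRING=GCM
PSA_FRAMEWORK_HAS_MM_IOVEC:BOOL=OFF
"""

if __name__ == "__main__":
    for opt, exp, act, kind in deviations("medium", SAMPLE_CACHE):
        print(f"{kind:8} {opt}: profile={exp} build={act}")
```

Run it against a real ``CMakeCache.txt`` by reading the file into ``deviations``; a clean build
for the chosen profile returns an empty list, and anything tagged ``weaker`` is worth a second
look before the configuration is presented as matching that profile.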

--------------

*Copyright (c) 2020, Arm Limited. All rights reserved.*