Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trusted Execution Framework: practical use-cases (high-level overview) #6648

Closed
ioannisg opened this issue Mar 16, 2018 · 4 comments
Closed

Trusted Execution Framework: practical use-cases (high-level overview) #6648

ioannisg opened this issue Mar 16, 2018 · 4 comments
Labels
Feature A planned feature with a milestone

Comments

@ioannisg
Copy link
Member

ioannisg commented Mar 16, 2018
edited
Loading

Introduction

This issue intends to list the practical use-case within the Trusted Execution paradigm.
By having a high-level description of each relevant use-case (requirements & challenges), we can facilitate the design of the Trusted Execution framework as part of Zephyr Project.

Use-case description

High-level description only:

  1. Secure Bootloader

    • Two images are loaded on the MCU: Secure bootloader and Non-Secure Zephyr RTOS + Application
    • MCU boots in Secure mode, from Secure bootloader. Bootloader verifies the Non-secure firmware.
    • After security attributions are configured, the bootloader prepares to boot to the Non-Secure image.
    • Most of MCU resources (memory, peripherals, IRQs etc.) are allocated to the Non-Secure Zephyr firmware. Certain resources are allocated to Secure bootloader (e.g. secure memory, secure peripherals)
    • secure image is not used after booting into non-secure image, however:
      • functions can still be called (e.g. libraries)
      • security faults are handled

  2. Secure storage

    • One composite image, or two separate images are loaded on the MCU.
    • Zephyr RTOS and user application runs in non-secure mode
    • Application uses secure libraries (stored in secure image or in secure areas of the composite image
      and accessible by non-secure callable entry functions) to perform secure storage operations (e.g. store critical data, keys, certificates etc. in the secure regions)
    • non-secure callable region shall be minimized, to remove wasted memory for the interface between the two security domains.
@MaureenHelm MaureenHelm added the Feature A planned feature with a milestone label Mar 19, 2018
@agross-oss agross-oss mentioned this issue Dec 4, 2018
Closed
@d3zd3z
Copy link
Collaborator

d3zd3z commented Dec 4, 2018

In order for secure storage to be useful, the secure side must also have code for operations that make use of that secure data. For example, if we store a private key, there needs to be an operation to sign something using that key. There shouldn't be a way of getting the key out.

@d3zd3z
Copy link
Collaborator

d3zd3z commented Dec 4, 2018

non-secure callable region shall be minimized, to remove wasted memory for the interface between the two security domains.

Ideally, I think the secure veneers could just be an 'sg' followed by a jump to the implementation on secure side. The seem to end up being full functions in the current implementation of tfm, though.

@d3zd3z d3zd3z mentioned this issue Dec 5, 2019
Closed
@carlescufi
Copy link
Member

No longer relevant

@nkaramolegos
Copy link

i would like to store secure a private key in the device flash (nrf 52840-dk). I am bit confused does zephyr supports something like this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature A planned feature with a milestone
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@d3zd3z @ioannisg @MaureenHelm @carlescufi @nkaramolegos