PSA Certified
=============
PSA Certified provides a framework for securing connected devices. Certification demonstrates
that security best practices have been implemented, based on an independent security assessment.
For more information, see: `PSA Certified`_.

PSA Certified defines ten security goals that form the foundation for device security. The
certification process involves an assessment that these security goals have been met. The
Trusted Services project includes service provider components and reference integrations
that a system integrator may use as the basis for creating a platform that meets these goals.

PSA Goals
---------
The following table lists the ten security goals and how the Trusted Services
project helps to achieve them:

.. list-table::
  :widths: 1 2
  :header-rows: 1

  * - PSA Certified Goal
    - Trusted Services Contribution
  * - Unique Identification
    - | A unique device identity, assigned during manufacture, may be stored securely
      | using the Secure Storage trusted service with a suitable platform-provided backend.
  * - Security Lifecycle
    - | The Attestation trusted service provides an extensible framework for adding claims
      | to a signed attestation report. The security lifecycle state claim is planned to be
      | added in a future release.
  * - Attestation
    - | A remote third party may obtain a trusted view of the security state of a device by
      | obtaining a signed attestation token from the Attestation service.
  * - Secure Boot
    - | Secure boot relies on a hardware trust anchor such as a public key hash programmed into
      | an OTP eFuse array. For firmware that uses TF-A, all firmware components are verified
      | during the early boot phase.
  * - Secure Update
    - | Involves cooperation of a trusted service with other firmware components such as the
      | boot loader.
  * - Anti-Rollback
    - | The Secure Storage service provider can be used with arbitrary storage backends, allowing
      | platform-specific storage to be used. Where the necessary hardware is available,
      | rollback-protected storage can be provided with a suitable backend.
  * - Isolation
    - | The trusted services architectural model assumes that service isolation is implemented using
      | a hardware-backed secure processing environment. A secure partition managed by a Secure
      | Partition Manager is one method for realizing isolation.
  * - Interaction
    - | The FF-A specification defines messaging and memory management primitives that enable
      | secure interaction between partitions. Importantly, the secure partition manager provides
      | a trusted view of the identity of a message sender, allowing access to be controlled.
  * - Secure Storage
    - | The Secure Storage service provider uses a pre-configured storage backend to provide
      | an object store with suitable security properties. Two deployments of the secure storage
      | provider (Internal Trusted Storage and Protected Storage) are included with
      | platform-specific storage backends.
  * - Cryptographic Service
    - | The Crypto service provider implements a rich set of cryptographic operations using
      | a protected key store. Key usage is controlled based on the principle of least privilege,
      | where usage flags constrain permitted operations.

Conformance Test Support
------------------------
To support API-level conformance testing, the `PSA Arch Test project`_ provides a rich set
of test suites that allow service implementations to be tested. To facilitate running the
PSA functional API tests, the psa-api-test deployment (see: :ref:`Test Executables`) is
supported, which integrates the test suites with service clients. This can be used to run tests
on a platform and collect test results to provide visibility to an external assessor.

--------------

.. _`PSA Certified`: https://www.psacertified.org/
.. _`PSA Arch Test project`: https://github.com/ARM-software/psa-arch-tests.git

*Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.*

SPDX-License-Identifier: BSD-3-Clause