1Secure Partition Images
2=======================
3Secure partition (SP) deployments are concerned with building SP images that can
4be loaded and run under a secure partition manager such as Hafnium or OP-TEE.
5SP images will usually include service provider components that expose a
6service interface that may be reached using FF-A messages. A set of SP images
7will be loaded and verified by device firmware to provide the required services.
8
9The following deployments that create SP images are currently supported:
10
11crypto
12------
13An instance of the crypto service provider is built into an SP image to
14perform cryptographic operations on behalf of clients running in different
15partitions. Backend crypto operations are implemented by the crypto library
16component of MbedTLS. This deployment provides the cryptographic facilities
17needed for PSA certification. For more information, see:
18:ref:`Crypto Service`.
19
20.. list-table::
21  :widths: 1 2
22  :header-rows: 0
23
24  * - Supported Environments
25    - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
26      * *sp* (SPMC agnostic S-EL0 SP format)
27  * - External Dependencies
28    - * | TRNG (platform specific)
29      * | Secure storage SP
30
31attestation
32-----------
33An instance of the attestation service provider is built into an SP image
34to support remote attestation use-cases. The service provider obtains a
35trusted view of the boot state of device firmware from the TPM event log
36collected by the boot loader. This deployment provides the initial attestation
37facility needed for PSA certification. For more information, see:
38:ref:`Attestation Service`.
39
40.. list-table::
41  :widths: 1 2
42  :header-rows: 0
43
44  * - Supported Environments
45    - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
46      * *sp* (SPMC agnostic S-EL0 SP format)
47  * - External Dependencies
48    - * | TPM Event Log (via SP boot parameter)
49      * | Crypto SP
50
51internal-trusted-storage & protected-storage
52--------------------------------------------
53Two secure storage SP deployments are provided to allow different classes
54of storage to coexist on a device. Both deployments build an instance of
55the secure storage service provider with a storage backend. To allow
56different security trade-offs to be made and to support different hardware,
57a system integrator may configure which storage backend to use. Secure storage
58is a requirement for PSA certification. For more information, see:
59:ref:`Secure Storage Service`.
60
61.. list-table::
62  :widths: 1 2
63  :header-rows: 0
64
65  * - Supported Environments
66    - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
67      * *sp* (SPMC agnostic S-EL0 SP format)
68  * - External Dependencies
69    - * Depends on configured storage backend
70
71se-proxy
72--------
73The se-proxy SP provides access to services hosted by a secure enclave (hence
74'se'). A secure enclave consists of a separate MCU, connected to the host via
75a secure communications channel. To protect access to the communication channel,
76the se-proxy SP is assigned exclusive access to the communication peripheral via
77device or memory regions defined in the SP manifest. The deployment integrates
78multiple service providers into the SP image. After performing access control,
79service requests are forwarded to the secure enclave.
80
81The se-proxy deployment includes proxies for the following services:
82
83  - Crypto
84  - Attestation
85  - Internal Trusted Storage
86  - Protected Storage
87
88.. list-table::
89  :widths: 1 2
90  :header-rows: 0
91
92  * - Supported Environments
93    - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
94      * *sp* (SPMC agnostic S-EL0 SP format)
95  * - External Dependencies
96    - * SE communication peripheral (platform specific)
97
98smm-gateway
99-----------
100An instance of the smm-variable service provider is built into the smm-gateway SP
101image to provide secure world backing for UEFI SMM services. The smm-gateway SP
102provides a lightweight alternative to StMM. For more information, see:
103:ref:`UEFI SMM Services`.
104
105.. list-table::
106  :widths: 1 2
107  :header-rows: 0
108
109  * - Supported Environments
110    - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
111      * *sp* (SPMC agnostic S-EL0 SP format)
112  * - External Dependencies
113    - * | Secure storage service instance (e.g. hosted by protected-storage SP)
114      * | Crypto service instance (e.g. hosted crypto SP)
115
116env-test
117--------
118An instance of the test runner service provider is built into an SP image to
119allow test cases to be run from within the SP isolated environment. The SP
120image also includes environment and platform specific test cases to allow
121access to FF-A services and platform hardware to be tested. The test runner
122service provider is intended to be used in conjunction with a client that
123coordinates which tests to run and collects test results.
124
125.. list-table::
126  :widths: 1 2
127  :header-rows: 0
128
129  * - Supported Environments
130    - * *opteesp* (runs as an S-EL0 SP under OP-TEE)
131      * *sp* (SPMC agnostic S-EL0 SP format)
132  * - External Dependencies
133    - * Any hardware accessed by test cases (platform specific)
134
135--------------
136
137*Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved.*
138
139SPDX-License-Identifier: BSD-3-Clause
140