The Platform Security Architecture (PSA) is a framework for securing a trillion connected devices. For more details about PSA, read part 1 of this article. The application of the PSA consists of four key phases, each of which is supplied with documentation and guide.
Contents
- Phase 1: Analyze with Threat Models and Security Analyses
- Phase 2: Architect with Architecture Specifications
- Phase 3: Implement with Trusted Firmware-M
- Phase 4: Certify with PSA Certified and PSA Functional API Certification
- Conclusion
Phase 1: analyze with threat models and security analyses
When designing a secure system, you need to carry out a risk analysis and create a threat model, taking into consideration the key factors. These include:
- Assets in need of protection
- All potential threats
- The scope and severity of these threats
- The different types of attacker and the methods they might use to exploit vulnerabilities
From this research, security objectives can be determined and the security functional requirements established to mitigate the threats. Arm has developed example threat models, available to download via the PSA resources page. These were created through a close analysis of three common IoT use cases. Generally applicable security principles can be derived from these analyses, and are then used to guide the development of the architecture specification documents.
The threat models have been created using an English Language Protection Profile-style approach, to establish a set of Security Functional Requirements for the Target of Evaluation (TOE). Each profile considers the functional description, the TOE, and the necessary security requirements. The documentation is intended to make threat modeling more accessible and more useable by engineers, regardless of whether they have prior security knowledge or expertise. An example of a high-level analysis is illustrated below.
Phase 2: Architect with architecture specifications
Following analysis of a device, security recommendations are generated based on the value of the device assets and the list of potential attacks that threaten those assets. Phase two focuses on creating a system architecture that is capable of delivering the security requirements, and describes this architecture in the PSA specifications.
The PSA specifications consist of a suite of connected documents, as follows:
- PSA Security Model – Foundational trust models and patterns
- Factory Initialization – Requirements for initial secure device programming and configuration (yet to be available)
- Trusted Base System Architecture – Hardware platform requirements
- Trusted Boot and Firmware Update
- Firmware Framework – Firmware interface definition of a Secure Processing
- Environment for constrained IoT platforms, including PSA Root of Trust APIs
- Developer APIs – Interfaces to security services for application developers
Phase 3: Implement with Trusted Firmware-M
Trusted Firmware-M (TF-M) is a reference implementation of the PSA specifications, for IoT devices based on M-Profile platforms. The implementation for Arm Cortex-M processors leverages Arm’s TrustZone technology. TF-M is an open source, open governance project and is available at www.trustedfirmware.org, alongside the existing Trusted Firmware-A project that targets Cortex-A-powered mobile devices. Other ecosystem partners may provide other implementations.
Phase 4: Certify with PSA certified PSA functional API certification
The certify stage uses the PSA Certified scheme to provide independent security evaluation of PSA-based IoT systems. PSA Certified is an independent security testing program devised by several companies that make up the PSA Joint Stakeholder Agreement members. PSA Certified enables IoT chipsets and devices to be tested in laboratory conditions, to evaluate their level of security, and to help developers and customers trust that they can achieve the level of security they need. Working with leading test labs, PSA Certified provides multi-level assurance for devices, depending on the security requirements established through analysis of threats for a specific use case. There are two types of certification: Multi-level Security Certification and Functional API Certification. PSA Certified provides a multi-level assurance and robustness scheme, to meet the security needs of specific use cases. The certification scheme uses independent test labs to review the security requirements of the generic parts of IoT platforms and system-on-chips. There are three progressive levels of security certification:
LEVEL 1: THE FOUNDATION OF PSA CERTIFIED
Achieving the first level of PSA Certified requires completion of a critical security questionnaire, based on PSA security model goals and IoT threat models. There are different forms depending on if you are a chip maker, OS provider or device maker and, once complete, the questionnaire is reviewed alongside a PSA Certified lab check of your product.
LEVEL 2: LAB-BASED EVALUATION
level 2 is aimed at chip makers and includes a 25-day lab-based evaluation against the PSA Root of Trust (PSA-RoT) protection profile. This time-limited evaluation makes the scheme affordable and efficient, and tests for both software and light-weight hardware attacks.
LEVEL 3: CURRENTLY UNDER DEVELOPMENT
Level 3 will support more extensive attacks, such as side channel and physical tamper, and it will come to market in the near future. There is also room for additional device-level evaluation, such as market vertical-specific devices. We will share more information on this later in the year.
Conclusion
IoT devices present multiple threat surfaces for hackers who want to use compromised devices such as access to IoT networks, applications and corporate resources. Among mitigation techniques, secure boot appears to be a critical element in a broader security strategy. However, implementing appropriate and customized software tests for the hardware used can ensure greater security through Platform Security Architecture (PSA). PSA brings together industry best practices to form a holistic set of architecture documentation, analysis and security requirements, along with an implementation of the open source reference firmware. Reducing the fragmentation of low-level security, through Arm's tools, enables the development of a safe ecosystem that works for everyone: silicon partners, OEMs, platform owners, service providers, consumers and the wider community of developers. We invite the Arm ecosystem to develop and expand our work on PSA and Trusted Firmware-M.