Platform Security Architecture

The Platform Security Architecture (PSA) is a holistic set of threat models, security analyses, hardware and firmware architecture specifications, and an open source firmware reference implementation. PSA provides a recipe, based on industry best practice, that allows security to be consistently designed in, at both a hardware and firmware level.

PSA is a contribution from Arm to the entire IoT ecosystem, from chip designers and device developers to cloud and network infrastructure providers and software vendors.

PSA is scalable for all connected devices, offering common ground rules and a more economical approach to building more secure devices.

If you’re ready to get started, access PSA resources now.

Visit PSA resources

Four key phases of PSA 

Analyze

The analyze phase offers a set of freely available example threat models and security analyses (TMSA) for three common IoT use cases. The goal of this stage is to analyze the threats that have the potential to compromise your device and generate a set of security requirements, based on the risks.

Architect

The architect phase contains a set of freely available hardware and firmware specifications that allow you to design-in the necessary security requirements for your device. These specifications include the PSA Security Model (PSA-SM), Trusted Base System Architecture for M-Profile (TBSA-M), PSA Firmware Framework (PSA-FF), Trusted Boot Firmware Update (TBFU). The PSA Security Model provides important terminology and methodology for PSA and informs the use of the other PSA specifications.

Implement

The implement phase provides an open source firmware reference implementation, APIs and an API test suite. Trusted Firmware-M is a reference implementation of secure world software. It provides SoC developers and OEMs with a reference trusted code base that complies with the PSA specifications.

Additionally, there are three sets of PSA APIs: PSA Developer APIs for RTOS and software developers, PSA Firmware Framework APIs for security specialists, and TBSA APIs for silicon manufacturers.

Certify

The certify phase, known as PSA Certified™, is an independent testing scheme developed by Arm and its security partners. The scheme is split into two key areas: PSA Functional API Certification and PSA Certified.

PSA Functional API Certification checks that software uses PSA interfaces correctly, through an API test suite.

PSA Certified consists of three progressive levels of assurance and robustness, enabling device makers to choose solutions appropriate to their use case.


Visit PSA Resources

PSA security framework

  • PSA Functional API Certification checks compliance to PSA architectural specifications.
  • PSA Certified tests that the correct level of security robustness has been implemented, as defined by the analyze phase.

Platform Security Architecture security evaluation block diagram.

Platform Security Architecture Information Block Diagram.

Standardized isolation

  • Designed to secure low cost IoT devices, where a full Trusted Execution Environment (TEE) would not be appropriate
  • PSA protects sensitive assets (keys, credentials and firmware) by separating these from the application firmware and hardware
  • PSA defines a Secure Processing Environment (SPE) for this data, the code that manages it and its trusted hardware resources
  • PSA is architecture agnostic and can be implemented on Cortex-M, Cortex-R and Cortex-A-based devices
  • The initial focus is Cortex-M-based devices

Platform Security Architecture Standardized Interfaces Diagram.

Standardized interfaces

  • PSA specifies interfaces to decouple components:
    • Enables reuse of components in other device platforms
    • Reduces integration effort
  • Partners can provide alternative implementations:
    • Necessary to address different cost, footprint, regulatory or security needs
  • PSA provides an architectural specification:
    • Hardware, firmware and process requirements and interfaces
Example of IoT device implementation diagram

Example of IoT device implementation

  • OEMs can choose their preferred implementations.
  • Trusted Firmware-M will be a new OSS project:
    • To reduce rework across our partners
    • To speed up device or component validation against standards such as Common Criteria EAL
  • Open to any RTOS and other partners

Want to know more about Security on Arm?

Learn more

Get support

Arm support

Arm training courses and on-site system-design advisory services enable licensees to realize maximum system performance with lowest risk and fastest time-to-market.

Arm training courses  Open a support case

Community Blogs

Blog post image
Unlocking new smart metering opportunities with eSIM

This blog explores the opportunities for cellular technology to enable connectivity for smart meters, along with some of the hurdles to overcome and the offering from Arm Kigen SIM solutions.

19 hours ago by Jean-Philippe Betoin
Blog post image
Accelerating innovation: Enabling IIoT at the device edge with Machbase and…

Learn how Machbase’s Arm-based technology is transforming the future of IIoT with advanced edge compute in an interview with Machbase CEO Andrew Kim.

1 months ago by Chris Shore
Blog post image
The Role of Physical Security in IoT

Physical security, also known as silicon or hardware security, involves securing the silicon element of a system. This blog explores the different physical attacks and Arm IP on offer as a counter-measure.

2 months ago by Kobus Marneweck
2
Blog post image
MWC19: The Important Connection Between eSIM and 5G

5G was a major theme at MWC 2019, we look at how eSIM supports the growth of 5G along with the momentum of Arm Kigen eSIM and iSIM technology.

2 months ago by Oxana Latypova
Blog post image
The highlights for Pelion IoT Platform at MWC 2019

Pelion activities at Mobile World Congress 2019 summarised in one blog.

2 months ago by Kristen
Blog post image
Mobile World Congress 2019: Secret Accounts, Robot Teachers and Retiring at…

MWC has chosen the theme of Intelligent Connectivity this year. At face value, it is an obvious choice given the explosion of what I call the Fifth Wave of Computing i.e. the combined impact of IoT, AI and 5G.

2 months ago by Simon Segars

Community Forums

Answered Where do I find presentations and photos from SC'18? 1 votes 892 views 0 replies Started 5 months ago by John Linford Answer this
Not answered Create standalone function to be loaded into Code memory 0 votes 13 views 0 replies Started 8 hours ago by RSB Answer this
Suggested answer Modify SP register and PC register in Cortex-M1 using Keil
  • R15 (PC Program Counter)
  • Cortex-M1
  • R13 (SP Stack Pointer)
  • Keil
 0 votes 48 views 2 replies Latest 8 hours ago by Juanea7 Answer this
Answered Load an image in QVGA format into a ARM Compute Library ICTensor.
  • Arm Compute Library (ACL)
 0 votes 420 views 1 replies Latest yesterday by Gian Marco Iodice Answer this
Suggested answer Code is not run after loading into chip 0 votes 67 views 1 replies Latest yesterday by Bojan Potocnik Answer this
Not answered What is the "Integer divide unit with support for operand-dependent early termination"? 0 votes 35 views 0 replies Started 2 days ago by jing Answer this
Answered Where do I find presentations and photos from SC'18? Started 5 months ago by John Linford 0 replies 892 views
Not answered Create standalone function to be loaded into Code memory Started 8 hours ago by RSB 0 replies 13 views
Suggested answer Modify SP register and PC register in Cortex-M1 using Keil Latest 8 hours ago by Juanea7 2 replies 48 views
Answered Load an image in QVGA format into a ARM Compute Library ICTensor. Latest yesterday by Gian Marco Iodice 1 replies 420 views
Suggested answer Code is not run after loading into chip Latest yesterday by Bojan Potocnik 1 replies 67 views
Not answered What is the "Integer divide unit with support for operand-dependent early termination"? Started 2 days ago by jing 0 replies 35 views