External memories use
The integrator can also choose to use external Flash or SRAM memories for its non-secure application. In the
certified configuration, however, external memories must not be used for non-secure applications.
TOE function changes
Finally, the integrator can choose to modify functions implemented in software in the TOE (for example, replacing
some cryptographic functionality with a different implementation, or removing functions of the TOE that the
application does not use in order to save memory). Any change to the software code of the TOE falls outside the
scope of this evaluation and is not the certified configuration.
4.2.2 Available interfaces and methods of use (AGD_OPE.1.2C and AGD_OPE.1.3C)
The integrator can access different interfaces to develop its product:
• Physical chip interface
• Secure image secondary slot interface
• Non‑secure image secondary slot interface
• PSA API interface
• JTAG interface
• GPIO port C pin 13, corresponding to the user button on the B-U585I-IOT02A development board
There are no particular instructions regarding effective use or security parameters under the control of the user, as
these are functional interfaces not directly related to security functionality. The TOE implements several mechanisms
to validate received inputs so that secured or privileged data and code are well protected. However,
the integrator is warned that extending the security services in the secure or unprivileged domain (the so-called
Application RoT services) may compromise any other security service or any hardware resource configured
in the secure or unprivileged domain, as there is no isolation between the secure services inside the secure or
unprivileged domain. Therefore:
• Any input received from an IoT application must be validated (bounds checking, for example) within the
Application RoT services API.
• The integrator must be aware of what data is sent to the IoT application and must ensure that there is no
unintentional leak of sensitive information.
• Properly handle errors - always check a result or status code returned by a function.
• Always initialize or clear allocated memory – do not rely on uninitialized data, and prevent leakage of residual
information.
• The API extension must not modify any global system variables. It is permitted to use only local private
variables and memory allocated or mapped by the API extension itself, and care must be taken not to reveal
sensitive system variable values (i.e. keys).
• The source code of the API extension must be reviewed and thoroughly tested.
• Static analysis tools must be used to avoid common bugs such as null pointer dereference, memory leaks,
and buffer overflows or overruns.
• A secure coding standard such as MITRE, CWE, or CERT must be used to avoid common pitfalls and to
improve code readability and maintainability.
• As the TOE is delivered as source code, as opposed to a compiled binary image, the integrator
may choose to use interfaces other than the ones described above. Using other interfaces does not fall
within the certified configuration and would constitute a failure to implement the TRUSTED_INTEGRATOR
environment objective.
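The rules above as a worked example, added here and not taken from UM2852 or TF-M: a hypothetical Application RoT service handler in C that bounds-checks its inputs, checks the status code of an inner call, keeps all state local, and clears its scratch buffer before returning. The names app_rot_mask_service, mask_in_place and MAX_MSG_LEN are assumed, and the PSA status definitions are local stand-ins for psa/error.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal local stand-ins for the psa/error.h status codes (assumption). */
typedef int32_t psa_status_t;
#define PSA_SUCCESS                ((psa_status_t)0)
#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
#define PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t)-138)
#define MAX_MSG_LEN 64u /* hypothetical upper bound for one request */

/* Clear memory through a volatile pointer so the compiler cannot drop it. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) { *v++ = 0; }
}

/* Hypothetical inner primitive standing in for a crypto call: XOR-masks
 * buf with key and reports failure through its status code. */
static psa_status_t mask_in_place(uint8_t *buf, size_t len,
                                  const uint8_t *key, size_t key_len)
{
    if (key == NULL || key_len == 0) { return PSA_ERROR_INVALID_ARGUMENT; }
    for (size_t i = 0; i < len; i++) { buf[i] ^= key[i % key_len]; }
    return PSA_SUCCESS;
}

/* Service entry point: every caller-supplied value is validated, the inner
 * status is checked, only local storage is used and it is cleared on exit. */
psa_status_t app_rot_mask_service(const uint8_t *in, size_t in_len,
                                  uint8_t *out, size_t out_size, size_t *out_len)
{
    uint8_t scratch[MAX_MSG_LEN];
    const uint8_t key[4] = {0xA5, 0x5A, 0x3C, 0xC3}; /* constructed, local only */
    psa_status_t st;

    if (in == NULL || out == NULL || out_len == NULL) { return PSA_ERROR_INVALID_ARGUMENT; }
    if (in_len > MAX_MSG_LEN) { return PSA_ERROR_INVALID_ARGUMENT; } /* bounds check */
    if (out_size < in_len) { return PSA_ERROR_BUFFER_TOO_SMALL; }
    memset(scratch, 0, sizeof scratch); /* never rely on uninitialised data */
    memcpy(scratch, in, in_len);
    st = mask_in_place(scratch, in_len, key, sizeof key);
    if (st == PSA_SUCCESS) { /* use the result only after checking the status */
        memcpy(out, scratch, in_len);
        *out_len = in_len;
    }
    secure_zero(scratch, sizeof scratch); /* no residual data left behind */
    return st;
}
```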
Physical chip interface
After each product power-on or reset (refer to RM0456 for details of the power-on and reset procedures), the TOE
starts executing the immutable TFM_SBSFU_Boot application (the code located at the fixed
secure entry point defined for the TOE), which manages the secure initialization of the platform.
UM2852
Operational guidance for the integrator role
UM2852 - Rev 1
page 14/27