Industry Expert Blogs
Arm security APIs now open to contributionsNicolas Devillard, Security Architect - Arm Inc.
Jan 10, 2023
Arm has opened contributions to PSA Certified APIs on GitHub: a range of embedded software APIs designed to ease industry collaboration around best practices and software standards. The APIs target security integrations for billions of IoT applications running on ultra-constrained devices typically powered by Arm MCU processors and provide open standards for more secure software development. They have the backing of PSA Certified, a security framework certifying silicon, software, and devices across the industry.
The work is also part of the Arm Centauri project, a recent initiative making IoT development easier and faster. This project builds architecture agnostic standards that enable interoperability and a fast track to best practice for software developers, across the full range of low-power Arm-based devices. Centauri relies on PSA Certified APIs for everything related to security and provides the other pieces of the puzzle for standardizing APIs to commonly used hardware.
Developers creating ultra-constrained devices have many system software options available to consider. There are hundreds of real-time operating systems, libraries, and peripherals to choose from.
While diversity is good for software, fragmentation does not help when establishing common best practices around security. Arm's initiative through PSA Certified APIs is to level the field for the integration of Roots of Trust, by providing a common set of low-level, standard APIs that are likely to help implement secure operations on those devices.
PSA Certified APIs define a set of functions and symbols in C, providing common services for embedded systems regardless of the underlying hardware. Those API sets are split into four chapters:
- Crypto API defines how to achieve basic crypto operations.
- Attestation API defines an attestation token and a generation function.
- Storage API defines a small set of get and set functions to securely store data.
- Firmware Update API defines a flow for securely updating firmware.
Arm started working on the definition of the APIs in 2018, gathering inputs from partners to ensure all topics are correctly covered and they can be implemented in software and/or hardware. The API specifications have been public for a few years now. Today we are proud to open them up on github.com for anyone wishing to contribute, correct bugs, suggest new functions, or address new topics around security for ultra-constrained devices.
Documentation is available from https://arm-software.github.io/psa-api/
The GitHub repository can be found at: https://github.com/ARM-software/psa-api
As a reminder: the APIs are not architecture-specific, they can be implemented on any microcontroller. We already have a reference implementation of the Crypto API inside the Mbed TLS project and all PSA Certified APIs in TF-M.
Partners implementing their own solutions behind the APIs can validate their compliance to the specification by running our PSA Certified API Compliance suite, available from GitHub. PSA Certified delivers compliance certificates which can be used to showcase your products by displaying the logo on your product site.
PSA Certified APIs define a contract between developers seeking to use secure services and vendors of secure solutions. Please have a look at those specifications and come help us steer them towards something that will change the way secure firmware is developed.
Developers working on more powerful A-class systems may be interested to know that the PSA Certified Crypto API has been made available as a Linux micro-service running in user-space. A similar open-source initiative, PARSEC, fully implemented in Rust, makes the same APIs available in Rust and various other programming languages. Crypto services are handed over to crypto capability providers like a TPM, a secure element, a partition running in a trusted execution environment, or just a crypto software library running in user-space.
This is good news to everyone who has ever had to deal with painful crypto integrations. These APIs are not just one more standard, they aim to fundamentally solve the Crypto API issues that have plagued security developers for more than two decades.