doc: tfm: move overview to a separate page

greg-fer · greg-fer · commit b32e03197f10 · 2025-03-26T15:20:49.000+01:00
Moved the Overview section of the TF-M doc to a separate page.
Moved the PSA Certified API page one level up.
Added information about security services supported by minimal build.
NCSDK-32307, NCSDK-15032, and NCSDK-9188.

Signed-off-by: Grzegorz Ferenc &lt;Grzegorz.Ferenc@nordicsemi.no&gt;
diff --git a/doc/nrf/links.txt b/doc/nrf/links.txt
@@ -235,6 +235,9 @@
 .. _`crypto.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/master/interface/include/psa/crypto.h
 .. _`protected_storage.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/master/interface/include/psa/protected_storage.h
 .. _`initial_attestation.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/main/interface/include/psa/initial_attestation.h.in
+.. _`tfm_platform_api.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/main/interface/include/tfm_platform_api.h
+.. _`tfm_ioctl_core_api.h`: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/main/platform/ext/target/nordic_nrf/common/core/services/include/tfm_ioctl_core_api.h
+.. _`tfm_ioctl_api.h`: https://github.com/nrfconnect/sdk-nrf/blob/main/include/tfm/tfm_ioctl_api.h
 
 .. ### Source: arm-software.github.io, armmbed.github.io
 
@@ -245,8 +248,8 @@
 .. _`Key Identifiers`: https://arm-software.github.io/psa-api/crypto/1.1/api/keys/ids.html#key-identifiers
 .. _`Keystore Interface`: https://arm-software.github.io/psa-api/crypto/1.1/overview/goals.html#a-keystore-interface
 .. _`PSA Cryptography API 1.0.1`: https://armmbed.github.io/mbed-crypto/1.0.1/html/index.html
+.. _`PSA Certified Crypto API 1.0.0`: https://arm-software.github.io/psa-api/crypto/1.0/IHI0086-PSA_Cryptography_API-1.0.0.pdf
 .. _`PSA Certified Crypto API 1.2.1`: https://arm-software.github.io/psa-api/crypto/1.2/
-.. _`PSA Certified Crypto API 1.2 PAKE Extension Final 1`: https://arm-software.github.io/psa-api/crypto/1.2/ext-pake/
 .. _`PSA functions for key management`: https://arm-software.github.io/psa-api/crypto/1.1/api/keys/management.html
 
 .. _`PSA Certified Secure Storage API`: https://arm-software.github.io/psa-api/storage/
@@ -485,6 +488,7 @@
 .. _`TF-M Secure Interrupt Integration`: https://docs.nordicsemi.com/bundle/ncs-latest/page/tfm/integration_guide/tfm_secure_irq_integration_guide.html
 .. _`TF-M Secure Partition Manager`: https://docs.nordicsemi.com/bundle/ncs-latest/page/tfm/design_docs/services/secure_partition_manager.html
 .. _`TF-M Inter-Process Communication`: https://docs.nordicsemi.com/bundle/ncs-latest/page/tfm/design_docs/services/tfm_psa_inter_process_communication.html
+.. _`FF-M Isolation Rules`: https://docs.nordicsemi.com/bundle/ncs-latest/page/tfm/design_docs/ff_isolation.html
 
 .. _`HCI Events`: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrfxlib/softdevice_controller/doc/api.html#hci_events
 
diff --git a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst
@@ -142,6 +142,7 @@ Security
     * Support for Ed25519ph(HashEdDSA) to CRACEN.
     * Documentation page about the :ref:`ug_tfm_architecture`.
     * Documentation page about the :ref:`ug_psa_certified_api_overview`.
+    * Documentation page about the :ref:`ug_tfm_supported_services`.
 
   * Updated:
 
diff --git a/doc/nrf/releases_and_maturity/software_maturity.rst b/doc/nrf/releases_and_maturity/software_maturity.rst
@@ -1930,11 +1930,13 @@ Trusted Firmware-M support
 
 .. toggle::
 
+   .. tfm_ncs_profiles_support_table_start
+
    .. list-table::
       :widths: auto
       :header-rows: 1
 
-      * -
+      * - Profile
         - nRF52810
         - nRF52811
         - nRF52820
@@ -1950,7 +1952,7 @@ Trusted Firmware-M support
         - nRF9151
         - nRF9160
         - nRF9161
-      * - **Full build**
+      * - :ref:`Configurable <ug_tfm_supported_services_profiles_configurable>`
         - --
         - --
         - --
@@ -1966,7 +1968,7 @@ Trusted Firmware-M support
         - Experimental
         - Experimental
         - Experimental
-      * - **Minimal Build**
+      * - :ref:`Minimal <ug_tfm_supported_services_profiles_minimal>`
         - --
         - --
         - --
@@ -1985,6 +1987,10 @@ Trusted Firmware-M support
 
    | [1]: The attestation service is not supported.
 
+    .. tfm_ncs_profiles_support_table_end
+
+   For more information about supported TF-M features in the |NCS|, see :ref:`ug_tfm_supported_services`.
+
 .. _software_maturity_security_features_psa:
 
 PSA Crypto support
diff --git a/doc/nrf/security.rst b/doc/nrf/security.rst
@@ -64,6 +64,7 @@ Some of them are documented in detail in other parts of this documentation, whil
    :maxdepth: 2
    :caption: Subpages:
 
+   security/psa_certified_api_overview
    security/ap_protect
    security/tfm/index
    security/trusted_storage
diff --git a/doc/nrf/security/images/psa_certified_api_general.png b/doc/nrf/security/images/psa_certified_api_general.png
diff --git a/doc/nrf/security/images/psa_certified_api_lib_selection.svg b/doc/nrf/security/images/psa_certified_api_lib_selection.svg
diff --git a/doc/nrf/security/psa_certified_api_overview.rst b/doc/nrf/security/psa_certified_api_overview.rst
@@ -45,6 +45,34 @@ Using the PSA Certified APIs has the following benefits:
 * Flexible and scalable - The various use cases supported ensure that the PSA Certified APIs can be used across multiple devices, from very simple ones to more complex systems.
 * Future-proof - PSA Certified APIs are designed to be updated over time as security threats evolve, ensuring that devices remain secure throughout their lifecycle.
 
+.. _ug_psa_certified_api_overview_supported_apis:
+
+Supported PSA Certified APIs
+============================
+
+The following table provides an overview of the PSA Certified APIs support status in the |NCS|:
+
+.. list-table:: PSA Certified APIs support in the |NCS|
+   :header-rows: 1
+   :widths: auto
+
+   * - PSA Certified API
+     - Support status in the |NCS|
+     - Latest version supported
+   * - `PSA Certified Crypto API`_
+     - Supported
+     - | `PSA Certified Crypto API 1.2.1`_ for :ref:`nRF54L cryptography <ug_nrf54l_cryptography>` and :ref:`nrf_security` builds without TF-M
+       | `PSA Certified Crypto API 1.0.0`_ for builds with TF-M
+   * - `PSA Certified Attestation API`_
+     - Supported
+     - `PSA Certified Attestation API 1.0`_
+   * - `PSA Certified Secure Storage API`_
+     - Supported
+     - `PSA Certified Secure Storage API 1.0`_
+   * - `PSA Certified Firmware Update API`_
+     - Not supported
+     - n/a
+
 .. _ug_psa_certified_api_overview_crypto:
 
 PSA Crypto API
diff --git a/doc/nrf/security/tfm/index.rst b/doc/nrf/security/tfm/index.rst
@@ -12,26 +12,30 @@ Nordic Semiconductor recommends following `Platform Security Architecture (PSA)`
 Trusted Firmware-M (TF-M) is the reference implementation of PSA, which follows `PSA Certified IoT Security Framework`_ for securing connected devices.
 For more information about the framework, see the :ref:`ug_psa_certified_api_overview` page.
 
-TF-M provides a reference design of a Secure Processing Environment (SPE) for Arm M-profile architectures.
-The SPE relies on security by separation to protect sensitive assets and code.
-TF-M also provides security services to the application, such as Protected Storage, Cryptography, and Attestation.
+TF-M provides a reference design of a Trusted Execution Environment (TEE) for Arm M-profile architectures.
+Using a highly configurable set of software components, it creates the Secure Processing Environment (SPE), which relies on security by separation to protect sensitive assets and code.
+TF-M also provides a set of secure runtime services to the application, such as Protected Storage, Cryptography, and Attestation.
+Additionally, secure boot through MCUboot in TF-M ensures integrity of runtime software and supports firmware upgrade.
 
 `ARM TrustZone`_ technology included in Nordic Semiconductor's SoCs that implement the Armv8-M architecture (such as nRF5340, the nRF54L Series or the nRF91 Series) provides hardware-enforced separation of the Secure and Non-secure Processing Environments (SPE and NSPE, respectively) into Trusted and Non-Trusted worlds.
 
+The TF-M implementation in the |NCS| is demonstrated in the following samples:
+
+* All :ref:`tfm_samples` in this SDK
+* All :ref:`cryptography samples <crypto_samples>` in this SDK
+* A series of :zephyr:code-sample-category:`tfm_integration` samples available in Zephyr (these include :ref:`ug_tfm_supported_services_tfm_services` from the |NCS| when they are built from the |NCS| context)
+
 Starting from the |NCS| v2.0.0, TF-M is enabled by default for applications and samples that support hardware-enforced separation of the SPE and the NSPE.
+In addition, the TF-M implementation is used in all samples and applications in this SDK that support the ``*/ns`` :ref:`variant <app_boards_names>` of the boards, due to :ref:`Cortex-M Security Extensions (CMSE) <app_boards_spe_nspe>` support.
 
 The pages in this section describe the architecture and configuration of TF-M in the |NCS|.
-For more information about TF-M, see the `Trusted Firmware-M documentation <TF-M documentation_>`_, which is oriented towards TF-M developers.
-
-.. important::
-   Currently, only the :ref:`Minimal TF-M configuration <tfm_minimal_build>` is :ref:`supported <software_maturity_security_features_tfm>` in the |NCS|.
-   Configuring TF-M to use features beyond the minimal configuration (with so called :ref:`tfm_configurable_build`) is :ref:`experimental <software_maturity_security_features_tfm>`.
+For more information about TF-M, see the `Trusted Firmware-M documentation <TF-M documentation_>`_, which is oriented towards TF-M implementation developers.
 
 .. toctree::
    :maxdepth: 2
    :caption: Subpages:
 
+   tfm_supported_services
    tfm_architecture
    processing_environments
-   psa_certified_api_overview
    tfm
diff --git a/doc/nrf/security/tfm/tfm.rst b/doc/nrf/security/tfm/tfm.rst
@@ -9,46 +9,10 @@ Configuring applications for Trusted Firmware-M
 
 On nRF5340, nRF54L15 and nRF91 Series devices, Trusted Firmware-M (TF-M) is used to configure and boot an application as non-secure.
 
-Overview
-********
+.. _ug_tfm_building:
 
-TF-M is the reference implementation of `Platform Security Architecture (PSA)`_.
-
-It provides a highly configurable set of software components to create a Trusted Execution Environment.
-This is achieved by a set of secure run time services such as Secure Storage, Cryptography, Audit Logs, and Attestation.
-Additionally, secure boot through MCUboot in TF-M ensures integrity of runtime software and supports firmware upgrade.
-
-.. note::
-   Only the TF-M :ref:`minimal build <tfm_minimal_build>` implementation in the |NCS| is currently :ref:`supported <software_maturity_security_features_tfm>`.
-   Support for TF-M with minimal version *disabled* in the |NCS| is :ref:`experimental <software_maturity_security_features_tfm>`.
-
-For official documentation, see the `TF-M documentation`_.
-
-The TF-M implementation in |NCS| is demonstrated in the following samples:
-
-* All :ref:`tfm_samples` in this SDK
-* All :ref:`cryptography samples <crypto_samples>` in this SDK
-* A series of :zephyr:code-sample-category:`tfm_integration` samples available in Zephyr
-
-In addition, the TF-M implementation is used in all samples and applications in this SDK that support the ``*/ns`` :ref:`variant <app_boards_names>` of the boards, due to :ref:`Cortex-M Security Extensions (CMSE) <app_boards_spe_nspe>` support.
-
-Limitations
-===========
-
-The following limitations apply to TF-M and its usage:
-
-* Firmware Update service is not supported.
-* The following crypto modules or ciphers are not supported:
-
-  * AES output feedback (AES-OFB) mode.
-  * AES cipher feedback (AES-CFB) mode.
-
-* Isolation level 3 is not supported.
-* In Isolation level 2 (and 3), the number of peripherals configured as secure in Application Root of Trust (ARoT) is limited by the number of available MPU regions.
-* Nordic Semiconductor devices only support the GCC toolchain for building TF-M.
-
-Building
-********
+Building with TF-M
+******************
 
 TF-M is one of the images that are built as part of a multi-image application.
 
@@ -85,18 +49,13 @@ See :ref:`tfm_partition_crypto` for more information about the TF-M Crypto parti
 Minimal build
 =============
 
-The default configuration of TF-M has all supported features enabled, which results in a significant memory footprint.
-For this reason, the |NCS| provides a minimal version of the TF-M secure application, which shows how to configure a reduced version of TF-M.
-
-The secure services supported by this minimal version allow for:
+.. include:: tfm_supported_services.rst
+   :start-after: minimal_build_overview_start
+   :end-before: minimal_build_overview_end
 
-* Generating random numbers using the CryptoCell peripheral.
-* Using the :ref:`platform services <ug_tfm_services_platform>`.
-* Reading secure memory from the non-secure application (strictly restricted to a list of allowed addresses).
-  Depending on the device, this lets you read metadata in the bootloader, verify FICR or UICR values, or access a peripheral that is secure-only.
-* Rebooting from the non-secure side.
+The minimal build uses an image of around 32 kB.
+It is set with the :kconfig:option:`CONFIG_TFM_PROFILE_TYPE_MINIMAL` Kconfig option that is enabled by default on the nRF53 and nRF91 Series devices.
 
-The minimal version is set with the :kconfig:option:`CONFIG_TFM_PROFILE_TYPE_MINIMAL` Kconfig option, which is enabled by default on the nRF53 Series and nRF91 Series devices.
 With the minimal build, the configuration of TF-M is severely limited.
 Hence, it is not possible to modify the TF-M minimal configuration to create your own variant of the minimal configuration.
 Instead, the default configuration must be used as a starting point.
@@ -106,8 +65,9 @@ Instead, the default configuration must be used as a starting point.
 Configurable build
 ==================
 
-The configurable build is the full TF-M implementation that lets you configure all of its features.
-It does not come with the constraints of the minimal build.
+.. include:: tfm_supported_services.rst
+   :start-after: configurable_build_overview_start
+   :end-before: configurable_build_overview_end
 
 To enable the configurable, full TF-M build, make sure the following Kconfig options are configured:
 
@@ -379,6 +339,8 @@ See :ref:`lib_tfm_ioctl_api` for more information about APIs available for the n
 
 For more information about the general features of the TF-M Platform partition, see `TF-M Platform`_.
 
+.. _ug_tfm_services_its:
+
 Internal Trusted Storage service
 ================================
 
@@ -721,6 +683,8 @@ The available space for the non-secure application has increased by 0x10000 byte
 
    For devices that are intended for production and meant to be updated in the field, you should always use static partitions to ensure that the partitions are not moved around in the flash memory.
 
+.. _ug_tfm_services_initial_attestation:
+
 Initial Attestation service
 ===========================
 
diff --git a/doc/nrf/security/tfm/tfm_architecture.rst b/doc/nrf/security/tfm/tfm_architecture.rst
@@ -161,17 +161,17 @@ Isolation Levels
 The TF-M architecture figure at the top of this page uses several lines as connectors and separators.
 These lines represent the isolation levels between different parts of the SPE and between the SPE and the NSPE.
 
-The following table describes the isolation levels in the TF-M architecture, based on the `Trusted Base System Architecture for M (TBSA-M) Specification`_ (section 4.3).
+The following table describes the isolation levels in the TF-M architecture, based on the `Trusted Base System Architecture for M (TBSA-M) Specification`_ (section 4.3) and the `FF-M Isolation Rules`_.
 
 .. list-table::
    :header-rows: 1
 
    * - Isolation Level
      - Description
    * - Level 1
-     - | SPE isolation
+     - | Two security domains
        |
-       | Two security domains
+       | SPE isolation
        |
        | SPE is protected from access by Non-Secure application firmware and hardware.
    * - Level 2
@@ -181,9 +181,9 @@ The following table describes the isolation levels in the TF-M architecture, bas
        |
        | In addition to Level 1, the Platform RoT is also protected from access by the Application RoT.
    * - Level 3
-     - | Maximum firmware isolation
+     - | Three or more security domains
        |
-       | Three or more security domains
+       | Maximum firmware isolation
        |
        | In addition to Level 2, each Secure Partition is sandboxed and only permitted to access its own resources.
        | This protects each Secure Partition from access by other Secure Partitions and protects the SPM from access by any Secure Partition.
@@ -193,3 +193,4 @@ In other words:
 * Level 1 Isolation is the Secure/Non-Secure separation described in the :ref:`ug_tfm_architecture_spe_nspe` section.
 * Level 2 Isolation means that the :ref:`ug_tfm_architecture_rot_services_application` are *unable* to access other parts of the SPE.
 * Level 3 Isolation means that the Application RoT Services are unable to access other parts of the SPE *and* other Application RoT Services.
+  Level 3 Isolation is :ref:`not supported <ug_tfm_supported_services_isolation>` in the |NCS|.
diff --git a/doc/nrf/security/tfm/tfm_supported_services.rst b/doc/nrf/security/tfm/tfm_supported_services.rst
