Platform Security Architecture (PSA)¶

PSA Certified APIs are open-source programming interfaces that provide developers with a trusted code base that complies with platform security specifications. The APIs are designed to be easy to use and provide interfaces to basic security functions, such as secure storage, crypto, and attestation.

PSA Certified APIs also create a consistent interface to the underlying Root of Trust hardware, allowing software vendors to easily port to multiple chips and chips to port to multiple software platforms. PSA Cryptography API provides encrypt/decrypt, sign/verify, key management and derivation, hash, RNG, and key storage services with support for different key lifetime policies.

Note

Key derivation is not yet supported.

SimpleLink API to PSA Mapping¶

Note

The PSA wrapper does not require any crypto driver instances to be added to Sysconfig. If the developer wants to use the LAES engine, then the crypto driver instances are needed.

SimpleLink API		PSA API
AESCMAC_init + SHA2_init + ECDH_init + AESCBC_init + AESECB_init, AESCTR_init + AESCCM_init + AESGCM_init, ECDSA_init + EDDSA_init + TRNG_init		psa_crypto_init
N/A		psa_key_attributes_init
N/A		psa_get_key_attributes
N/A		psa_reset_key_attributes
N/A		psa_set_key_type
N/A		psa_get_key_bits
N/A		psa_set_key_bits
N/A		psa_set_key_lifetime
N/A		psa_get_key_lifetime
N/A		psa_set_key_id
N/A		psa_get_key_id
N/A		psa_set_key_algorithm
N/A		psa_get_key_algorithm
N/A		psa_set_key_usage_flags
N/A		psa_get_key_usage_flags
N/A		psa_import_key
TRNG_generateKey		psa_generate_key
N/A		psa_copy_key
N/A		psa_destroy_key
N/A		psa_purge_key
N/A		psa_export_key
N/A		psa_export_public_key
Message Digests Supported Algorithms: PSA_ALG_SHA_224 PSA_ALG_SHA_256 PSA_AL_SHA_384 PSA_ALG_SHA_512 Unsupported Algorithms: PSA_ALG_MD2 PSA_ALG_MD4 PSA_ALG_MD5 PSA_ALG_RIPEMD160 PSA_ALG_SHA_1 PSA_ALG_SHA_512_224 PSA_ALG_SHA_512_256 PSA_ALG_SHA3_256 PSA_ALG_SHA3_384 PSA_ALG_SHA3_512 PSA_ALG_SM3
SHA2_hashData		psa_hash_compute
SHA2_hashData + Assertion		psa_hash_compare
N/A		psa_hash_operation_init
SHA2_setHashType		psa_hash_setup
SHA2_addData		psa_hash_update
SHA2_finalize		psa_hash_finish
SHA2_finalize + Assertion		psa_hash_verify
SHA2_cancelOperation		psa_hash_abort
SHA2_cancelOperation Note: HSM SHA2 driver may store a full block of data for finalization. This is not supported by the PSA API specification for psa_hash_suspend. PSA_ERROR_NOT_SUPPORTED will be returned in this particular case. Hash suspend/resume with an unprocessed data with an unprocessed data length of 0 to (block_size - 1) will be supported.		psa_hash_suspend
N/A		psa_hash_resume
SHA2_construct with another instance with the same setup.		psa_hash_clone
Message Authentication Codes (MAC) Unsupported Algorithms: PSA_ALG_HMAC (coming in future release) PSA_ALG_CMAC (coming in future release) PSA_ALG_CBC_CMAC (coming in future release)
KeyStore_PSA_initKey + SHA2_hmac/AESCMAC_oneStepSign	psa_mac_compute
KeyStore_PSA_initKey + SHA2_hmac/AESCMAC_oneStepVerify	psa_mac_verify
N/A	psa_mac_operation_init
KeyStore_PSA_initKey + (SHA2_setupHmac + SHA2_setHashType) AESCMAC_setupSign	psa_mac_sign_setup
SHA2_setupHmac + SHA2_setHashType/ AESCMAC_setupVerify	psa_mac_verify_setup
SHA2_addData AESCMAC_addData	psa_mac_update
SHA2_finalizeHmac AESCMAC_finalize	psa_mac_sign_finish
SHA2_finalizeHmac AESCMAC_finalize	psa_mac_verify_finish
SHA2_reset AESCMAC_cancelOperation	psa_mac_abort
Unauthenticated Ciphers: Supported Algorithms: PSA_ALG_ECB_NO_PADDING Unsupported Algorithms: PSA_ALG_STREAM_CIPHER PSA_ALG_CFB PSA_ALG_OFB PSA_ALG_XTS PSA_ALG_CBC_PKCS7 PSA_ALG_CBC_NO_PADDING (coming in future release) PSA_ALG_CTR (coming in future release)
KeyStore_PSA_initKey + AESECB_oneStepEncrypt AESCBC_oneStepEncrypt AESCTR_setupEncrypt	psa_cipher_encrypt
KeyStore_PSA_initKey + AESECB_oneStepDecrypt AESCBC_oneStepDecrypt AESCTR_setupDecrypt	psa_cipher_decrypt
N/A	psa_cipher_operation_init
KeyStore_PSA_initKey + AESECB_setupEncrypt AESCBC_setupEncrypt AESCTR_setupEncrypt	psa_cipher_encrypt_setup
KeyStore_PSA_initKey + AESECB_setupDecrypt AESCBC_setupDecrypt AESCTR_setupDecrypt	psa_cipher_decrypt_setup
TRNG_getRandomBytes + AESCBC_setIV AESCTR_setupEncrypt + AESCTR_setupDecrypt	psa_cipher_generate_iv
AESCBC_setIV	psa_cipher_set_iv
AESECB_addData AESCBC_addData AESCTR_addData	psa_cipher_update
AESECB_finalize AESCBC_finalize AESCTR_finalize	psa_cipher_finish
AESECB_cancelOperation AESCBC_cancelOperation AESCTR_cancelOperation	psa_cipher_abort
Authenticated Encryption with Associated Data (AEAD) Supported Algorithms: PSA_ALG_CCM PSA_ALG_AEAD_WITH_SHORTENED_TAG Unsupported Algorithms: PSA_ALG_GCM (coming in future release) PSA_ALG_CHACHA20_POLY1305
KeyStore_PSA_initKey + AESCCM_Operation_init AESGCM_Operation_init AESGCM_oneStepEncrypt AESCCM_oneStepEncrypt	psa_aead_encrypt
KeyStore_PSA_initKey + AESCCM_Operation_init AESGCM_Operation_init AESGCM_oneStepDecrypt AESCCM_oneStepDecrypt	psa_aead_decrypt
N/A	psa_aead_operation_init
AESCCM_setupEncrypt AESGCM_setupEncrypt KeyStore_PSA_initKey	psa_aead_encrypt_setup
AESCCM_setupDecrypt AESGCM_setupDecrypt KeyStore_PSA_initKey	psa_aead_decrypt_setup
AESCCM_setLengths AESGCM_setLengths	psa_aead_set_lengths
TRNG_getRandombytes	psa_aead_generate_nonce
AESCCM_setNonce AESGCM_setIV	psa_aead_set_nonce
AESCCM_addAAD AESGCM_addAAD	psa_aead_update_ad
AESCCM_addData AESGCM_addData	psa_aead_update
AESCCM_finalizeEncrypt AESGCM_finalizeEncrypt	psa_aead_finish
AESCCM_finalizeDecrypt AESGCM_finalizeDecrypt + Assertion of tag	psa_aead_verify
AESCMM_close + AESCCM_open AESGCM_close + AESGCM_open	psa_aead_abort
Key Derivation Supported Algorithms: N/A Unsupported Algorithms: PSA_ALG_HKDF PSA_ALG_TLS12_PRF PSA_ALG_TLS12_PSK_TO_MS
N/A	psa_key_derivation_operation_init
N/A	psa_key_derivation_setup
N/A	psa_key_derivation_get_capacity
N/A	psa_key_derivation_set_capacity
N/A	psa_key_derivation_input_bytes
N/A	psa_key_derivation_input_key
N/A	psa_key_derivation_output_bytes
N/A	psa_key_derivation_output_key
N/A	psa_key_derivation_abort
Asymmetric Signature Supported Algorithms: PSA_ALG_ECDSA Supported Curves: NIST P224 NIST P256 NIST P384 NIST P521 Brainpool P256R1 Brainpool P384R1 Brainpool P512R1 Curve25519 Unsupported Algorithms: PSA_ALG_ED25519PH (coming in future release) PSA_ALG_DETERMINISTIC_ECDSA PSA_ALG_RSA_PKCS1V15_SIGN PSA_ALG_RSA_PKCS1V15_SIGN_RAW PSA_ALG_RSA_PSS
KeyStore_PSA_initKey EDDSA_sign ECDSA_sign + Sha2_hashData	psa_sign_message
KeyStore_PSA_initKey ECDSA_verify + Sha2_hashData	psa_verify_message
KeyStore_PSA_initKey ECDSA_sign	psa_sign_hash
KeyStore_PSA_initKey ECDSA_verify	psa_verify_hash
No Support	psa_asymmetric_encrypt
No Support	psa_asymmetric_decrypt
ECDH_computerShareSecret + KeyStore_PSA_initKey + CryptoKeyPlaintext_initKey	psa_raw_key_agreement
TRNG_getRandomBytes	psa_generate_random
N/A	psa_key_derivation_key_agreement