Version 1.3.0
New major features
Support stateless RoT Service defined in FF-M 1.1 1.
Support Second-Level Interrupt Handling (SLIH) defined in FF-M 1.1 1.
Add Firmware Update (FWU) secure service, following Platform Security Architecture Firmware Update API 2.
Migrate to Mbed TLS v2.25.0.
Update MCUboot version to v1.7.2.
Add a TF-M generic threat model 3 .
Implement Fault Injection Handling library to mitigate physical attacks 4.
Add Profile Large 5.
Enable code sharing between boot loader and TF-M 6.
Support Armv8.1-M Privileged Execute Never (PXN) attribute and Thread reentrancy disabled (TRD) feature.
New platforms added. See New platforms supported for details.
Add a TF-M security landing page 7.
Enhance dual-cpu non-secure mailbox reference implementation.
New security advisories
Invoking secure functions from non-secure handler mode
Refer to Advisory TFMV-2 for more details. The mitigation is included in this release.
New platforms supported
Cortex-M23 based system:
Cortex-M55 based system:
Secure Enclave system:
Musca-B1 Secure Enclave (deprecated after TF-M v1.6.0).
Deprecated platforms
The following platforms have been removed from TF-M code base.
SSE-200_AWS
AN539
See Platform deprecation and removal for other platforms under deprecation process.
Tested platforms
The following platforms are successfully tested in this release.
AN519
AN521
AN524
AN547
LPCXpresso55S69
MPS2 SSE300
Musca-B1
Musca-B1 Secure Enclave
Musca-S1
M2351
M2354
nrf5340dk
nrf9160dk
NUCLEO-L552ZE-Q
PSoC 64
STM32L562E-DK
Known issues
Some open issues exist and will not be fixed in this release.
Descriptions |
Issue links |
PSA Arch Crypto test suite have several known failures.
|
See this link for detailed analysis of the failures. |
Protected Storage Regression test 4001 is stuck on SSE-300 in isolation
level 2 when PXN is enabled.
|
|
IPC Regression test fail when non-secure regression test is enabled and
secure regression test is disabled.
|
|
Panic test in PSA Arch IPC test suite generates inconsistent results
between Armclang and GNUARM.
|
Issues fixed since 1.2.0
Issues fixed by TF-M since v1.2.0 are listed below.
Descriptions |
Issue links |
Dual-cpu NS mailbox initialization shall be executed after CMSIS-RTOS
RTX kernel initialization
|
Issues closed since 1.2.0
The following issues are closed since v1.2.0. These issues are related to platform hardware limitations or 3rd-party tools and therefore won’t be fixed by TF-M.
Descriptions |
Issue links |
psa_verify_rsa() fails when PSA Crypto processes RSASSA-PSSalgorithm in CryptoCell-312.
Mbed TLS implementation of
psa_verify_rsa() always passesMBEDTLS_MD_NONE to mbedtls_rsa_rsassa_pss_verify() .However, CryptoCell-312 doesn’t support MD5 and uses other algorithms
instead. Therefore, Mbed TLS implementation may fail when input
algorithm doesn’t match other parameters.
|
|
Regression tests fail with GNU Arm Embedded toolchain version
10-2020-q4-major.
The support for CMSE feature is broken in version 10-2020-q4-major. The
fix will be available in future release version.
A note is added in Install a toolchain.
|