Mistake on this page?
Report an issue in GitHub or email us

The Mbed implementation of PSA

The Mbed implementation of the Platform Security Architecture (PSA) provides root of trust services and infrastructure for developing IoT applications.

When Mbed OS is running on a PSA Security Model compliant target, the Mbed implementation of PSA helps to protect cryptographic assets, credentials and critical code sections by providing an isolation between a Secure Processing Environment (SPE) and a Non-Secure Processing Environment (NSPE). The Secure Partition Manager (SPM), which uses the target's hardware features, manages the isolation. The SPM provides standardized Inter-Process Communication (IPC) APIs that you can use regardless of system architecture (v8M, TEE on Cortex-A) or inside another chip.

The Mbed implementation of PSA bridges the differences between PSA boards and non-PSA boards for application developers, allowing them to use the same standard PSA APIs on both board types.

The Mbed implementation of PSA allows you to choose the board type at later phase according to the final application threat model.

diagramPSA diagram


The SPM is a PSA-compliant software hypervisor that creates and manages independent secure partitions on Arm Cortex®-M microcontrollers. It increases resilience against malware and protects secrets from leaking between different modules in the same application. The SPM complements other important security features, such as safe firmware updates and secure crypto libraries.

The SPM provides hardware-enforced partitions for individual code blocks by limiting access to memories and peripherals using the existing hardware security features of the Cortex®-M microcontrollers. It isolates software in partitions, managing the execution of software within those partitions and providing IPC between the partitions. Correct use of SPM prevents malware from becoming resident on the device and enables protection of device secrets, such as cryptographic keys.

Isolating partitions in the SPE

The SPM and the secure partitions are located in the SPE, isolating them from the NSPE, which contains the application firmware, OS kernel and libraries and other nonsecure hardware resources.

A secure partition is a container for one or more root of trust services, and a board may have multiple secure partitions. Secure partitions provide the execution environment for security functionality.

Board hardware, such as the Security Attribution Unit (SAU) and Memory Protection Unit (MPU) in the ARMv8-M boards, enforces the separation of partitions. Other boards may use different mechanisms to provide equivalent isolation for the partitions.

Board types

The Mbed implementation of PSA supports the following board types:

  • Non-PSA boards: These are single core ARMv7-M targets. On these targets, the Mbed implementation of PSA provides the same PSA services exposing PSA APIs as it would on PSA targets. The PSA emulation layer allows seamless software portability to more security-oriented targets.

  • Asymmetric Multiprocessing (AMP) systems: Multicore ARMv7-M targets (for example, PSoC6 featuring CM4 and CM0+ cores). On these targets, one of the cores is dedicated to PSA use only and implements SPE. The Mbed implementation of PSA provides PSA API proxy implementation on a nonsecure core, which redirects execution to the SPE.

  • ARMv8-M: Generation of ARM processors featuring TrustZone-M architecture. PSA support for these boards is based on a specialized TrustedFirmware-M implementation.

RoT services

The Mbed implementation of PSA provides the following services:

Additional Mbed OS security APIs

Arm Mbed OS provides the following additional security APIs:

Important Information for this Arm website

This site uses cookies to store information on your computer. By continuing to use our site, you consent to our cookies. If you are not happy with the use of these cookies, please review our Cookie Policy to learn how they can be disabled. By disabling cookies, some features of the site will not work.