TF-M key storage security/threat model on nrf91

Hi

As far as I understand it, TF-M stores symmetric keys unencrypted on flash in the nrf91, and then uses other means (like flash read protection and trustzone) to keep the keys secret. Is this therefore vulnerable decapping attacks, where one could directly read out the flash?

The nRF chips have no protection against decapping attacks.

Also, assuming that code execution was possible by an attacker in the secure world, would they be able to access the keys in the device by reading them through the NVM controller, or is there some other hardware level protection in place for the flash?

If you are able to access your data from your code the Secure world, an attacker with code execution can do the same.

----------------------------------------------------------------------------------------------------------------------------

I should mention that for the TF-M Secure world, the Internal Trusted Storage (ITS) driver is used to read/write from the "secure flash"(flash only available from the secure world).
I have not tried to read the "secure flash" with our NVMC driver, but it matters little if ITS or NVMC driver has to be used; An attacker with Secure World code execution rights could do any of those.

In nRF Connect SDK 2.0.0, we will introduce the new experimental feature Encrypted ITS, which will encrypt data before storing it with ITS.
The encryption keys for this will be stored in the KMU.
But I do not think Encrypted ITS would protect against the cases you describe either.

Regards,
Sigurd Hellesvik

Hi

As far as I understand it, TF-M stores symmetric keys unencrypted on flash in the nrf91, and then uses other means (like flash read protection and trustzone) to keep the keys secret. Is this therefore vulnerable decapping attacks, where one could directly read out the flash?

The nRF chips have no protection against decapping attacks.

Also, assuming that code execution was possible by an attacker in the secure world, would they be able to access the keys in the device by reading them through the NVM controller, or is there some other hardware level protection in place for the flash?

If you are able to access your data from your code the Secure world, an attacker with code execution can do the same.

----------------------------------------------------------------------------------------------------------------------------

I should mention that for the TF-M Secure world, the Internal Trusted Storage (ITS) driver is used to read/write from the "secure flash"(flash only available from the secure world).
I have not tried to read the "secure flash" with our NVMC driver, but it matters little if ITS or NVMC driver has to be used; An attacker with Secure World code execution rights could do any of those.

In nRF Connect SDK 2.0.0, we will introduce the new experimental feature Encrypted ITS, which will encrypt data before storing it with ITS.
The encryption keys for this will be stored in the KMU.
But I do not think Encrypted ITS would protect against the cases you describe either.

Regards,
Sigurd Hellesvik