1. Introduction

1.1. About Platform Security Architecture

This document is one of a set of resources provided by Arm that can help organizations develop products that meet the security requirements of PSA Certified on Arm-based platforms. The PSA Certified scheme provides a framework and methodology that helps silicon manufacturers, system software providers and OEMs to develop more secure products. Arm resources that support PSA Certified range from threat models, standard architectures that simplify development and increase portability, and open-source partnerships that provide ready-to-use software. You can read more about PSA Certified here at www.psacertified.org and find more Arm resources here at developer.arm.com/platform-security-resources.

1.2. About the Crypto API

The interface described in this document is a PSA Certified API, that provides a portable programming interface to cryptographic operations, and key storage functionality, on a wide range of hardware.

The interface is user-friendly, while still providing access to the low-level primitives used in modern cryptography. It does not require that the user has access to the key material. Instead, it uses opaque key identifiers.

You can find additional resources relating to the Crypto API here at arm-software.github.io/psa-api/crypto, and find other PSA Certified APIs here at arm-software.github.io/psa-api.

This document includes:

• A rationale for the design. See Design goals.

• A high-level overview of the functionality provided by the interface. See Functionality overview.

• A description of typical architectures of implementations for this specification. See Sample architectures.

• General considerations for implementers of this specification, and for applications that use the interface defined in this specification. See Implementation considerations and Usage considerations.

• A detailed definition of the API. See Library management reference, Key management reference, and Cryptographic operation reference.

PSA Certified Crypto API 1.1 PAKE Extension [PSA-PAKE] is a companion document for version 1.1 of this specification. [PSA-PAKE] defines a new API for Password Authenticated Key Establishment (PAKE) algorithms. The PAKE API is an initial proposal at BETA status. The API defined by [PSA-PAKE] is provided in a separate specification to reflect the different status of this API, and indicate that a future version can include incompatible changes to the PAKE API. When the PAKE API is stable, it will be included in a future version of the Crypto API specification.

In future, other companion documents will define profiles for this specification. A profile is a minimum mandatory subset of the interface that a compliant implementation must provide.