PSA Certified
Firmware Update API 1.0
Document number: IHI 0093
Release Quality: Final
Issue Number: 1
Confidentiality: Non-confidential
Date of Issue: 23/9/2025
Abstract
This document defines a standard firmware interface for installing firmware updates.
Contents
- 1 Introduction
- 2 Design goals
  - 2.1 Suitable for constrained devices
  - 2.2 Updating the Platform Root of Trust
  - 2.3 Updating the Application Root of Trust
  - 2.4 Flexibility for different trust models
  - 2.5 Protocol independence
  - 2.6 Transport independence
  - 2.7 Firmware format independence
  - 2.8 Flexibility for different hardware designs
  - 2.9 Suitable for composite devices
  - 2.10 Robust and reliable update
  - 2.11 Flexibility in implementation design
- 3 Architecture
- 4 Programming model
- 5 API reference
- A Example header file
- B Example usage
- C Variation in system design parameters
- D Security Risk Assessment
  - D.1 About this assessment
  - D.2 Feature definition
  - D.3 Feature characterization
  - D.4 Threats
    - D.4.1 T.TAMPER: Tampering with the firmware image or manifest
    - D.4.2 T.NON_FUNCTIONAL: Install defective firmware
    - D.4.3 T.ROLLBACK: Install old firmware
    - D.4.4 T.SKIP_INTERMEDIATE: Skip intermediate update
    - D.4.5 T.DEGRADE_DEVICE: Repeatedly install invalid firmware
    - D.4.6 T.INTERFACE_ABUSE: Illegal inputs to the API
    - D.4.7 T.TOCTOU: Modify asset between authentication and use
    - D.4.8 T.PARTIAL_UPDATE: Trigger installation of incomplete update
    - D.4.9 T.INCOMPATIBLE: Mismatched firmware
    - D.4.10 T.DISCLOSURE: Disclosure of protected firmware
    - D.4.11 T.DISRUPT_INSTALL: Corrupt image by disrupting installer
    - D.4.12 T.DISRUPT_DOWNLOAD: Corrupt image by disrupting writes
    - D.4.13 T.FAULT_INJECTION: Verification bypass via glitching
    - D.4.14 T.SERVER: Attack from exploited update server
    - D.4.15 T.CREATOR: Attack from spoof firmware creator
    - D.4.16 T.NETWORK: Manipulate network traffic
  - D.5 Mitigation summary
- E Document change history