Security acronyms and definitions

Revision as of 19:33, 16 November 2023 by Registered User (Escoda Michael moved page Security:Security Acronyms to Security:Security acronyms and definitions)

1. Security acronyms

Acronyms Definition Comment
ADAC Authentication Debug Access Control Arm® protocol specification that allows a target to securely authenticate a debug host.
AEAD Authenticated Encryption with Associated Data -
AES Advanced Encryption Standard -
ARoT Application Root of Trust -
ASS Additional Secure Services Part of the secure manager
BL Bootloader -
CLI Command-Line Interface -
CM Contract Manufacturer -
DA Debug Authentication Process based on ADAC protocol.
DAP Debug Access Port -
DFU Device Firmware Update For example through USB.
DHUK Derived Hardware Unique Key 256 bits, Unique Key based on the device Root HUK, not accessible by software, debug, or test mode.
DUA Device Unique Authentication pre-provisioned keys/certificates.
ECC Error Code Correction -
ECC Elliptic Curve Cryptography -
ECDSA Elliptic Curve Digital Signature Algorithm Public Key Crypto, asym keys, variant of DSA but with shorter key.
EPOCH-NS / -S Nonsecure/Secure Monotonic Counter Avoid key reuse, or control regression.
FWU Firmware Update -
GSS Generic Secure Services Part of the secure manager
GTZC Global TrustZone® Controller -
HDP Hide Protection Hide and protect the secure user memory.
HDPL Hardware Protection Level. Temporal isolation levels (controlled by a monotonic counter); HDPL0: RSS (never erased); HDPL1: iRot, HDPL2: Urot, HDPL3: Appli.
HSM Hardware Security Module Can be programmed by the Trusted Package Creator
HUK Hardware Unique Key -
IA Initial Attestation -
IPC Inter Processor Communication -
ITS Internal Trusted Storage API that permits to write data in a trusted storage.
KDF Key Derivation Function Taking as input RHUK & TrustZone® state & Key Usage State) to generate the DHUKy.
KMOD Key Mode Key uses the state mode
KMS Key Management Services -
MPU Memory Protection Unit -
NS Non-Secure -
NSPE Non Secure Processing Environment -
OBK Option Byte Key -
OBKeys Option Byte Keys hardware secure storage.
OEM Original Equipment Manufacturer -
OEM-CM Original Equipment Manufacturer Contract Manufacturer -
OEMiRoT Original Equipment Manufacturer immutable Root of Trust First boot stage developped by OEM, located in user flash and used instead of STiROT
OEMuRoT Original Equipment Manufacturer updatable Root of Trust Second boot stage developped by OEM
PKA Public Key Algorithm Also named asymmetric algorithm.
PRoT PSA Root of Trust -
PSA Platform Security Architecture -
PSA level Arm® Security standard certification Level one to three, PSA level three (physical attack robustness).
RDP Readout Protection Level zero (no protection), level one (enabled), level two (read protection and debugger deactivated).
RHUK Root Hardware Unique Key 256 bits, immutable, nonvolatile used to create DHUK, never used as it is.
RoT Root of Trust -
RSS Root Security System Embedded in System Memory
RSSFS Root Security System First Stage Embedded in System Memory
SAES Secure Advanced Encryption System Side channel attack resistant.
SB Secure Boot -
SBSFU Secure Boot Secure Firmware Update -
SESIP Security Evaluation Standard for IOT Platform Level one to five, SESIP3 > PSA level two, SESIP4/5 for secure element/smart card.
SFI Secure Firmware Install For L462 delivered in RDP1, the 42k secure bootloader is erased at the end of SFI.
SM Secure Manager ST updatable Secure Framework
SMAK Secure Manager Access Kit -
SMDK Secure Module Development Kit -
SMI Secure Module Install -
SMU Secure Module Update -
SPE Secure Processing Environment -
SSFI Secure ST Firmware Install -
STiRoT ST immutable Root of Trust Software Located in system flash immutable, first boot stage
STuRoT ST updatable Root of Trust -
TF-M Trusted Firmware Trusted Firmware for cortex M, Open source software Arm® framework.
TLV Type Length Value Containing image metadata placed at the end of the image.
TPC Trusted Package Creator ST provided tool.
TZ TrustZone® -
UBE Unique Boot Entry Option byte for boot path selection.
URoT Updatable Root of Trust Software located in user flash, second boot stage, see STuRoT and OEMuRoT
WM Watermark -
WRP Write Protection -
XIP eXecute In Place -
XO eXecute Only -

2. Security definitions

Name Definition Comment
Active slot User flash slot where code is executed. -
Download slot User flash slot where code is downloaded to be later installed in active slot. -
Primary slot Same definition as active slot. MCUboot naming
Secondary slot Same definition as download slot. MCUboot naming
Update agent Software running on nonsecure domain responsible of the firmware update procedure. -