Platform Security Architecture (PSA) is an open, system-wide security framework developed by Arm and its partners to provide a structured methodology for building secure connected devices, particularly Internet of Things (IoT) and embedded systems. It defines a common set of security goals, threat models, and hardware/software specifications to establish a root of trust and a consistent security baseline across diverse silicon platforms. The framework is built upon three core components: a set of threat models for analyzing device risks, a multi-level security specification for hardware and firmware, and the open-source Trusted Firmware-M (TF-M) reference implementation.
Glossary
Platform Security Architecture (PSA)

What is Platform Security Architecture (PSA)?
Platform Security Architecture (PSA) is an Arm-led industry framework that provides a holistic set of threat models, security specifications, and open-source firmware to enable the design of secure, connected devices from the ground up.
For TinyML deployment on microcontrollers, PSA provides critical guidance for securing the model inference pipeline, update mechanisms, and sensitive data. It mandates isolation for secure services, cryptographic primitives for authenticated encryption and firmware attestation, and secure lifecycle states. By implementing PSA, developers can systematically address threats like side-channel attacks and fault injection, ensuring that resource-constrained devices running machine learning workloads maintain integrity, confidentiality, and a secure foundation for Secure Over-the-Air (SOTA) updates.
Key Components of the PSA Framework
The ARM Platform Security Architecture (PSA) provides a holistic, standardized framework for building secure connected devices. It is structured around four foundational pillars that guide development from threat analysis to certification.
How PSA Works: Implementing a Chain of Trust
Platform Security Architecture (PSA) establishes security through a verifiable sequence of hardware and software components, each validating the next before execution.
The chain of trust begins at power-on with a Hardware Root of Trust, an immutable silicon feature that performs the first cryptographic measurement. This root verifies the initial bootloader's digital signature before allowing it to execute. The verified bootloader then authenticates the next stage, typically the Trusted Firmware-M (TF-M) runtime, which in turn validates the application firmware. This sequential verification ensures that only authorized, unaltered code runs, blocking malware from the earliest possible moment.
This layered process extends beyond boot. The Trusted Execution Environment (TEE) established by TF-M provides runtime isolation for security services like secure storage, cryptography, and firmware attestation. For updates, Secure Over-the-Air (SOTA) protocols use this chain to authenticate new firmware images before installation, preventing downgrade attacks. The entire architecture is defined by PSA's threat models and specifications, providing a blueprint for building secure-by-design connected devices.
PSA Certification Levels
A comparison of the four progressive assurance levels defined by the Platform Security Architecture framework, detailing the security objectives, evaluation rigor, and target device types for each.
| Feature / Requirement | Level 1 (PSA Certified) | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
Primary Security Objective | Protection against software attacks | Protection against scalable software attacks | Protection against physical attackers with some expertise | Protection against sophisticated physical attackers |
Evaluation Rigor | Documented security analysis (self-assessment) | Laboratory-based vulnerability assessment | Enhanced laboratory-based penetration testing | Formal evaluation against a recognized scheme (e.g., SESIP, Common Criteria) |
Hardware Isolation (TEE/TrustZone) | ||||
Secure Boot (Immutable Root of Trust) | ||||
Cryptographic Key Storage & Operations | Software-based | Hardware-isolated (e.g., PSA RoT) | Hardware-isolated with side-channel resistance | Hardware-isolated with advanced side-channel & fault injection resistance |
Secure Firmware Update (SOTA) | Integrity & authenticity verification | Integrity, authenticity, and confidentiality | Integrity, authenticity, confidentiality, and anti-rollback | Integrity, authenticity, confidentiality, anti-rollback, and resilience to complex network attacks |
Unique Device Identity | ||||
Attestation (Proof of Device Integrity) | ||||
Protection of Stored Secrets | Basic software protection | Hardware-backed isolation | Hardware-backed with tamper detection/response | Hardware-backed with advanced tamper detection/response and secure deletion |
Target Device Examples | Simple sensors, basic IoT nodes | Smart home devices, connected sensors | Payment terminals, industrial gateways, medical sensors | Critical infrastructure, automotive systems, high-value asset trackers |
Certification Audit | PSA Certified - Self-assessed questionnaire | PSA Certified - Lab tested by a PSA Qualified Lab | PSA Certified - Lab tested by a PSA Qualified Lab | PSA Certified - Evaluated by a PSA Certified Lab against a PSA-defined Protection Profile |
PSA Applications in TinyML and Embedded AI
The Platform Security Architecture (PSA) provides a foundational security framework for resource-constrained devices. These cards detail its specific applications in securing TinyML and embedded AI workloads.
Tamper-Resistant Inference Execution
PSA ensures the integrity of the inference runtime itself, guaranteeing that model execution has not been subverted by malware or fault injection attacks.
- Trusted Firmware-M (TF-M) provides a secure, isolated environment to run inference kernels.
- Memory Protection Units (MPUs) enforce strict boundaries, preventing other processes from reading or modifying the model's activations or intermediate tensors during computation.
- Control Flow Integrity (CFI) can be applied to the inference engine to prevent code-reuse attacks.
- This protects against attacks designed to manipulate model outputs (e.g., causing a vision model to misclassify a stop sign).
Secure Sensor Data Ingestion
For TinyML systems, the integrity of input sensor data is paramount. PSA frameworks secure the data pipeline from the physical sensor to the model input.
- Establishes a chain of trust starting at the sensor or IO peripheral, ensuring raw data (audio, accelerometer, image) has not been spoofed or altered in transit.
- Uses hardware-enforced secure channels or Authenticated Encryption for data passing between sensor hubs and the main application processor.
- Mitigates attacks where an adversary feeds maliciously crafted sensor data to trigger incorrect or dangerous model behavior.
PSA Certified for Compliance & Assurance
The PSA Certified program provides a multi-level assurance framework (Level 1-3) that allows IoT and TinyML device makers to demonstrate robust security to customers and regulators.
- Level 1 (Basic): Threat model and security analysis documentation.
- Level 2 (Medium): Lab-based evaluation of the PSA Root of Trust implementation.
- Level 3 (High): In-depth lab evaluation of the entire device's resistance to sophisticated physical attacks.
- Using a PSA Certified chip or SDK simplifies compliance with regulations like the EU Cyber Resilience Act and provides a verifiable security claim.
Secure Model Updates & Lifecycle Management
PSA enables secure Over-the-Air (OTA) updates for TinyML models, a core requirement for maintaining and improving deployed AI systems.
- Secure Boot and Firmware Attestation verify the authenticity and integrity of the entire update package before installation.
- Update payloads (new model weights) are encrypted and signed using keys derived from the device's Hardware Root of Trust.
- Anti-rollback mechanisms prevent attackers from reverting a device to a vulnerable older model version.
- This creates a trusted pipeline for deploying model patches, retrained versions, or new capabilities to a fielded device fleet.
Foundations for Federated Edge Learning
PSA provides the essential security primitives required for privacy-preserving, decentralized training paradigms like Federated Learning on edge devices.
- Trusted Execution Environment (TEE) provides a secure enclave where local model training or fine-tuning can occur, isolating sensitive user data.
- Secure cryptographic operations (using Lightweight Cryptography or ECC) are used to encrypt the model updates (gradients) before they are sent to the aggregation server.
- Remote Attestation allows the central server to verify that the participating edge device is running genuine, unmodified firmware, ensuring the integrity of the federated learning process.
Frequently Asked Questions
Platform Security Architecture (PSA) is an ARM-led industry framework that provides a holistic set of threat models, security specifications, and open-source firmware to enable the design of secure, connected devices from the ground up.
Platform Security Architecture (PSA) is an industry-standard security framework, led by Arm, that provides a structured methodology for building hardware-rooted security into resource-constrained IoT and embedded devices. It works by defining a comprehensive, multi-stage process: first, it provides standardized threat models and security analyses for common device profiles; second, it delivers a set of hardware and firmware security specifications (PSA Certified) that define requirements for a Root of Trust; and third, it supplies reference open-source firmware, Trusted Firmware-M (TF-M), which implements critical security services like secure boot, cryptography, and attestation. This layered approach ensures devices are designed with security as a foundational property, not an afterthought.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Platform Security Architecture (PSA) is built upon and integrates with several foundational hardware and software security concepts. These related terms define the critical components that compose a PSA-aligned secure system.
Hardware Root of Trust
An immutable, hardware-based security foundation within a system-on-chip that performs the initial trusted measurement and verification of system software. It establishes a chain of trust for all subsequent operations, including booting the Trusted Firmware-M (TF-M) specified by PSA. This is typically implemented via a Secure Boot ROM or a Physical Unclonable Function (PUF).
Trusted Execution Environment (TEE)
A secure, isolated area of a main processor that provides a protected space for the execution of sensitive code and the handling of confidential data. In the PSA model, this is the Secure World created by technologies like ARM TrustZone-M. It isolates the Trusted Firmware-M runtime and secure services (crypto, attestation) from the non-secure application code in the Normal World.
Secure Boot
A hardware-enforced security mechanism that ensures a device executes only cryptographically signed and verified firmware during its initial startup sequence. PSA mandates Secure Boot as the first step in its chain of trust. Each stage (Boot ROM → TF-M → Application) verifies the digital signature of the next before execution, preventing the loading of malicious or tampered firmware.
Firmware Attestation
A security process where a device cryptographically proves the integrity and authenticity of its currently running firmware to a remote verifier. PSA defines a standard attestation token format and protocol. The device uses its Hardware Root of Trust to sign a report of its software state, allowing a cloud service to verify it is running a genuine, unmodified PSA-compliant firmware stack.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us