Inferensys

Glossary

Platform Security Architecture (PSA)

Platform Security Architecture (PSA) is an ARM-led industry framework providing threat models, security specifications, and open-source firmware to enable secure-by-design connected devices.
Governance lead reviewing model governance framework on laptop, policy documents visible, executive office setup.
SECURITY FRAMEWORK

What is Platform Security Architecture (PSA)?

Platform Security Architecture (PSA) is an Arm-led industry framework that provides a holistic set of threat models, security specifications, and open-source firmware to enable the design of secure, connected devices from the ground up.

Platform Security Architecture (PSA) is an open, system-wide security framework developed by Arm and its partners to provide a structured methodology for building secure connected devices, particularly Internet of Things (IoT) and embedded systems. It defines a common set of security goals, threat models, and hardware/software specifications to establish a root of trust and a consistent security baseline across diverse silicon platforms. The framework is built upon three core components: a set of threat models for analyzing device risks, a multi-level security specification for hardware and firmware, and the open-source Trusted Firmware-M (TF-M) reference implementation.

For TinyML deployment on microcontrollers, PSA provides critical guidance for securing the model inference pipeline, update mechanisms, and sensitive data. It mandates isolation for secure services, cryptographic primitives for authenticated encryption and firmware attestation, and secure lifecycle states. By implementing PSA, developers can systematically address threats like side-channel attacks and fault injection, ensuring that resource-constrained devices running machine learning workloads maintain integrity, confidentiality, and a secure foundation for Secure Over-the-Air (SOTA) updates.

PLATFORM SECURITY ARCHITECTURE

Key Components of the PSA Framework

The ARM Platform Security Architecture (PSA) provides a holistic, standardized framework for building secure connected devices. It is structured around four foundational pillars that guide development from threat analysis to certification.

SECURITY MECHANISM

How PSA Works: Implementing a Chain of Trust

Platform Security Architecture (PSA) establishes security through a verifiable sequence of hardware and software components, each validating the next before execution.

The chain of trust begins at power-on with a Hardware Root of Trust, an immutable silicon feature that performs the first cryptographic measurement. This root verifies the initial bootloader's digital signature before allowing it to execute. The verified bootloader then authenticates the next stage, typically the Trusted Firmware-M (TF-M) runtime, which in turn validates the application firmware. This sequential verification ensures that only authorized, unaltered code runs, blocking malware from the earliest possible moment.

This layered process extends beyond boot. The Trusted Execution Environment (TEE) established by TF-M provides runtime isolation for security services like secure storage, cryptography, and firmware attestation. For updates, Secure Over-the-Air (SOTA) protocols use this chain to authenticate new firmware images before installation, preventing downgrade attacks. The entire architecture is defined by PSA's threat models and specifications, providing a blueprint for building secure-by-design connected devices.

CERTIFICATION FRAMEWORK

PSA Certification Levels

A comparison of the four progressive assurance levels defined by the Platform Security Architecture framework, detailing the security objectives, evaluation rigor, and target device types for each.

Feature / RequirementLevel 1 (PSA Certified)Level 2Level 3Level 4

Primary Security Objective

Protection against software attacks

Protection against scalable software attacks

Protection against physical attackers with some expertise

Protection against sophisticated physical attackers

Evaluation Rigor

Documented security analysis (self-assessment)

Laboratory-based vulnerability assessment

Enhanced laboratory-based penetration testing

Formal evaluation against a recognized scheme (e.g., SESIP, Common Criteria)

Hardware Isolation (TEE/TrustZone)

Secure Boot (Immutable Root of Trust)

Cryptographic Key Storage & Operations

Software-based

Hardware-isolated (e.g., PSA RoT)

Hardware-isolated with side-channel resistance

Hardware-isolated with advanced side-channel & fault injection resistance

Secure Firmware Update (SOTA)

Integrity & authenticity verification

Integrity, authenticity, and confidentiality

Integrity, authenticity, confidentiality, and anti-rollback

Integrity, authenticity, confidentiality, anti-rollback, and resilience to complex network attacks

Unique Device Identity

Attestation (Proof of Device Integrity)

Protection of Stored Secrets

Basic software protection

Hardware-backed isolation

Hardware-backed with tamper detection/response

Hardware-backed with advanced tamper detection/response and secure deletion

Target Device Examples

Simple sensors, basic IoT nodes

Smart home devices, connected sensors

Payment terminals, industrial gateways, medical sensors

Critical infrastructure, automotive systems, high-value asset trackers

Certification Audit

PSA Certified - Self-assessed questionnaire

PSA Certified - Lab tested by a PSA Qualified Lab

PSA Certified - Lab tested by a PSA Qualified Lab

PSA Certified - Evaluated by a PSA Certified Lab against a PSA-defined Protection Profile

SECURITY FRAMEWORK

PSA Applications in TinyML and Embedded AI

The Platform Security Architecture (PSA) provides a foundational security framework for resource-constrained devices. These cards detail its specific applications in securing TinyML and embedded AI workloads.

02

Tamper-Resistant Inference Execution

PSA ensures the integrity of the inference runtime itself, guaranteeing that model execution has not been subverted by malware or fault injection attacks.

  • Trusted Firmware-M (TF-M) provides a secure, isolated environment to run inference kernels.
  • Memory Protection Units (MPUs) enforce strict boundaries, preventing other processes from reading or modifying the model's activations or intermediate tensors during computation.
  • Control Flow Integrity (CFI) can be applied to the inference engine to prevent code-reuse attacks.
  • This protects against attacks designed to manipulate model outputs (e.g., causing a vision model to misclassify a stop sign).
03

Secure Sensor Data Ingestion

For TinyML systems, the integrity of input sensor data is paramount. PSA frameworks secure the data pipeline from the physical sensor to the model input.

  • Establishes a chain of trust starting at the sensor or IO peripheral, ensuring raw data (audio, accelerometer, image) has not been spoofed or altered in transit.
  • Uses hardware-enforced secure channels or Authenticated Encryption for data passing between sensor hubs and the main application processor.
  • Mitigates attacks where an adversary feeds maliciously crafted sensor data to trigger incorrect or dangerous model behavior.
04

PSA Certified for Compliance & Assurance

The PSA Certified program provides a multi-level assurance framework (Level 1-3) that allows IoT and TinyML device makers to demonstrate robust security to customers and regulators.

  • Level 1 (Basic): Threat model and security analysis documentation.
  • Level 2 (Medium): Lab-based evaluation of the PSA Root of Trust implementation.
  • Level 3 (High): In-depth lab evaluation of the entire device's resistance to sophisticated physical attacks.
  • Using a PSA Certified chip or SDK simplifies compliance with regulations like the EU Cyber Resilience Act and provides a verifiable security claim.
05

Secure Model Updates & Lifecycle Management

PSA enables secure Over-the-Air (OTA) updates for TinyML models, a core requirement for maintaining and improving deployed AI systems.

  • Secure Boot and Firmware Attestation verify the authenticity and integrity of the entire update package before installation.
  • Update payloads (new model weights) are encrypted and signed using keys derived from the device's Hardware Root of Trust.
  • Anti-rollback mechanisms prevent attackers from reverting a device to a vulnerable older model version.
  • This creates a trusted pipeline for deploying model patches, retrained versions, or new capabilities to a fielded device fleet.
06

Foundations for Federated Edge Learning

PSA provides the essential security primitives required for privacy-preserving, decentralized training paradigms like Federated Learning on edge devices.

  • Trusted Execution Environment (TEE) provides a secure enclave where local model training or fine-tuning can occur, isolating sensitive user data.
  • Secure cryptographic operations (using Lightweight Cryptography or ECC) are used to encrypt the model updates (gradients) before they are sent to the aggregation server.
  • Remote Attestation allows the central server to verify that the participating edge device is running genuine, unmodified firmware, ensuring the integrity of the federated learning process.
PLATFORM SECURITY ARCHITECTURE

Frequently Asked Questions

Platform Security Architecture (PSA) is an ARM-led industry framework that provides a holistic set of threat models, security specifications, and open-source firmware to enable the design of secure, connected devices from the ground up.

Platform Security Architecture (PSA) is an industry-standard security framework, led by Arm, that provides a structured methodology for building hardware-rooted security into resource-constrained IoT and embedded devices. It works by defining a comprehensive, multi-stage process: first, it provides standardized threat models and security analyses for common device profiles; second, it delivers a set of hardware and firmware security specifications (PSA Certified) that define requirements for a Root of Trust; and third, it supplies reference open-source firmware, Trusted Firmware-M (TF-M), which implements critical security services like secure boot, cryptography, and attestation. This layered approach ensures devices are designed with security as a foundational property, not an afterthought.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.