PSA Certified Level 1 Questionnaire Versions and Composition

PSA Certified Level 1

The PSA Certified Level 1 questionnaire provides evidence that security by design principles have been used in the development of an IoT device, system software or chip. The latest version of the questionnaire has been developed to enable device makers to choose certified system software and use a different PSA Certified chip for production. This useful capability is called flexible composition and is explained below.

The evaluation options are defined in the PSA Certified Level 1 Questionnaire version 2.1 (JSADEN001 v2.1), specifically in section 2.4. Below we outline the evaluation routes in the questionnaire and refer to this document when option numbers are provided.

Key Benefits of Using PSA Certified Level 1 (Version 2.1)

The easiest route for a device maker to achieve Level 1 certification is to use already certified system software and certified silicon. In this case, they only have to answer the ~20 questions at the device level, making the process easier and quicker. A device maker is likely to want to use a different PSA Certified chip to the one used to certify the system software so PSA Certified Level 1 questionnaire v2.1 has been designed to enable this more flexible composition of certificates. To support this, the system software and device sections of the questionnaire have been adapted to assess correct use of the PSA-RoT, rather than assessing the implementation on a specific chip.

How the Process Works

Chip Evaluations

Chip evaluations are unaffected by this new composition model in the PSA Certified Level 1 Questionnaire version 2.1. However, the PSA founding members recommend use of the latest questionnaire version where possible.

System Software Evaluations

For system software evaluations, there are two options depending on whether the chip being used to answer the questionnaire has already been certified or not. To enable device makers to consume the system software certifications via either route and use a different valid PSA Certified chip it is advantageous for the system software certification to only use the basic PSA-RoT security functions (see notes on “Valid PSA Certified chip” below).

Device Evaluations

There are four options for the device maker described in the PSA Certified Level 1 Questionnaire v2.1 (JSADEN001 v2.1):

1. On PSA Certified system software with a valid PSA Certified chip* other than that named in the system software certificate. This flexible composition option is available if the system software has been certified using v2.1 (or newer) questionnaire using either system software evaluation options (2a or 2b)
2. On PSA Certified system software with the chip named in the system software certificate
3. On uncertified system software with a PSA Certified chip. The evaluation must include the system software part
4. If the chip is neither a valid PSA Certified chip (it does not have its own certificate) nor the chip named in any certificate for the system software¹ then the evaluation must include both the system software and the chip parts

If the device manufacturer wishes to use a chip that was certified on previous versions of the questionnaire, please be aware that the requirements for the PSA-RoT have grown since the first PSA Certified Level 1 evaluations in February 2019. The device’s use of the PSA-RoT is checked in PSA Certified Level 1 device questions. It is recommended that the device maker ensures that these requirements can be met with the target chip and their configuration of the software prior to starting the questionnaire.

Flexible composition using the valid PSA Certified chip other than that named in the system software certificate (evaluation option 3ai) relies on the interchangeability of the chip level PSA-RoT. Typically, this means that the alternate PSA Certified chip must support at least the same PSA-RoT functionality as the chip named in the system software certificate.

If the PSA Certified system software relies on chip-level security functionality in addition to that required for the PSA-RoT then the alternative chip must provide at least the same additional functionality. In practice, this is likely to mean that such compositions may be difficult.

A device certificate is specific to the selected system software and chip; changing the system
software or chip will require recertification.

Historical Versions of the Questionnaire and Composition

Earlier versions of the questionnaire were more restrictive; they certified the combination of the RTOS/software platform on a named chip and only that combination was valid.

For example, the description of composition in PSA Certified Level 1 v1.0 states …

“The RTOS Vendor has to use an already certified chip. Reuse of an existing RTOS certificate on a different chip requires another evaluation, but it should be a straightforward step if the new chip complies similarly to the Chip Vendors requirements for the other chip (i.e. same requirements fulfilled, with a similar implementation).
The OEM has to use an already certified RTOS (and thus on an already certified chip). The certificate is only valid for the device composed of the selected chip, RTOS and integrated OEM software.”

Which Version Should I Use?

The PSA Certified Founding Members, also known as the JSA members, recommend using version 2.1 (v2.1) of the PSA Certified Level 1 questionnaire for all new certifications. However, developers can continue to use version 2.0 if they wish in accordance with the PSA JSA policy of having the two most recent versions of the questionnaire available for certification.

1: A System software certificate is only applicable with a valid PSA Certified chip or the chip named in the certificate.