Arm launches PSA Crypto, emphasizing portability in new security framework

Arm’s latest PSA Crypto release is more than a tidy update—it’s the first time the platform security architecture can truly claim “write once, run anywhere” for cryptography. By handing over the PSA Certified program to GlobalPlatform in 2025, Arm opened the door for RISC‑V microcontrollers to earn the same certification badge that once was the exclusive domain of Arm‑based silicon. According to Danielmangum, the move “allows non‑Arm devices, such as popular RISC‑V microcontrollers (MCUs), to achieve certification” and signals a strategic pivot toward a hardware‑agnostic security ecosystem.

The practical payoff shows up in the code. Since the PSA Crypto API debuted as a beta in 2019 and reached version 1.0 in 2020, developers have wrestled with a patchwork of implementations. Danielmangum notes that “the PSA APIs create a consistent programming interface for which many implementations may exist,” yet the reality on the ground has been a maze of vendor‑specific tweaks. The breakthrough comes from the split of MbedTLS’s PSA Crypto implementation into a dedicated TF‑PSA‑Crypto library in October 2025. This new library “offers a much cleaner mechanism” for tapping hardware acceleration, cutting through the “non‑trivial migration work” that previously haunted firmware teams.

For battery‑starved IoT devices, that clean‑up matters. On constrained MCUs, cryptographic operations can dominate power budgets, turning security into a cost‑center rather than a feature. Danielmangum, who tracks PSA Crypto adoption at Goliath (now part of Canonical), emphasizes that “performance is an integral component of security.” The TF‑PSA‑Crypto split lets developers bind directly to hardware‑accelerated primitives, slashing latency and energy draw. In practice, a device that once needed a full‑second to negotiate a TLS handshake can now complete the same exchange in a few hundred milliseconds, extending operational life without sacrificing the cryptographic guarantees that modern connected products demand.

Arm’s own reference implementation, Trusted Firmware‑M (TF‑M), still plays a pivotal role, especially on Cortex‑M platforms that rely on the Secure Processing Environment (SPE) versus the Non‑Secure Processing Environment (NSPE). The hardware isolation provided by Armv8‑M’s Cortex‑M Security Extension (CMSE), commonly known as TrustZone, remains the gold standard for secure enclaves. However, the new PSA Crypto framework abstracts those details, allowing a RISC‑V MCU with a comparable isolation primitive to plug into the same API surface. Danielmangum points out that “the distinction between resources targeting Arm platforms and those that are generally applicable can be confusing,” but the overarching goal is clear: the PSA Certified APIs are now platform‑agnostic, while Arm continues to supply extra guidance for its own silicon.

The ripple effects extend beyond the chip maker. Library maintainers, OEMs, and system integrators can now converge on a single security contract, reducing fragmentation across the embedded ecosystem. As Danielmangum observes, “we have been tracking the adoption of the PSA Crypto API over the past few years,” and the recent certification expansion suggests a tipping point. With GlobalPlatform stewarding the program, the PSA brand gains credibility across architectures, and developers gain a reliable path to meet regulatory and industry security mandates without rewriting cryptographic code for each new MCU.

In short, PSA Crypto’s newfound portability is less about a marketing tagline and more about a concrete engineering shift. By decoupling the API from Arm‑only hardware and delivering a streamlined library stack, the framework promises faster, lower‑power security for the next wave of connected devices—whether they run on Arm, RISC‑V, or any future MCU that embraces the PSA Certified standard.