modules: tfm: Exclude non-secure TF-M application from build

Exclude the non-secure TF-M application from being built by TF-M. This also stops the building of the tfm_ns_api library that we were linking against. This library is defined by the tf-m regression tests. Add the installed interface source files exported by the TF-M build system compile them in the zephyr build system. Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2022-03-09 10:43:34 +01:00 · 2022-03-09 10:43:34 +01:00 · c51505f661
parent a703cbe9ce
commit c51505f661
5 changed files with 102 additions and 12 deletions
--- a/modules/trusted-firmware-m/CMakeLists.txt
+++ b/modules/trusted-firmware-m/CMakeLists.txt
@ -49,6 +49,11 @@ if (CONFIG_BUILD_WITH_TFM)
  else()
    list(APPEND TFM_CMAKE_ARGS -DBL2=FALSE)
  endif()
+  if (CONFIG_TFM_BUILD_NS)
+    list(APPEND TFM_CMAKE_ARGS -DNS=TRUE)
+  else()
+    list(APPEND TFM_CMAKE_ARGS -DNS=FALSE)
+  endif()
  if (CONFIG_TFM_ISOLATION_LEVEL)
    list(APPEND TFM_CMAKE_ARGS -DTFM_ISOLATION_LEVEL=${CONFIG_TFM_ISOLATION_LEVEL})
  endif()
@ -148,8 +153,9 @@ if (CONFIG_BUILD_WITH_TFM)

  set(VENEERS_FILE ${TFM_BINARY_DIR}/secure_fw/s_veneers.o)
  set(TFM_API_NS_PATH ${TFM_BINARY_DIR}/tf-m-tests/app/libtfm_api_ns.a)
-  set(TFM_GENERATED_INCLUDES ${TFM_BINARY_DIR}/generated/interface/include)
  set(PLATFORM_NS_FILE ${TFM_BINARY_DIR}/platform/libplatform_ns.a)
+  set(TFM_GENERATED_INCLUDES ${TFM_BINARY_DIR}/generated/interface/include)
+  set(TFM_INTERFACE_SOURCE_DIR ${TFM_BINARY_DIR}/install/interface/src)

  if (TFM_PSA_TEST_SUITE)
    set(PSA_TEST_VAL_FILE ${TFM_BINARY_DIR}/tf-m-tests/app/psa_api_tests/val/val_nspe.a)
@ -195,6 +201,25 @@ if (CONFIG_BUILD_WITH_TFM)
    ${TFM_S_SIGNED_BIN_FILE}
    ${TFM_NS_SIGNED_BIN_FILE}
    ${TFM_S_NS_SIGNED_BIN_FILE}
+
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_initial_attestation_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_firmware_update_ipc_api.c
+
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_psa_ns_api.c
+
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_initial_attestation_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_firmware_update_func_api.c
+
+    # Specific to nordic_nrf platform
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_ioctl_core_ns_api.c
    )

  # Get the toolchain variant
@ -331,12 +356,51 @@ if (CONFIG_BUILD_WITH_TFM)
    src/zephyr_tfm_log.c
    interface/interface.c
    )
+
  # Non-Secure interface to request system reboot
  if (CONFIG_TFM_PARTITION_PLATFORM AND NOT CONFIG_TFM_PARTITION_PLATFORM_CUSTOM_REBOOT)
    zephyr_library_sources(src/reboot.c)
  endif()
  zephyr_library_sources_ifndef(CONFIG_TFM_PSA_TEST_NONE src/zephyr_tfm_psa_test.c)

+  if (TFM_PSA_TEST_SUITE)
+    zephyr_library_link_libraries(
+      ${PSA_TEST_VAL_FILE}
+      ${PSA_TEST_PAL_FILE}
+      ${PSA_TEST_COMBINE_FILE}
+      )
+  endif()
+
+  if(NOT CONFIG_TFM_BUILD_NS)
+    if(CONFIG_TFM_IPC)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PLATFORM                 ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PROTECTED_STORAGE        ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_CRYPTO                   ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INITIAL_ATTESTATION      ${TFM_INTERFACE_SOURCE_DIR}/tfm_initial_attestation_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_FIRMWARE_UPDATE          ${TFM_INTERFACE_SOURCE_DIR}/tfm_firmware_update_ipc_api.c)
+
+      zephyr_library_sources(${TFM_INTERFACE_SOURCE_DIR}/tfm_psa_ns_api.c)
+    else()
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PLATFORM                 ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PROTECTED_STORAGE        ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_CRYPTO                   ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INITIAL_ATTESTATION      ${TFM_INTERFACE_SOURCE_DIR}/tfm_initial_attestation_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_FIRMWARE_UPDATE          ${TFM_INTERFACE_SOURCE_DIR}/tfm_firmware_update_func_api.c)
+    endif()
+
+    if(CONFIG_SOC_FAMILY_NRF)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PLATFORM                 ${TFM_INTERFACE_SOURCE_DIR}/tfm_ioctl_core_ns_api.c)
+    endif()
+
+  else()
+    zephyr_library_link_libraries(
+      ${TFM_API_NS_PATH}
+      ${PLATFORM_NS_FILE}
+      )
+  endif()
+
  zephyr_include_directories(
    ${TFM_GENERATED_INCLUDES}
    )
@ -346,11 +410,6 @@ if (CONFIG_BUILD_WITH_TFM)
    )

  zephyr_library_link_libraries(
-    ${PSA_TEST_VAL_FILE}
-    ${PSA_TEST_PAL_FILE}
-    ${PSA_TEST_COMBINE_FILE}
-    ${PLATFORM_NS_FILE}
-    ${TFM_API_NS_PATH}
    ${VENEERS_FILE}
    )

@ -408,7 +467,7 @@ if (CONFIG_BUILD_WITH_TFM)
  set(NS_SIGNED_FILE ${CMAKE_BINARY_DIR}/zephyr_ns_signed.hex)
  set(S_SIGNED_FILE ${CMAKE_BINARY_DIR}/tfm_s_signed.hex)

-  if (CONFIG_TFM_REGRESSION_NS)
+  if (CONFIG_TFM_USE_NS_APP)
    # Use the TF-M NS binary as the Non-Secure application firmware image
    set(NS_APP_FILE $<TARGET_PROPERTY:tfm,TFM_NS_HEX_FILE>)
  else()
@ -453,7 +512,7 @@ if (CONFIG_BUILD_WITH_TFM)
    )

  else()
-    if (CONFIG_TFM_REGRESSION_NS)
+    if (CONFIG_TFM_USE_NS_APP)
      tfm_sign(sign_cmd_ns NS TRUE ${NS_APP_FILE} ${NS_SIGNED_FILE})
    else()
      tfm_sign(sign_cmd_ns NS FALSE ${NS_APP_FILE} ${NS_SIGNED_FILE})
--- a/modules/trusted-firmware-m/Kconfig.tfm
+++ b/modules/trusted-firmware-m/Kconfig.tfm
@ -206,6 +206,31 @@ config TFM_BL2
 	  TFM is designed to run with MCUboot in a certain configuration.
 	  This config adds MCUboot to the build - built via TFM's build system.

+config TFM_BUILD_NS
+	bool "Build the TF-M Non-Secure application and libraries"
+	help
+	  Instruct the TF-M build system to build the TF-M Non-Secure
+	  application and libraries.
+
+	  This option is intended for testing purposes only, since this is the
+	  easiest way to build the TF-M regression tests application and test
+	  support libraries in the zephyr build system.
+
+config TFM_USE_NS_APP
+	bool "Use the TF-M Non-Secure application"
+	depends on TFM_BUILD_NS
+	help
+	  The TF-M build system can produce multiple executable files.
+	  The main one is the TF-M secure firmware. Optionally the TF-M
+	  non-secure application can be built.
+	  Usually the TF-M non-secure application is not used since the
+	  zephyr application is the non-secure application.
+	  With this option enabled this is reversed and the TF-M non-secure
+	  application is used instead of the Zephyr non-secure application.
+
+	  This option is intended for testing purposes only, since this is the
+	  easiest way to integrate and run the TF-M regression tests in the
+	  zephyr build system.
 if TFM_BL2

 config TFM_MCUBOOT_IMAGE_NUMBER
@ -265,12 +290,15 @@ config TFM_REGRESSION_S
 	help
 	  When enabled, this option signifies that the TF-M build includes
 	  the Secure domain regression tests.
+	  The regression tests will be included in the TF-M secure firmware.

 config TFM_REGRESSION_NS
-	bool "Use the TF-M Non-Secure Regression test application"
+	bool "TF-M Non-Secure Regression tests"
 	help
-	  When this is enabled, the Zephyr application as a whole will be
-	  replaced with the TF-M Non-Secure Regression test application.
+	  When enabled, this option signifies that the TF-M build includes
+	  the Non-Secure domain regression tests.
+	  The regression tests will be included in the TF-M non-secure
+	  application.

 choice TFM_PSA_TEST
 	prompt "Enable a PSA test suite"
--- a/samples/tfm_integration/tfm_psa_test/prj.conf
+++ b/samples/tfm_integration/tfm_psa_test/prj.conf
@ -5,6 +5,7 @@
 #

 CONFIG_BUILD_WITH_TFM=y
+CONFIG_TFM_BUILD_NS=y
 CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
 CONFIG_QEMU_ICOUNT_SHIFT=1

--- a/samples/tfm_integration/tfm_regression_test/prj.conf
+++ b/samples/tfm_integration/tfm_regression_test/prj.conf
@ -6,6 +6,8 @@

 CONFIG_BUILD_WITH_TFM=y
 CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
+CONFIG_TFM_BUILD_NS=y
+CONFIG_TFM_USE_NS_APP=y
 CONFIG_TFM_REGRESSION_S=y
 CONFIG_TFM_REGRESSION_NS=y

--- a/west.yml
+++ b/west.yml
@ -225,7 +225,7 @@ manifest:
      groups:
        - debug
    - name: trusted-firmware-m
-      revision: 7c53a6e76130a85303f83b15d868a92fdcd5f5be
+      revision: f13209f1883232cbcb9f0c31fb4c63e7c242df0d
      path: modules/tee/tf-m/trusted-firmware-m
      groups:
        - tee