Add TF-M support for nrf9161 DK and enable it by default for the
non-secure board variant.
Disable UART1 since TF-M use this for output and it is configured
as a secure peripheral.
Enabling this will trigger a BusFault in TF-M.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Print the memory usage of TF-M built executables during build.
This is defaulting to OFF because we have CONFIG_TFM_BUILD_LOG_QUIET
set to ON.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
The init infrastructure, found in `init.h`, is currently used by:
- `SYS_INIT`: to call functions before `main`
- `DEVICE_*`: to initialize devices
They are all sorted according to an initialization level + a priority.
`SYS_INIT` calls are really orthogonal to devices, however, the required
function signature requires a `const struct device *dev` as a first
argument. The only reason for that is because the same init machinery is
used by devices, so we have something like:
```c
struct init_entry {
int (*init)(const struct device *dev);
/* only set by DEVICE_*, otherwise NULL */
const struct device *dev;
}
```
As a result, we end up with such weird/ugly pattern:
```c
static int my_init(const struct device *dev)
{
/* always NULL! add ARG_UNUSED to avoid compiler warning */
ARG_UNUSED(dev);
...
}
```
This is really a result of poor internals isolation. This patch proposes
a to make init entries more flexible so that they can accept sytem
initialization calls like this:
```c
static int my_init(void)
{
...
}
```
This is achieved using a union:
```c
union init_function {
/* for SYS_INIT, used when init_entry.dev == NULL */
int (*sys)(void);
/* for DEVICE*, used when init_entry.dev != NULL */
int (*dev)(const struct device *dev);
};
struct init_entry {
/* stores init function (either for SYS_INIT or DEVICE*)
union init_function init_fn;
/* stores device pointer for DEVICE*, NULL for SYS_INIT. Allows
* to know which union entry to call.
*/
const struct device *dev;
}
```
This solution **does not increase ROM usage**, and allows to offer clean
public APIs for both SYS_INIT and DEVICE*. Note that however, init
machinery keeps a coupling with devices.
**NOTE**: This is a breaking change! All `SYS_INIT` functions will need
to be converted to the new signature. See the script offered in the
following commit.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
init: convert SYS_INIT functions to the new signature
Conversion scripted using scripts/utils/migrate_sys_init.py.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
manifest: update projects for SYS_INIT changes
Update modules with updated SYS_INIT calls:
- hal_ti
- lvgl
- sof
- TraceRecorderSource
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
tests: devicetree: devices: adjust test
Adjust test according to the recently introduced SYS_INIT
infrastructure.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
tests: kernel: threads: adjust SYS_INIT call
Adjust to the new signature: int (*init_fn)(void);
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Move tfm_merged.hex from <build>/tfm_merged.hex to
<build>/zephyr/tfm_merged.hex.
Use relative path to the runners.yaml hex file.
This makes it possible to move the build folder.
Example would be to copy out the runners.yaml and tfm_merged.hex file
and still be able to call west flash --skip-rebuild.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fixes an issue where thread preemption was not being disabled
correctly, failing to taking into account MetaIRQ, which can be
used to preempt any cooperative thread.
The updated code sets the current thread to `K_HIGHEST_THREAD_PRIO`
before calling the secure function, and restores the thread priority
level once secure execution has terminated, allowing the thread
to be preempted once again.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
QCBOR cannot be shipped with Zephyr.
Allow the application to supply their own copy of QCBOR or let the TF-M
build system automatically download this dependency.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Prevents Zephyr from enabling the initial attestation service in TF-M,
due to a dependency it has on an incompatibly-licensed library (QCBOR).
This update checks if either of the following config flags are
enabled at build time:
- `CONFIG_TFM_PARTITION_INITIAL_ATTESTATION`
- `CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION`
If either of these are set to true, a fatal error will be thrown at
build time, indicating the reason for the failure.
This change can be reverted once a longer term solution to the QCBOR
license issues has been resolved.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
The TF-M platform partition has now been ported to PSA firmware
framework 1.1 and can now be used together with the SFN model.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Remove setting of the TFM_LIB_MODEL option for IPC and SFN models.
This option is removed together with the library model.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix setting of TF-M floating point options when floating point is
enabled in the application.
FP design in Armv8.0-M architecture requires consistent FP ABI types
between SPE and NSPE.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Add TF-M connection based NCS API source file to build.
This file is needed when a secure service is using connection
based method.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
Update TF-M from 1.6.0 to 1.7.0
Update MBedTLS from 3.1.0 to 3.2.1.
Updates the cmake wrapper for changes introduced in TF-M 1.7.0.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
In TF-M 1.7.0 release the Library model has been removed.
Remove the library model support from zephyr before updating TF-M
version.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
Remove the dependency on the test repositories having a zephyr module
file in their repositories.
With this change we can take the upstream test repositories direct
commit SHA or tag.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Add option to enable the SFN model when building TF-M.
The SFN model will eventually replace the Library model.
Change the default model to be IPC, which follows the default
configuration of TF-M.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
As of today <zephyr/zephyr.h> is 100% equivalent to <zephyr/kernel.h>.
This patch proposes to then include <zephyr/kernel.h> instead of
<zephyr/zephyr.h> since it is more clear that you are including the
Kernel APIs and (probably) nothing else. <zephyr/zephyr.h> sounds like a
catch-all header that may be confusing. Most applications need to
include a bunch of other things to compile, e.g. driver headers or
subsystem headers like BT, logging, etc.
The idea of a catch-all header in Zephyr is probably not feasible
anyway. Reason is that Zephyr is not a library, like it could be for
example `libpython`. Zephyr provides many utilities nowadays: a kernel,
drivers, subsystems, etc and things will likely grow. A catch-all header
would be massive, difficult to keep up-to-date. It is also likely that
an application will only build a small subset. Note that subsystem-level
headers may use a catch-all approach to make things easier, though.
NOTE: This patch is **NOT** removing the header, just removing its usage
in-tree. I'd advocate for its deprecation (add a #warning on it), but I
understand many people will have concerns.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Exclude the non-secure TF-M application from being built by TF-M.
This also stops the building of the tfm_ns_api library that we were
linking against.
This library is defined by the tf-m regression tests.
Add the installed interface source files exported by the TF-M build
system compile them in the zephyr build system.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Move scripts needed by the build system and not designed to be run
individually or standalone into the build subfolder.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Zephyr adds a custom handler that overrides the weak function
sys_arch_reset when TF-M platform partition is enabled.
This takes away the option for the application to override the weak
definition for their platform or use-case.
Add an option that control whether this default reset handling is added
to the build.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Allow the application to enable the FPU when TF-M has been enabled.
Pass the correct compilation flags according to the TF-M integration
guide.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Previously val_nspe.a, pal_nspe.a, test_combine.a created under tfm binary
directory (${TFM_BINARY_DIR}/app/psa_api_tests/) now from TFM 1.6 it is
generated to the respective tfm binary directory with parent directory
(${TFM_BINARY_DIR}/tf-m-tests/app/psa_api_tests), update the CMake
accordingly.
Signed-off-by: Rajkumar Kanagaraj <rajkumar.kanagaraj@linaro.org>
Refactor help text for TFM_FLASH_MERGED_BINARY to use the standard
indentation of tab plus 2 spaces.
Reword BUILD_WITH_TFM default comment, TF-M is enabled by default, not
forced enabled.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
In order to bring consistency in-tree, migrate all modules code to the
new prefix <zephyr/...>. Note that the conversion has been scripted,
refer to zephyrproject-rtos#45388 for more details.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Previously, MCUBOOT_DATA_SHARING was enabled when BL2 was built
and when the firmware update partition was present. This is not
the only situation that you might be interested in this data
sharing. The data sharing now has it's own Kconfig.
Further, use of the firmware update partition requires data
sharing, so it selects it.
Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
Previously, you were required to set the image versions through the
CMake variables TFM_IMAGE_VERSION_{S,NS}. For better integration with
the rest of the zephyr build system, these are now KConfig variables
with the same name.
Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
This commit adds a sample application demonstrating how to use
the PSA Firmware Update API from TF-M. It also enables the
`FIRMWARE_UPDATE` partition to be included at build time.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
Add configuration for BL2 not supported. In some configurations
BL2 will not be supported. Provide a way to deselect BL2 support.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix crash in TF-M when non-secure IRQ is interrupting the secure
processing and using the FPU.
The FPU context must be saved when
ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS is disabled since an IRQ handler
can still access the FPU registers.
Fixes: #43587
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix TF-M nonsecure interface dispatch handling when calling secure
service before the kernel is fully active.
This fixes crash in nordicsemi_nrf53_init, which is called with
PRE_KERNEL_1, when calling soc_secure_gpio_pin_mcu_select.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Add support for TF-M and BL2 image size reports.
This adds the following targets when TF-M or BL2 is enabled:
tfm_rom_report, tfm_ram_report, tfm_footprint
bl2_rom_report, bl2_ram_report, bl2_footprint
Example:
west build -t tfm_rom_report
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
According to Kconfig guidelines, boolean prompts must not start with
"Enable...". The following command has been used to automate the changes
in this patch:
sed -i "s/bool \"[Ee]nables\? \(\w\)/bool \"\U\1/g" **/Kconfig*
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Add config to disable all TF-M output. This configuration is needed
in order to exclude the UART driver through a select in Kconfig
when either the code size optimization or the UART instance requires it.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Use the set of headers that the TF-M build system places in the
install output. Not all public header files are available in the
interface/include directory and the TF-M build system uses the install
mechanism of cmake to include additional headers based on platform
or configuration.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Provide a _ns target for b_u585i_iot02a board.
Flash partition is given as default for most applications,
with the following sizes:
MCUBoot: 208K
Secure: 256K
Non secure: 512K
Tested using tfm_ipc sample.
Signed-off-by: Erwan Gouriou <erwan.gouriou@linaro.org>
For functions returning nothing, there is no need to document
with @return, as Doxgen complains about "documented empty
return type of ...".
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
In TF-M 1.5 some defaults changed. Some of our CMake code was
unfortunately making assumptions about the defaults.
This is now rectified. The TF-M CMake variables that had their
defaults changed are now always set dependent on the Kconfig values
and we no longer leave the CMake variables unset and with default
values.
A cleanup will be done later to not rely on default values for all
variables. This patch only fixes the defaults that have changed.
Also, TFM_PSA_API is removed as it is now an internal variable.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Add two Kconfig variables for controlling the size and
the number of assets to be stored in Internal Trusted
Storage (ITS).
Signed-off-by: Damian Krolik <damian.krolik@nordicsemi.no>
Fix copy-paste mistake in SPM log level silence configuration, PARTITION
should be SPM in order to correctly silence SPM log.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
The TFM build directory path is hardcoded in many places.
In order to support out-of-tree secure partitions the output path
has to be known in potentially out-of-tree build scripts.
This could potentially break out-of-tree build scripts if the
location of the build directory was changed.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix issue with TFM signing of images not using the correct imgtool.
The wrapper command expects the mcuboot scripts folder to be the
current working directory when called in order to find its own
version of imgtool.
Since the command is using a different current working directory
this is not found and the system imgtool is used instead.
This causes the commands to be run with 2 different version of imgtool
if the system imgtool is found and does not have any issues.
The system imgtool could not be installed or have compatibility issues
as 1.7.2 version of imgtool is currently required by the wrapper script
Fixes: #40254
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix cmake warnings for TF-M build system when PSA tests are not enabled.
This produces the following warnings:
"
CMake Warning:
Manually-specified variables were not used by the project:
PSA_TOOLCHAIN_FILE
TOOLCHAIN
"
These warnings can point to cache or config variables being updated in
the TF-M build system so keep this free of warnings.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Update crypto modules prompt strings to follow the Kconfig guidelines.
"For a Kconfig symbol that enables a driver/subsystem FOO, consider
having just “Foo” as the prompt, instead of “Enable Foo support” or the
like."
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
The ASSYMETRIC crypto module has been split in two, for sign and
encrypt. Update Kconfig entries to match.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Remove CRYPTO_GENERATOR_MODULE Kconfig which has been removed.
Its features are covered by TFM_CRYPTO_KEY_MODULE and
CRYPTO_KEY_DERIVATION_MODULE.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Split the zephyr project maintained repository trusted-firmware-m into
forks of the individual upstream repositories.
https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git
Upstream: TF-Mv1.4.1
Additions:
zephyr: module: Add zephyr module file
trusted-firmware-m: platform: lpcxpresso55s69: Update SDK
https://git.trustedfirmware.org/TF-M/tf-m-tests.git
Upstream: 51ff2bdfae043f6dd0813b000d928c4bda172660
Additions:
zephyr: module: Add module file for tf-m-tests
https://github.com/ARM-software/psa-arch-tests.git
Upstream: 60faad2ead1b967ec8e73accd793d3ed0e5c56bd
Additions:
zephyr: module: Add module file for psa-arch-tests
psa-arch-tests: Allow overriding of toolchain file
The organization of folders remain the same with the following
exceptions:
Moved:
root folder moved from modules/tee/tfm to modules/tee/tf-m to avoid
problems with west update.
zephyr/module.yml to trusted-firmware-m/zephyr/module.yml and
${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR} points to what was previously
${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m.
Added:
psa-arch-tests/zephyr/module.yml and ${ZEPHYR_PSA_ARCH_TESTS_MODULE_DIR}
tf-m-tests/zephyr/module/ and ${ZEPHYR_TF_M_TESTS_MODULE_DIR}
Removed:
init-git.sh
README.rst
Fixes: #39353
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Use the zephyr module dir variable for the trusted-firmware-m root
folder. Update documentation to TF-M documentation in
tfm-secure-boot.rst.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix configuration options for TF-M log levels configured to an empty
string when not defined. This can happen when none of the options
have been selected due to dependencies not being met.
For example when TFM_MINIMAL=y then TFM_PARTITION_LOG_LEVEL will not be
defined.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
