Provide properties for selected TF-M toolchain so that the NS
application will use the same toolchain as TF-M.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
The sample now builds the psa-arch-tests itself and doesn't rely anymore
on the TF-M module CMakeFile.
Additionally it will not run the zephyr main.c anymore but therefore only
uses the tf-m non-secure application.
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
Update the TF-M regression tests sample to build the NS app
in the tf-m-tests repository as an external project.
The regression tests need to provide test configurations to both
TF-M an NS app.
Duplicate configuration done in the spe/CMakeLists.txt to configure
TF-M image for the regression tests.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
TF-M no longer builds the NS app, but exports build files to api_ns
folder and expects the user to build the rest themselves.
Remove the option to build the NS app, and update the TFM_USE_NS_APP
to look for an output hex file in the tfm_ns folder.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
Update install path of tfm_ioctl_api.h, remove include of tfm_api.h
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
The place where TF-M places its non-secure api header files has changed
Therefore changing it for for all applications that use it.
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
Instead of forcing use of NEWLIB_LIBC, select any available complete C
library implementation. Add CONFIG_REQUIRES_FLOAT_PRINTF and adjust
CONFIG_LIBC_MALLOC_ARENA_SIZE as needed.
Signed-off-by: Keith Packard <keithp@keithp.com>
32a9d13d61
introduced a new required tag for this test
which the integration platform does not "support"
causing the testplan generation to error out.
Fix it by removing the offending tag from the test.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
To avoid confusion having both a 'tfm' and a 'trusted-firmware-m' tag,
remove the old 'tfm' tag entirely. Any external test frameworks that are
using the 'tfm' tag will need to be changed to account for this.
Signed-off-by: David Brown <david.brown@linaro.org>
In addition to running the tfm tests when the trusted-firmware-m module
changes, most of the tests also use MCUboot, which comes from our module.
Add the mcuboot tag to each of these tests, except for the single test that
explicitly builds without using MCUboot.
Signed-off-by: David Brown <david.brown@linaro.org>
A recent change #61718, adds support to the twister build to check for
manifest changes, and run tests using tags based on the modules that have
changed. The tfm tests have an existing tag `tfm` to select these tests,
but the above patch uses a tag named after the module, trusted-firmware-m.
To make this work, add `trusted-firmware-m` in addition to the existing tag
`tfm` so that these tests will run whenever the tfm module is updated.
Signed-off-by: David Brown <david.brown@linaro.org>
This conflicts with what the compiler expects for the definition of 'main'
when -ffreestanding is not used.
Signed-off-by: Keith Packard <keithp@keithp.com>
Adds a refactored version of the psa_crypto sample back,
which was removed as part of the update to TF-M 1.7.0
due to unresolvable (at the time) issues with use of
MbedTLS instances on the S and NS sides.
This sample takes advantage of changes to MbedTLS and
TF-M that were introduced after the TF-M 1.7.0 and MbedTLS
3.3 release, and cherry-picked in Zephyr, allowing for
improved linking of MbedTLS in secure and non-secure
images. PSA API calls on the non-secure side can now be
correctly routed to the secure partition, while X.509
and TLS calls remain on the non-secure/Zephyr side.
Signed-off-by: Rajkumar Kanagaraj <rajkumar.kanagaraj@linaro.org>
Twister now supports using YAML lists for all fields that were written
as space-separated lists. Used twister_to_list.py script. Some artifacts
on string length are due to how ruamel dumps content.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
As both C and C++ standards require applications running under an OS to
return 'int', adapt that for Zephyr to align with those standard. This also
eliminates errors when building with clang when not using -ffreestanding,
and reduces the need for compiler flags to silence warnings for both clang
and gcc.
Most of these changes were automated using coccinelle with the following
script:
@@
@@
- void
+ int
main(...) {
...
- return;
+ return 0;
...
}
Approximately 40 files had to be edited by hand as coccinelle was unable to
fix them.
Signed-off-by: Keith Packard <keithp@keithp.com>
Move tfm_merged.hex from <build>/tfm_merged.hex to
<build>/zephyr/tfm_merged.hex.
Use relative path to the runners.yaml hex file.
This makes it possible to move the build folder.
Example would be to copy out the runners.yaml and tfm_merged.hex file
and still be able to call west flash --skip-rebuild.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Disables the initial attestation suite, which we are unable to run
at present due to a license issue with the underlying QCBOR library
which this service depends on in TF-M.
This commit can be reverted once an acceptable solution has been found
for the QCBOR license in TF-M.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Prevents Zephyr from enabling the initial attestation service in TF-M,
due to a dependency it has on an incompatibly-licensed library (QCBOR).
This update checks if either of the following config flags are
enabled at build time:
- `CONFIG_TFM_PARTITION_INITIAL_ATTESTATION`
- `CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION`
If either of these are set to true, a fatal error will be thrown at
build time, indicating the reason for the failure.
This change can be reverted once a longer term solution to the QCBOR
license issues has been resolved.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
The AN547 no longer functions with this TF-M sample, and has been
broken since TF-M 1.6.0 without CI catching the issue, since this sample
wasn't modified to cause a CI run on the affected target.
Removing this board from the sample until the board support can be
reworked.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Update TF-M secure partition sample for TF-M 1.7.0.
Removes the support for Library model in the sample.
Updates to using PSA framework 1.1.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
Update the sample to be compatible with API changes introduced in
TF-M 1.7.0, adding a new direct call to the PSA Crypto API to generate
random data, and cleaning up existing functions for compatibility
sake.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Removes the `psa_crypto` sample from the current release, due to
PSA API conflicts that can not be immediately resolved between Zephyr's
instance of MbedTLS in the NS environment, and the TF-M PSA APIs
included when building with TF-M support.
PSA API changes upstream in MbedTLS 3.2.1 (used by TF-M 1.7.0), and
MbedTLS 3.1 (used in TF-M 1.6.0) need to be be resolved in both
upstream projects before this sample can be reintroduced.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Removes the `psa_firmware` sample, which is based on an older version
(0.7) of the FWU service from TF-M 1.6.0. This sample needs to be
refactored to use FWU 1.0, included in TF-M 1.7.0 and future releases.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
Add SFN model configurations to samples.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
In TF-M 1.7.0 release the Library model has been removed.
Remove the library model support from zephyr before updating TF-M
version.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
Disables allowing the python argparse library from automatically
shortening command line arguments, this prevents issues whereby
a new command is added and code that wrongly uses the shortened
command of an existing argument which is the same as the new
command being added will silently change script behaviour.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fix all comments-indentation errors detected by yamllint:
yamllint -f parsable -c .yamllint $( find -regex '.*\.y[a]*ml' ) | \
grep '(comments-indentation)'
This checks that the comment is aligned with the content.
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>
Fix all hyphens errors detected by yamllint:
yamllint -f parsable -c .yamllint $( find -regex '.*\.y[a]*ml' ) | \
grep '(comments)'
Default config would be to require two spaces after the start of the
comment, proposing to keep it on 1, inline with the Linux binding
config, that is:
```
- comments:
- min-spaces-from-content: 1
```
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>
integration_platforms help us control what get built/executed in CI and
for each PR submitted. They do not filter out platforms, instead they
just minimize the amount of builds/testing for a particular
tests/sample.
Tests still run on all supported platforms when not in integration mode.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Add library model configuration to tfm_secure_partition model.
IPC model is now the default, so add back the library configuration
for the sample as an additional configuration to the default.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
So far running twister tests didn't fail even though the sample failed
to receive the initial attestation token data.
Therefore this adds the regex lines that the samples prints if the
IAT data were received.
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
Only enable the TF-M Audit Partition in the TF-M regression tests when
Library model is used.
This is not supported in IPC model and produces a Kconfig warning.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Set the TF-M library mode explicitly instead disabling IPC model and
relying on this selecting Libray model in the choice.
This is a follow-up on the TFM_IPC being put into a choice selection
when SFN model was added.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Update the link for the TrustedFirmware-M documentation to point to the
official user guide.
Signed-off-by: Stephanos Ioannidis <stephanos.ioannidis@nordicsemi.no>
Updated the document with the correct west build command,
and done some restructuring as well.
Signed-off-by: Rajkumar Kanagaraj <rajkumar.kanagaraj@linaro.org>
The current stm32l562_dk_ns has no flash partitions defined. This add
flash partitions following partition sizes that are compatible with
the TF-M platform defined at flash_layout.h and removes the redundant
overlays board files.
Signed-off-by: Gerson Fernando Budke <gerson.budke@ossystems.com.br>
As of today <zephyr/zephyr.h> is 100% equivalent to <zephyr/kernel.h>.
This patch proposes to then include <zephyr/kernel.h> instead of
<zephyr/zephyr.h> since it is more clear that you are including the
Kernel APIs and (probably) nothing else. <zephyr/zephyr.h> sounds like a
catch-all header that may be confusing. Most applications need to
include a bunch of other things to compile, e.g. driver headers or
subsystem headers like BT, logging, etc.
The idea of a catch-all header in Zephyr is probably not feasible
anyway. Reason is that Zephyr is not a library, like it could be for
example `libpython`. Zephyr provides many utilities nowadays: a kernel,
drivers, subsystems, etc and things will likely grow. A catch-all header
would be massive, difficult to keep up-to-date. It is also likely that
an application will only build a small subset. Note that subsystem-level
headers may use a catch-all approach to make things easier, though.
NOTE: This patch is **NOT** removing the header, just removing its usage
in-tree. I'd advocate for its deprecation (add a #warning on it), but I
understand many people will have concerns.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
