Switch to calling the sys_arch_reboot() API directly,
instead of going through the generic sys_reboot API.
This is to avoid locking the IRQs before the reset is
called, which is breaking the PSA call execution.
Also, align sample code to use the same secure service
(platform reset) to show case the PSA connect and close
APIs, instead of a random one (since the reset service
has to work to ultimately perform the system reset).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit updates the NS board variant from
`nrf9160dk_nrf9160ns` to `nrf9160dk_nrf9160_ns`
to maintain consistency across zephyr.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
This commit updates the NS board variant from
`nrf5340dk_nrf5340_cpuappns` to `nrf5340dk_nrf5340_cpuapp_ns`
to maintain consistency across zephyr.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
This commit update the NS board variant from
`v2m_musca_s1_nonsecure` to `v2m_musca_s1_ns` to maintain
consistency across zephyr.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
This commit update the NS board variant from
`v2m_musca_b1_nonsecure` to `v2m_musca_b1_ns` to maintain
consistency across zephyr.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
This commit update the NS board variant from `mps2_an521_nonsecure`
to `mps2_an521_ns` to maintain consistency across zephyr.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
This commit update the NS board variant from `bl5340_dvk_cpuappns`
to `bl5340_dvk_cpuapp_ns` to maintain consistency across zephyr.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Include the lpcxpresso55s69_ns board to the list of platforms
that support running the sample for the TF-M regression tests.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Removing the CONFIG_TEST=y setting from the TF-M
integration samples prj.conf. TEST does not need
to be enabled in these samples.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The README.rst in `samples/tfm_integration/tfm_ipc` was incorrectly
referring to `psa_level_1`. README.rst has been updated to refer to
`tfm_ipc` example.
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@linaro.org>
The example in folder `samples/tfm_integration/psa_level_1` contains
code that demonstrate usage of PSA crypto APIs in Zephyr rather than the
PSA levels. Therefore renaming the sample as `psa_crypto`.
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@linaro.org>
This commit extends the psa_level_1 sample's use of the PSA
Cryptography 1.0 API to demonstrate the following functionality:
- Generate a persistent key (secp256r1)
- Display the public key based on the private key above
- Calculates the SHA256 hash of a payload
- Signs the hash with the persistent key
- Verifies the signature using the public key
- Destroys the key
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
The AUDIT_LOG partition cannot be used in TF-M builds
with the IPC mode (CONFIG_TFM_IPC=y); we have added a
relevant dependency for this. So we can cleanup the
CONFIG_TFM_PARTITION_AUDIT_LOG=n from the configuration
files of the samples.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Update overlay file for nucleo_l552ze_q_ns board,
since now the sample does not enable REGRESSION,
and thus regular TF-M flash layout for the board
is used.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Removes the dependency on the external test service from the
CONFIG_TFM_REGRESSION_S test suite, instead
demonstrating how to make direct IPC calls to the CRYPTO
service that is available as a part of standard TF-M builds.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Instead of exposing publicly the TF-M NS interface include
directories, we include them when we build relevant projects.
This is required, as the TF-M include directories contains
psa crypto sources that are also provided by the mbedtls
crypto module. The downside of this solution is that the
TF-M includes need to be added explicitly in each application
that uses TF-M APIs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit allows a subsystem to specify additional CMake flags to be
given to the TF-M build.
The additional CMake flags can be provided through the TFM_CMAKE_OPTIONS
property on the zephyr_property_target.
Using the zephyr_property_target allows Zephyr modules to append extra
TFM_CMAKE_OPTIONS regardless of the CMake processing order.
It splits the ExternalProject_Add into a two step process with the CMake
invocation executed using add_custom_target() and the build process
using ExternalProject_Add(). The reason for this split is because CMake
generator expressions passed through ExternalProject_Add to CMake will
quoted so that `$<TARGET_PROPERTY:<tgt>,<prop>>` becomes
`"-DFOO=bar -DBAR=foo"` instead of `-DFOO=bar -DBAR=foo` which again
results in CMake failures.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
TF-M NS interface is initialized by the TF-M module
code, so it does not need to be re-initialized in the
sample code.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Add new kconfigs
Include the ns-app built by TF-M build system for regression tests
Update tfm_ipc sample to use new kconfig
Signed-off-by: Andreas Vibeto <andreas.vibeto@nordicsemi.no>
Add nucleo_l552ze_q_ns boards to the list of platforms
that can build and run the psa_level1 tf-m integration
sample. We add a dts overlay as well.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
We do not need to force TFM Isolation Level 2 for the
STM32 board that can build with TM-M. We remove the
respective Kconfig setting. We also remove the Kconfig
overlay for STM32L562 board in the psa_level1 sample,
which was used for forcing Isolation Level 1; this is
not needed any more.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
To allow using TFM NS interface without enabling
CMSIS_RTOS V2 support. And to allow using TFM NS
code that uses logging.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Rename lib.
Disable AUDIT_LOG in regression sample because of a bug upstream.
Update stm32l562e_dk_ns overlay.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
This commit enables the TF-M IPC sample application on stm32l562e_dk
board.
It provides device tree flash partition as an overlay in order to
configure and flash the bl2, secure/non secure firmwares.
Signed-off-by: Yestin Sun <sunyi0804@gmail.com>
Now that we have consolidated tf-m signing, the combined
binary is always named tfm_merged, so we need to modify
the QEMU targets in the tfm-integration samples.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Place the new signing code in the TFM module CMakeLists.txt.
Make some small tweaks and add a sentence to the docs.
In the process, make a few changes to the signing code:
- Change some names of files created.
- Minimize the number of files created.
- Use hex files instead of bin files. This is so we don't need to know
the offset when creating hex files from bin files.
Also add signing for MCUBOOT_IMAGE_NUMBER=1 based on the code from the
v2m_musca_b1 board, though, this board does not build with =1 now
because of (I assume) some flash aliasing which places the S and NS
images 0x10000000 apart, where the manual algorithm places them next to
each other. It builds with =2, though.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Remove missing printout, and add the last line of printout.
Note that it's not possible to run this on hardware using Twister as of
now, since west flash will not flash tfm_s.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Musca-S1 is a Cortex-M33 based SoC. It's similar to the
Musca-B1, but among other things the embedded flash has
been replaced with embedded MRAM (eMRAM) memory.
The Musca-S1 files have been created based on the Musca-B1
SoC and board files.
Add the Musca-S1 board to the list of allowed platforms
for the TF-M integration examples.
Change-Id: I4f517d28d0a5b8c4a3fc3fab73adb5519acfc3c2
Signed-off-by: David Vincze <david.vincze@linaro.org>
Add a section about executable files produced by the build, as well as
how to access them.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Remove the DTS overlay files for nRF5340 DK and PDK,
since the SRAM partition changes are matching the
default SRAM partitioning in these boards.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Add Kconfig options that will be used by the module
to call the function with the desired parameters.
Refactor the tfm_integration samples and
the supported boards.
Update west.yml to bring in Cmake changes that use the new KConfigs.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Make it easier to add TF-M in an app by selecting and implying the
necessary configs so the app doesn't have to specify the configs itself.
Remove unneeded configs from the prj.conf files in the tfm samples.
Also, fix case in key file name.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Add support for nRF5340 DK in the TF-M integration
samples (nrf5340dk_nrf5340_cpuappns build target).
Add the required DTS overlays needed for the samples
to build and run successfully.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Add nucleo_l552ze_q_ns board to the allowed list of platforms
for the tfm_ipc sample. This allows the sample to be built for
the nucleo_l552ze_q_ns platform by sanity check.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Fix the name of the sample in the .yaml file so it matches
the sample directory, and does not collide with tfm_ipc.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In the samples' documentation we update the requirements
for building TF-M binaries according to the latest upstream
TF-M documentation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Add documentation on how to build and run the TF-M integration
samples on nRF platforms.
The arm-none-eabi-gcc does not need to be on the PATH anymore
for building and running the tfm_ipc sample on nucleo so remove
the note from the sample docs.
Fix some paths for TFM binaries for the LPC board as well.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adapts the DTS overlay for nucleo_l552ze_q_ns
board, to comply with the changes applied in the flash
layout of the TF-M build.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Changes required in TF-M integration samples CMakeLists.txt
files due to the new upstream TF-M build system. In brief,
configuration related to PSA API (IPC), Regression, and
Isolation level needs to be passed, now, directly, not
via invoking a given TF-M CMake configuration.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Adding support for TF-M in the Nordic nRF9160 DK.
Allow the TF-M integration samples to be built and
executed for nRF9160 DK.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
TF-M related information in the relevant board definitions
needs to be updated in the wake of the new TF-M Build
system.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Provide device tree flash partition in order to configure
and flash non secure binary.
Flash partitioning depends on TFM configuration and use case,
so it is provided as an overlay in the sample it is used.
Signed-off-by: Erwan Gouriou <erwan.gouriou@linaro.org>
Configure build variable BL2 depending on board configuration. BL2 is
set to True by default. BL2 enabled building TFM with MCUboot.
Signed-off-by: Andrei Gansari <andrei.gansari@nxp.com>
This commit adds the signing commands and the configuration required
to build a non secure image for a nucleo_l552ze_q.
Signed-off-by: Nolwenn Violette <nolwenn.violette01@st.com>
This provides a better error message when building with CMake and
forgetting ZEPHYR_BASE or not registering Zephyr in the CMake package
registry. See parent commit for more details (split from parent for
better readability).
Signed-off-by: Marc Herbert <marc.herbert@intel.com>
This commit adds a `tfm_level_1` samples app that shows how
to use the PSA APIs in IPC mode in a real-world example.
It makes use of the crypto, initial attestation and secure
storage modules.
Signed-off-by: Kevin Townsend <kevin@ktownsend.com>
This commit adds a minimal sample application showing how
TF-M can be used in IPC mode, with Zephyr providing the
non-secure processing environment image, and linking against
the PSA APIs implemented in TF-M.
This commit also include work from the commit quoted below,
which is included here for attribution purposes:
tfm_ipc: cmake: now using tfm_ipc library created by TF-M module
This commit removes the need for local knowledge of the TF-M
repository structure and files.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Karl Zhang <karl.zhang@linaro.org>
This commits adds a config option to build a PSA trusted-firmware-m
(TF-M) application image for the secure processing environment, and
configures the Zephyr application image for the non-secure processing
environment. The secure and non-secure environment images will be
linked together via the veneer function table that is produced as an
artifact of the TF-M build process.
Signed-off-by: Karl Zhang <karl.zhang@linaro.org>
