Remove setting of the TFM_LIB_MODEL option for IPC and SFN models.
This option is removed together with the library model.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix setting of TF-M floating point options when floating point is
enabled in the application.
FP design in Armv8.0-M architecture requires consistent FP ABI types
between SPE and NSPE.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Add TF-M connection based NCS API source file to build.
This file is needed when a secure service is using connection
based method.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
Update TF-M from 1.6.0 to 1.7.0
Update MBedTLS from 3.1.0 to 3.2.1.
Updates the cmake wrapper for changes introduced in TF-M 1.7.0.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
In TF-M 1.7.0 release the Library model has been removed.
Remove the library model support from zephyr before updating TF-M
version.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: David Brown <david.brown@linaro.org>
Remove the dependency on the test repositories having a zephyr module
file in their repositories.
With this change we can take the upstream test repositories direct
commit SHA or tag.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Add option to enable the SFN model when building TF-M.
The SFN model will eventually replace the Library model.
Change the default model to be IPC, which follows the default
configuration of TF-M.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Exclude the non-secure TF-M application from being built by TF-M.
This also stops the building of the tfm_ns_api library that we were
linking against.
This library is defined by the tf-m regression tests.
Add the installed interface source files exported by the TF-M build
system compile them in the zephyr build system.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Move scripts needed by the build system and not designed to be run
individually or standalone into the build subfolder.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Zephyr adds a custom handler that overrides the weak function
sys_arch_reset when TF-M platform partition is enabled.
This takes away the option for the application to override the weak
definition for their platform or use-case.
Add an option that control whether this default reset handling is added
to the build.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Allow the application to enable the FPU when TF-M has been enabled.
Pass the correct compilation flags according to the TF-M integration
guide.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Previously val_nspe.a, pal_nspe.a, test_combine.a created under tfm binary
directory (${TFM_BINARY_DIR}/app/psa_api_tests/) now from TFM 1.6 it is
generated to the respective tfm binary directory with parent directory
(${TFM_BINARY_DIR}/tf-m-tests/app/psa_api_tests), update the CMake
accordingly.
Signed-off-by: Rajkumar Kanagaraj <rajkumar.kanagaraj@linaro.org>
Previously, MCUBOOT_DATA_SHARING was enabled when BL2 was built
and when the firmware update partition was present. This is not
the only situation that you might be interested in this data
sharing. The data sharing now has it's own Kconfig.
Further, use of the firmware update partition requires data
sharing, so it selects it.
Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
Previously, you were required to set the image versions through the
CMake variables TFM_IMAGE_VERSION_{S,NS}. For better integration with
the rest of the zephyr build system, these are now KConfig variables
with the same name.
Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
This commit adds a sample application demonstrating how to use
the PSA Firmware Update API from TF-M. It also enables the
`FIRMWARE_UPDATE` partition to be included at build time.
Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
Signed-off-by: Jimmy Brisson <jimmy.brisson@linaro.org>
Add support for TF-M and BL2 image size reports.
This adds the following targets when TF-M or BL2 is enabled:
tfm_rom_report, tfm_ram_report, tfm_footprint
bl2_rom_report, bl2_ram_report, bl2_footprint
Example:
west build -t tfm_rom_report
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Add config to disable all TF-M output. This configuration is needed
in order to exclude the UART driver through a select in Kconfig
when either the code size optimization or the UART instance requires it.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Use the set of headers that the TF-M build system places in the
install output. Not all public header files are available in the
interface/include directory and the TF-M build system uses the install
mechanism of cmake to include additional headers based on platform
or configuration.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
In TF-M 1.5 some defaults changed. Some of our CMake code was
unfortunately making assumptions about the defaults.
This is now rectified. The TF-M CMake variables that had their
defaults changed are now always set dependent on the Kconfig values
and we no longer leave the CMake variables unset and with default
values.
A cleanup will be done later to not rely on default values for all
variables. This patch only fixes the defaults that have changed.
Also, TFM_PSA_API is removed as it is now an internal variable.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Add two Kconfig variables for controlling the size and
the number of assets to be stored in Internal Trusted
Storage (ITS).
Signed-off-by: Damian Krolik <damian.krolik@nordicsemi.no>
Fix copy-paste mistake in SPM log level silence configuration, PARTITION
should be SPM in order to correctly silence SPM log.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
The TFM build directory path is hardcoded in many places.
In order to support out-of-tree secure partitions the output path
has to be known in potentially out-of-tree build scripts.
This could potentially break out-of-tree build scripts if the
location of the build directory was changed.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix issue with TFM signing of images not using the correct imgtool.
The wrapper command expects the mcuboot scripts folder to be the
current working directory when called in order to find its own
version of imgtool.
Since the command is using a different current working directory
this is not found and the system imgtool is used instead.
This causes the commands to be run with 2 different version of imgtool
if the system imgtool is found and does not have any issues.
The system imgtool could not be installed or have compatibility issues
as 1.7.2 version of imgtool is currently required by the wrapper script
Fixes: #40254
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix cmake warnings for TF-M build system when PSA tests are not enabled.
This produces the following warnings:
"
CMake Warning:
Manually-specified variables were not used by the project:
PSA_TOOLCHAIN_FILE
TOOLCHAIN
"
These warnings can point to cache or config variables being updated in
the TF-M build system so keep this free of warnings.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
The ASSYMETRIC crypto module has been split in two, for sign and
encrypt. Update Kconfig entries to match.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Remove CRYPTO_GENERATOR_MODULE Kconfig which has been removed.
Its features are covered by TFM_CRYPTO_KEY_MODULE and
CRYPTO_KEY_DERIVATION_MODULE.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Split the zephyr project maintained repository trusted-firmware-m into
forks of the individual upstream repositories.
https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git
Upstream: TF-Mv1.4.1
Additions:
zephyr: module: Add zephyr module file
trusted-firmware-m: platform: lpcxpresso55s69: Update SDK
https://git.trustedfirmware.org/TF-M/tf-m-tests.git
Upstream: 51ff2bdfae043f6dd0813b000d928c4bda172660
Additions:
zephyr: module: Add module file for tf-m-tests
https://github.com/ARM-software/psa-arch-tests.git
Upstream: 60faad2ead1b967ec8e73accd793d3ed0e5c56bd
Additions:
zephyr: module: Add module file for psa-arch-tests
psa-arch-tests: Allow overriding of toolchain file
The organization of folders remain the same with the following
exceptions:
Moved:
root folder moved from modules/tee/tfm to modules/tee/tf-m to avoid
problems with west update.
zephyr/module.yml to trusted-firmware-m/zephyr/module.yml and
${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR} points to what was previously
${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m.
Added:
psa-arch-tests/zephyr/module.yml and ${ZEPHYR_PSA_ARCH_TESTS_MODULE_DIR}
tf-m-tests/zephyr/module/ and ${ZEPHYR_TF_M_TESTS_MODULE_DIR}
Removed:
init-git.sh
README.rst
Fixes: #39353
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Fix configuration options for TF-M log levels configured to an empty
string when not defined. This can happen when none of the options
have been selected due to dependencies not being met.
For example when TFM_MINIMAL=y then TFM_PARTITION_LOG_LEVEL will not be
defined.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Use the Mbed TLS module, expecting the upstream directory layout rather
than the nested directory we've been using before.
Signed-off-by: David Brown <david.brown@linaro.org>
Add Kconfig options for configuring TF-M log options.
- Partition log level
- SPM log level
- Exception info dump
Set log level to "info" which is the default in upstream TF-M.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Remove duplicated setting of TF-M CMakeCache.txt entry TFM_BOARD.
In addition it is also wrong since the CONFIG_ prefix is missing.
Leftover from: 583d5a6db3
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Don't build TF-M in parallel on Windows as it has been reported to
expose dependency issues with the TF-M build system.
These issues will be investigated at a later time.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Use ZEPHYR_<MODULE>_MODULE_DIR instead of relative paths. Moving the
module folder would otherwise break the build system.
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
The psa-arch-tests project changed how third-party toolchains are
integrated. This broke the Zephyr sdk.
This patch aligns with the new mechanism.
https://github.com/ARM-software/psa-arch-tests/pull/276
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The TF-M build is passed a path to the mbedtls project
directory, however, NCS has its own mbedtls variant. When
building with TF-M we use a generator expression to allow
setting the path to mbedtls from nrf_security.
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
A new configuration is available in TF-M, for disabling RNG
independent from key derivation. Introduce a corresponding
Kconfig option to control the RNG API enabling/disabling from
Zephyr.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Allow developers the option of using the DOWNLOAD option
for MCUboot in TF-M bulds with BL2. Using MCUboot from
Zephyr is still the default option.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
We remove the tfm-mcuboot module in Zephyr (which hosts the
mcuboot version that is used for TF-M builds in Zephyr). We
will force TF-M builds in Zephyr to use the MCUboot version
that any Zephyr builds are using. This will allow Zephyr to
maintain a single mcuboot module version in its default
manifest.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
For TF-M builds on LPCXPRESSO55S69 we set the path to the
NXP HAL sources that are required for building TF-M for this
platform.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The current CMakeLists.txt contains a function that is called from
the same file.
This patch removes the abstraction, allowing to remove many
lines of parameter handling.
Additionally, with this patch, the Cmake argument handling is now
done via a list, which removes many more named variables.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
The CMake variable `TFM_ISOLATION_LEVEL_ARG` was not properly set when
application configures higher isolation level. This led to isolation
level always being to set 1.
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@linaro.org>
Fixes: #36101
The move of CMake invocation to a dedicated custom target, see #34868
results in tfm_cmake to always be considered out-of-date, causing CMake
to be reinvoked in the TF-M Binary dir, which again results in the
build command to rebuild.
This commit moves the invocation to a custom command with the
CMakeCache.txt as output. The custom target tfm_cmake is updated to
depend on CMakeCache.txt.
This mean that CMake for TF-M will only be invoked inside the Zephyr
build command if that file is missing.
If the CMakeCache.txt file is updated or TF-M CMake or source code is
modified, then the build command inside the TF-M build folder will
ensure correct re-run of CMake from within the TF-M build folder.
This ensures that TF-M will still rebuild if TF-M code is modified,
while at the same time avoid unnecessary rebuilds of TF-M code.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
When running with TFM Regression option set, but without
BL2 (MCUboot) we need to use the TF-M's NS binary, and not
the Zephyr application. This was selected properly for the
case with MCUboot boot already, but not when running the
regression tests without MCUboot.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
These are needed to disable not needed crypto modules in
the trusted-firmware-m module.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Zephyr SDK is not supported on OS X, however, Zephyr toolchain can be
built on OS X using Crosstool-NG.
Currently, trusted-firmware-m CMakeLists.txt only supports `zephyr` and
`gnuarmemb` toolchains which prohibits building TF-M on OS X using
Zephyr toolchain built with Crosstool-NG.
docs:
https://docs.zephyrproject.org/latest/getting_started/toolchain_3rd_party_x_compilers.html#crosstool-ng
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@linaro.org>
Follow-up: #34868
The CMAKE_ARGS was accidentally lost during work on #34868.
This commit fixes that by re-adding `CMAKE_ARGS` as multi value arg.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Instead of exposing publicly the TF-M NS interface include
directories, we include them when we build relevant projects.
This is required, as the TF-M include directories contains
psa crypto sources that are also provided by the mbedtls
crypto module. The downside of this solution is that the
TF-M includes need to be added explicitly in each application
that uses TF-M APIs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Define the MBEDCRYPTO_PATH variable for the TF-M build,
so the latter can used a checked-out version of mbedtls,
instead of pulling an external tree during build time.
This will make Zephyr builds with TF-M must faster.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit allows a subsystem to specify additional CMake flags to be
given to the TF-M build.
The additional CMake flags can be provided through the TFM_CMAKE_OPTIONS
property on the zephyr_property_target.
Using the zephyr_property_target allows Zephyr modules to append extra
TFM_CMAKE_OPTIONS regardless of the CMake processing order.
It splits the ExternalProject_Add into a two step process with the CMake
invocation executed using add_custom_target() and the build process
using ExternalProject_Add(). The reason for this split is because CMake
generator expressions passed through ExternalProject_Add to CMake will
quoted so that `$<TARGET_PROPERTY:<tgt>,<prop>>` becomes
`"-DFOO=bar -DBAR=foo"` instead of `-DFOO=bar -DBAR=foo` which again
results in CMake failures.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
