soc: nrf53: Add handling of secure-only code in init with TFM enabled

Add handling of secure-only code with TF-M enabled that can only be done
from secure processing environment.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>

soc/arm/nordic_nrf/nrf53/CMakeLists.txt

@@ -11,3 +11,9 @@ zephyr_library_sources_ifdef(CONFIG_PM
 zephyr_library_sources_ifdef(CONFIG_NRF53_SYNC_RTC
   sync_rtc.c
   )
+
+if (CONFIG_BUILD_WITH_TFM)
+  zephyr_library_include_directories(
+    $<TARGET_PROPERTY:tfm,TFM_BINARY_DIR>/install/interface/include
+  )
+endif()

soc/arm/nordic_nrf/nrf53/Kconfig.soc

@@ -144,7 +144,7 @@ config SOC_DCDC_NRF53X_HV
 	help
 	  Enable nRF53 series System on Chip High Voltage DC/DC converter.
 
-if !TRUSTED_EXECUTION_NONSECURE
+if !TRUSTED_EXECUTION_NONSECURE || BUILD_WITH_TFM
 
 config SOC_ENABLE_LFXO
 	bool "Enable LFXO"
@@ -206,14 +206,14 @@ config SOC_HFXO_CAP_INT_VALUE_X2
 	  capacitance value for the two capacitors. Set it to 14 to get 7.0 pF
 	  for each capacitor, 15 to get 7.5 pF, and so on.
 
-endif # !TRUSTED_EXECUTION_NONSECURE
+endif # !TRUSTED_EXECUTION_NONSECURE || BUILD_WITH_TFM
 
 endif # SOC_NRF5340_CPUAPP
 
 
 config NRF_ENABLE_CACHE
 	bool "Enable cache"
-	depends on (SOC_NRF5340_CPUAPP && !TRUSTED_EXECUTION_NONSECURE) \
+	depends on (SOC_NRF5340_CPUAPP && (!TRUSTED_EXECUTION_NONSECURE || BUILD_WITH_TFM)) \
 			|| SOC_NRF5340_CPUNET
 	default y
 	help
@@ -223,6 +223,10 @@ config NRF_ENABLE_CACHE
 	  Instruction cache only (I-Cache) is available in nRF5340
 	  CPUNET (Network MCU).
 
+config BUILD_WITH_TFM
+	# TF-M nRF53 platform enables the cache unconditionally.
+	select NRF_ENABLE_CACHE if SOC_NRF5340_CPUAPP
+
 config NRF53_SYNC_RTC
 	bool "Enable RTC clock synchronization"
 	default y if LOG && !LOG_MODE_MINIMAL

soc/arm/nordic_nrf/nrf53/soc.c

@@ -26,6 +26,7 @@
 #elif defined(CONFIG_SOC_NRF5340_CPUNET)
 #include <hal/nrf_nvmc.h>
 #endif
+#include <soc_secure.h>
 
 #define PIN_XL1 0
 #define PIN_XL2 1
@@ -57,14 +58,18 @@ static int nordicsemi_nrf53_init(const struct device *arg)
 	key = irq_lock();
 
 #if defined(CONFIG_SOC_NRF5340_CPUAPP) && defined(CONFIG_NRF_ENABLE_CACHE)
-	/* Enable the instruction & data cache */
+#if !defined(CONFIG_BUILD_WITH_TFM)
+	/* Enable the instruction & data cache.
+	 * This can only be done from secure code.
+	 * This is handled by the TF-M platform so we skip it when TF-M is
+	 * enabled.
+	 */
 	nrf_cache_enable(NRF_CACHE);
+#endif
 #elif defined(CONFIG_SOC_NRF5340_CPUNET) && defined(CONFIG_NRF_ENABLE_CACHE)
 	nrf_nvmc_icache_config_set(NRF_NVMC, NRF_NVMC_ICACHE_ENABLE);
 #endif
 
-#if defined(CONFIG_SOC_NRF5340_CPUAPP) && \
-	!defined(CONFIG_TRUSTED_EXECUTION_NONSECURE)
 #if defined(CONFIG_SOC_ENABLE_LFXO)
 	nrf_oscillators_lfxo_cap_set(NRF_OSCILLATORS,
 		IS_ENABLED(CONFIG_SOC_LFXO_CAP_INT_6PF) ?
@@ -74,13 +79,18 @@ static int nordicsemi_nrf53_init(const struct device *arg)
 		IS_ENABLED(CONFIG_SOC_LFXO_CAP_INT_9PF) ?
 			NRF_OSCILLATORS_LFXO_CAP_9PF :
 			NRF_OSCILLATORS_LFXO_CAP_EXTERNAL);
-	/* This can only be done from secure code. */
+#if !defined(CONFIG_BUILD_WITH_TFM)
+	/* This can only be done from secure code.
+	 * This is handled by the TF-M platform so we skip it when TF-M is
+	 * enabled.
+	 */
 	nrf_gpio_pin_mcu_select(PIN_XL1, NRF_GPIO_PIN_MCUSEL_PERIPHERAL);
 	nrf_gpio_pin_mcu_select(PIN_XL2, NRF_GPIO_PIN_MCUSEL_PERIPHERAL);
-#endif
+#endif /* !defined(CONFIG_BUILD_WITH_TFM) */
+#endif /* defined(CONFIG_SOC_ENABLE_LFXO) */
 #if defined(CONFIG_SOC_HFXO_CAP_INTERNAL)
 	/* This register is only accessible from secure code. */
-	uint32_t xosc32mtrim = NRF_FICR->XOSC32MTRIM;
+	uint32_t xosc32mtrim = soc_secure_read_xosc32mtrim();
 	/* As specified in the nRF5340 PS:
 	 * CAPVALUE = (((FICR->XOSC32MTRIM.SLOPE+56)*(CAPACITANCE*2-14))
 	 *            +((FICR->XOSC32MTRIM.OFFSET-8)<<4)+32)>>6;
@@ -99,7 +109,6 @@ static int nordicsemi_nrf53_init(const struct device *arg)
 #elif defined(CONFIG_SOC_HFXO_CAP_EXTERNAL)
 	nrf_oscillators_hfxo_cap_set(NRF_OSCILLATORS, false, 0);
 #endif
-#endif /* defined(CONFIG_SOC_NRF5340_CPUAPP) && ... */
 
 #if defined(CONFIG_SOC_DCDC_NRF53X_APP)
 	nrf_regulators_dcdcen_set(NRF_REGULATORS, true);

soc/arm/nordic_nrf/nrf53/soc_secure.h

@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2019 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#include <stdint.h>
+#include <hal/nrf_gpio.h>
+
+#if defined(CONFIG_SOC_NRF5340_CPUAPP)
+#if defined(CONFIG_BUILD_WITH_TFM)
+/* Use TF-M platform services */
+#include "tfm_ioctl_api.h"
+#include "hal/nrf_gpio.h"
+
+static inline void soc_secure_gpio_pin_mcu_select(uint32_t pin_number, nrf_gpio_pin_mcusel_t mcu)
+{
+	uint32_t result;
+	enum tfm_platform_err_t err;
+
+	err = tfm_platform_gpio_pin_mcu_select(pin_number, mcu, &result);
+	__ASSERT(err == TFM_PLATFORM_ERR_SUCCESS, "TFM platform error (%d)", err);
+	__ASSERT(result == 0, "GPIO service error (%d)", result);
+}
+
+#if defined(CONFIG_SOC_HFXO_CAP_INTERNAL)
+static inline uint32_t soc_secure_read_xosc32mtrim(void)
+{
+	uintptr_t ptr = (uintptr_t)&NRF_FICR_S->XOSC32MTRIM;
+	enum tfm_platform_err_t err;
+	uint32_t result;
+	uint32_t xosc32mtrim;
+
+	err = tfm_platform_mem_read(&xosc32mtrim, ptr, 4, &result);
+	__ASSERT(err == TFM_PLATFORM_ERR_SUCCESS, "TFM platform error (%d)", err);
+	__ASSERT(result == 0, "Read service error (%d)", result);
+
+	return xosc32mtrim;
+}
+#endif /* defined(CONFIG_SOC_HFXO_CAP_INTERNAL) */
+#else
+#include <nrf.h>
+/* Do this directly from secure processing environment. */
+static inline void soc_secure_gpio_pin_mcu_select(uint32_t pin_number, nrf_gpio_pin_mcusel_t mcu)
+{
+	nrf_gpio_pin_mcu_select(pin_number, mcu);
+}
+
+static inline uint32_t soc_secure_read_xosc32mtrim(void)
+{
+	return NRF_FICR_S->XOSC32MTRIM;
+}
+#endif /* defined CONFIG_BUILD_WITH_TFM */
+#endif /* defined(CONFIG_SOC_NRF5340_CPUAPP) */

west.yml

@@ -218,7 +218,7 @@ manifest:
       groups:
         - debug
     - name: trusted-firmware-m
-      revision: c8134809a9439571c54d36ef39210270dbee8f67
+      revision: 5d32c3e64b3d589548e881eeeeb37d84944c90af
       path: modules/tee/tf-m/trusted-firmware-m
       groups:
         - tee