modules: trusted-firmware-m: Define BL1 flags

Define BL1 and sign key for BL2 configs and pass them to the TF-M
This will allow to trigger BL1 over zephyr and specify BL2 sign key

Signed-off-by: Sadik Ozer <sadik.ozer@analog.com>

modules/trusted-firmware-m/CMakeLists.txt

@@ -18,6 +18,14 @@ set(TFM_VALID_PARTITIONS
 if (CONFIG_BUILD_WITH_TFM)
   # PSA API awareness for the Non-Secure application
   target_compile_definitions(app PRIVATE "TFM_PSA_API")
+
+  if(CONFIG_TFM_BL1)
+    list(APPEND TFM_CMAKE_ARGS -DBL1:BOOL=ON)
+    if(CONFIG_TFM_BL2_SIGNING_KEY_PATH)
+      list(APPEND TFM_CMAKE_ARGS -DTFM_BL2_SIGNING_KEY_PATH=${CONFIG_TFM_BL2_SIGNING_KEY_PATH})
+    endif()
+  endif()
+
   if (CONFIG_TFM_SFN)
     list(APPEND TFM_CMAKE_ARGS -DCONFIG_TFM_SPM_BACKEND="SFN")
   else() # CONFIG_TFM_IPC

modules/trusted-firmware-m/Kconfig.tfm

@@ -206,6 +206,12 @@ config TFM_IMAGE_VERSION_NS
 	help
 	  Version of the non-secure image.
 
+config TFM_BL1
+	bool "Add BL1 to TFM"
+	help
+	  TFM is designed to run with BL1 in a certain configuration.
+	  This config adds BL1 to the build - built via TFM's build system.
+
 config TFM_BL2
 	bool "Add MCUboot to TFM"
 	depends on !TFM_BL2_NOT_SUPPORTED
@@ -240,6 +246,18 @@ config TFM_CONNECTION_BASED_SERVICE_API
 	  system. When this option is not enabled in the TF-M build system this
 	  will result in compilation error.
 
+
+if TFM_BL1
+
+config TFM_BL2_SIGNING_KEY_PATH
+	string "Path to private key used to sign BL2 firmware images."
+	help
+	  Path to binary BL2 signing private key
+	  Default is ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl1/bl1_2/bl1_dummy_rotpk
+	  if it has not been changed on TF-M side for your board
+
+endif # TFM_BL1
+
 if TFM_BL2
 
 config TFM_IMAGE_SECURITY_COUNTER