We do not need the if BUILD_WITH_TFM guard in the main
Kconfig file, as the guards are present insude the respective
Kconfig files that are sourced by the main Kconfig.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The TF-M project is higly configurable and we end up having
a growing number of Kconfig option definitions in the main
Kconfig file. This commit splits out the configuration options
for the TF-M partition and for the crypto partition configuration
into separate Kconfig files, for ease of reading. The commit
does not introduce behavioral changes.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
These are needed to disable not needed crypto modules in
the trusted-firmware-m module.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
When ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS is enabled, if FPU is
being used (CONTROL.FPCA == 1), store all FP registers before
entering the secure function, and restore them afterwards.
This is needed if any NS thread or ISR that interrupts the secure
function uses FP registers. If they do, a secure UsageFault occurs
unless this change is applied.
This allows k_sched_lock() and k_sched_unlock() to be dropped when
ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS is enabled.
Enable ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS by default when
building TF-M.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Add new kconfigs
Include the ns-app built by TF-M build system for regression tests
Update tfm_ipc sample to use new kconfig
Signed-off-by: Andreas Vibeto <andreas.vibeto@nordicsemi.no>
Do not allow the TFM_ISOLATION_LEVEL to be non-hidden option,
if the TFM_IPC (PSA_API) option is not set, since, in that case,
only Isolation Level 1 is supported.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
We add a Kconfig choice for the TF-M profile, in
TF-M's Kconfig file. The reason for that is to be
able to easily enable additional configurations,
depending on the profile type being selected. We
also enhance the documentation of TFM_PROFILE,
stressing that there is now also profile_large
available as an option. TFM_PROFILE is now made
hidden, forcing the users to select one of the
available choice symbols. IF the TFM_PROFILE is
set to something other than "none", then certain
options shall be made hidden, namely, IPC and
isolation level, as they are determined by the
profile setting.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Add a dependency on IPC for the Audit Log secure service,
since the service is not compliant with the IPC model.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
When compiling TF-M with profile_medium, disable the support
for Audit Log due to an upstream bug.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit enables the TF-M IPC sample application on stm32l562e_dk
board.
It provides device tree flash partition as an overlay in order to
configure and flash the bl2, secure/non secure firmwares.
Signed-off-by: Yestin Sun <sunyi0804@gmail.com>
Introduce an option to instruct the build system
to flash the Non-Secure (Zephyr) firmware image
together with the TF-M (Secure) firmware image
as a single merged binary, instead of just flashing
the Non-Secure application.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Place the new signing code in the TFM module CMakeLists.txt.
Make some small tweaks and add a sentence to the docs.
In the process, make a few changes to the signing code:
- Change some names of files created.
- Minimize the number of files created.
- Use hex files instead of bin files. This is so we don't need to know
the offset when creating hex files from bin files.
Also add signing for MCUBOOT_IMAGE_NUMBER=1 based on the code from the
v2m_musca_b1 board, though, this board does not build with =1 now
because of (I assume) some flash aliasing which places the S and NS
images 0x10000000 apart, where the manual algorithm places them next to
each other. It builds with =2, though.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
The choice allowed for using TFM's own default. We now need full
knowledge over whether BL2 is enabled or not (e.g. to do signing),
so remove this option and simplify to a bool.
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
This commit moves TFM CMakeLists.txt into Zephyr and relocates the
Kconfig.tfm file under the modules/tfm folder.
Updates the manifest to point to related TFM changes.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
