Commit graph

164 commits

Author SHA1 Message Date
Joakim Andersson
aaa38bfcb6 modules: tfm: Split CRYPTO_ASYMMETRIC module into SIGN and ENCRYPT
The ASYMMETRIC crypto module has been split in two, for sign and
encrypt. Update Kconfig entries to match.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2021-11-13 07:58:50 -05:00
Joakim Andersson
81c5fb47a8 modules: tfm: Remove CRYPTO_GENERATOR_MODULE kconfig
Remove CRYPTO_GENERATOR_MODULE Kconfig which has been removed.
Its features are covered by TFM_CRYPTO_KEY_MODULE and
CRYPTO_KEY_DERIVATION_MODULE.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2021-11-13 07:58:50 -05:00
Joakim Andersson
dda3a5ad0d modules: tfm: Split trusted-firmware-m repository
Split the zephyr project maintained repository trusted-firmware-m into
forks of the individual upstream repositories.

https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git
Upstream: TF-Mv1.4.1
Additions:
zephyr: module: Add zephyr module file
trusted-firmware-m: platform: lpcxpresso55s69: Update SDK

https://git.trustedfirmware.org/TF-M/tf-m-tests.git
Upstream: 51ff2bdfae043f6dd0813b000d928c4bda172660
Additions:
zephyr: module: Add module file for tf-m-tests

https://github.com/ARM-software/psa-arch-tests.git
Upstream: 60faad2ead1b967ec8e73accd793d3ed0e5c56bd
Additions:
zephyr: module: Add module file for psa-arch-tests
psa-arch-tests: Allow overriding of toolchain file

The organization of folders remains the same with the following
exceptions:
Moved:
root folder moved from modules/tee/tfm to modules/tee/tf-m to avoid
problems with west update.
zephyr/module.yml to trusted-firmware-m/zephyr/module.yml and
${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR} points to what was previously
${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m.
Added:
psa-arch-tests/zephyr/module.yml and ${ZEPHYR_PSA_ARCH_TESTS_MODULE_DIR}
tf-m-tests/zephyr/module/ and ${ZEPHYR_TF_M_TESTS_MODULE_DIR}
Removed:
init-git.sh
README.rst

Fixes: #39353

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2021-11-01 11:20:06 -04:00
Joakim Andersson
8c09cd374f modules: trusted-firmware-m: Use module location variable for .pem keys
Use the zephyr module dir variable for the trusted-firmware-m root
folder. Update documentation to TF-M documentation in
tfm-secure-boot.rst.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2021-11-01 11:20:06 -04:00
Joakim Andersson
4748777126 modules: tfm: Fix not defined configuration for TF-M log options
Fix configuration options for TF-M log levels configured to an empty
string when not defined. This can happen when none of the options
have been selected due to dependencies not being met.
For example when TFM_MINIMAL=y then TFM_PARTITION_LOG_LEVEL will not be
defined.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2021-10-27 10:51:34 +02:00
David Brown
1491551ca6 modules: Allow for Mbed TLS module to match upstream
Use the Mbed TLS module, expecting the upstream directory layout rather
than the nested directory we've been using before.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-10-18 09:51:06 -05:00
Joakim Andersson
70a9bc0e57 modules: tfm: Add configuration for TF-M log options
Add Kconfig options for configuring TF-M log options.
 - Partition log level
 - SPM log level
 - Exception info dump

Set log level to "info" which is the default in upstream TF-M.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2021-10-17 11:50:53 -04:00
Joakim Andersson
f26f416e74 modules: tfm: Remove duplicate tfm cmakecache config
Remove duplicated setting of TF-M CMakeCache.txt entry TFM_BOARD.
In addition it is also wrong since the CONFIG_ prefix is missing.

Leftover from: 583d5a6db3

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2021-10-17 11:50:53 -04:00
Sebastian Bøe
3a3e3c041b tfm: build: Build TF-M with 1 thread on Windows
Don't build TF-M in parallel on Windows as it has been reported to
expose dependency issues with the TF-M build system.

These issues will be investigated at a later time.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2021-10-13 10:12:57 -04:00
Joakim Andersson
0f53679859 modules: tfm: Use ZEPHYR_<MODULE>_MODULE_DIR instead of relative paths
Use ZEPHYR_<MODULE>_MODULE_DIR instead of relative paths. Moving the
module folder would otherwise break the build system.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2021-10-11 21:05:30 -04:00
Sebastian Bøe
e3b3afa7a5 tfm: Fix zephyr-sdk toolchain variant integration
The psa-arch-tests project changed how third-party toolchains are
integrated. This broke the Zephyr sdk.

This patch aligns with the new mechanism.

https://github.com/ARM-software/psa-arch-tests/pull/276

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2021-10-07 14:02:40 -05:00
Frank Audun Kvamtrø
c91efdf939 modules: tfm: Override the TF-M MBEDCRYPTO_PATH
The TF-M build is passed a path to the mbedtls project
directory, however, NCS has its own mbedtls variant. When
building with TF-M we use a generator expression to allow
setting the path to mbedtls from nrf_security.

Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Signed-off-by: Martí Bolívar <marti.bolivar@nordicsemi.no>
2021-08-30 17:08:34 -04:00
Håkon Øye Amundsen
881b877eca modules: tfm: add configuration for disabling the RNG module
A new configuration is available in TF-M, for disabling RNG
independent from key derivation. Introduce a corresponding
Kconfig option to control the RNG API enabling/disabling from
Zephyr.

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-07-28 20:09:58 +02:00
Ioannis Glaropoulos
138be0a080 modules: tf-m: allow DOWNLOAD option for mcuboot
Allow developers the option of using the DOWNLOAD option
for MCUboot in TF-M builds with BL2. Using MCUboot from
Zephyr is still the default option.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-07-28 19:38:35 +02:00
Ioannis Glaropoulos
aa3bd927df modules: tf-m: add TFM_BL2 dependency on TFM_MCUBOOT_IMAGE_NUMBER
TFM_MCUBOOT_IMAGE_NUMBER Kconfig option should have
a dependency on TFM_BL2, since it is not applicable
otherwise.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-07-28 19:38:35 +02:00
Ioannis Glaropoulos
5e6503f6a7 manifest: remove mcuboot version for TF-M in Zephyr
We remove the tfm-mcuboot module in Zephyr (which hosts the
mcuboot version that is used for TF-M builds in Zephyr). We
will force TF-M builds in Zephyr to use the MCUboot version
that any Zephyr builds are using. This will allow Zephyr to
maintain a single mcuboot module version in its default
manifest.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-07-28 19:38:35 +02:00
Ioannis Glaropoulos
d42671737e modules: tf-m: supply NXP HAL directory path for builds for LPC
For TF-M builds on LPCXPRESSO55S69 we set the path to the
NXP HAL sources that are required for building TF-M for this
platform.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-07-28 19:38:35 +02:00
Ioannis Glaropoulos
101e32f1d1 modules: tf-m: update target names for arm targets
Upstream TF-M has modified the path name for ARM platforms,
so we fix the board names in the module integration code.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-07-28 19:38:35 +02:00
Kevin Townsend
703021a78a boards: arm: nrf9160dk_nrf9160: Rename NS target
This commit updates the NS board variant from
`nrf9160dk_nrf9160ns` to `nrf9160dk_nrf9160_ns`
to maintain consistency across zephyr.

Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
2021-07-10 12:44:02 -04:00
Kevin Townsend
b8c9dc169e boards: arm: nrf5340dk_nrf5340: Rename NS target
This commit updates the NS board variant from
`nrf5340dk_nrf5340_cpuappns` to `nrf5340dk_nrf5340_cpuapp_ns`
to maintain consistency across zephyr.

Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
2021-07-10 12:44:02 -04:00
Kevin Townsend
58638563b5 boards: arm: bl5340_dvk: Rename NS target
This commit updates the NS board variant from `bl5340_dvk_cpuappns`
to `bl5340_dvk_cpuapp_ns` to maintain consistency across zephyr.

Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
2021-07-10 12:44:02 -04:00
Ioannis Glaropoulos
bbcd7ef7cd trusted-firmware-m: rename AN521 target to BOARD_MPS2_AN521_CPU0_NS
Since we now have separate Kconfig symbols for the different
MPS2 AN521 board variants, we need to update the BOARD switch
for the TF-M target on MPS2 AN521.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-06-22 08:45:41 -04:00
Øyvind Rønningstad
583d5a6db3 tfm: Refactor the TF-M Cmake code to simplify and remove the function
The current CMakeLists.txt contains a function that is called from
the same file.

This patch removes the abstraction, allowing to remove many
lines of parameter handling.

Additionally, with this patch, the Cmake argument handling is now
done via a list, which removes many more named variables.

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
2021-06-22 08:45:20 -04:00
Devaraj Ranganna
29ca4aaba2 modules: trusted-firmware-m: Set TF-M isolation level
The CMake variable `TFM_ISOLATION_LEVEL_ARG` was not properly set when
application configures higher isolation level. This led to isolation
level always being set to 1.

Signed-off-by: Devaraj Ranganna <devaraj.ranganna@linaro.org>
2021-06-16 10:02:34 +02:00
Torsten Rasmussen
7cc52f88c3 cmake: tfm: moving CMake execution of tfm_cmake to a custom command
Fixes: #36101

The move of CMake invocation to a dedicated custom target, see #34868
results in tfm_cmake to always be considered out-of-date, causing CMake
to be reinvoked in the TF-M Binary dir, which again results in the
build command to rebuild.

This commit moves the invocation to a custom command with the
CMakeCache.txt as output. The custom target tfm_cmake is updated to
depend on CMakeCache.txt.

This means that CMake for TF-M will only be invoked inside the Zephyr
build command if that file is missing.

If the CMakeCache.txt file is updated or TF-M CMake or source code is
modified, then the build command inside the TF-M build folder will
ensure correct re-run of CMake from within the TF-M build folder.

This ensures that TF-M will still rebuild if TF-M code is modified,
while at the same time avoid unnecessary rebuilds of TF-M code.

Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
2021-06-11 16:37:22 -05:00
Ioannis Glaropoulos
ce757d5970 modules: tfm: remove redundant if BUILD_WITH_TFM guard in Kconfig
We do not need the if BUILD_WITH_TFM guard in the main
Kconfig file, as the guards are present inside the respective
Kconfig files that are sourced by the main Kconfig.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-06-11 16:13:57 +02:00
Håkon Øye Amundsen
207f2ab1e6 modules: tf-m: split TF-M configuration in multiple Kconfig files
The TF-M project is highly configurable and we end up having
a growing number of Kconfig option definitions in the main
Kconfig file. This commit splits out the configuration options
for the TF-M partition and for the crypto partition configuration
into separate Kconfig files, for ease of reading. The commit
does not introduce behavioral changes.

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-06-11 16:13:57 +02:00
Øyvind Rønningstad
382bbacb0a tfm: Put saving of FPU context into its own file so it can be reused
Also, this eases readability.

The new API can be used any time all FP registers must be manually
saved and restored for an operation.

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
2021-06-07 15:23:22 +02:00
Ioannis Glaropoulos
bf87f98fa4 modules: tf-m: fix NS image selection for regression tests
When running with TFM Regression option set, but without
BL2 (MCUboot) we need to use the TF-M's NS binary, and not
the Zephyr application. This was selected properly for the
case with MCUboot boot already, but not when running the
regression tests without MCUboot.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-06-04 16:21:42 -05:00
Håkon Øye Amundsen
f8a9e0019c modules: tfm: add option for selecting crypto modules
These are needed to disable not needed crypto modules in
the trusted-firmware-m module.

Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-06-04 16:21:24 -05:00
Devaraj Ranganna
7273603707 modules: tf-m: Add Crosstool-NG toolchain support
Zephyr SDK is not supported on OS X, however, Zephyr toolchain can be
built on OS X using Crosstool-NG.

Currently, trusted-firmware-m CMakeLists.txt only supports `zephyr` and
`gnuarmemb` toolchains which prohibits building TF-M on OS X using
Zephyr toolchain built with Crosstool-NG.

docs:
https://docs.zephyrproject.org/latest/getting_started/toolchain_3rd_party_x_compilers.html#crosstool-ng

Signed-off-by: Devaraj Ranganna <devaraj.ranganna@linaro.org>
2021-06-04 16:16:05 -05:00
Øyvind Rønningstad
c2efcc308c tfm: interface: Fix bug where FPU registers were not restored correctly
The caller saved registers were restored both as caller saved and
callee saved registers, i.e. register 0-15 were restored into
both register 0-15 and 15-31.

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
2021-06-04 11:12:49 -05:00
Torsten Rasmussen
00bd442936 tfm: cmake: added CMAKE_ARGS as argument to trusted_firmware_build
Follow-up: #34868

The CMAKE_ARGS was accidentally lost during work on #34868.
This commit fixes that by re-adding `CMAKE_ARGS` as multi value arg.

Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
2021-05-18 16:20:14 +02:00
Ioannis Glaropoulos
c5b4094cfb modules: tf-m: do not expose TF-M NS interface include directories publicly
Instead of exposing publicly the TF-M NS interface include
directories, we include them when we build relevant projects.
This is required, as the TF-M include directories contains
psa crypto sources that are also provided by the mbedtls
crypto module. The downside of this solution is that the
TF-M includes need to be added explicitly in each application
that uses TF-M APIs.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-05-09 09:59:22 -05:00
Ioannis Glaropoulos
d0073fdf7e modules: trusted-firmware-m: add path for mbedcrypto
Define the MBEDCRYPTO_PATH variable for the TF-M build,
so the latter can use a checked-out version of mbedtls,
instead of pulling an external tree during build time.
This will make Zephyr builds with TF-M much faster.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-05-09 09:59:22 -05:00
Torsten Rasmussen
b671cf7279 cmake: tfm: support for custom CMake args when building TF-M
This commit allows a subsystem to specify additional CMake flags to be
given to the TF-M build.

The additional CMake flags can be provided through the TFM_CMAKE_OPTIONS
property on the zephyr_property_target.
Using the zephyr_property_target allows Zephyr modules to append extra
TFM_CMAKE_OPTIONS regardless of the CMake processing order.

It splits the ExternalProject_Add into a two step process with the CMake
invocation executed using add_custom_target() and the build process
using ExternalProject_Add(). The reason for this split is because CMake
generator expressions passed through ExternalProject_Add to CMake will
be quoted so that `$<TARGET_PROPERTY:<tgt>,<prop>>` becomes
`"-DFOO=bar -DBAR=foo"` instead of `-DFOO=bar -DBAR=foo` which again
results in CMake failures.

Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
2021-05-07 13:09:54 +02:00
Jamie McCrae
f4350a9303 boards: arm: Add Laird Connectivity BL5340 DVK platform
This adds initial support for the Laird Connectivity BL5340
development kit hardware

Signed-off-by: Jamie McCrae <jamie.mccrae@lairdconnect.com>
2021-05-07 09:06:27 +02:00
Øyvind Rønningstad
0500d75c3a tfm: Fix cmake library handling
Make tfm_api a proper Zephyr library and add all sources to it.

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
2021-05-05 15:36:32 +02:00
Øyvind Rønningstad
aed0643705 trusted-firmware-m: Store FP context before entering secure calls
When ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS is enabled, if FPU is
being used (CONTROL.FPCA == 1), store all FP registers before
entering the secure function, and restore them afterwards.

This is needed if any NS thread or ISR that interrupts the secure
function uses FP registers. If they do, a secure UsageFault occurs
unless this change is applied.

This allows k_sched_lock() and k_sched_unlock() to be dropped when
ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS is enabled.

Enable ARM_NONSECURE_PREEMPTIBLE_SECURE_CALLS by default when
building TF-M.

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
2021-05-05 13:00:31 +02:00
Andreas Vibeto
0cf2753fa3 CMakeLists.txt: Add support for TF-M Non-Secure regression tests
Add new kconfigs
Include the ns-app built by TF-M build system for regression tests
Update tfm_ipc sample to use new kconfig

Signed-off-by: Andreas Vibeto <andreas.vibeto@nordicsemi.no>
2021-04-21 23:18:30 +02:00
Øyvind Rønningstad
b220374633 CMakeLists.txt: Add support for running PSA tests
Add necessary libs and files to the build
Add support for new kconfigs
Add Zephyr-only implementations of tfm_log and tfm_ns_interface.
Add zephyr_tfm_psa_test.c for easily running PSA tests.

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
2021-04-20 16:13:40 +02:00
Øyvind Rønningstad
a0eecfd7f4 tfm: Kconfig: Add configs for PSA tests
Allow adding a PSA test suite to the NS app.

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
2021-04-20 16:13:40 +02:00
Ioannis Glaropoulos
e75ff8f7fb modules: trusted-firmware-m: fix dependencies for isolation level
Do not allow the TFM_ISOLATION_LEVEL to be non-hidden option,
if the TFM_IPC (PSA_API) option is not set, since, in that case,
only Isolation Level 1 is supported.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-04-16 13:33:32 +02:00
Ioannis Glaropoulos
b80ad4c4b3 modules: tf-m: add TF-M profile choice
We add a Kconfig choice for the TF-M profile, in
TF-M's Kconfig file. The reason for that is to be
able to easily enable additional configurations,
depending on the profile type being selected. We
also enhance the documentation of TFM_PROFILE,
stressing that there is now also profile_large
available as an option. TFM_PROFILE is now made
hidden, forcing the users to select one of the
available choice symbols. If the TFM_PROFILE is
set to something other than "none", then certain
options shall be made hidden, namely, IPC and
isolation level, as they are determined by the
profile setting.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-04-08 13:26:14 +02:00
Ioannis Glaropoulos
79c1019e85 modules: tf-m: correct dependencies for audit log service
Add a dependency on IPC for the Audit Log secure service,
since the service is not compliant with the IPC model.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-04-08 13:26:14 +02:00
Ioannis Glaropoulos
70272266f7 Revert "modules: tf-m: disable audit log partition with medium profile"
This reverts commit 6da3d7020e7d2a2ac2d1ed1a6ece9dca3c150339.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-04-08 13:26:14 +02:00
Ioannis Glaropoulos
edd4ab5bf0 modules: tf-m: disable audit log partition with medium profile
When compiling TF-M with profile_medium, disable the support
for Audit Log due to an upstream bug.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-03-26 18:35:11 +01:00
Ioannis Glaropoulos
9b9a6a3f52 modules: trusted-firmware-m: lock scheduler around secure calls
Prevent a thread from being preempted, while executing a Secure
function. This is required to prevent system crashes that could
occur if a thread context switch is triggered in the middle of a
Secure call.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-03-26 18:35:11 +01:00
Øyvind Rønningstad
6fa608b191 modules: tf-m: Add zephyr native NS interface and logging function
To allow using TFM NS interface without enabling
CMSIS_RTOS V2 support. And to allow using TFM NS
code that uses logging.

Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-03-26 18:35:11 +01:00
Ioannis Glaropoulos
e6965b37f0 modules: trusted-firmware-m: initialize the TF-M NS interface
The TF-M NS interface needs to be initialized before
it is used. We add an initialization function that
calls tfm_ns_interface_init(), at boot time, so then
we can use TF-M interface calls (veneers).

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
2021-03-26 18:35:11 +01:00