build: Blinky application with split-build

gergkv · aggarg · commit 4740e53a22ac · 2025-02-24T16:01:23.000+05:30
Blinky application with the seperately build TF-M and the new toolchain.
The cmake files exported by TF-M set up the NS interface. The default
TF-M signing is used and the resulting images are merged by FRI.

Signed-off-by: Gergely Kovacs &lt;Gergely.Kovacs2@arm.com&gt;
diff --git a/applications/blinky/CMakeLists.txt b/applications/blinky/CMakeLists.txt
@@ -4,23 +4,17 @@
 
 cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
 
+# NS target name the TF-M api_ns CMakeLists.txt uses
+set(NS_TARGET_NAME blinky)
 set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky" CACHE STRING "Path to the application folder")
 
-# Trusted Firmware-M setup
-set(TFM_CMAKE_APP_ARGS
-    -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky/configs/tfm_config/project_config.h
-)
-set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Total number of firmware images")
-set(DEFAULT_MCUBOOT_FLASH_MAP ON)
+# Toolchain file has to be included before the very first project() call
+include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake)
 
 project(blinky-example LANGUAGES C)
 
-# Set global optimization level to reduce code size while keeping the debug experience.
-if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
-    add_compile_options(-Og)
-elseif(${CMAKE_C_COMPILER_ID} STREQUAL "ARMClang")
-    add_compile_options(-O1)
-endif()
+set_compiler_and_linker_flags()
+include(${CONFIG_SPE_PATH}/config/cp_check.cmake)
 
 add_subdirectory(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR} ${CMAKE_BINARY_DIR}/iot_reference_arm_corstone3xx)
 
@@ -32,40 +26,43 @@ include(SignTfmImage)
 
 add_subdirectory(configs)
 
-add_executable(blinky main.c)
-# Trusted Firmware-M must be built before the application, because
-# the application depends on the NS interface and the BL2 signing scripts,
-# both of which are generated as parts of the Trusted Firmware-M build process.
-add_dependencies(blinky trusted_firmware-m-build)
+add_executable(blinky
+    main.c
+    ${CONFIG_SPE_PATH}/interface/src/os_wrapper/tfm_ns_interface_rtos.c
+)
+
 target_link_libraries(blinky
     freertos_kernel
     fri-bsp
-    tfm-ns-interface
+    tfm_api_ns
     toolchain-override
+    # FRI always uses TrustZone
+    tfm_api_ns_tz
 )
 
 set_linker_script(blinky)
 
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake)
 include(ConvertElfToBin)
-include(ExternalProject)
-ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR)
 
 extract_sections_from_axf(
     blinky
     SECTIONS_NAMES   "ddr.bin"
     OUTPUT_BIN_NAME  "ns_image"
 )
 
-# The non-secure application image should be padded while being signed
-# Hence, passing "TRUE" as the input parameter to the pad option of sign function.
-iot_reference_arm_corstone3xx_tf_m_sign_image(
-    blinky
-    "ns_image"
-    blinky_signed
-    0.0.1
-    "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o"
-    TRUE
+# Copy the binary flash content to the location expected by default signing
+# Signing is implemented in the exported TF-M NS CMakeLists.txt (in the
+# ${CONFIG_SPE_PATH} directory)
+add_custom_target(blinky_bin
+    SOURCES ${CMAKE_BINARY_DIR}/blinky.bin
+    DEPENDS blinky
+)
+add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/blinky.bin
+    DEPENDS blinky
+    COMMAND ${CMAKE_COMMAND}
+        -E copy ${SECTORS_BIN_DIR}/ns_image.bin
+        ${CMAKE_BINARY_DIR}/blinky.bin
 )
 
 # A user project that consumes the ARM FRI needs to explicitly provide
diff --git a/applications/blinky/configs/freertos_config/CMakeLists.txt b/applications/blinky/configs/freertos_config/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright 2023 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <open-source-office@arm.com>
 # SPDX-License-Identifier: MIT
 
@@ -14,6 +14,6 @@ target_compile_definitions(freertos_config
 
 target_link_libraries(freertos_config
     INTERFACE
-        tfm-ns-interface
+        tfm_api_ns
         app-config
 )
diff --git a/components/security/freertos_pkcs11_psa/integration/CMakeLists.txt b/components/security/freertos_pkcs11_psa/integration/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright 2023 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <open-source-office@arm.com>
 # SPDX-License-Identifier: MIT
 
@@ -10,19 +10,17 @@ add_library(freertos-pkcs11-psa
     ${freertos_pkcs11_psa_SOURCE_DIR}/iot_pkcs11_psa.c
 )
 
-ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR)
-
 target_include_directories(freertos-pkcs11-psa
     PUBLIC
         ${freertos_pkcs11_psa_SOURCE_DIR}
-        ${BINARY_DIR}/api_ns/interface/include
 )
 
 add_library(freertos-pkcs11-psa-config INTERFACE)
 
 target_link_libraries(freertos-pkcs11-psa
     PUBLIC
         freertos-pkcs11-psa-config
+        tfm_api_ns
     PRIVATE
         corepkcs11
         freertos_kernel
diff --git a/components/security/mbedtls/integration/CMakeLists.txt b/components/security/mbedtls/integration/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright 2023-2024 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <open-source-office@arm.com>
 # SPDX-License-Identifier: MIT
 
@@ -15,7 +15,7 @@ target_link_libraries(mbedtls
 if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "TF-M")
     target_link_libraries(mbedtls
         PRIVATE
-            tfm-ns-interface
+            tfm_api_ns
     )
     target_compile_definitions(mbedtls-config
         INTERFACE
diff --git a/components/security/trusted_firmware-m/integration/CMakeLists.txt b/components/security/trusted_firmware-m/integration/CMakeLists.txt
@@ -2,48 +2,24 @@
 # <open-source-office@arm.com>
 # SPDX-License-Identifier: MIT
 
-project(tfm-ns-interface)
-
 list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_LIST_DIR}/cmake)
 
-include(BuildTfm)
-
-# TF-M NS interface for the non-secure side
-
-add_library(tfm-ns-interface ${tfm_ns_interface_generated})
-add_dependencies(tfm-ns-interface trusted_firmware-m-build)
+# Use different startup and driver files than TF-M defaults
+set(PLATFORM_CUSTOM_NS_FILES TRUE)
+# The exported TF-M interfaces
+add_subdirectory(${CONFIG_SPE_PATH} ${CMAKE_BINARY_DIR}/spe)
 
-target_include_directories(tfm-ns-interface
-    PUBLIC
-        ${BINARY_DIR}/api_ns/interface/include
-        ${BINARY_DIR}/api_ns/platform/include
-)
-
-target_link_libraries(tfm-ns-interface
+target_link_libraries(tfm_api_ns
     PRIVATE
-        ${s_veneers_generated}
         tfm-ns-interface-mbedtls-config
 )
 
-target_compile_definitions(tfm-ns-interface
-    PUBLIC
-        BL2
-        # Corstone-315 is not using the default crypto keys, it is defined in the TF-M platform port
-        $<$<STREQUAL:${ARM_CORSTONE_BSP_TARGET_PLATFORM},corstone300>:PLATFORM_DEFAULT_CRYPTO_KEYS>
-        $<$<STREQUAL:${ARM_CORSTONE_BSP_TARGET_PLATFORM},corstone310>:PLATFORM_DEFAULT_CRYPTO_KEYS>
-)
-
 add_library(tfm-ns-interface-mbedtls-config INTERFACE)
 
 if(APPLICATION_PATH MATCHES ".*blinky")
-    # TODO: These compile definitions shouldn't be defined explicitly for `blinky` application as
-    # they should have been defined by `psa_crypto_config` library which should be linked
-    # to `tfm-ns-interface-mbedtls-config` library. However, since we are not using TF-M split-build feature,
-    # the exported library `psa_crypto_config` is not used by the non-secure side and these definitions are missing.
-    target_compile_definitions(tfm-ns-interface-mbedtls-config
-        INTERFACE
-            MBEDTLS_CONFIG_FILE="${trusted_firmware-m_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_client.h"
-            MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${trusted_firmware-m_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h"
+    target_link_libraries(tfm-ns-interface-mbedtls-config
+            INTERFACE
+                psa_crypto_config
     )
 else()
     target_link_libraries(tfm-ns-interface-mbedtls-config
@@ -52,9 +28,13 @@ else()
     )
     target_compile_definitions(tfm-ns-interface-mbedtls-config
         INTERFACE
-            MBEDTLS_CONFIG_FILE="${APPLICATION_PATH}/configs/mbedtls_config/aws_mbedtls_config.h"
             -DPSA_CRYPTO_IMPLEMENTATION_TFM
     )
+    # Change PUBLIC sources to PRIVATE:
+    # PUBLIC sources are added to both INTERFACE_SOURCES and SOURCES property,
+    # so removing from interface makes them PRIVATE (only use them when
+    # building tfm_api_ns, not consuming targets)
+    set_target_properties(tfm_api_ns PROPERTIES INTERFACE_SOURCES "")
     # In case of using Mbed TLS library to provide the PSA Crypto APIs
     # implementation, the PSA Crypto APIs implemented and provided by
     # TF-M shall be renamed to start with a prefix of tfm_crypto__
diff --git a/components/security/trusted_firmware-m/integration/cmake/MergeTfmImages.cmake b/components/security/trusted_firmware-m/integration/cmake/MergeTfmImages.cmake
@@ -2,10 +2,6 @@
 # <open-source-office@arm.com>
 # SPDX-License-Identifier: MIT
 
-include(ExternalProject)
-
-ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR)
-
 # To merge the bootloader image, TF-M secure image, non-secure user application image,
 # secure and non-secure provsioning bundle images into one image, their addresses are
 # needed. As the addresses are defined in their respective linker scripts, there is no
@@ -37,20 +33,17 @@ function(iot_reference_arm_corstone3xx_tf_m_merge_images target)
     find_program(srec_cat NAMES srec_cat REQUIRED)
     find_program(objcopy NAMES arm-none-eabi-objcopy objcopy REQUIRED)
     if(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone300" OR ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone310")
-        add_custom_command(
-            TARGET
-                ${target}
-            POST_BUILD
+        add_custom_target(${target}_merged
             DEPENDS
-                $<TARGET_FILE_DIR:${target}>/${target}_signed.bin
+                ${target}_signed_bin
             COMMAND
-                ${srec_cat} ${BINARY_DIR}/api_ns/bin/bl2.bin -Binary -offset ${BL2_IMAGE_LOAD_ADDRESS}
-                    ${BINARY_DIR}/api_ns/bin/tfm_s_signed.bin -Binary -offset ${S_IMAGE_LOAD_ADDRESS}
-                    $<TARGET_FILE_DIR:${target}>/${target}_signed.bin -Binary -offset ${NS_IMAGE_LOAD_ADDRESS}
+                ${srec_cat} ${CONFIG_SPE_PATH}/bin/bl2.bin -Binary -offset ${BL2_IMAGE_LOAD_ADDRESS}
+                    ${CONFIG_SPE_PATH}/bin/tfm_s_signed.bin -Binary -offset ${S_IMAGE_LOAD_ADDRESS}
+                    ${CMAKE_BINARY_DIR}/bin/${target}_signed.bin -Binary -offset ${NS_IMAGE_LOAD_ADDRESS}
                     ${ddr_binary_param}
                     ${ns_provisioning_data_param}
                     ${model_binary_param}
-                    ${BINARY_DIR}/api_ns/bin/provisioning_bundle.bin -Binary -offset ${S_PROVISIONING_BUNDLE_LOAD_ADDRESS}
+                    ${CONFIG_SPE_PATH}/bin/provisioning_bundle.bin -Binary -offset ${S_PROVISIONING_BUNDLE_LOAD_ADDRESS}
                     -o $<TARGET_FILE_DIR:${target}>/${target}_merged.hex
             COMMAND
                 ${objcopy} -I ihex -O elf32-little
@@ -61,19 +54,16 @@ function(iot_reference_arm_corstone3xx_tf_m_merge_images target)
             VERBATIM
         )
     else()
-        add_custom_command(
-            TARGET
-                ${target}
-            POST_BUILD
+        add_custom_target(${target}_merged
             DEPENDS
-                $<TARGET_FILE_DIR:${target}>/${target}_signed.bin
+                ${target}_signed_bin
             COMMAND
-                ${srec_cat} ${BINARY_DIR}/api_ns/bin/bl1_1.bin -Binary -offset ${BL1_IMAGE_LOAD_ADDRESS}
-                    ${BINARY_DIR}/api_ns/bin/cm_provisioning_bundle.bin -Binary -offset ${S_CM_PROVISIONING_BUNDLE_LOAD_ADDRESS}
-                    ${BINARY_DIR}/api_ns/bin/dm_provisioning_bundle.bin -Binary -offset ${S_DM_PROVISIONING_BUNDLE_LOAD_ADDRESS}
-                    ${BINARY_DIR}/api_ns/bin/bl2_signed.bin -Binary -offset ${BL2_IMAGE_LOAD_ADDRESS}
-                    ${BINARY_DIR}/api_ns/bin/tfm_s_signed.bin -Binary -offset ${S_IMAGE_LOAD_ADDRESS}
-                    $<TARGET_FILE_DIR:${target}>/${target}_signed.bin -Binary -offset ${NS_IMAGE_LOAD_ADDRESS}
+                ${srec_cat} ${CONFIG_SPE_PATH}/bin/bl1_1.bin -Binary -offset ${BL1_IMAGE_LOAD_ADDRESS}
+                    ${CONFIG_SPE_PATH}/bin/cm_provisioning_bundle.bin -Binary -offset ${S_CM_PROVISIONING_BUNDLE_LOAD_ADDRESS}
+                    ${CONFIG_SPE_PATH}/bin/dm_provisioning_bundle.bin -Binary -offset ${S_DM_PROVISIONING_BUNDLE_LOAD_ADDRESS}
+                    ${CONFIG_SPE_PATH}/bin/bl2_signed.bin -Binary -offset ${BL2_IMAGE_LOAD_ADDRESS}
+                    ${CONFIG_SPE_PATH}/bin/tfm_s_signed.bin -Binary -offset ${S_IMAGE_LOAD_ADDRESS}
+                    ${CMAKE_BINARY_DIR}/bin/${target}_signed.bin -Binary -offset ${NS_IMAGE_LOAD_ADDRESS}
                     ${model_binary_param}
                     ${ddr_binary_param}
                     ${ns_provisioning_data_param}
diff --git a/components/security/trusted_firmware-m/integration/cmake/SignTfmImage.cmake b/components/security/trusted_firmware-m/integration/cmake/SignTfmImage.cmake
@@ -4,9 +4,6 @@
 
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake)
 include(ConvertElfToBin)
-include(ExternalProject)
-
-ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR)
 
 # This function is documented under `Image signing` section in `trusted_firmware-m.md` document located at
 # `${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/docs/components/security/` directory.
@@ -25,10 +22,10 @@ function(iot_reference_arm_corstone3xx_tf_m_sign_image target unsigned_image_bin
             $<TARGET_FILE_DIR:${target}>/${target}.bin
         COMMAND
             # Sign the non-secure (application) image for TF-M bootloader (BL2)
-            python3 ${BINARY_DIR}/api_ns/image_signing/scripts/wrapper/wrapper.py
+            python3 ${CONFIG_SPE_PATH}/image_signing/scripts/wrapper/wrapper.py
                 -v ${signed_bin_version}
                 --layout ${signature_layout_file}
-                -k ${BINARY_DIR}/api_ns/image_signing/keys/image_ns_signing_private_key.pem
+                -k ${CONFIG_SPE_PATH}/image_signing/keys/image_ns_signing_private_key.pem
                 --public-key-format full
                 --align 1 --pad-header ${pad_option} -H 0x400 -s auto
                 --measured-boot-record
