build: Keyword detection application with split-build

The application is built similarly to blinky. The update image
generation is unchanged. The mbedtls config file needs the DOMAIN_NS
check because S and NS clients are not separated. The minimal config
is added for S clients.

Signed-off-by: Gergely Kovacs <[email protected]>

Author: david-hazi-arm

applications/helpers/provisioning/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright 2023-2024 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <[email protected]>
 # SPDX-License-Identifier: MIT
 
@@ -19,9 +19,8 @@ else()
             ${CMAKE_CURRENT_LIST_DIR}/inc
     )
 
-    target_link_libraries(provisioning_data PRIVATE
-        fri-bsp
-    )
+    # Only use interface includes for fri-bsp for provisioning config, public sources are not needed
+    target_include_directories(provisioning_data PRIVATE $<TARGET_PROPERTY:fri-bsp,INTERFACE_INCLUDE_DIRECTORIES>)
 
     set(
         CODE_SIGNING_PUBLIC_KEY_PEM_PATH
@@ -45,13 +44,14 @@ else()
             ${CMAKE_CURRENT_BINARY_DIR}/aws_clientcredential_keys.h
     )
 
-    add_dependencies(aws_clientcredential_keys_header trusted_firmware-m-build)
     add_dependencies(provisioning_data aws_clientcredential_keys_header)
 
     if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
         target_link_options(provisioning_data
             PRIVATE
-                "-nostartfiles"
+            # We should define an entry point to override the default Reset_Handler
+            "--entry=provisioningBundle"
+            "-nostartfiles"
         )
         target_add_scatter_file(provisioning_data ${CMAKE_CURRENT_LIST_DIR}/provisioning_data.ld)
     else()

applications/helpers/provisioning/cmake/SetProvisioningLinkOptions.cmake

@@ -1,13 +1,12 @@
-# Copyright 2023 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <[email protected]>
 # SPDX-License-Identifier: MIT
 
 macro(target_add_scatter_file target)
     add_library(${target}_scatter OBJECT)
 
-    target_link_libraries(${target}_scatter PRIVATE
-        fri-bsp
-    )
+    # Only use interface includes for fri-bsp, the linker script does not need public sources
+    target_include_directories(${target}_scatter PRIVATE $<TARGET_PROPERTY:fri-bsp,INTERFACE_INCLUDE_DIRECTORIES>)
 
     if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
         target_link_options(${target}

applications/keyword_detection/CMakeLists.txt

@@ -3,6 +3,13 @@
 # SPDX-License-Identifier: MIT
 
 cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
+
+# NS target name the TF-M api_ns CMakeLists.txt uses
+set(NS_TARGET_NAME keyword-detection)
+# Toolchain file has to be included before the very first project() call
+include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake)
+
+
 project(keyword-detection LANGUAGES C CXX)
 
 set(ML_INFERENCE_ENGINE     "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS | SOFTWARE)")
@@ -23,20 +30,13 @@ set(AWS_OTA_SIGNATURE_TYPE  "RSA-3072" CACHE STRING "Supported algorithms for si
 # Because of this, if only PATCH version is changed then the OTA will be rejected
 # due to same firmware version.
 # We will therefore change the build version from TF-M.
-set(MCUBOOT_IMAGE_VERSION_NS "0.0.1+10")
+# MCUBOOT_IMAGE_VERSION_NS is passed to the TF-M build in TfmInitialCache.cmake
 set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.1+20")
 
-# These variables are only defined in case of GNU toolchain as it is currently the only toolchain
-# that supports the ML Model component OTA update feature where these variables are needed.
+# This variable is only defined in case of GNU toolchain as it is currently the only toolchain
+# that supports the ML Model component OTA update feature where this variable is needed.
 if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
-    set(MCUBOOT_IMAGE_VERSION_NS_ML_MODEL "0.0.1+11")
     set(MCUBOOT_IMAGE_VERSION_NS_ML_MODEL_UPDATE "0.0.1+42")
-    set(MCUBOOT_IMAGE_NUMBER 3 CACHE STRING "Total number of firmware images")
-    set(MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM "1_0")
-    set(DEFAULT_MCUBOOT_FLASH_MAP OFF)
-else()
-    set(DEFAULT_MCUBOOT_FLASH_MAP ON)
-    set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Total number of firmware images")
 endif()
 
 if (${ML_INFERENCE_ENGINE} STREQUAL "ETHOS")
@@ -48,42 +48,9 @@ endif()
 set(ML_USE_CASE "kws")
 set(ML_MODEL "GenerateKWSModel")
 set(ML_USE_CASE_RESOURCES_FILE "${CMAKE_CURRENT_LIST_DIR}/resources/use_case_resources.json")
-set(TFM_PLATFORM_UPGRADE_STRATEGY "SWAP_USING_SCRATCH")
-set(TFM_PLATFORM_CONFIRM_IMAGE ON)
-
-# Trusted Firmware-M setup
-set(TFM_CMAKE_APP_ARGS
-    -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/keyword_detection/configs/tfm_config/project_config.h
-    -DMCUBOOT_CONFIRM_IMAGE=${TFM_PLATFORM_CONFIRM_IMAGE}
-    -DMCUBOOT_UPGRADE_STRATEGY=${TFM_PLATFORM_UPGRADE_STRATEGY}
-    -DMCUBOOT_IMAGE_VERSION_NS=${MCUBOOT_IMAGE_VERSION_NS}
-    -DMCUBOOT_IMAGE_VERSION_NS_ML_MODEL=${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL}
-    -DMCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM=${MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM}
-    -DMCUBOOT_SECURITY_COUNTER_NS_ML_MODEL=1
-    -DCONFIG_TFM_HALT_ON_CORE_PANIC=ON
-    -DMCUBOOT_DATA_SHARING=ON
-    -DPLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT=ON
-    -DTFM_PARTITION_FIRMWARE_UPDATE=ON
-    -DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_INFO
-)
-
-# These definitions are only defined in case of GNU toolchain as it is currently the only toolchain
-# that supports the ML Model component OTA update feature where these definitions are needed.
-if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
-    list(APPEND TFM_CMAKE_APP_ARGS
-    -DMCUBOOT_IMAGE_VERSION_NS_ML_MODEL=${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL}
-    -DMCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM=${MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM}
-    -DMCUBOOT_SECURITY_COUNTER_NS_ML_MODEL=1
-    )
-endif()
-
-# Set global optimization level to reduce code size while keeping the debug experience.
-if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
-    add_compile_options(-Og)
-elseif(${CMAKE_C_COMPILER_ID} STREQUAL "ARMClang")
-    add_compile_options(-O1)
-endif()
 
+set_compiler_and_linker_flags()
+include(${CONFIG_SPE_PATH}/config/cp_check.cmake)
 
 add_subdirectory(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR} ${CMAKE_BINARY_DIR}/iot_reference_arm_corstone3xx)
 
@@ -105,6 +72,7 @@ add_executable(keyword-detection
     main.c
     ml_interface.cc
     model_config.cc
+    ${CONFIG_SPE_PATH}/interface/src/os_wrapper/tfm_ns_interface_rtos.c
 )
 
 # These definitions are only defined in case of GNU toolchain as it is currently the only toolchain
@@ -157,10 +125,6 @@ target_compile_options(keyword-detection
         $<$<COMPILE_LANGUAGE:C>:-std=c99>
 )
 
-# Trusted Firmware-M must be built before the application, because
-# the application depends on the NS interface and the BL2 signing scripts,
-# both of which are generated as parts of the Trusted Firmware-M build process.
-add_dependencies(keyword-detection trusted_firmware-m-build)
 # The provision data must be built before the application because
 # it provides credentials to connect to AWS.
 add_dependencies(keyword-detection provisioning_data_bin)
@@ -181,10 +145,12 @@ target_link_libraries(keyword-detection
         mbedtls
         ota-update
         provisioning-lib
-        tfm-ns-interface
+        tfm_api_ns
         toolchain-override
         kws_api
         kws_model
+        # FRI always uses TrustZone
+        tfm_api_ns_tz
 )
 
 # sntp helper library depends on FreeRTOS-Plus-TCP connectivity stack as it
@@ -203,8 +169,6 @@ set_linker_script(keyword-detection)
 
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake)
 include(ConvertElfToBin)
-include(ExternalProject)
-ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR)
 
 # The ML Model is only extracted in case of GNU toolchain as it is currently the only toolchain
 # that supports the ML Model component OTA update feature.
@@ -220,26 +184,31 @@ extract_sections_from_axf(
     OUTPUT_BIN_NAME  "ns_image"
 )
 
-# The non-secure application, and ML model images should be padded while being signed
-# Hence, passing "TRUE" as the input parameter to the pad option of sign function.
-iot_reference_arm_corstone3xx_tf_m_sign_image(
-    keyword-detection
-    "ns_image"
-    keyword-detection_signed
-    ${MCUBOOT_IMAGE_VERSION_NS}
-    "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o"
-    TRUE
+# Copy the binary flash content to the location expected by default signing
+# Signing is implemented in the exported TF-M NS CMakeLists.txt (in the
+# ${CONFIG_SPE_PATH} directory)
+add_custom_target(keyword-detection_bin
+    SOURCES ${CMAKE_BINARY_DIR}/keyword-detection.bin
+    DEPENDS keyword-detection
+)
+add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/keyword-detection.bin
+    DEPENDS keyword-detection
+    COMMAND ${CMAKE_COMMAND}
+        -E copy ${SECTORS_BIN_DIR}/ns_image.bin
+        ${CMAKE_BINARY_DIR}/keyword-detection.bin
 )
 
 # The ML Model image is only signed in case of GNU toolchain as it is currently the only toolchain
 # that supports the ML Model component OTA update feature.
+# The ML model image should be padded while being signed
+# Hence, passing "TRUE" as the input parameter to the pad option of sign function
 if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
     iot_reference_arm_corstone3xx_tf_m_sign_image(
         keyword-detection
         "model"
         keyword-detection-model_signed
         ${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL}
-        "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns_ml_model.o"
+        "${CONFIG_SPE_PATH}/image_signing/layout_files/signing_layout_ns_ml_model.o"
         TRUE
     )
 endif()
@@ -253,7 +222,7 @@ iot_reference_arm_corstone3xx_tf_m_sign_image(
     "ns_image"
     keyword-detection-update_signed
     ${MCUBOOT_IMAGE_VERSION_NS_UPDATE}
-    "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o"
+    "${CONFIG_SPE_PATH}/image_signing/layout_files/signing_layout_ns.o"
     FALSE
 )
 
@@ -265,7 +234,7 @@ if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
         "model"
         keyword-detection-model-update_signed
         ${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL_UPDATE}
-        "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns_ml_model.o"
+        "${CONFIG_SPE_PATH}/image_signing/layout_files/signing_layout_ns_ml_model.o"
         FALSE
     )
 endif()

applications/keyword_detection/TfmInitialCache.cmake

@@ -0,0 +1,30 @@
+# Copyright 2025 Arm Limited and/or its affiliates
+# <[email protected]>
+# SPDX-License-Identifier: MIT
+
+include(${ROOT}/cmake/TfmInitialCacheCommon.cmake)
+
+set(TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH "${ROOT}/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h" CACHE FILEPATH "TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH" FORCE)
+set(PROJECT_CONFIG_HEADER_FILE ${ROOT}/applications/keyword_detection/configs/tfm_config/project_config.h CACHE FILEPATH "PROJECT_CONFIG_HEADER_FILE" FORCE)
+set(MCUBOOT_UPGRADE_STRATEGY "SWAP_USING_SCRATCH" CACHE STRING "MCUBOOT_UPGRADE_STRATEGY" FORCE)
+set(MCUBOOT_IMAGE_VERSION_NS  "0.0.1+10" CACHE STRING "MCUBOOT_IMAGE_VERSION_NS" FORCE)
+set(CONFIG_TFM_HALT_ON_CORE_PANIC ON CACHE BOOL "CONFIG_TFM_HALT_ON_CORE_PANIC" FORCE)
+set(MCUBOOT_DATA_SHARING ON CACHE BOOL "MCUBOOT_DATA_SHARING" FORCE)
+set(PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT ON CACHE BOOL "PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT" FORCE)
+set(TFM_PARTITION_FIRMWARE_UPDATE ON CACHE BOOL "TFM_PARTITION_FIRMWARE_UPDATE" FORCE)
+set(TFM_PARTITION_LOG_LEVEL TFM_PARTITION_LOG_LEVEL_INFO CACHE STRING "TFM_PARTITION_LOG_LEVEL" FORCE)
+set(CONFIG_TFM_ENABLE_MVE ON CACHE STRING "CONFIG_TFM_ENABLE_MVE" FORCE)
+set(CONFIG_TFM_ENABLE_MVE_FP ON CACHE STRING "CONFIG_TFM_ENABLE_MVE_FP" FORCE)
+
+# These variables are only defined in case of GNU toolchain as it is currently the only toolchain
+# that supports the ML Model component OTA update feature where these variables are needed.
+if (${TOOLCHAIN} STREQUAL "GNU")
+    set(MCUBOOT_IMAGE_VERSION_NS_ML_MODEL "0.0.1+11" CACHE STRING "MCUBOOT_IMAGE_VERSION_NS_ML_MODEL" FORCE)
+    set(MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM "1_0" CACHE STRING "MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM" FORCE)
+    set(MCUBOOT_SECURITY_COUNTER_NS_ML_MODEL 1 CACHE STRING "MCUBOOT_SECURITY_COUNTER_NS_ML_MODEL" FORCE)
+    set(MCUBOOT_IMAGE_NUMBER 3 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE)
+    set(DEFAULT_MCUBOOT_FLASH_MAP OFF CACHE BOOL "DEFAULT_MCUBOOT_FLASH_MAP" FORCE)
+else()
+    set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL "DEFAULT_MCUBOOT_FLASH_MAP" FORCE)
+    set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE)
+endif()

applications/keyword_detection/configs/freertos_config/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright 2023 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <[email protected]>
 # SPDX-License-Identifier: MIT
 
@@ -14,6 +14,6 @@ target_compile_definitions(freertos_config
 
 target_link_libraries(freertos_config
     INTERFACE
-        tfm-ns-interface
+        tfm_api_ns
         app-config
 )

applications/keyword_detection/configs/mbedtls_config/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright 2023 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <[email protected]>
 # SPDX-License-Identifier: MIT
 
@@ -7,11 +7,6 @@ target_include_directories(mbedtls-config
         .
 )
 
-target_compile_definitions(mbedtls-config
-    INTERFACE
-        MBEDTLS_CONFIG_FILE="aws_mbedtls_config.h"
-)
-
 target_link_libraries(mbedtls-config
     INTERFACE
         freertos_kernel

applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h

@@ -11,7 +11,7 @@
 /*
  *  Copyright The Mbed TLS Contributors
  *  SPDX-License-Identifier: Apache-2.0
- *  Copyright 2024 Arm Limited and/or its affiliates
+ *  Copyright 2024-2025 Arm Limited and/or its affiliates
  *  <[email protected]>
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -27,15 +27,21 @@
  *  limitations under the License.
  */
 
-#include "app_config.h"
+#if DOMAIN_NS == 1
+    #include "app_config.h"
 
 /* AWS IoT Core Device Advisor validation is not supported on ARMClang because
  * ARMClang compiler does not support gmtime() function which is needed when
  * MBEDTLS_HAVE_TIME macro is defined. MBEDTLS_HAVE_TIME should be defined to
  * pass TLS Expired Server Cert test which is part of AWS IoT Core Device Advisor validation tests. */
-#if ( ( appCONFIG_DEVICE_ADVISOR_TEST_ACTIVE == 1 ) && ( defined( __ARMCC_VERSION ) ) )
-    #error "AWS IoT Core Device Advisor validation is not supported on Arm Compiler For Embedded (ARMClang)"
-#endif
+    #if ( ( appCONFIG_DEVICE_ADVISOR_TEST_ACTIVE == 1 ) && ( defined( __ARMCC_VERSION ) ) )
+        #error "AWS IoT Core Device Advisor validation is not supported on Arm Compiler For Embedded (ARMClang)"
+    #endif
+
+#else /* DOMAIN_NS != 1 */
+    /* Set if this config file is currently used for TF-M secure clients */
+    #define PSA_CRYPTO_TFM_SECURE_CONFIG
+#endif /* DOMAIN_NS == 1 */
 
 /**
  * This is an optional version symbol that enables compatibility handling of
@@ -1175,7 +1181,7 @@ void mbedtls_platform_free( void * ptr );
  * \warning This interface is experimental and may change or be removed
  * without notice.
  */
-#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM
+#if defined( PSA_CRYPTO_IMPLEMENTATION_TFM ) || defined( PSA_CRYPTO_TFM_SECURE_CONFIG )
     #define MBEDTLS_PSA_CRYPTO_CLIENT
 #endif
 
@@ -1775,7 +1781,9 @@ void mbedtls_platform_free( void * ptr );
  * This feature is still experimental and is not ready for production since
  * it is not completed.
  */
-/*#define MBEDTLS_PSA_CRYPTO_CONFIG */
+#ifdef PSA_CRYPTO_TFM_SECURE_CONFIG
+    #define MBEDTLS_PSA_CRYPTO_CONFIG
+#endif
 
 /**
  * \def MBEDTLS_VERSION_FEATURES