diff --git a/.gitignore b/.gitignore index 7696ab90..322f7ca7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ # Build directory build +build_tfm build_unit_test # Cache directory diff --git a/.gitmodules b/.gitmodules index f7aa5ffc..e50e236a 100644 --- a/.gitmodules +++ b/.gitmodules @@ -40,9 +40,6 @@ [submodule "mbedtls"] path = components/security/mbedtls/library url = https://github.com/Mbed-TLS/mbedtls.git -[submodule "open_iot_sdk_toolchain"] - path = components/tools/open_iot_sdk_toolchain/library - url = https://git.gitlab.arm.com/iot/open-iot-sdk/toolchain.git [submodule "tinycbor"] path = components/aws_iot/tinycbor/library url = https://github.com/intel/tinycbor.git diff --git a/.vscode/launch.json b/.vscode/launch.json index 674116b5..01d994a8 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -1,4 +1,4 @@ -// Copyright 2021-2024 Arm Limited and/or its affiliates +// Copyright 2021-2025 Arm Limited and/or its affiliates // // SPDX-License-Identifier: MIT @@ -15,8 +15,8 @@ "overrideLaunchCommands": [ "-enable-pretty-printing", "break main.c:main", - "add-symbol-file iot_reference_arm_corstone3xx/components/security/trusted_firmware-m/integration/trusted_firmware-m-build-prefix/src/trusted_firmware-m-build-build/api_ns/bin/bl2.axf", - "add-symbol-file iot_reference_arm_corstone3xx/components/security/trusted_firmware-m/integration/trusted_firmware-m-build-prefix/src/trusted_firmware-m-build-build/api_ns/bin/tfm_s.axf", + "add-symbol-file ${workspaceFolder}/build_tfm/api_ns/bin/bl2.axf", + "add-symbol-file ${workspaceFolder}/build_tfm/api_ns/bin/tfm_s.axf", ], "preLaunchTask": "Debug Arm Featured Reference Integration applications", "showDevDebugOutput": "raw" diff --git a/applications/blinky/CMakeLists.txt b/applications/blinky/CMakeLists.txt index f860d8ae..3e6704a3 100644 --- a/applications/blinky/CMakeLists.txt +++ b/applications/blinky/CMakeLists.txt 
@@ -4,23 +4,17 @@ cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR) +# NS target name the TF-M api_ns CMakeLists.txt uses +set(NS_TARGET_NAME blinky) set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky" CACHE STRING "Path to the application folder") -# Trusted Firmware-M setup -set(TFM_CMAKE_APP_ARGS - -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky/configs/tfm_config/project_config.h -) -set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Total number of firmware images") -set(DEFAULT_MCUBOOT_FLASH_MAP ON) +# Toolchain file has to be included before the very first project() call +include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake) project(blinky-example LANGUAGES C) -# Set global optimization level to reduce code size while keeping the debug experience. -if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") - add_compile_options(-Og) -elseif(${CMAKE_C_COMPILER_ID} STREQUAL "ARMClang") - add_compile_options(-O1) -endif() +set_compiler_and_linker_flags() +include(${CONFIG_SPE_PATH}/config/cp_check.cmake) add_subdirectory(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR} ${CMAKE_BINARY_DIR}/iot_reference_arm_corstone3xx) 
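Review bot: `include(${CONFIG_SPE_PATH}/config/cp_check.cmake)` runs a script from the exported TF-M tree at configure time, and nothing visible in this hunk checks that `CONFIG_SPE_PATH` is set or points at the TF-M build the application is meant to pair with. If `TfmNsToolchain.cmake` (not shown) does not already validate it, an empty value turns the path into `/config/cp_check.cmake`, and a stale `build_tfm` directory would be picked up silently. Placing `if(NOT EXISTS "${CONFIG_SPE_PATH}/config/cp_check.cmake")` with a `message(FATAL_ERROR "TF-M export not found; CONFIG_SPE_PATH='${CONFIG_SPE_PATH}'")` before the include, and quoting the path, would make the failure explicit. The same two lines appear in the freertos_iot_libraries_tests and keyword_detection CMakeLists hunks.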
@@ -32,24 +26,24 @@ include(SignTfmImage) add_subdirectory(configs) -add_executable(blinky main.c) -# Trusted Firmware-M must be built before the application, because -# the application depends on the NS interface and the BL2 signing scripts, -# both of which are generated as parts of the Trusted Firmware-M build process. -add_dependencies(blinky trusted_firmware-m-build) +add_executable(blinky + main.c + ${CONFIG_SPE_PATH}/interface/src/os_wrapper/tfm_ns_interface_rtos.c +) + target_link_libraries(blinky freertos_kernel fri-bsp - tfm-ns-interface + tfm_api_ns toolchain-override + # FRI always uses TrustZone + tfm_api_ns_tz ) set_linker_script(blinky) list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake) include(ConvertElfToBin) -include(ExternalProject) -ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR) extract_sections_from_axf( blinky @@ -57,15 +51,18 @@ extract_sections_from_axf( OUTPUT_BIN_NAME "ns_image" ) -# The non-secure application image should be padded while being signed -# Hence, passing "TRUE" as the input parameter to the pad option of sign function. -iot_reference_arm_corstone3xx_tf_m_sign_image( - blinky - "ns_image" - blinky_signed - 0.0.1 - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o" - TRUE +# Copy the binary flash content to the location expected by default signing +# Signing is implemented in the exported TF-M NS CMakeLists.txt (in the +# ${CONFIG_SPE_PATH} directory) +add_custom_target(blinky_bin + SOURCES ${CMAKE_BINARY_DIR}/blinky.bin + DEPENDS blinky +) +add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/blinky.bin + DEPENDS blinky + COMMAND ${CMAKE_COMMAND} + -E copy ${SECTORS_BIN_DIR}/ns_image.bin + ${CMAKE_BINARY_DIR}/blinky.bin ) # A user project that consumes the ARM FRI needs to explicitly provide diff --git a/applications/blinky/TfmInitialCache.cmake b/applications/blinky/TfmInitialCache.cmake new file mode 100644 index 00000000..013ef805 --- /dev/null 
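Review bot: The `add_custom_command` that produces `${CMAKE_BINARY_DIR}/blinky.bin` has no `VERBATIM` and passes `${SECTORS_BIN_DIR}/ns_image.bin` unquoted, so argument escaping is platform-dependent and an unset `SECTORS_BIN_DIR` resolves to `/ns_image.bin`. Because this copy is the file the exported TF-M signing step consumes, I would add `VERBATIM`, quote both paths, and add a one-line comment saying where `SECTORS_BIN_DIR` is defined (presumably `ConvertElfToBin`; it is not visible here). The rule depends only on the `blinky` target, which is sufficient only if `ns_image.bin` is always regenerated when that target is built; this is worth confirming so that a stale binary is never signed. The same block is repeated in the freertos_iot_libraries_tests and keyword_detection CMakeLists hunks.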
+++ b/applications/blinky/TfmInitialCache.cmake @@ -0,0 +1,10 @@ +# Copyright 2025 Arm Limited and/or its affiliates +# +# SPDX-License-Identifier: MIT + +include(${ROOT}/cmake/TfmInitialCacheCommon.cmake) + +set(MCUBOOT_IMAGE_VERSION_NS 0.0.1 CACHE STRING "MCUBOOT_IMAGE_VERSION_NS" FORCE) +set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE) +set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE STRING "DEFAULT_MCUBOOT_FLASH_MAP" FORCE) +set(PROJECT_CONFIG_HEADER_FILE ${ROOT}/applications/blinky/configs/tfm_config/project_config.h CACHE FILEPATH "PROJECT_CONFIG_HEADER_FILE" FORCE) diff --git a/applications/blinky/configs/freertos_config/CMakeLists.txt b/applications/blinky/configs/freertos_config/CMakeLists.txt index cdc1dc88..0a595fb2 100644 --- a/applications/blinky/configs/freertos_config/CMakeLists.txt +++ b/applications/blinky/configs/freertos_config/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -14,6 +14,6 @@ target_compile_definitions(freertos_config target_link_libraries(freertos_config INTERFACE - tfm-ns-interface + tfm_api_ns app-config ) diff --git a/applications/blinky/tests/corstone300_pass_output.log b/applications/blinky/tests/corstone300_pass_output.log index c03de573..25e2b268 100644 --- a/applications/blinky/tests/corstone300_pass_output.log +++ b/applications/blinky/tests/corstone300_pass_output.log @@ -1,6 +1,6 @@ Waiting for provisioning bundle Running provisioning bundle -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 psa_framework_version is: 257 LED on LED off diff --git a/applications/blinky/tests/corstone310_pass_output.log b/applications/blinky/tests/corstone310_pass_output.log index c03de573..25e2b268 100644 --- a/applications/blinky/tests/corstone310_pass_output.log +++ b/applications/blinky/tests/corstone310_pass_output.log 
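Review bot: `DEFAULT_MCUBOOT_FLASH_MAP` is cached here as `STRING`, while the two other `TfmInitialCache.cmake` files added by this commit declare it as `BOOL`; for consistency it should read `set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL "DEFAULT_MCUBOOT_FLASH_MAP" FORCE)`. The docstrings only repeat the variable names, so a short description (the removed `MCUBOOT_IMAGE_NUMBER` entry said "Total number of firmware images") would be more useful to someone inspecting the cache. `${ROOT}` is used in the `include()` and `PROJECT_CONFIG_HEADER_FILE` paths but is not defined in this file, so a header comment stating that the caller must define `ROOT` before this file is loaded would help; that is an assumption about how the file is invoked.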
@@ -1,6 +1,6 @@ Waiting for provisioning bundle Running provisioning bundle -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 psa_framework_version is: 257 LED on LED off diff --git a/applications/blinky/tests/corstone315_pass_output.log b/applications/blinky/tests/corstone315_pass_output.log index 5ac36780..2ba7bcb0 100644 --- a/applications/blinky/tests/corstone315_pass_output.log +++ b/applications/blinky/tests/corstone315_pass_output.log @@ -1,6 +1,6 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 psa_framework_version is: 257 LED on LED off diff --git a/applications/blinky/tests/corstone320_pass_output.log b/applications/blinky/tests/corstone320_pass_output.log index 5ac36780..2ba7bcb0 100644 --- a/applications/blinky/tests/corstone320_pass_output.log +++ b/applications/blinky/tests/corstone320_pass_output.log @@ -1,6 +1,6 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 psa_framework_version is: 257 LED on LED off diff --git a/applications/freertos_iot_libraries_tests/CMakeLists.txt b/applications/freertos_iot_libraries_tests/CMakeLists.txt index 7e3529ad..7a5bd94b 100644 --- a/applications/freertos_iot_libraries_tests/CMakeLists.txt +++ b/applications/freertos_iot_libraries_tests/CMakeLists.txt 
@@ -4,33 +4,18 @@ cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR) +set(NS_TARGET_NAME freertos-iot-libraries-tests) +set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests" CACHE STRING "Path to the application folder") set(AWS_OTA_SIGNATURE_TYPE "RSA-3072" CACHE STRING "Supported algorithms for signature validation [RSA-2048, RSA-3072, EC-P256, EC-P384]") -set(MCUBOOT_IMAGE_VERSION_NS "0.0.1+10") -set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Total number of firmware images") -set(DEFAULT_MCUBOOT_FLASH_MAP ON) - -set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests" CACHE STRING "Path to the application folder") +# Toolchain file has to be included before the very first project() call +include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake) -# Trusted Firmware-M setup -set(TFM_CMAKE_APP_ARGS - -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests/configs/tfm_config/project_config.h - -DMCUBOOT_DATA_SHARING=ON - -DMCUBOOT_CONFIRM_IMAGE=ON - -DMCUBOOT_UPGRADE_STRATEGY=SWAP_USING_SCRATCH - -DMCUBOOT_IMAGE_VERSION_NS=${MCUBOOT_IMAGE_VERSION_NS} - -DPLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT=ON - -DTFM_PARTITION_FIRMWARE_UPDATE=ON -) project(freertos-iot-libraries-tests LANGUAGES C) -# Set global optimization level to reduce code size while keeping the debug experience. -if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") - add_compile_options(-Og) -elseif(${CMAKE_C_COMPILER_ID} STREQUAL "ARMClang") - add_compile_options(-O1) -endif() +set_compiler_and_linker_flags() +include(${CONFIG_SPE_PATH}/config/cp_check.cmake) # This variable is checked to apply configurations specific to FreeRTOS Libraries Integrations Tests set(FREERTOS_LIBRARIES_INTEGRATION_TESTS 1) 
@@ -74,15 +59,13 @@ target_link_libraries(freertos-libraries-integration-tests-config add_executable(${CMAKE_PROJECT_NAME} main.c integration_tests_platform_function.c + ${CONFIG_SPE_PATH}/interface/src/os_wrapper/tfm_ns_interface_rtos.c ) -# Trusted Firmware-M must be built before the application, because -# the application depends on the NS interface and the BL2 signing scripts, -# both of which are generated as parts of the Trusted Firmware-M build process. -add_dependencies(${CMAKE_PROJECT_NAME} trusted_firmware-m-build) # The provision data must be built before the application because # it provides credentials to connect to AWS add_dependencies(${CMAKE_PROJECT_NAME} provisioning_data_bin) + target_link_libraries(${CMAKE_PROJECT_NAME} PRIVATE backoff-algorithm @@ -97,15 +80,16 @@ target_link_libraries(${CMAKE_PROJECT_NAME} helpers-events provisioning-lib mbedtls - tfm-ns-interface + toolchain-override + tfm_api_ns + # FRI always uses TrustZone + tfm_api_ns_tz ) set_linker_script(${CMAKE_PROJECT_NAME}) list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake) include(ConvertElfToBin) -include(ExternalProject) -ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR) extract_sections_from_axf( ${CMAKE_PROJECT_NAME} 
@@ -113,14 +97,18 @@ extract_sections_from_axf( OUTPUT_BIN_NAME "ns_image" ) -# The non-secure application image should be padded while being signed -iot_reference_arm_corstone3xx_tf_m_sign_image( - ${CMAKE_PROJECT_NAME} - "ns_image" - ${CMAKE_PROJECT_NAME}_signed - ${MCUBOOT_IMAGE_VERSION_NS} - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o" - TRUE +# Copy the binary flash content to the location expected by default signing +# Signing is implemented in the exported TF-M NS CMakeLists.txt (in the +# ${CONFIG_SPE_PATH} directory) +add_custom_target(freertos-iot-libraries-tests_bin + SOURCES ${CMAKE_BINARY_DIR}/freertos-iot-libraries-tests.bin + DEPENDS freertos-iot-libraries-tests +) +add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/freertos-iot-libraries-tests.bin + DEPENDS freertos-iot-libraries-tests + COMMAND ${CMAKE_COMMAND} + -E copy ${SECTORS_BIN_DIR}/ns_image.bin + ${CMAKE_BINARY_DIR}/freertos-iot-libraries-tests.bin ) # A user project that consumes the ARM FRI needs to explicitly provide diff --git a/applications/freertos_iot_libraries_tests/TfmInitialCache.cmake b/applications/freertos_iot_libraries_tests/TfmInitialCache.cmake new file mode 100644 index 00000000..30e5ecac --- /dev/null +++ b/applications/freertos_iot_libraries_tests/TfmInitialCache.cmake 
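Review bot: The new custom target and command hard-code `freertos-iot-libraries-tests`, while the executable in this file is created as `${CMAKE_PROJECT_NAME}` and the name the TF-M NS build expects is already held in `NS_TARGET_NAME`. Deriving all of them from one variable, for example `add_custom_target(${NS_TARGET_NAME}_bin ...)` with `${CMAKE_BINARY_DIR}/${NS_TARGET_NAME}.bin` as the output, keeps the names from drifting apart if the project is renamed. A brief comment that the `_bin` suffix is the name the exported TF-M NS CMakeLists looks for would also help, if that is indeed the contract (it is not visible in this diff).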
@@ -0,0 +1,16 @@ +# Copyright 2025 Arm Limited and/or its affiliates +# +# SPDX-License-Identifier: MIT + +include(${ROOT}/cmake/TfmInitialCacheCommon.cmake) + +# Trusted Firmware-M setup +set(TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH "${ROOT}/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h" CACHE FILEPATH "TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH" FORCE) +set(PROJECT_CONFIG_HEADER_FILE ${ROOT}/applications/freertos_iot_libraries_tests/configs/tfm_config/project_config.h CACHE FILEPATH "PROJECT_CONFIG_HEADER_FILE" FORCE) +set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE) +set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL "DEFAULT_MCUBOOT_FLASH_MAP" FORCE) +set(MCUBOOT_DATA_SHARING ON CACHE BOOL "MCUBOOT_DATA_SHARING" FORCE) +set(MCUBOOT_UPGRADE_STRATEGY "SWAP_USING_SCRATCH" CACHE STRING "MCUBOOT_UPGRADE_STRATEGY" FORCE) +set(MCUBOOT_IMAGE_VERSION_NS "0.0.10+0" CACHE STRING "MCUBOOT_IMAGE_VERSION_NS" FORCE) +set(PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT ON CACHE BOOL "PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT" FORCE) +set(TFM_PARTITION_FIRMWARE_UPDATE ON CACHE BOOL "TFM_PARTITION_FIRMWARE_UPDATE" FORCE) diff --git a/applications/freertos_iot_libraries_tests/configs/freertos_config/CMakeLists.txt b/applications/freertos_iot_libraries_tests/configs/freertos_config/CMakeLists.txt index a7a2b28c..0a595fb2 100644 --- a/applications/freertos_iot_libraries_tests/configs/freertos_config/CMakeLists.txt +++ b/applications/freertos_iot_libraries_tests/configs/freertos_config/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023-2024 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -14,6 +14,6 @@ target_compile_definitions(freertos_config target_link_libraries(freertos_config INTERFACE - tfm-ns-interface + tfm_api_ns app-config ) 
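Review bot: The `TFM_CMAKE_APP_ARGS` list that this file replaces passed `-DMCUBOOT_CONFIRM_IMAGE=ON`, but no `MCUBOOT_CONFIRM_IMAGE` entry appears among the cache values set here. Unless `TfmInitialCacheCommon.cmake` (not shown) sets it, the TF-M build falls back to its own default, and the confirm/revert behaviour of the `SWAP_USING_SCRATCH` upgrade path changes without the commit saying so. If the previous behaviour is intended, add `set(MCUBOOT_CONFIRM_IMAGE ON CACHE BOOL "MCUBOOT_CONFIRM_IMAGE" FORCE)`; otherwise a comment recording the deliberate change would help. The keyword_detection `TfmInitialCache.cmake` shows the same gap against its removed `-DMCUBOOT_CONFIRM_IMAGE=${TFM_PLATFORM_CONFIRM_IMAGE}`.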
diff --git a/applications/freertos_iot_libraries_tests/configs/mbedtls_config/CMakeLists.txt b/applications/freertos_iot_libraries_tests/configs/mbedtls_config/CMakeLists.txt index b87f454a..38dc7fb1 100644 --- a/applications/freertos_iot_libraries_tests/configs/mbedtls_config/CMakeLists.txt +++ b/applications/freertos_iot_libraries_tests/configs/mbedtls_config/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023-2024 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -7,11 +7,6 @@ target_include_directories(mbedtls-config . ) -target_compile_definitions(mbedtls-config - INTERFACE - MBEDTLS_CONFIG_FILE="aws_mbedtls_config.h" -) - target_link_libraries(mbedtls-config INTERFACE freertos_kernel diff --git a/applications/helpers/provisioning/CMakeLists.txt b/applications/helpers/provisioning/CMakeLists.txt index fbb749b3..ac94f082 100644 --- a/applications/helpers/provisioning/CMakeLists.txt +++ b/applications/helpers/provisioning/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023-2024 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -19,9 +19,8 @@ else() ${CMAKE_CURRENT_LIST_DIR}/inc ) - target_link_libraries(provisioning_data PRIVATE - fri-bsp - ) + # Only use interface includes for fri-bsp for provisioning config, public sources are not needed + target_include_directories(provisioning_data PRIVATE $) set( CODE_SIGNING_PUBLIC_KEY_PEM_PATH 
@@ -45,13 +44,14 @@ else() ${CMAKE_CURRENT_BINARY_DIR}/aws_clientcredential_keys.h ) - add_dependencies(aws_clientcredential_keys_header trusted_firmware-m-build) add_dependencies(provisioning_data aws_clientcredential_keys_header) if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") target_link_options(provisioning_data PRIVATE - "-nostartfiles" + # We should define an entry point to override the default Reset_Handler + "--entry=provisioningBundle" + "-nostartfiles" ) target_add_scatter_file(provisioning_data ${CMAKE_CURRENT_LIST_DIR}/provisioning_data.ld) else() diff --git a/applications/helpers/provisioning/cmake/SetProvisioningLinkOptions.cmake b/applications/helpers/provisioning/cmake/SetProvisioningLinkOptions.cmake index 59b9fd85..f8dbe644 100644 --- a/applications/helpers/provisioning/cmake/SetProvisioningLinkOptions.cmake +++ b/applications/helpers/provisioning/cmake/SetProvisioningLinkOptions.cmake @@ -1,13 +1,12 @@ -# Copyright 2023 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT macro(target_add_scatter_file target) add_library(${target}_scatter OBJECT) - target_link_libraries(${target}_scatter PRIVATE - fri-bsp - ) + # Only use interface includes for fri-bsp, the linker script does not need public sources + target_include_directories(${target}_scatter PRIVATE $) if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") target_link_options(${target} diff --git a/applications/keyword_detection/CMakeLists.txt b/applications/keyword_detection/CMakeLists.txt index 8fedeedc..fadd13b7 100644 --- a/applications/keyword_detection/CMakeLists.txt +++ b/applications/keyword_detection/CMakeLists.txt 
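Review bot: With `-nostartfiles` and `--entry=provisioningBundle`, a missing or renamed `provisioningBundle` symbol is, as far as I know, only a warning from GNU ld, which then falls back to a default entry address, so the provisioning image would still link. Adding `"LINKER:--undefined=provisioningBundle"` to the same `target_link_options` call (or making linker warnings fatal for this target) turns that into a build error. The new comment states the action but not the reason; it could say why the default `Reset_Handler` entry must be overridden for this image. The `else()` branch for the other toolchain lies outside the hunk, so I cannot tell whether it needs an equivalent option.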
@@ -3,6 +3,13 @@ # SPDX-License-Identifier: MIT cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR) + +# NS target name the TF-M api_ns CMakeLists.txt uses +set(NS_TARGET_NAME keyword-detection) +# Toolchain file has to be included before the very first project() call +include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake) + + project(keyword-detection LANGUAGES C CXX) set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS | SOFTWARE)") @@ -23,20 +30,13 @@ set(AWS_OTA_SIGNATURE_TYPE "RSA-3072" CACHE STRING "Supported algorithms for si # Because of this, if only PATCH version is changed then the OTA will be rejected # due to same firmware version. # We will therefore change the build version from TF-M. -set(MCUBOOT_IMAGE_VERSION_NS "0.0.1+10") -set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.1+20") +# MCUBOOT_IMAGE_VERSION_NS is passed to the TF-M build in TfmInitialCache.cmake +set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.20+0") -# These variables are only defined in case of GNU toolchain as it is currently the only toolchain -# that supports the ML Model component OTA update feature where these variables are needed. +# This variable is only defined in case of GNU toolchain as it is currently the only toolchain +# that supports the ML Model component OTA update feature where this variable is needed. if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU") - set(MCUBOOT_IMAGE_VERSION_NS_ML_MODEL "0.0.1+11") - set(MCUBOOT_IMAGE_VERSION_NS_ML_MODEL_UPDATE "0.0.1+42") - set(MCUBOOT_IMAGE_NUMBER 3 CACHE STRING "Total number of firmware images") - set(MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM "1_0") - set(DEFAULT_MCUBOOT_FLASH_MAP OFF) -else() - set(DEFAULT_MCUBOOT_FLASH_MAP ON) - set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Total number of firmware images") + set(MCUBOOT_IMAGE_VERSION_NS_ML_MODEL_UPDATE "0.0.42+0") endif() if (${ML_INFERENCE_ENGINE} STREQUAL "ETHOS") 
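Review bot: The retained comment above `MCUBOOT_IMAGE_VERSION_NS_UPDATE` still says the build version is what gets changed, yet the new values (`0.0.20+0` here and `0.0.42+0` for the model update) keep the `+0` build field constant and vary the third field instead. Please reword the comment to name the field that now distinguishes the update image. It should also note that the update version must stay higher than the `MCUBOOT_IMAGE_VERSION_NS` set in `TfmInitialCache.cmake`, since the two values are now maintained in separate files. The start of that comment block is outside the hunk, so this is based on the three visible lines.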
@@ -48,42 +48,9 @@ endif() set(ML_USE_CASE "kws") set(ML_MODEL "GenerateKWSModel") set(ML_USE_CASE_RESOURCES_FILE "${CMAKE_CURRENT_LIST_DIR}/resources/use_case_resources.json") -set(TFM_PLATFORM_UPGRADE_STRATEGY "SWAP_USING_SCRATCH") -set(TFM_PLATFORM_CONFIRM_IMAGE ON) - -# Trusted Firmware-M setup -set(TFM_CMAKE_APP_ARGS - -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/keyword_detection/configs/tfm_config/project_config.h - -DMCUBOOT_CONFIRM_IMAGE=${TFM_PLATFORM_CONFIRM_IMAGE} - -DMCUBOOT_UPGRADE_STRATEGY=${TFM_PLATFORM_UPGRADE_STRATEGY} - -DMCUBOOT_IMAGE_VERSION_NS=${MCUBOOT_IMAGE_VERSION_NS} - -DMCUBOOT_IMAGE_VERSION_NS_ML_MODEL=${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL} - -DMCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM=${MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM} - -DMCUBOOT_SECURITY_COUNTER_NS_ML_MODEL=1 - -DCONFIG_TFM_HALT_ON_CORE_PANIC=ON - -DMCUBOOT_DATA_SHARING=ON - -DPLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT=ON - -DTFM_PARTITION_FIRMWARE_UPDATE=ON - -DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_INFO -) - -# These definitions are only defined in case of GNU toolchain as it is currently the only toolchain -# that supports the ML Model component OTA update feature where these definitions are needed. -if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU") - list(APPEND TFM_CMAKE_APP_ARGS - -DMCUBOOT_IMAGE_VERSION_NS_ML_MODEL=${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL} - -DMCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM=${MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM} - -DMCUBOOT_SECURITY_COUNTER_NS_ML_MODEL=1 - ) -endif() - -# Set global optimization level to reduce code size while keeping the debug experience. -if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") - add_compile_options(-Og) -elseif(${CMAKE_C_COMPILER_ID} STREQUAL "ARMClang") - add_compile_options(-O1) -endif() +set_compiler_and_linker_flags() +include(${CONFIG_SPE_PATH}/config/cp_check.cmake) add_subdirectory(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR} ${CMAKE_BINARY_DIR}/iot_reference_arm_corstone3xx) 
@@ -105,6 +72,7 @@ add_executable(keyword-detection main.c ml_interface.cc model_config.cc + ${CONFIG_SPE_PATH}/interface/src/os_wrapper/tfm_ns_interface_rtos.c ) # These definitions are only defined in case of GNU toolchain as it is currently the only toolchain @@ -157,10 +125,6 @@ target_compile_options(keyword-detection $<$:-std=c99> ) -# Trusted Firmware-M must be built before the application, because -# the application depends on the NS interface and the BL2 signing scripts, -# both of which are generated as parts of the Trusted Firmware-M build process. -add_dependencies(keyword-detection trusted_firmware-m-build) # The provision data must be built before the application because # it provides credentials to connect to AWS. add_dependencies(keyword-detection provisioning_data_bin) @@ -181,10 +145,12 @@ target_link_libraries(keyword-detection mbedtls ota-update provisioning-lib - tfm-ns-interface + tfm_api_ns toolchain-override kws_api kws_model + # FRI always uses TrustZone + tfm_api_ns_tz ) # sntp helper library depends on FreeRTOS-Plus-TCP connectivity stack as it @@ -203,8 +169,6 @@ set_linker_script(keyword-detection) list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake) include(ConvertElfToBin) -include(ExternalProject) -ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR) # The ML Model is only extracted in case of GNU toolchain as it is currently the only toolchain # that supports the ML Model component OTA update feature. 
@@ -220,26 +184,31 @@ extract_sections_from_axf( OUTPUT_BIN_NAME "ns_image" ) -# The non-secure application, and ML model images should be padded while being signed -# Hence, passing "TRUE" as the input parameter to the pad option of sign function. -iot_reference_arm_corstone3xx_tf_m_sign_image( - keyword-detection - "ns_image" - keyword-detection_signed - ${MCUBOOT_IMAGE_VERSION_NS} - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o" - TRUE +# Copy the binary flash content to the location expected by default signing +# Signing is implemented in the exported TF-M NS CMakeLists.txt (in the +# ${CONFIG_SPE_PATH} directory) +add_custom_target(keyword-detection_bin + SOURCES ${CMAKE_BINARY_DIR}/keyword-detection.bin + DEPENDS keyword-detection +) +add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/keyword-detection.bin + DEPENDS keyword-detection + COMMAND ${CMAKE_COMMAND} + -E copy ${SECTORS_BIN_DIR}/ns_image.bin + ${CMAKE_BINARY_DIR}/keyword-detection.bin ) # The ML Model image is only signed in case of GNU toolchain as it is currently the only toolchain # that supports the ML Model component OTA update feature. +# The ML model image should be padded while being signed +# Hence, passing "TRUE" as the input parameter to the pad option of sign function if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU") iot_reference_arm_corstone3xx_tf_m_sign_image( keyword-detection "model" keyword-detection-model_signed ${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL} - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns_ml_model.o" + "${CONFIG_SPE_PATH}/image_signing/layout_files/signing_layout_ns_ml_model.o" TRUE ) endif() @@ -253,7 +222,7 @@ iot_reference_arm_corstone3xx_tf_m_sign_image( "ns_image" keyword-detection-update_signed ${MCUBOOT_IMAGE_VERSION_NS_UPDATE} - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o" + "${CONFIG_SPE_PATH}/image_signing/layout_files/signing_layout_ns.o" FALSE ) 
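Review bot: The ML model signing call still passes `${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL}`, but this commit removes `set(MCUBOOT_IMAGE_VERSION_NS_ML_MODEL ...)` from this CMakeLists and defines the value only in `TfmInitialCache.cmake` for the TF-M build. If the exported SPE configuration does not bring that variable into the application build (not visible here), the unquoted expansion is empty, the argument disappears, and the layout path shifts into the version position. Quoting it as `"${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL}"` and guarding with `if(NOT DEFINED MCUBOOT_IMAGE_VERSION_NS_ML_MODEL)` plus a `message(FATAL_ERROR ...)` would make a missing version fail loudly instead of producing a wrongly versioned signed image.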
@@ -265,7 +234,7 @@ if (${CMAKE_C_COMPILER_ID} STREQUAL "GNU") "model" keyword-detection-model-update_signed ${MCUBOOT_IMAGE_VERSION_NS_ML_MODEL_UPDATE} - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns_ml_model.o" + "${CONFIG_SPE_PATH}/image_signing/layout_files/signing_layout_ns_ml_model.o" FALSE ) endif() diff --git a/applications/keyword_detection/TfmInitialCache.cmake b/applications/keyword_detection/TfmInitialCache.cmake new file mode 100644 index 00000000..d79a5435 --- /dev/null +++ b/applications/keyword_detection/TfmInitialCache.cmake 
@@ -0,0 +1,30 @@
+# Copyright 2025 Arm Limited and/or its affiliates
+#
+# SPDX-License-Identifier: MIT
+
+include(${ROOT}/cmake/TfmInitialCacheCommon.cmake)
+
+set(TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH "${ROOT}/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h" CACHE FILEPATH "TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH" FORCE)
+set(PROJECT_CONFIG_HEADER_FILE ${ROOT}/applications/keyword_detection/configs/tfm_config/project_config.h CACHE FILEPATH "PROJECT_CONFIG_HEADER_FILE" FORCE)
+set(MCUBOOT_UPGRADE_STRATEGY "SWAP_USING_SCRATCH" CACHE STRING "MCUBOOT_UPGRADE_STRATEGY" FORCE)
+set(MCUBOOT_IMAGE_VERSION_NS "0.0.10+0" CACHE STRING "MCUBOOT_IMAGE_VERSION_NS" FORCE)
+set(CONFIG_TFM_HALT_ON_CORE_PANIC ON CACHE BOOL "CONFIG_TFM_HALT_ON_CORE_PANIC" FORCE)
+set(MCUBOOT_DATA_SHARING ON CACHE BOOL "MCUBOOT_DATA_SHARING" FORCE)
+set(PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT ON CACHE BOOL "PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT" FORCE)
+set(TFM_PARTITION_FIRMWARE_UPDATE ON CACHE BOOL "TFM_PARTITION_FIRMWARE_UPDATE" FORCE)
+set(TFM_PARTITION_LOG_LEVEL TFM_PARTITION_LOG_LEVEL_INFO CACHE STRING "TFM_PARTITION_LOG_LEVEL" FORCE)
+set(CONFIG_TFM_ENABLE_MVE ON CACHE STRING "CONFIG_TFM_ENABLE_MVE" FORCE)
+set(CONFIG_TFM_ENABLE_MVE_FP ON CACHE STRING "CONFIG_TFM_ENABLE_MVE_FP" FORCE)
+
+# These variables are only defined in case of GNU toolchain as it is currently the only toolchain
+# that supports the ML Model component OTA update feature where these variables are needed.
+if (${TOOLCHAIN} STREQUAL "GNU") + set(MCUBOOT_IMAGE_VERSION_NS_ML_MODEL "0.0.11+0" CACHE STRING "MCUBOOT_IMAGE_VERSION_NS_ML_MODEL" FORCE) + set(MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM "1_0" CACHE STRING "MCUBOOT_NS_ML_MODEL_IMAGE_FLASH_AREA_NUM" FORCE) + set(MCUBOOT_SECURITY_COUNTER_NS_ML_MODEL 1 CACHE STRING "MCUBOOT_SECURITY_COUNTER_NS_ML_MODEL" FORCE) + set(MCUBOOT_IMAGE_NUMBER 3 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE) + set(DEFAULT_MCUBOOT_FLASH_MAP OFF CACHE BOOL "DEFAULT_MCUBOOT_FLASH_MAP" FORCE) +else() + set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL "DEFAULT_MCUBOOT_FLASH_MAP" FORCE) + set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE) +endif() diff --git a/applications/keyword_detection/configs/freertos_config/CMakeLists.txt b/applications/keyword_detection/configs/freertos_config/CMakeLists.txt index cdc1dc88..0a595fb2 100644 --- a/applications/keyword_detection/configs/freertos_config/CMakeLists.txt +++ b/applications/keyword_detection/configs/freertos_config/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -14,6 +14,6 @@ target_compile_definitions(freertos_config target_link_libraries(freertos_config INTERFACE - tfm-ns-interface + tfm_api_ns app-config ) diff --git a/applications/keyword_detection/configs/mbedtls_config/CMakeLists.txt b/applications/keyword_detection/configs/mbedtls_config/CMakeLists.txt index d52c4da1..38dc7fb1 100644 --- a/applications/keyword_detection/configs/mbedtls_config/CMakeLists.txt +++ b/applications/keyword_detection/configs/mbedtls_config/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT 
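Review bot: `if (${TOOLCHAIN} STREQUAL "GNU")` expands `TOOLCHAIN` unquoted, and nothing in this file defines it; when it is unset the condition becomes `if( STREQUAL "GNU")` and configuration stops with a syntax error rather than a useful message. Quoting alone would instead fall through to the `else()` branch and quietly build with two images and the default flash map, so an explicit check is safer: `if(NOT DEFINED TOOLCHAIN)`, `message(FATAL_ERROR "TOOLCHAIN is not set")`, `endif()`, followed by `if("${TOOLCHAIN}" STREQUAL "GNU")`. Separately, `CONFIG_TFM_ENABLE_MVE` and `CONFIG_TFM_ENABLE_MVE_FP` are cached as `STRING` while the other ON/OFF entries in this file use `BOOL`.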
@@ -7,11 +7,6 @@ target_include_directories(mbedtls-config . ) -target_compile_definitions(mbedtls-config - INTERFACE - MBEDTLS_CONFIG_FILE="aws_mbedtls_config.h" -) - target_link_libraries(mbedtls-config INTERFACE freertos_kernel diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h index d7885978..a809d016 100644 --- a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -11,7 +11,7 @@ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 - * Copyright 2024 Arm Limited and/or its affiliates + * Copyright 2024-2025 Arm Limited and/or its affiliates * * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -27,15 +27,21 @@ * limitations under the License. */ -#include "app_config.h" +#if DOMAIN_NS == 1 + #include "app_config.h" /* AWS IoT Core Device Advisor validation is not supported on ARMClang because * ARMClang compiler does not support gmtime() function which is needed when * MBEDTLS_HAVE_TIME macro is defined. MBEDTLS_HAVE_TIME should be defined to * pass TLS Expired Server Cert test which is part of AWS IoT Core Device Advisor validation tests. */ -#if ( ( appCONFIG_DEVICE_ADVISOR_TEST_ACTIVE == 1 ) && ( defined( __ARMCC_VERSION ) ) ) - #error "AWS IoT Core Device Advisor validation is not supported on Arm Compiler For Embedded (ARMClang)" -#endif + #if ( ( appCONFIG_DEVICE_ADVISOR_TEST_ACTIVE == 1 ) && ( defined( __ARMCC_VERSION ) ) ) + #error "AWS IoT Core Device Advisor validation is not supported on Arm Compiler For Embedded (ARMClang)" + #endif + +#else /* DOMAIN_NS != 1 */ + /* Set if this config file is currently used for TF-M secure clients */ + #define PSA_CRYPTO_TFM_SECURE_CONFIG +#endif /* DOMAIN_NS == 1 */ /** * This is an optional version symbol that enables compatibility handling of 
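Review bot: `#if DOMAIN_NS == 1` treats an undefined `DOMAIN_NS` as 0, so any translation unit that includes this header without the macro silently takes the `#else` branch, defines `PSA_CRYPTO_TFM_SECURE_CONFIG`, and skips both `app_config.h` and the Device Advisor `#error` check. That is presumably what the TF-M secure build relies on, but a non-secure target that does not inherit `DOMAIN_NS=1` would get the secure client configuration without any diagnostic. I would add a comment above the `#if` stating that `DOMAIN_NS` is expected to come from the non-secure build (presumably through `tfm_api_ns`) and that its absence selects the secure configuration. Only the keyword_detection copy of this header is changed in the visible diff, although `TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH` for freertos_iot_libraries_tests points at that application's own `aws_mbedtls_config.h`; it is worth checking that file has the same guard.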
@@ -1175,7 +1181,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM +#if defined( PSA_CRYPTO_IMPLEMENTATION_TFM ) || defined( PSA_CRYPTO_TFM_SECURE_CONFIG ) #define MBEDTLS_PSA_CRYPTO_CLIENT #endif @@ -1775,7 +1781,9 @@ void mbedtls_platform_free( void * ptr ); * This feature is still experimental and is not ready for production since * it is not completed. */ -/*#define MBEDTLS_PSA_CRYPTO_CONFIG */ +#ifdef PSA_CRYPTO_TFM_SECURE_CONFIG + #define MBEDTLS_PSA_CRYPTO_CONFIG +#endif /** * \def MBEDTLS_VERSION_FEATURES diff --git a/applications/keyword_detection/tests/corstone300_model_pass_output.log b/applications/keyword_detection/tests/corstone300_model_pass_output.log index 83512f37..da1aa56c 100644 --- a/applications/keyword_detection/tests/corstone300_model_pass_output.log +++ b/applications/keyword_detection/tests/corstone300_model_pass_output.log @@ -1,12 +1,12 @@ Waiting for provisioning bundle Running provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 ML Model Component (ID 2) version=0.0.11 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 ML Model Component (ID 2) version=0.0.42 ML interface initialised diff --git a/applications/keyword_detection/tests/corstone300_pass_output.log b/applications/keyword_detection/tests/corstone300_pass_output.log index efec65fa..dee3d71f 100644 --- a/applications/keyword_detection/tests/corstone300_pass_output.log +++ b/applications/keyword_detection/tests/corstone300_pass_output.log 
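Review bot: `MBEDTLS_PSA_CRYPTO_CONFIG` is now enabled under `PSA_CRYPTO_TFM_SECURE_CONFIG`, but the doc comment directly above it still describes the feature as experimental and not ready for production. A short comment on the new `#ifdef`, explaining why the secure-side client configuration needs it, would stop the next reader from treating it as a mistake or removing it. The doc block starts outside the hunk, so only its last lines are visible here.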
@@ -1,11 +1,11 @@ Waiting for provisioning bundle Running provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 ML interface initialised ML_HEARD_ON diff --git a/applications/keyword_detection/tests/corstone310_model_pass_output.log b/applications/keyword_detection/tests/corstone310_model_pass_output.log index 83512f37..da1aa56c 100644 --- a/applications/keyword_detection/tests/corstone310_model_pass_output.log +++ b/applications/keyword_detection/tests/corstone310_model_pass_output.log @@ -1,12 +1,12 @@ Waiting for provisioning bundle Running provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 ML Model Component (ID 2) version=0.0.11 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 ML Model Component (ID 2) version=0.0.42 ML interface initialised diff --git a/applications/keyword_detection/tests/corstone310_pass_output.log b/applications/keyword_detection/tests/corstone310_pass_output.log index efec65fa..dee3d71f 100644 --- a/applications/keyword_detection/tests/corstone310_pass_output.log +++ b/applications/keyword_detection/tests/corstone310_pass_output.log 
@@ -1,11 +1,11 @@ Waiting for provisioning bundle Running provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 ML interface initialised ML_HEARD_ON diff --git a/applications/keyword_detection/tests/corstone315_model_pass_output.log b/applications/keyword_detection/tests/corstone315_model_pass_output.log index b71ac69e..7cbd4692 100644 --- a/applications/keyword_detection/tests/corstone315_model_pass_output.log +++ b/applications/keyword_detection/tests/corstone315_model_pass_output.log @@ -1,12 +1,12 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 ML Model Component (ID 2) version=0.0.11 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 ML Model Component (ID 2) version=0.0.42 ML interface initialised diff --git a/applications/keyword_detection/tests/corstone315_pass_output.log b/applications/keyword_detection/tests/corstone315_pass_output.log index 07ea45ea..780e5932 100644 --- a/applications/keyword_detection/tests/corstone315_pass_output.log +++ b/applications/keyword_detection/tests/corstone315_pass_output.log 
@@ -1,11 +1,11 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 ML interface initialised ML_HEARD_ON diff --git a/applications/keyword_detection/tests/corstone320_model_pass_output.log b/applications/keyword_detection/tests/corstone320_model_pass_output.log index b71ac69e..7cbd4692 100644 --- a/applications/keyword_detection/tests/corstone320_model_pass_output.log +++ b/applications/keyword_detection/tests/corstone320_model_pass_output.log @@ -1,12 +1,12 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 ML Model Component (ID 2) version=0.0.11 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 ML Model Component (ID 2) version=0.0.42 ML interface initialised diff --git a/applications/keyword_detection/tests/corstone320_pass_output.log b/applications/keyword_detection/tests/corstone320_pass_output.log index 07ea45ea..780e5932 100644 --- a/applications/keyword_detection/tests/corstone320_pass_output.log +++ b/applications/keyword_detection/tests/corstone320_pass_output.log 
@@ -1,11 +1,11 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 ML interface initialised ML_HEARD_ON diff --git a/applications/object_detection/CMakeLists.txt b/applications/object_detection/CMakeLists.txt index 82a271f8..27514f70 100644 --- a/applications/object_detection/CMakeLists.txt +++ b/applications/object_detection/CMakeLists.txt @@ -4,6 +4,8 @@ cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR) +# NS target name the TF-M api_ns CMakeLists.txt uses +set(NS_TARGET_NAME object-detection) set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS)") set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)") set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/object_detection" CACHE STRING "Path to the application folder") @@ -22,10 +24,8 @@ set(AWS_OTA_SIGNATURE_TYPE "RSA-3072" CACHE STRING "Supported algorithms for si # Because of this, if only PATCH version is changed then the OTA will be rejected # due to same firmware version. # We will therefore change the build version from TF-M. -set(MCUBOOT_IMAGE_VERSION_NS "0.0.1+10") -set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.1+20") -set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Total number of firmware images") -set(DEFAULT_MCUBOOT_FLASH_MAP ON) +# MCUBOOT_IMAGE_VERSION_NS is passed to the TF-M build in TfmInitialCache.cmake +set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.20+0") if (${ML_INFERENCE_ENGINE} STREQUAL "ETHOS") set(ETHOS_U_NPU_ENABLED ON) 
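Review bot: The retained comment above `set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.20+0")` in the `@@ -22,10 +24,8 @@` hunk of applications/object_detection/CMakeLists.txt still says the build version is what gets changed. The new values put the difference in the third field instead (`0.0.10+0` in TfmInitialCache.cmake versus `0.0.20+0` here) and leave the `+build` field at 0. The start of that comment is outside the hunk, so it may need more than a one-word fix, but its last sentence should name the field that now distinguishes the update image. The base and update versions now live in two files, and the comment indicates an OTA with an unchanged version is rejected, so I would add `# Must be greater than MCUBOOT_IMAGE_VERSION_NS set in TfmInitialCache.cmake` next to this line. The speech_recognition hunk drops the old definition without adding even the pointer to TfmInitialCache.cmake.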
@@ -36,31 +36,15 @@ endif() set(ML_USE_CASE "object_detection") set(ML_MODEL "GenerateObjectDetectionModel") set(ML_USE_CASE_RESOURCES_FILE "${CMAKE_CURRENT_LIST_DIR}/resources/use_case_resources.json") -set(TFM_PLATFORM_UPGRADE_STRATEGY "SWAP_USING_SCRATCH") -set(TFM_PLATFORM_CONFIRM_IMAGE ON) - -# Trusted Firmware-M setup -set(TFM_CMAKE_APP_ARGS - -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/object_detection/configs/tfm_config/project_config.h - -DMCUBOOT_CONFIRM_IMAGE=${TFM_PLATFORM_CONFIRM_IMAGE} - -DMCUBOOT_UPGRADE_STRATEGY=${TFM_PLATFORM_UPGRADE_STRATEGY} - -DMCUBOOT_IMAGE_VERSION_NS=${MCUBOOT_IMAGE_VERSION_NS} - -DCONFIG_TFM_HALT_ON_CORE_PANIC=ON - -DMCUBOOT_DATA_SHARING=ON - -DPLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT=ON - -DTFM_PARTITION_FIRMWARE_UPDATE=ON - -DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_INFO -) -project(object-detection LANGUAGES C CXX) +# Toolchain file has to be included before the very first project() call +include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake) -# Set global optimization level to reduce code size while keeping the debug experience. -if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") - add_compile_options(-Og) -elseif(${CMAKE_C_COMPILER_ID} STREQUAL "ARMClang") - add_compile_options(-O1) -endif() +project(object-detection LANGUAGES C CXX) + +set_compiler_and_linker_flags() +include(${CONFIG_SPE_PATH}/config/cp_check.cmake) add_subdirectory(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR} ${CMAKE_BINARY_DIR}/iot_reference_arm_corstone3xx) @@ -81,6 +65,7 @@ add_executable(object-detection blink_task.c main.c ml_interface.cc + ${CONFIG_SPE_PATH}/interface/src/os_wrapper/tfm_ns_interface_rtos.c ) target_include_directories(object-detection 
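Review bot: `include(${CONFIG_SPE_PATH}/config/cp_check.cmake)` in the `@@ -36,31 +36,15 @@` hunk executes a script from a path that nothing in this file checks. If `CONFIG_SPE_PATH` is empty the path collapses to `/config/cp_check.cmake`, and the same variable later supplies a source file to `add_executable` and the signing layout path. TfmNsToolchain.cmake may already validate it, but that file is not shown here. If it does not, I would add `if(NOT IS_DIRECTORY "${CONFIG_SPE_PATH}")`, `message(FATAL_ERROR "CONFIG_SPE_PATH is not a directory: ${CONFIG_SPE_PATH}")`, `endif()` before the include and quote the expansion. The speech_recognition CMakeLists.txt has the same lines.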
@@ -106,10 +91,6 @@ target_compile_definitions(arm-corstone-platform-bsp RTE_USART1=1 ) -# Trusted Firmware-M must be built before the application, because -# the application depends on the NS interface and the BL2 signing scripts, -# both of which are generated as parts of the Trusted Firmware-M build process. -add_dependencies(object-detection trusted_firmware-m-build) # The provision data must be built before the application because # it provides credentials to connect to AWS. add_dependencies(object-detection provisioning_data_bin) @@ -132,11 +113,13 @@ target_link_libraries(object-detection mbedtls ota-update provisioning-lib - tfm-ns-interface + tfm_api_ns toolchain-override object_detection_api object_detection_model helpers-logging + # FRI always uses TrustZone + tfm_api_ns_tz ) include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/bsp/cmake/SetLinkerOptions.cmake) @@ -144,8 +127,6 @@ set_linker_script(object-detection) list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake) include(ConvertElfToBin) -include(ExternalProject) -ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR) extract_sections_from_axf( object-detection 
@@ -153,15 +134,18 @@ extract_sections_from_axf( OUTPUT_BIN_NAME "ns_image" ) -# The non-secure application image should be padded while being signed -# Hence, passing "TRUE" as the input parameter to the pad option of sign function. -iot_reference_arm_corstone3xx_tf_m_sign_image( - object-detection - "ns_image" - object-detection_signed - ${MCUBOOT_IMAGE_VERSION_NS} - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o" - TRUE +# Copy the binary flash content to the location expected by default signing +# Signing is implemented in the exported TF-M NS CMakeLists.txt (in the +# ${CONFIG_SPE_PATH} directory) +add_custom_target(object-detection_bin + SOURCES ${CMAKE_BINARY_DIR}/object-detection.bin + DEPENDS object-detection +) +add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/object-detection.bin + DEPENDS object-detection + COMMAND ${CMAKE_COMMAND} + -E copy ${SECTORS_BIN_DIR}/ns_image.bin + ${CMAKE_BINARY_DIR}/object-detection.bin ) # The update image is not padded to fill the whole slot (no --pad), because @@ -173,7 +157,7 @@ iot_reference_arm_corstone3xx_tf_m_sign_image( "ns_image" object-detection-update_signed ${MCUBOOT_IMAGE_VERSION_NS_UPDATE} - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o" + "${CONFIG_SPE_PATH}/image_signing/layout_files/signing_layout_ns.o" FALSE ) diff --git a/applications/object_detection/TfmInitialCache.cmake b/applications/object_detection/TfmInitialCache.cmake new file mode 100644 index 00000000..772465c4 --- /dev/null +++ b/applications/object_detection/TfmInitialCache.cmake 
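Review bot: The new `add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/object-detection.bin ...)` in the `@@ -153,15 +134,18 @@` hunk copies `${SECTORS_BIN_DIR}/ns_image.bin` but lists only the `object-detection` target in `DEPENDS`. The build graph therefore does not record that the copy depends on `ns_image.bin` itself. How `extract_sections_from_axf` produces that file is not visible here; unless it is a post-build step of the executable, the file handed to the signing step can be stale or missing. I would make the command depend on whatever rule or target generates `ns_image.bin`, and add `VERBATIM` so argument escaping is not platform-dependent. The speech_recognition CMakeLists.txt repeats the pattern with `speech-recognition.bin`.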
@@ -0,0 +1,19 @@ +# Copyright 2025 Arm Limited and/or its affiliates +# +# SPDX-License-Identifier: MIT + +include(${ROOT}/cmake/TfmInitialCacheCommon.cmake) + +set(TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH "${ROOT}/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h" CACHE FILEPATH "TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH" FORCE) +set(PROJECT_CONFIG_HEADER_FILE ${ROOT}/applications/object_detection/configs/tfm_config/project_config.h CACHE FILEPATH "PROJECT_CONFIG_HEADER_FILE" FORCE) +set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE) +set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL "DEFAULT_MCUBOOT_FLASH_MAP" FORCE) +set(MCUBOOT_UPGRADE_STRATEGY "SWAP_USING_SCRATCH" CACHE STRING "MCUBOOT_UPGRADE_STRATEGY" FORCE) +set(MCUBOOT_IMAGE_VERSION_NS "0.0.10+0" CACHE STRING "MCUBOOT_IMAGE_VERSION_NS" FORCE) +set(CONFIG_TFM_HALT_ON_CORE_PANIC ON CACHE BOOL "CONFIG_TFM_HALT_ON_CORE_PANIC" FORCE) +set(MCUBOOT_DATA_SHARING ON CACHE BOOL "MCUBOOT_DATA_SHARING" FORCE) +set(PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT ON CACHE BOOL "PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT" FORCE) +set(TFM_PARTITION_FIRMWARE_UPDATE ON CACHE BOOL "TFM_PARTITION_FIRMWARE_UPDATE" FORCE) +set(TFM_PARTITION_LOG_LEVEL TFM_PARTITION_LOG_LEVEL_INFO CACHE STRING "TFM_PARTITION_LOG_LEVEL" FORCE) +set(CONFIG_TFM_ENABLE_MVE ON CACHE STRING "CONFIG_TFM_ENABLE_MVE" FORCE) +set(CONFIG_TFM_ENABLE_MVE_FP ON CACHE STRING "CONFIG_TFM_ENABLE_MVE_FP" FORCE) diff --git a/applications/object_detection/configs/freertos_config/CMakeLists.txt b/applications/object_detection/configs/freertos_config/CMakeLists.txt index 371b4b20..1ca8686d 100644 --- a/applications/object_detection/configs/freertos_config/CMakeLists.txt +++ b/applications/object_detection/configs/freertos_config/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023-2024, Arm Limited and/or its affiliates +# Copyright 2023-2025, Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT 
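Review bot: The removed `TFM_CMAKE_APP_ARGS` list passed `-DMCUBOOT_CONFIRM_IMAGE=${TFM_PLATFORM_CONFIRM_IMAGE}` (set to ON) to the TF-M build. The new applications/object_detection/TfmInitialCache.cmake (the `@@ -0,0 +1,19 @@` hunk) carries over every other entry of that list but not this one. Unless `TfmInitialCacheCommon.cmake`, which is not shown, sets it, the secure build falls back to TF-M's default and image confirmation after an update may behave differently from before. If that is unintended, add `set(MCUBOOT_CONFIRM_IMAGE ON CACHE BOOL "MCUBOOT_CONFIRM_IMAGE" FORCE)`; the speech_recognition TfmInitialCache.cmake has the same gap. Separately, `CONFIG_TFM_ENABLE_MVE` and `CONFIG_TFM_ENABLE_MVE_FP` are typed `STRING` while holding `ON`, where `BOOL` would match the other switches in the file.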
@@ -14,6 +14,6 @@ target_compile_definitions(freertos_config target_link_libraries(freertos_config INTERFACE - tfm-ns-interface + tfm_api_ns app-config ) diff --git a/applications/object_detection/configs/mbedtls_config/CMakeLists.txt b/applications/object_detection/configs/mbedtls_config/CMakeLists.txt index a3d55dd6..3fc4ae01 100644 --- a/applications/object_detection/configs/mbedtls_config/CMakeLists.txt +++ b/applications/object_detection/configs/mbedtls_config/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023-2024, Arm Limited and/or its affiliates +# Copyright 2023-2025, Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -7,11 +7,6 @@ target_include_directories(mbedtls-config . ) -target_compile_definitions(mbedtls-config - INTERFACE - MBEDTLS_CONFIG_FILE="aws_mbedtls_config.h" -) - target_link_libraries(mbedtls-config INTERFACE freertos_kernel diff --git a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h index 2168f274..0fe01868 100644 --- a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -11,7 +11,7 @@ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 - * Copyright 2024 Arm Limited and/or its affiliates + * Copyright 2024-2025 Arm Limited and/or its affiliates * * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -27,6 +27,11 @@ * limitations under the License. */ +#ifndef DOMAIN_NS + /* Set if this config file is currently used for TF-M secure clients */ + #define PSA_CRYPTO_TFM_SECURE_CONFIG +#endif /* DOMAIN_NS == 1 */ + /** * This is an optional version symbol that enables compatibility handling of * config files. 
@@ -1158,7 +1163,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM +#if defined( PSA_CRYPTO_IMPLEMENTATION_TFM ) || defined( PSA_CRYPTO_TFM_SECURE_CONFIG ) #define MBEDTLS_PSA_CRYPTO_CLIENT #endif @@ -1758,7 +1763,9 @@ void mbedtls_platform_free( void * ptr ); * This feature is still experimental and is not ready for production since * it is not completed. */ -/*#define MBEDTLS_PSA_CRYPTO_CONFIG */ +#ifdef PSA_CRYPTO_TFM_SECURE_CONFIG + #define MBEDTLS_PSA_CRYPTO_CONFIG +#endif /** * \def MBEDTLS_VERSION_FEATURES diff --git a/applications/object_detection/tests/corstone300_pass_output.log b/applications/object_detection/tests/corstone300_pass_output.log index b1c3f71d..d55646d2 100644 --- a/applications/object_detection/tests/corstone300_pass_output.log +++ b/applications/object_detection/tests/corstone300_pass_output.log @@ -1,11 +1,11 @@ Waiting for provisioning bundle Running provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 Complete recognition: Detected faces: 2 Complete recognition: Detected faces: 2 diff --git a/applications/object_detection/tests/corstone310_pass_output.log b/applications/object_detection/tests/corstone310_pass_output.log index b1c3f71d..d55646d2 100644 --- a/applications/object_detection/tests/corstone310_pass_output.log +++ b/applications/object_detection/tests/corstone310_pass_output.log 
@@ -1,11 +1,11 @@ Waiting for provisioning bundle Running provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 Complete recognition: Detected faces: 2 Complete recognition: Detected faces: 2 diff --git a/applications/object_detection/tests/corstone315_pass_output.log b/applications/object_detection/tests/corstone315_pass_output.log index 7e8fe031..8b6d709d 100644 --- a/applications/object_detection/tests/corstone315_pass_output.log +++ b/applications/object_detection/tests/corstone315_pass_output.log @@ -1,11 +1,11 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 Complete recognition: Detected faces: 2 Complete recognition: Detected faces: 2 diff --git a/applications/object_detection/tests/corstone320_pass_output.log b/applications/object_detection/tests/corstone320_pass_output.log index 7e8fe031..8b6d709d 100644 --- a/applications/object_detection/tests/corstone320_pass_output.log +++ b/applications/object_detection/tests/corstone320_pass_output.log 
@@ -1,11 +1,11 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 Complete recognition: Detected faces: 2 Complete recognition: Detected faces: 2 diff --git a/applications/speech_recognition/CMakeLists.txt b/applications/speech_recognition/CMakeLists.txt index 9ed0546c..f5eb5ae9 100644 --- a/applications/speech_recognition/CMakeLists.txt +++ b/applications/speech_recognition/CMakeLists.txt @@ -4,6 +4,8 @@ cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR) +# NS target name the TF-M api_ns CMakeLists.txt uses +set(NS_TARGET_NAME speech-recognition) set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine (ETHOS)") set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)") set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/speech_recognition" CACHE STRING "Path to the application folder") @@ -22,10 +24,7 @@ set(AWS_OTA_SIGNATURE_TYPE "RSA-3072" CACHE STRING "Supported algorithms for si # Because of this, if only PATCH version is changed then the OTA will be rejected # due to same firmware version. # We will therefore change the build version from TF-M. -set(MCUBOOT_IMAGE_VERSION_NS "0.0.1+10") -set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.1+20") -set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Total number of firmware images") -set(DEFAULT_MCUBOOT_FLASH_MAP ON) +set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.20+0") if (${ML_INFERENCE_ENGINE} STREQUAL "ETHOS") set(ETHOS_U_NPU_ENABLED ON) 
@@ -36,31 +35,14 @@ endif() set(ML_USE_CASE "asr") set(ML_MODEL "GenerateASRModel") set(ML_USE_CASE_RESOURCES_FILE "${CMAKE_CURRENT_LIST_DIR}/resources/use_case_resources.json") -set(TFM_PLATFORM_UPGRADE_STRATEGY "SWAP_USING_SCRATCH") -set(TFM_PLATFORM_CONFIRM_IMAGE ON) - -# Trusted Firmware-M setup -set(TFM_CMAKE_APP_ARGS - -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/speech_recognition/configs/tfm_config/project_config.h - -DMCUBOOT_CONFIRM_IMAGE=${TFM_PLATFORM_CONFIRM_IMAGE} - -DMCUBOOT_UPGRADE_STRATEGY=${TFM_PLATFORM_UPGRADE_STRATEGY} - -DMCUBOOT_IMAGE_VERSION_NS=${MCUBOOT_IMAGE_VERSION_NS} - -DCONFIG_TFM_HALT_ON_CORE_PANIC=ON - -DMCUBOOT_DATA_SHARING=ON - -DPLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT=ON - -DTFM_PARTITION_FIRMWARE_UPDATE=ON - -DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_INFO -) -project(speech-recognition LANGUAGES C CXX) +# Toolchain file has to be included before the very first project() call +include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake) -# Set global optimization level to reduce code size while keeping the debug experience. -if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") - add_compile_options(-Og) -elseif(${CMAKE_C_COMPILER_ID} STREQUAL "ARMClang") - add_compile_options(-O1) -endif() +project(speech-recognition LANGUAGES C CXX) +set_compiler_and_linker_flags() +include(${CONFIG_SPE_PATH}/config/cp_check.cmake) add_subdirectory(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR} ${CMAKE_BINARY_DIR}/iot_reference_arm_corstone3xx) @@ -85,6 +67,7 @@ add_executable(speech-recognition main.c ml_interface.cc model_config.cc + ${CONFIG_SPE_PATH}/interface/src/os_wrapper/tfm_ns_interface_rtos.c ) target_include_directories(speech-recognition 
@@ -136,10 +119,6 @@ target_compile_options(speech-recognition $<$:-std=c99> ) -# Trusted Firmware-M must be built before the application, because -# the application depends on the NS interface and the BL2 signing scripts, -# both of which are generated as parts of the Trusted Firmware-M build process. -add_dependencies(speech-recognition trusted_firmware-m-build) # The provision data must be built before the application because # it provides credentials to connect to AWS. add_dependencies(speech-recognition provisioning_data_bin) @@ -159,11 +138,13 @@ target_link_libraries(speech-recognition ota-update provisioning-lib speexdsp - tfm-ns-interface + tfm_api_ns toolchain-override asr_api asr_model helpers-logging + # FRI always uses TrustZone + tfm_api_ns_tz ) include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/bsp/cmake/SetLinkerOptions.cmake) @@ -171,8 +152,6 @@ set_linker_script(speech-recognition) list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake) include(ConvertElfToBin) -include(ExternalProject) -ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR) extract_sections_from_axf( speech-recognition 
@@ -180,16 +159,20 @@ extract_sections_from_axf( OUTPUT_BIN_NAME "ns_image" ) -# The non-secure application image should be padded while being signed -# Hence, passing "TRUE" as the input parameter to the pad option of sign function. -iot_reference_arm_corstone3xx_tf_m_sign_image( - speech-recognition - "ns_image" - speech-recognition_signed - ${MCUBOOT_IMAGE_VERSION_NS} - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o" - TRUE +# Copy the binary flash content to the location expected by default signing +# Signing is implemented in the exported TF-M NS CMakeLists.txt (in the +# ${CONFIG_SPE_PATH} directory) +add_custom_target(speech-recognition_bin + SOURCES ${CMAKE_BINARY_DIR}/speech-recognition.bin + DEPENDS speech-recognition ) +add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/speech-recognition.bin + DEPENDS speech-recognition + COMMAND ${CMAKE_COMMAND} + -E copy ${SECTORS_BIN_DIR}/ns_image.bin + ${CMAKE_BINARY_DIR}/speech-recognition.bin +) + # The update image is not padded to fill the whole slot (no --pad), because # 1) the image to download is smaller without padding @@ -200,7 +183,7 @@ iot_reference_arm_corstone3xx_tf_m_sign_image( "ns_image" speech-recognition-update_signed ${MCUBOOT_IMAGE_VERSION_NS_UPDATE} - "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o" + "${CONFIG_SPE_PATH}/image_signing/layout_files/signing_layout_ns.o" FALSE ) diff --git a/applications/speech_recognition/TfmInitialCache.cmake b/applications/speech_recognition/TfmInitialCache.cmake new file mode 100644 index 00000000..cc2e1787 --- /dev/null +++ b/applications/speech_recognition/TfmInitialCache.cmake 
@@ -0,0 +1,20 @@ +# Copyright 2025 Arm Limited and/or its affiliates +# +# SPDX-License-Identifier: MIT + +include(${ROOT}/cmake/TfmInitialCacheCommon.cmake) + +set(TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH "${ROOT}/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h" CACHE FILEPATH "TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH" FORCE) + +set(PROJECT_CONFIG_HEADER_FILE ${ROOT}/applications/speech_recognition/configs/tfm_config/project_config.h CACHE FILEPATH "PROJECT_CONFIG_HEADER_FILE" FORCE) +set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE) +set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL "DEFAULT_MCUBOOT_FLASH_MAP" FORCE) +set(MCUBOOT_UPGRADE_STRATEGY "SWAP_USING_SCRATCH" CACHE STRING "MCUBOOT_UPGRADE_STRATEGY" FORCE) +set(MCUBOOT_IMAGE_VERSION_NS "0.0.10+0" CACHE STRING "MCUBOOT_IMAGE_VERSION_NS" FORCE) +set(CONFIG_TFM_HALT_ON_CORE_PANIC ON CACHE BOOL "CONFIG_TFM_HALT_ON_CORE_PANIC" FORCE) +set(MCUBOOT_DATA_SHARING ON CACHE BOOL "MCUBOOT_DATA_SHARING" FORCE) +set(PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT ON CACHE BOOL "PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT" FORCE) +set(TFM_PARTITION_FIRMWARE_UPDATE ON CACHE BOOL "TFM_PARTITION_FIRMWARE_UPDATE" FORCE) +set(TFM_PARTITION_LOG_LEVEL TFM_PARTITION_LOG_LEVEL_INFO CACHE STRING "TFM_PARTITION_LOG_LEVEL" FORCE) +set(CONFIG_TFM_ENABLE_MVE ON CACHE STRING "CONFIG_TFM_ENABLE_MVE" FORCE) +set(CONFIG_TFM_ENABLE_MVE_FP ON CACHE STRING "CONFIG_TFM_ENABLE_MVE_FP" FORCE) diff --git a/applications/speech_recognition/configs/freertos_config/CMakeLists.txt b/applications/speech_recognition/configs/freertos_config/CMakeLists.txt index cdc1dc88..0a595fb2 100644 --- a/applications/speech_recognition/configs/freertos_config/CMakeLists.txt +++ b/applications/speech_recognition/configs/freertos_config/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT 
@@ -14,6 +14,6 @@ target_compile_definitions(freertos_config target_link_libraries(freertos_config INTERFACE - tfm-ns-interface + tfm_api_ns app-config ) diff --git a/applications/speech_recognition/configs/mbedtls_config/CMakeLists.txt b/applications/speech_recognition/configs/mbedtls_config/CMakeLists.txt index d52c4da1..38dc7fb1 100644 --- a/applications/speech_recognition/configs/mbedtls_config/CMakeLists.txt +++ b/applications/speech_recognition/configs/mbedtls_config/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -7,11 +7,6 @@ target_include_directories(mbedtls-config . ) -target_compile_definitions(mbedtls-config - INTERFACE - MBEDTLS_CONFIG_FILE="aws_mbedtls_config.h" -) - target_link_libraries(mbedtls-config INTERFACE freertos_kernel diff --git a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h index 2168f274..0fe01868 100644 --- a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h @@ -11,7 +11,7 @@ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 - * Copyright 2024 Arm Limited and/or its affiliates + * Copyright 2024-2025 Arm Limited and/or its affiliates * * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -27,6 +27,11 @@ * limitations under the License. */ +#ifndef DOMAIN_NS + /* Set if this config file is currently used for TF-M secure clients */ + #define PSA_CRYPTO_TFM_SECURE_CONFIG +#endif /* DOMAIN_NS == 1 */ + /** * This is an optional version symbol that enables compatibility handling of * config files. 
@@ -1158,7 +1163,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM +#if defined( PSA_CRYPTO_IMPLEMENTATION_TFM ) || defined( PSA_CRYPTO_TFM_SECURE_CONFIG ) #define MBEDTLS_PSA_CRYPTO_CLIENT #endif @@ -1758,7 +1763,9 @@ void mbedtls_platform_free( void * ptr ); * This feature is still experimental and is not ready for production since * it is not completed. */ -/*#define MBEDTLS_PSA_CRYPTO_CONFIG */ +#ifdef PSA_CRYPTO_TFM_SECURE_CONFIG + #define MBEDTLS_PSA_CRYPTO_CONFIG +#endif /** * \def MBEDTLS_VERSION_FEATURES diff --git a/applications/speech_recognition/tests/corstone300_pass_output.log b/applications/speech_recognition/tests/corstone300_pass_output.log index 3788b1c5..7d9c447d 100644 --- a/applications/speech_recognition/tests/corstone300_pass_output.log +++ b/applications/speech_recognition/tests/corstone300_pass_output.log @@ -1,11 +1,11 @@ Waiting for provisioning bundle Running provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 Init speex ML interface initialised diff --git a/applications/speech_recognition/tests/corstone310_pass_output.log b/applications/speech_recognition/tests/corstone310_pass_output.log index 3788b1c5..7d9c447d 100644 --- a/applications/speech_recognition/tests/corstone310_pass_output.log +++ b/applications/speech_recognition/tests/corstone310_pass_output.log 
@@ -1,11 +1,11 @@ Waiting for provisioning bundle Running provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 Init speex ML interface initialised diff --git a/applications/speech_recognition/tests/corstone315_pass_output.log b/applications/speech_recognition/tests/corstone315_pass_output.log index cb995a04..9e830fed 100644 --- a/applications/speech_recognition/tests/corstone315_pass_output.log +++ b/applications/speech_recognition/tests/corstone315_pass_output.log @@ -1,11 +1,11 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 Init speex ML interface initialised diff --git a/applications/speech_recognition/tests/corstone320_pass_output.log b/applications/speech_recognition/tests/corstone320_pass_output.log index cb995a04..9e830fed 100644 --- a/applications/speech_recognition/tests/corstone320_pass_output.log +++ b/applications/speech_recognition/tests/corstone320_pass_output.log 
@@ -1,11 +1,11 @@ Waiting for DM provisioning bundle Running DM provisioning bundle -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.10 Starting bootloader -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 PSA Framework version is: 257 -Secure Component (ID 0) version=2.1.0 +Secure Component (ID 0) version=2.1.1 Non-Secure Component (ID 1) version=0.0.20 Init speex ML interface initialised diff --git a/bsp/CMakeLists.txt b/bsp/CMakeLists.txt index 574fa268..c1d4fbbe 100644 --- a/bsp/CMakeLists.txt +++ b/bsp/CMakeLists.txt 
@@ -43,22 +43,18 @@ target_compile_definitions(arm-corstone-platform-bsp ) if(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone300") - set(TFM_PLATFORM_LOCAL_PATH "arm/mps3/corstone300/fvp" CACHE STRING "TFM Platform local path") - set(TFM_FLASH_S_PARTITION_SIZE "0x40000") # These variables are only defined in case of building keyword_detection application with GNU toolchain # as it is currently the only application that utilises the ML Model component OTA update feature # where these variables are needed. if((${APPLICATION_PATH} MATCHES ".*keyword_detection") AND (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")) - set(TFM_FLASH_NS_PARTITION_SIZE "0x240000") - set(TFM_FLASH_NS_ML_MODEL_PARTITION_SIZE "0x100000") set(NS_DDR4_IMAGE_LOAD_ADDRESS 0x60100000 CACHE STRING "Non-Secure Double Data Rate RAM image loading address") set(NS_ML_MODEL_IMAGE_LOAD_ADDRESS 0x28280000 CACHE STRING "Non-Secure ML model image loading address") set(NS_ML_MODEL_IMAGE_EXECUTION_ADDRESS 0x60000000 CACHE STRING "Non-Secure ML model image runtime address") set(NS_ML_MODEL_IMAGE_SIZE 0x100000 CACHE STRING "Non-Secure ML model image size") else() - set(TFM_FLASH_NS_PARTITION_SIZE "0x340000") set(NS_DDR4_IMAGE_LOAD_ADDRESS 0x60000000 CACHE STRING "Non-Secure Double Data Rate RAM image loading address") endif() + set(BL2_IMAGE_LOAD_ADDRESS 0x00000000 CACHE STRING "Bootload image loading address") set(S_IMAGE_LOAD_ADDRESS 0x38000000 CACHE STRING "Secure TF-M firmware loading address") set(NS_IMAGE_LOAD_ADDRESS 0x28040000 CACHE STRING "Non-secure user application loading address") 
@@ -82,20 +78,15 @@ if(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone300") "ethos-u65-512" ) elseif(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone310") - set(TFM_PLATFORM_LOCAL_PATH "arm/mps3/corstone310/fvp" CACHE STRING "TFM Platform local path") - set(TFM_FLASH_S_PARTITION_SIZE "0x40000") # These variables are only defined in case of building keyword_detection application with GNU toolchain # as it is currently the only application that utilises the ML Model component OTA update feature # where these variables are needed. if((${APPLICATION_PATH} MATCHES ".*keyword_detection") AND (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")) - set(TFM_FLASH_NS_PARTITION_SIZE "0x240000") - set(TFM_FLASH_NS_ML_MODEL_PARTITION_SIZE "0x100000") set(NS_DDR4_IMAGE_LOAD_ADDRESS 0x60100000 CACHE STRING "Non-Secure Double Data Rate RAM image loading address") set(NS_ML_MODEL_IMAGE_LOAD_ADDRESS 0x28280000 CACHE STRING "Non-Secure ML model image loading address") set(NS_ML_MODEL_IMAGE_EXECUTION_ADDRESS 0x60000000 CACHE STRING "Non-Secure ML model image runtime address") set(NS_ML_MODEL_IMAGE_SIZE 0x100000 CACHE STRING "Non-Secure ML model image size") else() - set(TFM_FLASH_NS_PARTITION_SIZE "0x340000") set(NS_DDR4_IMAGE_LOAD_ADDRESS 0x60000000 CACHE STRING "Non-Secure Double Data Rate RAM image loading address") endif() 
@@ -122,20 +113,15 @@ elseif(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone310") "ethos-u65-512" ) elseif(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone315") - set(TFM_PLATFORM_LOCAL_PATH "arm/mps4/corstone315" CACHE STRING "TFM Platform local path") - set(TFM_FLASH_S_PARTITION_SIZE "0x40000") # These variables are only defined in case of building keyword_detection application with GNU toolchain # as it is currently the only application that utilises the ML Model component OTA update feature # where these variables are needed. if((${APPLICATION_PATH} MATCHES ".*keyword_detection") AND (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")) - set(TFM_FLASH_NS_PARTITION_SIZE "0x240000") - set(TFM_FLASH_NS_ML_MODEL_PARTITION_SIZE "0x100000") set(NS_DDR4_IMAGE_LOAD_ADDRESS 0x60100000 CACHE STRING "Non-Secure Double Data Rate RAM image loading address") set(NS_ML_MODEL_IMAGE_LOAD_ADDRESS 0x28280000 CACHE STRING "Non-Secure ML model image loading address") set(NS_ML_MODEL_IMAGE_EXECUTION_ADDRESS 0x60000000 CACHE STRING "Non-Secure ML model image runtime address") set(NS_ML_MODEL_IMAGE_SIZE 0x100000 CACHE STRING "Non-Secure ML model image size") else() - set(TFM_FLASH_NS_PARTITION_SIZE "0x340000") set(NS_DDR4_IMAGE_LOAD_ADDRESS 0x60000000 CACHE STRING "Non-Secure Double Data Rate RAM image loading address") endif() 
@@ -158,28 +144,19 @@ elseif(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone315") "ethos-u65-512" ) - list(APPEND TFM_CMAKE_APP_ARGS - -DTFM_BL1_LOGGING=ON - ) - set(ISP_MVE_FP ON CACHE BOOL "MVE FP is used by ISP driver" FORCE) add_subdirectory(isp_mali-c55) elseif(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone320") - set(TFM_PLATFORM_LOCAL_PATH "arm/mps4/corstone320" CACHE STRING "TFM Platform local path") - set(TFM_FLASH_S_PARTITION_SIZE "0x40000") # These variables are only defined in case of building keyword_detection application with GNU toolchain # as it is currently the only application that utilises the ML Model component OTA update feature # where these variables are needed. if((${APPLICATION_PATH} MATCHES ".*keyword_detection") AND (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")) - set(TFM_FLASH_NS_PARTITION_SIZE "0x240000") - set(TFM_FLASH_NS_ML_MODEL_PARTITION_SIZE "0x100000") set(NS_DDR4_IMAGE_LOAD_ADDRESS 0x60100000 CACHE STRING "Non-Secure Double Data Rate RAM image loading address") set(NS_ML_MODEL_IMAGE_LOAD_ADDRESS 0x28280000 CACHE STRING "Non-Secure ML model image loading address") set(NS_ML_MODEL_IMAGE_EXECUTION_ADDRESS 0x60000000 CACHE STRING "Non-Secure ML model image runtime address") set(NS_ML_MODEL_IMAGE_SIZE 0x100000 CACHE STRING "Non-Secure ML model image size") else() - set(TFM_FLASH_NS_PARTITION_SIZE "0x340000") set(NS_DDR4_IMAGE_LOAD_ADDRESS 0x60000000 CACHE STRING "Non-Secure Double Data Rate RAM image loading address") endif() @@ -205,10 +182,6 @@ elseif(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone320") "ethos-u85-2048" ) - list(APPEND TFM_CMAKE_APP_ARGS - -DTFM_BL1_LOGGING=ON - ) - set(ISP_MVE_FP ON CACHE BOOL "MVE FP is used by ISP driver" FORCE) add_subdirectory(isp_mali-c55) 
@@ -224,40 +197,6 @@ if(NOT ETHOSU_TARGET_NPU_CONFIG IN_LIST VALID_ETHOSU_TARGET_NPU_CONFIGS) "Choose from: ${VALID_ETHOSU_TARGET_NPU_CONFIGS}") endif() -set(ARM_CORSTONE_BSP_TARGET_PLATFORM_TFM_CMAKE_ARGS - -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE} - -DCONFIG_TFM_ENABLE_CP10CP11=ON - -DMCUBOOT_GENERATE_SIGNING_KEYPAIR=ON - -DMCUBOOT_LOG_LEVEL=INFO - -DNS=ON - -DPLATFORM_DEFAULT_PROVISIONING=OFF - -DPLATFORM_DEFAULT_UART_STDOUT=ON - -DTFM_DUMMY_PROVISIONING=OFF - -DTFM_EXCEPTION_INFO_DUMP=ON - -DTFM_PARTITION_CRYPTO=ON - -DTFM_PARTITION_INITIAL_ATTESTATION=ON - -DTFM_PARTITION_INTERNAL_TRUSTED_STORAGE=ON - -DTFM_PARTITION_PLATFORM=ON - -DTFM_PARTITION_PROTECTED_STORAGE=ON - -DTFM_SPM_LOG_LEVEL=TFM_SPM_LOG_LEVEL_INFO - -DTFM_PLATFORM=${TFM_PLATFORM_LOCAL_PATH} - -DFLASH_S_PARTITION_SIZE=${TFM_FLASH_S_PARTITION_SIZE} - -DFLASH_NS_PARTITION_SIZE=${TFM_FLASH_NS_PARTITION_SIZE} - -DMCUBOOT_IMAGE_NUMBER=${MCUBOOT_IMAGE_NUMBER} - -DDEFAULT_MCUBOOT_FLASH_MAP=${DEFAULT_MCUBOOT_FLASH_MAP} - ${TFM_CMAKE_APP_ARGS} - CACHE STRING "TFM CMake arguments" FORCE -) - -# This variable is only defined in case of building keyword_detection application with GNU toolchain -# as it is currently the only application that utilises the ML Model component OTA update feature -# where this variable is needed. -if((${APPLICATION_PATH} MATCHES ".*keyword_detection") AND (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")) - list(APPEND ARM_CORSTONE_BSP_TARGET_PLATFORM_TFM_CMAKE_ARGS - -DFLASH_NS_ML_MODEL_PARTITION_SIZE=${TFM_FLASH_NS_ML_MODEL_PARTITION_SIZE} - ) -endif() - if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") # Execute the command as CMAKE_C_COMPILER_VERSION is not guaranteed to be defined. EXECUTE_PROCESS( COMMAND ${CMAKE_C_COMPILER} -dumpversion OUTPUT_VARIABLE ARM_GNU_TOOLCHAIN_VERSION ) diff --git a/cmake/CompilerFlagsARMCLANG.cmake b/cmake/CompilerFlagsARMCLANG.cmake new file mode 100644 index 00000000..782b0ce7 --- /dev/null +++ b/cmake/CompilerFlagsARMCLANG.cmake 
@@ -0,0 +1,41 @@
+# Copyright 2025 Arm Limited and/or its affiliates
+#
+# SPDX-License-Identifier: MIT
+
+macro(set_compiler_and_linker_flags)
+ # Clear toolchain options for all languages similar to IOTSDK as FRI uses
+ # different initialization options (such as for optimization and debug symbols)
+ # These variables only hold -O, -g and -DNDEBUG options originally
+ set(CMAKE_ASM_FLAGS_DEBUG "-O1 -g" CACHE STRING "" FORCE)
+ set(CMAKE_ASM_FLAGS_RELWITHDEBINFO "-O1 -g" CACHE STRING "" FORCE)
+ set(CMAKE_ASM_FLAGS_RELEASE "-O1" CACHE STRING "" FORCE)
+ set(CMAKE_C_FLAGS_DEBUG "-O1 -g" CACHE STRING "" FORCE)
+ set(CMAKE_C_FLAGS_RELWITHDEBINFO "-O1 -g" CACHE STRING "" FORCE)
+ set(CMAKE_C_FLAGS_RELEASE "-O1" CACHE STRING "" FORCE)
+ set(CMAKE_CXX_FLAGS_DEBUG "-O1 -g" CACHE STRING "" FORCE)
+ set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "-O1 -g" CACHE STRING "" FORCE)
+ set(CMAKE_CXX_FLAGS_RELEASE "-O1" CACHE STRING "" FORCE)
+
+ # Customization of TF-M NS toolchain provided default options
+ # TF-M options that are never added because the TFM_DEBUG_SYMBOLS and
+ # CONFIG_TFM_WARNINGS_ARE_ERRORS variables are not defined during NS build:
+ # $<$,$>:-g>
+ # $<$,$>:-g>
+ # $<$,$>:-Werror>
+ get_property(compile_options DIRECTORY PROPERTY COMPILE_OPTIONS)
+ # TensorFlow Lite Micro is built with the toolchain default -f[no-]short-enums
+ # and -f[no-]short-wchar options
+ list(REMOVE_ITEM compile_options $<$,$>:-fshort-enums>)
+ list(REMOVE_ITEM compile_options $<$,$>:-fshort-wchar>)
+ # This option causes error when linking with TensorFlow Lite Micro
+ list(REMOVE_ITEM compile_options $<$,$>:-nostdlib>)
+ # These options are used to align with previously used Open IOT SDK toolchain flags
+ list(APPEND compile_options $<$:-fno-exceptions>)
+ list(APPEND compile_options $<$:-fno-rtti>)
+ list(APPEND compile_options -mthumb)
+ list(REMOVE_ITEM compile_options $<$:-masm=armasm>)
+ list(APPEND compile_options $<$:-masm=auto>)
+ list(APPEND compile_options $<$:--target=arm-arm-none-eabi>)
+ set_property(DIRECTORY PROPERTY COMPILE_OPTIONS ${compile_options})
+
+endmacro()
diff --git a/cmake/CompilerFlagsGNUARM.cmake b/cmake/CompilerFlagsGNUARM.cmake
new file mode 100644
index 00000000..b0775da9
--- /dev/null
+++ b/cmake/CompilerFlagsGNUARM.cmake
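Review bot: The `list(REMOVE_ITEM compile_options ...)` calls in `set_compiler_and_linker_flags` match the TF-M NS toolchain's entries by exact string, so if TF-M rewords one of those generator expressions the removal silently does nothing and `-fshort-enums`, `-fshort-wchar` or `-nostdlib` stay on the command line. With TensorFlow Lite Micro built on the toolchain defaults, as the comment says, that would presumably show up as an enum or wchar size mismatch between objects rather than as a configure error. I would test each entry first with `if(NOT "<entry>" IN_LIST compile_options)` and emit `message(WARNING ...)` when it is absent. The `-specs=nano.specs` and `-fshort-enums` removals in cmake/CompilerFlagsGNUARM.cmake have the same weakness.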
@@ -0,0 +1,41 @@
+# Copyright 2025 Arm Limited and/or its affiliates
+#
+# SPDX-License-Identifier: MIT
+
+macro(set_compiler_and_linker_flags)
+ # Clear toolchain options for all languages similar to IOTSDK as FRI uses
+ # different initialization options (such as for optimization and debug symbols)
+ # These variables only hold -O, -g and -DNDEBUG options originally
+ set(CMAKE_ASM_FLAGS_DEBUG "-Og -g3" CACHE STRING "" FORCE)
+ set(CMAKE_ASM_FLAGS_RELWITHDEBINFO "-Og -g3" CACHE STRING "" FORCE)
+ set(CMAKE_ASM_FLAGS_RELEASE "-Og" CACHE STRING "" FORCE)
+ set(CMAKE_C_FLAGS_DEBUG "-Og -g3" CACHE STRING "" FORCE)
+ set(CMAKE_C_FLAGS_RELWITHDEBINFO "-Og -g3" CACHE STRING "" FORCE)
+ set(CMAKE_C_FLAGS_RELEASE "-Og" CACHE STRING "" FORCE)
+ set(CMAKE_CXX_FLAGS_DEBUG "-Og -g3" CACHE STRING "" FORCE)
+ set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "-Og -g3" CACHE STRING "" FORCE)
+ set(CMAKE_CXX_FLAGS_RELEASE "-Og" CACHE STRING "" FORCE)
+
+ # Customization of TF-M NS toolchain provided default options
+ # TF-M options that are never added because the TFM_DEBUG_SYMBOLS and
+ # CONFIG_TFM_WARNINGS_ARE_ERRORS variables are not defined during NS build:
+ # $<$,$>:-g>
+ # $<$,$>:-g>
+ # $<$,$>:-Werror>
+ get_property(compile_options DIRECTORY PROPERTY COMPILE_OPTIONS)
+ list(REMOVE_ITEM compile_options "-specs=nano.specs")
+ # TensorFlow Lite Micro is built with the toolchain default -f[no-]short-enums
+ # and -f[no-]short-wchar options
+ list(REMOVE_ITEM compile_options "-fshort-enums")
+ # These options are used to align with previously used Open IOT SDK toolchain flags
+ list(APPEND compile_options "-fomit-frame-pointer")
+ list(APPEND compile_options $<$:-fno-exceptions>)
+ list(APPEND compile_options $<$:-fno-rtti>)
+ set_property(DIRECTORY PROPERTY COMPILE_OPTIONS ${compile_options})
+
+ get_property(link_options DIRECTORY PROPERTY LINK_OPTIONS)
+ # These options are used to align with previously used Open IOT SDK toolchain flags
+ list(REMOVE_ITEM link_options "-specs=nano.specs")
+ set_property(DIRECTORY PROPERTY LINK_OPTIONS ${link_options})
+
+endmacro()
diff --git a/cmake/TfmInitialCacheCommon.cmake b/cmake/TfmInitialCacheCommon.cmake
new file mode 100644
index 00000000..63ea8182
--- /dev/null
+++ b/cmake/TfmInitialCacheCommon.cmake
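Review bot: `set_compiler_and_linker_flags` is declared with `macro()`, so its working variables `compile_options` and `link_options` stay set in the caller's scope after the call. `function()` would keep them local, and the cache writes and `set_property(DIRECTORY ...)` would still act on the calling directory. The macro also has no header comment: I would add one saying it rewrites the directory's compile and link options, and that it overwrites the per-configuration flag cache entries with `FORCE`, which discards values a user passed with `-D`. That comment should also state that the Release entries are forced to `-Og` with no `-DNDEBUG`, which looks deliberate. cmake/CompilerFlagsARMCLANG.cmake has the same shape.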
@@ -0,0 +1,115 @@
+# Copyright 2025 Arm Limited and/or its affiliates
+#
+# SPDX-License-Identifier: MIT
+
+# TF-M patches until long term solution
+set(trusted_firmware-m_SOURCE_DIR ${CMAKE_SOURCE_DIR})
+include(${CMAKE_CURRENT_LIST_DIR}/../tools/cmake/ApplyPatches.cmake)
+
+set(PATCH_FILES_DIRECTORY "${CMAKE_SOURCE_DIR}/../integration/patches")
+set(PATCH_FILES
+ "${PATCH_FILES_DIRECTORY}/0004-build-Enable-armclang-MVE.patch"
+)
+# These patches are only applied in case of building keyword_detection application with GNU toolchain
+# as it is currently the only application that utilises the ML Model component OTA update feature
+# where these patches are needed.
+if((${EXAMPLE} STREQUAL "keyword-detection") AND (${TOOLCHAIN} STREQUAL "GNU"))
+ list(APPEND PATCH_FILES
+ "${PATCH_FILES_DIRECTORY}/0001-corstone300-Add-ML-model-component.patch"
+ "${PATCH_FILES_DIRECTORY}/0002-corstone310-Add-ML-model-component.patch"
+ "${PATCH_FILES_DIRECTORY}/0003-mps4-Add-ML-model-component.patch"
+ )
+endif()
+iot_reference_arm_corstone3xx_apply_patches("${trusted_firmware-m_SOURCE_DIR}" "${PATCH_FILES}")
+
+
+if(TARGET_NAME STREQUAL "corstone300")
+ set(TFM_PLATFORM "arm/mps3/corstone300/fvp" CACHE STRING "TFM Platform local path" FORCE)
+ set(FLASH_S_PARTITION_SIZE "0X40000" CACHE STRING "FLASH_S_PARTITION_SIZE" FORCE)
+
+ # These variables are only defined in case of building keyword_detection application with GNU toolchain
+ # as it is currently the only application that utilises the ML Model component OTA update feature
+ # where these variables are needed.
+ if((${EXAMPLE} STREQUAL "keyword-detection") AND (${TOOLCHAIN} STREQUAL "GNU"))
+ set(FLASH_NS_PARTITION_SIZE "0X240000" CACHE STRING "FLASH_NS_PARTITION_SIZE" FORCE)
+ set(FLASH_NS_ML_MODEL_PARTITION_SIZE "0X100000" CACHE STRING "FLASH_NS_ML_MODEL_PARTITION_SIZE" FORCE)
+ else()
+ set(FLASH_NS_PARTITION_SIZE "0X340000" CACHE STRING "FLASH_NS_PARTITION_SIZE" FORCE)
+ endif()
+
+elseif(TARGET_NAME STREQUAL "corstone310")
+ set(TFM_PLATFORM "arm/mps3/corstone310/fvp" CACHE STRING "TFM Platform local path" FORCE)
+ set(FLASH_S_PARTITION_SIZE "0X40000" CACHE STRING "FLASH_S_PARTITION_SIZE" FORCE)
+
+ # These variables are only defined in case of building keyword_detection application with GNU toolchain
+ # as it is currently the only application that utilises the ML Model component OTA update feature
+ # where these variables are needed.
+ if((${EXAMPLE} STREQUAL "keyword-detection") AND (${TOOLCHAIN} STREQUAL "GNU"))
+ set(FLASH_NS_PARTITION_SIZE "0X240000" CACHE STRING "FLASH_NS_PARTITION_SIZE" FORCE)
+ set(FLASH_NS_ML_MODEL_PARTITION_SIZE "0X100000" CACHE STRING "FLASH_NS_ML_MODEL_PARTITION_SIZE" FORCE)
+ else()
+ set(FLASH_NS_PARTITION_SIZE "0X340000" CACHE STRING "FLASH_NS_PARTITION_SIZE" FORCE)
+ endif()
+
+elseif(TARGET_NAME STREQUAL "corstone315")
+ set(TFM_PLATFORM "arm/mps4/corstone315" CACHE STRING "TFM Platform local path" FORCE)
+ set(FLASH_S_PARTITION_SIZE "0X40000" CACHE STRING "FLASH_S_PARTITION_SIZE" FORCE)
+ set(TFM_BL1_LOGGING ON CACHE BOOL "TFM_BL1_LOGGING" FORCE)
+
+ # These variables are only defined in case of building keyword_detection application with GNU toolchain
+ # as it is currently the only application that utilises the ML Model component OTA update feature
+ # where these variables are needed.
+ if((${EXAMPLE} STREQUAL "keyword-detection") AND (${TOOLCHAIN} STREQUAL "GNU"))
+ set(FLASH_NS_PARTITION_SIZE "0X240000" CACHE STRING "FLASH_NS_PARTITION_SIZE" FORCE)
+ set(FLASH_NS_ML_MODEL_PARTITION_SIZE "0X100000" CACHE STRING "FLASH_NS_ML_MODEL_PARTITION_SIZE" FORCE)
+ else()
+ set(FLASH_NS_PARTITION_SIZE "0X340000" CACHE STRING "FLASH_NS_PARTITION_SIZE" FORCE)
+ endif()
+
+elseif(TARGET_NAME STREQUAL "corstone320")
+ set(TFM_PLATFORM "arm/mps4/corstone320" CACHE STRING "TFM Platform local path" FORCE)
+ set(FLASH_S_PARTITION_SIZE "0X40000" CACHE STRING "FLASH_S_PARTITION_SIZE" FORCE)
+ set(TFM_BL1_LOGGING ON CACHE BOOL "TFM_BL1_LOGGING" FORCE)
+
+ # These variables are only defined in case of building keyword_detection application with GNU toolchain
+ # as it is currently the only application that utilises the ML Model component OTA update feature
+ # where these variables are needed.
+ if((${EXAMPLE} STREQUAL "keyword-detection") AND (${TOOLCHAIN} STREQUAL "GNU"))
+ set(FLASH_NS_PARTITION_SIZE "0X240000" CACHE STRING "FLASH_NS_PARTITION_SIZE" FORCE)
+ set(FLASH_NS_ML_MODEL_PARTITION_SIZE "0X100000" CACHE STRING "FLASH_NS_ML_MODEL_PARTITION_SIZE" FORCE)
+ else()
+ set(FLASH_NS_PARTITION_SIZE "0X340000" CACHE STRING "FLASH_NS_PARTITION_SIZE" FORCE)
+ endif()
+
+else()
+ message(FATAL_ERROR "Invalid TARGET_NAME (${TARGET_NAME}) set. Supported are corstone300/corstone310/corstone315/corstone320")
+endif()
+
+set(CONFIG_TFM_ENABLE_FP ON CACHE BOOL "CONFIG_TFM_ENABLE_FP" FORCE)
+set(MCUBOOT_SECURITY_COUNTER_NS auto CACHE STRING "MCUBOOT_SECURITY_COUNTER_NS" FORCE)
+set(MCUBOOT_CONFIRM_IMAGE ON CACHE BOOL "MCUBOOT_CONFIRM_IMAGE" FORCE)
+set(MCUBOOT_SIGNATURE_TYPE "EC-P256" CACHE STRING "Supported algorithms for signature validation [RSA-2048, RSA-3072, EC-P256, EC-P384]" FORCE)
+set(TFM_BL1_LOG_LEVEL "LOG_LEVEL_INFO" CACHE STRING "TFM_BL1_LOG_LEVEL")
+set(CONFIG_TFM_ENABLE_CP10CP11 ON CACHE BOOL "CONFIG_TFM_ENABLE_CP10CP11" FORCE)
+set(MCUBOOT_GENERATE_SIGNING_KEYPAIR ON CACHE BOOL "MCUBOOT_GENERATE_SIGNING_KEYPAIR" FORCE)
+set(MCUBOOT_LOG_LEVEL INFO CACHE STRING "MCUBOOT_LOG_LEVEL" FORCE)
+set(PLATFORM_DEFAULT_PROVISIONING OFF CACHE BOOL "PLATFORM_DEFAULT_PROVISIONING" FORCE)
+set(PLATFORM_DEFAULT_UART_STDOUT ON CACHE BOOL "PLATFORM_DEFAULT_UART_STDOUT" FORCE)
+set(TFM_DUMMY_PROVISIONING OFF CACHE BOOL "TFM_DUMMY_PROVISIONING" FORCE)
+set(TFM_EXCEPTION_INFO_DUMP ON CACHE BOOL "TFM_EXCEPTION_INFO_DUMP" FORCE)
+set(TFM_PARTITION_CRYPTO ON CACHE BOOL "TFM_PARTITION_CRYPTO" FORCE)
+set(TFM_PARTITION_INITIAL_ATTESTATION ON CACHE BOOL "TFM_PARTITION_INITIAL_ATTESTATION" FORCE)
+set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ON CACHE BOOL "TFM_PARTITION_INTERNAL_TRUSTED_STORAGE" FORCE)
+set(TFM_PARTITION_PLATFORM ON CACHE BOOL "TFM_PARTITION_PROTECTED_STORAGE" FORCE)
+set(TFM_PARTITION_PROTECTED_STORAGE ON CACHE BOOL "TFM_PARTITION_PROTECTED_STORAGE" FORCE)
+set(TFM_SPM_LOG_LEVEL TFM_SPM_LOG_LEVEL_INFO CACHE STRING "TFM_SPM_LOG_LEVEL" FORCE)
+
+# TF-M can be built with a different toolchain, but the toolchain that
+# builds the IoT SDK is guaranteed to be available in the environment.
+if(${TOOLCHAIN} STREQUAL "GNU") + set(TFM_TOOLCHAIN_FILE "${CMAKE_SOURCE_DIR}/toolchain_GNUARM.cmake" CACHE STRING "TFM_TOOLCHAIN_FILE" FORCE) +elseif(${TOOLCHAIN} STREQUAL "ARMCLANG") + set(TFM_TOOLCHAIN_FILE "${CMAKE_SOURCE_DIR}/toolchain_ARMCLANG.cmake" CACHE STRING "TFM_TOOLCHAIN_FILE" FORCE) +else() + message(FATAL_ERROR "Unsupported toolchain: ${TOOLCHAIN}") +endif() diff --git a/components/graphics/arm-2d/integration/CMakeLists.txt b/components/graphics/arm-2d/integration/CMakeLists.txt index a6013cf0..4ceea4c7 100644 --- a/components/graphics/arm-2d/integration/CMakeLists.txt +++ b/components/graphics/arm-2d/integration/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2024 Arm Limited and/or its affiliates +# Copyright 2024-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -11,7 +11,7 @@ target_include_directories(arm-2d ) target_sources(arm-2d - PUBLIC + PRIVATE ${arm-2d_SOURCE_DIR}/Library/Source/arm_2d.c ${arm-2d_SOURCE_DIR}/Library/Source/__arm_2d_tile.c ${arm-2d_SOURCE_DIR}/Library/Source/arm_2d_draw.c diff --git a/components/graphics/arm-2d/library b/components/graphics/arm-2d/library index 2b729c9c..ed9dffcc 160000 --- a/components/graphics/arm-2d/library +++ b/components/graphics/arm-2d/library @@ -1 +1 @@ -Subproject commit 2b729c9cb3b8d6b816be1a002455e197848b0478 +Subproject commit ed9dffcc0f82a6d86eab81a3e1e7c7479b734d70 diff --git a/components/security/freertos_ota_pal_psa/integration/patches/0004-app-version-Do-not-store-version-in-a-global-var.patch b/components/security/freertos_ota_pal_psa/integration/patches/0004-app-version-Do-not-store-version-in-a-global-var.patch index 7a49bd33..40c17dae 100644 --- a/components/security/freertos_ota_pal_psa/integration/patches/0004-app-version-Do-not-store-version-in-a-global-var.patch +++ b/components/security/freertos_ota_pal_psa/integration/patches/0004-app-version-Do-not-store-version-in-a-global-var.patch @@ -29,7 +29,7 @@ index 7b38c6a..a44d284 100644 
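Review bot: `${EXAMPLE}` and `${TOOLCHAIN}` are expanded unquoted in every `if((${EXAMPLE} STREQUAL "keyword-detection") AND (${TOOLCHAIN} STREQUAL "GNU"))`, so when either is not passed the condition fails to parse at its first use, before the `TARGET_NAME` and toolchain checks further down can report a clear error. Writing it as `if(("${EXAMPLE}" STREQUAL "keyword-detection") AND ("${TOOLCHAIN}" STREQUAL "GNU"))` avoids that. The help string of `TFM_PARTITION_PLATFORM` is a copy of the `TFM_PARTITION_PROTECTED_STORAGE` one, and `TFM_BL1_LOG_LEVEL` is the only entry here set without `FORCE`. Since this file pins the boot-chain settings (`MCUBOOT_SIGNATURE_TYPE`, `MCUBOOT_GENERATE_SIGNING_KEYPAIR`, the provisioning switches), a short comment stating that build-generated signing keys, as the option name suggests, are a development default would help integrators.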
@@ -33,24 +33,24 @@ #include "FreeRTOS.h" #include "application_version.h" - + -AppVersion32_t appFirmwareVersion; - -int GetImageVersionPSA( psa_fwu_component_t uxComponent ) @@ -37,7 +37,7 @@ index 7b38c6a..a44d284 100644 { psa_fwu_component_info_t xComponentInfo = { 0 }; psa_status_t uxStatus; - + + configASSERT( pxVersion != NULL ); + uxStatus = psa_fwu_query( uxComponent, &xComponentInfo ); @@ -48,7 +48,7 @@ index 7b38c6a..a44d284 100644 - appFirmwareVersion.u.x.build = (uint16_t)xComponentInfo.version.build; + pxVersion->u.x.major = xComponentInfo.version.major; + pxVersion->u.x.minor = xComponentInfo.version.minor; -+ pxVersion->u.x.build = (uint16_t)xComponentInfo.version.build; ++ pxVersion->u.x.build = (uint16_t)xComponentInfo.version.patch; return 0; } else @@ -64,7 +64,7 @@ index 7775910..fcd8b85 100644 +++ b/version/application_version.h @@ -28,18 +28,17 @@ #include "psa/update.h" - + /** - * @brief Get the running image version of the given component. - * @@ -91,8 +91,8 @@ index 7775910..fcd8b85 100644 +* @return 0 on success and -1 on failure. +*/ +int GetImageVersionPSA( psa_fwu_component_t uxComponent, AppVersion32_t *pxVersion ); - + #endif --- +-- 2.34.1 diff --git a/components/security/freertos_pkcs11_psa/integration/CMakeLists.txt b/components/security/freertos_pkcs11_psa/integration/CMakeLists.txt index 6e682998..3476f0ce 100644 --- a/components/security/freertos_pkcs11_psa/integration/CMakeLists.txt +++ b/components/security/freertos_pkcs11_psa/integration/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT 
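Review bot: In the `@@ -48,7 +48,7 @@` hunk of the carried patch, `pxVersion->u.x.build` is now filled from `xComponentInfo.version.patch`, so the field name no longer says what it holds and the PSA `build` value is not reflected in the application version at all. If this version is what the OTA path compares (not visible here), two images that differ only in `build` would look identical to it. I would add a comment on that line, for example `/* AppVersion32_t.build carries the PSA patch number; the PSA build field is ignored. */`, and check whether the `(uint16_t)` cast is still needed. `GetImageVersionPSA` starts and ends outside the hunk.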
@@ -10,12 +10,9 @@ add_library(freertos-pkcs11-psa ${freertos_pkcs11_psa_SOURCE_DIR}/iot_pkcs11_psa.c ) -ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR) - target_include_directories(freertos-pkcs11-psa PUBLIC ${freertos_pkcs11_psa_SOURCE_DIR} - ${BINARY_DIR}/api_ns/interface/include ) add_library(freertos-pkcs11-psa-config INTERFACE) @@ -23,6 +20,7 @@ add_library(freertos-pkcs11-psa-config INTERFACE) target_link_libraries(freertos-pkcs11-psa PUBLIC freertos-pkcs11-psa-config + tfm_api_ns PRIVATE corepkcs11 freertos_kernel diff --git a/components/security/mbedtls/integration/CMakeLists.txt b/components/security/mbedtls/integration/CMakeLists.txt index 8f363de4..39edb98e 100644 --- a/components/security/mbedtls/integration/CMakeLists.txt +++ b/components/security/mbedtls/integration/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023-2024 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -15,7 +15,7 @@ target_link_libraries(mbedtls if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "TF-M") target_link_libraries(mbedtls PRIVATE - tfm-ns-interface + tfm_api_ns ) target_compile_definitions(mbedtls-config INTERFACE diff --git a/components/security/trusted_firmware-m/CMakeLists.txt b/components/security/trusted_firmware-m/CMakeLists.txt index 4754cec2..3624b61c 100644 --- a/components/security/trusted_firmware-m/CMakeLists.txt +++ b/components/security/trusted_firmware-m/CMakeLists.txt 
@@ -12,19 +12,5 @@ set(trusted_firmware-m_SOURCE_DIR if(BUILD_TESTING AND NOT CMAKE_CROSSCOMPILING) add_subdirectory(library_mocks) else() - # This patch is only applied in case of building keyword_detection application with GNU toolchain - # as it is currently the only application that utilises the ML Model component OTA update feature - # where this patch is needed. - if((${APPLICATION_PATH} MATCHES ".*keyword_detection") AND (${CMAKE_C_COMPILER_ID} STREQUAL "GNU")) - include(ApplyPatches) - - set(PATCH_FILES_DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/integration/patches") - set(PATCH_FILES - "${PATCH_FILES_DIRECTORY}/0001-corstone300-Add-ML-model-component.patch" - "${PATCH_FILES_DIRECTORY}/0002-corstone310-Add-ML-model-component.patch" - "${PATCH_FILES_DIRECTORY}/0003-mps4-Add-ML-model-component.patch" - ) - iot_reference_arm_corstone3xx_apply_patches("${trusted_firmware-m_SOURCE_DIR}" "${PATCH_FILES}") - endif() add_subdirectory(integration) endif() diff --git a/components/security/trusted_firmware-m/integration/CMakeLists.txt b/components/security/trusted_firmware-m/integration/CMakeLists.txt index 699040d3..272c0e41 100644 --- a/components/security/trusted_firmware-m/integration/CMakeLists.txt +++ b/components/security/trusted_firmware-m/integration/CMakeLists.txt 
@@ -2,48 +2,24 @@ # # SPDX-License-Identifier: MIT -project(tfm-ns-interface) - list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_LIST_DIR}/cmake) -include(BuildTfm) - -# TF-M NS interface for the non-secure side - -add_library(tfm-ns-interface ${tfm_ns_interface_generated}) -add_dependencies(tfm-ns-interface trusted_firmware-m-build) +# Use different startup and driver files than TF-M defaults +set(PLATFORM_CUSTOM_NS_FILES TRUE) +# The exported TF-M interfaces +add_subdirectory(${CONFIG_SPE_PATH} ${CMAKE_BINARY_DIR}/spe) -target_include_directories(tfm-ns-interface - PUBLIC - ${BINARY_DIR}/api_ns/interface/include - ${BINARY_DIR}/api_ns/platform/include -) - -target_link_libraries(tfm-ns-interface +target_link_libraries(tfm_api_ns PRIVATE - ${s_veneers_generated} tfm-ns-interface-mbedtls-config ) -target_compile_definitions(tfm-ns-interface - PUBLIC - BL2 - # Corstone-315 is not using the default crypto keys, it is defined in the TF-M platform port - $<$:PLATFORM_DEFAULT_CRYPTO_KEYS> - $<$:PLATFORM_DEFAULT_CRYPTO_KEYS> -) - add_library(tfm-ns-interface-mbedtls-config INTERFACE) if(APPLICATION_PATH MATCHES ".*blinky") - # TODO: These compile definitions shouldn't be defined explicitly for `blinky` application as - # they should have been defined by `psa_crypto_config` library which should be linked - # to `tfm-ns-interface-mbedtls-config` library. However, since we are not using TF-M split-build feature, - # the exported library `psa_crypto_config` is not used by the non-secure side and these definitions are missing. 
- target_compile_definitions(tfm-ns-interface-mbedtls-config - INTERFACE - MBEDTLS_CONFIG_FILE="${trusted_firmware-m_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_client.h" - MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${trusted_firmware-m_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h" + target_link_libraries(tfm-ns-interface-mbedtls-config + INTERFACE + psa_crypto_config ) else() target_link_libraries(tfm-ns-interface-mbedtls-config @@ -52,9 +28,13 @@ else() ) target_compile_definitions(tfm-ns-interface-mbedtls-config INTERFACE - MBEDTLS_CONFIG_FILE="${APPLICATION_PATH}/configs/mbedtls_config/aws_mbedtls_config.h" -DPSA_CRYPTO_IMPLEMENTATION_TFM ) + # Change PUBLIC sources to PRIVATE: + # PUBLIC sources are added to both INTERFACE_SOURCES and SOURCES property, + # so removing from interface makes them PRIVATE (only use them when + # building tfm_api_ns, not consuming targets) + set_target_properties(tfm_api_ns PROPERTIES INTERFACE_SOURCES "") # In case of using Mbed TLS library to provide the PSA Crypto APIs # implementation, the PSA Crypto APIs implemented and provided by # TF-M shall be renamed to start with a prefix of tfm_crypto__ diff --git a/components/security/trusted_firmware-m/integration/cmake/BuildTfm.cmake b/components/security/trusted_firmware-m/integration/cmake/BuildTfm.cmake deleted file mode 100644 index 36226665..00000000 --- a/components/security/trusted_firmware-m/integration/cmake/BuildTfm.cmake +++ /dev/null 
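Review bot: In the `@@ -52,9 +28,13 @@` hunk, `set_target_properties(tfm_api_ns PROPERTIES INTERFACE_SOURCES "")` appears to sit inside the `else()` branch, so for the blinky application the sources that `tfm_api_ns` exports as PUBLIC would still propagate to every target that links it. If that is not intended, the call belongs after the `if`/`else`. It also clears the whole property, so any interface source a later TF-M export adds on purpose is dropped without notice; the comment above it could name the TF-M version this was checked against. The same branch no longer defines `MBEDTLS_CONFIG_FILE`, so it is worth confirming (not visible here) that the non-blinky applications still get their Mbed TLS configuration from another target. The `if`/`else` block starts in the previous hunk and continues past this one.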
@@ -1,70 +0,0 @@
-# Copyright 2021-2024, Arm Limited and/or its affiliates
-#
-# SPDX-License-Identifier: MIT
-
-# Files generated by TF-M build must be listed as BUILD_BYPRODUCTS
-# to inform CMake that they don't exist before build starts. Include
-# paths do not need to be listed.
-# is a placeholder keyword in ExternalProject_Add.
-
-set(TFM_SIGNATURE_TYPE "EC-P256" CACHE STRING "Supported algorithms for signature validation [RSA-2048, RSA-3072, EC-P256, EC-P384]")
-
-set(tfm_ns_interface_generated
- /api_ns/interface/src/tfm_tz_psa_ns_api.c
- /api_ns/interface/src/tfm_ps_api.c
- /api_ns/interface/src/tfm_its_api.c
- /api_ns/interface/src/tfm_crypto_api.c
- /api_ns/interface/src/tfm_attest_api.c
- /api_ns/interface/src/tfm_platform_api.c
- /api_ns/interface/src/os_wrapper/tfm_ns_interface_rtos.c
-)
-if(ARM_CORSTONE_BSP_TARGET_PLATFORM_TFM_CMAKE_ARGS MATCHES "TFM_PARTITION_FIRMWARE_UPDATE=ON")
- list(APPEND tfm_ns_interface_generated /api_ns/interface/src/tfm_fwu_api.c)
-endif()
-
-set(s_veneers_generated
- /api_ns/interface/lib/s_veneers.o
-)
-
-include(ExternalProject)
-
-# TF-M can be built with a different toolchain, but the toolchain that
-# builds the IoT SDK is guaranteed to be available in the environment.
-if(CMAKE_C_COMPILER_ID STREQUAL "GNU") - set(tfm_toolchain_file "toolchain_GNUARM.cmake") -elseif(CMAKE_C_COMPILER_ID STREQUAL "ARMClang") - set(tfm_toolchain_file "toolchain_ARMCLANG.cmake") -else() - message(FATAL_ERROR "Unsupported compiler: ${CMAKE_C_COMPILER_ID}") -endif() - -ExternalProject_Add( - trusted_firmware-m-build - - DOWNLOAD_COMMAND "" - SOURCE_DIR ${trusted_firmware-m_SOURCE_DIR} - - USES_TERMINAL_CONFIGURE ON - USES_TERMINAL_BUILD ON - - BUILD_ALWAYS ON - - CMAKE_ARGS - -DTFM_TOOLCHAIN_FILE=/${tfm_toolchain_file} - -DMCUBOOT_SIGNATURE_TYPE=${TFM_SIGNATURE_TYPE} - -DTFM_BL1_LOG_LEVEL=LOG_LEVEL_INFO - ${ARM_CORSTONE_BSP_TARGET_PLATFORM_TFM_CMAKE_ARGS} - - PATCH_COMMAND - ${TFM_PATCH_COMMAND} - - BUILD_BYPRODUCTS - ${tfm_ns_interface_generated} - ${s_veneers_generated} -) - -# The path ${BINARY_DIR} is available after ExternalProject_Add. -# Convert to allow projects to use those files. -ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR) -list(TRANSFORM tfm_ns_interface_generated REPLACE "" "${BINARY_DIR}") -list(TRANSFORM s_veneers_generated REPLACE "" "${BINARY_DIR}") diff --git a/components/security/trusted_firmware-m/integration/cmake/MergeTfmImages.cmake b/components/security/trusted_firmware-m/integration/cmake/MergeTfmImages.cmake index 1d9404cb..bb7403b0 100644 --- a/components/security/trusted_firmware-m/integration/cmake/MergeTfmImages.cmake +++ b/components/security/trusted_firmware-m/integration/cmake/MergeTfmImages.cmake @@ -2,10 +2,6 @@ # # SPDX-License-Identifier: MIT -include(ExternalProject) - -ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR) - # To merge the bootloader image, TF-M secure image, non-secure user application image, # secure and non-secure provsioning bundle images into one image, their addresses are # needed. As the addresses are defined in their respective linker scripts, there is no 
@@ -37,20 +33,17 @@ function(iot_reference_arm_corstone3xx_tf_m_merge_images target) find_program(srec_cat NAMES srec_cat REQUIRED) find_program(objcopy NAMES arm-none-eabi-objcopy objcopy REQUIRED) if(ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone300" OR ARM_CORSTONE_BSP_TARGET_PLATFORM STREQUAL "corstone310") - add_custom_command( - TARGET - ${target} - POST_BUILD + add_custom_target(${target}_merged DEPENDS - $/${target}_signed.bin + ${target}_signed_bin COMMAND - ${srec_cat} ${BINARY_DIR}/api_ns/bin/bl2.bin -Binary -offset ${BL2_IMAGE_LOAD_ADDRESS} - ${BINARY_DIR}/api_ns/bin/tfm_s_signed.bin -Binary -offset ${S_IMAGE_LOAD_ADDRESS} - $/${target}_signed.bin -Binary -offset ${NS_IMAGE_LOAD_ADDRESS} + ${srec_cat} ${CONFIG_SPE_PATH}/bin/bl2.bin -Binary -offset ${BL2_IMAGE_LOAD_ADDRESS} + ${CONFIG_SPE_PATH}/bin/tfm_s_signed.bin -Binary -offset ${S_IMAGE_LOAD_ADDRESS} + ${CMAKE_BINARY_DIR}/bin/${target}_signed.bin -Binary -offset ${NS_IMAGE_LOAD_ADDRESS} ${ddr_binary_param} ${ns_provisioning_data_param} ${model_binary_param} - ${BINARY_DIR}/api_ns/bin/provisioning_bundle.bin -Binary -offset ${S_PROVISIONING_BUNDLE_LOAD_ADDRESS} + ${CONFIG_SPE_PATH}/bin/provisioning_bundle.bin -Binary -offset ${S_PROVISIONING_BUNDLE_LOAD_ADDRESS} -o $/${target}_merged.hex COMMAND ${objcopy} -I ihex -O elf32-little 
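Review bot: `add_custom_target(${target}_merged ...)` replaces a `POST_BUILD` step, so the merged image is now produced only when `${target}_merged` is built explicitly or something depends on it. No `ALL` keyword or dependent target is visible in this hunk, and the second hunk (`@@ -61,19 +54,16 @@`) has the same shape. If the merged image should still come out of a default build, declare it as `add_custom_target(${target}_merged ALL`, or document the new target name next to the function. The inputs are read from two fixed locations, `${CONFIG_SPE_PATH}/bin` and `${CMAKE_BINARY_DIR}/bin`, while only `${target}_signed_bin` is listed under `DEPENDS`, so a missing or stale secure image surfaces as an `srec_cat` failure at build time rather than as a configure error. `iot_reference_arm_corstone3xx_tf_m_merge_images` starts and ends outside the hunk.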
@@ -61,19 +54,16 @@ function(iot_reference_arm_corstone3xx_tf_m_merge_images target) VERBATIM ) else() - add_custom_command( - TARGET - ${target} - POST_BUILD + add_custom_target(${target}_merged DEPENDS - $/${target}_signed.bin + ${target}_signed_bin COMMAND - ${srec_cat} ${BINARY_DIR}/api_ns/bin/bl1_1.bin -Binary -offset ${BL1_IMAGE_LOAD_ADDRESS} - ${BINARY_DIR}/api_ns/bin/cm_provisioning_bundle.bin -Binary -offset ${S_CM_PROVISIONING_BUNDLE_LOAD_ADDRESS} - ${BINARY_DIR}/api_ns/bin/dm_provisioning_bundle.bin -Binary -offset ${S_DM_PROVISIONING_BUNDLE_LOAD_ADDRESS} - ${BINARY_DIR}/api_ns/bin/bl2_signed.bin -Binary -offset ${BL2_IMAGE_LOAD_ADDRESS} - ${BINARY_DIR}/api_ns/bin/tfm_s_signed.bin -Binary -offset ${S_IMAGE_LOAD_ADDRESS} - $/${target}_signed.bin -Binary -offset ${NS_IMAGE_LOAD_ADDRESS} + ${srec_cat} ${CONFIG_SPE_PATH}/bin/bl1_1.bin -Binary -offset ${BL1_IMAGE_LOAD_ADDRESS} + ${CONFIG_SPE_PATH}/bin/cm_provisioning_bundle.bin -Binary -offset ${S_CM_PROVISIONING_BUNDLE_LOAD_ADDRESS} + ${CONFIG_SPE_PATH}/bin/dm_provisioning_bundle.bin -Binary -offset ${S_DM_PROVISIONING_BUNDLE_LOAD_ADDRESS} + ${CONFIG_SPE_PATH}/bin/bl2_signed.bin -Binary -offset ${BL2_IMAGE_LOAD_ADDRESS} + ${CONFIG_SPE_PATH}/bin/tfm_s_signed.bin -Binary -offset ${S_IMAGE_LOAD_ADDRESS} + ${CMAKE_BINARY_DIR}/bin/${target}_signed.bin -Binary -offset ${NS_IMAGE_LOAD_ADDRESS} ${model_binary_param} ${ddr_binary_param} ${ns_provisioning_data_param} diff --git a/components/security/trusted_firmware-m/integration/cmake/SignTfmImage.cmake b/components/security/trusted_firmware-m/integration/cmake/SignTfmImage.cmake index e74fa932..f30bb030 100644 --- a/components/security/trusted_firmware-m/integration/cmake/SignTfmImage.cmake +++ b/components/security/trusted_firmware-m/integration/cmake/SignTfmImage.cmake 
@@ -4,9 +4,6 @@ list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake) include(ConvertElfToBin) -include(ExternalProject) - -ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR) # This function is documented under `Image signing` section in `trusted_firmware-m.md` document located at # `${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/docs/components/security/` directory. @@ -25,10 +22,10 @@ function(iot_reference_arm_corstone3xx_tf_m_sign_image target unsigned_image_bin $/${target}.bin COMMAND # Sign the non-secure (application) image for TF-M bootloader (BL2) - python3 ${BINARY_DIR}/api_ns/image_signing/scripts/wrapper/wrapper.py + python3 ${CONFIG_SPE_PATH}/image_signing/scripts/wrapper/wrapper.py -v ${signed_bin_version} --layout ${signature_layout_file} - -k ${BINARY_DIR}/api_ns/image_signing/keys/image_ns_signing_private_key.pem + -k ${CONFIG_SPE_PATH}/image_signing/keys/image_ns_signing_private_key.pem --public-key-format full --align 1 --pad-header ${pad_option} -H 0x400 -s auto --measured-boot-record diff --git a/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake b/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake new file mode 100644 index 00000000..e6a498d6 --- /dev/null +++ b/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake 
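Review bot: The `-k` argument rewritten in the second hunk still pins the signing key to `image_ns_signing_private_key.pem` inside the TF-M export tree, now `${CONFIG_SPE_PATH}/image_signing/keys/`. Judging by the path this is the key that ships with TF-M for development, so images built this way would be signed with a key that is not secret (inferred, please confirm). Since the line is being touched anyway, consider reading the key from a cache variable that defaults to the exported one, e.g. `-k ${TFM_NS_SIGNING_KEY}` (the name is only a suggestion), with a comment above the command such as `# Defaults to the key exported by the TF-M build; override for production images`. The function starts and ends outside the hunk.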
@@ -0,0 +1,28 @@
+# Copyright 2025 Arm Limited and/or its affiliates
+#
+# SPDX-License-Identifier: MIT
+
+list(APPEND CMAKE_MODULE_PATH ${CONFIG_SPE_PATH}/cmake)
+
+# A platform specific MCPU and architecture flags for NS side
+include(${CONFIG_SPE_PATH}/platform/cpuarch.cmake)
+# Include common configs exported from TF-M
+include(${CONFIG_SPE_PATH}/cmake/spe_config.cmake)
+
+if(NOT DEFINED TFM_TOOLCHAIN_FILE)
+ if(${TOOLCHAIN} STREQUAL "GNU")
+ set(TFM_TOOLCHAIN_FILE ${CONFIG_SPE_PATH}/cmake/toolchain_ns_GNUARM.cmake)
+ elseif(${TOOLCHAIN} STREQUAL "ARMCLANG")
+ set(TFM_TOOLCHAIN_FILE ${CONFIG_SPE_PATH}/cmake/toolchain_ns_ARMCLANG.cmake)
+ endif()
+endif()
+
+if(${TOOLCHAIN} STREQUAL "GNU")
+ include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/cmake/CompilerFlagsGNUARM.cmake)
+elseif(${TOOLCHAIN} STREQUAL "ARMCLANG")
+ include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/cmake/CompilerFlagsARMCLANG.cmake)
+else()
+ message(FATAL_ERROR "Unsupported toolchain: ${TOOLCHAIN}")
+endif()
+
+include(${TFM_TOOLCHAIN_FILE})
diff --git a/components/security/trusted_firmware-m/integration/patches/0004-build-Enable-armclang-MVE.patch b/components/security/trusted_firmware-m/integration/patches/0004-build-Enable-armclang-MVE.patch
new file mode 100644
index 00000000..a14dbc15
--- /dev/null
+++ b/components/security/trusted_firmware-m/integration/patches/0004-build-Enable-armclang-MVE.patch
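Review bot: `CONFIG_SPE_PATH` is used in the `CMAKE_MODULE_PATH` entry, two `include()` calls and the `TFM_TOOLCHAIN_FILE` default without any check. When it is unset the paths collapse to `/platform/cpuarch.cmake` and `/cmake/spe_config.cmake`, and CMake either stops with an unrelated-looking error or evaluates whatever file happens to sit at that absolute path. A guard at the top of the file makes the requirement explicit: `if(NOT CONFIG_SPE_PATH OR NOT EXISTS "${CONFIG_SPE_PATH}/cmake/spe_config.cmake")`, `message(FATAL_ERROR "CONFIG_SPE_PATH must point to the TF-M api_ns install directory")`, `endif()`. The `if(${TOOLCHAIN} STREQUAL "GNU")` tests have a related problem, because an unset `TOOLCHAIN` turns the condition into `if( STREQUAL "GNU")`. Writing them as `if("${TOOLCHAIN}" STREQUAL "GNU")` lets the existing `Unsupported toolchain` error fire instead.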
@@ -0,0 +1,304 @@ +From 2e4aa5a7a63fa063f9486512296d74787cf08608 Mon Sep 17 00:00:00 2001 +From: Gergely Kovacs +Date: Thu, 5 Dec 2024 13:51:23 +0000 +Subject: [PATCH 4/4] build: Enable armclang MVE + +The vulnerability preventing the use of MVE was already fixed when FPU +was enabled. For m55 and m85 the compiler specifies the allowed -mcpu +feature combinations. These are different when -march is used. Also +armlink accepts only a few options when architecture is given. + +Signed-off-by: Gergely Kovacs +Change-Id: I1351a7b4e9d383894204a0ddbc8b5317ab3dbafe +--- + config/cp_check.cmake | 2 +- + platform/ns/toolchain_ns_ARMCLANG.cmake | 90 ++++++++++++++++++------- + toolchain_ARMCLANG.cmake | 87 +++++++++++++++++------- + 3 files changed, 128 insertions(+), 51 deletions(-) + +diff --git a/config/cp_check.cmake b/config/cp_check.cmake +index b6a1963a1..7463b174a 100644 +--- a/config/cp_check.cmake ++++ b/config/cp_check.cmake +@@ -25,7 +25,7 @@ endif() + + ########################## FPU and MVE ######################################### + +-tfm_invalid_config(NOT CMAKE_C_COMPILER_ID STREQUAL "GNU" AND (CONFIG_TFM_ENABLE_MVE OR CONFIG_TFM_ENABLE_MVE_FP)) ++tfm_invalid_config(CMAKE_C_COMPILER_ID STREQUAL "IAR" AND (CONFIG_TFM_ENABLE_MVE OR CONFIG_TFM_ENABLE_MVE_FP)) + tfm_invalid_config((NOT CONFIG_TFM_FP_ARCH) AND (CONFIG_TFM_ENABLE_FP OR CONFIG_TFM_ENABLE_MVE_FP)) + tfm_invalid_config((CMAKE_C_COMPILER_ID STREQUAL "ARMClang") AND (NOT CONFIG_TFM_FP_ARCH_ASM) AND CONFIG_TFM_ENABLE_FP) + tfm_invalid_config((NOT CONFIG_TFM_ENABLE_FP AND NOT CONFIG_TFM_ENABLE_MVE AND NOT CONFIG_TFM_ENABLE_MVE_FP) AND CONFIG_TFM_LAZY_STACKING) +diff --git a/platform/ns/toolchain_ns_ARMCLANG.cmake b/platform/ns/toolchain_ns_ARMCLANG.cmake +index 77956e062..31e9d05cc 100644 +--- a/platform/ns/toolchain_ns_ARMCLANG.cmake ++++ b/platform/ns/toolchain_ns_ARMCLANG.cmake +@@ -43,8 +43,15 @@ if (DEFINED TFM_SYSTEM_PROCESSOR) + set(CMAKE_SYSTEM_PROCESSOR ${TFM_SYSTEM_PROCESSOR}) + + if 
(TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main") +- message(WARNING "MVE is not yet supported using ARMCLANG") +- string(APPEND CMAKE_SYSTEM_PROCESSOR "+nomve") ++ if(NOT CONFIG_TFM_ENABLE_MVE) ++ string(APPEND CMAKE_SYSTEM_PROCESSOR "+nomve") ++ endif() ++ if((NOT TFM_SYSTEM_PROCESSOR STREQUAL "cortex-m85") ++ AND (NOT CONFIG_TFM_ENABLE_MVE_FP) ++ AND CONFIG_TFM_ENABLE_MVE ++ AND CONFIG_TFM_ENABLE_FP) ++ string(APPEND CMAKE_SYSTEM_PROCESSOR "+nomve.fp") ++ endif() + endif() + + if (DEFINED TFM_SYSTEM_DSP) +@@ -57,7 +64,7 @@ if (DEFINED TFM_SYSTEM_PROCESSOR) + # 'cortex-m4', 'cortex-m7', 'cortex-m33', 'cortex-m35p', 'cortex-m55' and 'cortex-m85'. + # Build fails if other M-profile cpu, such as 'cortex-m23', is added with '+nofp'. + # Explicitly list those cpu to align with ARMCLANG description. +- if (NOT CONFIG_TFM_FLOAT_ABI STREQUAL "hard" AND ++ if (NOT CONFIG_TFM_ENABLE_FP AND + (TFM_SYSTEM_PROCESSOR STREQUAL "cortex-m4" + OR TFM_SYSTEM_PROCESSOR STREQUAL "cortex-m7" + OR TFM_SYSTEM_PROCESSOR STREQUAL "cortex-m33" +@@ -80,17 +87,30 @@ set(CMAKE_C_COMPILER_TARGET arm-${CROSS_COMPILE}) + set(CMAKE_CXX_COMPILER_TARGET arm-${CROSS_COMPILE}) + set(CMAKE_ASM_COMPILER_TARGET arm-${CROSS_COMPILE}) + +-# MVE is currently not supported in case of armclang + if (TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main") +- string(APPEND CMAKE_SYSTEM_ARCH "+nomve") +-endif() ++ if(CONFIG_TFM_ENABLE_MVE_FP) ++ string(APPEND CMAKE_SYSTEM_ARCH "+mve.fp") ++ elseif(CONFIG_TFM_ENABLE_MVE) ++ string(APPEND CMAKE_SYSTEM_ARCH "+mve") ++ elseif(TFM_SYSTEM_DSP) ++ string(APPEND CMAKE_SYSTEM_ARCH "+dsp") ++ endif() + +-if (DEFINED TFM_SYSTEM_DSP) +- if(NOT TFM_SYSTEM_DSP) +- string(APPEND CMAKE_SYSTEM_ARCH "+nodsp") ++ # Generic fp extension names to be used instead of -mfpu ++ # +fp/fpv5-sp-d16 is not handled as it is the default ++ if(CONFIG_TFM_ENABLE_FP) ++ if (CONFIG_TFM_FP_ARCH STREQUAL "fpv5-d16") ++ string(APPEND CMAKE_SYSTEM_ARCH "+fp.dp") ++ endif() ++ else() ++ string(APPEND 
CMAKE_SYSTEM_ARCH "+nofp") + endif() + endif() + ++if(TFM_SYSTEM_DSP AND (NOT TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main")) ++ string(APPEND CMAKE_SYSTEM_ARCH "+dsp") ++endif() ++ + # Cmake's ARMClang support has several issues with compiler validation. To + # avoid these, we set the list of supported -mcpu and -march variables to + # the ones we intend to use so that the validation will never fail. +@@ -114,28 +134,42 @@ if (ARMCLANG_VERSION VERSION_GREATER_EQUAL 6.15 AND + " Please use other Armclang versions instead.") + endif() + ++ + if (CMAKE_SYSTEM_PROCESSOR) + set(CMAKE_C_FLAGS "-mcpu=${CMAKE_SYSTEM_PROCESSOR}") + set(CMAKE_CXX_FLAGS "-mcpu=${CMAKE_SYSTEM_PROCESSOR}") + set(CMAKE_ASM_FLAGS "--target=${CMAKE_ASM_COMPILER_TARGET} -mcpu=${CMAKE_SYSTEM_PROCESSOR}") +- set(CMAKE_C_LINK_FLAGS "--cpu=${CMAKE_SYSTEM_PROCESSOR}") +- set(CMAKE_CXX_LINK_FLAGS "--cpu=${CMAKE_SYSTEM_PROCESSOR}") +- set(CMAKE_ASM_LINK_FLAGS "--cpu=${CMAKE_SYSTEM_PROCESSOR}") ++ ++ set(ARMLINK_MAPPED_OPTION "--cpu=${CMAKE_SYSTEM_PROCESSOR}") + # But armlink doesn't support this +dsp syntax +- string(REGEX REPLACE "\\+nodsp" "" CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nodsp" "" CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nodsp" "" CMAKE_ASM_LINK_FLAGS "${CMAKE_ASM_LINK_FLAGS}") +- # And uses different syntax for +nofp +- string(REGEX REPLACE "\\+nofp" ".no_fp" CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nofp" ".no_fp" CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nofp" ".no_fp" CMAKE_ASM_LINK_FLAGS "${CMAKE_ASM_LINK_FLAGS}") +- +- string(REGEX REPLACE "\\+nomve" ".no_mve" CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nomve" ".no_mve" CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nomve" ".no_mve" CMAKE_ASM_LINK_FLAGS "${CMAKE_ASM_LINK_FLAGS}") ++ string(REGEX REPLACE "\\+nodsp" "" ARMLINK_MAPPED_OPTION 
"${ARMLINK_MAPPED_OPTION}") ++ # And uses different syntax for +nofp, +nomve.fp, nomve ++ string(REGEX REPLACE "\\+nofp" ".no_fp" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+nomve\\.fp" ".no_mvefp" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+nomve" ".no_mve" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ ++ set(CMAKE_C_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) ++ set(CMAKE_CXX_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) ++ set(CMAKE_ASM_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) + else() + set(CMAKE_C_FLAGS "-march=${CMAKE_SYSTEM_ARCH}") + set(CMAKE_CXX_FLAGS "-march=${CMAKE_SYSTEM_ARCH}") ++ set(CMAKE_ASM_FLAGS "--target=${CMAKE_ASM_COMPILER_TARGET} -march=${CMAKE_SYSTEM_ARCH}") ++ ++ set(ARMLINK_MAPPED_OPTION "--cpu=${CMAKE_SYSTEM_PROCESSOR}") ++ # Mapping the architecture name ++ string(REGEX REPLACE "armv" "" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ # Armlink uses --fpu option instead of the generic extension names ++ string(REGEX REPLACE "\\+fp\\.dp" "" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+nofp" "" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ # And different syntax for these features ++ string(REGEX REPLACE "\\+mve\\.fp" ".mve.fp" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+mve" ".mve" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+dsp" ".dsp" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ ++ set(CMAKE_C_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) ++ set(CMAKE_CXX_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) ++ set(CMAKE_ASM_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) + endif() + + # This flag is used to check if toolchain has fixed VLLDM vulnerability +@@ -145,8 +179,14 @@ set(CP_CHECK_C_FLAGS ${CMAKE_C_FLAGS}) + if (CONFIG_TFM_FLOAT_ABI STREQUAL "hard") + set(COMPILER_CP_C_FLAG "-mfloat-abi=hard") + if (CONFIG_TFM_ENABLE_FP) +- set(COMPILER_CP_C_FLAG "-mfloat-abi=hard 
-mfpu=${CONFIG_TFM_FP_ARCH}") +- set(COMPILER_CP_ASM_FLAG "-mfloat-abi=hard -mfpu=${CONFIG_TFM_FP_ARCH}") ++ if (TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main") ++ # setting the -mfpu option disables the floating point mve, generic +fp.dp is used instead ++ set(COMPILER_CP_C_FLAG "-mfloat-abi=hard") ++ set(COMPILER_CP_ASM_FLAG "-mfloat-abi=hard") ++ else() ++ set(COMPILER_CP_C_FLAG "-mfloat-abi=hard -mfpu=${CONFIG_TFM_FP_ARCH}") ++ set(COMPILER_CP_ASM_FLAG "-mfloat-abi=hard -mfpu=${CONFIG_TFM_FP_ARCH}") ++ endif() + # armasm and armlink have the same option "--fpu" and are both used to + # specify the target FPU architecture. So the supported FPU architecture + # names can be shared by armasm and armlink. +diff --git a/toolchain_ARMCLANG.cmake b/toolchain_ARMCLANG.cmake +index cc0ac1966..7050adebb 100644 +--- a/toolchain_ARMCLANG.cmake ++++ b/toolchain_ARMCLANG.cmake +@@ -36,8 +36,15 @@ if (DEFINED TFM_SYSTEM_PROCESSOR) + set(CMAKE_SYSTEM_PROCESSOR ${TFM_SYSTEM_PROCESSOR}) + + if (TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main") +- message(WARNING "MVE is not yet supported using ARMCLANG") +- string(APPEND CMAKE_SYSTEM_PROCESSOR "+nomve") ++ if(NOT CONFIG_TFM_ENABLE_MVE) ++ string(APPEND CMAKE_SYSTEM_PROCESSOR "+nomve") ++ endif() ++ if((NOT TFM_SYSTEM_PROCESSOR STREQUAL "cortex-m85") ++ AND (NOT CONFIG_TFM_ENABLE_MVE_FP) ++ AND CONFIG_TFM_ENABLE_MVE ++ AND CONFIG_TFM_ENABLE_FP) ++ string(APPEND CMAKE_SYSTEM_PROCESSOR "+nomve.fp") ++ endif() + endif() + + if (DEFINED TFM_SYSTEM_DSP) +@@ -73,17 +80,31 @@ set(CMAKE_C_COMPILER_TARGET arm-${CROSS_COMPILE}) + set(CMAKE_CXX_COMPILER_TARGET arm-${CROSS_COMPILE}) + set(CMAKE_ASM_COMPILER_TARGET arm-${CROSS_COMPILE}) + +-# MVE is currently not supported in case of armclang + if (TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main") +- string(APPEND CMAKE_SYSTEM_ARCH "+nomve") +-endif() ++ # These three feature options are the only ones armlink accepts ++ if(CONFIG_TFM_ENABLE_MVE_FP) ++ string(APPEND CMAKE_SYSTEM_ARCH 
"+mve.fp") ++ elseif(CONFIG_TFM_ENABLE_MVE) ++ string(APPEND CMAKE_SYSTEM_ARCH "+mve") ++ elseif(TFM_SYSTEM_DSP) ++ string(APPEND CMAKE_SYSTEM_ARCH "+dsp") ++ endif() + +-if (DEFINED TFM_SYSTEM_DSP) +- if(NOT TFM_SYSTEM_DSP) +- string(APPEND CMAKE_SYSTEM_ARCH "+nodsp") ++ # Generic fp extension names to be used instead of -mfpu ++ # +fp/fpv5-sp-d16 is not handled as it is the default ++ if(CONFIG_TFM_ENABLE_FP) ++ if (CONFIG_TFM_FP_ARCH STREQUAL "fpv5-d16") ++ string(APPEND CMAKE_SYSTEM_ARCH "+fp.dp") ++ endif() ++ else() ++ string(APPEND CMAKE_SYSTEM_ARCH "+nofp") + endif() + endif() + ++if(TFM_SYSTEM_DSP AND (NOT TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main")) ++ string(APPEND CMAKE_SYSTEM_ARCH "+dsp") ++endif() ++ + # Cmake's ARMClang support has several issues with compiler validation. To + # avoid these, we set the list of supported -mcpu and -march variables to + # the ones we intend to use so that the validation will never fail. +@@ -159,24 +180,37 @@ if (CMAKE_SYSTEM_PROCESSOR) + set(CMAKE_C_FLAGS "-mcpu=${CMAKE_SYSTEM_PROCESSOR}") + set(CMAKE_CXX_FLAGS "-mcpu=${CMAKE_SYSTEM_PROCESSOR}") + set(CMAKE_ASM_FLAGS "--target=${CMAKE_ASM_COMPILER_TARGET} -mcpu=${CMAKE_SYSTEM_PROCESSOR}") +- set(CMAKE_C_LINK_FLAGS "--cpu=${CMAKE_SYSTEM_PROCESSOR}") +- set(CMAKE_CXX_LINK_FLAGS "--cpu=${CMAKE_SYSTEM_PROCESSOR}") +- set(CMAKE_ASM_LINK_FLAGS "--cpu=${CMAKE_SYSTEM_PROCESSOR}") ++ ++ set(ARMLINK_MAPPED_OPTION "--cpu=${CMAKE_SYSTEM_PROCESSOR}") + # But armlink doesn't support this +dsp syntax +- string(REGEX REPLACE "\\+nodsp" "" CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nodsp" "" CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nodsp" "" CMAKE_ASM_LINK_FLAGS "${CMAKE_ASM_LINK_FLAGS}") +- # And uses different syntax for +nofp +- string(REGEX REPLACE "\\+nofp" ".no_fp" CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nofp" ".no_fp" CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS}") +- 
string(REGEX REPLACE "\\+nofp" ".no_fp" CMAKE_ASM_LINK_FLAGS "${CMAKE_ASM_LINK_FLAGS}") +- +- string(REGEX REPLACE "\\+nomve" ".no_mve" CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nomve" ".no_mve" CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS}") +- string(REGEX REPLACE "\\+nomve" ".no_mve" CMAKE_ASM_LINK_FLAGS "${CMAKE_ASM_LINK_FLAGS}") ++ string(REGEX REPLACE "\\+nodsp" "" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ # And uses different syntax for +nofp, +nomve.fp, nomve ++ string(REGEX REPLACE "\\+nofp" ".no_fp" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+nomve\\.fp" ".no_mvefp" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+nomve" ".no_mve" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ ++ set(CMAKE_C_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) ++ set(CMAKE_CXX_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) ++ set(CMAKE_ASM_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) + else() + set(CMAKE_C_FLAGS "-march=${CMAKE_SYSTEM_ARCH}") + set(CMAKE_CXX_FLAGS "-march=${CMAKE_SYSTEM_ARCH}") ++ set(CMAKE_ASM_FLAGS "--target=${CMAKE_ASM_COMPILER_TARGET} -march=${CMAKE_SYSTEM_ARCH}") ++ ++ set(ARMLINK_MAPPED_OPTION "--cpu=${CMAKE_SYSTEM_PROCESSOR}") ++ # Mapping the architecture name ++ string(REGEX REPLACE "armv" "" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ # Armlink uses --fpu option instead of the generic extension names ++ string(REGEX REPLACE "\\+fp\\.dp" "" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+nofp" "" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ # And different syntax for these features ++ string(REGEX REPLACE "\\+mve\\.fp" ".mve.fp" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+mve" ".mve" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ string(REGEX REPLACE "\\+dsp" ".dsp" ARMLINK_MAPPED_OPTION "${ARMLINK_MAPPED_OPTION}") ++ ++ set(CMAKE_C_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) ++ 
set(CMAKE_CXX_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) ++ set(CMAKE_ASM_LINK_FLAGS ${ARMLINK_MAPPED_OPTION}) + endif() + + set(BL2_COMPILER_CP_FLAG +@@ -198,9 +232,12 @@ if (CONFIG_TFM_FLOAT_ABI STREQUAL "hard") + $<$:-mfloat-abi=hard> + ) + if (CONFIG_TFM_ENABLE_FP) +- set(COMPILER_CP_FLAG +- -mfpu=${CONFIG_TFM_FP_ARCH};-mfloat-abi=hard +- ) ++ if (TFM_SYSTEM_ARCHITECTURE STREQUAL "armv8.1-m.main") ++ # setting the -mfpu option disables the floating point mve, generic +fp.dp is used instead ++ set(COMPILER_CP_FLAG -mfloat-abi=hard) ++ else() ++ set(COMPILER_CP_FLAG -mfpu=${CONFIG_TFM_FP_ARCH};-mfloat-abi=hard) ++ endif() + # armasm and armlink have the same option "--fpu" and are both used to + # specify the target FPU architecture. So the supported FPU architecture + # names can be shared by armasm and armlink. +-- +2.34.1 + diff --git a/components/security/trusted_firmware-m/library b/components/security/trusted_firmware-m/library index c9352b59..96cc0445 160000 --- a/components/security/trusted_firmware-m/library +++ b/components/security/trusted_firmware-m/library @@ -1 +1 @@ -Subproject commit c9352b59f2a501b5af3f648b3fc91065993c002f +Subproject commit 96cc044555f57b755ca3605788798b71f2c1a180 diff --git a/components/tools/CMakeLists.txt b/components/tools/CMakeLists.txt index e45293f5..5a6f69c8 100644 --- a/components/tools/CMakeLists.txt +++ b/components/tools/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023-2024 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -7,6 +7,5 @@ if(BUILD_TESTING AND NOT CMAKE_CROSSCOMPILING) add_subdirectory(googletest) else() add_subdirectory(freertos_libraries_integration_tests) - add_subdirectory(open_iot_sdk_toolchain) add_subdirectory(unity) endif() diff --git a/components/tools/open_iot_sdk_toolchain/CMakeLists.txt b/components/tools/open_iot_sdk_toolchain/CMakeLists.txt deleted file mode 100644 index 5dfe775e..00000000 
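Review bot: In the `else()` branch of `if (CMAKE_SYSTEM_PROCESSOR)`, in both `platform/ns/toolchain_ns_ARMCLANG.cmake` and `toolchain_ARMCLANG.cmake`, the added line `set(ARMLINK_MAPPED_OPTION "--cpu=${CMAKE_SYSTEM_PROCESSOR}")` expands a variable that is empty or false in that branch. The `armv`, `+fp.dp`, `+mve` and `+dsp` replacements that follow then have nothing to act on, and armlink is handed a bare `--cpu=`. The compiler flags just above it use `-march=${CMAKE_SYSTEM_ARCH}`, which suggests the linker line was meant to read `set(ARMLINK_MAPPED_OPTION "--cpu=${CMAKE_SYSTEM_ARCH}")`. A one-line comment such as `# armlink takes the architecture without the "armv" prefix, e.g. 8.1-m.main.mve` would also explain why the replacements are there.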
--- a/components/tools/open_iot_sdk_toolchain/CMakeLists.txt +++ /dev/null @@ -1,9 +0,0 @@ -# Copyright 2023 Arm Limited and/or its affiliates -# -# SPDX-License-Identifier: MIT - -set(open_iot_sdk_toolchain_SOURCE_DIR - ${CMAKE_CURRENT_LIST_DIR}/library - CACHE INTERNAL - "Path to Open IoT SDK CMake Toolchain source code" -) diff --git a/components/tools/open_iot_sdk_toolchain/library b/components/tools/open_iot_sdk_toolchain/library deleted file mode 160000 index f77e1ba2..00000000 --- a/components/tools/open_iot_sdk_toolchain/library +++ /dev/null @@ -1 +0,0 @@ -Subproject commit f77e1ba2bb830f6950a88c34849cf3df9af4ad32 diff --git a/docs/applications/keyword_detection.md b/docs/applications/keyword_detection.md index b52bc929..f22b2711 100644 --- a/docs/applications/keyword_detection.md +++ b/docs/applications/keyword_detection.md @@ -103,7 +103,7 @@ To run the Keyword-Detection example, run the following command: [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 Creating an empty ITS flash layout. Creating an empty PS flash layout. [INF][Crypto] Provisioning entropy seed... complete. @@ -245,7 +245,7 @@ Follow the instructions described in the [Firmware update with AWS](./aws_iot/aw [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 Creating an empty ITS flash layout. Creating an empty PS flash layout. [INF][Crypto] Provisioning entropy seed... complete. @@ -320,7 +320,7 @@ Creating an empty PS flash layout. [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 [INF][Crypto] Provisioning entropy seed... complete. 0 0 [None] [INFO] PSA Framework version is: 257 1 0 [None] Write certificate... 
diff --git a/docs/applications/object_detection.md b/docs/applications/object_detection.md index 4086ca96..5a41e21c 100644 --- a/docs/applications/object_detection.md +++ b/docs/applications/object_detection.md @@ -67,7 +67,7 @@ Check [Device Provisioning](./device_provisioning/device_provisioning.md) for de [INF] Image index: 0, Swap type: none [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 [Sec Thread] Secure image initializing! [INF][Crypto] Provisioning entropy seed... complete. 0 0 [None] [INFO] PSA Framework version is: 257 @@ -378,7 +378,7 @@ Follow the instructions described in the [Firmware update with AWS](./aws_iot/aw [INF] Image index: 0, Swap type: none [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 [Sec Thread] Secure image initializing! Creating an empty ITS flash layout. Creating an empty PS flash layout. diff --git a/docs/applications/speech_recognition.md b/docs/applications/speech_recognition.md index 85fd0c97..c2a76a39 100644 --- a/docs/applications/speech_recognition.md +++ b/docs/applications/speech_recognition.md @@ -81,7 +81,7 @@ To run the Speech-Recognition example, run the following command: [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 Creating an empty ITS flash layout. Creating an empty PS flash layout. [INF][Crypto] Provisioning entropy seed... complete. @@ -229,7 +229,7 @@ Follow the instructions described in the [Firmware update with AWS](./aws_iot/aw [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 Creating an empty ITS flash layout. Creating an empty PS flash layout. [INF][Crypto] Provisioning entropy seed... complete. 
@@ -300,7 +300,7 @@ Creating an empty PS flash layout. [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.1.0 +Booting TF-M v2.1.1 [INF][Crypto] Provisioning entropy seed... complete. 0 0 [None] [INFO] PSA Framework version is: 257 1 0 [None] Write certificate... diff --git a/manifest.yml b/manifest.yml index 203dad4b..4aa11fd9 100644 --- a/manifest.yml +++ b/manifest.yml @@ -25,7 +25,7 @@ dependencies: license: "BSD-3-Clause" tpip-category: "category-2" security-risk: "high" - version: "c9352b59f2a501b5af3f648b3fc91065993c002f" + version: "96cc044555f57b755ca3605788798b71f2c1a180" repository: type: "git" url: "https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git" @@ -138,15 +138,6 @@ dependencies: type: "git" url: "https://github.com/intel/tinycbor" path: "components/aws_iot/tinycbor/library" - - name: "toolchains" - license: "Apache-2.0" - tpip-category: "category-2" - security-risk: "low" - version: "f77e1ba2bb830f6950a88c34849cf3df9af4ad32" - repository: - type: "git" - url: "https://git.gitlab.arm.com/iot/open-iot-sdk/toolchain.git" - path: "components/tools/open_iot_sdk_toolchain/library" - name: "FreeRTOS-Libraries-Integration-Tests" license: "MIT" tpip-category: "category-2" @@ -205,7 +196,7 @@ dependencies: license: "Apache-2.0" tpip-category: "category-2" security-risk: "low" - version: "v1.1.5" + version: "v1.2.1" repository: type: "git" url: "https://github.com/ARM-software/Arm-2D.git" diff --git a/release_changes/202411251654.change.md b/release_changes/202411251654.change.md new file mode 100644 index 00000000..6d47b744 --- /dev/null +++ b/release_changes/202411251654.change.md @@ -0,0 +1 @@ +build: Integrate TF-M split-build diff --git a/tools/scripts/build.sh b/tools/scripts/build.sh index bd472099..59e22771 100755 --- a/tools/scripts/build.sh +++ b/tools/scripts/build.sh 
@@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2023-2024 Arm Limited and/or its affiliates +# Copyright 2023-2025 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -12,6 +12,7 @@ ROOT="$(realpath $HERE/../..)" EXAMPLE="" CLEAN=0 BUILD_PATH="$(realpath $ROOT/build)" +TFM_BUILD_PATH="$(realpath $ROOT/build_tfm)" TARGET="corstone320" TARGET_PROCESSOR="" ML_INFERENCE_ENGINE="ETHOS" @@ -19,7 +20,6 @@ ETHOS_U_NPU_ID="" ETHOS_U_NPU_NUM_MACS="" AUDIO_SOURCE="ROM" TOOLCHAIN="GNU" -TOOLCHAIN_FILE="" BUILD=1 CERTIFICATE_PATH="" PRIVATE_KEY_PATH="" @@ -38,6 +38,7 @@ function build_with_cmake { if [[ $CLEAN -ne 0 ]]; then echo "Clean building $EXAMPLE" >&2 rm -rf $BUILD_PATH + rm -rf $TFM_BUILD_PATH else echo "Building $EXAMPLE" >&2 fi @@ -45,11 +46,28 @@ function build_with_cmake { ( set -ex - # Note: A bug in CMake force us to set the toolchain here cmake_args=() - cmake_args+=(-G Ninja --toolchain=$TOOLCHAIN_FILE) + cmake_args+=(-G Ninja) + cmake_args+=(-B $TFM_BUILD_PATH) + cmake_args+=(-S $ROOT/components/security/trusted_firmware-m/library) + cmake_args+=(-DTOOLCHAIN=$TOOLCHAIN) + cmake_args+=(-DROOT=$ROOT) + cmake_args+=(-DEXAMPLE=$EXAMPLE) + # TARGET_NAME is used, becasue TARGET is a cmake keyword + cmake_args+=(-DTARGET_NAME="$TARGET") + # Toolchain and the cache entries are used in initial cache file so should + # appear before it on the command line + cmake_args+=(-C $PATH_TO_SOURCE/TfmInitialCache.cmake) + # Building TF-M + cmake "${cmake_args[@]}" + cmake --build $TFM_BUILD_PATH -- install + + cmake_args=() + cmake_args+=(-G Ninja) cmake_args+=(-B $BUILD_PATH) cmake_args+=(-S $PATH_TO_SOURCE) + cmake_args+=(-DCONFIG_SPE_PATH=$TFM_BUILD_PATH/api_ns) + cmake_args+=(-DTOOLCHAIN=$TOOLCHAIN) cmake_args+=(-DCMAKE_SYSTEM_PROCESSOR=$TARGET_PROCESSOR) cmake_args+=(-DARM_CORSTONE_BSP_TARGET_PLATFORM=$TARGET) cmake_args+=(-DAWS_CLIENT_PRIVATE_KEY_PEM_PATH=$PRIVATE_KEY_PATH) 
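Review bot: The added `rm -rf $TFM_BUILD_PATH` in the clean branch expands its variable unquoted, as do the new `cmake_args+=(-B $TFM_BUILD_PATH)`, `-S $ROOT/...`, `-DROOT=$ROOT` and `-C $PATH_TO_SOURCE/TfmInitialCache.cmake` entries in the following hunk. A checkout path containing whitespace or glob characters is therefore word-split, and for the `rm -rf` that means removing paths other than the TF-M build directory. Quote the expansions, e.g. `rm -rf -- "$TFM_BUILD_PATH"` and `cmake_args+=(-B "$TFM_BUILD_PATH")`. The comment above `-DTARGET_NAME` also has a typo (`becasue`). `build_with_cmake` starts and ends outside these hunks.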
@@ -73,7 +91,7 @@ function build_with_cmake { cmake "${cmake_args[@]}" echo "Building $EXAMPLE" >&2 - cmake --build $BUILD_PATH --target "$EXAMPLE" + cmake --build $BUILD_PATH --target "${EXAMPLE}_merged" ) } @@ -266,10 +284,8 @@ esac case "$TOOLCHAIN" in ARMCLANG ) - TOOLCHAIN_FILE="$ROOT/components/tools/open_iot_sdk_toolchain/library/toolchain-armclang.cmake" ;; GNU ) - TOOLCHAIN_FILE="$ROOT/components/tools/open_iot_sdk_toolchain/library/toolchain-arm-none-eabi-gcc.cmake" ;; * ) echo "Invalid toolchain "