Integrate TF-M split-build

.gitignore

@@ -1,5 +1,6 @@
 # Build directory
 build
+build_tfm
 build_unit_test
 
 # Cache directory

.gitmodules

@@ -40,9 +40,6 @@
 [submodule "mbedtls"]
 	path = components/security/mbedtls/library
 	url = https://github.com/Mbed-TLS/mbedtls.git
-[submodule "open_iot_sdk_toolchain"]
-	path = components/tools/open_iot_sdk_toolchain/library
-	url = https://git.gitlab.arm.com/iot/open-iot-sdk/toolchain.git
 [submodule "tinycbor"]
 	path = components/aws_iot/tinycbor/library
 	url = https://github.com/intel/tinycbor.git

.vscode/launch.json

@@ -1,4 +1,4 @@
-// Copyright 2021-2024 Arm Limited and/or its affiliates
+// Copyright 2021-2025 Arm Limited and/or its affiliates
 // <[email protected]>
 // SPDX-License-Identifier: MIT
 
@@ -15,8 +15,8 @@
             "overrideLaunchCommands": [
                 "-enable-pretty-printing",
                 "break main.c:main",
-                "add-symbol-file iot_reference_arm_corstone3xx/components/security/trusted_firmware-m/integration/trusted_firmware-m-build-prefix/src/trusted_firmware-m-build-build/api_ns/bin/bl2.axf",
-                "add-symbol-file iot_reference_arm_corstone3xx/components/security/trusted_firmware-m/integration/trusted_firmware-m-build-prefix/src/trusted_firmware-m-build-build/api_ns/bin/tfm_s.axf",
+                "add-symbol-file ${workspaceFolder}/build_tfm/api_ns/bin/bl2.axf",
+                "add-symbol-file ${workspaceFolder}/build_tfm/api_ns/bin/tfm_s.axf",
             ],
             "preLaunchTask": "Debug Arm Featured Reference Integration applications",
             "showDevDebugOutput": "raw"

applications/blinky/CMakeLists.txt

@@ -4,23 +4,17 @@
 
 cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
 
+# NS target name the TF-M api_ns CMakeLists.txt uses
+set(NS_TARGET_NAME blinky)
 set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky" CACHE STRING "Path to the application folder")
 
-# Trusted Firmware-M setup
-set(TFM_CMAKE_APP_ARGS
-    -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky/configs/tfm_config/project_config.h
-)
-set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Total number of firmware images")
-set(DEFAULT_MCUBOOT_FLASH_MAP ON)
+# Toolchain file has to be included before the very first project() call
+include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake)
 
 project(blinky-example LANGUAGES C)
 
-# Set global optimization level to reduce code size while keeping the debug experience.
-if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
-    add_compile_options(-Og)
-elseif(${CMAKE_C_COMPILER_ID} STREQUAL "ARMClang")
-    add_compile_options(-O1)
-endif()
+set_compiler_and_linker_flags()
+include(${CONFIG_SPE_PATH}/config/cp_check.cmake)
 
 add_subdirectory(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR} ${CMAKE_BINARY_DIR}/iot_reference_arm_corstone3xx)
 
@@ -32,40 +26,43 @@ include(SignTfmImage)
 
 add_subdirectory(configs)
 
-add_executable(blinky main.c)
-# Trusted Firmware-M must be built before the application, because
-# the application depends on the NS interface and the BL2 signing scripts,
-# both of which are generated as parts of the Trusted Firmware-M build process.
-add_dependencies(blinky trusted_firmware-m-build)
+add_executable(blinky
+    main.c
+    ${CONFIG_SPE_PATH}/interface/src/os_wrapper/tfm_ns_interface_rtos.c
+)
+
 target_link_libraries(blinky
     freertos_kernel
     fri-bsp
-    tfm-ns-interface
+    tfm_api_ns
     toolchain-override
+    # FRI always uses TrustZone
+    tfm_api_ns_tz
 )
 
 set_linker_script(blinky)
 
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake)
 include(ConvertElfToBin)
-include(ExternalProject)
-ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR)
 
 extract_sections_from_axf(
     blinky
     SECTIONS_NAMES   "ddr.bin"
     OUTPUT_BIN_NAME  "ns_image"
 )
 
-# The non-secure application image should be padded while being signed
-# Hence, passing "TRUE" as the input parameter to the pad option of sign function.
-iot_reference_arm_corstone3xx_tf_m_sign_image(
-    blinky
-    "ns_image"
-    blinky_signed
-    0.0.1
-    "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o"
-    TRUE
+# Copy the binary flash content to the location expected by default signing
+# Signing is implemented in the exported TF-M NS CMakeLists.txt (in the
+# ${CONFIG_SPE_PATH} directory)
+add_custom_target(blinky_bin
+    SOURCES ${CMAKE_BINARY_DIR}/blinky.bin
+    DEPENDS blinky
+)
+add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/blinky.bin
+    DEPENDS blinky
+    COMMAND ${CMAKE_COMMAND}
+        -E copy ${SECTORS_BIN_DIR}/ns_image.bin
+        ${CMAKE_BINARY_DIR}/blinky.bin
 )
 
 # A user project that consumes the ARM FRI needs to explicitly provide

applications/blinky/TfmInitialCache.cmake

@@ -0,0 +1,10 @@
+# Copyright 2025 Arm Limited and/or its affiliates
+# <[email protected]>
+# SPDX-License-Identifier: MIT
+
+include(${ROOT}/cmake/TfmInitialCacheCommon.cmake)
+
+set(MCUBOOT_IMAGE_VERSION_NS 0.0.1 CACHE STRING "MCUBOOT_IMAGE_VERSION_NS" FORCE)
+set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE)
+set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE STRING "DEFAULT_MCUBOOT_FLASH_MAP" FORCE)
+set(PROJECT_CONFIG_HEADER_FILE ${ROOT}/applications/blinky/configs/tfm_config/project_config.h CACHE FILEPATH "PROJECT_CONFIG_HEADER_FILE" FORCE)

applications/blinky/configs/freertos_config/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright 2023 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <[email protected]>
 # SPDX-License-Identifier: MIT
 
@@ -14,6 +14,6 @@ target_compile_definitions(freertos_config
 
 target_link_libraries(freertos_config
     INTERFACE
-        tfm-ns-interface
+        tfm_api_ns
         app-config
 )

applications/blinky/tests/corstone300_pass_output.log

@@ -1,6 +1,6 @@
 Waiting for provisioning bundle
 Running provisioning bundle
-Booting TF-M v2.1.0
+Booting TF-M v2.1.1
 psa_framework_version is: 257
 LED on
 LED off

applications/blinky/tests/corstone310_pass_output.log

@@ -1,6 +1,6 @@
 Waiting for provisioning bundle
 Running provisioning bundle
-Booting TF-M v2.1.0
+Booting TF-M v2.1.1
 psa_framework_version is: 257
 LED on
 LED off

applications/blinky/tests/corstone315_pass_output.log

@@ -1,6 +1,6 @@
 Waiting for DM provisioning bundle
 Running DM provisioning bundle
-Booting TF-M v2.1.0
+Booting TF-M v2.1.1
 psa_framework_version is: 257
 LED on
 LED off

applications/blinky/tests/corstone320_pass_output.log

@@ -1,6 +1,6 @@
 Waiting for DM provisioning bundle
 Running DM provisioning bundle
-Booting TF-M v2.1.0
+Booting TF-M v2.1.1
 psa_framework_version is: 257
 LED on
 LED off

applications/freertos_iot_libraries_tests/CMakeLists.txt

@@ -4,33 +4,18 @@
 
 cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
 
+set(NS_TARGET_NAME freertos-iot-libraries-tests)
+set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests" CACHE STRING "Path to the application folder")
 set(AWS_OTA_SIGNATURE_TYPE  "RSA-3072" CACHE STRING "Supported algorithms for signature validation [RSA-2048, RSA-3072, EC-P256, EC-P384]")
 
-set(MCUBOOT_IMAGE_VERSION_NS "0.0.1+10")
-set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Total number of firmware images")
-set(DEFAULT_MCUBOOT_FLASH_MAP ON)
-
-set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests" CACHE STRING "Path to the application folder")
+# Toolchain file has to be included before the very first project() call
+include(${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/components/security/trusted_firmware-m/integration/cmake/TfmNsToolchain.cmake)
 
-# Trusted Firmware-M setup
-set(TFM_CMAKE_APP_ARGS
-    -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests/configs/tfm_config/project_config.h
-    -DMCUBOOT_DATA_SHARING=ON
-    -DMCUBOOT_CONFIRM_IMAGE=ON
-    -DMCUBOOT_UPGRADE_STRATEGY=SWAP_USING_SCRATCH
-    -DMCUBOOT_IMAGE_VERSION_NS=${MCUBOOT_IMAGE_VERSION_NS}
-    -DPLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT=ON
-    -DTFM_PARTITION_FIRMWARE_UPDATE=ON
-)
 
 project(freertos-iot-libraries-tests LANGUAGES C)
 
-# Set global optimization level to reduce code size while keeping the debug experience.
-if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
-    add_compile_options(-Og)
-elseif(${CMAKE_C_COMPILER_ID} STREQUAL "ARMClang")
-    add_compile_options(-O1)
-endif()
+set_compiler_and_linker_flags()
+include(${CONFIG_SPE_PATH}/config/cp_check.cmake)
 
 # This variable is checked to apply configurations specific to FreeRTOS Libraries Integrations Tests
 set(FREERTOS_LIBRARIES_INTEGRATION_TESTS 1)
@@ -74,15 +59,13 @@ target_link_libraries(freertos-libraries-integration-tests-config
 add_executable(${CMAKE_PROJECT_NAME}
     main.c
     integration_tests_platform_function.c
+    ${CONFIG_SPE_PATH}/interface/src/os_wrapper/tfm_ns_interface_rtos.c
 )
 
-# Trusted Firmware-M must be built before the application, because
-# the application depends on the NS interface and the BL2 signing scripts,
-# both of which are generated as parts of the Trusted Firmware-M build process.
-add_dependencies(${CMAKE_PROJECT_NAME} trusted_firmware-m-build)
 # The provision data must be built before the application because
 # it provides credentials to connect to AWS
 add_dependencies(${CMAKE_PROJECT_NAME} provisioning_data_bin)
+
 target_link_libraries(${CMAKE_PROJECT_NAME}
     PRIVATE
         backoff-algorithm
@@ -97,30 +80,35 @@ target_link_libraries(${CMAKE_PROJECT_NAME}
         helpers-events
         provisioning-lib
         mbedtls
-        tfm-ns-interface
+        toolchain-override
+        tfm_api_ns
+        # FRI always uses TrustZone
+        tfm_api_ns_tz
 )
 
 set_linker_script(${CMAKE_PROJECT_NAME})
 
 list(APPEND CMAKE_MODULE_PATH ${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/tools/cmake)
 include(ConvertElfToBin)
-include(ExternalProject)
-ExternalProject_Get_Property(trusted_firmware-m-build BINARY_DIR)
 
 extract_sections_from_axf(
     ${CMAKE_PROJECT_NAME}
     SECTIONS_NAMES   "ddr.bin"
     OUTPUT_BIN_NAME  "ns_image"
 )
 
-# The non-secure application image should be padded while being signed
-iot_reference_arm_corstone3xx_tf_m_sign_image(
-    ${CMAKE_PROJECT_NAME}
-    "ns_image"
-    ${CMAKE_PROJECT_NAME}_signed
-    ${MCUBOOT_IMAGE_VERSION_NS}
-    "${BINARY_DIR}/api_ns/image_signing/layout_files/signing_layout_ns.o"
-    TRUE
+# Copy the binary flash content to the location expected by default signing
+# Signing is implemented in the exported TF-M NS CMakeLists.txt (in the
+# ${CONFIG_SPE_PATH} directory)
+add_custom_target(freertos-iot-libraries-tests_bin
+    SOURCES ${CMAKE_BINARY_DIR}/freertos-iot-libraries-tests.bin
+    DEPENDS freertos-iot-libraries-tests
+)
+add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/freertos-iot-libraries-tests.bin
+    DEPENDS freertos-iot-libraries-tests
+    COMMAND ${CMAKE_COMMAND}
+        -E copy ${SECTORS_BIN_DIR}/ns_image.bin
+        ${CMAKE_BINARY_DIR}/freertos-iot-libraries-tests.bin
 )
 
 # A user project that consumes the ARM FRI needs to explicitly provide

applications/freertos_iot_libraries_tests/TfmInitialCache.cmake

@@ -0,0 +1,16 @@
+# Copyright 2025 Arm Limited and/or its affiliates
+# <[email protected]>
+# SPDX-License-Identifier: MIT
+
+include(${ROOT}/cmake/TfmInitialCacheCommon.cmake)
+
+# Trusted Firmware-M setup
+set(TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH "${ROOT}/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h" CACHE FILEPATH "TFM_MBEDCRYPTO_CONFIG_CLIENT_PATH" FORCE)
+set(PROJECT_CONFIG_HEADER_FILE ${ROOT}/applications/freertos_iot_libraries_tests/configs/tfm_config/project_config.h CACHE FILEPATH "PROJECT_CONFIG_HEADER_FILE" FORCE)
+set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "MCUBOOT_IMAGE_NUMBER" FORCE)
+set(DEFAULT_MCUBOOT_FLASH_MAP ON CACHE BOOL "DEFAULT_MCUBOOT_FLASH_MAP" FORCE)
+set(MCUBOOT_DATA_SHARING ON CACHE BOOL "MCUBOOT_DATA_SHARING" FORCE)
+set(MCUBOOT_UPGRADE_STRATEGY "SWAP_USING_SCRATCH" CACHE STRING "MCUBOOT_UPGRADE_STRATEGY" FORCE)
+set(MCUBOOT_IMAGE_VERSION_NS "0.0.10+0" CACHE STRING "MCUBOOT_IMAGE_VERSION_NS" FORCE)
+set(PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT ON CACHE BOOL "PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT" FORCE)
+set(TFM_PARTITION_FIRMWARE_UPDATE ON CACHE BOOL "TFM_PARTITION_FIRMWARE_UPDATE" FORCE)

applications/freertos_iot_libraries_tests/configs/freertos_config/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright 2023-2024 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <[email protected]>
 # SPDX-License-Identifier: MIT
 
@@ -14,6 +14,6 @@ target_compile_definitions(freertos_config
 
 target_link_libraries(freertos_config
     INTERFACE
-        tfm-ns-interface
+        tfm_api_ns
         app-config
 )

applications/freertos_iot_libraries_tests/configs/mbedtls_config/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright 2023-2024 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <[email protected]>
 # SPDX-License-Identifier: MIT
 
@@ -7,11 +7,6 @@ target_include_directories(mbedtls-config
         .
 )
 
-target_compile_definitions(mbedtls-config
-    INTERFACE
-        MBEDTLS_CONFIG_FILE="aws_mbedtls_config.h"
-)
-
 target_link_libraries(mbedtls-config
     INTERFACE
         freertos_kernel

applications/helpers/provisioning/CMakeLists.txt

@@ -1,4 +1,4 @@
-# Copyright 2023-2024 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <[email protected]>
 # SPDX-License-Identifier: MIT
 
@@ -19,9 +19,8 @@ else()
             ${CMAKE_CURRENT_LIST_DIR}/inc
     )
 
-    target_link_libraries(provisioning_data PRIVATE
-        fri-bsp
-    )
+    # Only use interface includes for fri-bsp for provisioning config, public sources are not needed
+    target_include_directories(provisioning_data PRIVATE $<TARGET_PROPERTY:fri-bsp,INTERFACE_INCLUDE_DIRECTORIES>)
 
     set(
         CODE_SIGNING_PUBLIC_KEY_PEM_PATH
@@ -45,13 +44,14 @@ else()
             ${CMAKE_CURRENT_BINARY_DIR}/aws_clientcredential_keys.h
     )
 
-    add_dependencies(aws_clientcredential_keys_header trusted_firmware-m-build)
     add_dependencies(provisioning_data aws_clientcredential_keys_header)
 
     if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
         target_link_options(provisioning_data
             PRIVATE
-                "-nostartfiles"
+            # We should define an entry point to override the default Reset_Handler
+            "--entry=provisioningBundle"
+            "-nostartfiles"
         )
         target_add_scatter_file(provisioning_data ${CMAKE_CURRENT_LIST_DIR}/provisioning_data.ld)
     else()

applications/helpers/provisioning/cmake/SetProvisioningLinkOptions.cmake

@@ -1,13 +1,12 @@
-# Copyright 2023 Arm Limited and/or its affiliates
+# Copyright 2023-2025 Arm Limited and/or its affiliates
 # <[email protected]>
 # SPDX-License-Identifier: MIT
 
 macro(target_add_scatter_file target)
     add_library(${target}_scatter OBJECT)
 
-    target_link_libraries(${target}_scatter PRIVATE
-        fri-bsp
-    )
+    # Only use interface includes for fri-bsp, the linker script does not need public sources
+    target_include_directories(${target}_scatter PRIVATE $<TARGET_PROPERTY:fri-bsp,INTERFACE_INCLUDE_DIRECTORIES>)
 
     if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
         target_link_options(${target}