nrfconnect · tomi-font · Aug 18, 2025 · Aug 18, 2025 · Aug 20, 2025 · Aug 18, 2025
@@ -333,7 +333,7 @@ add_doxygen_docset(nrfx ${ZEPHYR_HAL_NORDIC_MODULE_DIR} "" STANDALONE)
 #-------------------------------------------------------------------------------
 # docset: tfm
 
-add_docset(tfm "2.1.2")
+add_docset(tfm "2.2.0")
 
 #-------------------------------------------------------------------------------
 # docset: matter

@@ -22,6 +22,9 @@ if(CONFIG_TFM_PARTITION_PLATFORM AND CONFIG_SOC_FAMILY_NORDIC_NRF)
     )
 endif()
 
+set_property(GLOBAL PROPERTY
+  tfm_PM_HEX_FILE $<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
+)
 if(CONFIG_TFM_USE_NS_APP)
   set_property(GLOBAL PROPERTY
     app_PM_HEX_FILE $<TARGET_PROPERTY:tfm,TFM_NS_HEX_FILE>
@@ -37,148 +40,53 @@ if(CONFIG_BOOTLOADER_MCUBOOT AND NOT CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY)
 
   set(mcuboot_single_slot)
   mcuboot_single_check(mcuboot_single_slot)
-
-  if(mcuboot_single_slot)
-    set_property(TARGET zephyr_property_target
-      APPEND PROPERTY TFM_CMAKE_OPTIONS
-      -DNRF_NS_SECONDARY=n
-    )
-  else()
-    set_property(TARGET zephyr_property_target
-      APPEND PROPERTY TFM_CMAKE_OPTIONS
-      -DNRF_NS_SECONDARY=y
-    )
-  endif()
-endif()
-
-if(CONFIG_TFM_HW_INIT_RESET_ON_BOOT)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_HW_INIT_RESET_ON_BOOT=ON
-  )
-
-  if(CONFIG_TFM_HW_INIT_NRF_PERIPHERALS)
-    set_property(TARGET zephyr_property_target
-      APPEND PROPERTY TFM_CMAKE_OPTIONS
-      -DNRF_HW_INIT_NRF_PERIPHERALS=ON
-    )
-  endif()
-endif()
-
-if(CONFIG_TFM_ALLOW_NON_SECURE_RESET)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_ALLOW_NON_SECURE_RESET=ON)
 endif()
 
 set_property(TARGET zephyr_property_target
   APPEND PROPERTY TFM_CMAKE_OPTIONS
   -DCONFIG_TFM_HALT_ON_CORE_PANIC=${CONFIG_TFM_HALT_ON_CORE_PANIC}
-)
-
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS
   -DCONFIG_HW_UNIQUE_KEY=${CONFIG_HW_UNIQUE_KEY}
   -DCONFIG_HW_UNIQUE_KEY_RANDOM=${CONFIG_HW_UNIQUE_KEY_RANDOM}
   -DCRYPTO_TFM_BUILTIN_KEYS_DRIVER=${CONFIG_TFM_CRYPTO_BUILTIN_KEYS}
-)
-
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS
   -DSECURE_UART1=${CONFIG_TFM_SECURE_UART}
-)
-
-if(CONFIG_TFM_SECURE_UART0)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_SECURE_UART_INSTANCE=0
-  )
-endif()
-
-if(CONFIG_TFM_SECURE_UART1)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_SECURE_UART_INSTANCE=1
-  )
-endif()
-
-if(CONFIG_TFM_SECURE_UART00)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_SECURE_UART_INSTANCE=00
-  )
-endif()
-
-if(CONFIG_TFM_SECURE_UART20)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_SECURE_UART_INSTANCE=20
-  )
-endif()
-
-if(CONFIG_TFM_SECURE_UART21)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_SECURE_UART_INSTANCE=21
-  )
-endif()
-
-if(CONFIG_TFM_SECURE_UART22)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_SECURE_UART_INSTANCE=22
-  )
-endif()
-
-if(CONFIG_TFM_SECURE_UART30)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_SECURE_UART_INSTANCE=30
-  )
-endif()
-
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS
   -DCONFIG_TFM_LOG_SHARE_UART=${CONFIG_TFM_SECURE_UART_SHARE_INSTANCE}
-)
-
-set_property(GLOBAL PROPERTY
-  tfm_PM_HEX_FILE $<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
-)
-
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS
   -DZEPHYR_NRF_MODULE_DIR=${ZEPHYR_NRF_MODULE_DIR}
-)
-
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS
   -DZEPHYR_BASE=${ZEPHYR_BASE}
+  -DCRYPTO_HW_ACCELERATOR=ON
+  -DPLATFORM_DEFAULT_NV_SEED=OFF
+  -DTFM_CPU_FREQ_MHZ=${CONFIG_TFM_CPU_FREQ_MHZ}
+  # Pass Zephyr Python to TF-M so both uses identical Python.
+  -DPython3_EXECUTABLE=${Python3_EXECUTABLE}
+  -DPROJECT_CONFIG_HEADER_FILE=${CMAKE_CURRENT_BINARY_DIR}/tfm_config.h
+  -DTFM_EXTRA_CONFIG_PATH="${CMAKE_CURRENT_BINARY_DIR}/config_extra.cmake"
+  -DPS_ROLLBACK_PROTECTION=${CONFIG_TFM_PS_ROLLBACK_PROTECTION}
+  $<$<AND:$<NOT:$<BOOL:${mcuboot_single_slot}>>,$<BOOL:${CONFIG_BOOTLOADER_MCUBOOT}>>:-DNRF_NS_SECONDARY=ON>
+  $<$<BOOL:${CONFIG_TFM_HW_INIT_RESET_ON_BOOT}>:-DNRF_HW_INIT_RESET_ON_BOOT=ON>
+  $<$<BOOL:${CONFIG_TFM_HW_INIT_NRF_PERIPHERALS}>:-DNRF_HW_INIT_NRF_PERIPHERALS=ON>
+  $<$<BOOL:${CONFIG_TFM_ALLOW_NON_SECURE_RESET}>:-DNRF_ALLOW_NON_SECURE_RESET=ON>
+  $<$<BOOL:${CONFIG_TFM_SECURE_UART0}>:-DNRF_SECURE_UART_INSTANCE=0>
+  $<$<BOOL:${CONFIG_TFM_SECURE_UART1}>:-DNRF_SECURE_UART_INSTANCE=1>
+  $<$<BOOL:${CONFIG_TFM_SECURE_UART00}>:-DNRF_SECURE_UART_INSTANCE=00>
+  $<$<BOOL:${CONFIG_TFM_SECURE_UART20}>:-DNRF_SECURE_UART_INSTANCE=20>
+  $<$<BOOL:${CONFIG_TFM_SECURE_UART21}>:-DNRF_SECURE_UART_INSTANCE=21>
+  $<$<BOOL:${CONFIG_TFM_SECURE_UART22}>:-DNRF_SECURE_UART_INSTANCE=22>
+  $<$<BOOL:${CONFIG_TFM_SECURE_UART30}>:-DNRF_SECURE_UART_INSTANCE=30>
+  $<$<BOOL:${CONFIG_TFM_ALLOW_NON_SECURE_FAULT_HANDLING}>:-DNRF_ALLOW_NON_SECURE_FAULT_HANDLING=ON>
+  $<$<BOOL:${CONFIG_TFM_LOG_LEVEL_SILENCE}>:-DPLATFORM_DEFAULT_UART_STDOUT=OFF>
+  # NCSDK-13530 - Allow TF-M crypto to not depend on ITS when PSA crypto storage is disabled.
+  $<$<NOT:$<BOOL:${CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C}>>:-DCRYPTO_STORAGE_DISABLED=ON>
+  $<$<BOOL:${CONFIG_BOOTLOADER_MCUBOOT}>:-DCONFIG_BOOTLOADER_MCUBOOT=ON>
+  $<$<BOOL:${CONFIG_TFM_NRF_PROVISIONING}>:-DNRF_PROVISIONING=ON>
+  $<$<BOOL:${CONFIG_TFM_PSA_FRAMEWORK_HAS_MM_IOVEC}>:-DPSA_FRAMEWORK_HAS_MM_IOVEC=ON>
+  $<$<BOOL:${CONFIG_NRF_TRACE_PORT}>:-DCONFIG_NRF_TRACE_PORT=ON>
+  $<$<BOOL:${CONFIG_TFM_CONN_HANDLE_MAX_NUM}>:-DCONFIG_TFM_DOORBELL_API=${CONFIG_TFM_CONN_HANDLE_MAX_NUM}>
+  $<$<BOOL:${CONFIG_NRF_APPROTECT_LOCK}>:-DCONFIG_NRF_APPROTECT_LOCK=ON>
+  $<$<BOOL:${CONFIG_NRF_APPROTECT_USER_HANDLING}>:-DCONFIG_NRF_APPROTECT_USER_HANDLING=ON>
+  $<$<BOOL:${CONFIG_NRF_SECURE_APPROTECT_LOCK}>:-DCONFIG_NRF_SECURE_APPROTECT_LOCK=ON>
+  $<$<BOOL:${CONFIG_NRF_SECURE_APPROTECT_USER_HANDLING}>:-DCONFIG_NRF_SECURE_APPROTECT_USER_HANDLING=ON>
+  $<$<BOOL:${CONFIG_IDENTITY_KEY_TFM}>:-DCONFIG_IDENTITY_KEY_TFM=ON>
 )
 
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS
-  -DCRYPTO_HW_ACCELERATOR=True
-)
-
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS -DPLATFORM_DEFAULT_NV_SEED=OFF
-  )
-
-if(CONFIG_TFM_ALLOW_NON_SECURE_FAULT_HANDLING)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_ALLOW_NON_SECURE_FAULT_HANDLING=True
-  )
-endif()
-
-if(CONFIG_TFM_LOG_LEVEL_SILENCE)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DPLATFORM_DEFAULT_UART_STDOUT=OFF
-  )
-endif()
-
 if(CONFIG_TFM_PROFILE_TYPE_MINIMAL)
   set_property(TARGET zephyr_property_target
     APPEND PROPERTY TFM_CMAKE_OPTIONS
@@ -204,116 +112,24 @@ if(CONFIG_TFM_PLATFORM_NV_COUNTER_MODULE_DISABLED)
     -DPLATFORM_DEFAULT_OTP=OFF
     -DPLATFORM_DEFAULT_OTP_WRITEABLE=OFF
     -DPLATFORM_DEFAULT_NV_COUNTERS=OFF
-    )
-endif()
-
-if(NOT CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C)
-  # Workaround: NCSDK-13530
-  # Allow TF-M crypto to not depend on ITS when PSA crypto storage is disabled.
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DCRYPTO_STORAGE_DISABLED=TRUE
-  )
-endif()
-
-if(CONFIG_BOOTLOADER_MCUBOOT)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DCONFIG_BOOTLOADER_MCUBOOT=TRUE
   )
 endif()
 
 if(CONFIG_TFM_NRF_PROVISIONING)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DNRF_PROVISIONING=ON
-  )
-
   message("
   TF-M Provisioning has been enabled
   The device must be correctly provisioned in order to boot.
   See TF-M: Provisioning image sample on how to provision the device for TF-M.
   ")
 endif()
 
-if(CONFIG_TFM_PSA_FRAMEWORK_HAS_MM_IOVEC)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DPSA_FRAMEWORK_HAS_MM_IOVEC=ON
-  )
-endif()
-
 if(CONFIG_NFCT_PINS_AS_GPIOS OR CONFIG_TFM_NFCT_PINS_AS_GPIOS)
   set_property(TARGET zephyr_property_target
     APPEND PROPERTY TFM_CMAKE_OPTIONS
     -DCONFIG_NFCT_PINS_AS_GPIOS=ON
   )
 endif()
 
-if(CONFIG_TFM_CPU_FREQ_MHZ)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DTFM_CPU_FREQ_MHZ=${CONFIG_TFM_CPU_FREQ_MHZ}
-  )
-endif()
-
-if(CONFIG_NRF_TRACE_PORT)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DCONFIG_NRF_TRACE_PORT=${CONFIG_NRF_TRACE_PORT}
-  )
-endif()
-
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS
-  # Pass Zephyr Python to TF-M so both uses identical Python.
-  -DPython3_EXECUTABLE=${Python3_EXECUTABLE}
-)
-
-# CONN_HANDLE_MAX_NUM is only needed if IPC mode is used
-# The maximal number of secure services that are connected or requested at the same time
-if(CONFIG_TFM_CONN_HANDLE_MAX_NUM)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DCONFIG_TFM_DOORBELL_API=${CONFIG_TFM_CONN_HANDLE_MAX_NUM}
-  )
-endif()
-
-if(CONFIG_NRF_APPROTECT_LOCK)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DCONFIG_NRF_APPROTECT_LOCK=ON
-  )
-endif()
-
-if(CONFIG_NRF_APPROTECT_USER_HANDLING)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DCONFIG_NRF_APPROTECT_USER_HANDLING=ON
-  )
-endif()
-
-if(CONFIG_NRF_SECURE_APPROTECT_LOCK)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DCONFIG_NRF_SECURE_APPROTECT_LOCK=ON
-  )
-endif()
-
-if(CONFIG_NRF_SECURE_APPROTECT_USER_HANDLING)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DCONFIG_NRF_SECURE_APPROTECT_USER_HANDLING=ON
-  )
-endif()
-
-if(CONFIG_IDENTITY_KEY_TFM)
-  set_property(TARGET zephyr_property_target
-    APPEND PROPERTY TFM_CMAKE_OPTIONS
-    -DCONFIG_IDENTITY_KEY_TFM=ON
-  )
-endif()
-
 zephyr_include_directories(${ZEPHYR_NRF_MODULE_DIR}/include/tfm)
 
 # Default values from config_base.h in TF-M.
@@ -365,20 +181,10 @@ set(CONFIG_TFM_DOORBELL_API                ${CONFIG_TFM_DOORBELL_API})
 configure_file(${CMAKE_CURRENT_SOURCE_DIR}/tfm_config.h.in
                ${CMAKE_CURRENT_BINARY_DIR}/tfm_config.h)
 
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS
-  -DPROJECT_CONFIG_HEADER_FILE=${CMAKE_CURRENT_BINARY_DIR}/tfm_config.h
-)
-
 configure_file(${NRF_DIR}/subsys/nrf_security/configs/config_extra.cmake.in
   ${CMAKE_CURRENT_BINARY_DIR}/config_extra.cmake
 )
 
-set_property(TARGET zephyr_property_target
-  APPEND PROPERTY TFM_CMAKE_OPTIONS
-  -DTFM_EXTRA_CONFIG_PATH="${CMAKE_CURRENT_BINARY_DIR}/config_extra.cmake"
-)
-
 set(BYPRODUCT_KERNEL_SIGNED_HEX_NAME "${CMAKE_BINARY_DIR}/zephyr/tfm_merged.hex"
     CACHE FILEPATH "Kernel hex file" FORCE
 )
@@ -23,9 +23,9 @@
 #define TFM_NS_PARTITION_ID                  MAPPED_TZ_NS_AGENT_DEFAULT_CLIENT_ID
 
 #ifdef CONFIG_HW_UNIQUE_KEY
-static enum tfm_plat_err_t tfm_plat_get_huk(uint8_t *buf, size_t buf_len, size_t *key_len,
-					    psa_key_bits_t *key_bits, psa_algorithm_t *algorithm,
-					    psa_key_type_t *type)
+static enum tfm_plat_err_t tfm_plat_get_huk(const void *ctx, uint8_t *buf, size_t buf_len,
+					    size_t *key_len, psa_key_bits_t *key_bits,
+					    psa_algorithm_t *algorithm, psa_key_type_t *type)
 {
 	if (buf_len < HUK_SIZE_BYTES) {
 		return TFM_PLAT_ERR_SYSTEM_ERR;
@@ -52,9 +52,9 @@ static enum tfm_plat_err_t tfm_plat_get_huk(uint8_t *buf, size_t buf_len, size_t
 #endif /* CONFIG_HW_UNIQUE_KEY */
 
 #ifdef TFM_PARTITION_INITIAL_ATTESTATION
-static enum tfm_plat_err_t tfm_plat_get_iak(uint8_t *buf, size_t buf_len, size_t *key_len,
-					    psa_key_bits_t *key_bits, psa_algorithm_t *algorithm,
-					    psa_key_type_t *type)
+static enum tfm_plat_err_t tfm_plat_get_iak(const void *ctx, uint8_t *buf, size_t buf_len,
+					    size_t *key_len, psa_key_bits_t *key_bits,
+					    psa_algorithm_t *algorithm, psa_key_type_t *type)
 {
 	int err;
 

@@ -69,6 +69,7 @@ set(TEST_PSA_API "${TFM_PSA_TEST_SUITE}")
 set_property(TARGET zephyr_property_target
              APPEND PROPERTY TFM_CMAKE_OPTIONS
              -DCONFIG_TFM_TEST_DIR=${TFM_TEST_DIR}
+             -DTFM_PROFILE=profile_large
 )
 
 set_property(TARGET zephyr_property_target

@@ -65,7 +65,7 @@ manifest:
     # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
     - name: zephyr
       repo-path: sdk-zephyr
-      revision: 1d73d0e3cb5ff37fd53c103bb49c1e9b92be75c5
+      revision: pull/3205/head
       import:
         # In addition to the zephyr repository itself, NCS also
         # imports the contents of zephyr/west.yml at the above
@@ -149,11 +149,11 @@ manifest:
     - name: trusted-firmware-m
       repo-path: sdk-trusted-firmware-m
       path: modules/tee/tf-m/trusted-firmware-m
-      revision: 44bbc980ed6bcc7583d5bf532991f804d8ef0ea6
+      revision: pull/204/head
     - name: psa-arch-tests
       repo-path: sdk-psa-arch-tests
       path: modules/tee/tf-m/psa-arch-tests
-      revision: 3da9313e64806d352c519e3205e81cf959067588
+      revision: pull/5/head
     - name: matter
       repo-path: sdk-connectedhomeip
       path: modules/lib/matter