nrfconnect · travis3630 · Sep 10, 2025 · Oct 13, 2025 · Sep 29, 2025 · travis3630
@@ -33,4 +33,4 @@ CONFIG_TFM_LOG_LEVEL_SILENCE=n
 # from the non secure application directly. This needs to be set
 # otherwise nrfx will try to configure them, resulting in a bus
 # fault.
-CONFIG_SOC_NRF54LX_SKIP_CLOCK_CONFIG=y
+CONFIG_NRF_SKIP_CLOCK_CONFIG=y
@@ -15,6 +15,7 @@
 	model = "Nordic nRF7120 PDK nRF7120 Application MCU";
 
 	chosen {
+		zephyr,code-partition = &slot0_ns_partition;
 		zephyr,sram = &cpuapp_sram;
 	};
 };

@@ -869,6 +869,28 @@
 			status = "disabled";
 			#mbox-cells = <1>;
 		};
+
+		mram_controller: mram-controller@5004e000 {
+			compatible = "nordic,nrf-mramc";
+			reg = <0x5004e000 0x1000>;
+			#address-cells = <1>;
+			#size-cells = <1>;
+			interrupts = <78 NRF_DEFAULT_IRQ_PRIORITY>;
+
+			cpuapp_mram: mram@0 {
+				compatible = "soc-nv-flash";
+				reg = <0 DT_SIZE_K(3972)>;
+				erase-block-size = <4096>;
+				write-block-size = <4>;
+			};
+
+			cpuflpr_mram: mram@3e1000 {
+				compatible = "soc-nv-flash";
+				reg = <0x3e1000 DT_SIZE_K(116)>;
+				erase-block-size = <4096>;
+				write-block-size = <4>;
+			};
+		};
 	};
 
 	wifi: wifi {

@@ -21,28 +21,6 @@ kmu: kmu@49000 {
 	status = "disabled";
 };
 
-mram_controller: mram-controller@4e000 {
-	compatible = "nordic,nrf-mramc";
-	reg = <0x4e000 0x1000>;
-	#address-cells = <1>;
-	#size-cells = <1>;
-	interrupts = <78 NRF_DEFAULT_IRQ_PRIORITY>;
-
-	cpuapp_mram: mram@0 {
-		compatible = "soc-nv-flash";
-		reg = <0 DT_SIZE_K(3972)>;
-		erase-block-size = <4096>;
-		write-block-size = <4>;
-	};
-
-	cpuflpr_mram: mram@3e1000 {
-		compatible = "soc-nv-flash";
-		reg = <0x3e1000 DT_SIZE_K(116)>;
-		erase-block-size = <4096>;
-		write-block-size = <4>;
-	};
-};
-
 spu10: spu@80000 {
 	compatible = "nordic,nrf-spu";
 	reg = <0x80000 0x1000>;

@@ -217,16 +217,16 @@ config TFM_ITS_BUF_SIZE
 
 config TFM_ITS_STACK_SIZE
 	hex "Stack size"
-	default 0x1000 if SOC_SERIES_NRF54LX
-	default 0x720 if !SOC_SERIES_NRF54LX
+	default 0x1000 if SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X
+	default 0x720 if !(SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X)
 
 # Nordic additions to ITS Kconfig
 config TFM_ITS_ENCRYPTED
 	bool
 	prompt "PSA Internal Trusted Storage with encryption"
 	depends on !CRACEN_NEED_MULTIPART_WORKAROUNDS
-	default y if SOC_SERIES_NRF54LX
-	select PSA_WANT_ALG_CHACHA20_POLY1305 if SOC_SERIES_NRF54LX
+	default y if SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X
+	select PSA_WANT_ALG_CHACHA20_POLY1305 if SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X
 	select PSA_WANT_GENERATE_RANDOM
 	help
 	  Enables authenticated encryption for PSA Internal Trusted Storage files
@@ -338,7 +338,7 @@ endchoice
 config TFM_CPU_FREQ_MHZ
 	int
 	default $(div, $(dt_node_int_prop_int,/clocks/hfpll,clock-frequency), 1000000) \
-		if SOC_SERIES_NRF54LX
+		if SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X
 	default $(div, $(dt_node_int_prop_int,/cpus/cpu@0,clock-frequency), 1000000) \
 		if $(dt_node_has_prop,/cpus/cpu@0,clock-frequency)
 	default $(div, $(dt_node_int_prop_int,/cpus/cpu@1,clock-frequency), 1000000) \
@@ -391,7 +391,7 @@ config TFM_SECURE_UART_SHARE_INSTANCE
 choice TFM_SECURE_UART_INSTANCE
 	prompt "TF-M logging UART instance"
 	default TFM_SECURE_UART20 if SOC_NRF54LV10A_ENGA_CPUAPP
-	default TFM_SECURE_UART30 if SOC_SERIES_NRF54LX
+	default TFM_SECURE_UART30 if SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X
 	default TFM_SECURE_UART1
 
 config TFM_SECURE_UART0
@@ -516,6 +516,7 @@ config TFM_S_CODE_VECTOR_TABLE_SIZE
 	default 0x144 if SOC_SERIES_NRF91X
 	default 0x154 if SOC_NRF5340_CPUAPP
 	default 0x47c if SOC_SERIES_NRF54LX
+	default 0x504 if SOC_SERIES_NRF71X
 	default 0xffffffff # Invalid value to discover missing SOC support.
 	help
 	  The TF-M interrupt vector table size.

@@ -13,6 +13,7 @@ config TFM_BOARD
 	default "$(ZEPHYR_NRF_MODULE_DIR)/modules/trusted-firmware-m/tfm_boards/nrf54l15_cpuapp" if SOC_NRF54L15_CPUAPP
 	default "$(ZEPHYR_NRF_MODULE_DIR)/modules/trusted-firmware-m/tfm_boards/nrf54l10_cpuapp" if SOC_NRF54L10_CPUAPP
 	default "$(ZEPHYR_NRF_MODULE_DIR)/modules/trusted-firmware-m/tfm_boards/nrf54lv10a_cpuapp" if SOC_NRF54LV10A_ENGA_CPUAPP
+	default "${ZEPHYR_NRF_MODULE_DIR}/modules/trusted-firmware-m/tfm_boards/nrf7120_cpuapp" if SOC_NRF7120_ENGA_CPUAPP
 	depends on TRUSTED_EXECUTION_NONSECURE
 
 if BUILD_WITH_TFM
@@ -27,8 +28,8 @@ config TFM_DUMMY_PROVISIONING
 
 config TFM_REGRESSION_NS
 	bool
-	select NRF_TIMER0_SECURE if !SOC_SERIES_NRF54LX
-	select NRF_TIMER00_SECURE if SOC_SERIES_NRF54LX
+	select NRF_TIMER0_SECURE if !(SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X)
+	select NRF_TIMER00_SECURE if SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X
 
 config TFM_LOG_LEVEL_SILENCE
 	# Overrule zephyr disable TF-M secure output if the uart1 node has not
@@ -43,7 +44,8 @@ config TFM_LOG_LEVEL_SILENCE
 		   $(dt_nodelabel_has_prop,uart30,pinctrl-names)
 
 choice TFM_PROFILE_TYPE
-	default TFM_PROFILE_TYPE_NOT_SET if SOC_SERIES_NRF54LX || BT_CRYPTO || BT_MESH_USES_TFM_PSA || OPENTHREAD
+	default TFM_PROFILE_TYPE_NOT_SET if SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X || \
+		BT_CRYPTO || BT_MESH_USES_TFM_PSA || OPENTHREAD
 	default TFM_PROFILE_TYPE_MINIMAL
 endchoice
 
@@ -83,7 +85,7 @@ config TFM_PARTITION_PROTECTED_STORAGE
 	select PSA_WANT_KEY_TYPE_AES
 	select PSA_WANT_ALG_CCM if SOC_SERIES_NRF91X
 	select PSA_WANT_ALG_GCM if SOC_NRF5340_CPUAPP
-	select PSA_WANT_ALG_GCM if SOC_SERIES_NRF54LX
+	select PSA_WANT_ALG_GCM if SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X
 
 # Override TF-M crypto dependency on ITS when using KMU
 config TFM_PARTITION_CRYPTO

@@ -15,6 +15,7 @@ config PM_PARTITION_SIZE_TFM_SRAM
 	# assigning 0x16000 of RAM to TFM will not leave enough RAM for
 	# Matter. So we use 0x13000 of RAM on 54L.
 	default 0x13000 if SOC_NRF54L15_CPUAPP
+	default 0x13000 if SOC_NRF7120_ENGA_CPUAPP
 	# Set the of TFM_SRAM to 0x10000(64kB) since the nR54L10
 	# has less RAM. The number was selected based on the observed memory
 	# usage of TFM in crypto samples and it can be changed later if needed.
@@ -28,18 +29,19 @@ config PM_PARTITION_SIZE_TFM
 	hex
 	prompt  "Memory reserved for TFM" if !TFM_PROFILE_TYPE_MINIMAL
 	default 0xE800 if TFM_PROFILE_TYPE_MINIMAL && TFM_CMAKE_BUILD_TYPE_DEBUG && \
-		BOOTLOADER_MCUBOOT && SOC_SERIES_NRF54LX
+		BOOTLOADER_MCUBOOT && (SOC_SERIES_NRF54LX || SOC_SERIES_NRF71X)
 	default 0xFE00 if TFM_PROFILE_TYPE_MINIMAL && TFM_CMAKE_BUILD_TYPE_DEBUG && \
 		BOOTLOADER_MCUBOOT
 	default 0x10000 if TFM_PROFILE_TYPE_MINIMAL && TFM_CMAKE_BUILD_TYPE_DEBUG
-	default 0x6800 if TFM_PROFILE_TYPE_MINIMAL && BOOTLOADER_MCUBOOT && SOC_NRF54L15_CPUAPP
+	default 0x6800 if TFM_PROFILE_TYPE_MINIMAL && BOOTLOADER_MCUBOOT && \
+		(SOC_NRF54L15_CPUAPP || SOC_NRF7120_ENGA_CPUAPP)
 	default 0x7E00 if TFM_PROFILE_TYPE_MINIMAL && BOOTLOADER_MCUBOOT
 	default 0x8000 if TFM_PROFILE_TYPE_MINIMAL
 	# NCSDK-13503: Temporarily bump size while regressions are being fixed
 	default 0x60000 if TFM_REGRESSION_S
 	default 0x4FE00 if TFM_CMAKE_BUILD_TYPE_DEBUG && BOOTLOADER_MCUBOOT
 	default 0x50000 if TFM_CMAKE_BUILD_TYPE_DEBUG
-	default 0x3F800 if BOOTLOADER_MCUBOOT && SOC_NRF54L15_CPUAPP
+	default 0x3F800 if BOOTLOADER_MCUBOOT && (SOC_NRF54L15_CPUAPP || SOC_NRF7120_ENGA_CPUAPP)
 	default 0x3FE00 if BOOTLOADER_MCUBOOT
 	default 0x40000
 	help

@@ -88,10 +88,11 @@ if (${TFM_PARTITION_CRYPTO})
       $<$<BOOL:${CONFIG_HW_UNIQUE_KEY_RANDOM}>:CONFIG_HW_UNIQUE_KEY_RANDOM>
     )
 
-    # nrf54l15/nrf54l10 use the PSA headers in the hw_unique_key_cracen_kmu.c file, which means
-    # that we need to make sure that the nrf_security PSA headers are included
-    # before any other PSA-related headers.
-    if(NRF_SOC_VARIANT MATCHES "nrf54l1[05]" OR NRF_SOC_VARIANT MATCHES "nrf54lv10a")
+    # nrf54l15/nrf54l10/nrf7120 use the PSA headers in the hw_unique_key_cracen_kmu.c
+    # file, which means that we need to make sure that the nrf_security PSA headers
+    # are included before any other PSA-related headers.
+    if((NRF_SOC_VARIANT MATCHES "nrf54l1[05]") OR
+        (NRF_SOC_VARIANT MATCHES "nrf54lv10a") OR (NRF_SOC_VARIANT MATCHES "nrf7120"))
       target_link_libraries(platform_crypto_keys
         PRIVATE
         psa_crypto_library_config
@@ -222,7 +223,8 @@ file(COPY ${CMAKE_CURRENT_LIST_DIR}/common
      DESTINATION ${INSTALL_PLATFORM_NS_DIR})
 
 
-if(NRF_SOC_VARIANT MATCHES "nrf54l1[05]" OR NRF_SOC_VARIANT MATCHES "nrf54lv10a")
+if((NRF_SOC_VARIANT MATCHES "nrf54l1[05]") OR
+    (NRF_SOC_VARIANT MATCHES "nrf54lv10a") OR (NRF_SOC_VARIANT MATCHES "nrf7120"))
   file(COPY ${ZEPHYR_NRF_MODULE_DIR}/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_key_ids.h
        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
   file(COPY ${ZEPHYR_NRF_MODULE_DIR}/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_kmu.h

@@ -33,13 +33,15 @@
 
 #define RTE_USART0 1
 
-#else /* NRF_UARTE0_S - 54L15 devices*/
+#else /* NRF_UARTE0_S - 54L15 or 7120 devices*/
 
-/* Only UART20 and UART30 are supported for TF-M tests, which are the
- * Non-secure applications build via the TF-M build system
+/* UART20 and UART30 are supported for TF-M tests on NRF54LX,
+ * while UART00 and UART30 are supported on NRF71X
  */
-#if defined(CONFIG_TFM_SECURE_UART30)
+#if defined(CONFIG_SOC_SERIES_NRF54LX) && defined(CONFIG_TFM_SECURE_UART30)
 #define RTE_USART20 1
+#elif defined(CONFIG_SOC_SERIES_NRF71X) && defined(CONFIG_TFM_SECURE_UART30)
+#define RTE_USART00 1
 #else
 #define RTE_USART30 1
 #endif

@@ -14,8 +14,8 @@
 #include <zephyr/devicetree.h>
 
 
-#if defined(NRF54L15_XXAA) || defined(NRF54L10_XXAA) || defined(NRF54LV10A_ENGA_XXAA)
-
+#if defined(NRF54L15_XXAA) || defined(NRF54L10_XXAA) || defined(NRF54LV10A_ENGA_XXAA) || \
+	defined(NRF7120_ENGA_XXAA)
 #if defined(CONFIG_TFM_SECURE_UART00) && DOMAIN_NS != 1U
 #define TFM_UART uart00
 #endif /* defined(CONFIG_TFM_SECURE_UART00) */
@@ -46,7 +46,7 @@
 #define TFM_UART uart1
 #endif /* defined(CONFIG_TFM_SECURE_UART1) */
 
-#endif /* NRF54L15_XXAA || NRF54L10_XXAA */
+#endif /* NRF54L15_XXAA || NRF54L10_XXAA || NRF54LV10A_ENGA_XXAA || NRF7120_ENGA_XXAA */
 
 #define DEFAULT_UART_BAUDRATE DT_PROP_OR(DT_NODELABEL(TFM_UART), current_speed, 115200)
 

@@ -0,0 +1,42 @@
+#
+# Copyright (c) 2025, Nordic Semiconductor ASA.
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+set(NRF_BOARD_SELECTED True)
+
+add_subdirectory(${Trusted\ Firmware\ M_SOURCE_DIR}/platform/ext/target/nordic_nrf/common/nrf7120 nrf7120)
+
+add_subdirectory(.. tfm_board)
+
+target_include_directories(platform_s
+  PUBLIC
+  ${ZEPHYR_NRF_MODULE_DIR}/subsys/nrf_security/src/drivers/cracen/cracenpsa/include
+  )
+
+target_sources(platform_s
+  PRIVATE
+  ${ZEPHYR_NRF_MODULE_DIR}/soc/nordic/nrf71/soc.c
+  )
+
+target_include_directories(platform_s
+  PRIVATE
+  ${ZEPHYR_BASE}/modules/cmsis/
+  ${ZEPHYR_NRF_MODULE_DIR}/soc/nordic/nrf71
+  ${ZEPHYR_BASE}/soc/nordic/common
+  )
+
+install(FILES       ${CMAKE_CURRENT_LIST_DIR}/ns/cpuarch_ns.cmake
+        DESTINATION ${INSTALL_PLATFORM_NS_DIR}
+        RENAME      cpuarch.cmake)
+
+install(FILES       config.cmake
+        DESTINATION ${INSTALL_PLATFORM_NS_DIR})
+
+install(FILES       ../common/config.cmake
+        DESTINATION ${INSTALL_PLATFORM_NS_DIR}/../common/)
+
+install(DIRECTORY   ${Trusted\ Firmware\ M_SOURCE_DIR}/platform/ext/target/nordic_nrf/nrf7120pdk_nrf7120_cpuapp/tests
+        DESTINATION ${INSTALL_PLATFORM_NS_DIR}
+)
@@ -0,0 +1,23 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2025, Nordic Semiconductor ASA.
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+#-------------------------------------------------------------------------------
+
+include(${CMAKE_CURRENT_LIST_DIR}/../common/config.cmake)
+
+set(NRF_SOC_VARIANT nrf7120 CACHE STRING "nRF SoC Variant")
+
+include(${PLATFORM_PATH}/common/${NRF_SOC_VARIANT}/config.cmake)
+
+# Override PS_CRYPTO_KDF_ALG
+set(PS_CRYPTO_KDF_ALG                  PSA_ALG_SP800_108_COUNTER_CMAC CACHE STRING    "KDF Algorithm to use")
+
+# attest_hal.c includes bl_storage.h, which needs CONFIG_NRFX_MRAMC to be defined.
+# This is because bl_storage is a lib intended to be run from either the bootloader (Zephyr) or from TF-M.
+# This is independent from the NS image's CONFIG_NRFX_MRAMC, which must be disabled, so we can not inherit
+# this from app Kconfig.
+if(TFM_PARTITION_INITIAL_ATTESTATION)
+  add_compile_definitions(CONFIG_NRFX_MRAMC)
+endif()
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2025, Nordic Semiconductor ASA.
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+set(PLATFORM_PATH platform/ext/target/nordic_nrf)
+
+include(${PLATFORM_PATH}/common/nrf7120/cpuarch.cmake)
+add_compile_definitions(__NRF_TFM__)
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2025, Nordic Semiconductor ASA.
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+set(PLATFORM_DIR  ${CMAKE_CURRENT_LIST_DIR})
+set(PLATFORM_PATH ${CMAKE_CURRENT_LIST_DIR})
+
+include(${CMAKE_CURRENT_LIST_DIR}/common/nrf7120/cpuarch.cmake)
@@ -9,6 +9,7 @@ config SOC_SERIES_NRF71X
 	select HAS_SEGGER_RTT if ZEPHYR_SEGGER_MODULE
 	select SOC_EARLY_INIT_HOOK
 	select SOC_RESET_HOOK
+	select NRF_PLATFORM_LUMOS
 
 config SOC_NRF7120_ENGA_CPUAPP
 	select ARM

@@ -23,10 +23,10 @@ tfm_nonsecure:
 tfm_storage:
   span: []
 
-# In nRF54L15 we place the tfm_storage partitions before the
+# In nRF54L15 and nRF7120 we place the tfm_storage partitions before the
 # TF-M non-secure application to avoid splitting the secure/non-secure
 # partitions more than necessary.
-#if defined(CONFIG_SOC_NRF54L15_CPUAPP) || defined(CONFIG_SOC_NRF54LV10A_ENGA_CPUAPP)
+#if defined(CONFIG_SOC_NRF54L15_CPUAPP) || defined(CONFIG_SOC_NRF54LV10A_ENGA_CPUAPP) || defined(CONFIG_SOC_NRF7120_ENGA_CPUAPP)
 
 tfm_ps:
   placement:

@@ -149,7 +149,7 @@ manifest:
     - name: trusted-firmware-m
       repo-path: sdk-trusted-firmware-m
       path: modules/tee/tf-m/trusted-firmware-m
-      revision: b4dfb8e90f7a133a68fd6949bc24586af99a3e0c
+      revision: 902f58b94409fa12a57e6b821592ea53d8dfef96
     - name: psa-arch-tests
       repo-path: sdk-psa-arch-tests
       path: modules/tee/tf-m/psa-arch-tests