[nrf fromtree] tfm: Harded build against TF-M built with unsecure keys

joerchan · nordicjm · commit ec48dcb2ee49 · 2023-12-14T07:51:54.000Z
Introduce Kconfig option in zephyr build system that reflects the TF-M cmake config variable with the same default value for dummy provisioning and have it satisfy the IAK present requirement. This configuration is not suitable for production, and by having this in zephyr configuration we can have this as part of the hardened configuration check. Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no> (cherry picked from commit 25787e2) Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
diff --git a/boards/arm/b_u585i_iot02a/Kconfig.defconfig b/boards/arm/b_u585i_iot02a/Kconfig.defconfig
@@ -20,4 +20,11 @@ config USE_DT_CODE_PARTITION
 config SYS_CLOCK_TICKS_PER_SEC
 	default 4096 if STM32_LPTIM_TIMER
 
+if BUILD_WITH_TFM
+
+config TFM_DUMMY_PROVISIONING
+	default n
+
+endif # BUILD_WITH_TFM
+
 endif # BOARD_B_U585I_IOT02A
diff --git a/modules/trusted-firmware-m/CMakeLists.txt b/modules/trusted-firmware-m/CMakeLists.txt
@@ -95,6 +95,12 @@ if (CONFIG_BUILD_WITH_TFM)
     list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_IMAGE_NUMBER=${CONFIG_TFM_MCUBOOT_IMAGE_NUMBER})
   endif()
 
+  if (CONFIG_TFM_DUMMY_PROVISIONING)
+    list(APPEND TFM_CMAKE_ARGS -DTFM_DUMMY_PROVISIONING=ON)
+  else()
+    list(APPEND TFM_CMAKE_ARGS -DTFM_DUMMY_PROVISIONING=OFF)
+  endif()
+
   if (CONFIG_TFM_EXCEPTION_INFO_DUMP)
     list(APPEND TFM_CMAKE_ARGS -DTFM_EXCEPTION_INFO_DUMP=ON)
   else()
@@ -579,4 +585,13 @@ if (CONFIG_BUILD_WITH_TFM)
       ${MERGED_FILE}
     )
   endif()
-endif()
+
+  if(CONFIG_TFM_DUMMY_PROVISIONING)
+    message(WARNING
+      "TFM_DUMMY_PROVISIONING is enabled:
+      The device will be provisioned using dummy keys and is NOT secure!
+      This is not suitable for production"
+      )
+  endif()
+
+endif() # CONFIG_BUILD_WITH_TFM
diff --git a/modules/trusted-firmware-m/Kconfig.tfm b/modules/trusted-firmware-m/Kconfig.tfm
@@ -177,6 +177,17 @@ config TFM_PARTITION_PLATFORM_CUSTOM_REBOOT
 	  Instead the application will have to override the weak ARM
 	  implementation of sys_arch_reset().
 
+config TFM_DUMMY_PROVISIONING
+	bool "Provision with dummy values. NOT to be used in production"
+	default y
+	help
+	  If this option is enabled (as it is by default), a set of dummy
+	  keys / data will be provisioned. The dummy IAK matches the IAK tested
+	  by the TF-M tests, and the dummy bl2 ROTPKs match the dummy bl2 keys
+	  used by default.
+	  This option MUST not be used in production hardware, as the keys are
+	  insecure.
+
 config TFM_BL2_NOT_SUPPORTED
 	bool
 	help
diff --git a/scripts/kconfig/hardened.csv b/scripts/kconfig/hardened.csv
@@ -39,6 +39,7 @@ TEST_RANDOM_GENERATOR,n
 TEST_SHELL,n
 TEST_USERSPACE,n
 TFM_CMAKE_BUILD_TYPE_DEBUG,n
+TFM_DUMMY_PROVISIONING,n
 THREAD_MONITOR,n
 THREAD_NAME,n
 TIMER_RANDOM_GENERATOR,n
