boards: st: stm32wba65i_dk1: Add 'ns' variant for TF-M support

Add variant ns to stm32wba65i_dk1 board to embed TF-M in the SoC
secure world. The flash layout is synced with the layout defined
in Zephyr TF-M integration of platform STM32WBA65I.

Successfully tested against a few samples and test samples:
- samples/tfm_integration/psa_crypto
- samples/tfm_integration/psa_protected_storage
- samples/tfm_integration/tfm_ipc
- samples/tfm_integration/tfm_regression_test
- samples/tfm_integration/tfm_secure_partition
- tests/subsys/secure_storage/psa/crypto
- tests/subsys/secure_storage/psa/its
  (with CONFIG_TFM_ITS_MAX_ASSET_SIZE_OVERRIDE=y
  and CONFIG_TFM_ITS_MAX_ASSET_SIZE=256)

Support for PSA Arch Tests (samples/tfm_integration/tfm_psa_test) is
not yet merged but is in under review [1].

Link: ARM-software/psa-arch-tests#406 [1]
Signed-off-by: Etienne Carriere <[email protected]>

Author: etienne-lms

boards/st/stm32wba65i_dk1/board.cmake

@@ -1,7 +1,29 @@
 # Copyright (c) 2025 STMicroelectronics
 # SPDX-License-Identifier: Apache-2.0
 
-board_runner_args(stm32cubeprogrammer "--port=swd" "--reset-mode=hw")
+if(CONFIG_BUILD_WITH_TFM)
+  set(FLASH_BASE_ADDRESS_S 0x0C000000)
+
+  # Flash merged TF-M + Zephyr binary
+  set_property(TARGET runners_yaml_props_target PROPERTY hex_file tfm_merged.hex)
+
+  if(CONFIG_HAS_FLASH_LOAD_OFFSET)
+    MATH(EXPR TFM_HEX_BASE_ADDRESS_NS "${FLASH_BASE_ADDRESS_S}+${CONFIG_FLASH_LOAD_OFFSET}")
+  else()
+    set(TFM_HEX_BASE_ADDRESS_NS ${TFM_FLASH_BASE_ADDRESS_S})
+  endif()
+
+  # System entry point is TF-M vector, located 1kByte after tfm_fmw_partition in DTS
+  dt_nodelabel(tfm_partition_path NODELABEL slot0_secure_partition REQUIRED)
+  dt_reg_addr(tfm_partition_offset PATH ${tfm_partition_path} REQUIRED)
+  math(EXPR tfm_fwm_boot_address "${tfm_partition_offset}+${FLASH_BASE_ADDRESS_S}+0x400")
+
+  board_runner_args(stm32cubeprogrammer "--port=swd" "--reset-mode=hw"
+    "--erase" "--start-address=${tfm_fwm_boot_address}"
+  )
+else()
+  board_runner_args(stm32cubeprogrammer "--port=swd" "--reset-mode=hw")
+endif()
 
 include(${ZEPHYR_BASE}/boards/common/stm32cubeprogrammer.board.cmake)
 include(${ZEPHYR_BASE}/boards/common/openocd-stm32.board.cmake)

boards/st/stm32wba65i_dk1/board.yml

@@ -4,3 +4,5 @@ board:
   vendor: st
   socs:
     - name: stm32wba65xx
+      variants:
+        - name: ns

boards/st/stm32wba65i_dk1/doc/index.rst

@@ -151,6 +151,48 @@ Supported Features
 
 .. zephyr:board-supported-hw::
 
+Zephyr board options
+====================
+
+Zephyr supports building both Secure and Non-Secure firmware for
+STM32WBA65I-DK1 board where TF-M is the embedded Secure firmware
+and Zephyr the Non-Secure firmware.
+
+The BOARD options are summarized below:
+
++---------------------------------+------------------------------------------+
+| BOARD                           | Description                              |
++=================================+==========================================+
+| stm32wba65i_dk1                 | For building TrustZone Disabled firmware |
++---------------------------------+------------------------------------------+
+| stm32wba65i_dk1/stm32wba65xx/ns | For building Non-Secure firmware         |
++---------------------------------+------------------------------------------+
+
+Here are the instructions to build Zephyr with a non-secure configuration,
+using :zephyr:code-sample:`tfm_ipc` sample:
+
+.. zephyr-app-commands::
+   :zephyr-app: samples/tfm_integration/tfm_ipc
+   :board: stm32wba65i_dk1/stm32wba65xx/ns
+   :goals: build
+
+Once done, before flashing, you need to first run a generated script that
+will set platform Option Bytes config and erase internal flash (among others,
+Option Bit TZEN will be set).
+
+.. code-block:: bash
+
+   $ ./build/tfm/api_ns/regression.sh
+   $ west flash
+
+Please note that, after having programmed the board for a TrustZone enabled system
+(e.g. with ``./build/tfm/api_ns/regression.sh``), the SoC TZEN Option Byte is enabled
+and you will need to operate specific sequence to disable this TZEN Option Byte
+configuration to get your board back in normal state for booting with a TrustZone
+disabled system (e.g. without TF-M support).
+You can use STM32CubeProgrammer_ to disable the SoC TZEN Option Byte config. Refer
+to `How to disable STM32WBA65 TZEN Option Byte`_.
+
 Connections and IOs
 ===================
 
@@ -230,3 +272,6 @@ You can debug an application in the usual way using OpenOCD. Here is an example
 
 .. _STM32CubeProgrammer:
    https://www.st.com/en/development-tools/stm32cubeprog.html
+
+.. _How to disable STM32WBA65 TZEN Option Byte:
+   https://wiki.st.com/stm32mcu/wiki/Connectivity:STM32WBA_BLE_%26_TrustZone#How_to_disable_the_TrustZone

boards/st/stm32wba65i_dk1/stm32wba65i_dk1_stm32wba65xx_ns.dts

@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2025 STMicroelectronics
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/dts-v1/;
+#include "stm32wba65i_dk1.dts"
+
+/ {
+	chosen {
+		zephyr,code-partition = &slot0_ns_partition;
+	};
+
+	/* SRAM1 (node label sram0) last 64kByte are owned by TF-M */
+	sram0: memory@20000000 {
+		reg = <0x20000000 DT_SIZE_K(448 - 64)>;
+	};
+
+	/* SRAM2 (node label sram1) is owned by TF-M */
+	/delete-node/ memory@20070000;
+};
+
+&flash0 {
+	/delete-node/ partitions;
+
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		boot_partition: partition@0 {
+			label = "bootstage";
+			reg = <0 DT_SIZE_K(48)>;
+		};
+
+		slot0_secure_partition: partition@c000 {
+			label = "image-secure";
+			reg = <0xc000 DT_SIZE_K(256)>;
+		};
+
+		slot0_ns_partition: partition@4c000 {
+			label = "image-non-secure";
+			reg = <0x4c000 DT_SIZE_K(512)>;
+		};
+
+		storage_partition: partition@cc000 {
+			label = "storage";
+			reg = <0xcc000 (DT_SIZE_M(2) - DT_SIZE_K(48 + 256 + 512))>;
+		};
+	};
+};

boards/st/stm32wba65i_dk1/stm32wba65i_dk1_stm32wba65xx_ns.yaml

@@ -0,0 +1,10 @@
+identifier: stm32wba65i_dk1/stm32wba65xx/ns
+name: ST STM32WBA65I Discovery kit with TF-M and non-secure firmware
+type: mcu
+arch: arm
+toolchain:
+  - zephyr
+  - gnuarmemb
+ram: 384
+flash: 512
+vendor: st

boards/st/stm32wba65i_dk1/stm32wba65i_dk1_stm32wba65xx_ns_defconfig

@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2025 STMicroelectronics
+
+# Enable UART driver
+CONFIG_SERIAL=y
+
+# Enable GPIO
+CONFIG_GPIO=y
+
+# Console
+CONFIG_CONSOLE=y
+CONFIG_UART_CONSOLE=y
+
+# Enable MPU
+CONFIG_ARM_MPU=y
+
+# Enable HW stack protection
+CONFIG_HW_STACK_PROTECTION=y
+
+# Enable the internal SMPS regulator
+CONFIG_POWER_SUPPLY_DIRECT_SMPS=y
+
+# Enable ADC for joystick
+CONFIG_ADC=y
+
+# Header offset since TF-M has no BL2 hence Zephyr is not signed
+CONFIG_ROM_START_OFFSET=0x400
+
+# Enable TZ non-secure configuration
+CONFIG_TRUSTED_EXECUTION_NONSECURE=y
+CONFIG_RUNTIME_NMI=y