modules: tfm: Exclude non-secure TF-M application from build

joerchan · carlescufi · commit c51505f66167 · 2022-08-09T13:59:02.000+02:00
Exclude the non-secure TF-M application from being built by TF-M.
This also stops the building of the tfm_ns_api library that we were
linking against.
This library is defined by the tf-m regression tests.
Add the installed interface source files exported by the TF-M build
system compile them in the zephyr build system.

Signed-off-by: Joakim Andersson &lt;joakim.andersson@nordicsemi.no&gt;
diff --git a/modules/trusted-firmware-m/CMakeLists.txt b/modules/trusted-firmware-m/CMakeLists.txt
@@ -49,6 +49,11 @@ if (CONFIG_BUILD_WITH_TFM)
   else()
     list(APPEND TFM_CMAKE_ARGS -DBL2=FALSE)
   endif()
+  if (CONFIG_TFM_BUILD_NS)
+    list(APPEND TFM_CMAKE_ARGS -DNS=TRUE)
+  else()
+    list(APPEND TFM_CMAKE_ARGS -DNS=FALSE)
+  endif()
   if (CONFIG_TFM_ISOLATION_LEVEL)
     list(APPEND TFM_CMAKE_ARGS -DTFM_ISOLATION_LEVEL=${CONFIG_TFM_ISOLATION_LEVEL})
   endif()
@@ -148,8 +153,9 @@ if (CONFIG_BUILD_WITH_TFM)
 
   set(VENEERS_FILE ${TFM_BINARY_DIR}/secure_fw/s_veneers.o)
   set(TFM_API_NS_PATH ${TFM_BINARY_DIR}/tf-m-tests/app/libtfm_api_ns.a)
-  set(TFM_GENERATED_INCLUDES ${TFM_BINARY_DIR}/generated/interface/include)
   set(PLATFORM_NS_FILE ${TFM_BINARY_DIR}/platform/libplatform_ns.a)
+  set(TFM_GENERATED_INCLUDES ${TFM_BINARY_DIR}/generated/interface/include)
+  set(TFM_INTERFACE_SOURCE_DIR ${TFM_BINARY_DIR}/install/interface/src)
 
   if (TFM_PSA_TEST_SUITE)
     set(PSA_TEST_VAL_FILE ${TFM_BINARY_DIR}/tf-m-tests/app/psa_api_tests/val/val_nspe.a)
@@ -195,6 +201,25 @@ if (CONFIG_BUILD_WITH_TFM)
     ${TFM_S_SIGNED_BIN_FILE}
     ${TFM_NS_SIGNED_BIN_FILE}
     ${TFM_S_NS_SIGNED_BIN_FILE}
+
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_initial_attestation_ipc_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_firmware_update_ipc_api.c
+
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_psa_ns_api.c
+
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_initial_attestation_func_api.c
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_firmware_update_func_api.c
+
+    # Specific to nordic_nrf platform
+    ${TFM_INTERFACE_SOURCE_DIR}/tfm_ioctl_core_ns_api.c
     )
 
   # Get the toolchain variant
@@ -331,12 +356,51 @@ if (CONFIG_BUILD_WITH_TFM)
     src/zephyr_tfm_log.c
     interface/interface.c
     )
+
   # Non-Secure interface to request system reboot
   if (CONFIG_TFM_PARTITION_PLATFORM AND NOT CONFIG_TFM_PARTITION_PLATFORM_CUSTOM_REBOOT)
     zephyr_library_sources(src/reboot.c)
   endif()
   zephyr_library_sources_ifndef(CONFIG_TFM_PSA_TEST_NONE src/zephyr_tfm_psa_test.c)
 
+  if (TFM_PSA_TEST_SUITE)
+    zephyr_library_link_libraries(
+      ${PSA_TEST_VAL_FILE}
+      ${PSA_TEST_PAL_FILE}
+      ${PSA_TEST_COMBINE_FILE}
+      )
+  endif()
+
+  if(NOT CONFIG_TFM_BUILD_NS)
+    if(CONFIG_TFM_IPC)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PLATFORM                 ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PROTECTED_STORAGE        ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_CRYPTO                   ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INITIAL_ATTESTATION      ${TFM_INTERFACE_SOURCE_DIR}/tfm_initial_attestation_ipc_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_FIRMWARE_UPDATE          ${TFM_INTERFACE_SOURCE_DIR}/tfm_firmware_update_ipc_api.c)
+
+      zephyr_library_sources(${TFM_INTERFACE_SOURCE_DIR}/tfm_psa_ns_api.c)
+    else()
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PLATFORM                 ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PROTECTED_STORAGE        ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_CRYPTO                   ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INITIAL_ATTESTATION      ${TFM_INTERFACE_SOURCE_DIR}/tfm_initial_attestation_func_api.c)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_FIRMWARE_UPDATE          ${TFM_INTERFACE_SOURCE_DIR}/tfm_firmware_update_func_api.c)
+    endif()
+
+    if(CONFIG_SOC_FAMILY_NRF)
+      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PLATFORM                 ${TFM_INTERFACE_SOURCE_DIR}/tfm_ioctl_core_ns_api.c)
+    endif()
+
+  else()
+    zephyr_library_link_libraries(
+      ${TFM_API_NS_PATH}
+      ${PLATFORM_NS_FILE}
+      )
+  endif()
+
   zephyr_include_directories(
     ${TFM_GENERATED_INCLUDES}
     )
@@ -346,11 +410,6 @@ if (CONFIG_BUILD_WITH_TFM)
     )
 
   zephyr_library_link_libraries(
-    ${PSA_TEST_VAL_FILE}
-    ${PSA_TEST_PAL_FILE}
-    ${PSA_TEST_COMBINE_FILE}
-    ${PLATFORM_NS_FILE}
-    ${TFM_API_NS_PATH}
     ${VENEERS_FILE}
     )
 
@@ -408,7 +467,7 @@ if (CONFIG_BUILD_WITH_TFM)
   set(NS_SIGNED_FILE ${CMAKE_BINARY_DIR}/zephyr_ns_signed.hex)
   set(S_SIGNED_FILE ${CMAKE_BINARY_DIR}/tfm_s_signed.hex)
 
-  if (CONFIG_TFM_REGRESSION_NS)
+  if (CONFIG_TFM_USE_NS_APP)
     # Use the TF-M NS binary as the Non-Secure application firmware image
     set(NS_APP_FILE $<TARGET_PROPERTY:tfm,TFM_NS_HEX_FILE>)
   else()
@@ -453,7 +512,7 @@ if (CONFIG_BUILD_WITH_TFM)
     )
 
   else()
-    if (CONFIG_TFM_REGRESSION_NS)
+    if (CONFIG_TFM_USE_NS_APP)
       tfm_sign(sign_cmd_ns NS TRUE ${NS_APP_FILE} ${NS_SIGNED_FILE})
     else()
       tfm_sign(sign_cmd_ns NS FALSE ${NS_APP_FILE} ${NS_SIGNED_FILE})
diff --git a/modules/trusted-firmware-m/Kconfig.tfm b/modules/trusted-firmware-m/Kconfig.tfm
@@ -206,6 +206,31 @@ config TFM_BL2
 	  TFM is designed to run with MCUboot in a certain configuration.
 	  This config adds MCUboot to the build - built via TFM's build system.
 
+config TFM_BUILD_NS
+	bool "Build the TF-M Non-Secure application and libraries"
+	help
+	  Instruct the TF-M build system to build the TF-M Non-Secure
+	  application and libraries.
+
+	  This option is intended for testing purposes only, since this is the
+	  easiest way to build the TF-M regression tests application and test
+	  support libraries in the zephyr build system.
+
+config TFM_USE_NS_APP
+	bool "Use the TF-M Non-Secure application"
+	depends on TFM_BUILD_NS
+	help
+	  The TF-M build system can produce multiple executable files.
+	  The main one is the TF-M secure firmware. Optionally the TF-M
+	  non-secure application can be built.
+	  Usually the TF-M non-secure application is not used since the
+	  zephyr application is the non-secure application.
+	  With this option enabled this is reversed and the TF-M non-secure
+	  application is used instead of the Zephyr non-secure application.
+
+	  This option is intended for testing purposes only, since this is the
+	  easiest way to integrate and run the TF-M regression tests in the
+	  zephyr build system.
 if TFM_BL2
 
 config TFM_MCUBOOT_IMAGE_NUMBER
@@ -265,12 +290,15 @@ config TFM_REGRESSION_S
 	help
 	  When enabled, this option signifies that the TF-M build includes
 	  the Secure domain regression tests.
+	  The regression tests will be included in the TF-M secure firmware.
 
 config TFM_REGRESSION_NS
-	bool "Use the TF-M Non-Secure Regression test application"
+	bool "TF-M Non-Secure Regression tests"
 	help
-	  When this is enabled, the Zephyr application as a whole will be
-	  replaced with the TF-M Non-Secure Regression test application.
+	  When enabled, this option signifies that the TF-M build includes
+	  the Non-Secure domain regression tests.
+	  The regression tests will be included in the TF-M non-secure
+	  application.
 
 choice TFM_PSA_TEST
 	prompt "Enable a PSA test suite"
diff --git a/samples/tfm_integration/tfm_psa_test/prj.conf b/samples/tfm_integration/tfm_psa_test/prj.conf
@@ -5,6 +5,7 @@
 #
 
 CONFIG_BUILD_WITH_TFM=y
+CONFIG_TFM_BUILD_NS=y
 CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
 CONFIG_QEMU_ICOUNT_SHIFT=1
 
diff --git a/samples/tfm_integration/tfm_regression_test/prj.conf b/samples/tfm_integration/tfm_regression_test/prj.conf
@@ -6,6 +6,8 @@
 
 CONFIG_BUILD_WITH_TFM=y
 CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
+CONFIG_TFM_BUILD_NS=y
+CONFIG_TFM_USE_NS_APP=y
 CONFIG_TFM_REGRESSION_S=y
 CONFIG_TFM_REGRESSION_NS=y
 
diff --git a/west.yml b/west.yml
@@ -225,7 +225,7 @@ manifest:
       groups:
         - debug
     - name: trusted-firmware-m
-      revision: 7c53a6e76130a85303f83b15d868a92fdcd5f5be
+      revision: f13209f1883232cbcb9f0c31fb4c63e7c242df0d
       path: modules/tee/tf-m/trusted-firmware-m
       groups:
         - tee

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`#`
`6`	`6`
`7`	`7`	`CONFIG_BUILD_WITH_TFM=y`
	`8`	`+CONFIG_TFM_BUILD_NS=y`
`8`	`9`	`CONFIG_TFM_PROFILE_TYPE_NOT_SET=y`
`9`	`10`	`CONFIG_QEMU_ICOUNT_SHIFT=1`
`10`	`11`