boards: st: nucleo_u5a5zj_q: Import TF-M code

Add the TF-M S image code dedicated to the board, which uses an
Out-Of-Tree approach. This can be used as example to customers
interested in this technology and don't have an initial idea
how to do it. This will avoid that customers will try the easy
script copy over TF-M folder patch.

Signed-off-by: BUDKE Gerson Fernando <[email protected]>

Author: nandojve

boards/st/nucleo_u5a5zj_q/tfm/CMakeLists.txt

@@ -0,0 +1,80 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+set(NUCLEO_U5A5ZJ_Q_DIR ${CMAKE_CURRENT_LIST_DIR})
+set(STM_COMMON_DIR ${PLATFORM_DIR}/ext/target/stm/common)
+
+include(${STM_COMMON_DIR}/stm32u5xx/CMakeLists.txt)
+
+#========================= Platform defs ===============================#
+
+# Specify the location of platform specific build dependencies.
+target_sources(tfm_s
+    PRIVATE
+        ${STM_COMMON_DIR}/stm32u5xx/Device/Source/startup_stm32u5xx_s.c
+)
+
+# cpuarch.cmake is used to set things that related to the platform that are both
+install(FILES
+    ${TARGET_PLATFORM_PATH}/cpuarch.cmake
+    DESTINATION ${INSTALL_PLATFORM_NS_DIR}
+)
+
+install(FILES
+    ${STM_COMMON_DIR}/stm32u5xx/Device/Source/startup_stm32u5xx_ns.c
+    DESTINATION ${INSTALL_PLATFORM_NS_DIR}/Device/Source
+)
+
+install(DIRECTORY
+    ${TARGET_PLATFORM_PATH}/ns/
+    DESTINATION ${INSTALL_PLATFORM_NS_DIR}
+)
+
+install(DIRECTORY
+    ${TARGET_PLATFORM_PATH}/include
+    DESTINATION ${INSTALL_PLATFORM_NS_DIR}
+)
+
+install(FILES
+    ${TARGET_PLATFORM_PATH}/accelerator/crypto_accelerator_config.h
+    DESTINATION ${INSTALL_PLATFORM_NS_DIR}/include
+)
+
+install(DIRECTORY
+    ${STM_COMMON_DIR}/hal/accelerator/
+    DESTINATION ${INSTALL_PLATFORM_NS_DIR}/include
+    FILES_MATCHING PATTERN "*.h"
+)
+
+install(FILES
+    ${NUCLEO_U5A5ZJ_Q_DIR}/partition/flash_layout.h
+    ${NUCLEO_U5A5ZJ_Q_DIR}/partition/region_defs.h
+    DESTINATION ${INSTALL_PLATFORM_NS_DIR}/partition
+)
+
+if(BL2)
+    target_sources(bl2
+        PRIVATE
+            ${STM_COMMON_DIR}/stm32u5xx/Device/Source/startup_stm32u5xx_bl2.c
+            ${STM_COMMON_DIR}/hal/provision/nvm_init.c
+            ${STM_COMMON_DIR}/hal/provision/nvmcnt_init.c
+            ${NUCLEO_U5A5ZJ_Q_DIR}/keys/otp_provision.c
+    )
+endif()
+#install flash layout for postbuild.sh
+install(FILES
+    ${NUCLEO_U5A5ZJ_Q_DIR}/partition/flash_layout.h
+    ${NUCLEO_U5A5ZJ_Q_DIR}/partition/region_defs.h
+    DESTINATION ${CMAKE_INSTALL_PREFIX}
+)
+set (BL2_FILE_TO_PREPROCESS ${CMAKE_CURRENT_BINARY_DIR}/image_macros_to_preprocess_bl2.c)
+file(WRITE ${BL2_FILE_TO_PREPROCESS} ${BL2_PREPROCESSING})
+
+install(FILES
+    ${BL2_FILE_TO_PREPROCESS}
+    DESTINATION ${CMAKE_INSTALL_PREFIX}
+)

boards/st/nucleo_u5a5zj_q/tfm/accelerator/CMakeLists.txt

@@ -0,0 +1,79 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2020-2024, Arm Limited. All rights reserved.
+# Copyright (c) 2021 STMicroelectronics. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+############################ Crypto Service ####################################
+
+if (TFM_PARTITION_CRYPTO)
+    target_sources(crypto_service_crypto_hw
+        PRIVATE
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/rsa_alt.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/ecdsa_alt.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/gcm_alt.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/aes_alt.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/ccm_alt.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/ecp_alt.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/ecp_curves_alt.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/sha1_alt.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/sha256_alt.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/stm.c
+    )
+
+    target_include_directories(crypto_service_crypto_hw
+        PRIVATE
+            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/accelerator/
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/
+            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/include/
+            ${PLATFORM_DIR}/ext/target/stm/common/stm32u5xx/hal/Inc/
+            ${PLATFORM_DIR}/ext/target/stm/common/stm32u5xx/Device/Include/
+            ${PLATFORM_DIR}/include
+            ${CMAKE_BINARY_DIR}/generated
+            ${CMAKE_SOURCE_DIR}/interface/include
+    )
+    target_include_directories(crypto_service_mbedcrypto
+        PUBLIC
+            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/accelerator/
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/
+            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/include/
+            ${PLATFORM_DIR}/ext/target/stm/common/stm32u5xx/hal/Inc/
+            ${PLATFORM_DIR}/ext/target/stm/common/stm32u5xx/Device/Include/
+    )
+
+    target_include_directories(psa_crypto_config
+        INTERFACE
+            $<BUILD_INTERFACE:${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/accelerator/>
+    )
+
+    target_compile_definitions(crypto_service_crypto_hw
+        PRIVATE
+            ST_HW_CONTEXT_SAVING
+            $<$<AND:$<BOOL:${TFM_PARTITION_PROTECTED_STORAGE}>,$<STREQUAL:${PS_CRYPTO_AEAD_ALG},PSA_ALG_GCM>>:BUILD_CRYPTO_TFM>
+        INTERFACE
+            $<$<AND:$<BOOL:${TFM_PARTITION_PROTECTED_STORAGE}>,$<STREQUAL:${PS_CRYPTO_AEAD_ALG},PSA_ALG_GCM>>:PSA_WANT_ALG_GCM>
+    )
+
+    target_link_libraries(crypto_service_crypto_hw
+        PRIVATE
+            crypto_service_mbedcrypto
+            platform_s
+            cmsis
+    )
+
+    target_link_libraries(crypto_service_mbedcrypto
+        PUBLIC
+            cmsis
+    )
+
+    target_link_libraries(platform_s
+        PRIVATE
+            crypto_service_crypto_hw
+    )
+    target_link_libraries(crypto_service_crypto_hw
+         INTERFACE
+            tfm_config
+    )
+endif()

boards/st/nucleo_u5a5zj_q/tfm/accelerator/crypto_accelerator_config.h

@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2019-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2021 STMicroelectronics. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef CRYPTO_ACCELERATOR_CONF_H
+#define CRYPTO_ACCELERATOR_CONF_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/****************************************************************/
+/* Require built-in implementations based on PSA requirements */
+/****************************************************************/
+#ifdef PSA_USE_SE_ST
+/* secure element define */
+#define PSA_WANT_KEY_TYPE_AES
+#ifdef MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_SE_C
+#define MBEDTLS_CMAC_C
+#define MBEDTLS_CIPHER_MODE_CBC
+#endif
+
+#ifdef PSA_WANT_ALG_SHA_1
+#define MBEDTLS_SHA1_ALT
+#endif /* PSA_WANT_ALG_SHA_1 */
+
+#ifdef PSA_WANT_ALG_SHA_256
+#define MBEDTLS_SHA256_ALT
+#endif /* PSA_WANT_ALG_SHA_256 */
+
+#if defined(PSA_WANT_ALG_RSA_OAEP)			|| \
+	defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT)	|| \
+	defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)		|| \
+	defined(PSA_WANT_ALG_RSA_PSS)			|| \
+	defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)	|| \
+	defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
+#define MBEDTLS_RSA_ALT
+#endif
+
+#if defined(PSA_WANT_ALG_ECDH)				|| \
+	defined(PSA_WANT_ALG_ECDSA)			|| \
+	defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)	|| \
+	defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#define MBEDTLS_ECP_ALT
+#undef MBEDTLS_ECP_NIST_OPTIM
+#endif
+
+#ifdef PSA_WANT_ALG_CCM
+#define MBEDTLS_CCM_ALT
+#endif /* PSA_WANT_ALG_CCM */
+
+#ifdef PSA_WANT_KEY_TYPE_AES
+#define MBEDTLS_AES_ALT
+#endif /* PSA_WANT_KEY_TYPE_AES */
+
+#ifdef PSA_WANT_ALG_GCM
+#define MBEDTLS_GCM_ALT
+#endif /* PSA_WANT_ALG_GCM */
+
+#if defined(PSA_WANT_ALG_ECDSA)				||  \
+	defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
+#define MBEDTLS_ECDSA_VERIFY_ALT
+#define MBEDTLS_ECDSA_SIGN_ALT
+#endif
+
+#endif
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* CRYPTO_ACCELERATOR_CONF_H */

boards/st/nucleo_u5a5zj_q/tfm/accelerator/mbedtls_accelerator_config.h

@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2019-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2021 STMicroelectronics. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef MBEDTLS_ACCELERATOR_CONF_H
+#define MBEDTLS_ACCELERATOR_CONF_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/* RNG Config */
+#undef MBEDTLS_ENTROPY_NV_SEED
+#undef MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+
+#undef MBEDTLS_AES_SETKEY_DEC_ALT
+#undef MBEDTLS_AES_DECRYPT_ALT
+
+/* specific Define for platform hardware accelerator */
+#define GENERATOR_HW_PKA_EXTENDED_API
+#define GENERATOR_HW_CRYPTO_DPA_SUPPORTED
+#define HW_CRYPTO_DPA_AES
+#define HW_CRYPTO_DPA_GCM
+
+/****************************************************************/
+/* Infer PSA requirements from Mbed TLS capabilities */
+/****************************************************************/
+#ifndef MBEDTLS_PSA_CRYPTO_CONFIG
+
+#ifdef MBEDTLS_SHA1_C
+#define MBEDTLS_SHA1_ALT
+#endif /* MBEDTLS_SHA1_C */
+
+#ifdef MBEDTLS_SHA256_C
+#define MBEDTLS_SHA256_ALT
+#endif /* MBEDTLS_SHA256_C */
+
+#ifdef MBEDTLS_RSA_C
+#define MBEDTLS_RSA_ALT
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+#define MBEDTLS_ECP_ALT
+#undef MBEDTLS_ECP_NIST_OPTIM
+/*#define MBEDTLS_MD5_ALT*/
+#endif /* MBEDTLS_ECP_C && MBEDTLS_MD_C */
+
+#ifdef MBEDTLS_CCM_C
+#define MBEDTLS_CCM_ALT
+#endif /* MBEDTLS_CCM_C */
+
+#ifdef MBEDTLS_AES_C
+#define MBEDTLS_AES_ALT
+#endif /* MBEDTLS_AES_C */
+
+#ifdef MBEDTLS_GCM_C
+#define MBEDTLS_GCM_ALT
+#endif /* MBEDTLS_GCM_C */
+
+#ifdef MBEDTLS_ECDSA_C
+#define MBEDTLS_ECDSA_VERIFY_ALT
+#define MBEDTLS_ECDSA_SIGN_ALT
+#endif /* MBEDTLS_ECDSA_C */
+
+/* secure element define */
+#ifdef MBEDTLS_PSA_CRYPTO_C
+#ifdef PSA_USE_SE_ST
+#define MBEDTLS_PSA_CRYPTO_SE_C
+#define MBEDTLS_CMAC_C
+#define MBEDTLS_CIPHER_MODE_CBC
+#endif
+#endif
+
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* MBEDTLS_ACCELERATOR_CONF_H */

boards/st/nucleo_u5a5zj_q/tfm/config.cmake

@@ -0,0 +1,53 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2020-2023, Arm Limited. All rights reserved.
+# Copyright (c) 2021 STMicroelectronics. All rights reserved.
+# Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon company)
+# or an affiliate of Cypress Semiconductor Corporation. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+################################## BL2 #########################################################################################################
+set(MCUBOOT_IMAGE_NUMBER                   2           CACHE STRING    "Whether to combine S and NS into either 1 image, or sign each separately")
+set(BL2_TRAILER_SIZE                       0x9000      CACHE STRING    "Trailer size")
+set(MCUBOOT_ALIGN_VAL                      16          CACHE STRING    "Align option to build image with imgtool")
+set(MCUBOOT_UPGRADE_STRATEGY      "SWAP_USING_SCRATCH" CACHE STRING    "Upgrade strategy for images")
+set(TFM_PARTITION_PLATFORM                 ON          CACHE BOOL      "Enable platform partition")
+set(MCUBOOT_CONFIRM_IMAGE                  ON          CACHE BOOL      "Whether to confirm the image if REVERT is supported in MCUboot")
+set(MCUBOOT_BOOTSTRAP                      ON          CACHE BOOL      "Allow initial state with images in secondary slots(empty primary slots)")
+set(MCUBOOT_ENC_IMAGES                     ON          CACHE BOOL      "Enable encrypted image upgrade support")
+set(MCUBOOT_ENCRYPT_RSA                    ON          CACHE BOOL      "Use RSA for encrypted image upgrade support")
+set(MCUBOOT_DATA_SHARING                   ON          CACHE BOOL      "Enable Data Sharing")
+cmake_path(NORMAL_PATH MCUBOOT_KEY_S)
+cmake_path(NORMAL_PATH MCUBOOT_KEY_NS)
+cmake_path(GET MCUBOOT_KEY_S PARENT_PATH MCUBOOT_KEY_PATH)
+set(MCUBOOT_KEY_ENC "${MCUBOOT_KEY_PATH}/rsa-2048-public-bl2.pem" CACHE FILEPATH "Path to key with which to encrypt binary")
+
+################################## Dependencies ################################################################################################
+set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ON          CACHE BOOL      "Enable Internal Trusted Storage partition")
+set(TFM_PARTITION_CRYPTO                   ON          CACHE BOOL      "Enable Crypto partition")
+set(CRYPTO_HW_ACCELERATOR                  ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
+set(MBEDCRYPTO_BUILD_TYPE                  minsizerel  CACHE STRING    "Build type of Mbed Crypto library")
+set(TFM_DUMMY_PROVISIONING                 OFF         CACHE BOOL      "Provision with dummy values. NOT to be used in production")
+set(PLATFORM_DEFAULT_OTP_WRITEABLE         OFF         CACHE BOOL      "Use on chip flash with write support")
+set(PLATFORM_DEFAULT_NV_COUNTERS           OFF         CACHE BOOL      "Use default nv counter implementation.")
+set(PS_CRYPTO_AEAD_ALG                     PSA_ALG_GCM CACHE STRING    "The AEAD algorithm to use for authenticated encryption in Protected Storage")
+set(MCUBOOT_FIH_PROFILE                    LOW         CACHE STRING    "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")
+
+################################## Platform-specific configurations ############################################################################
+set(CONFIG_TFM_USE_TRUSTZONE               ON          CACHE BOOL      "Use TrustZone")
+set(TFM_MULTI_CORE_TOPOLOGY                OFF         CACHE BOOL      "Platform has multi core")
+set(PLATFORM_HAS_FIRMWARE_UPDATE_SUPPORT   ON          CACHE BOOL      "Whether the platform has firmware update support")
+set(STSAFEA                                OFF         CACHE BOOL      "Activate ST SAFE SUPPORT")
+
+################################## FIRMWARE_UPDATE #############################################################################################
+set(TFM_PARTITION_FIRMWARE_UPDATE          ON          CACHE BOOL      "Enable firmware update partition")
+set(MCUBOOT_HW_ROLLBACK_PROT               ON          CACHE BOOL      "Security counter validation against non-volatile HW counters")
+set(TFM_FWU_BOOTLOADER_LIB                 "mcuboot"   CACHE STRING    "Bootloader configure file for Firmware Update partition")
+set(TFM_CONFIG_FWU_MAX_WRITE_SIZE          8192        CACHE STRING    "The maximum permitted size for block in psa_fwu_write, in bytes.")
+set(TFM_CONFIG_FWU_MAX_MANIFEST_SIZE       0           CACHE STRING    "The maximum permitted size for manifest in psa_fwu_start(), in bytes.")
+set(FWU_DEVICE_CONFIG_FILE                 ""          CACHE STRING    "The device configuration file for Firmware Update partition")
+set(FWU_SUPPORT_TRIAL_STATE                ON          CACHE BOOL      "Device support TRIAL component state.")
+set(DMCUBOOT_UPGRADE_STRATEGY              SWAP_USING_MOVE)
+set(DEFAULT_MCUBOOT_FLASH_MAP              ON          CACHE BOOL      "Whether to use the default flash map defined by TF-M project")