Add TFM support for stm32l562e_dk board

boards/arm/nucleo_l552ze_q/CMakeLists.txt

@@ -11,58 +11,8 @@ elseif(${ZEPHYR_TOOLCHAIN_VARIANT} STREQUAL "gnuarmemb")
 endif()
 
 if (CONFIG_BUILD_WITH_TFM)
-	# Set default image versions if not defined elsewhere
-	if (NOT DEFINED TFM_IMAGE_VERSION_S)
-		set(TFM_IMAGE_VERSION_S 0.0.0+0)
-	endif()
-
-	if (NOT DEFINED TFM_IMAGE_VERSION_NS)
-		set(TFM_IMAGE_VERSION_NS 0.0.0+0)
-	endif()
-
-	set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
-	set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
-	set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
-
-	# Configure which format (full or hash) to include the public key in
-	# the image manifest
-	set(TFM_PUBLIC_KEY_FORMAT "full")
-
-	#Create and sign for concatenated binary image, should align with the TF-M BL2
-	set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
-
-		#Sign secure binary image with public key
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-			 --layout ${PREPROCESSED_FILE_S}
-			 -k ${CONFIG_TFM_KEY_FILE_S}
-			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-			 --align 1
-			 -v ${TFM_IMAGE_VERSION_S}
-			 --pad
-			 --pad-header
-			 ${ADD_NS_IMAGE_MIN_VER}
-			 -s auto
-			 -H 0x400
-			 $<TARGET_PROPERTY:tfm,TFM_S_BIN_FILE>
-			 ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
-
-		#Sign non-secure binary image with public key
-		COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
-			 --layout ${PREPROCESSED_FILE_NS}
-			 -k ${CONFIG_TFM_KEY_FILE_NS}
-			 --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
-			 --align 1
-			 -v ${TFM_IMAGE_VERSION_NS}
-			 -s auto
-			 ${ADD_S_IMAGE_MIN_VER}
-			 -H 0x400
-			 ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
-			 ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
-
-		#Copy mcuboot.bin
-		COMMAND ${CMAKE_COMMAND} -E copy $<TARGET_PROPERTY:tfm,BL2_BIN_FILE> ${CMAKE_BINARY_DIR}/mcuboot.bin
-
+	set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
 		#Execute post build script postbuild.sh
 		COMMAND ${CMAKE_BINARY_DIR}/tfm/postbuild.sh ${COMPILER_FULL_PATH}
-      )
+	)
 endif()

boards/arm/nucleo_l552ze_q/board.cmake

@@ -1,5 +1,15 @@
- set_ifndef(BOARD_DEBUG_RUNNER pyocd)
- set_ifndef(BOARD_FLASH_RUNNER pyocd)
+if(CONFIG_BUILD_WITH_TFM)
+  set(FLASH_BASE_ADDRESS_S 0x0C000000)
+
+  if (CONFIG_HAS_FLASH_LOAD_OFFSET)
+    MATH(EXPR TFM_HEX_BASE_ADDRESS_NS "${FLASH_BASE_ADDRESS_S}+${CONFIG_FLASH_LOAD_OFFSET}")
+  else()
+    set(TFM_HEX_BASE_ADDRESS_NS ${TFM_FLASH_BASE_ADDRESS_S})
+  endif()
+endif()
+
+set_ifndef(BOARD_DEBUG_RUNNER pyocd)
+set_ifndef(BOARD_FLASH_RUNNER pyocd)
 
 board_runner_args(pyocd "--target=stm32l552zetxq")
 

boards/arm/nucleo_l552ze_q/doc/nucleol552ze_q.rst

@@ -276,7 +276,16 @@ You should see the following message on the console:
 Building a secure/non-secure with Arm |reg| TrustZone |reg|
 -----------------------------------------------------------
 
-The TF-M integration sample :ref:`tfm_ipc` can be run by a Nucleo L552ZE Q, using the ``nucleo_l552ze_q_ns`` target. When building a ``*_ns`` image with TF-M, a ``build/tfm/install/postbuild.sh`` bash script will be run as a post-build step to make some required flash layout changes. The ``build/tfm/install/postbuild.sh`` script will also be used to flash the board. Check the ``build/tfm/install`` directory to ensure that the commands required by these scripts (``readlink``, etc.) are available on your system.
+The TF-M integration sample :ref:`tfm_ipc` can be run by a Nucleo L552ZE Q,
+using the ``nucleo_l552ze_q_ns`` target. When building a ``*_ns`` image with TF-M,
+a ``build/tfm/install/postbuild.sh`` bash script will be run as a post-build step
+to make some required flash layout changes. The ``build/tfm/regression.sh`` script
+will need to be run to perform device initialization, and then run ``west flash --hex-file build/tfm_merged.hex``
+to flash the board.
+
+Check the ``build/tfm/`` directory to ensure that the commands required by these scripts
+(``readlink``, etc.) are available on your system. Please also check ``STM32_Programmer_CLI``
+used for initialization is available in the PATH.
 
 Debugging
 =========

boards/arm/stm32l562e_dk/CMakeLists.txt

@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: Apache-2.0
+
+if(${ZEPHYR_TOOLCHAIN_VARIANT} STREQUAL "zephyr")
+  set(COMPILER_FULL_PATH ${ZEPHYR_SDK_INSTALL_DIR}/arm-zephyr-eabi/bin/arm-zephyr-eabi-gcc)
+elseif(${ZEPHYR_TOOLCHAIN_VARIANT} STREQUAL "gnuarmemb")
+  set(COMPILER_FULL_PATH ${GNUARMEMB_TOOLCHAIN_PATH}/bin/arm-none-eabi-gcc)
+endif()
+
+if(CONFIG_BUILD_WITH_TFM)
+  set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
+    #Execute post build script postbuild.sh
+    COMMAND ${CMAKE_BINARY_DIR}/tfm/postbuild.sh ${COMPILER_FULL_PATH}
+  )
+endif()

boards/arm/stm32l562e_dk/Kconfig.defconfig

@@ -32,4 +32,16 @@ config BT_HCI_VS_EXT
 
 endif # BT
 
+if TRUSTED_EXECUTION_NONSECURE
+
+# Get flash configuration for NS image from dts flash partition
+config USE_DT_CODE_PARTITION
+	default y
+
+config TFM_ISOLATION_LEVEL
+	default 2
+	depends on BUILD_WITH_TFM
+
+endif # TRUSTED_EXECUTION_NONSECURE
+
 endif # BOARD_STM32L562E_DK

boards/arm/stm32l562e_dk/board.cmake

@@ -1,3 +1,13 @@
+if(CONFIG_BUILD_WITH_TFM)
+  set(TFM_FLASH_BASE_ADDRESS 0x0C000000)
+
+  if (CONFIG_HAS_FLASH_LOAD_OFFSET)
+    MATH(EXPR TFM_HEX_BASE_ADDRESS_NS "${TFM_FLASH_BASE_ADDRESS}+${CONFIG_FLASH_LOAD_OFFSET}")
+  else()
+    set(TFM_HEX_BASE_ADDRESS_NS ${TFM_TFM_FLASH_BASE_ADDRESS})
+  endif()
+endif()
+
 set_ifndef(BOARD_DEBUG_RUNNER pyocd)
 set_ifndef(BOARD_FLASH_RUNNER pyocd)
 

boards/arm/stm32l562e_dk/doc/index.rst

@@ -166,6 +166,8 @@ The Zephyr stm32l562e_dk board configuration supports the following hardware fea
 +-----------+------------+-------------------------------------+
 | SPI       | on-chip    | spi                                 |
 +-----------+------------+-------------------------------------+
+| TrustZone | on-chip    | Trusted Firmware-M                  |
++-----------+------------+-------------------------------------+
 
 Other hardware features are not yet supported on this Zephyr port.
 
@@ -254,6 +256,20 @@ You should see the following message on the console:
 
    Hello World! stm32l562e_dk
 
+Building Secure/Non-Secure Zephyr applications with Arm |reg| TrustZone |reg|
+-----------------------------------------------------------------------------
+
+The TF-M integration sample :ref:`tfm_ipc` can be run on a STM32L562E-DK Discovery,
+using the ``stm32l562e_dk_ns`` target. When building a ``*_ns`` image with TF-M,
+a ``build/tfm/postbuild.sh`` bash script will be run automatically as a post-build step
+to make some required flash layout changes. The ``build/tfm/regression.sh`` script will
+need to be run to perform device initialization, and then run ``west flash --hex-file build/tfm_merged.hex``
+to flash the board.
+
+Check the ``build/tfm`` directory to ensure that the commands required by these scripts
+(``readlink``, etc.) are available on your system. Please also check ``STM32_Programmer_CLI``
+used for initialization is available in the PATH.
+
 Debugging
 =========
 

boards/arm/stm32l562e_dk/stm32l562e_dk.dts

@@ -26,3 +26,7 @@
 		sw0 = &user_button;
 	};
 };
+
+&usart1 {
+	pinctrl-0 = <&usart1_tx_pa9 &usart1_rx_pa10>;
+};

boards/arm/stm32l562e_dk/stm32l562e_dk_common.dtsi

@@ -31,7 +31,6 @@
 };
 
 &usart1 {
-	pinctrl-0 = <&usart1_tx_pa9 &usart1_rx_pa10>;
 	current-speed = <115200>;
 	status = "okay";
 };

boards/arm/stm32l562e_dk/stm32l562e_dk_ns.dts

@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2021 Yestin Sun
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/dts-v1/;
+#include "stm32l562e_dk_common.dtsi"
+
+/ {
+	model = "STMicroelectronics STM32L562E-DK Discovery board";
+	compatible = "st,stm32l562e-dk";
+
+	#address-cells = <1>;
+	#size-cells = <1>;
+
+	chosen {
+		zephyr,console = &usart1;
+		zephyr,shell-uart = &usart1;
+		zephyr,sram = &sram0;
+		zephyr,flash = &flash0;
+	};
+
+	aliases {
+		led0 = &green_led_10;
+		sw0 = &user_button;
+	};
+};

boards/arm/stm32l562e_dk/stm32l562e_dk_ns.yaml

@@ -0,0 +1,13 @@
+identifier: stm32l562e_dk_ns
+name: ST STM32L562E-DK Discovery non secure
+type: mcu
+arch: arm
+toolchain:
+  - zephyr
+  - gnuarmemb
+supported:
+  - gpio
+  - i2c
+  - lsm6dso
+ram: 192
+flash: 512

boards/arm/stm32l562e_dk/stm32l562e_dk_ns_defconfig

@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: Apache-2.0
+
+CONFIG_SOC_SERIES_STM32L5X=y
+CONFIG_SOC_STM32L562XX=y
+# 110MHz system clock
+CONFIG_SYS_CLOCK_HW_CYCLES_PER_SEC=110000000
+
+# enable uart driver
+CONFIG_SERIAL=y
+
+# enable pinmux
+CONFIG_PINMUX=y
+
+# enable GPIO
+CONFIG_GPIO=y
+
+# clock configuration
+CONFIG_CLOCK_CONTROL=y
+# SYSCLK selection
+CONFIG_CLOCK_STM32_SYSCLK_SRC_PLL=y
+# PLL configuration
+CONFIG_CLOCK_STM32_PLL_SRC_MSI=y
+CONFIG_CLOCK_STM32_MSI_RANGE=6
+# produce 110MHz clock at PLL output
+CONFIG_CLOCK_STM32_PLL_M_DIVISOR=1
+CONFIG_CLOCK_STM32_PLL_N_MULTIPLIER=55
+CONFIG_CLOCK_STM32_PLL_P_DIVISOR=7
+CONFIG_CLOCK_STM32_PLL_Q_DIVISOR=2
+CONFIG_CLOCK_STM32_PLL_R_DIVISOR=2
+CONFIG_CLOCK_STM32_AHB_PRESCALER=1
+CONFIG_CLOCK_STM32_APB1_PRESCALER=1
+CONFIG_CLOCK_STM32_APB2_PRESCALER=1
+
+# console
+CONFIG_CONSOLE=y
+CONFIG_UART_CONSOLE=y
+
+# Enable MPU
+CONFIG_ARM_MPU=y
+
+CONFIG_ARM_TRUSTZONE_M=y
+CONFIG_CORTEX_M_SYSTICK=y
+CONFIG_RUNTIME_NMI=y
+CONFIG_TRUSTED_EXECUTION_NONSECURE=y

modules/trusted-firmware-m/CMakeLists.txt

@@ -278,6 +278,14 @@ if (CONFIG_BUILD_WITH_TFM)
     set(TFM_PUBLIC_KEY_FORMAT "full")
   endif()
 
+  if(DEFINED TFM_HEX_BASE_ADDRESS_S)
+    set(HEX_ADDR_ARGS_S "--hex-addr=${TFM_HEX_BASE_ADDRESS_S}")
+  endif()
+
+  if(DEFINED TFM_HEX_BASE_ADDRESS_NS)
+    set(HEX_ADDR_ARGS_NS "--hex-addr=${TFM_HEX_BASE_ADDRESS_NS}")
+  endif()
+
   function(tfm_sign OUT_ARG SUFFIX PAD INPUT_FILE OUTPUT_FILE)
     if(PAD)
       set(pad_args --pad --pad-header)
@@ -290,6 +298,7 @@ if (CONFIG_BUILD_WITH_TFM)
       --align 1
       -v ${TFM_IMAGE_VERSION_${SUFFIX}}
       ${pad_args}
+      ${HEX_ADDR_ARGS_${SUFFIX}}
       ${ADD_${SUFFIX}_IMAGE_MIN_VER}
       -s auto
       -H ${CONFIG_ROM_START_OFFSET}

modules/trusted-firmware-m/Kconfig

@@ -14,6 +14,7 @@ config TFM_BOARD
 	default "nxp/lpcxpresso55s69" if BOARD_LPCXPRESSO55S69_CPU0
 	default "mps2/an521" if BOARD_MPS2_AN521
 	default "stm/nucleo_l552ze_q" if BOARD_NUCLEO_L552ZE_Q
+	default "stm/stm32l562e_dk" if BOARD_STM32L562E_DK
 	default "musca_b1" if BOARD_MUSCA_B1
 	default "musca_s1" if BOARD_MUSCA_S1
 	help

samples/tfm_integration/tfm_ipc/README.rst

@@ -103,33 +103,38 @@ Or, post build:
 
       $ ninja run
 
-On ST Nucleo L552ZE Q:
-======================
+On ST Nucleo L552ZE Q or STM32L562E-DK Discovery:
+=================================================
 
 This sample was tested on Ubuntu 18.04 with Zephyr SDK 0.11.3.
 
 Build Zephyr with a non-secure configuration:
 
+   Example, for building non-secure configuration for Nucleo L552ZE Q
+
    .. code-block:: bash
 
       $ west build -b nucleo_l552ze_q_ns samples/tfm_integration/tfm_ipc/
 
-Two scripts are avalaible in the ``build/tfm`` folder:
+   Example, for building non-secure configuration for STM32L562E-DK Discovery
+
+   .. code-block:: bash
+
+      $ west build -b stm32l562e_dk_ns samples/tfm_integration/tfm_ipc/
+
+The script to initialize the device is avalaible in the ``build/tfm`` folder:
 
   - ``regression.sh``: Sets platform option bytes config and erase platform.
-  - ``TFM_UPDATE.sh``: Writes bl2, secure, and non secure image in target.
 
 Run them in the following order to flash the board:
 
    .. code-block:: bash
 
       $ ./build/tfm/regression.sh
-      $ ./build/tfm/TFM_UPDATE.sh
-
-Reset the board.
+      $ west flash --hex-file build/tfm_merged.hex
 
  .. note::
-      Note that ``arm-none-eabi-gcc`` should be available in the PATH variable and that ``STM32_Programmer_CLI`` is required to run ``regression.sh`` and ``TFM_UPDATE.sh`` (see https://www.st.com/en/development-tools/stm32cubeprog.html). If you are still having trouble running these scripts, check the Programming and Debugging section of the :ref:`nucleo_l552ze_q_board` documentation.
+      Note that ``arm-none-eabi-gcc`` should be available in the PATH variable and that ``STM32_Programmer_CLI`` is required to run ``regression.sh`` (see https://www.st.com/en/development-tools/stm32cubeprog.html). If you are still having trouble running these scripts, check the Programming and Debugging section of the :ref:`nucleo_l552ze_q_board` or :ref:`stm32l562e_dk_board` documentation.
 
 On LPCxpresso55S69:
 ===================