build.rst - OpenGrok cross reference for /Zephyr-latest/doc/services/tfm/build.rst

Lines Matching +full:all +full:- +full:outputs
3 TF-M Build System
6 When building a valid ``_ns`` board target, TF-M will be built in the
7 background, and linked with the Zephyr non-secure application. No knowledge
8 of TF-M's build system is required in most cases, and the following will
9 build a TF-M and Zephyr image pair, and run it in qemu with no additional
12    .. code-block:: bash
14 …   $ west build -p auto -b mps2/an521/cpu0/ns samples/tfm_integration/psa_protected_storage/ -t run
16 The outputs and certain key steps in this build process are described here,
17 however, since you will need to understand and interact with the outputs, and
18 deal with signing the secure and non-secure images before deploying them.
20 Images Created by the TF-M Build
23 The TF-M build system creates the following executable files:
25 * tfm_s - TF-M secure firmware
26 * tfm_ns - TF-M non-secure app (only used by regression tests).
27 * bl2 - TF-M MCUboot, if enabled
31 The TF-M build system also creates signed variants of tfm_s and tfm_ns, and a
40 The TF-M non-secure app is discarded in favor of Zephyr non-secure app except
41 when running the TF-M regression test suite.
43 The Zephyr build system usually signs both tfm_s and the Zephyr non-secure app itself.
46 The 'tfm' target contains properties for all these paths.
49    .. code-block::
53 See the top level CMakeLists.txt file in the tfm module for an overview of all
59 When :kconfig:option:`CONFIG_TFM_BL2` is set to ``y``, TF-M uses a secure bootloader
64 By default, ``<tfm-dir>/bl2/ext/mcuboot/root-rsa-3072.pem`` is used to sign secure
65 images, and ``<tfm-dir>/bl2/ext/mcuboot/root-rsa-3072_1.pem`` is used to sign
66 non-secure images. These default .pem keys can (and **should**) be overridden
75    .. code-block:: bash
77      $ imgtool keygen -k root-rsa-3072_s.pem -t rsa-3072
78      $ imgtool keygen -k root-rsa-3072_ns.pem -t rsa-3072
91 After the built-in signing script has run, it creates a ``tfm_merged.hex``
92 file that contains all three binaries: bl2, tfm_s, and the zephyr app. This
96   https://www.psacertified.org/security-certification/psa-certified-level-1/
101 When building a Zephyr application with TF-M it might be necessary to control
102 the CMake arguments passed to the TF-M build.
104 Zephyr TF-M build offers several Kconfig options for controlling the build, but
105 doesn't cover every CMake argument supported by the TF-M build system.
108 to pass custom CMake arguments to the TF-M build system.
110 To pass the CMake argument ``-DFOO=bar`` to the TF-M build system, place the
113    .. code-block:: cmake
117                   -DFOO=bar
123    ``$<1:-DFOO=bar>``
126 passed to the TF-M build system.
130    .. code-block:: cmake
134                   -DFOO="bar\\\;baz"
144 Use the ``tfm_ram_report`` to get the RAM report for TF-M secure firmware (tfm_s).
146 .. zephyr-app-commands::
147     :tool: all
148     :zephyr-app: samples/hello_world
152 Use the ``tfm_rom_report`` to get the ROM report for TF-M secure firmware (tfm_s).
154 .. zephyr-app-commands::
155     :tool: all
156     :zephyr-app: samples/hello_world
160 Use the ``bl2_ram_report`` to get the RAM report for TF-M MCUboot, if enabled.
162 .. zephyr-app-commands::
163     :tool: all
164     :zephyr-app: samples/hello_world
168 Use the ``bl2_rom_report`` to get the ROM report for TF-M MCUboot, if enabled.
170 .. zephyr-app-commands::
171     :tool: all
172     :zephyr-app: samples/hello_world