Lines Matching +full:secure +full:- +full:only

3 TF-M Build System
6 When building a valid ``_ns`` board target, TF-M will be built in the
7 background, and linked with the Zephyr non-secure application. No knowledge
8 of TF-M's build system is required in most cases, and the following will
9 build a TF-M and Zephyr image pair, and run it in qemu with no additional
12 .. code-block:: bash
14 … $ west build -p auto -b mps2/an521/cpu0/ns samples/tfm_integration/psa_protected_storage/ -t run
18 deal with signing the secure and non-secure images before deploying them.
20 Images Created by the TF-M Build
23 The TF-M build system creates the following executable files:
25 * tfm_s - TF-M secure firmware
26 * tfm_ns - TF-M non-secure app (only used by regression tests).
27 * bl2 - TF-M MCUboot, if enabled
31 The TF-M build system also creates signed variants of tfm_s and tfm_ns, and a
38 For each of these, only .bin files are created.
40 The TF-M non-secure app is discarded in favor of Zephyr non-secure app except
41 when running the TF-M regression test suite.
43 The Zephyr build system usually signs both tfm_s and the Zephyr non-secure app itself.
49 .. code-block::
59 When :kconfig:option:`CONFIG_TFM_BL2` is set to ``y``, TF-M uses a secure bootloader
62 key, which is stored inside the secure bootloader firmware image.
64 By default, ``<tfm-dir>/bl2/ext/mcuboot/root-rsa-3072.pem`` is used to sign secure
65 images, and ``<tfm-dir>/bl2/ext/mcuboot/root-rsa-3072_1.pem`` is used to sign
66 non-secure images. These default .pem keys can (and **should**) be overridden
75 .. code-block:: bash
77 $ imgtool keygen -k root-rsa-3072_s.pem -t rsa-3072
78 $ imgtool keygen -k root-rsa-3072_ns.pem -t rsa-3072
91 After the built-in signing script has run, it creates a ``tfm_merged.hex``
96 https://www.psacertified.org/security-certification/psa-certified-level-1/
101 When building a Zephyr application with TF-M it might be necessary to control
102 the CMake arguments passed to the TF-M build.
104 Zephyr TF-M build offers several Kconfig options for controlling the build, but
105 doesn't cover every CMake argument supported by the TF-M build system.
108 to pass custom CMake arguments to the TF-M build system.
110 To pass the CMake argument ``-DFOO=bar`` to the TF-M build system, place the
113 .. code-block:: cmake
117 -DFOO=bar
123 ``$<1:-DFOO=bar>``
126 passed to the TF-M build system.
130 .. code-block:: cmake
134 -DFOO="bar\\\;baz"
144 Use the ``tfm_ram_report`` to get the RAM report for TF-M secure firmware (tfm_s).
146 .. zephyr-app-commands::
148 :zephyr-app: samples/hello_world
152 Use the ``tfm_rom_report`` to get the ROM report for TF-M secure firmware (tfm_s).
154 .. zephyr-app-commands::
156 :zephyr-app: samples/hello_world
160 Use the ``bl2_ram_report`` to get the RAM report for TF-M MCUboot, if enabled.
162 .. zephyr-app-commands::
164 :zephyr-app: samples/hello_world
168 Use the ``bl2_rom_report`` to get the ROM report for TF-M MCUboot, if enabled.
170 .. zephyr-app-commands::
172 :zephyr-app: samples/hello_world