# Copyright (c) 2019 - 2023 Linaro
# Copyright (c) 2020 - 2023 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: Apache-2.0
# Every secure partition that TF-M supports and that this file can switch on
# or off. Each name must match the one used in
# 'trusted-firmware-m/tools/tfm_manifest_list.yaml'.
#
# The loop over this list further down passes -D<name>=ON or -D<name>=OFF to
# the TF-M build for every entry, depending on CONFIG_<name>.
set(TFM_VALID_PARTITIONS "")
list(APPEND TFM_VALID_PARTITIONS
  TFM_PARTITION_NS_AGENT_MAILBOX
  TFM_PARTITION_PROTECTED_STORAGE
  TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
  TFM_PARTITION_CRYPTO
  TFM_PARTITION_PLATFORM
  TFM_PARTITION_INITIAL_ATTESTATION
  TFM_PARTITION_FIRMWARE_UPDATE
)
# Crypto modules of the TF-M crypto partition that can be enabled or disabled
# individually. The names correspond to the *_MODULE_DISABLED configs in
# 'trusted-firmware-m/secure_fw/partitions/crypto/Kconfig'.
#
# The loop over this list further down inverts the Zephyr-side setting:
# CONFIG_TFM_<name>_ENABLED=y becomes -D<name>_DISABLED=FALSE, anything else
# becomes -D<name>_DISABLED=TRUE.
set(TFM_CRYPTO_MODULES "")
list(APPEND TFM_CRYPTO_MODULES
  CRYPTO_RNG_MODULE
  CRYPTO_KEY_MODULE
  CRYPTO_AEAD_MODULE
  CRYPTO_MAC_MODULE
  CRYPTO_HASH_MODULE
  CRYPTO_CIPHER_MODULE
  CRYPTO_ASYM_SIGN_MODULE
  CRYPTO_ASYM_ENCRYPT_MODULE
  CRYPTO_KEY_DERIVATION_MODULE
)
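if(CONFIG_BUILD_WITH_TFM)
  # Builds Trusted Firmware-M next to the Zephyr (Non-Secure) application and
  # wires its outputs into the Zephyr build:
  #   1. Kconfig selections are translated into -D arguments (TFM_CMAKE_ARGS).
  #   2. A custom command configures TF-M; ExternalProject builds and installs it.
  #   3. The NS interface sources/libraries are attached to the 'tfm_api' library.
  #   4. Post-build commands merge (and, with BL2, sign) the S and NS images.

  # PSA API awareness for the Non-Secure application
  target_compile_definitions(app PRIVATE "TFM_PSA_API")

  # SPM backend. Note the double quotes are part of the argument text.
  if(CONFIG_TFM_SFN)
    list(APPEND TFM_CMAKE_ARGS -DCONFIG_TFM_SPM_BACKEND="SFN")
  else() # CONFIG_TFM_IPC
    list(APPEND TFM_CMAKE_ARGS -DCONFIG_TFM_SPM_BACKEND="IPC")
  endif()

  # Secure / Non-Secure regression test suites
  if(CONFIG_TFM_REGRESSION_S)
    list(APPEND TFM_CMAKE_ARGS -DTEST_S=ON)
  endif()
  if(CONFIG_TFM_REGRESSION_NS)
    list(APPEND TFM_CMAKE_ARGS -DTEST_NS=ON)
  endif()

  # BL2 (MCUboot) is always passed explicitly, together with the image
  # versions when it is enabled.
  if(CONFIG_TFM_BL2)
    list(APPEND TFM_CMAKE_ARGS
      -DBL2=TRUE
      -DMCUBOOT_IMAGE_VERSION_S=${CONFIG_TFM_IMAGE_VERSION_S}
      -DMCUBOOT_IMAGE_VERSION_NS=${CONFIG_TFM_IMAGE_VERSION_NS}
      )
  else()
    list(APPEND TFM_CMAKE_ARGS -DBL2=FALSE)
  endif()

  if(CONFIG_TFM_BUILD_NS)
    list(APPEND TFM_CMAKE_ARGS -DNS=TRUE)
  else()
    list(APPEND TFM_CMAKE_ARGS -DNS=FALSE)
  endif()

  # Only forwarded when set; otherwise the TF-M build uses its own default.
  if(CONFIG_TFM_ISOLATION_LEVEL)
    list(APPEND TFM_CMAKE_ARGS -DTFM_ISOLATION_LEVEL=${CONFIG_TFM_ISOLATION_LEVEL})
  endif()
  if(CONFIG_TFM_ITS_NUM_ASSETS_OVERRIDE)
    list(APPEND TFM_CMAKE_ARGS -DITS_NUM_ASSETS=${CONFIG_TFM_ITS_NUM_ASSETS})
  endif()
  if(CONFIG_TFM_ITS_MAX_ASSET_SIZE_OVERRIDE)
    list(APPEND TFM_CMAKE_ARGS -DITS_MAX_ASSET_SIZE=${CONFIG_TFM_ITS_MAX_ASSET_SIZE})
  endif()
  if(CONFIG_TFM_PROFILE)
    list(APPEND TFM_CMAKE_ARGS -DTFM_PROFILE=${CONFIG_TFM_PROFILE})
  endif()

  # At most one PSA API test suite is selected; the first match wins.
  if(CONFIG_TFM_PSA_TEST_CRYPTO)
    set(TFM_PSA_TEST_SUITE CRYPTO)
  elseif(CONFIG_TFM_PSA_TEST_PROTECTED_STORAGE)
    set(TFM_PSA_TEST_SUITE PROTECTED_STORAGE)
  elseif(CONFIG_TFM_PSA_TEST_INTERNAL_TRUSTED_STORAGE)
    set(TFM_PSA_TEST_SUITE INTERNAL_TRUSTED_STORAGE)
  elseif(CONFIG_TFM_PSA_TEST_STORAGE)
    set(TFM_PSA_TEST_SUITE STORAGE)
  elseif(CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION)
    set(TFM_PSA_TEST_SUITE INITIAL_ATTESTATION)
  endif()
  if(DEFINED TFM_PSA_TEST_SUITE)
    list(APPEND TFM_CMAKE_ARGS -DTEST_PSA_API=${TFM_PSA_TEST_SUITE})
  endif()

  # Build type of the nested TF-M build; RelWithDebInfo when nothing is selected.
  if(CONFIG_TFM_CMAKE_BUILD_TYPE_RELEASE)
    set(TFM_CMAKE_BUILD_TYPE "Release")
  elseif(CONFIG_TFM_CMAKE_BUILD_TYPE_MINSIZEREL)
    set(TFM_CMAKE_BUILD_TYPE "MinSizeRel")
  elseif(CONFIG_TFM_CMAKE_BUILD_TYPE_DEBUG)
    set(TFM_CMAKE_BUILD_TYPE "Debug")
  else()
    set(TFM_CMAKE_BUILD_TYPE "RelWithDebInfo")
  endif()

  if(DEFINED CONFIG_TFM_MCUBOOT_IMAGE_NUMBER)
    list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_IMAGE_NUMBER=${CONFIG_TFM_MCUBOOT_IMAGE_NUMBER})
  endif()

  # Always passed explicitly, so the secure image only dumps exception
  # information when the Kconfig option asks for it.
  # NOTE(review): this is a debugging aid on the secure side; confirm it is
  # off in release configurations.
  if(CONFIG_TFM_EXCEPTION_INFO_DUMP)
    list(APPEND TFM_CMAKE_ARGS -DTFM_EXCEPTION_INFO_DUMP=ON)
  else()
    list(APPEND TFM_CMAKE_ARGS -DTFM_EXCEPTION_INFO_DUMP=OFF)
  endif()

  # Secure partition log level. CONFIG_TFM_LOG_LEVEL_SILENCE silences both the
  # partition and the SPM log, but only when no more verbose level matched first.
  if(CONFIG_TFM_PARTITION_LOG_LEVEL_DEBUG)
    set(TFM_PARTITION_LOG_LEVEL "TFM_PARTITION_LOG_LEVEL_DEBUG")
  elseif(CONFIG_TFM_PARTITION_LOG_LEVEL_INFO)
    set(TFM_PARTITION_LOG_LEVEL "TFM_PARTITION_LOG_LEVEL_INFO")
  elseif(CONFIG_TFM_PARTITION_LOG_LEVEL_ERROR)
    set(TFM_PARTITION_LOG_LEVEL "TFM_PARTITION_LOG_LEVEL_ERROR")
  elseif(CONFIG_TFM_PARTITION_LOG_LEVEL_SILENCE OR CONFIG_TFM_LOG_LEVEL_SILENCE)
    set(TFM_PARTITION_LOG_LEVEL "TFM_PARTITION_LOG_LEVEL_SILENCE")
  endif()

  if(DEFINED TFM_PARTITION_LOG_LEVEL)
    list(APPEND TFM_CMAKE_ARGS -DTFM_PARTITION_LOG_LEVEL=${TFM_PARTITION_LOG_LEVEL})
  endif()

  # SPM log level, same selection scheme as the partition log level.
  if(CONFIG_TFM_SPM_LOG_LEVEL_DEBUG)
    set(TFM_SPM_LOG_LEVEL "TFM_SPM_LOG_LEVEL_DEBUG")
  elseif(CONFIG_TFM_SPM_LOG_LEVEL_INFO)
    set(TFM_SPM_LOG_LEVEL "TFM_SPM_LOG_LEVEL_INFO")
  elseif(CONFIG_TFM_SPM_LOG_LEVEL_ERROR)
    set(TFM_SPM_LOG_LEVEL "TFM_SPM_LOG_LEVEL_ERROR")
  elseif(CONFIG_TFM_SPM_LOG_LEVEL_SILENCE OR CONFIG_TFM_LOG_LEVEL_SILENCE)
    set(TFM_SPM_LOG_LEVEL "TFM_SPM_LOG_LEVEL_SILENCE")
  endif()

  if(DEFINED TFM_SPM_LOG_LEVEL)
    list(APPEND TFM_CMAKE_ARGS -DTFM_SPM_LOG_LEVEL=${TFM_SPM_LOG_LEVEL})
  endif()

  # Enable TFM partitions as specified in Kconfig.
  # Every known partition is passed explicitly, so one that is not enabled in
  # Kconfig is forced OFF instead of being left to the TF-M default.
  foreach(partition ${TFM_VALID_PARTITIONS})
    if(CONFIG_${partition})
      set(val "ON")
    else()
      set(val "OFF")
    endif()
    list(APPEND TFM_CMAKE_ARGS -D${partition}=${val})
  endforeach()

  # Enable TFM crypto modules as specified in Kconfig.
  # The TF-M side option is a *_DISABLED flag, hence the inverted value: a
  # module that is not enabled in Kconfig is explicitly disabled.
  foreach(module ${TFM_CRYPTO_MODULES})
    if(CONFIG_TFM_${module}_ENABLED)
      set(val "FALSE")
    else()
      set(val "TRUE")
    endif()
    list(APPEND TFM_CMAKE_ARGS -D${module}_DISABLED=${val})
  endforeach()

  # Root of all TF-M build artifacts.
  set(TFM_BINARY_DIR ${CMAKE_BINARY_DIR}/tfm)

  # Test repositories are expected as siblings of the TF-M module directory.
  set(TFM_TEST_REPO_PATH ${ZEPHYR_CURRENT_MODULE_DIR}/../tf-m-tests)
  set(PSA_ARCH_TESTS_PATH ${ZEPHYR_CURRENT_MODULE_DIR}/../psa-arch-tests)

  # Files produced by the TF-M build that Zephyr consumes.
  set(VENEERS_FILE ${TFM_BINARY_DIR}/secure_fw/s_veneers.o)
  set(TFM_API_NS_PATH ${TFM_BINARY_DIR}/tf-m-tests/app/libtfm_api_ns.a)
  set(PLATFORM_NS_FILE ${TFM_BINARY_DIR}/platform/ns/libplatform_ns.a)
  set(TFM_GENERATED_INCLUDES ${TFM_BINARY_DIR}/generated/interface/include)
  set(TFM_INTERFACE_SOURCE_DIR ${TFM_BINARY_DIR}/install/interface/src)

  if(TFM_PSA_TEST_SUITE)
    set(PSA_TEST_VAL_FILE ${TFM_BINARY_DIR}/tf-m-tests/app/psa_api_tests/val/val_nspe.a)
    set(PSA_TEST_PAL_FILE ${TFM_BINARY_DIR}/tf-m-tests/app/psa_api_tests/platform/pal_nspe.a)
    # Maps the selected suite to its directory under dev_apis/; the three
    # storage suites share one directory.
    set(COMBINE_DIR_STORAGE storage)
    set(COMBINE_DIR_PROTECTED_STORAGE storage)
    set(COMBINE_DIR_INTERNAL_TRUSTED_STORAGE storage)
    set(COMBINE_DIR_CRYPTO crypto)
    set(COMBINE_DIR_INITIAL_ATTESTATION initial_attestation)
    set(PSA_TEST_COMBINE_FILE ${TFM_BINARY_DIR}/tf-m-tests/app/psa_api_tests/dev_apis/${COMBINE_DIR_${TFM_PSA_TEST_SUITE}}/test_combine.a)
  endif()

  if(CONFIG_TFM_BL2)
    set(BL2_ELF_FILE ${TFM_BINARY_DIR}/bin/bl2.elf)
    set(BL2_BIN_FILE ${TFM_BINARY_DIR}/bin/bl2.bin)
    set(BL2_HEX_FILE ${TFM_BINARY_DIR}/bin/bl2.hex)
  endif()
  set(TFM_S_ELF_FILE ${TFM_BINARY_DIR}/bin/tfm_s.elf)
  set(TFM_S_BIN_FILE ${TFM_BINARY_DIR}/bin/tfm_s.bin)
  set(TFM_S_HEX_FILE ${TFM_BINARY_DIR}/bin/tfm_s.hex)
  set(TFM_NS_BIN_FILE ${TFM_BINARY_DIR}/bin/tfm_ns.bin)
  set(TFM_NS_HEX_FILE ${TFM_BINARY_DIR}/bin/tfm_ns.hex)
  set(TFM_S_SIGNED_BIN_FILE ${TFM_BINARY_DIR}/bin/tfm_s_signed.bin)
  set(TFM_NS_SIGNED_BIN_FILE ${TFM_BINARY_DIR}/bin/tfm_ns_signed.bin)
  set(TFM_S_NS_SIGNED_BIN_FILE ${TFM_BINARY_DIR}/bin/tfm_s_ns_signed.bin)

  # Declared as byproducts of the external TF-M build so the generator knows
  # where these files come from. Variables that were not set above (PSA test
  # files, BL2 files) expand to nothing.
  set(BUILD_BYPRODUCTS
    ${VENEERS_FILE}
    ${TFM_API_NS_PATH}
    ${TFM_GENERATED_INCLUDES}/psa_manifest/sid.h
    ${PSA_TEST_VAL_FILE}
    ${PSA_TEST_PAL_FILE}
    ${PSA_TEST_COMBINE_FILE}
    ${PLATFORM_NS_FILE}
    ${BL2_ELF_FILE}
    ${BL2_BIN_FILE}
    ${BL2_HEX_FILE}
    ${TFM_S_ELF_FILE}
    ${TFM_S_BIN_FILE}
    ${TFM_S_HEX_FILE}
    ${TFM_NS_BIN_FILE}
    ${TFM_NS_HEX_FILE}
    ${TFM_S_SIGNED_BIN_FILE}
    ${TFM_NS_SIGNED_BIN_FILE}
    ${TFM_S_NS_SIGNED_BIN_FILE}

    ${TFM_INTERFACE_SOURCE_DIR}/tfm_attest_api.c
    ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_api.c
    ${TFM_INTERFACE_SOURCE_DIR}/tfm_fwu_api.c
    ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_api.c
    ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_api.c
    ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_api.c
    ${TFM_INTERFACE_SOURCE_DIR}/tfm_psa_ns_api.c

    # Specific to nordic_nrf platform
    ${TFM_INTERFACE_SOURCE_DIR}/tfm_ioctl_core_ns_api.c
    )

  # Get the toolchain variant
  # TODO: Add support for cross-compile toolchain variant
  # TODO: Enforce GCC version check against TF-M compiler requirements
  #
  # The variable is quoted so that an empty or unset variant reaches the
  # FATAL_ERROR below instead of producing a malformed if(), and so that a
  # value which happens to name another variable is not dereferenced again.
  if("${ZEPHYR_TOOLCHAIN_VARIANT}" STREQUAL "zephyr")
    set(TFM_TOOLCHAIN_FILE "toolchain_GNUARM.cmake")
    set(TFM_TOOLCHAIN_PREFIX "arm-zephyr-eabi")
    set(TFM_TOOLCHAIN_PATH ${ZEPHYR_SDK_INSTALL_DIR}/arm-zephyr-eabi/bin)
  elseif("${ZEPHYR_TOOLCHAIN_VARIANT}" STREQUAL "gnuarmemb")
    set(TFM_TOOLCHAIN_FILE "toolchain_GNUARM.cmake")
    set(TFM_TOOLCHAIN_PREFIX "arm-none-eabi")
    set(TFM_TOOLCHAIN_PATH ${GNUARMEMB_TOOLCHAIN_PATH}/bin)
  elseif("${ZEPHYR_TOOLCHAIN_VARIANT}" STREQUAL "xtools")
    set(TFM_TOOLCHAIN_FILE "toolchain_GNUARM.cmake")
    set(TFM_TOOLCHAIN_PREFIX "arm-zephyr-eabi")
    set(TFM_TOOLCHAIN_PATH ${XTOOLS_TOOLCHAIN_PATH}/arm-zephyr-eabi/bin)
  else()
    message(FATAL_ERROR "Unsupported ZEPHYR_TOOLCHAIN_VARIANT: ${ZEPHYR_TOOLCHAIN_VARIANT}")
  endif()

  if(CONFIG_TFM_PARTITION_INITIAL_ATTESTATION AND CONFIG_TFM_QCBOR_PATH STREQUAL "")
    # TODO: Remove this when QCBOR licensing issues w/t_cose have been resolved,
    # or only allow it when 'QCBOR_PATH' is set to a local path where QCBOR has
    # been manually downloaded by the user before starting the build.
    message(FATAL_ERROR "CONFIG_TFM_PARTITION_INITIAL_ATTESTATION is not available "
      "with TF-M 1.7.0 due to licensing issues with a dependent library. This "
      "restriction will be removed once licensing issues have been resolved."
      )
  endif()

  if(CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION AND CONFIG_TFM_QCBOR_PATH STREQUAL "")
    # TODO: Remove this when QCBOR licensing issues w/t_cose have been resolved,
    # or only allow it when 'QCBOR_PATH' is set to a local path where QCBOR has
    # been manually downloaded by the user before starting the build.
    message(FATAL_ERROR "CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION is not available "
      "with TF-M 1.7.0 due to licensing issues with a dependent library. This "
      "restriction will be removed once licensing issues have been resolved."
      )
  endif()

  if(CONFIG_TFM_QCBOR_PATH STREQUAL "DOWNLOAD")
    # Change CMake cache type to string to avoid QCBOR_PATH=/absolute/path/DOWNLOAD being set.
    set(QCBOR_PATH_TYPE ":STRING")
  endif()
  # Always set QCBOR_PATH, this will make sure that we don't automatically download this
  # dependency in the TF-M build system and it will fail when set to an invalid value.
  # A download therefore only happens when CONFIG_TFM_QCBOR_PATH is explicitly "DOWNLOAD".
  list(APPEND TFM_CMAKE_ARGS -DQCBOR_PATH${QCBOR_PATH_TYPE}=${CONFIG_TFM_QCBOR_PATH})

  if(CONFIG_BOARD_LPCXPRESSO55S69_CPU0)
    # Supply path to NXP HAL sources used for TF-M build
    set(TFM_PLATFORM_NXP_HAL_FILE_PATH ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/platform/ext/target/nxp/)
    list(APPEND TFM_CMAKE_ARGS -DTFM_PLATFORM_NXP_HAL_FILE_PATH=${TFM_PLATFORM_NXP_HAL_FILE_PATH})
  endif()

  if(CONFIG_TFM_BL2 AND CONFIG_TFM_MCUBOOT_PATH_LOCAL)
    # Supply path to MCUboot for TF-M build
    list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_PATH=${ZEPHYR_MCUBOOT_MODULE_DIR})
  endif()

  if(CONFIG_TFM_MCUBOOT_DATA_SHARING)
    list(APPEND TFM_CMAKE_ARGS -DMCUBOOT_DATA_SHARING=ON)
  endif()

  if(TFM_PSA_TEST_SUITE)
    list(APPEND TFM_CMAKE_ARGS
      -DPSA_TOOLCHAIN_FILE=${CMAKE_CURRENT_LIST_DIR}/psa/GNUARM.cmake
      -DTOOLCHAIN=INHERIT
      )
  endif()

  if(CONFIG_FPU AND CONFIG_FP_HARDABI)
    list(APPEND TFM_CMAKE_ARGS -DCONFIG_TFM_ENABLE_FP=ON)
    # Note: This is not a cmake option in TF-M.
    # This should be specified by the platform in preload.cmake
    # This works as a workaround for the platforms that do not have this.
    list(APPEND TFM_CMAKE_ARGS -DCONFIG_TFM_FP_ARCH=${FPU_FOR_${GCC_M_CPU}})
  else()
    list(APPEND TFM_CMAKE_ARGS -DCONFIG_TFM_ENABLE_FP=OFF)
  endif()

  # Configure step of the nested TF-M build. CMakeCache.txt is the stamp file:
  # the command runs when it does not exist yet.
  # NOTE(review): there is no VERBATIM here. Some arguments above embed literal
  # double quotes (the SPM backend), so adding VERBATIM would change what the
  # child CMake receives - verify before changing.
  file(MAKE_DIRECTORY ${TFM_BINARY_DIR})
  add_custom_target(tfm_cmake
    DEPENDS ${TFM_BINARY_DIR}/CMakeCache.txt
  )
  add_custom_command(
    OUTPUT ${TFM_BINARY_DIR}/CMakeCache.txt
    COMMAND ${CMAKE_COMMAND}
      -G${CMAKE_GENERATOR}
      -DTFM_TOOLCHAIN_FILE=${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/${TFM_TOOLCHAIN_FILE}
      -DCROSS_COMPILE=${TFM_TOOLCHAIN_PATH}/${TFM_TOOLCHAIN_PREFIX}
      -DCMAKE_BUILD_TYPE=${TFM_CMAKE_BUILD_TYPE}
      -DTFM_PLATFORM=${CONFIG_TFM_BOARD}
      -DCONFIG_TFM_BUILD_LOG_QUIET=ON
      -DCONFIG_TFM_MEMORY_USAGE_QUIET=OFF
      ${TFM_CMAKE_ARGS}
      $<GENEX_EVAL:$<TARGET_PROPERTY:zephyr_property_target,TFM_CMAKE_OPTIONS>>
      -DMBEDCRYPTO_PATH=$<IF:$<BOOL:$<TARGET_PROPERTY:zephyr_property_target,TFM_MBEDCRYPTO_PATH>>,$<TARGET_PROPERTY:zephyr_property_target,TFM_MBEDCRYPTO_PATH>,${ZEPHYR_MBEDTLS_MODULE_DIR}>
      -DTFM_TEST_REPO_PATH=${TFM_TEST_REPO_PATH}
      -DPSA_ARCH_TESTS_PATH=${PSA_ARCH_TESTS_PATH}
      ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}
    WORKING_DIRECTORY ${TFM_BINARY_DIR}
    COMMAND_EXPAND_LISTS
  )

  include(ExternalProject)

  # On hosts other than Windows PARALLEL_JOBS stays unset and the default
  # number of threads is used, which is num_cores+2 on Ninja and MAKEFLAGS
  # with Make.
  if("${CMAKE_HOST_SYSTEM_NAME}" STREQUAL "Windows")
    # Set number of parallel jobs for TF-M build to 1.
    # In some circumstances it has been experienced that building TF-M with
    # multiple parallel jobs then `permission denied` may occur. Root cause on
    # Windows has not been identified but current suspicion is around folder /
    # file lock mechanism. To ensure correct behaviour in all cases, limit
    # number of parallel jobs to 1.
    set(PARALLEL_JOBS -j 1)
  endif()

  # The configure step is done by 'tfm_cmake' above, so CONFIGURE_COMMAND is
  # empty; this project only builds and installs in the prepared directory.
  ExternalProject_Add(
    tfm
    SOURCE_DIR ${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}
    BINARY_DIR ${TFM_BINARY_DIR}
    CONFIGURE_COMMAND ""
    BUILD_COMMAND ${CMAKE_COMMAND} --build . ${PARALLEL_JOBS}
    INSTALL_COMMAND ${CMAKE_COMMAND} --install .
    BUILD_ALWAYS True
    USES_TERMINAL_BUILD True
    DEPENDS tfm_cmake
    BUILD_BYPRODUCTS ${BUILD_BYPRODUCTS}
  )

  # Set TFM binary directory as target property on 'tfm'
  # This is the root of all TFM build artifacts.
  set_target_properties(tfm PROPERTIES TFM_BINARY_DIR ${TFM_BINARY_DIR})

  # Set BL2 (MCUboot) executable file paths as target properties on 'tfm'
  # These files are produced by the TFM build system.
  if(CONFIG_TFM_BL2)
    set_target_properties(tfm PROPERTIES
      BL2_ELF_FILE ${BL2_ELF_FILE}
      BL2_BIN_FILE ${BL2_BIN_FILE}
      BL2_HEX_FILE ${BL2_HEX_FILE}
      )
  endif()

  # Set TFM S/NS executable file paths as target properties on 'tfm'
  # These files are produced by the TFM build system.
  # Note that the Nonsecure FW is replaced by the Zephyr app in regular Zephyr
  # builds.
  set_target_properties(tfm PROPERTIES
    TFM_S_ELF_FILE ${TFM_S_ELF_FILE}
    TFM_S_BIN_FILE ${TFM_S_BIN_FILE} # TFM Secure FW (unsigned)
    TFM_S_HEX_FILE ${TFM_S_HEX_FILE} # TFM Secure FW (unsigned)
    TFM_NS_BIN_FILE ${TFM_NS_BIN_FILE} # TFM Nonsecure FW (unsigned)
    TFM_NS_HEX_FILE ${TFM_NS_HEX_FILE} # TFM Nonsecure FW (unsigned)
    TFM_S_SIGNED_BIN_FILE ${TFM_S_SIGNED_BIN_FILE} # TFM Secure FW (signed)
    TFM_NS_SIGNED_BIN_FILE ${TFM_NS_SIGNED_BIN_FILE} # TFM Nonsecure FW (signed)
    TFM_S_NS_SIGNED_BIN_FILE ${TFM_S_NS_SIGNED_BIN_FILE} # Merged TFM Secure/Nonsecure FW (signed)
    )

  # Zephyr-side library holding the Non-Secure interface to TF-M.
  zephyr_library_named(tfm_api)

  zephyr_library_sources(
    src/zephyr_tfm_log.c
    interface/interface.c
    )

  # Non-Secure interface to request system reboot
  if(CONFIG_TFM_PARTITION_PLATFORM AND NOT CONFIG_TFM_PARTITION_PLATFORM_CUSTOM_REBOOT)
    zephyr_library_sources(src/reboot.c)
  endif()
  zephyr_library_sources_ifndef(CONFIG_TFM_PSA_TEST_NONE src/zephyr_tfm_psa_test.c)

  if(TFM_PSA_TEST_SUITE)
    zephyr_library_link_libraries(
      ${PSA_TEST_VAL_FILE}
      ${PSA_TEST_PAL_FILE}
      ${PSA_TEST_COMBINE_FILE}
      )
  endif()

  if(NOT CONFIG_TFM_BUILD_NS)
    # TF-M does not build the NS side: compile the installed NS API sources of
    # the enabled partitions directly into tfm_api.
    zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PLATFORM                 ${TFM_INTERFACE_SOURCE_DIR}/tfm_platform_api.c)
    zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PROTECTED_STORAGE        ${TFM_INTERFACE_SOURCE_DIR}/tfm_ps_api.c)
    zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ${TFM_INTERFACE_SOURCE_DIR}/tfm_its_api.c)
    zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_CRYPTO                   ${TFM_INTERFACE_SOURCE_DIR}/tfm_crypto_api.c)
    zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_INITIAL_ATTESTATION      ${TFM_INTERFACE_SOURCE_DIR}/tfm_attest_api.c)
    zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_FIRMWARE_UPDATE          ${TFM_INTERFACE_SOURCE_DIR}/tfm_fwu_api.c)

    zephyr_library_sources(${TFM_INTERFACE_SOURCE_DIR}/tfm_psa_ns_api.c)

    if(CONFIG_SOC_FAMILY_NRF)
      zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PLATFORM               ${TFM_INTERFACE_SOURCE_DIR}/tfm_ioctl_core_ns_api.c)
    endif()

  else()
    # TF-M builds the NS side: link its prebuilt NS libraries instead.
    zephyr_library_link_libraries(
      ${TFM_API_NS_PATH}
      ${PLATFORM_NS_FILE}
      )
  endif()

  zephyr_include_directories(
    ${TFM_GENERATED_INCLUDES}
    )

  target_include_directories(tfm_api PRIVATE
    ${TFM_BINARY_DIR}/install/interface/include
    ${TFM_BINARY_DIR}/install/interface/include/crypto_keys
    )

  zephyr_library_link_libraries(
    ${VENEERS_FILE}
    )

  # To ensure that generated include files are created before they are used.
  add_dependencies(zephyr_interface tfm)

  # Inputs of the signing step; only meaningful when BL2 is part of the build.
  if(CONFIG_TFM_BL2)
    set(PREPROCESSED_FILE_S "${TFM_BINARY_DIR}/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
    set(PREPROCESSED_FILE_NS "${TFM_BINARY_DIR}/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
    set(TFM_MCUBOOT_DIR "${ZEPHYR_TRUSTED_FIRMWARE_M_MODULE_DIR}/bl2/ext/mcuboot")
  endif()

  # Configure which format (full or hash) to include the public key in
  # the image manifest
  if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
    set(TFM_PUBLIC_KEY_FORMAT "full")
  endif()

  if(DEFINED TFM_HEX_BASE_ADDRESS_S)
    set(HEX_ADDR_ARGS_S "--hex-addr=${TFM_HEX_BASE_ADDRESS_S}")
  endif()

  if(DEFINED TFM_HEX_BASE_ADDRESS_NS)
    set(HEX_ADDR_ARGS_NS "--hex-addr=${TFM_HEX_BASE_ADDRESS_NS}")
  endif()

  # tfm_sign(<out_var> <suffix> <pad> <input_file> <output_file>)
  #
  # Builds the command line that signs one image through the TF-M imgtool
  # wrapper and stores it, as a list, in <out_var> in the caller's scope.
  # Nothing is executed here; callers append the command to
  # extra_post_build_commands.
  #
  #   OUT_ARG     - name of the variable that receives the command
  #   SUFFIX      - S or NS; selects PREPROCESSED_FILE_<SUFFIX>,
  #                 CONFIG_TFM_KEY_FILE_<SUFFIX>, CONFIG_TFM_IMAGE_VERSION_<SUFFIX>,
  #                 HEX_ADDR_ARGS_<SUFFIX> and ADD_<SUFFIX>_IMAGE_MIN_VER
  #   PAD         - when true, --pad --pad-header is added
  #   INPUT_FILE  - image to sign
  #   OUTPUT_FILE - signed image to write
  #
  # NOTE(review): the key path comes straight from Kconfig. Confirm that
  # release builds override any default that points at a key distributed with
  # the source tree; an image signed with a published key gives BL2 nothing to
  # authenticate.
  function(tfm_sign OUT_ARG SUFFIX PAD INPUT_FILE OUTPUT_FILE)
    # Fail at configure time instead of emitting '-k' without a value, which
    # would make the tool take the following option as the key path.
    if("${CONFIG_TFM_KEY_FILE_${SUFFIX}}" STREQUAL "")
      message(FATAL_ERROR "CONFIG_TFM_KEY_FILE_${SUFFIX} is empty; a signing key file is required to sign the ${SUFFIX} image.")
    endif()

    # Start from a known-empty value: a function inherits the caller's
    # variables, so a stray 'pad_args' there must not reach the sign command.
    set(pad_args "")
    if(PAD)
      set(pad_args --pad --pad-header)
    endif()

    set(${OUT_ARG}
      # Add the MCUBoot script to the path so that if there is a version of imgtool in there then
      # it gets used over the system imgtool. Used so that imgtool from upstream
      # mcuboot is preferred over system imgtool
      ${CMAKE_COMMAND} -E env PYTHONPATH=${ZEPHYR_MCUBOOT_MODULE_DIR}/scripts
      ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
      --layout ${PREPROCESSED_FILE_${SUFFIX}}
      -k ${CONFIG_TFM_KEY_FILE_${SUFFIX}}
      --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
      --align 1
      -v ${CONFIG_TFM_IMAGE_VERSION_${SUFFIX}}
      ${pad_args}
      ${HEX_ADDR_ARGS_${SUFFIX}}
      ${ADD_${SUFFIX}_IMAGE_MIN_VER}
      -s auto
      --measured-boot-record
      -H ${CONFIG_ROM_START_OFFSET}
      ${INPUT_FILE}
      ${OUTPUT_FILE}
      PARENT_SCOPE)
  endfunction()

  # Outputs of the post-build merge/sign steps, all in the Zephyr build directory.
  set(MERGED_FILE ${CMAKE_BINARY_DIR}/zephyr/tfm_merged.hex)
  set(S_NS_FILE ${CMAKE_BINARY_DIR}/zephyr/tfm_s_zephyr_ns.hex)
  set(S_NS_SIGNED_FILE ${CMAKE_BINARY_DIR}/zephyr/tfm_s_zephyr_ns_signed.hex)
  set(NS_SIGNED_FILE ${CMAKE_BINARY_DIR}/zephyr/zephyr_ns_signed.hex)
  set(S_SIGNED_FILE ${CMAKE_BINARY_DIR}/zephyr/tfm_s_signed.hex)

  if(CONFIG_TFM_USE_NS_APP)
    # Use the TF-M NS binary as the Non-Secure application firmware image
    set(NS_APP_FILE $<TARGET_PROPERTY:tfm,TFM_NS_HEX_FILE>)
  else()
    # Use the Zephyr binary as the Non-Secure application firmware image
    set(NS_APP_FILE ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_HEX_NAME})
  endif()

  if(NOT CONFIG_TFM_BL2)
    # Merge tfm_s and zephyr (NS) image to a single binary.
    # Without BL2 there is no signing step: the merged file is unsigned.
    set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
      COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
        -o ${MERGED_FILE}
        $<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
        ${NS_APP_FILE}
    )

    set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
      ${MERGED_FILE}
    )

  elseif(CONFIG_TFM_MCUBOOT_IMAGE_NUMBER STREQUAL "1")
    # Single-image mode: S and NS are merged first and signed as one image,
    # using the NS key, version and layout settings (SUFFIX NS), then merged
    # with BL2.
    tfm_sign(sign_cmd NS TRUE ${S_NS_FILE} ${S_NS_SIGNED_FILE})

    set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
      COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
        -o ${S_NS_FILE}
        $<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE>
        ${NS_APP_FILE}

      COMMAND ${sign_cmd}

      COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
        -o ${MERGED_FILE}
        $<TARGET_PROPERTY:tfm,BL2_HEX_FILE>
        ${S_NS_SIGNED_FILE}
    )

    set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
      ${S_NS_FILE}
      ${S_NS_SIGNED_FILE}
      ${MERGED_FILE}
    )

  else()
    # Multi-image mode: S and NS are signed separately, each with its own key.
    # The NS image is padded only when it is the TF-M NS application.
    if(CONFIG_TFM_USE_NS_APP)
      tfm_sign(sign_cmd_ns NS TRUE ${NS_APP_FILE} ${NS_SIGNED_FILE})
    else()
      tfm_sign(sign_cmd_ns NS FALSE ${NS_APP_FILE} ${NS_SIGNED_FILE})
    endif()

    tfm_sign(sign_cmd_s S TRUE $<TARGET_PROPERTY:tfm,TFM_S_HEX_FILE> ${S_SIGNED_FILE})

    # Create and sign for concatenated binary image, should align with the TF-M BL2
    set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
      COMMAND ${sign_cmd_ns}
      COMMAND ${sign_cmd_s}

      COMMAND ${PYTHON_EXECUTABLE} ${ZEPHYR_BASE}/scripts/build/mergehex.py
        -o ${MERGED_FILE}
        $<TARGET_PROPERTY:tfm,BL2_HEX_FILE>
        ${S_SIGNED_FILE}
        ${NS_SIGNED_FILE}
    )

    set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts
      ${S_SIGNED_FILE}
      ${NS_SIGNED_FILE}
      ${MERGED_FILE}
    )
  endif()
endif()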