Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not ready for review: TF-M support for building without PSA ITS #19036

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Not ready for review: TF-M support for building without PSA ITS #19036

wants to merge 6 commits into from

Conversation

frkv
Copy link
Contributor

@frkv frkv commented Nov 22, 2024

For use-cases where KMU provides persistent key support

@frkv
TF-M: Avoid enabling OTP and NV if CRYPTO_STORAGE_DISABLED is set
add4d1e 
-Disabling DPLATFORM_DEFAULT_OTP, DPLATFORM_DEFAULT_OTP_WRITEABLE
 and DPLATFORM_DEFAULT_NV_COUNTERS when CRYPTO_STORAGE_DISABLED is
 set to remove dependency for NVM driver when ITS is not
 in use.
-Removing hack to falsely give access to non existent service ID
 TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_ID which was used for
 TF-M Minimal configuration.

ref: NCSDK-13530

Signed-off-by: Frank Audun Kvamtrø <[email protected]>
@frkv
TF-M: Made TFM_PLATFORM_NV_CONTER_MODULE_DISABLE generic
6c22b49 
-Previously we used TFM_PLATFORM_NV_COUNTER_MODULE_DISABLED to signal
 that NV counters should be enabled when TFM_PROFILE_TYPE_MINIMAL is
 set. This commit changes the default enablement with a dependency
 on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE instead. This is done to
 allow for persistent keys using only the KMU.

Ref: NCSDK-13530

Signed-off-by: Frank Audun Kvamtrø <[email protected]>
@frkv
TF-M: Adjusting the workaround for MBEDTLS_PSA_CRYPTO_STORAGE_C unset
3d2a8d5 
-This commit feeds the following configurations to disable OTP and ITS
 when MBEDTLS_PSA_CRYPTO_STORAGE_C is not enabled
 -DTFM_PARTITION_INTERNAL_TRUSTED_STORAGE=OFF
 -DPLATFORM_DEFAULT_OTP=OFF
 -DPLATFORM_DEFAULT_OTP_WRITEABLE=OFF
 -DPLATFORM_DEFAULT_NV_COUNTERS=OFF
 The configurations are made to avoid dependency on NVM driver when
 KMU supports persistent key and generally to be able to optimize for
 size.

Ref: NCSDK-13530

Signed-off-by: Frank Audun Kvamtrø <[email protected]>
@frkv
TF-M: Adding more dependencies for TFM_ITS_ENCRYPTED
39cbab7 
-This commit sets up dependency between TFM_ITS_ENCRYPTED and
 MBEDTLS_PSA_CRYPTO_STORAGE_C and TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
 to ensure that TFM_ITS_ENCRYPTED is not enabled if one of these
 are missing. This is used when the persistent keys are stored in
 KMU.

Signed-off-by: Frank Audun Kvamtrø <[email protected]>
@frkv
mbedtls: Fix ependency of MBEDTLS_PSA_CRYPTO_STORAGE_C for TF-M
0812bc7 
-This commit ensure MBEDTLS_PSA_CRYPTO_STORAGE_C is only default
 enabled for TF-M builds when TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
 is also enabled.

Signed-off-by: Frank Audun Kvamtrø <[email protected]>
@frkv
manifest: Update TF-M to support building without without ITS
bcfdf30 
-This pulls in TF-M PR nrfconnect#181 which allows for building TF-M without
 ITS for use-cases where KMU-stored key is sufficient for
 persistent key support

Signed-off-by: Frank Audun Kvamtrø <[email protected]>
@frkv frkv requested review from a team as code owners November 22, 2024 14:51
@github-actions github-actions bot added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Nov 22, 2024
@NordicBuilder
Copy link
Contributor

The following west manifest projects have been modified in this Pull Request:

Name Old Revision New Revision Diff
trusted-firmware-m nrfconnect/sdk-trusted-firmware-m@82e7763 (main) nrfconnect/sdk-trusted-firmware-m#181 nrfconnect/sdk-trusted-firmware-m#181/files

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@NordicBuilder
Copy link
Contributor

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 1

Inputs:

Sources:

trusted-firmware-m: PR head: f302508a2d5623eb21f99988485980c2606a48e0
sdk-nrf: PR head: bcfdf30bb94a81b9201ba8cfdfacf6196bccf358

more details

trusted-firmware-m:

PR head: f302508a2d5623eb21f99988485980c2606a48e0
merge base: 82e7763eba112a350d58dd52dc39f340a291ffd0
target head (main): 82e7763eba112a350d58dd52dc39f340a291ffd0
Diff

sdk-nrf:

PR head: bcfdf30bb94a81b9201ba8cfdfacf6196bccf358
merge base: a07b87c923420fdbfbdbff3698a3d30f5c1c33ee
target head (main): a07b87c923420fdbfbdbff3698a3d30f5c1c33ee
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (8) 
modules
│  ├── tee
│  │  ├── tf-m
│  │  │  ├── trusted-firmware-m
│  │  │  │  ├── secure_fw
│  │  │  │  │  ├── partitions
│  │  │  │  │  │  ├── crypto
│  │  │  │  │  │  │  │ tfm_crypto.yaml
│  │  │  │  ├── tools
│  │  │  │  │  │ tfm_manifest_list.yaml
│  ├── trusted-firmware-m
│  │  ├── CMakeLists.txt
│  │  ├── Kconfig
│  │  ├── Kconfig.tfm.defconfig
│  │  ├── tfm_boards
│  │  │  │ CMakeLists.txt
subsys
│  ├── nrf_security
│  │  │ Kconfig.psa
west.yml

Outputs:

Toolchain

Version:
Build docker image:

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • 🟠 Toolchain
  • 🟠 Build twister
  • 🟠 Integration tests
    • 🟠 test-fw-nrfconnect-boot
    • 🟠 test-fw-nrfconnect-chip
    • 🟠 test-fw-nrfconnect-nrf_crypto
    • 🟠 test-fw-nrfconnect-tfm
    • 🟠 test-sdk-find-my
    • 🟠 test-sdk-sidewalk
    • 🟠 test-sdk-mcuboot
    • 🟠 test-sdk-dfu
    • ⚠️ test-fw-nrfconnect-fw-update
    • ⚠️ test-fw-nrfconnect-nrf-iot_cloud
Disabled integration tests
    • desktop52_verification
    • doc-internal
    • test_ble_nrf_config
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-fem
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_mosh
    • test-fw-nrfconnect-nrf-iot_nrf_provisioning
    • test-fw-nrfconnect-nrf-iot_positioning
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-ps
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-rs
    • test-fw-nrfconnect-thread
    • test-fw-nrfconnect-zigbee
    • test-low-level
    • test-sdk-audio
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@NordicBuilder
Copy link
Contributor

You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds.

Note: This comment is automatically posted by the Documentation Publish GitHub Action.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. DNM manifest manifest-trusted-firmware-m
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@frkv @NordicBuilder