tf-m: Add Attestation support for nRF54L15 #19040
Conversation
|
The following west manifest projects have been modified in this Pull Request:
Note: This message is automatically posted and updated by the Manifest GitHub Action. |
github-actions
bot
added
the
changelog-entry-required
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
2235121
to
716c951
Compare
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:trusted-firmware-m: PR head: 9c1a5ad73e1b98a3f50b22743ac7bb848f52c504 more detailstrusted-firmware-m:
sdk-nrf:
Github labels
List of changed files detected by CI (19)Outputs:ToolchainVersion: Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
Add support for PSA Attestation to the nRF54L15. Includes noup changes to TF-M repository. Ref: NCSDK-22598 Signed-off-by: Sigurd Hellesvik <[email protected]>
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
716c951
to
fce97d0
Compare
| memcpy(buf,boot_seed, sizeof(uint8_t) * 32); | ||
| #else | ||
| return TFM_PLAT_ERR_SYSTEM_ERR; | ||
| #endif |
There was a problem hiding this comment.
My gut feeling says there must be a better way to do this. @frkv do you have any thoughts?
| @@ -115,7 +115,7 @@ if (${TFM_PARTITION_CRYPTO}) | |||
| tfm_sprt | |||
| ) | |||
|
|
|||
| if (${TFM_PARTITION_INITIAL_ATTESTATION}) | |||
| if ((${TFM_PARTITION_INITIAL_ATTESTATION}) AND CONFIG_IDENTITY_KEY) | |||
There was a problem hiding this comment.
This will not work for other nRF SoCs.
Would it be better to do "if 5340 or 9160 or etc etc"?
Or to define an TFM_IDENTITY_KEY and then set that inside tfm_boards for each of the boards that use this?
There was a problem hiding this comment.
To me it makes sense to use a more generic Kconfig option rather than explicitly naming the affected SOCs. The list will likely change over time, so it's nice to not have a bunch of if SOC_X [...] all over.
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
| @@ -0,0 +1,13 @@ | |||
| CONFIG_TFM_NRF_PROVISIONING=n | |||
| CONFIG_TFM_DUMMY_PROVISIONING=y | |||
There was a problem hiding this comment.
I should enable nrf_provisioning
| @@ -6,4 +6,4 @@ | |||
|
|
|||
| config SECURE_BOOT_STORAGE | |||
| bool "Library for accessing the bootloader storage" | |||
| select NRFX_RRAMC if SOC_SERIES_NRF54LX | |||
| select NRFX_RRAMC if SOC_SERIES_NRF54LX && !TRUSTED_EXECUTION_NONSECURE | |||
There was a problem hiding this comment.
Is this still needed as you guarded select SECURE_BOOT_STORAGE with if !TRUSTED_EXECUTION_NONSECURE?
(I don't know about this so I can't tell whether or not it makes sense to have this here. Maybe even the whole SECURE_BOOT_STORAGE Kconfig option should depend on !TRUSTED_EXECUTION_NONSECURE?)
| @@ -66,7 +66,7 @@ config TFM_PARTITION_INITIAL_ATTESTATION | |||
| select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT | |||
| select PSA_WANT_ALG_ECDSA | |||
| select PSA_WANT_ECC_SECP_R1_256 | |||
| select SECURE_BOOT_STORAGE | |||
| select SECURE_BOOT_STORAGE if !TRUSTED_EXECUTION_NONSECURE | |||
There was a problem hiding this comment.
| select SECURE_BOOT_STORAGE if !TRUSTED_EXECUTION_NONSECURE | |
| select SECURE_BOOT_STORAGE if TRUSTED_EXECUTION_SECURE |
?
| @@ -115,7 +115,7 @@ if (${TFM_PARTITION_CRYPTO}) | |||
| tfm_sprt | |||
| ) | |||
|
|
|||
| if (${TFM_PARTITION_INITIAL_ATTESTATION}) | |||
| if ((${TFM_PARTITION_INITIAL_ATTESTATION}) AND CONFIG_IDENTITY_KEY) | |||
There was a problem hiding this comment.
To me it makes sense to use a more generic Kconfig option rather than explicitly naming the affected SOCs. The list will likely change over time, so it's nice to not have a bunch of if SOC_X [...] all over.
| #include <bl_storage.h> | ||
|
|
||
|
|
| @@ -132,7 +143,15 @@ enum tfm_plat_err_t tfm_plat_get_boot_seed(uint32_t size, uint8_t *buf) | |||
| if (nrf_err != NRF_CC3XX_PLATFORM_SUCCESS) { | |||
| return TFM_PLAT_ERR_SYSTEM_ERR; | |||
| } | |||
|
|
|||
| #elif defined(CONFIG_PSA_NEED_CRACEN_KMU_DRIVER) | |||
There was a problem hiding this comment.
Please use the same macro when defining and using the boot_seed variables.
|
|
||
| #elif defined(CONFIG_PSA_NEED_CRACEN_KMU_DRIVER) | ||
| if (!boot_seed_set) { | ||
| psa_generate_random(boot_seed, 32); |
There was a problem hiding this comment.
| psa_generate_random(boot_seed, 32); | |
| psa_generate_random(boot_seed, sizeof(boot_seed)); |
| #elif defined(CONFIG_PSA_NEED_CRACEN_KMU_DRIVER) | ||
| if (!boot_seed_set) { | ||
| psa_generate_random(boot_seed, 32); | ||
| boot_seed_set = 1; |
There was a problem hiding this comment.
| boot_seed_set = 1; | |
| boot_seed_set = true; |
| psa_generate_random(boot_seed, 32); | ||
| boot_seed_set = 1; | ||
| } | ||
| memcpy(buf, boot_seed, sizeof(uint8_t) * 32); |
There was a problem hiding this comment.
| memcpy(buf, boot_seed, sizeof(uint8_t) * 32); | |
| memcpy(buf, boot_seed, size); |
maybe?
| memcpy(buf,boot_seed, sizeof(uint8_t) * 32); | ||
| #else | ||
| return TFM_PLAT_ERR_SYSTEM_ERR; | ||
| #endif |
| set(CONFIG_NRFX_RRAMC ON CACHE BOOL "Enable nrfx drivers for RRAMC") | ||
| add_compile_definitions(CONFIG_NRFX_RRAMC) |
There was a problem hiding this comment.
Hmm, we are already using a very minimal homemade RRAMC driver in TF-M. What are you doing this for exactly?
(Also the add_compile_definitions() line seems a bit weird, why is it needed?)
Add support for PSA Attestation to the nRF54L15. Includes noup changes to TF-M repository.
Ref: NCSDK-22598