diff --git a/modules/trusted-firmware-m/Kconfig.tfm.defconfig b/modules/trusted-firmware-m/Kconfig.tfm.defconfig index d0e37c1e676e..b09dea9c3425 100644 --- a/modules/trusted-firmware-m/Kconfig.tfm.defconfig +++ b/modules/trusted-firmware-m/Kconfig.tfm.defconfig @@ -66,7 +66,7 @@ config TFM_PARTITION_INITIAL_ATTESTATION select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT select PSA_WANT_ALG_ECDSA select PSA_WANT_ECC_SECP_R1_256 - select SECURE_BOOT_STORAGE + select SECURE_BOOT_STORAGE if TRUSTED_EXECUTION_SECURE config TFM_PARTITION_PROTECTED_STORAGE bool diff --git a/modules/trusted-firmware-m/tfm_boards/CMakeLists.txt b/modules/trusted-firmware-m/tfm_boards/CMakeLists.txt index 4cf9a85bb92c..a1e5b76d89ee 100644 --- a/modules/trusted-firmware-m/tfm_boards/CMakeLists.txt +++ b/modules/trusted-firmware-m/tfm_boards/CMakeLists.txt @@ -115,7 +115,7 @@ if (${TFM_PARTITION_CRYPTO}) tfm_sprt ) - if (${TFM_PARTITION_INITIAL_ATTESTATION}) + if ((${TFM_PARTITION_INITIAL_ATTESTATION}) AND CONFIG_IDENTITY_KEY) target_sources(platform_s PRIVATE ${ZEPHYR_NRF_MODULE_DIR}/lib/identity_key/identity_key.c diff --git a/modules/trusted-firmware-m/tfm_boards/common/attest_hal.c b/modules/trusted-firmware-m/tfm_boards/common/attest_hal.c index 4fe9c93fa73b..9cc9a9f12d9a 100644 --- a/modules/trusted-firmware-m/tfm_boards/common/attest_hal.c +++ b/modules/trusted-firmware-m/tfm_boards/common/attest_hal.c @@ -8,16 +8,29 @@ #include #include +#include +#include #include "tfm_attest_hal.h" #include "tfm_plat_boot_seed.h" #include "tfm_plat_device_id.h" #include "tfm_plat_otp.h" -#include #include "tfm_strnlen.h" #include "nrf_provisioning.h" -#include #include +#ifdef CONFIG_NRFX_NVMC +#include +#endif +#ifdef CONFIG_HAS_HW_NRF_CC3XX +#include +#endif + +#if defined(CONFIG_CRACEN_HW_PRESENT) +static bool boot_seed_set = false; +static uint8_t boot_seed[BOOT_SEED_SIZE]; +#endif + + static enum tfm_security_lifecycle_t map_bl_storage_lcs_to_tfm_slc(enum lcs lcs) { switch (lcs) { @@ -122,8 +135,11 @@ enum tfm_plat_err_t tfm_attest_hal_get_profile_definition(uint32_t *size, uint8_ enum tfm_plat_err_t tfm_plat_get_boot_seed(uint32_t size, uint8_t *buf) { +#if defined(CONFIG_HAS_HW_NRF_CC3XX) int nrf_err; + _Static_assert(NRF_CC3XX_PLATFORM_TFM_BOOT_SEED_SIZE == BOOT_SEED_SIZE, + "NRF_CC3XX_PLATFORM_TFM_BOOT_SEED_SIZE must match BOOT_SEED_SIZE"); if (size != NRF_CC3XX_PLATFORM_TFM_BOOT_SEED_SIZE) { return TFM_PLAT_ERR_INVALID_INPUT; } @@ -132,7 +148,26 @@ enum tfm_plat_err_t tfm_plat_get_boot_seed(uint32_t size, uint8_t *buf) if (nrf_err != NRF_CC3XX_PLATFORM_SUCCESS) { return TFM_PLAT_ERR_SYSTEM_ERR; } +#elif defined(CONFIG_CRACEN_HW_PRESENT) + psa_status_t psa_err = PSA_SUCCESS; + if (size != BOOT_SEED_SIZE) { + return TFM_PLAT_ERR_INVALID_INPUT; + } + + if (!boot_seed_set) { + psa_err = psa_generate_random(boot_seed, sizeof(boot_seed)); + + if (psa_err != PSA_SUCCESS) { + return TFM_PLAT_ERR_SYSTEM_ERR; + } + + boot_seed_set = true; + } + memcpy(buf, boot_seed, sizeof(uint8_t) * size); +#else +#error "No crypto hardware to generate boot seed available." +#endif return TFM_PLAT_ERR_SUCCESS; } diff --git a/modules/trusted-firmware-m/tfm_boards/nrf54l15_cpuapp/config.cmake b/modules/trusted-firmware-m/tfm_boards/nrf54l15_cpuapp/config.cmake index f63893e5df94..ab02f1ef26d6 100644 --- a/modules/trusted-firmware-m/tfm_boards/nrf54l15_cpuapp/config.cmake +++ b/modules/trusted-firmware-m/tfm_boards/nrf54l15_cpuapp/config.cmake @@ -13,3 +13,9 @@ include(${PLATFORM_PATH}/common/${NRF_SOC_VARIANT}/config.cmake) # Override PS_CRYPTO_KDF_ALG set(PS_CRYPTO_KDF_ALG PSA_ALG_SP800_108_COUNTER_CMAC CACHE STRING "KDF Algorithm to use") + +set(CONFIG_NRFX_RRAMC ON CACHE BOOL "Enable nrfx drivers for RRAMC") +add_compile_definitions(CONFIG_NRFX_RRAMC) + +# Override attestation to sign message instead of hash, because CRACEN drivers can not sign a hash. +set(ATTEST_SIGN_MESSAGE ON CACHE BOOL "Sign message instead of hash") diff --git a/modules/trusted-firmware-m/tfm_config.h.in b/modules/trusted-firmware-m/tfm_config.h.in index c8756a95f58f..55fd74363a7c 100644 --- a/modules/trusted-firmware-m/tfm_config.h.in +++ b/modules/trusted-firmware-m/tfm_config.h.in @@ -100,6 +100,9 @@ /* The stack size of the Initial Attestation Secure Partition */ #cmakedefine ATTEST_STACK_SIZE @ATTEST_STACK_SIZE@ +/* Sign message instead of message hash */ +#cmakedefine01 ATTEST_SIGN_MESSAGE + /* Set the initial attestation token profile */ /* The TF-M config_base.h configuration will do * #define ATTEST_TOKEN_PROFILE_PSA_IOT_1 1, if non of the token profiles are diff --git a/samples/tfm/tfm_psa_template/boards/nrf54l15dk_nrf54l15_cpuapp_ns.conf b/samples/tfm/tfm_psa_template/boards/nrf54l15dk_nrf54l15_cpuapp_ns.conf new file mode 100644 index 000000000000..85c4903403a7 --- /dev/null +++ b/samples/tfm/tfm_psa_template/boards/nrf54l15dk_nrf54l15_cpuapp_ns.conf @@ -0,0 +1,13 @@ +CONFIG_TFM_NRF_PROVISIONING=n +CONFIG_TFM_DUMMY_PROVISIONING=y + +CONFIG_SPI_NOR=n +CONFIG_TFM_EXCEPTION_INFO_DUMP=y +CONFIG_TFM_CMAKE_BUILD_TYPE_DEBUG=y +CONFIG_TFM_SPM_LOG_LEVEL_DEBUG=y +CONFIG_RESET_ON_FATAL_ERROR=n +CONFIG_PM_PARTITION_SIZE_TFM=0x50800 +# CONFIG_PSA_WANT_ALG_ECDSA_ANY=y +CONFIG_DEBUG=y +CONFIG_DEBUG_THREAD_INFO=y +CONFIG_DEBUG_OPTIMIZATIONS=y diff --git a/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf54l15dk_nrf54l15_cpuapp.conf b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf54l15dk_nrf54l15_cpuapp.conf new file mode 100644 index 000000000000..3859f86e53de --- /dev/null +++ b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf54l15dk_nrf54l15_cpuapp.conf @@ -0,0 +1,6 @@ +CONFIG_PM_PARTITION_SIZE_MCUBOOT=0xb800 +CONFIG_SPI_NOR=n +CONFIG_BOOT_MAX_IMG_SECTORS=256 + +# FPROTECT is set in NSIB instead +CONFIG_FPROTECT=n diff --git a/subsys/bootloader/bl_storage/Kconfig b/subsys/bootloader/bl_storage/Kconfig index 38b7f6404e85..8becfdd4889c 100644 --- a/subsys/bootloader/bl_storage/Kconfig +++ b/subsys/bootloader/bl_storage/Kconfig @@ -6,4 +6,4 @@ config SECURE_BOOT_STORAGE bool "Library for accessing the bootloader storage" - select NRFX_RRAMC if SOC_SERIES_NRF54LX + select NRFX_RRAMC if SOC_SERIES_NRF54LX && !TRUSTED_EXECUTION_NONSECURE diff --git a/west.yml b/west.yml index 5189551ac7be..55a2f79e7cee 100644 --- a/west.yml +++ b/west.yml @@ -150,7 +150,7 @@ manifest: - name: trusted-firmware-m repo-path: sdk-trusted-firmware-m path: modules/tee/tf-m/trusted-firmware-m - revision: 82e7763eba112a350d58dd52dc39f340a291ffd0 + revision: pull/180/head - name: psa-arch-tests repo-path: sdk-psa-arch-tests path: modules/tee/tf-m/psa-arch-tests