-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tf-m: Add Attestation support for nRF54L15 #19040
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -13,3 +13,9 @@ include(${PLATFORM_PATH}/common/${NRF_SOC_VARIANT}/config.cmake) | |
|
||
# Override PS_CRYPTO_KDF_ALG | ||
set(PS_CRYPTO_KDF_ALG PSA_ALG_SP800_108_COUNTER_CMAC CACHE STRING "KDF Algorithm to use") | ||
|
||
set(CONFIG_NRFX_RRAMC ON CACHE BOOL "Enable nrfx drivers for RRAMC") | ||
add_compile_definitions(CONFIG_NRFX_RRAMC) | ||
Comment on lines
+17
to
+18
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hmm, we are already using a very minimal homemade RRAMC driver in TF-M. What are you doing this for exactly? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. CONFIG_NRFX_RRAMC is used in attest_hal.c, which is used in both Zephyr and TF-M. For example here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ahem you are linking to There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah ups. Edited to change file name. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hmm okay, you are still linking to the example of |
||
|
||
# Override attestation to sign message instead of hash, because CRACEN drivers can not sign a hash. | ||
set(ATTEST_SIGN_MESSAGE ON CACHE BOOL "Sign message instead of hash") |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
CONFIG_TFM_NRF_PROVISIONING=n | ||
CONFIG_TFM_DUMMY_PROVISIONING=y | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I should enable nrf_provisioning |
||
|
||
CONFIG_SPI_NOR=n | ||
CONFIG_TFM_EXCEPTION_INFO_DUMP=y | ||
CONFIG_TFM_CMAKE_BUILD_TYPE_DEBUG=y | ||
CONFIG_TFM_SPM_LOG_LEVEL_DEBUG=y | ||
CONFIG_RESET_ON_FATAL_ERROR=n | ||
CONFIG_PM_PARTITION_SIZE_TFM=0x50800 | ||
# CONFIG_PSA_WANT_ALG_ECDSA_ANY=y | ||
CONFIG_DEBUG=y | ||
CONFIG_DEBUG_THREAD_INFO=y | ||
CONFIG_DEBUG_OPTIMIZATIONS=y |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
CONFIG_PM_PARTITION_SIZE_MCUBOOT=0xb800 | ||
CONFIG_SPI_NOR=n | ||
CONFIG_BOOT_MAX_IMG_SECTORS=256 | ||
|
||
# FPROTECT is set in NSIB instead | ||
CONFIG_FPROTECT=n |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,4 +6,4 @@ | |
|
||
config SECURE_BOOT_STORAGE | ||
bool "Library for accessing the bootloader storage" | ||
select NRFX_RRAMC if SOC_SERIES_NRF54LX | ||
select NRFX_RRAMC if SOC_SERIES_NRF54LX && !TRUSTED_EXECUTION_NONSECURE | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this still needed as you guarded |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will not work for other nRF SoCs.
Would it be better to do "if 5340 or 9160 or etc etc"?
Or to define an TFM_IDENTITY_KEY and then set that inside tfm_boards for each of the boards that use this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To me it makes sense to use a more generic Kconfig option rather than explicitly naming the affected SOCs. The list will likely change over time, so it's nice to not have a bunch of
if SOC_X [...]
all over.