[nrf noup] target: add eraseprotect support #200
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There are some hardware registers in Nordic platforms which are mapped as secure only. In order to allow the non-secure application to control these registers I added here a secure service which allows 32-bit writes to secure mapped memory. The writes are only allowed on addresses and masks defined in a header list. It is also possible to provide an allowed_values list in order to further limit the accepted values. Renamed: tfm_read_ranges.h -> tfm_platform_user_memory_ranges.h since now it can be used for both reads and writes. The list in the current platforms is empty and might be populated later. Signed-off-by: Georgios Vasilakis <[email protected]> Change-Id: Ifa31ba73ec07b216a7e987653255fcc6e9d3989c (cherry picked from commit 57b3342)
On certain nRF plaforms, like nRF9160, reading UICR registers might need special handling, which is already implemented in nrfx_nvmc_uicr_word_read() so use that, instead on memcpy(). For more information, see nRF9160 Errata 7. Change-Id: Iea9d0bf4184decd5650b4d4b620fbef0c64a55f6 Signed-off-by: Seppo Takalo <[email protected]> (cherry picked from commit ca03e40)
The anomaly only appears on nRF91 platforms and some platforms do not have NVMC so the header cannot be included. Change-Id: I02c73c9a752599ca9be9320dc19f390aea0f767a Signed-off-by: Seppo Takalo <[email protected]> (cherry picked from commit 539dd89)
Add missing capacity in tfm_ps_get_info calls. Change-Id: I37432d204ee87971915471dce9b3a2ebcce057e2 Signed-off-by: Markus Lassila <[email protected]> (cherry picked from commit fafe163)
Some devices do not have RTC peripheral. Change-Id: I53ac17da50e30edbfa76379725036fe16be1f12d Signed-off-by: Nikodem Kastelik <[email protected]> (cherry picked from commit a4e1013e2f8908c8f0e276a3d5fcf39abbec9e72)
Updated nrfjprog commands and mentions of nRF Command Line Tools to nRF Util. NCSDK-30140. Change-Id: Ie76a97c232867bafe0f0675481aa4f9c15a113a8 Signed-off-by: Grzegorz Ferenc <[email protected]> (cherry picked from commit 58331ddc34b4eff5975dfe85e5e0526e6c6e5a30)
Fix a broken link in the maintainers file. Change-Id: Ia3865e36edec3c00893785e4729d4f7937eeb57b Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit 9c27b32bcebb37fe887b2e89584c9fc16bd4bd1c)
Fix a document reference. Change-Id: I4be1e2aab7f81db0e2b953cbd9261fc5e730fffc Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit 771317e45ffc0a2c8213a81164ffde975417aa7d)
Similarly to what has been done for psa_can_do_hash() and for the same root cause, exposing the same behaviour. Signed-off-by: Antonio de Angelis <[email protected]> Change-Id: I09e6adfb718951b17c6d3bf77e6b7f5cd1135e0d (cherry picked from commit 7774b0872d66337c4ea293a346c0ab0c8dab56f3)
Fix a path issue with the non secure application config.cmake file. The config.cmake for nRF54L10 and nRF54L15 is the same. To avoid duplicating the file the config.cmake is placed in a common nrf54l folder and it is included by each platforms config.cmake files. This doesn't work for the non secure application because the path does not exist. To fix that install to the non secure application the common file directly. Signed-off-by: Georgios Vasilakis <[email protected]> Change-Id: I36d6bed5d1f2a71ed12f9004485accfcbca1b0d6 (cherry picked from commit 51352be0fde5b1d318bbe26ab03c08227542f399)
The readme file is all uppercase letters, so it must be referenced that way. Change-Id: Ia54e6234c2aa19f076dc72f9602adcfacd77627f Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit 5d9f340feb9d8fb7ff7e582a7087a8b20f0cea0c)
TF-M checks if p256-m is available during build time using MBEDCRYPTO_PATH which is set to the TF-M repo to use custom Mbed TLS cmake configurations, but this means the script can not be found. But as Mbed TLS software crypto is not used anyway we can hardcode p256-m to be disabled. Ref: NCSDK-28740 Signed-off-by: Sebastian Bøe <[email protected]> Signed-off-by: Markus Swarowsky <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]>
…nifest This commit is [nrf noup] because I would like to user-test this for a few months in case of unintended side-effects before upstreaming. In the TF-M build scripts we run the manifest tool twice, first from CMake and then from ninja. It is bad practice to configure CMake projects like this. Instead, if configuration from CMake is necessary, one should configure from CMake only, and then re-run CMake when necessary, not just the command. This organization has been causing problems for our users as they have been required to rebuild TF-M twice. This is due to this scenario playing out: CMake generates config_impl.cmake by invoking the manifest tool at Configure time. CMake generates build.ninja. Ninja generates config_impl.cmake by invoking the manifest tool at build time. When the user then invokes ninja a second time config_impl.cmake will be newer than build.ninja. But CMake is supposed to be includ'ing config_impl.cmake, so build.ninja is now considered out-of-date wrt. config_impl.cmake. ninja therefore invokes CMake again, and then ninja afterwards. Ref: NCSDK-28740 Signed-off-by: Sebastian Bøe <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]>
This is noup commit as upstream TF-M relies on the mbed TLS PSA Core hat does not support the PAKE API's according to 1.2 at the moment. Once this exists then this can be up streamed, or removed if TF-M adds it themself. Added PAKE API support accoding the PSA crypto spec 1.2 Ref: NCSDK-22416 Ref: NCSDK-28740 Signed-off-by: Markus Swarowsky <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Allows custom key-loader to be used for the PSA core and allows configuring CMAC KDF usage for PS. noup-reason: PSA_ALG_SP800_108_COUNTER_CMAC is not available in upstream. After testing and verifying the solution (determining if we need further changes) we should try to upstream this. Ref: NCSDK-28740 Signed-off-by: Vidar Lillebø <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]>
This commit is a noup because we want an NCS specific error message. Detect wrong headers being included. See comment for details. Ref: NCSDK-28740 Signed-off-by: Sebastian Bøe <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Version check depends on upstream's tagging scheme which differs from NCS's Signed-off-by: Vidar Lillebø <[email protected]>
-This commit adds support for externally built PSA core in TF-M by checking for the CMake variable (cached) PSA_CRYPTO_EXTERNAL_CORE. By setting this define, then a platform-target file called external_core.cmake as well as external_core_install.cmake is called to allow for the following: - Early include of necessary replacement include folders - Support for using generated configuration files for TF-M build -This commit also tries to make psa_crypto_config and psa_crypto_library_config linked in first to ensure that certain folders are included as early as possible in the build Signed-off-by: Frank Audun Kvamtrø <[email protected]> Signed-off-by: Georgios Vasilakis <[email protected]>
-The macro ARRAY_LENGTH is defined without checking if there is already a definition. This commit can be reverted once the proposed fix is handled upstream -This fixes ARRAY_LENGTH in s_io_sorage_tests.c Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This adds MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS and PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY to tfm_psa_rot_partition_crypto Signed-off-by: Frank Audun Kvamtrø <[email protected]>
…r sharing -Will be squashed in a different commit which was the version that worked before Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Signed-off-by: Georgios Vasilakis <[email protected]>
…nce. Add an option to send the log output from the secure firmware on a UART instance that would be shared with the non-secure application. This option is added where the number of UART instances is limited and the application only cares about the receiving the TF-M log on fatal errors. To allow this option to be enabled the log is disabled in the boot process before the non-secure application is started. It is enabled again when an unrecoverable exception has occurred in the secure firmware. Here is an abandoned upstream PR (with some of the fixes): https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25905 Note: This has removed any information about cherry-picked items as this is not valid since it is combining efforts form multiple commits Ref: NCSDK-18595 Ref: NCSDK-28740 Signed-off-by: Joakim Andersson <[email protected]> Signed-off-by: Markus Swarowsky <[email protected]> Signed-off-by: Sebastian Bøe <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Adjust CRYPTO_HW_ACCELERATOR build scripts to also support nrf_security. Signed-off-by: Sebastian Bøe <[email protected]> Signed-off-by: Joakim Andersson <[email protected]> (cherry picked from commit c136210) (cherry picked from commit 3834117) Signed-off-by: Joakim Andersson <[email protected]> (cherry picked from commit 2bdad64) Signed-off-by: Markus Swarowsky <[email protected]> Change-Id: Ied8e378ef55fe398ea4e45f65b3c270e9e9cd030 Signed-off-by: Markus Swarowsky <[email protected]> (cherry picked from commit 5903966) Signed-off-by: Markus Swarowsky <[email protected]> (cherry picked from commit a3a03e5) Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 3f08f25) Signed-off-by: Tomi Fontanilles <[email protected]>
Get rid of the CMake warning which happens when `TFM_VERSION_MANUAL` mismatches `TFM_VERSION_FULL`. The latter is obtained with Git tags, which cannot be relied on in NCS. Signed-off-by: Tomi Fontanilles <[email protected]>
This is a noup because the upstream commit 77aabb76e4bb1cfa13d1caf913e8335a489d3540 (from the main branch) does not apply cleanly. Fix the use of the aad_size struct parameter in Nordic's ITS encryption HAL. In addition, fix the remaining use of add/add_size as parameter names in the ITS partition code. Signed-off-by: Tomi Fontanilles <[email protected]>
…urity In nRF54L series the GPIOTE peripheral has user selectable security configuration. In addition to this the GPIOTE channels and interrupts can have separate security configuration. This change adds the option to make the GPIOTE20 and GPIOTE30 secure peripherals and to set a mask which defines which channels and interrupts should be configured as secure. Signed-off-by: Georgios Vasilakis <[email protected]> Change-Id: Ia4422506b0c9af70da252262bcdc205ac8829511 (cherry picked from commit 4331b1ad1243caac9c3f4d7ce5a2af7f7cbc4ed1)
There are multiple headers which exist in the Oberon PSA core and
in TF-M. At the same time some of these headers include other headers
with quotes "" which means that the folder include order doesn't have
any effect.
Instead of relying to the include order of the folders remove the
duplicate files from TF-M since these are not/should not be used.
I removed them with a bash command, just in case is needed:
for i in $(PATH_TO_OBERON/include/psa -name "*.h" -printf "%f\n");
do
rm TFM_PATH/interface/include/psa/$i;
done
This commit removes headers which are updated by the commit:
[nrf noup] crypto: Add PAKE support
The commits cannot be combined because the have different scope
but in the next upmerge this commit can be applied before the
PAKE support and this will reduce the scope of the PAKE noup.
Ref: NCSDK-33148
Signed-off-by: Georgios Vasilakis <[email protected]>
fixup! [nrf noup] tf-m: Enable support for external PSA core Install the tfm_crypto_defs.h from TF-M since now the nrf_security files are removed. Ref: NCSDK-33148 Signed-off-by: Georgios Vasilakis <[email protected]>
The Oberon PSA core provides these two functions: psa_key_derivation_verify_key psa_key_derivation_verify_bytes TF-M is not aware of the Oberon PSA core and it seems that the core that they use doesn't provide these functions at all. So instead of the usual logic of prefixing the PSA core functions with the mbedcrypto__ prefix it skipped these. We cannot skip the prefixing because the Oberon PSA core implements these and thus we will get multiple definitions errors. Ref: NCSDK-33148 Signed-off-by: Georgios Vasilakis <[email protected]>
Add support for enabling eraseprotect on boot. Ref: NCSDK-33195 Signed-off-by: Maximilian Deubel <[email protected]>
| @@ -849,6 +849,15 @@ enum tfm_plat_err_t init_debug(void) | |||
| return TFM_PLAT_ERR_SYSTEM_ERR; | |||
| } | |||
| #endif | |||
| #if defined(NRF_ERASEPROTECT) && !defined(NRF54L_SERIES) | |||
There was a problem hiding this comment.
How does this work with non NS builds when the TF-M is not activated?
I think that the correct place for this would be in the MDK in system_nrf91_approtect.h.
There was a problem hiding this comment.
it needs to be there as well, yes.
There was a problem hiding this comment.
Also note that erase protect will likely only be activated from the first boot after this is set. So the device should be reset after setting this.
There was a problem hiding this comment.
it needs to be there as well, yes.
It does not need to be here. All the images call system_nrf91_approtect.h.
There was a problem hiding this comment.
That said, you will need to convey the Kconfig through TF-M compile definitions to system_nrf91_approtect.h. So you will need the rest of this.
There was a problem hiding this comment.
This becomes a problem if the device is already in the field and protection needs to be applied over FOTA.
There was a problem hiding this comment.
Can you elaborate a bit on the problematic scenario? I am not sure what you mean.
There was a problem hiding this comment.
Let's say someone forgot to lock down devices and they are already in production. They cannot necessarily update the bootloader. So, to lock down those devices, they would have to do it in TF-M.
There was a problem hiding this comment.
SystemInit() which ends up calling the nrf91_handle_approtect is called from TF-M.
I am not 100% on this, but I think that the SystemInit() in the nrfx mdk is actually located in the application side, so it would be updated with application image update. So even if there was no support for erase protect in there, it could be updated and set.
That said, you should definitively start the discussion about having this in MDK with Christian Van Bijeveld.
There was a problem hiding this comment.
The application is running in non-secure mode and cannot access the peripheral needed. This is different from APPROTECT that can be enabled from non-secure mode.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add support for enabling eraseprotect on boot.
Ref: NCSDK-33195