[nrf noup] target: add eraseprotect support

cmake/install.cmake

@@ -72,34 +72,40 @@ if (TFM_PARTITION_INTERNAL_TRUSTED_STORAGE)
 endif()
 
 if (TFM_PARTITION_CRYPTO)
-    install(FILES       ${INTERFACE_INC_DIR}/psa/README.rst
-                        ${INTERFACE_INC_DIR}/psa/build_info.h
-                        ${INTERFACE_INC_DIR}/psa/crypto.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_auto_enabled.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_dependencies.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_key_pair_types.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_synonyms.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_composites.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_key_derivation.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_primitives.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_compat.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_common.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_composites.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_key_derivation.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_primitives.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_extra.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_legacy.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_platform.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_se_driver.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_sizes.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_struct.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_types.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_values.h
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR}/psa)
-    install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR})
-    install(DIRECTORY   ${INTERFACE_INC_DIR}/mbedtls
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        if(PSA_CRYPTO_EXTERNAL_CORE)
+                include(${TARGET_PLATFORM_PATH}/../external_core_install.cmake)
+                install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        else()
+                install(FILES       ${INTERFACE_INC_DIR}/psa/README.rst
+                                        ${INTERFACE_INC_DIR}/psa/build_info.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_auto_enabled.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_dependencies.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_key_pair_types.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_synonyms.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_composites.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_key_derivation.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_primitives.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_compat.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_common.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_composites.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_key_derivation.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_primitives.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_extra.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_legacy.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_platform.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_se_driver.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_sizes.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_struct.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_types.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_values.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR}/psa)
+                install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+                install(DIRECTORY   ${INTERFACE_INC_DIR}/mbedtls
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        endif()
 endif()
 
 if (TFM_PARTITION_INITIAL_ATTESTATION)
@@ -282,10 +288,11 @@ else()
         )
 endif()
 
+# PSA_CRYPTO_EXTERNAL_CORE
 target_include_directories(psa_interface
         INTERFACE
         $<INSTALL_INTERFACE:interface/include>
-        )
+)
 
 install(EXPORT tfm-config
         FILE spe_export.cmake

cmake/spe-CMakeLists.cmake

@@ -34,6 +34,15 @@ target_sources(tfm_api_ns
 )
 
 # Include interface headers exported by TF-M
+if(PSA_CRYPTO_EXTERNAL_CORE)
+    include(${TARGET_PLATFORM_PATH}/../external_core.cmake)
+else()
+    target_include_directories(tfm_api_ns
+        PUBLIC
+            ${INTERFACE_INC_DIR}
+    )
+endif()
+
 target_include_directories(tfm_api_ns
     PUBLIC
         ${INTERFACE_INC_DIR}

cmake/version.cmake

@@ -16,7 +16,7 @@ execute_process(COMMAND git describe --tags --always
 # In a repository cloned with --no-tags option TFM_VERSION_FULL will be a hash
 # only hence checking it for a tag format to accept as valid version.
 
-string(FIND ${TFM_VERSION_FULL} "TF-M" TFM_TAG)
+string(FIND ${TFM_VERSION_FULL} "v" TFM_TAG)
 if(TFM_TAG EQUAL -1)
     set(TFM_VERSION_FULL v${TFM_VERSION_MANUAL})
 endif()
@@ -25,8 +25,3 @@ string(REGEX REPLACE "TF-M" "" TFM_VERSION_FULL ${TFM_VERSION_FULL})
 # remove a commit number
 string(REGEX REPLACE "-[0-9]+-g" "+" TFM_VERSION_FULL ${TFM_VERSION_FULL})
 string(REGEX MATCH "[0-9]+\\.[0-9]+\\.[0-9]+" TFM_VERSION ${TFM_VERSION_FULL})
-
-# Check that manually set version is up to date
-if (NOT TFM_VERSION_MANUAL STREQUAL TFM_VERSION)
-    message(WARNING "TFM_VERSION_MANUAL mismatches to actual TF-M version. Please update TFM_VERSION_MANUAL in cmake/version.cmake")
-endif()

config/check_config.cmake

@@ -17,6 +17,8 @@ tfm_invalid_config(TFM_MULTI_CORE_TOPOLOGY AND TFM_NS_MANAGE_NSID)
 tfm_invalid_config(TFM_PLAT_SPECIFIC_MULTI_CORE_COMM AND NOT TFM_MULTI_CORE_TOPOLOGY)
 tfm_invalid_config(TFM_ISOLATION_LEVEL EQUAL 3 AND CONFIG_TFM_STACK_WATERMARKS)
 
+tfm_invalid_config(CONFIG_TFM_LOG_SHARE_UART AND NOT SECURE_UART1)
+
 ########################## BL1 #################################################
 
 tfm_invalid_config(TFM_BL1_2_IN_OTP AND TFM_BL1_2_IN_FLASH)

config/config_base.cmake

@@ -91,6 +91,7 @@ set(CONFIG_TFM_HALT_ON_CORE_PANIC       OFF         CACHE BOOL       "On fatal e
 
 set(CONFIG_TFM_STACK_WATERMARKS         OFF         CACHE BOOL      "Whether to pre-fill partition stacks with a set value to help determine stack usage")
 
+set(CONFIG_TFM_LOG_SHARE_UART           OFF         CACHE BOOL      "Allow TF-M and the non-secure application to share the UART instance. TF-M will use it while it is booting, after which the non-secure application will use it until an eventual fatal error is handled and logged by TF-M. Logging from TF-M will therefore otherwise be suppressed")
 ############################ Platform ##########################################
 
 set(NUM_MAILBOX_QUEUE_SLOT              1           CACHE BOOL      "Number of mailbox queue slots")
@@ -132,6 +133,7 @@ set(BL2_TRAILER_SIZE                    0x000       CACHE STRING    "BL2 Trailer
 set(TFM_PARTITION_PROTECTED_STORAGE     OFF         CACHE BOOL      "Enable Protected Storage partition")
 set(PS_ENCRYPTION                       ON          CACHE BOOL      "Enable encryption for Protected Storage partition")
 set(PS_CRYPTO_AEAD_ALG                  PSA_ALG_GCM CACHE STRING    "The AEAD algorithm to use for authenticated encryption in Protected Storage")
+set(PS_CRYPTO_KDF_ALG                   PSA_ALG_HKDF\(PSA_ALG_SHA_256\) CACHE STRING "KDF Algorithm to use for Protect Storage")
 
 set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF      CACHE BOOL      "Enable Internal Trusted Storage partition")
 set(ITS_ENCRYPTION                   OFF         CACHE BOOL      "Enable authenticated encryption of ITS files using platform specific APIs")

docs/contributing/maintainers.rst

@@ -220,11 +220,11 @@ William Vinnicombe
     :email: `[email protected] <[email protected]>`__
     :github: `Raspberry Pi <https://github.com/raspberrypi>`__
 
-Analog Devices Platform:
-~~~~~~~~~~~~~~~~~~~~~~~~
+Analog Devices Platform
+~~~~~~~~~~~~~~~~~~~~~~~
 
 Sadik Ozer
-    :email: `[email protected]`__
+    :email: `[email protected] <[email protected]>`__
     :github: `ozersa <https://github.com/ozersa>`__
 
 =============

docs/platform/lairdconnectivity/bl5340_dvk_cpuapp/README.rst

@@ -24,7 +24,7 @@ The following links provide useful information about the BL5340
 BL5340 website:
    https://www.lairdconnect.com/wireless-modules/bluetooth-modules/bluetooth-5-modules/bl5340-series-multi-core-bluetooth-52-802154-nfc-modules
 
-Nordic Semiconductor Infocenter: https://infocenter.nordicsemi.com
+Nordic Semiconductor TechDocs: https://docs.nordicsemi.com
 
 Building TF-M on BL5340 Application MCU
 ---------------------------------------
@@ -74,17 +74,25 @@ To install the J-Link Software and documentation pack, follow the steps below:
 #. When connecting a J-Link-enabled board such as a BL5340 DVK, a serial port
 should come up
 
-nRF Command-Line Tools Installation
-***********************************
+nRF Util Installation
+*********************
 
-The nRF Command-line Tools allow you to control your BL5340 module from the
+nRF Util allows you to control your BL5340 module from the
 command line, including resetting it, erasing or programming the flash memory
 and more.
 
-To install them, visit `nRF Command-Line Tools`_ and select your operating
-system.
+To install nRF Util:
 
-After installing, make sure that ``nrfjprog`` is somewhere in your executable
+1. Visit `nRF Util product page`_.
+2. Download the executable.
+3. Follow the `nRF Util installation instructions`_.
+4. Install ``nrfutil device`` subcommand for programming, flashing, and erasing devices:
+
+   .. code-block:: console
+
+      nrfutil install device
+
+After installing, make sure that ``nrfutil.exe`` is somewhere in your executable
 path to be able to invoke it from anywhere.
 
 BL2, S, and NS application images can be flashed into BL5340 separately or may
@@ -95,7 +103,7 @@ Flashing the BL5340 DVK
 
 To program the flash with a compiled TF-M image (i.e. S, NS or both) after
 having followed the instructions to install the Segger J-Link Software and the
-nRF Command-Line Tools, follow the steps below:
+nRF Util, follow the steps below:
 
 Generate Intel hex files from the output binary (bin) files as follows:
 
@@ -108,27 +116,27 @@ Generate Intel hex files from the output binary (bin) files as follows:
 
 .. code-block:: console
 
-   nrfjprog --eraseall -f nrf53
+   nrfutil device erase --all --x-family nrf53
 
 * Flash the BL2 and the TF-M image binaries from the sample folder of your choice:
 
 .. code-block:: console
 
-   nrfjprog --program <sample folder>/install/outputs/LAIRDCONNECTIVITY/BL5340_DVK_CPUAPP/bl2.hex -f nrf53 --sectorerase
-   nrfjprog --program <sample folder>/install/outputs/LAIRDCONNECTIVITY/BL5340_DVK_CPUAPP/tfm_s_ns_signed.hex -f nrf53 --sectorerase
+   nrfutil device program --x-family nrf53 --firmware <sample folder>/install/outputs/LAIRDCONNECTIVITY/BL5340_DVK_CPUAPP/bl2.hex --options chip_erase_mode=ERASE_RANGES_TOUCHED_BY_FIRMWARE
+   nrfutil device program --x-family nrf53 --firmware <sample folder>/install/outputs/LAIRDCONNECTIVITY/BL5340_DVK_CPUAPP/tfm_s_ns_signed.hex --options chip_erase_mode=ERASE_RANGES_TOUCHED_BY_FIRMWARE
 
 * Reset and start TF-M:
 
 .. code-block:: console
 
-   nrfjprog --reset -f nrf53
+   nrfutil device reset --x-family nrf53
 
 Flashing the BL5340 DVK (Secondary slot in QSPI, with BL2)
 **********************************************************
 
 To program the flash with a compiled TF-M image (i.e. S, NS or both) after
 having followed the instructions to install the Segger J-Link Software and the
-nRF Command-Line Tools to the secondary , follow the steps below:
+nRF Util to the secondary , follow the steps below:
 
 Generate Intel hex files from the output binary (bin) files as follows:
 
@@ -141,20 +149,20 @@ Generate Intel hex files from the output binary (bin) files as follows:
 
 .. code-block:: console
 
-   nrfjprog --eraseall -f nrf53
+   nrfutil device erase --all --x-family nrf53
 
 * Flash the BL2 and the TF-M image binaries from the sample folder of your choice:
 
 .. code-block:: console
 
-   nrfjprog --program <sample folder>/install/outputs/LAIRDCONNECTIVITY/BL5340_DVK_CPUAPP/bl2.hex -f nrf53 --sectorerase
-   nrfjprog --program <sample folder>/install/outputs/LAIRDCONNECTIVITY/BL5340_DVK_CPUAPP/tfm_s_ns_signed.hex -f nrf53 --qspisectorerase
+   nrfutil device program --x-family nrf53 --firmware <sample folder>/install/outputs/LAIRDCONNECTIVITY/BL5340_DVK_CPUAPP/bl2.hex --options chip_erase_mode=ERASE_RANGES_TOUCHED_BY_FIRMWARE
+   nrfutil device program --x-family nrf53 --firmware <sample folder>/install/outputs/LAIRDCONNECTIVITY/BL5340_DVK_CPUAPP/tfm_s_ns_signed.hex --options ext_mem_erase_mode=ERASE_RANGES_TOUCHED_BY_FIRMWARE
 
 * Reset and start TF-M:
 
 .. code-block:: console
 
-   nrfjprog --reset -f nrf53
+   nrfutil device reset --x-family nrf53
 
 
 Secure UART Console on BL5340 DVK
@@ -169,7 +177,9 @@ Non-Secure console output is available via USART0.
 
     By default USART0 and USART1 outputs are routed to separate serial ports.
 
-.. _nRF Command-Line Tools: https://www.nordicsemi.com/Software-and-Tools/Development-Tools/nRF-Command-Line-Tools
+.. _nRF Util product page: https://www.nordicsemi.com/Products/Development-tools/nRF-Util/
+
+.. _nRF Util installation instructions: https://docs.nordicsemi.com/bundle/nrfutil/page/guides/installing.html
 
 .. _J-Link Software and documentation pack: https://www.segger.com/jlink-software.html
 

docs/platform/nordic_nrf/nrf5340dk_nrf5340_cpuapp/README.rst

@@ -22,7 +22,7 @@ The following links provide useful information about the nRF5340
 nRF5340 DK website:
    https://www.nordicsemi.com/Software-and-tools/Development-Kits/nRF5340-DK
 
-Nordic Semiconductor Infocenter: https://infocenter.nordicsemi.com
+Nordic Semiconductor TechDocs: https://docs.nordicsemi.com
 
 
 Building TF-M on nRF5340 Application MCU
@@ -72,17 +72,25 @@ To install the J-Link Software and documentation pack, follow the steps below:
 #. When connecting a J-Link-enabled board such as an nRF5340 DK, a drive
    corresponding to a USB Mass Storage device as well as a serial port should come up
 
-nRF Command-Line Tools Installation
-*************************************
+nRF Util Installation
+*********************
 
-The nRF Command-line Tools allow you to control your nRF5340 device from the command line,
+nRF Util allows you to control your nRF5340 device from the command line,
 including resetting it, erasing or programming the flash memory and more.
 
-To install them, visit `nRF Command-Line Tools`_ and select your operating
-system.
+To install nRF Util:
 
-After installing, make sure that ``nrfjprog`` is somewhere in your executable path
-to be able to invoke it from anywhere.
+1. Visit `nRF Util product page`_.
+2. Download the executable.
+3. Follow the `nRF Util installation instructions`_.
+4. Install ``nrfutil device`` subcommand for programming, flashing, and erasing devices:
+
+   .. code-block:: console
+
+      nrfutil install device
+
+After installing, make sure that ``nrfutil.exe`` is somewhere in your executable
+path to be able to invoke it from anywhere.
 
 BL2, S, and NS application images can be flashed into nRF5340 separately or may be merged
 together into a single binary.
@@ -106,27 +114,27 @@ Generate Intel hex files from the output binary (bin) files as follows:
 
 .. code-block:: console
 
-   nrfjprog --eraseall -f nrf53
+   nrfutil device erase --all --x-family nrf53
 
 * (Optionally) Erase the flash memory and reset flash protection and disable
    the read back protection mechanism if enabled.
 
 .. code-block:: console
 
-   nrfjprog --recover -f nrf53
+   nrfutil device recover --x-family nrf53
 
 * Flash the BL2 and the TF-M image binaries from the sample folder of your choice:
 
 .. code-block:: console
 
-   nrfjprog --program build_spe/bin/bl2.hex -f nrf53 --sectorerase
-   nrfjprog --program build_app/tfm_s_ns_signed.hex -f nrf53 --sectorerase
+   nrfutil device program --x-family nrf53 --firmware build_spe/bin/bl2.hex --options chip_erase_mode=ERASE_RANGES_TOUCHED_BY_FIRMWARE
+   nrfutil device program --x-family nrf53 --firmware build_app/tfm_s_ns_signed.hex --options chip_erase_mode=ERASE_RANGES_TOUCHED_BY_FIRMWARE
 
 * Reset and start TF-M:
 
 .. code-block:: console
 
-   nrfjprog --reset -f nrf53
+   nrfutil device reset --x-family nrf53
 
 
 Secure UART Console on nRF5340 DK
@@ -141,7 +149,9 @@ Non-Secure console output is available via USART0.
 .. note::
    By default USART0 and USART1 outputs are routed to separate serial ports.
 
-.. _nRF Command-Line Tools: https://www.nordicsemi.com/Software-and-Tools/Development-Tools/nRF-Command-Line-Tools
+.. _nRF Util product page: https://www.nordicsemi.com/Products/Development-tools/nRF-Util/
+
+.. _nRF Util installation instructions: https://docs.nordicsemi.com/bundle/nrfutil/page/guides/installing.html
 
 .. _J-Link Software and documentation pack: https://www.segger.com/jlink-software.html