mcu/nrf5340: Add scripts to export/import NSC code

This modifies tfm package so it produces library that can be used to build non-secure code that will call tfm functions provided by secure code (mcuboot) Signed-off-by: Jerzy Kasenberg <[email protected]>
apache · Oct 31, 2024 · 7f0a540 · 7f0a540
1 parent 7eb9a8e
commit 7f0a540
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 1 deletion.
diff --git a/hw/mcu/nordic/nrf5340/tfm/pkg.yml b/hw/mcu/nordic/nrf5340/tfm/pkg.yml
@@ -32,9 +32,16 @@ pkg.cflags.(!BOOT_LOADER && MCU_APP_SECURE && TFM_EXPORT_NSC):
 pkg.cflags.(!BOOT_LOADER && !MCU_APP_SECURE):
     - -mcmse
 
-pkg.lflags.(MCU_APP_SECURE && TFM_EXPORT_NSC):
+pkg.lflags.TFM_EXPORT_NSC:
     - -utfm_uicr_otp_read
     - -utfm_uicr_otp_write
     - -utfm_gpio_pin_mcu_select
     - -utfm_uicr_protect_device
     - -utfm_ficr_xosc32mtrim_read
+    - -Wl,--out-implib=bin/tfm_s_CMSE_lib.o -Wl,--cmse-implib
+
+pkg.post_link_cmds.TFM_EXPORT_NSC:
+    scripts/create_tfmlib.sh: 100
+
+pkg.pre_link_cmds.TFM_IMPORT_NSC:
+    scripts/import_tfmlib.sh: 100
diff --git a/hw/mcu/nordic/nrf5340/tfm/scripts/create_tfmlib.sh b/hw/mcu/nordic/nrf5340/tfm/scripts/create_tfmlib.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+AR=${MYNEWT_AR_PATH}
+
+pushd ${MYNEWT_PROJECT_ROOT}
+
+if [ -f ${MYNEWT_PROJECT_ROOT}/bin/tfm_s_CMSE_lib.o ] ; then
+  mv ${MYNEWT_PROJECT_ROOT}/bin/tfm_s_CMSE_lib.o ${MYNEWT_PKG_BIN_DIR}/
+  ${AR} rcs ${MYNEWT_BIN_DIR}/tfm_s_CMSE_lib.a ${MYNEWT_PKG_BIN_DIR}/tfm_s_CMSE_lib.o
+fi
+
+popd
diff --git a/hw/mcu/nordic/nrf5340/tfm/scripts/import_tfmlib.sh b/hw/mcu/nordic/nrf5340/tfm/scripts/import_tfmlib.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+if [ "${MYNEWT_VAL_TFM_SECURE_BOOT_TARGET}" != "" ] ; then
+  export IMPORT_LIBRARY=${MYNEWT_PROJECT_ROOT}/bin/targets/${MYNEWT_VAL_TFM_SECURE_BOOT_TARGET}/tfm_s_CMSE_lib.a
+
+  pushd ${MYNEWT_PROJECT_ROOT}
+
+  if [ -f ${IMPORT_LIBRARY} ] ; then
+    cp -u ${IMPORT_LIBRARY} ${MYNEWT_BUILD_GENERATED_DIR}/bin/
+  fi
+
+  popd
+fi
diff --git a/hw/mcu/nordic/nrf5340/tfm/src/tfm.c b/hw/mcu/nordic/nrf5340/tfm/src/tfm.c
@@ -21,6 +21,8 @@
 #include <nrf_gpio.h>
 #include <tfm/tfm.h>
 
+#if MYNEWT_VAL(TFM_EXPORT_NSC) || MYNEWT_VAL(MCU_APP_SECURE) || MYNEWT_VAL(BOOT_LOADER)
+
 int SECURE_CALL
 tfm_uicr_otp_read(uint8_t n, uint32_t *ret)
 {
@@ -110,3 +112,5 @@ tfm_ficr_xosc32mtrim_read(uint32_t *xosc32mtrim)
 
     return 0;
 }
+
+#endif
diff --git a/hw/mcu/nordic/nrf5340/tfm/syscfg.yml b/hw/mcu/nordic/nrf5340/tfm/syscfg.yml
@@ -24,6 +24,11 @@ syscfg.defs:
             If set to 1 secure function will be exported and can be used by
             non secure code.
         value:
+    TFM_IMPORT_NSC:
+        description: >
+            Application is non-secure and needs to import library generated
+            from secure code.
+        value:
     TFM_MCU_SEL_GPIO0:
         description: >
             Bit mask of GPIO0 pins that can be assigned between cores by non secure code.
@@ -40,3 +45,8 @@ syscfg.defs:
         description: >
             Maximum address of UICR OTP that can be accessed by non-secure core.
         value: 191
+
+    TFM_SECURE_BOOT_TARGET:
+        description: >
+            Mynewt target that holds TFM secure code.
+        value: