tf-m: Add Attestation support for nRF54L15 #19040
Conversation
|
The following west manifest projects have changed revision in this Pull Request:
⛔ DNM label due to: 1 project with PR revision Note: This message is automatically posted and updated by the Manifest GitHub Action. |
github-actions
bot
added
the
changelog-entry-required
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
2235121 to
716c951
Compare
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:trusted-firmware-m: PR head: 9c1a5ad73e1b98a3f50b22743ac7bb848f52c504 more detailstrusted-firmware-m:
sdk-nrf:
Github labels
List of changed files detected by CI (19)Outputs:ToolchainVersion: b77d8c1312 Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
716c951 to
fce97d0
Compare
| @@ -115,7 +115,7 @@ if (${TFM_PARTITION_CRYPTO}) | |||
| tfm_sprt | |||
| ) | |||
|
|
|||
| if (${TFM_PARTITION_INITIAL_ATTESTATION}) | |||
| if ((${TFM_PARTITION_INITIAL_ATTESTATION}) AND CONFIG_IDENTITY_KEY) | |||
There was a problem hiding this comment.
This will not work for other nRF SoCs.
Would it be better to do "if 5340 or 9160 or etc etc"?
Or to define an TFM_IDENTITY_KEY and then set that inside tfm_boards for each of the boards that use this?
There was a problem hiding this comment.
To me it makes sense to use a more generic Kconfig option rather than explicitly naming the affected SOCs. The list will likely change over time, so it's nice to not have a bunch of if SOC_X [...] all over.
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
| @@ -0,0 +1,13 @@ | |||
| CONFIG_TFM_NRF_PROVISIONING=n | |||
| CONFIG_TFM_DUMMY_PROVISIONING=y | |||
There was a problem hiding this comment.
I should enable nrf_provisioning
| @@ -6,4 +6,4 @@ | |||
|
|
|||
| config SECURE_BOOT_STORAGE | |||
| bool "Library for accessing the bootloader storage" | |||
| select NRFX_RRAMC if SOC_SERIES_NRF54LX | |||
| select NRFX_RRAMC if SOC_SERIES_NRF54LX && !TRUSTED_EXECUTION_NONSECURE | |||
There was a problem hiding this comment.
Is this still needed as you guarded select SECURE_BOOT_STORAGE with if !TRUSTED_EXECUTION_NONSECURE?
(I don't know about this so I can't tell whether or not it makes sense to have this here. Maybe even the whole SECURE_BOOT_STORAGE Kconfig option should depend on !TRUSTED_EXECUTION_NONSECURE?)
| @@ -66,7 +66,7 @@ config TFM_PARTITION_INITIAL_ATTESTATION | |||
| select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT | |||
| select PSA_WANT_ALG_ECDSA | |||
| select PSA_WANT_ECC_SECP_R1_256 | |||
| select SECURE_BOOT_STORAGE | |||
| select SECURE_BOOT_STORAGE if !TRUSTED_EXECUTION_NONSECURE | |||
There was a problem hiding this comment.
| select SECURE_BOOT_STORAGE if !TRUSTED_EXECUTION_NONSECURE | |
| select SECURE_BOOT_STORAGE if TRUSTED_EXECUTION_SECURE |
?
| @@ -115,7 +115,7 @@ if (${TFM_PARTITION_CRYPTO}) | |||
| tfm_sprt | |||
| ) | |||
|
|
|||
| if (${TFM_PARTITION_INITIAL_ATTESTATION}) | |||
| if ((${TFM_PARTITION_INITIAL_ATTESTATION}) AND CONFIG_IDENTITY_KEY) | |||
There was a problem hiding this comment.
To me it makes sense to use a more generic Kconfig option rather than explicitly naming the affected SOCs. The list will likely change over time, so it's nice to not have a bunch of if SOC_X [...] all over.
| #include <bl_storage.h> | ||
|
|
||
|
|
| @@ -132,7 +143,15 @@ enum tfm_plat_err_t tfm_plat_get_boot_seed(uint32_t size, uint8_t *buf) | |||
| if (nrf_err != NRF_CC3XX_PLATFORM_SUCCESS) { | |||
| return TFM_PLAT_ERR_SYSTEM_ERR; | |||
| } | |||
|
|
|||
| #elif defined(CONFIG_PSA_NEED_CRACEN_KMU_DRIVER) | |||
There was a problem hiding this comment.
Please use the same macro when defining and using the boot_seed variables.
|
|
||
| #elif defined(CONFIG_PSA_NEED_CRACEN_KMU_DRIVER) | ||
| if (!boot_seed_set) { | ||
| psa_generate_random(boot_seed, 32); |
There was a problem hiding this comment.
| psa_generate_random(boot_seed, 32); | |
| psa_generate_random(boot_seed, sizeof(boot_seed)); |
| #elif defined(CONFIG_PSA_NEED_CRACEN_KMU_DRIVER) | ||
| if (!boot_seed_set) { | ||
| psa_generate_random(boot_seed, 32); | ||
| boot_seed_set = 1; |
There was a problem hiding this comment.
| boot_seed_set = 1; | |
| boot_seed_set = true; |
| psa_generate_random(boot_seed, 32); | ||
| boot_seed_set = 1; | ||
| } | ||
| memcpy(buf, boot_seed, sizeof(uint8_t) * 32); |
There was a problem hiding this comment.
| memcpy(buf, boot_seed, sizeof(uint8_t) * 32); | |
| memcpy(buf, boot_seed, size); |
maybe?
| set(CONFIG_NRFX_RRAMC ON CACHE BOOL "Enable nrfx drivers for RRAMC") | ||
| add_compile_definitions(CONFIG_NRFX_RRAMC) |
There was a problem hiding this comment.
Hmm, we are already using a very minimal homemade RRAMC driver in TF-M. What are you doing this for exactly?
(Also the add_compile_definitions() line seems a bit weird, why is it needed?)
There was a problem hiding this comment.
CONFIG_NRFX_RRAMC is used in attest_hal.c, which is used in both Zephyr and TF-M. For example here.
If I remove add_compile_definitions(), I get errors such as "CONFIG_NRFX_RRAMC" not defined. I don't know if this is the correct way to add it, I just copied it from cpuarch.cmake.
Do you think I should look for alternative ways to get this config included?
There was a problem hiding this comment.
Ahem you are linking to add_compile_definitions(__NRF_TFM__) in cpuarch.cmake?
There was a problem hiding this comment.
Ah ups. Edited to change file name.
There was a problem hiding this comment.
Hmm okay, you are still linking to the example of __NRF_TFM__, I thought you'd have an example with CONFIG_NRFX_RRAMC. (After grepping I see there is none).
I am not sure, but it seems like this add_compile_definitions() could be unconditionally adding CONFIG_NRFX_RRAMC as a define? Or does it somehow get its value from the set() line above? Do you know how it works?
I'm wondering why don't we do this via Kconfig, as this is a Kconfig option.
This doesn't seem like a natural (or proper) way to do that, but I'm not sure.
What is this needed for exactly? Where do you get errors from?
Add support for PSA Attestation to the nRF54L15. Includes noup changes to TF-M repository. Ref: NCSDK-22598 Signed-off-by: Sigurd Hellesvik <[email protected]>
hellesvik-nordic
force-pushed
the
nrf54l15_attestation
branch
from
fce97d0 to
8b0040b
Compare
Add support for PSA Attestation to the nRF54L15. Includes noup changes to TF-M repository.
Ref: NCSDK-22598