boards: arm: Add support for TF-M in nRF5340 PDK Adding support for TF-M in the Nordic nRF5340 Application MCU. Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
diff --git a/boards/arm/nrf5340dk_nrf5340/CMakeLists.txt b/boards/arm/nrf5340dk_nrf5340/CMakeLists.txt
index d389eed..a2b8fb0 100644
--- a/boards/arm/nrf5340dk_nrf5340/CMakeLists.txt
+++ b/boards/arm/nrf5340dk_nrf5340/CMakeLists.txt
@@ -7,3 +7,82 @@
 zephyr_library()
 zephyr_library_sources(nrf5340_cpunet_reset.c)
 endif()
+
+if (CONFIG_BUILD_WITH_TFM)
+ # Set default image versions if not defined elsewhere
+ if (NOT DEFINED TFM_IMAGE_VERSION_S)
+ set(TFM_IMAGE_VERSION_S 0.0.0+0)
+ endif()
+
+ if (NOT DEFINED TFM_IMAGE_VERSION_NS)
+ set(TFM_IMAGE_VERSION_NS 0.0.0+0)
+ endif()
+
+ set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
+ set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
+ set(TFM_MCUBOOT_DIR "${ZEPHYR_TFM_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
+
+ # Configure which format (full or hash) to include the public key in
+ # the image manifest
+ if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)
+ set(TFM_PUBLIC_KEY_FORMAT "full")
+ endif()
+
+ # Set srec_cat binary name
+ find_program(SREC_CAT srec_cat)
+ if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
+ message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
+ endif()
+
+ #Create and sign for concatenated binary image, should align with the TF-M BL2
+ set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+
+ #Sign secure binary image with public key
+ COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
+ --layout ${PREPROCESSED_FILE_S}
+ -k ${CONFIG_TFM_KEY_FILE_S}
+ --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
+ --align 1
+ -v ${TFM_IMAGE_VERSION_S}
+ --pad
+ --pad-header
+ ${ADD_NS_IMAGE_MIN_VER}
+ -s auto
+ -H 0x400
+ ${CMAKE_BINARY_DIR}/tfm/install/outputs/NORDIC_NRF/NRF5340PDK_NRF5340_CPUAPP/tfm_s.bin
+ ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
+
+ #Sign non-secure binary image with public key
+ COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
+ --layout ${PREPROCESSED_FILE_NS}
+ -k ${CONFIG_TFM_KEY_FILE_NS}
+ --public-key-format ${TFM_PUBLIC_KEY_FORMAT}
+ --align 1
+ -v ${TFM_IMAGE_VERSION_NS}
+ -s auto
+ ${ADD_S_IMAGE_MIN_VER}
+ -H 0x400
+ ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
+ ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
+
+ #Create concatenated binary image from the two independently signed binary files
+ COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
+ --layout ${PREPROCESSED_FILE_S}
+ -s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
+ -n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
+ -o ${CMAKE_BINARY_DIR}/tfm_sign.bin
+
+ #Copy mcuboot.bin
+ COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/tfm/bin/bl2.bin ${CMAKE_BINARY_DIR}/mcuboot.bin
+
+ # Generate an intel hex file from the signed output binary
+ COMMAND srec_cat ${CMAKE_BINARY_DIR}/tfm_sign.bin
+ -binary
+ -offset 0x10000
+ -o ${CMAKE_BINARY_DIR}/tfm_sign.hex
+ -intel
+
+ # Copy tfm_sign.hex to zephyr
+ COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/tfm_sign.hex ${CMAKE_BINARY_DIR}/zephyr/${KERNEL_HEX_NAME}
+ )
+endif()
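Review bot: The hex-generation step runs a bare `srec_cat` even though `find_program(SREC_CAT srec_cat)` has already resolved and cached the tool's path, so the binary checked at configure time is not necessarily the one that runs after the build. Use the resolved path, `COMMAND ${SREC_CAT} ${CMAKE_BINARY_DIR}/tfm_sign.bin`, and test the lookup with `if(NOT SREC_CAT)` rather than the unquoted `if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)`. The two signing commands also pass `-k ${CONFIG_TFM_KEY_FILE_S}` and `-k ${CONFIG_TFM_KEY_FILE_NS}` unchecked: if either option is empty, `-k` is followed directly by `--public-key-format`, and the problem presumably surfaces only when wrapper.py runs as a post-build step. A configure-time `message(FATAL_ERROR ...)` when either key option is empty would turn a misconfigured signing key into an early, explicit error.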
diff --git a/boards/arm/nrf5340dk_nrf5340/board.cmake b/boards/arm/nrf5340dk_nrf5340/board.cmake
index dc4ffaf..c0acb1d 100644
--- a/boards/arm/nrf5340dk_nrf5340/board.cmake
+++ b/boards/arm/nrf5340dk_nrf5340/board.cmake
@@ -1,5 +1,12 @@ # SPDX-License-Identifier: Apache-2.0 +# Set the corresponding TF-M target platform when building for the Non-Secure +# version of the board (Application MCU). +if(CONFIG_BOARD_NRF5340PDK_NRF5340_CPUAPPNS) + set(TFM_TARGET_PLATFORM "nordic_nrf/nrf5340pdk_nrf5340_cpuapp") + set(TFM_PUBLIC_KEY_FORMAT "full") +endif() + if((CONFIG_BOARD_NRF5340PDK_NRF5340_CPUAPP OR CONFIG_BOARD_NRF5340PDK_NRF5340_CPUAPPNS) OR (CONFIG_BOARD_NRF5340DK_NRF5340_CPUAPP OR CONFIG_BOARD_NRF5340DK_NRF5340_CPUAPPNS)) board_runner_args(nrfjprog "--nrf-family=NRF53" "--tool-opt=--coprocessor CP_APPLICATION")
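Review bot: The plain `set(TFM_PUBLIC_KEY_FORMAT "full")` in the new `CONFIG_BOARD_NRF5340PDK_NRF5340_CPUAPPNS` block overrides any value the user supplied, because a normal variable shadows a cache entry of the same name. Assuming board.cmake is processed before the board's CMakeLists.txt, it also makes the `if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)` default added there in this same commit dead for this board. If choosing the `hash` manifest format should stay possible, guard it the same way: `if(NOT DEFINED TFM_PUBLIC_KEY_FORMAT)`, `set(TFM_PUBLIC_KEY_FORMAT "full")`, `endif()`. The `if((CONFIG_BOARD_...` block after the added lines continues outside the hunk.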
diff --git a/samples/tfm_integration/psa_level_1/boards/nrf5340pdk_nrf5340_cpuappns.overlay b/samples/tfm_integration/psa_level_1/boards/nrf5340pdk_nrf5340_cpuappns.overlay
new file mode 100644
index 0000000..9211016
--- /dev/null
+++ b/samples/tfm_integration/psa_level_1/boards/nrf5340pdk_nrf5340_cpuappns.overlay
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2020 Nordic Semiconductor ASA.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/* Modify the SRAM partitioning to accommodate the requirements
+ * for the Secure (TF-M) firmware for the configuration that is
+ * used in this sample.
+ */
+
+/* Increase the size of the Secure Firmware (TF-M).
+ * This modification is not required at the moment,
+ * since TF-M region definitions are configured
+ * statically in the TF-M project.
+ */
+&sram0_s {
+ reg = <0x20000000 DT_SIZE_K(256)>;
+};
+
+/* Decrease the size of the Non-Secure Firmware (Zephyr),
+ * and move its starting address to the offset expected by
+ * TF-M.
+ */
+/delete-node/ &sram0_ns;
+/ {
+ reserved-memory {
+ sram0_ns: image_ns@20040000 {
+ reg = <0x20040000 DT_SIZE_K(192)>;
+ };
+ };
+};
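Review bot: The Secure/Non-Secure SRAM split (`0x20040000`, 256K secure and 192K non-secure) is hard-coded in this overlay while, per the comment above `&sram0_s`, TF-M configures its own regions statically, so nothing visible here keeps the two definitions in step. A mismatch would presumably show up only at run time, as the non-secure image touching memory that TF-M has marked secure. I would extend the comment on `sram0_ns` with something like `/* Must match the non-secure data region defined by the TF-M platform; update both together. */`. The same overlay is added verbatim under samples/tfm_integration/tfm_ipc/boards/, so the comment applies there as well.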
diff --git a/samples/tfm_integration/psa_level_1/sample.yaml b/samples/tfm_integration/psa_level_1/sample.yaml
index 58b48d7..4c0ca82 100644
--- a/samples/tfm_integration/psa_level_1/sample.yaml
+++ b/samples/tfm_integration/psa_level_1/sample.yaml
@@ -5,7 +5,7 @@
 tests:
 sample.tfm_ipc:
 tags: introduction
- platform_allow: mps2_an521_nonsecure lpcxpresso55s69_ns
+ platform_allow: mps2_an521_nonsecure lpcxpresso55s69_ns nrf5340pdk_nrf5340_cpuappns
 harness: console
 harness_config:
 type: multi_line
diff --git a/samples/tfm_integration/tfm_ipc/boards/nrf5340pdk_nrf5340_cpuappns.overlay b/samples/tfm_integration/tfm_ipc/boards/nrf5340pdk_nrf5340_cpuappns.overlay
new file mode 100644
index 0000000..9211016
--- /dev/null
+++ b/samples/tfm_integration/tfm_ipc/boards/nrf5340pdk_nrf5340_cpuappns.overlay
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2020 Nordic Semiconductor ASA.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/* Modify the SRAM partitioning to accommodate the requirements
+ * for the Secure (TF-M) firmware for the configuration that is
+ * used in this sample.
+ */
+
+/* Increase the size of the Secure Firmware (TF-M).
+ * This modification is not required at the moment,
+ * since TF-M region definitions are configured
+ * statically in the TF-M project.
+ */
+&sram0_s {
+ reg = <0x20000000 DT_SIZE_K(256)>;
+};
+
+/* Decrease the size of the Non-Secure Firmware (Zephyr),
+ * and move its starting address to the offset expected by
+ * TF-M.
+ */
+/delete-node/ &sram0_ns;
+/ {
+ reserved-memory {
+ sram0_ns: image_ns@20040000 {
+ reg = <0x20040000 DT_SIZE_K(192)>;
+ };
+ };
+};
diff --git a/samples/tfm_integration/tfm_ipc/sample.yaml b/samples/tfm_integration/tfm_ipc/sample.yaml
index 584dff2f..de6bd5b 100644
--- a/samples/tfm_integration/tfm_ipc/sample.yaml
+++ b/samples/tfm_integration/tfm_ipc/sample.yaml
@@ -5,7 +5,7 @@
 tests:
 sample.tfm_ipc:
 tags: introduction
- platform_allow: mps2_an521_nonsecure lpcxpresso55s69_ns
+ platform_allow: mps2_an521_nonsecure lpcxpresso55s69_ns nrf5340pdk_nrf5340_cpuappns
 harness: console
 harness_config:
 type: multi_line