Adding IPC to TF-M secure peripheral project

I would like to take Nordic's "TF-M secure peripheral partition" sample project, and modify it to take data received from the secure peripheral and send it wirelessly to another device. But I am running into some build errors and am unsure of how to fix it.

I'm working on a Windows 10 machine, with nRF5340DK's, and using NCS v2.5.0. I am using VS Code w/ the nRF Connect extensions for my development environment.

The "TF-M secure peripheral partition" sample project I mentioned comes from the NCS (at nrf/samples/tfm/tfm_secure_peripheral). I modified the sample slightly to get the SPI peripheral to interact with my sensor, and am able to read data from it.

Currently I am working on code to send data from the application core to the network core (before adding the wireless portion). I have previously worked with IPC for this (based off the sample project at NCS, path nrf/samples/ipc/ipc_service), so I am trying to integrate that code into this TF-M project. I tried adding the source code into the secure partition (as I assume it needs access to the data from the secure peripheral) and the build fails with the error looking like the following:

(Note that I trimmed down or modified the output slightly for brevity and privacy)

[77/224] Building C object secure_fw/partitions/partitions/secure_peripheral_partition_1/CMakeFiles/tfm_app_rot_partition_spp.dir/C_/ncs/v2.5.0/modules/tee/tf-m/trusted-firmware-m/platform/ext/common/syscalls_stub.o
[78/224] Building C object secure_fw/partitions/partitions/secure_peripheral_partition_1/CMakeFiles/tfm_app_rot_partition_spp.dir/secure_peripheral_partition.o
FAILED: (...command removed for brevity...)
In file included from C:/ncs/v2.5.0/zephyr/include/zephyr/sys/mem_manage.h:104,
                 from C:/ncs/v2.5.0/zephyr/include/zephyr/sys/device_mmio.h:47,
                 from C:/ncs/v2.5.0/zephyr/include/zephyr/device.h:15,
                 from C:/path_to_secure_peripheral_project/secure_peripheral_partition/secure_peripheral_partition.c:27:
C:/ncs/v2.5.0/zephyr/include/zephyr/sys/mem_manage.h: In function 'z_mem_phys_addr':
C:/ncs/v2.5.0/nrf/modules/tfm/tfm/boards/include/zephyr/sys/__assert.h:52:32: warning: implicit declaration of function 'tfm_core_panic' [-Wimplicit-function-declaration]
   52 | #define __ASSERT_POST_ACTION() tfm_core_panic()
      |                                ^~~~~~~~~~~~~~
C:/ncs/v2.5.0/nrf/modules/tfm/tfm/boards/include/zephyr/sys/__assert.h:93:25: note: in expansion of macro '__ASSERT_POST_ACTION'
   93 |                         __ASSERT_POST_ACTION();                                \
      |                         ^~~~~~~~~~~~~~~~~~~~
C:/ncs/v2.5.0/zephyr/include/zephyr/sys/mem_manage.h:158:9: note: in expansion of macro '__ASSERT'
  158 |         __ASSERT((addr >= CONFIG_SRAM_BASE_ADDRESS) &&
      |         ^~~~~~~~
In file included from C:/path_to_secure_peripheral_project/secure_peripheral_partition/secure_peripheral_partition.c:28:
C:/ncs/v2.5.0/zephyr/include/zephyr/ipc/ipc_service.h: At top level:
C:/ncs/v2.5.0/zephyr/include/zephyr/ipc/ipc_service.h:368:81: error: unknown type name 'k_timeout_t'
  368 | int ipc_service_get_tx_buffer(struct ipc_ept *ept, void **data, uint32_t *size, k_timeout_t wait);
      |                                                                                 ^~~~~~~~~~~
ninja: build stopped: subcommand failed.
FATAL ERROR: command exited with status 1: 'C:\ncs\toolchains\c57af46cb7\opt\bin\cmake.EXE' --build 'c:\path_to_secure_peripheral_project\build'

To try and debug the issue, I've tried adding parts one by one to test. It seems that this error appears once I include the ipc_service.h header, like the following:

/* FILE: secure_peripheral/secure_peripheral_partition.c */

#include <psa/crypto.h>
#include <stdint.h>
/* ... (rest of includes; not shown here for brevity ... */
#include <zephyr/kernel.h>
#include <zephyr/device.h>
#include <zephyr/ipc/ipc_service.h>    // error when add this

/* ... (rest of file) ... */

I tried briefly looking into the CMakeLists.txt files, using the PSA API instead of this IPC code, etc. So far I haven't been able to find where my exact problem is occurring. If I could get some pointers with what to look more closely at, I'd appreciate the help. Thank you in advance!

  • Hello,

    I am not sure if I understand exactly went wrong with what you are trying to do, but either way, I think you're approaching this the wrong way.

    The communication between the devices shouldn't be considered secure. You should therefore allow the communication to reach the non-secure app first, then forward this to TFM. I guess doing it this way also has the added benefit of being a little less complex than what you were trying to do.

    Regards,

    Elfving

  • I'm a bit confused with your suggestion. Where would the part about sending the data from the application core to the network core be? Did you mean that I take the data from the secure app, send it to the non-secure app, and then send it to the network core?

    To clarify some more, my original plan for secure communication between the 2 nRF5340DK's is to perform encryption (using TF-M's libraries and such) on one device, use ESB to wirelessly send it to the other device, and perform decryption on the other device. But again, the issue I have at the moment is regarding communication between the cores of a single nRF5340 (which I imagine must be figured out before I consider communication between the network cores of 2 nRF5340's).

  • (OP replying) Instead of adding IPC code to the secure partition, I tried adding it to the non-secure partition (I will look into transferring data between secure/non-secure later). It builds and can flash on my board; for quick testing, I flashed the entire IPC sample project (application and network core) and then flashed my main project (which should overwrite only application core).

    But it's not able to complete the setup of my endpoint. It keeps hanging at my k_sem_take() function call; if I change the timeout to K_NO_WAIT, I get -EBUSY (device is busy). Any thoughts on debugging this?

  • afok-esmart said:
    Did you mean that I take the data from the secure app, send it to the non-secure app, and then send it to the network core?

    Yes. You could go at it like this:

    • Send something from a peripheral to the appcore (or alternatively use a secure peripheral)
    • Send this from the app to TFM using a secure service
    • Encrypt data in TFM
    • Send encrypted data to app
    • Send encrypted data from app over BLE/ESB.

    , and the opposite one the other end.

    afok-esmart said:
    But again, the issue I have at the moment is regarding communication between the cores of a single nRF5340 (which I imagine must be figured out before I consider communication between the network cores of 2 nRF5340's).

    I am still not sure why you need this functionality, besides what is allready happening in the BLE stack.

    Regards,

    Elfving

  • Ok, thank you for the clarification.

    Per my project requirements, I need ESB and not BLE (for the faster throughput). From my understanding, ESB functions cannot be called within the application core, and there needs to be some code for sending it over between cores. But I will double check this on my end to be sure.

    -------

    EDIT #1 - On my end, I cannot build ESB for app core. When I took the ESB PTX sample project (nrf/samples/esb/esb_ptx), and tried building for app core, I got this error:

    -- Generated devicetree_generated.h: c:/<path_to_esb_ptx_proj>/build_nrf53/zephyr/include/generated/devicetree_generated.h
    -- Including generated dts.cmake file: c:/<path_to_esb_ptx_proj>/build_nrf53/zephyr/dts.cmake
    
    warning: MPSL (defined at C:/ncs/v2.5.0/nrfxlib\mpsl/Kconfig:7) has direct dependencies SOC_SERIES_BSIM_NRFXX || SOC_SERIES_NRF52X || SOC_NRF5340_CPUNET with value n, but is currently being y-selected by the following symbols:
     - ESB (defined at C:/ncs/v2.5.0/nrf\subsys\esb/Kconfig:7), with value y, direct dependencies y (value: y)
    
    error: Aborting due to Kconfig warnings
    
    Parsing c:/<path_to_esb_ptx_proj>/Kconfig
    Loaded configuration 'C:/ncs/v2.5.0/zephyr/boards/arm/nrf5340dk_nrf5340/nrf5340dk_nrf5340_cpuapp_defconfig'
    Merged configuration 'c:/<path_to_esb_ptx_proj>/prj.conf'
    CMake Error at C:/ncs/v2.5.0/zephyr/cmake/modules/kconfig.cmake:348 (message):
      command failed with return code: 1
    Call Stack (most recent call first):
      C:/ncs/v2.5.0/nrf/cmake/modules/kconfig.cmake:29 (include)
      C:/ncs/v2.5.0/zephyr/cmake/modules/zephyr_default.cmake:129 (include)
      C:/ncs/v2.5.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:66 (include)
      C:/ncs/v2.5.0/zephyr/share/zephyr-package/cmake/ZephyrConfig.cmake:92 (include_boilerplate)
      CMakeLists.txt:8 (find_package)
    
    
    -- Configuring incomplete, errors occurred!
    FATAL ERROR: command exited with status 1: 'C:\ncs\toolchains\c57af46cb7\opt\bin\cmake.EXE' -DWEST_PYTHON=C:/ncs/toolchains/c57af46cb7/opt/bin/python.exe '-Bc:\nrf_projs\esb_ptx_v01\build_nrf53' -GNinja -DBOARD=nrf5340dk_nrf5340_cpuapp -DNCS_TOOLCHAIN_VERSION=NONE -DCONF_FILE=c:/<path_to_esb_ptx_proj>/prj.conf '-Sc:\nrf_projs\esb_ptx_v01'

Related