Hi,
We are working on nrf5340 board with NS and TF-M setup and we have SDK v2.7.0
We need to have a flash partition to store some secure data, maybe 4KB in size, inside the TF-M.
Please help us or direct us to any reference.
Hi, anyone, please guide us through the setup.
I see they have an example psa_protected_storage. If I set any partition size to 1KB the example does not work, it just goes into arch_system_halt().
How can I modify the partition size?
Hi,
You seem to have found an example that provides what you are looking for:
Jithin A said: example psa_protected_storage.
What exactly did you add here?
Jithin A said: If I set any partition size to 1KB the example does not work, it just goes into arch_system_halt().
And what is the assert output?
I suspect that the data that you added is stacked memory. If yes, then try to adjust your CONFIG_MAIN_STACK_SIZE.
If you want to store larger than 2k objects, you should adjust the CONFIG_TFM_PS_MAX_ASSET_SIZE. This can max. be 4020 due to overhead, and aligning to a flash page.
Kind regards,
Håkon
Hi,
You need to expand the partition in order to write larger asset sizes, and you also need to set a different TFM profile.
This is the configuration I am using now:
CONFIG_BUILD_WITH_TFM=y
#CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
CONFIG_TFM_PROFILE_TYPE_MEDIUM=y
CONFIG_TFM_PS_MAX_ASSET_SIZE=4000
CONFIG_MAIN_STACK_SIZE=4096
And here is a larger pm_static.yml (store this as pm_static.yml in your project, delete the build folder and regenerate the project):
app:
  address: 0x40000
  end_address: 0xf4000
  region: flash_primary
  size: 0xb4000
otp:
  address: 0xff8100
  end_address: 0xff83fc
  region: otp
  size: 0x2fc
rpmsg_nrf53_sram:
  address: 0x20070000
  end_address: 0x20080000
  placement:
    before:
    - end
  region: sram_primary
  size: 0x10000
sram_nonsecure:
  address: 0x20030000
  end_address: 0x20080000
  orig_span: &id001
  - sram_primary
  - rpmsg_nrf53_sram
  region: sram_primary
  size: 0x50000
  span: *id001
sram_primary:
  address: 0x20030000
  end_address: 0x20070000
  region: sram_primary
  size: 0x40000
sram_secure:
  address: 0x20000000
  end_address: 0x20030000
  orig_span: &id002
  - tfm_sram
  region: sram_primary
  size: 0x30000
  span: *id002
tfm:
  address: 0x0
  end_address: 0x40000
  placement:
    before:
    - app
  region: flash_primary
  size: 0x40000
tfm_its:
  address: 0xf4000
  end_address: 0xf6000
  inside:
  - tfm_storage
  placement:
    align:
      start: 0x4000
    before:
    - tfm_otp_nv_counters
  region: flash_primary
  size: 0x2000
tfm_nonsecure:
  address: 0x40000
  end_address: 0xf4000
  orig_span: &id003
  - app
  region: flash_primary
  size: 0xb4000
  span: *id003
tfm_otp_nv_counters:
  address: 0xf6000
  end_address: 0xf8000
  inside:
  - tfm_storage
  placement:
    align:
      start: 0x4000
    before:
    - tfm_ps
  region: flash_primary
  size: 0x2000
tfm_ps:
  address: 0xf8000
  end_address: 0x100000
  inside:
  - tfm_storage
  placement:
    align:
      start: 0x4000
    before:
    - end
  region: flash_primary
  size: 0x8000
tfm_secure:
  address: 0x0
  end_address: 0x40000
  orig_span: &id004
  - tfm
  region: flash_primary
  size: 0x40000
  span: *id004
tfm_sram:
  address: 0x20000000
  end_address: 0x20030000
  inside:
  - sram_secure
  placement:
    after:
    - start
  region: sram_primary
  size: 0x30000
tfm_storage:
  address: 0xf4000
  end_address: 0x100000
  orig_span: &id005
  - tfm_ps
  - tfm_its
  - tfm_otp_nv_counters
  region: flash_primary
  size: 0xc000
  span: *id005
Kind regards,
Håkon
Hi Håkon,
Thank you for the response.
The above suggestion did not work for me, I am seeing the same -132 error when I run the code.
I removed build directory and rebuilt the project, yet the same result.
I can confirm the partitions.yml in build/zephyr/partition.yml was updated with your setup.
Hi,
Sorry about this, I forgot to erase the partitions when testing, so it had the layout of a former flashed firmware.
This was my working configuration. I see that there is a problem with the PS partition size, which is for some reason set to 0x4000, while the partition size is actually 0x8000, so I set it explicitly:
CONFIG_BUILD_WITH_TFM=y
# CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
# CONFIG_TFM_PROFILE_TYPE_MEDIUM=y
CONFIG_TFM_PROFILE_TYPE_SMALL=y
CONFIG_TFM_PS_MAX_ASSET_SIZE=3800
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_PM_PARTITION_SIZE_TFM_PROTECTED_STORAGE=0x8000
Kind regards,
Håkon
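The size mismatch described in the post above can be caught before flashing. The following is an added example, not code from this thread or from the nRF Connect SDK: it checks a constructed excerpt of the posted pm_static.yml for internal consistency and compares the tfm_ps size with the value given for CONFIG_PM_PARTITION_SIZE_TFM_PROTECTED_STORAGE. The names `parse` and `check_layout` are hypothetical.

```python
import re
# Constructed excerpt of the pm_static.yml posted above: storage partitions only,
# with the span written as a flow list to keep the sample short.
PM_STATIC = """\
tfm_its:
  address: 0xf4000
  end_address: 0xf6000
  size: 0x2000
tfm_otp_nv_counters:
  address: 0xf6000
  end_address: 0xf8000
  size: 0x2000
tfm_ps:
  address: 0xf8000
  end_address: 0x100000
  size: 0x8000
tfm_storage:
  address: 0xf4000
  end_address: 0x100000
  size: 0xc000
  span: [tfm_its, tfm_otp_nv_counters, tfm_ps]
"""

def parse(text):  # minimal reader for these flat fields, not a general YAML parser
    parts, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"(\w+):\s*$", line):
            cur = parts.setdefault(m.group(1), {})
        elif m := re.match(r"  (\w+): (0x[0-9a-fA-F]+)$", line):
            cur[m.group(1)] = int(m.group(2), 16)
        elif m := re.match(r"  span: \[(.*)\]$", line):
            cur["span"] = [s.strip() for s in m.group(1).split(",")]
    return parts

def check_layout(text, kconfig_ps_size):  # returns findings; [] means consistent
    p, out = parse(text), []
    for name, f in p.items():
        if f["address"] + f["size"] != f["end_address"]:
            out.append(f"{name}: address + size != end_address")
        pos = f["address"]
        for kid in sorted((p[k] for k in f.get("span", [])), key=lambda k: k["address"]):
            if kid["address"] != pos:
                out.append(f"{name}: gap or overlap at {pos:#x}")
            pos = kid["end_address"]
        if "span" in f and pos != f["end_address"]:
            out.append(f"{name}: members do not fill the span")
    if p["tfm_ps"]["size"] != kconfig_ps_size:
        out.append(f"tfm_ps: size {p['tfm_ps']['size']:#x} != Kconfig {kconfig_ps_size:#x}")
    return out
```

Calling `check_layout(PM_STATIC, 0x4000)` reports the 0x4000 versus 0x8000 mismatch, while passing 0x8000 returns an empty list.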
Hi Håkon
Thank you that worked for me.
One last question, I found this TF-M profile table and I see TFM PROTECTED STORAGE is set to OFF in the SMALL profile. If so, how is it working on our setup?

If I set it to any other profile except SMALL, I get a -132 error. Why is that so?
Hi,
My deepest apologies for sharing incorrect information.
Note that we recommend to either use minimal or full TFM profile, as shown here:
https://docs.nordicsemi.com/bundle/ncs-2.7.0/page/nrf/security/tfm.html#minimal_build
If you have CONFIG_TFM_PROFILE_TYPE_NOT_SET that implies a "full" implementation, and you need to adjust this configuration:
# Adjust even higher if storing larger files
CONFIG_TFM_CRYPTO_IOVEC_BUFFER_SIZE=6400
Jithin A said: I found this TF-M profile table and I see TFM PROTECTED STORAGE is set to OFF in the SMALL profile.
I think there's an issue with how kconfig shows the tfm subsys vs. what is actually set in the cmake files to the TFM build. I see that the configuration is greyed out, but it does indeed pass this to the tfm image:
build/$IMAGE_NAME/tfm/CMakeCache.txt:TFM_PARTITION_PROTECTED_STORAGE:BOOL=ON
Sorry for all the back-and-forth in this matter.
Kind regards,
Håkon
Hi,
Thank you for letting me know, will test above and let you know.