• State Verified Answer
  • Replies 14 replies
  • Subscribers 74 subscribers
  • Views 769 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 331159
Options

Flash Partition Management with Trusted Firmware-M

vytautas

Backround: We are planning to use TF-M with a two-stage bootloader (NSIB & MCUBoot) using dual-slots for secure and non-secure images. We need to support configurable fixed flash partitions (i.e. for event or configuration storage) and would like to retain the option to use an external flash in the future.

I have read through the nRF Connect SDK documentation, however it is not clear to me how the Partition Managed is used to configure fixed flash partitions for targets using TF-M. Could you please provide an example partition configuration on the nRF9160 (using internal flash) with: dual-slots for secure / non-secure images, secure storage (i.e. certificates), event storage (for telemetry) and configuration?

Parents
  • 0

    Hi,

    I will continue to help with this ticket.

    With TF-M, flash is parted into two parts: Secure flash (For TF-M) and Non-Secure flash (for app). 

    EDIT: Might not be as simple. SPU is 32kB parts of the flash, so as you can see from the below report, TF-M also has stuff after the app, meaning that there are multiple parts here, not just 2 halves. Each part has to be either NSPE or SPE though.


    See An Introduction to Trusted Firmware-M (TF-M) if to learn background on this.

    So if you intend to use a custom flash partition in your app, just put it in the NSPE flash.

    The partition manager is dynamic, so it can partition stuff for you.
    The PSA Template sample is my goto "TF-M with all features" sample, so I will use that to show you:

    Here is what I do:

    1. Build the sample
    2. Check build/partitions.yml, just to have a look
    3. Create pm_static.yml: 
      1. custom_partition:
  address: 0xfc000
  end_address: 0x100000
  region: flash_primary
  size: 0x4000
    4. Delete build folder -> build sample again
    5. "west build -t partition_manager_report"

    6. Check build/partitions.yml again.

    7. For release, copy build/parititons.yml -> pm_static.yml to freeze finished partitioning (required for DFU).

    Does this make sense?

Reply
  • 0

    Hi,

    I will continue to help with this ticket.

    With TF-M, flash is parted into two parts: Secure flash (For TF-M) and Non-Secure flash (for app). 

    EDIT: Might not be as simple. SPU is 32kB parts of the flash, so as you can see from the below report, TF-M also has stuff after the app, meaning that there are multiple parts here, not just 2 halves. Each part has to be either NSPE or SPE though.


    See An Introduction to Trusted Firmware-M (TF-M) if to learn background on this.

    So if you intend to use a custom flash partition in your app, just put it in the NSPE flash.

    The partition manager is dynamic, so it can partition stuff for you.
    The PSA Template sample is my goto "TF-M with all features" sample, so I will use that to show you:

    Here is what I do:

    1. Build the sample
    2. Check build/partitions.yml, just to have a look
    3. Create pm_static.yml: 
      1. custom_partition:
  address: 0xfc000
  end_address: 0x100000
  region: flash_primary
  size: 0x4000
    4. Delete build folder -> build sample again
    5. "west build -t partition_manager_report"

    6. Check build/partitions.yml again.

    7. For release, copy build/parititons.yml -> pm_static.yml to freeze finished partitioning (required for DFU).

    Does this make sense?

Children
No Data
Related
Terms of service