TF-M without UART

Hi,
I'm working with an nRF9151 on a custom board, NCS 3.1.0, and I'm building an application with TF-M enabled.
I've encountered quite a strange problem. If I remove all UART instances (mainly UART0), the MCU becomes secured after jumping to the application. I can neither connect with RTT nor flash it without calling nrfjprog recovery. If I flash it and connect with RTT immediately, while the program is still in mcuboot/TF-M, I can connect. But if I disconnect, I cannot connect anymore; the device is secured.

For now I found that I need UART0 defined and enabled (okay) in the device tree and CONFIG_SERIAL=y set in prj.conf. If either is missing, the CPU secures itself after starting the app.

My board does not have any UART interface and unfortunately I need all 4 SPI/I2C/UART instances, so I have to disable UART0 at some point.
I have CONFIG_TFM_LOG_LEVEL_SILENCE=y set in prj.conf, which should disable any TF-M logging, but the problem is still there.

Not sure if that changes anything but I have also CONFIG_TFM_PROFILE_TYPE_NOT_SET=y and CONFIG_TFM_PROFILE_TYPE_MINIMAL=n as I need various operations provided by tf-m.

Am I missing some configuration?

Thanks for help
Tomasz

  • Hi,
    At some point I've already tried with CONFIG_TFM_SECURE_UART without any effect.
    I'm using NCS 3.1.0.
    I can provide some cleaned-up files from the devicetree and prj.conf tomorrow.

    The device tree has SPI0, I2C1, SPI2 and SPI3 configured with corresponding pins. UART is nowhere mentioned; standard includes (as in most examples) are used.

    Part of prj.conf:

    CONFIG_SERIAL=n
    CONFIG_LOG=y
    CONFIG_CONSOLE=y
    CONFIG_RTT_CONSOLE=y
    CONFIG_LOG_BACKEND_RTT=y
    CONFIG_USE_SEGGER_RTT=y
    CONFIG_EXTENDED_LOGS=y
    
    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y
    
    # Fallback to Oberon if CC3XX fails
    CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
    CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
    CONFIG_PSA_WANT_ALG_SHA_256=y
    CONFIG_NRF_SECURITY_ADVANCED=y
    CONFIG_NORDIC_SECURITY_BACKEND=y


    Rest are config options for network, modem, spi, i2c...

    defconfig file:
    # Copyright (c) 2024 Nordic Semiconductor ASA
    # SPDX-License-Identifier: Apache-2.0
    
    # Enable MPU
    CONFIG_ARM_MPU=y
    
    # Enable TrustZone-M
    CONFIG_ARM_TRUSTZONE_M=y
    
    # Enable GPIO and PINCTRL
    CONFIG_GPIO=y
    CONFIG_PINCTRL=y
    CONFIG_PINCTRL_DYNAMIC=y
    
    # External Flash
    CONFIG_SPI=y
    CONFIG_SPI_NOR=y
    CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
    CONFIG_FLASH_JESD216_API=y
    


    ns_defconfig file:
    # Copyright (c) 2024 Nordic Semiconductor ASA
    # SPDX-License-Identifier: Apache-2.0
    
    # Enable MPU
    CONFIG_ARM_MPU=y
    
    # Enable TrustZone-M
    CONFIG_ARM_TRUSTZONE_M=y
    
    # Generate TF-M image 
    CONFIG_BUILD_WITH_TFM=y
    CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
    CONFIG_TFM_LOG_LEVEL_SILENCE=y
    CONFIG_TFM_PROFILE_TYPE_MINIMAL=n
    CONFIG_TFM_CMAKE_BUILD_TYPE_MINSIZEREL=y
    
    # This Board implies building Non-Secure firmware
    CONFIG_TRUSTED_EXECUTION_NONSECURE=y
    
    # Enable GPIO and PINCTRL
    CONFIG_GPIO=y
    CONFIG_PINCTRL=y
    CONFIG_PINCTRL_DYNAMIC=y
    
    # External Flash
    CONFIG_SPI=y
    CONFIG_SPI_NOR=y
    CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
    CONFIG_FLASH_JESD216_API=y


    Hope that helps at least somewhat. If not, we can always convert the ticket to private and then I can share the whole files.

    Best regards
    Tomasz

  • hmmm,
    Maybe I'm incorrectly assuming that it's TF-M's fault.
    Looks like something is doing: "there is no standard debug UART, therefore this must be a release build, I will enable readback protection".
    I also have mcuboot there; maybe it or the app itself is behaving that way?
    Is there such an option, maybe?

  • Hi,

    Before searching more in depth, I found this erratum [Debug and Trace: Access port gets locked in WFI and WFE] which sounds a bit like your issue. It basically is that the access port gets locked after the device went to idle.

    Can you please try the suggested workaround and tell me if it helped?

    Best regards,

    Simon D-M

  • I don't want to jinx it, but it seems like it's working.

    I had to call it as early as possible, doing this in main.c:

    #include <zephyr/init.h>  /* SYS_INIT */
    #include <nrf.h>          /* NRF_POWER register definitions */

    int const_lat(void)
    {
        NRF_POWER->TASKS_CONSTLAT = 1; // Enable constant latency mode
        return 0;
    }
    
    SYS_INIT(const_lat, EARLY, 0);

    For debug purposes I think it should be enough.

    Thank you for your help. I hadn't thought of checking the errata, as it looked like some configuration issue. I guess the UART was keeping the clock active.

    Thanks again
    Tomasz
