• State Suggested Answer
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 86 subscribers
  • Views 410 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 355371
Options

TF-M without UART

Tomasz K

Hi,
I'm working on nRF9151 on custom board, NCS 3.1.0 and I'm building application with TF-M enabled.
I've encountered quite a strange problem. If I remove all UART instances (mainly UART0) mcu becomes secured after jumping to application. I can neither connect with RTT nor flash it without calling nrfjprog recovery. If I flash it, and connect with RTT immediately, while program is still in mcuboot/tf-m I can connect. But if I disconnect I cannot connect anymore, device is secured.

For now I found that I need UART0 defined and enabled (okay) in device tree and CONFIG_SERIAL=y set in prj.conf. If any is missing, cpu secures itself after starting app.

My board do not have any uart interface and unfortunately I need all 4 SPI/I2C/UART instances so I have to disable UART0 at some point.
I have CONFIG_TFM_LOG_LEVEL_SILENCE=y set in prj.conf which should disable any tf-m logging, but problem is still there.

Not sure if that changes anything but I have also CONFIG_TFM_PROFILE_TYPE_NOT_SET=y and CONFIG_TFM_PROFILE_TYPE_MINIMAL=n as I need various operations provided by tf-m.

Am I missing some configuration?

Thanks for help
Tomasz

Parents
  • 0

    Hi Tomasz,

    Can you please try with CONFIG_TFM_SECURE_UART=n ? It should already be at "n" as you enabled CONFIG_TFM_LOG_LEVEL_SILENCE, but we never know.

    If it doesn't work, what NCS SDK version are you using ?

    Can you maybe share some files from your project (devicetree/kconfig/...) ?

    Best regards,

    Simon D-M

  • 0 in reply to Simon D-M

    Hi,
    At some point I've already tried with CONFIG_TFM_SECURE_UART without any effect.
    I'm using NCS 3.1.0 
    I can provide tommorow some cleaned up files from devicetre and prj.conf

    Device tree have SPI0, I2C1, SPI2 and SPI3 configured with corresponding pins. Uart is nowhere mentioned, standard includes (as in most examples) are used.

    Part of prj.conf:

    CONFIG_SERIAL=n
CONFIG_LOG=y
CONFIG_CONSOLE=y
CONFIG_RTT_CONSOLE=y
CONFIG_LOG_BACKEND_RTT=y
CONFIG_USE_SEGGER_RTT=y
CONFIG_EXTENDED_LOGS=y

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

CONFIG_PSA_CRYPTO_DRIVER_OBERON=y # Fallback to Oberon if CC3XX fails
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
CONFIG_PSA_WANT_ALG_SHA_256=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_NORDIC_SECURITY_BACKEND=y


    Rest are config options for network, modem, spi, i2c...

    defconfig file:
    # Copyright (c) 2024 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0

# Enable MPU
CONFIG_ARM_MPU=y

# Enable TrustZone-M
CONFIG_ARM_TRUSTZONE_M=y

# Enable GPIO and PINCTRL
CONFIG_GPIO=y
CONFIG_PINCTRL=y
CONFIG_PINCTRL_DYNAMIC=y

# External Flash
CONFIG_SPI=y
CONFIG_SPI_NOR=y
CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
CONFIG_FLASH_JESD216_API=y


    ns_defconfig file:
    # Copyright (c) 2024 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0

# Enable MPU
CONFIG_ARM_MPU=y

# Enable TrustZone-M
CONFIG_ARM_TRUSTZONE_M=y

# Generate TF-M image 
CONFIG_BUILD_WITH_TFM=y
CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
CONFIG_TFM_LOG_LEVEL_SILENCE=y
CONFIG_TFM_PROFILE_TYPE_MINIMAL=n
CONFIG_TFM_CMAKE_BUILD_TYPE_MINSIZEREL=y

# This Board implies building Non-Secure firmware
CONFIG_TRUSTED_EXECUTION_NONSECURE=y

# Enable GPIO and PINCTRL
CONFIG_GPIO=y
CONFIG_PINCTRL=y
CONFIG_PINCTRL_DYNAMIC=y

# External Flash
CONFIG_SPI=y
CONFIG_SPI_NOR=y
CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
CONFIG_FLASH_JESD216_API=y


    Hope that helps at least something. If not, we can always convert ticket to privet and then I can share whole files.

    Best regards
    Tomasz

Reply
  • 0 in reply to Simon D-M

    Hi,
    At some point I've already tried with CONFIG_TFM_SECURE_UART without any effect.
    I'm using NCS 3.1.0 
    I can provide tommorow some cleaned up files from devicetre and prj.conf

    Device tree have SPI0, I2C1, SPI2 and SPI3 configured with corresponding pins. Uart is nowhere mentioned, standard includes (as in most examples) are used.

    Part of prj.conf:

    CONFIG_SERIAL=n
CONFIG_LOG=y
CONFIG_CONSOLE=y
CONFIG_RTT_CONSOLE=y
CONFIG_LOG_BACKEND_RTT=y
CONFIG_USE_SEGGER_RTT=y
CONFIG_EXTENDED_LOGS=y

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

CONFIG_PSA_CRYPTO_DRIVER_OBERON=y # Fallback to Oberon if CC3XX fails
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
CONFIG_PSA_WANT_ALG_SHA_256=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_NORDIC_SECURITY_BACKEND=y


    Rest are config options for network, modem, spi, i2c...

    defconfig file:
    # Copyright (c) 2024 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0

# Enable MPU
CONFIG_ARM_MPU=y

# Enable TrustZone-M
CONFIG_ARM_TRUSTZONE_M=y

# Enable GPIO and PINCTRL
CONFIG_GPIO=y
CONFIG_PINCTRL=y
CONFIG_PINCTRL_DYNAMIC=y

# External Flash
CONFIG_SPI=y
CONFIG_SPI_NOR=y
CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
CONFIG_FLASH_JESD216_API=y


    ns_defconfig file:
    # Copyright (c) 2024 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0

# Enable MPU
CONFIG_ARM_MPU=y

# Enable TrustZone-M
CONFIG_ARM_TRUSTZONE_M=y

# Generate TF-M image 
CONFIG_BUILD_WITH_TFM=y
CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
CONFIG_TFM_LOG_LEVEL_SILENCE=y
CONFIG_TFM_PROFILE_TYPE_MINIMAL=n
CONFIG_TFM_CMAKE_BUILD_TYPE_MINSIZEREL=y

# This Board implies building Non-Secure firmware
CONFIG_TRUSTED_EXECUTION_NONSECURE=y

# Enable GPIO and PINCTRL
CONFIG_GPIO=y
CONFIG_PINCTRL=y
CONFIG_PINCTRL_DYNAMIC=y

# External Flash
CONFIG_SPI=y
CONFIG_SPI_NOR=y
CONFIG_SPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096
CONFIG_FLASH_JESD216_API=y


    Hope that helps at least something. If not, we can always convert ticket to privet and then I can share whole files.

    Best regards
    Tomasz

Children
Related
Terms of service