Our project needs to use TEE on nRF5340 which seems to be implemented by TF-M for now and future. After investigating the implementation, I didn't find a service sample that uses a peripheral from the secure world. Specifically, our project needs to get a SPI-wired biometric sensor managed by TEE environment. So far, I can't find either the nRF53's SPIM driver in TF-M's nRF53 platform or a custom service using the physical driver. Do you have an example similar to that or some suggestions how to achieve that?
Jun Li @ Intel Corporation
You can refer to the implementation of the custom service to read memory to see how custom services are added to TF-M. You can add more services here using the same approach to add more services to the existing partition.
Regarding SPIM you can use that from TF-M if it is configured for secure domain. If you for instance use the nrfx SPIM driver it makes sense to add the source files and include folder to the CMakeList.txt for linked to above.
Thanks agin for the help! The implication seems a nice example for me to get started.
A further question: how is the status of integrating CryptoCell with TF-M? Is it fully functional for supporting the mbedTLS on the non-secure world, such as working as a backend for mbedTLS?
CryptoCell is integrated with TF-M, via the nrf_security module. Here mbed TLS is used as a frontend, and CryptoCell is used for operations that are supported by it. TF-M again sits on top of this.
You can see this with some SDK examples. If you run Cryptography samples on a device with CryptoCell, that will be used. And if you also build for non-secure on the nRF9160 or nRF5340, TF-M will be used.
(Note TF-M support in general is experimental in nRF Connect SDK 1.6.x.)
Thanks for the suggestions!
One more question: our application RoT will use the SPI master which doesn't have an implementation in the HAL layer. To enable the application RoT to use the SPI driver, should a PSA RoT partition for the SPI driver be added as well, like ioctl partition which is implemented already?
You do not need a separate partition. The ioctl partition is rather generic so I suggest you try to re-use the existing partition.
I read the ioctl's implementation and thought it is just for reading memory block from somewhere. How can I use it to control a SPI device? I guess our application RoT could directly access the spi master driver from nordic SDK?