How to implement a custom service using a SPI interface on TF-M

Hi Sir/Madam, 

Our project needs to use TEE on nRF5340 which seems to be implemented by TF-M for now and future. After investigating the implementation, I didn't find a service sample that uses a peripheral from the secure world. Specifically, our project needs to get a SPI-wired biometric sensor managed by the TEE environment. So far, I can't find either the nRF53's SPIM driver in TF-M's nRF53 platform or a custom service using the physical driver. Do you have an example similar to that or some suggestions on how to achieve that?

Thank you!

Jun Li @ Intel Corporation

  • Hi Einar, 

    Thanks again for the help! The implication seems a nice example for me to get started.

    A further question: what is the status of integrating CryptoCell with TF-M? Is it fully functional for supporting the mbedTLS on the non-secure world, such as working as a backend for mbedTLS?

    Regards, 

    Jun

  • Hi Jun,

    CryptoCell is integrated with TF-M, via the nrf_security module. Here mbed TLS is used as a frontend, and CryptoCell is used for operations that are supported by it. TF-M again sits on top of this.

    You can see this with some SDK examples. If you run Cryptography samples on a device with CryptoCell, that will be used. And if you also build for non-secure on the nRF9160 or nRF5340, TF-M will be used.

    (Note TF-M support in general is experimental in nRF Connect SDK 1.6.x.)

    Einar

  • Hi Einar, 

    Thanks for the suggestions! 

    One more question: our application RoT will use the SPI master which doesn't have an implementation in the HAL layer. To enable the application RoT to use the SPI driver, should a PSA RoT partition for the SPI driver be added as well, like ioctl partition which is implemented already? 

    Regards, 

    Jun

  • Hi Jun,

    You do not need a separate partition. The ioctl partition is rather generic so I suggest you try to re-use the existing partition.

  • Hi Einar, 

    I read the ioctl's implementation and thought it is just for reading memory block from somewhere. How can I use it to control a SPI device? I guess our application RoT could directly access the SPI master driver from the Nordic SDK?

  • Hi,

    jli157@intel said:
    I read the ioctl's implementation and thought it is just for reading memory block from somewhere.

    Yes, that is how it is provided in the SDK, but you can modify it to your needs, adding more/arbitrary features in the same partition.

    jli157@intel said:
    How can I use it to control a SPI device?

    You can expand it with whatever you need of functionality. If you need to control a SPI device, you can include the nrfx SPI driver implementation file in the build and use that to control the SPI peripheral.

    (There is ongoing work to make it possible to add new partitions out of tree so this can be done in a cleaner way at some point in the future)
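
An added example of the suggestion above, not code from this thread or from the nRF Connect SDK: one extra request in an ioctl-style secure partition that forwards a bounded SPI transfer and rejects malformed requests from the non-secure caller. The handler name, request id, 64-byte limit and the `sensor_spi_xfer` stand-in for the nrfx SPI driver call are assumptions; the `psa_invec`/`psa_outvec` types and error codes are local copies so that it builds on a host.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Host stand-ins modelled on TF-M's psa_invec/psa_outvec and platform error
 * codes; on target these come from the TF-M headers instead. */
typedef struct { const void *base; size_t len; } psa_invec;
typedef struct { void *base; size_t len; } psa_outvec;
enum tfm_platform_err_t { TFM_PLATFORM_ERR_SUCCESS, TFM_PLATFORM_ERR_SYSTEM_ERROR,
                          TFM_PLATFORM_ERR_INVALID_PARAM, TFM_PLATFORM_ERR_NOT_SUPPORTED };

#define IOCTL_REQ_SENSOR_SPI_XFER 0x100u /* hypothetical request id */
#define SENSOR_SPI_MAX_XFER       64u    /* assumed largest sensor frame */

/* Stand-in for the real driver call (on target: the nrfx SPI driver).
 * Constructed behaviour: the fake sensor answers with each byte inverted. */
static int sensor_spi_xfer(const uint8_t *tx, uint8_t *rx, size_t len)
{
    for (size_t i = 0; i < len; i++) rx[i] = (uint8_t)~tx[i];
    return 0;
}

/* Hypothetical handler for one extra request in the ioctl partition. */
enum tfm_platform_err_t sensor_ioctl_handler(uint32_t request,
                                             psa_invec *in, psa_outvec *out)
{
    uint8_t tx[SENSOR_SPI_MAX_XFER], rx[SENSOR_SPI_MAX_XFER];

    if (request != IOCTL_REQ_SENSOR_SPI_XFER) return TFM_PLATFORM_ERR_NOT_SUPPORTED;
    if (!in || !out || !in->base || !out->base) return TFM_PLATFORM_ERR_INVALID_PARAM;
    /* Bound the length before touching the stack buffers. */
    if (in->len == 0 || in->len > SENSOR_SPI_MAX_XFER || out->len < in->len)
        return TFM_PLATFORM_ERR_INVALID_PARAM;

    /* Work on a secure-side copy so the caller cannot change data mid-transfer. */
    memcpy(tx, in->base, in->len);
    if (sensor_spi_xfer(tx, rx, in->len) != 0) return TFM_PLATFORM_ERR_SYSTEM_ERROR;
    memcpy(out->base, rx, in->len);
    out->len = in->len; /* report exactly how many bytes were written */
    return TFM_PLATFORM_ERR_SUCCESS;
}

int main(void)
{
    uint8_t cmd[2] = { 0x0F, 0xA5 }, resp[2] = { 0 }; /* constructed sample frame */
    psa_invec in = { cmd, sizeof cmd };
    psa_outvec out = { resp, sizeof resp };
    return (int)sensor_ioctl_handler(IOCTL_REQ_SENSOR_SPI_XFER, &in, &out);
}
```
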
