Our project needs to use a TEE on the nRF5340, which seems to be implemented by TF-M for now and the future. After investigating the implementation, I didn't find a service sample that uses a peripheral from the secure world. Specifically, our project needs to get an SPI-wired biometric sensor managed by the TEE environment. So far, I can't find either the nRF53's SPIM driver in TF-M's nRF53 platform or a custom service using the physical driver. Do you have an example similar to that or some suggestions on how to achieve that?
Jun Li @ Intel Corporation
You can refer to the implementation of the custom service to read memory to see how custom services are added to TF-M. You can add more services here using the same approach to add more services to the existing partition.
Regarding SPIM, you can use that from TF-M if it is configured for the secure domain. If you for instance use the nrfx SPIM driver, it makes sense to add the source files and include folder to the CMakeLists.txt linked to above.
Thanks again for the help! The implementation seems a nice example for me to get started with.
A further question: what is the status of integrating CryptoCell with TF-M? Is it fully functional for supporting mbedTLS on the non-secure world, such as working as a backend for mbedTLS?
Thanks for the suggestions!
One more question: our application RoT will use the SPI master, which doesn't have an implementation in the HAL layer. To enable the application RoT to use the SPI driver, should a PSA RoT partition for the SPI driver be added as well, like the ioctl partition which is implemented already?
You do not need a separate partition. The ioctl partition is rather generic so I suggest you try to re-use the existing partition.
I read the ioctl's implementation and thought it is just for reading a memory block from somewhere. How can I use it to control an SPI device? I guess our application RoT could directly access the SPI master driver from the Nordic SDK?
jli157@intel said: I read the ioctl's implementation and thought it is just for reading a memory block from somewhere.
Yes, that is how it is provided in the SDK, but you can modify it to your needs, adding more/arbitrary features in the same partition.
jli157@intel said: How can I use it to control an SPI device?
You can expand it with whatever functionality you need. If you need to control an SPI device, you can include the nrfx SPI driver implementation file in the build and use that to control the SPI peripheral.
(There is ongoing work to make it possible to add new partitions out of tree, so this can be done in a cleaner way at some point in the future.)
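As an added example (not code from this thread, from TF-M or from the nRF SDK), this is the shape of one secure-side ioctl case that wraps an SPI transfer the way Einar describes: the non-secure caller's request code and buffer lengths are checked before the driver is touched, and data is staged in secure RAM. The psa_invec/psa_outvec typedefs, the request code and the loopback backend are stand-ins so it builds on a host; in firmware the backend would call nrfx_spim_xfer() on the secure-domain SPIM instance.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Mirrors the shape of TF-M's psa_invec/psa_outvec so the example builds without
 * TF-M headers (assumption; real firmware would include psa/client.h instead). */
typedef struct { const void *base; size_t len; } psa_invec;
typedef struct { void *base; size_t len; } psa_outvec;

/* Hypothetical request code for the added SPI service; in firmware it would be
 * a new value in the platform ioctl request enum. */
#define IOCTL_SPI_XFER 0x100u
#define SPI_MAX_XFER   64u   /* hard bound on one transfer from the non-secure side */

enum svc_err { SVC_OK = 0, SVC_BAD_REQ = 1, SVC_BAD_LEN = 2, SVC_HW_FAIL = 3 };

/* Backend hook: in firmware this wraps nrfx_spim_xfer(); here it is a loopback
 * stub (constructed) so the dispatch logic can be exercised on a host. */
typedef int (*spi_xfer_fn)(const uint8_t *tx, uint8_t *rx, size_t len);

static int spi_loopback(const uint8_t *tx, uint8_t *rx, size_t len) {
    for (size_t i = 0; i < len; i++) rx[i] = (uint8_t)(tx[i] ^ 0xFF); /* fake sensor echo */
    return 0;
}

/* Secure-side handler, shaped like one case inside tfm_platform_hal_ioctl().
 * Every size comes from the non-secure caller and is validated first; the
 * payload is copied into secure stack buffers (which also satisfies the SPIM
 * EasyDMA requirement that transfer buffers live in RAM). */
enum svc_err spi_ioctl(uint32_t req, const psa_invec *in, psa_outvec *out, spi_xfer_fn xfer) {
    uint8_t tx[SPI_MAX_XFER], rx[SPI_MAX_XFER];
    if (req != IOCTL_SPI_XFER) return SVC_BAD_REQ;
    if (in == NULL || out == NULL || in->base == NULL || out->base == NULL) return SVC_BAD_LEN;
    if (in->len == 0 || in->len > SPI_MAX_XFER || out->len < in->len) return SVC_BAD_LEN;
    memcpy(tx, in->base, in->len);            /* copy out of NS memory before use */
    if (xfer(tx, rx, in->len) != 0) return SVC_HW_FAIL;
    memcpy(out->base, rx, in->len);           /* only now write back to the NS buffer */
    out->len = in->len;                       /* report bytes actually produced */
    return SVC_OK;
}
```

The non-secure side would reach this through tfm_platform_ioctl() with the same invec/outvec pair; the checks above are what keep a bad length from the NS image from turning into an out-of-bounds DMA transfer in the secure world.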
Understood. We can expose the SPI API as a platform service, as you have done to expose memory access in ioctl.
I've already found an out-of-tree partition solution in one of Arm's TF-M pull requests: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/10562 which is very useful.
Thank you, Einar!