• State Not Answered
  • Replies 7 replies
  • Subscribers 87 subscribers
  • Views 1887 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 277663
Options

Problems on enabling TF-M's BL2

jli157@intel

A question regarding to nRFSDK 1.7: why does nRFSDK disable using BL2 inside TF-M? If our device needs BL2 with TF-M, how can we enable it?
I can't enable CONFIG_TFM_BL2 if using nrfsdk v1.7.0 since it is disabled by default. 


Should I use nrfsdk-mcuboot to replace it? If so, it seems nrfsdk-mcuboot has not been well aligned to TF-M, right?

Another question is regarding o use the nRF security backend with TF-M: is the CryptoCell is enabled automatically if nRF security backend is enabled? I don't see any static libraries inside "nrfxlib/crypto" have been linked to TF-M. Is TF-M's PSA crypto actually using "cryptocell-312-runtime"? If so, why is the nrf_security backend still needed? 

Parents
  • 0

    Hi,

    BL2 is not supported with TF-M right now. You can use BOOTLOADER_MCUBOOT instead for now. Can you elaborate on what you mean by MCUBoot not being well aligned to TF-M?

    Regarding nrf_security, the CryptoCell is enabled by default when you use TF-M. Checking the build/tfm/build.ninja file will show the linking commands with the crypto libraries.

  • 0 in reply to Einar Thorsrud

    Hi Einar, 

    Thanks for the support again! 

    I just realized that nrfsdk-mcuboot is actually used by Nordic to replace TF-M's BL2 thus the BL2 inside TF-M is disabled. So, will you continue this way in the future or you will enable TF-M's BL2 at sometime? 

    I saw BL2 inside TF-M has some special customized code based on mcuboot, like the shared data with Firmware Update secure partition. Does nrfsdk-mcuboot work with firmware update secure partition? Or you have another plan to support firmware update? 

    Does nrfsdk-mcuboot support using QSPI flash memory as the swap storage on nrf53 DK? 

    As for nrf_security, yes I also found the build script extracts the library nrfxlib/crypto/nrf_cc312_mbedcrypto/lib/cortex-m33/soft-float/no-interrupts/libnrf_cc312_mbedcrypto_0.9.11.a and chooses the object files based on the enabled macros. 

    However, I'm wondering why Nordic chose using the static library instead of the package "cryptocell-312-runtime" inside TF-M to enable CryptoCell for TF-M? Are there some special considerations or some limitations? 

     

    Is it okay I'm using the same thread to ask more questions about nrf_security? I'm still having a couple of questions. Or should I open a new thread? 

  • 0 in reply to jli157@intel

    Hi,

    jli157@intel said:
    I just realized that nrfsdk-mcuboot is actually used by Nordic to replace TF-M's BL2 thus the BL2 inside TF-M is disabled. So, will you continue this way in the future or you will enable TF-M's BL2 at sometime? 

    There are no work on supporting BL2 now. I cannot say if it will come at some point in the future or not, though.

    jli157@intel said:
    I saw BL2 inside TF-M has some special customized code based on mcuboot, like the shared data with Firmware Update secure partition. Does nrfsdk-mcuboot work with firmware update secure partition? Or you have another plan to support firmware update? 

    Perhaps you can elaborate? Is the question here if/how you can update TF-M?

    jli157@intel said:
    Does nrfsdk-mcuboot support using QSPI flash memory as the swap storage on nrf53 DK? 

    Yes, you can have the secondary slot (1) on external flash, and then copy it to slot 0 during activation.

    jli157@intel said:
    However, I'm wondering why Nordic chose using the static library instead of the package "cryptocell-312-runtime" inside TF-M to enable CryptoCell for TF-M? Are there some special considerations or some limitations? 

    The cryptocell-312-runtime is provided by ARM for use on some other devices, but it not and cannot be used on Nordic devices. The nrf_cc312_mbedcrypto is based on ARM libraries but has (among other things) adaptations for the nRF platform.

    jli157@intel said:
    Is it okay I'm using the same thread to ask more questions about nrf_security? I'm still having a couple of questions. Or should I open a new thread? 

    I would prefer it if you make a new thread for separate questions. That makes it easier to maintain the overview, and also makes it easier to delegate some questions to other colleagues of mine.

    Einar

Reply
  • 0 in reply to jli157@intel

    Hi,

    jli157@intel said:
    I just realized that nrfsdk-mcuboot is actually used by Nordic to replace TF-M's BL2 thus the BL2 inside TF-M is disabled. So, will you continue this way in the future or you will enable TF-M's BL2 at sometime? 

    There are no work on supporting BL2 now. I cannot say if it will come at some point in the future or not, though.

    jli157@intel said:
    I saw BL2 inside TF-M has some special customized code based on mcuboot, like the shared data with Firmware Update secure partition. Does nrfsdk-mcuboot work with firmware update secure partition? Or you have another plan to support firmware update? 

    Perhaps you can elaborate? Is the question here if/how you can update TF-M?

    jli157@intel said:
    Does nrfsdk-mcuboot support using QSPI flash memory as the swap storage on nrf53 DK? 

    Yes, you can have the secondary slot (1) on external flash, and then copy it to slot 0 during activation.

    jli157@intel said:
    However, I'm wondering why Nordic chose using the static library instead of the package "cryptocell-312-runtime" inside TF-M to enable CryptoCell for TF-M? Are there some special considerations or some limitations? 

    The cryptocell-312-runtime is provided by ARM for use on some other devices, but it not and cannot be used on Nordic devices. The nrf_cc312_mbedcrypto is based on ARM libraries but has (among other things) adaptations for the nRF platform.

    jli157@intel said:
    Is it okay I'm using the same thread to ask more questions about nrf_security? I'm still having a couple of questions. Or should I open a new thread? 

    I would prefer it if you make a new thread for separate questions. That makes it easier to maintain the overview, and also makes it easier to delegate some questions to other colleagues of mine.

    Einar

Children
No Data
Related
Terms of service