Problems on enabling TF-M's BL2

A question regarding nRFSDK 1.7: why does nRFSDK disable using BL2 inside TF-M? If our device needs BL2 with TF-M, how can we enable it?
I can't enable CONFIG_TFM_BL2 if using nrfsdk v1.7.0 since it is disabled by default. 


Should I use nrfsdk-mcuboot to replace it? If so, it seems nrfsdk-mcuboot has not been well aligned to TF-M, right?

Another question is regarding the use of the nRF security backend with TF-M: is the CryptoCell enabled automatically if the nRF security backend is enabled? I don't see that any static libraries inside "nrfxlib/crypto" have been linked to TF-M. Is TF-M's PSA crypto actually using "cryptocell-312-runtime"? If so, why is the nrf_security backend still needed?

  • Einar, 

    You mean you haven't enabled the firmware update secure partitions (FWU) for firmware update? So, what's Nordic's plan to support FWU? Will you use another approach instead of the FWU provided by TF-M?

  • Hi,

    Yes, we do not have a solution for FWU for secure partitions only at the moment. Support for TF-M in nRF Connect SDK is still experimental and some important functionality is still missing. I cannot say which approach we will use for firmware upgrades of secure partitions at the moment, but the team is looking into this.

    Edit: Note that we use a swapping mechanism with MCUboot so that the banked update is stored in a non-secure area. Therefore the application can write the update itself without using a secure service. We bundle TF-M together with the app image, so the current mechanism can be used to update both together.
