TF-M WIP

tomi-font · tomi-font · commit 1db5745088cb · 2026-05-11T08:46:02.000+03:00
Signed-off-by: Tomi Fontanilles &lt;tomi.fontanilles@nordicsemi.no&gt;
diff --git a/modules/trusted-firmware-m/tfm_boards/external_core.cmake b/modules/trusted-firmware-m/tfm_boards/external_core.cmake
@@ -27,25 +27,12 @@ if(TARGET tfm_api_ns)
     )
 endif()
 
-# Duplicates that can be removed
-#set(TFM_MBEDCRYPTO_CONFIG_PATH ${CONFIG_MBEDTLS_CONFIG_FILE})
-#set(TFM_MBEDCRYPTO_PSA_CRYPTO_CONFIG_PATH ${CONFIG_TF_PSA_CRYPTO_CONFIG_FILE})
-#set(TFM_MBEDCRYPTO_PSA_CRYPTO_USER_CONFIG_PATH ${CONFIG_TF_PSA_CRYPTO_USER_CONFIG_FILE})
-
-# Note: This is a duplicate from nrf_security/CMakeLists.txt
-#       with additions of the install-target for Oberon-psa-core includes
 if(TARGET psa_interface)
     set(EXTERNAL_CRYPTO_CORE_HANDLED_PSA_INTERFACE True)
+    include(${NRF_SECURITY_DIR}/cmake/psa_interface_shared_properties.cmake)
     target_include_directories(psa_interface
         INTERFACE
             ${NRF_SECURITY_DIR}/include
-            $<BUILD_INTERFACE:${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include>
-            # Oberon library
-            ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
-            # Mbed TLS (mbedcrypto) PSA headers
-            ${ZEPHYR_MBEDTLS_MODULE_DIR}/library
-            ${ZEPHYR_MBEDTLS_MODULE_DIR}/include
-            ${ZEPHYR_MBEDTLS_MODULE_DIR}/include/library
     )
 endif()
 
diff --git a/subsys/nrf_security/CMakeLists.txt b/subsys/nrf_security/CMakeLists.txt
@@ -44,7 +44,7 @@ if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
 
   # Add replacement platform.c for NS build
   list(APPEND src_zephyr
-    ${ZEPHYR_MBEDTLS_MODULE_DIR}/library/platform.c
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/platform/platform.c
   )
 
   # The current version of the mbed TLS deliverables requires mbedcrypto built
@@ -54,10 +54,7 @@ if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
 
   get_cmake_property(all_vars VARIABLES)
 
-  # 1. Non-secure should not build the PSA core or drivers
-  set(CONFIG_MBEDTLS_PSA_CRYPTO_C               False)
-
-  # 2. Enable OBERON_BACKEND, disable CC3XX_BACKEND
+  # Enable OBERON_BACKEND, disable CC3XX_BACKEND
   set(CONFIG_NRF_OBERON                         True)
   set(CONFIG_OBERON_BACKEND                     True)
   set(CONFIG_CC3XX_BACKEND                      False)
@@ -66,7 +63,7 @@ if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
   set(CONFIG_NRF_CC3XX_PLATFORM                 False)
   set(CONFIG_PSA_CRYPTO_DRIVER_CC3XX            False)
 
-  # 3. Special case: _ALT in CC3XX, not in OBERON (set  to False)
+  # Special case: _ALT in CC3XX, not in OBERON (set  to False)
   set(CONFIG_MBEDTLS_AES_ALT                    False)
   set(CONFIG_MBEDTLS_CCM_ALT                    False)
   set(CONFIG_MBEDTLS_CHACHAPOLY_ALT             False)
@@ -76,11 +73,11 @@ if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
   set(CONFIG_MBEDTLS_DHM_ALT                    False)
   set(CONFIG_MBEDTLS_RSA_ALT                    False)
 
-  # 4. Special case: _ALT in ECJPAKE (only in OBERON, set to True)
-  #    Only has effect if ECJPAKE is enabled
+  # Special case: _ALT in ECJPAKE (only in OBERON, set to True)
+  # Only has effect if ECJPAKE is enabled
   set(CONFIG_MBEDTLS_ECJPAKE_ALT                True)
 
-  # 5. Special case: Handle platform specific configurations
+  # Special case: Handle platform specific configurations
   set(CONFIG_MBEDTLS_PLATFORM_EXIT_ALT                 False)
   set(CONFIG_MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT       False)
 else()
@@ -112,14 +109,7 @@ target_compile_definitions(psa_crypto_library_config
 # The name and intent of this comes from TF-M distribution
 add_library(psa_interface INTERFACE)
 
-target_include_directories(psa_interface
-  INTERFACE
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/core/
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/dispatch/
-    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/platform/
-)
+include(cmake/psa_interface_shared_properties.cmake)
 
 # Finally adding the crypto lib
 add_subdirectory(${ZEPHYR_NRFXLIB_MODULE_DIR}/crypto crypto_copy)
diff --git a/subsys/nrf_security/Kconfig.legacy b/subsys/nrf_security/Kconfig.legacy
@@ -55,6 +55,7 @@ config MBEDTLS_PLATFORM_FPRINTF_ALT
 
 config MBEDTLS_PLATFORM_PRINTF_ALT
 	bool
+	default y if BUILD_WITH_TFM
 
 config MBEDTLS_PLATFORM_SNPRINTF_ALT
 	bool
diff --git a/subsys/nrf_security/cmake/generate_configs.cmake b/subsys/nrf_security/cmake/generate_configs.cmake
@@ -85,7 +85,6 @@ macro(generate_mbedcrypto_library_configs)
     kconfig_backup_current_config(CONFIG_MBEDTLS_PSA_CRYPTO_C)
     kconfig_backup_current_config(CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
     kconfig_backup_current_config(CONFIG_MBEDTLS_PSA_CRYPTO_SPM)
-    kconfig_backup_current_config(CONFIG_MBEDTLS_PLATFORM_PRINTF_ALT)
     kconfig_backup_current_config(CONFIG_MBEDTLS_THREADING_C)
     kconfig_backup_current_config(CONFIG_MBEDTLS_THREADING_ALT)
     kconfig_backup_current_config(CONFIG_MBEDTLS_MEMORY_BUFFER_ALLOC_C)
@@ -108,8 +107,6 @@ macro(generate_mbedcrypto_library_configs)
       set(CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER True)
       # CONFIG_MBEDTLS_PSA_CRYPTO_SPM must be set for the library build in TF-M
       set(CONFIG_MBEDTLS_PSA_CRYPTO_SPM True)
-      # CONFIG_MBEDTLS_PLATFORM_PRINTF_ALT must be set for the library build in TF-M
-      set(CONFIG_MBEDTLS_PLATFORM_PRINTF_ALT True)
       # Disable threading for the PSA interface used in TF-M build (NS and S image)
       set(CONFIG_MBEDTLS_THREADING_C False)
       set(CONFIG_MBEDTLS_THREADING_ALT False)
@@ -142,7 +139,6 @@ macro(generate_mbedcrypto_library_configs)
     kconfig_restore_backup_config(CONFIG_MBEDTLS_PSA_CRYPTO_C)
     kconfig_restore_backup_config(CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
     kconfig_restore_backup_config(CONFIG_MBEDTLS_PSA_CRYPTO_SPM)
-    kconfig_restore_backup_config(CONFIG_MBEDTLS_PLATFORM_PRINTF_ALT)
     kconfig_restore_backup_config(CONFIG_MBEDTLS_THREADING_C)
     kconfig_restore_backup_config(CONFIG_MBEDTLS_THREADING_ALT)
     kconfig_restore_backup_config(CONFIG_MBEDTLS_MEMORY_BUFFER_ALLOC_C)
diff --git a/subsys/nrf_security/cmake/nrf_config.cmake b/subsys/nrf_security/cmake/nrf_config.cmake
@@ -19,7 +19,6 @@ kconfig_check_and_set_base(MBEDTLS_THREADING_ALT)
 # Platform configurations for _ALT defines
 kconfig_check_and_set_base(MBEDTLS_PLATFORM_EXIT_ALT)
 kconfig_check_and_set_base(MBEDTLS_PLATFORM_FPRINTF_ALT)
-kconfig_check_and_set_base(MBEDTLS_PLATFORM_PRINTF_ALT)
 kconfig_check_and_set_base(MBEDTLS_PLATFORM_SNPRINTF_ALT)
 kconfig_check_and_set_base(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
 kconfig_check_and_set_base(MBEDTLS_ENTROPY_HARDWARE_ALT)
diff --git a/subsys/nrf_security/cmake/psa_crypto_config.cmake b/subsys/nrf_security/cmake/psa_crypto_config.cmake
@@ -19,6 +19,7 @@ kconfig_check_and_set_base(MBEDTLS_PLATFORM_C)
 
 # TF-M
 kconfig_check_and_set_base_to_one(MBEDTLS_PSA_CRYPTO_SPM)
+kconfig_check_and_set_base_to_one(MBEDTLS_PLATFORM_PRINTF_ALT)
 
 # Convert CRACEN driver configuration
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_CRACEN)
diff --git a/subsys/nrf_security/cmake/psa_interface_shared_properties.cmake b/subsys/nrf_security/cmake/psa_interface_shared_properties.cmake
@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2026 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+target_include_directories(psa_interface
+  INTERFACE
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/include
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/library
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/core
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/dispatch
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/platform
+)
diff --git a/subsys/nrf_security/configs/nrf-config.h.template b/subsys/nrf_security/configs/nrf-config.h.template
@@ -25,7 +25,6 @@
 /* Platform configurations for _ALT defines */
 #cmakedefine MBEDTLS_PLATFORM_EXIT_ALT
 #cmakedefine MBEDTLS_PLATFORM_FPRINTF_ALT
-#cmakedefine MBEDTLS_PLATFORM_PRINTF_ALT
 #cmakedefine MBEDTLS_PLATFORM_SNPRINTF_ALT
 #cmakedefine MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
 #cmakedefine MBEDTLS_ENTROPY_HARDWARE_ALT
diff --git a/subsys/nrf_security/configs/psa_crypto_config.h.template b/subsys/nrf_security/configs/psa_crypto_config.h.template
@@ -22,6 +22,7 @@
 
 /* TF-M */
 #cmakedefine MBEDTLS_PSA_CRYPTO_SPM
+#cmakedefine MBEDTLS_PLATFORM_PRINTF_ALT
 
 /* RSA */
 #cmakedefine PSA_MAX_RSA_KEY_BITS @PSA_MAX_RSA_KEY_BITS@
diff --git a/subsys/nrf_security/src/CMakeLists.txt b/subsys/nrf_security/src/CMakeLists.txt
@@ -28,6 +28,7 @@ target_include_directories(psa_crypto_config
   INTERFACE
     ${PSA_CRYPTO_CONFIG_INTERFACE_PATH}
     ${NRF_SECURITY_DIR}/include
+    ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}/core
 )
 
 # Add fallback include folders from Mbed TLS for driver context structures
@@ -171,8 +172,7 @@ endif()
 # Add drivers (for legacy and PSA crypto build)
 add_subdirectory(drivers)
 
-# Add legacy Mbed TLS APIs
-if(CONFIG_MBEDTLS_LEGACY_CRYPTO_C OR (CONFIG_NRF_OBERON AND CONFIG_BUILD_WITH_TFM))
+if(CONFIG_MBEDTLS_LEGACY_CRYPTO_C)
   add_subdirectory(legacy)
 endif()
 
diff --git a/subsys/nrf_security/src/core/nrf_oberon/CMakeLists.txt b/subsys/nrf_security/src/core/nrf_oberon/CMakeLists.txt
@@ -20,27 +20,18 @@ append_with_prefix(src_crypto_core_oberon ${ZEPHYR_OBERON_PSA_CRYPTO_MODULE_DIR}
   psa_crypto_storage.c
 )
 
-add_library(psa_core STATIC
-    ${src_crypto_core_oberon}
-)
-
-# Add the nordic version of psa_crypto_driver_wrappers with the core (out of tree)
-target_sources(psa_core
-  PRIVATE
-    ${NRF_SECURITY_DIR}/src/psa_crypto_driver_wrappers.c
+append_with_prefix(src_crypto_core_oberon ${NRF_SECURITY_DIR}/src/
+  psa_crypto_driver_wrappers.c
 )
 
 if(CONFIG_MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
-  target_sources(psa_core
-    PRIVATE
-      ${NRF_SECURITY_DIR}/src/mbedtls_psa_platform.c
+  append_with_prefix(src_crypto_core_oberon ${NRF_SECURITY_DIR}/src/
+    mbedtls_psa_platform.c
   )
 endif()
 
-target_link_libraries(psa_core
-  PRIVATE
-    psa_crypto_library_config
-    psa_interface
+add_library(psa_core STATIC
+    ${src_crypto_core_oberon}
 )
 
 target_compile_definitions(psa_core
diff --git a/subsys/nrf_security/tfm/CMakeLists.txt b/subsys/nrf_security/tfm/CMakeLists.txt
@@ -61,9 +61,6 @@ endif()
 set(CONFIG_MBEDTLS_THREADING_ALT                    False)
 set(CONFIG_MBEDTLS_THREADING_C                      False)
 
-# mbedtls_printf is used to print messages including error information.
-set(MBEDTLS_PLATFORM_PRINTF_ALT                     True)
-
 # Set the a define stating that KEY_ID encodes owner
 set(CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER  True)
 
diff --git a/west.yml b/west.yml
@@ -150,7 +150,7 @@ manifest:
     - name: trusted-firmware-m
       repo-path: sdk-trusted-firmware-m
       path: modules/tee/tf-m/trusted-firmware-m
-      revision: 7c7180bd5ac51bea384adfb6bd98979f948b692c
+      revision: pull/253/head
     - name: psa-arch-tests
       repo-path: sdk-psa-arch-tests
       path: modules/tee/tf-m/psa-arch-tests
