diff --git a/include/dfu/pcd.h b/include/dfu/pcd.h index e1275f3012c..b218fddc0b7 100644 --- a/include/dfu/pcd.h +++ b/include/dfu/pcd.h @@ -25,37 +25,18 @@ #include #include +#include #ifdef __cplusplus extern "C" { #endif -#ifdef CONFIG_SOC_SERIES_NRF53X - -#ifdef CONFIG_PCD_CMD_ADDRESS - -#define PCD_CMD_ADDRESS CONFIG_PCD_CMD_ADDRESS - -#else - -#include - -#ifdef PM_PCD_SRAM_ADDRESS -#define PCD_CMD_ADDRESS PM_PCD_SRAM_ADDRESS -#else -/* extra '_' since its in a different domain */ -#define PCD_CMD_ADDRESS PM__PCD_SRAM_ADDRESS -#endif /* PM_PCD_SRAM_ADDRESS */ - -#endif /* CONFIG_PCD_CMD_ADDRESS */ - -#endif /* CONFIG_SOC_SERIES_NRF53X */ - enum pcd_status { PCD_STATUS_COPY = 0, PCD_STATUS_DONE = 1, PCD_STATUS_FAILED = 2, PCD_STATUS_READ_VERSION = 3, + PCD_STATUS_LOCK_DEBUG = 4, }; /** @brief Sets up the PCD command structure with the location and size of the @@ -87,8 +68,10 @@ int pcd_network_core_update(const void *src_addr, size_t len); int pcd_network_core_update_initiate(const void *src_addr, size_t len); /** @brief Lock the RAM section used for IPC with the network core bootloader. + * + * @param lock_conf Lock configuration until next SoC reset. */ -void pcd_lock_ram(void); +void pcd_lock_ram(bool lock_conf); /** @brief Update the PCD CMD to indicate that the operation has completed * successfully. diff --git a/include/dfu/pcd_common.h b/include/dfu/pcd_common.h new file mode 100644 index 00000000000..e0e5ed78883 --- /dev/null +++ b/include/dfu/pcd_common.h 
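Review bot: The new `lock_conf` parameter of `pcd_lock_ram()` is documented only as "Lock configuration until next SoC reset", which does not tell a caller what passing `false` gives up. In subsys/pcd/src/pcd.c the flag is forwarded as the last argument of `nrf_spu_ramregion_set()`, so with `false` the PCD region is made read-only but the setting presumably stays rewritable by later secure code. I would spell that out: `@param lock_conf If true, the SPU configuration of the PCD RAM region is locked until the next SoC reset; if false, the region is made read-only but the setting can still be changed.` The signature change also affects every existing `pcd_lock_ram()` caller outside this diff, so those call sites need a deliberate choice of value.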
@@ -0,0 +1,61 @@ +/* + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +/** @file pcd_common.h + * + * @ingroup pcd + * @{ + * @brief Common definitions for the PCD API. + * + * Common definitions are split out from the main PCD API to allow usage + * from non-Zephyr code. + */ + +#ifndef PCD_COMMON_H__ +#define PCD_COMMON_H__ + +#ifdef CONFIG_SOC_SERIES_NRF53X + +#ifdef CONFIG_PCD_CMD_ADDRESS + +#define PCD_CMD_ADDRESS CONFIG_PCD_CMD_ADDRESS + +#else + +#include + +#ifdef PM_PCD_SRAM_ADDRESS +#define PCD_CMD_ADDRESS PM_PCD_SRAM_ADDRESS +#else +/* extra '_' since its in a different domain */ +#define PCD_CMD_ADDRESS PM__PCD_SRAM_ADDRESS +#endif /* PM_PCD_SRAM_ADDRESS */ + +#endif /* CONFIG_PCD_CMD_ADDRESS */ + +#endif /* CONFIG_SOC_SERIES_NRF53X */ + +/** Magic value written to indicate that a copy should take place. */ +#define PCD_CMD_MAGIC_COPY 0xb5b4b3b6 +/** Magic value written to indicate that debug should be locked. */ +#define PCD_CMD_MAGIC_LOCK_DEBUG 0xb6f249ec +/** Magic value written to indicate that a something failed. */ +#define PCD_CMD_MAGIC_FAIL 0x25bafc15 +/** Magic value written to indicate that a copy is done. */ +#define PCD_CMD_MAGIC_DONE 0xf103ce5d +/** Magic value written to indicate that a version number read should take place. */ +#define PCD_CMD_MAGIC_READ_VERSION 0xdca345ea + +struct pcd_cmd { + uint32_t magic; /* Magic value to identify this structure in memory */ + const void *data; /* Data to copy*/ + size_t len; /* Number of bytes to copy */ + __INTPTR_TYPE__ offset; /* Offset to store the flash image in */ +} __aligned(4); + +#endif /* PCD_COMMON_H__ */ + +/**@} */ diff --git a/modules/trusted-firmware-m/Kconfig.tfm.pm b/modules/trusted-firmware-m/Kconfig.tfm.pm index 20618c6d785..98930931b79 100644 --- a/modules/trusted-firmware-m/Kconfig.tfm.pm +++ b/modules/trusted-firmware-m/Kconfig.tfm.pm 
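Review bot: `struct pcd_cmd` is now the shared-RAM contract between separately built images (TF-M in nrf_provisioning.c and the Zephyr PCD code), but this header neither pins its layout nor is visibly self-contained. In the lines shown, no include outside the `CONFIG_SOC_SERIES_NRF53X` branch provides `uint32_t`, `size_t` or `__aligned`, and `offset` changed from `off_t` to `__INTPTR_TYPE__`, so the final layout depends on each includer (include targets are not legible in this rendering, so confirm). A compile-time check next to the struct would catch drift: `_Static_assert(sizeof(struct pcd_cmd) == 16, "pcd_cmd layout is shared between cores");` — 16 is what I would expect on a 32-bit target and needs confirming.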
@@ -15,7 +15,7 @@ config PM_PARTITION_SIZE_TFM_SRAM # assigning 0x16000 of RAM to TFM will not leave enough RAM for # Matter. So we use 0x13000 of RAM on 54L. default 0x13000 if SOC_SERIES_NRF54LX - default 0x16000 if SOC_SERIES_NRF91X + default 0x16000 if SOC_SERIES_NRF91X || SOC_SERIES_NRF53X default 0x30000 help Memory set aside for the TFM_SRAM partition. diff --git a/modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c b/modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c index 40c5c412675..5fc34fcdfa9 100644 --- a/modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c +++ b/modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c 
@@ -16,6 +16,67 @@ #include "nrf_provisioning.h" #include #include +#ifdef NRF53_SERIES +#include +#include +#include + +#define DEBUG_LOCK_TIMEOUT_MS 3000 +#define USEC_IN_MSEC 1000 +#define USEC_IN_SEC 1000000 + +volatile static struct pcd_cmd *cmd = (struct pcd_cmd *)PCD_CMD_ADDRESS; + +static void pcd_write_cmd_lock_debug(void) +{ + *cmd = (struct pcd_cmd){ + .magic = PCD_CMD_MAGIC_LOCK_DEBUG, + }; +} + +static bool pcd_read_cmd_done(void) +{ + return cmd->magic == PCD_CMD_MAGIC_DONE; +} + +static bool pcd_read_cmd_lock_debug(void) +{ + return cmd->magic == PCD_CMD_MAGIC_LOCK_DEBUG; +} + +static enum tfm_plat_err_t disable_netcore_debug(void) +{ + /* NRF_RESET to secure. It will be configured non-secure after the provisioning is done. */ + spu_peripheral_config_secure(NRF_RESET_S_BASE, SPU_LOCK_CONF_UNLOCKED); + + /* Ensure that the network core is stopped. */ + nrf_reset_network_force_off(NRF_RESET, true); + + /* Debug lock command will be read in b0n startup. */ + pcd_write_cmd_lock_debug(); + + /* Start the network core. */ + nrf_reset_network_force_off(NRF_RESET, false); + + /* Wait 1 second for the network core to start up. */ + NRFX_DELAY_US(USEC_IN_SEC); + + /* Wait for the debug lock to complete. */ + for (uint16_t i = 0; i < DEBUG_LOCK_TIMEOUT_MS; i++) { + if (!pcd_read_cmd_lock_debug()) { + break; + } + NRFX_DELAY_US(USEC_IN_MSEC); + } + + if (!pcd_read_cmd_done()) { + SPMLOG_ERRMSG("Failed to lock debug in network core."); + return TFM_PLAT_ERR_SYSTEM_ERR; + } + + return TFM_PLAT_ERR_SUCCESS; +} +#endif /* NRF53_SERIES */ static enum tfm_plat_err_t verify_debug_disabled(void) { 
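Review bot: `disable_netcore_debug()` returns success on the `PCD_CMD_MAGIC_DONE` value alone and then leaves the network core running; nothing after the poll loop forces it off again or checks the protection state independently. The b0n side of this commit (samples/nrf5340/netboot/src/main.c) writes UICR APPROTECT and then spins "waiting to be rebooted", so the lock presumably only takes effect once the network core is reset, and this function does not show where that reset happens. I would either hold the core in reset after DONE with `nrf_reset_network_force_off(NRF_RESET, true);`, or add a comment naming the reset that latches the setting before the lifecycle moves to SECURED. Minor style: `volatile static` is better written `static volatile struct pcd_cmd *cmd`, with `volatile` carried in the cast as well.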
@@ -71,10 +132,18 @@ enum tfm_plat_err_t tfm_plat_provisioning_perform(void) * that secure boot is already enabled at this stage */ + /* Application debug should already be disabled */ if (verify_debug_disabled() != TFM_PLAT_ERR_SUCCESS) { return TFM_PLAT_ERR_SYSTEM_ERR; } +#ifdef NRF53_SERIES + /* Disable network core debug in here */ + if (disable_netcore_debug() != TFM_PLAT_ERR_SUCCESS) { + return TFM_PLAT_ERR_SYSTEM_ERR; + } +#endif + /* Transition to the SECURED lifecycle state */ if (tfm_attest_update_security_lifecycle_otp(TFM_SLC_SECURED) != 0) { return TFM_PLAT_ERR_SYSTEM_ERR; diff --git a/modules/trusted-firmware-m/tfm_boards/partition/region_defs.h b/modules/trusted-firmware-m/tfm_boards/partition/region_defs.h index 4ee3ef6a858..35ad6b2de9a 100644 --- a/modules/trusted-firmware-m/tfm_boards/partition/region_defs.h +++ b/modules/trusted-firmware-m/tfm_boards/partition/region_defs.h @@ -151,23 +151,23 @@ #ifdef PM_MCUBOOT_ADDRESS #define REGION_MCUBOOT_ADDRESS PM_MCUBOOT_ADDRESS -#define REGION_MCUBOOT_END_ADDRESS PM_MCUBOOT_END_ADDRESS +#define REGION_MCUBOOT_LIMIT PM_MCUBOOT_END_ADDRESS - 1 #endif #ifdef PM_B0_ADDRESS #define REGION_B0_ADDRESS PM_B0_ADDRESS -#define REGION_B0_END_ADDRESS PM_B0_END_ADDRESS +#define REGION_B0_LIMIT PM_B0_END_ADDRESS - 1 #endif #ifdef PM_S0_ADDRESS #define REGION_S0_ADDRESS PM_S0_ADDRESS -#define REGION_S0_END_ADDRESS PM_S0_END_ADDRESS +#define REGION_S0_LIMIT PM_S0_END_ADDRESS - 1 #endif #ifdef PM_S1_ADDRESS #define REGION_S1_ADDRESS PM_S1_ADDRESS -#define REGION_S1_END_ADDRESS PM_S1_END_ADDRESS +#define REGION_S1_LIMIT PM_S1_END_ADDRESS - 1 #endif #ifdef PM_PCD_SRAM_ADDRESS #define REGION_PCD_SRAM_ADDRESS PM_PCD_SRAM_ADDRESS -#define REGION_PCD_SRAM_END_ADDRESS PM_PCD_SRAM_END_ADDRESS +#define REGION_PCD_SRAM_LIMIT PM_PCD_SRAM_END_ADDRESS - 1 #endif #endif /* __REGION_DEFS_H__ */ diff --git a/samples/nrf5340/netboot/src/main.c b/samples/nrf5340/netboot/src/main.c index 65349667787..de32b754f7a 100644 
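Review bot: In region_defs.h the new `*_LIMIT` macros expand to an unparenthesized subtraction, e.g. `#define REGION_MCUBOOT_LIMIT PM_MCUBOOT_END_ADDRESS - 1`, so a use where the macro is subtracted from another value or multiplied binds differently than intended. These values presumably feed memory-protection region setup, where a precedence slip would silently shift a boundary. Wrap each one, `#define REGION_MCUBOOT_LIMIT (PM_MCUBOOT_END_ADDRESS - 1)`, and likewise for the B0, S0, S1 and PCD_SRAM limits. The rename from `*_END_ADDRESS` to `*_LIMIT` also changes the value from an exclusive to an inclusive end, so users outside this diff need checking.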
--- a/samples/nrf5340/netboot/src/main.c +++ b/samples/nrf5340/netboot/src/main.c @@ -15,6 +15,9 @@ #include #include #include +#ifdef CONFIG_PCD_LOCK_NETCORE_APPROTECT +#include +#endif int main(void) { @@ -41,6 +44,20 @@ int main(void) bool valid = false; uint8_t status = pcd_fw_copy_status_get(); +#ifdef CONFIG_PCD_LOCK_NETCORE_DEBUG + if (status == PCD_STATUS_LOCK_DEBUG) { + nrfx_nvmc_word_write((uint32_t)&NRF_UICR_NS->APPROTECT, + UICR_APPROTECT_PALL_Protected); + + pcd_done(); + + /* Success, waiting to be rebooted */ + while (1) + ; + CODE_UNREACHABLE; + } +#endif + #ifdef CONFIG_PCD_READ_NETCORE_APP_VERSION if (status == PCD_STATUS_READ_VERSION) { err = pcd_find_fw_version(); diff --git a/samples/tfm/tfm_psa_template/Kconfig.sysbuild b/samples/tfm/tfm_psa_template/Kconfig.sysbuild new file mode 100644 index 00000000000..880a31f7804 --- /dev/null +++ b/samples/tfm/tfm_psa_template/Kconfig.sysbuild @@ -0,0 +1,29 @@ +# +# Copyright (c) 2024 Nordic Semiconductor +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +source "${ZEPHYR_BASE}/share/sysbuild/Kconfig" + +if BOARD_NRF5340DK_NRF5340_CPUAPP_NS + +config NRF_DEFAULT_TFM_PSA_TEMPLATE_NETCORE + default y + +config SECURE_BOOT_NETCORE + default y + +config NETCORE_APP_UPDATE + default y + +config MCUBOOT_APP_SYNC_UPDATEABLE_IMAGES + default y + +config PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY + default y + +config MCUBOOT_USE_ALL_AVAILABLE_RAM + default y + +endif diff --git a/samples/tfm/tfm_psa_template/README.rst b/samples/tfm/tfm_psa_template/README.rst index 8b49be3dfd9..0bf7b70a5ca 100644 --- a/samples/tfm/tfm_psa_template/README.rst +++ b/samples/tfm/tfm_psa_template/README.rst 
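Review bot: The added include is guarded by `CONFIG_PCD_LOCK_NETCORE_APPROTECT`, while the code that needs it in the next hunk is guarded by `CONFIG_PCD_LOCK_NETCORE_DEBUG`, which is the symbol this commit adds in subsys/pcd/Kconfig and sets in the b0n prj.conf. Unless the header arrives through another include, `nrfx_nvmc_word_write()` is then used without a declaration when the feature is enabled. The guard should read `#ifdef CONFIG_PCD_LOCK_NETCORE_DEBUG`. The include target itself is not legible in this rendering.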
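Review bot: The lock path signals success with `pcd_done()` without reading the register back, so a write to `NRF_UICR_NS->APPROTECT` that did not land is indistinguishable from a successful lock on the application-core side. A read-back before signalling closes that gap: `if (NRF_UICR_NS->APPROTECT != UICR_APPROTECT_PALL_Protected) { pcd_fw_copy_invalidate(); }`, with `pcd_done()` called only on a match and the existing halt kept in both cases. `pcd_fw_copy_invalidate()` is taken from the context shown in subsys/pcd/src/pcd.c and I am assuming it writes the failure magic, which needs confirming. `main()` starts before and continues after this hunk.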
@@ -25,6 +25,8 @@ This sample uses Trusted Firmware-M, nRF Secure Immutable bootloader and MCUboot It includes provisioning the device with keys and being able to perform a device firmware update. The sample prints information about the identity of the device and the firmware versions that are currently running. +With nRF5340 this sample also includes the :ref:`B0n bootloader ` and :ref:`tfm_psa_template_net_core` for demonstrating the network core firmware update process. + Building and running ******************** @@ -38,7 +40,7 @@ Build and flash the provisioning image sample to provision the device with the P .. code-block:: console west build -b nrf5340dk/nrf5340/cpuapp nrf/samples/tfm/provisioning_image -d build_provisioning_image - west flash --erase -d build_provisioning_image + west flash --erase --recover -d build_provisioning_image Build and flash the TF-M PSA template sample. Do not flash with ``--erase`` as this will erase the PSA platform security parameters and they will be lost. @@ -145,6 +147,10 @@ See :ref:`ug_fw_update_keys` for more information on how to generate and use key The bootloader and the application can be updated using the :file:`mcumgr` command-line tool. See :zephyr:code-sample:`smp-svr` for installation and usage instructions. +.. note:: + + Remember to rebuild the sample with the updated keys before proceeding with the firmware update. + Application and TF-M firmware update ==================================== @@ -189,7 +195,7 @@ To upload a new bootloader image, build a bootloader targeting the correct bootl .. code-block:: console - west build -b nrf5340dk/nrf5340/cpuapp/ns nrf/samples/tfm/tfm_psa_template \ + west build -b nrf5340dk/nrf5340/cpuapp/ns nrf/samples/tfm/tfm_psa_template -d build_update \ -Dmcuboot_CONFIG_FW_INFO_FIRMWARE_VERSION=2 List the current firmware images and upload a bootloader image that targets the non-active bootloader slot. 
@@ -198,7 +204,7 @@ List the current firmware images and upload a bootloader image that targets the mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image list mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image upload \ - build/signed_by_mcuboot_and_b0_s1_image.bin + build_update/signed_by_mcuboot_and_b0_s1_image.bin Once the new bootloader image is uploaded, the hash of the image is shown in the image list. Flag the image to be tested on next reboot using its hash. 
@@ -215,8 +221,87 @@ The verification of the image will happen during the update process. mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 reset +Network core update (nRF5340 only) +================================== + +To upload a new network core image, build the tfm_psa_template_net_core image with an updated firmware image version. + +.. code-block:: console + + west build -b nrf5340dk/nrf5340/cpuapp/ns nrf/samples/tfm/tfm_psa_template -d build_update \ + -Dtfm_psa_template_net_core_CONFIG_FW_INFO_FIRMWARE_VERSION=2 + +Then upload the new network core image to the device. Note that the image is uploaded to the network core slot. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image upload \ + build_update/signed_by_mcuboot_and_b0_tfm_psa_template_net_core.bin -e -n 1 + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image list + +Once the network core image is uploaded, the hash of the image is shown in the image list as image 1 in slot 1. +Flag the image to be tested on next reboot using its hash. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image test + +Trigger the network core update by initiating a reset. +The verification of the image will happen during the update process. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 reset + +Alternatively, you can conduct a manual reset to trigger the network core update. +This allows you to observe the update process in the application and network core console outputs. + +Simultaneous application and network core update (nRF5340 only) +=============================================================== + +When the interface between the application and network core is updated, both the application and network core images must be updated simultaneously. 
+To do this, build the application image with an updated image version and the network core image with an updated firmware image version. + +.. code-block:: console + + west build -b nrf5340dk/nrf5340/cpuapp/ns nrf/samples/tfm/tfm_psa_template -d build_update \ + -DCONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION=\"1.2.4\" -Dtfm_psa_template_net_core_CONFIG_FW_INFO_FIRMWARE_VERSION=3 + +Then upload the new application and network core images to the device. Note that the application image is uploaded to the application slot and the network core image is uploaded to the network core slot. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image upload \ + build_update/tfm_psa_template/zephyr/zephyr.signed.bin -e -n 0 + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image upload \ + build_update/signed_by_mcuboot_and_b0_tfm_psa_template_net_core.bin -e -n 1 + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image list + +Once the images are uploaded, the hash of the images is shown in the image list. The application image is image 1 in slot 0 and the network core image is image 1 in slot 1. +To allow the application and network core images to be updated simultaneously, first confirm the network core image and then the application image. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image confirm + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image confirm + +Trigger the core updates by initiating a reset. +The verification of the images will happen during the update process. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 reset + +Alternatively, you can conduct a manual reset to trigger the core updates. +This allows you to observe the update process in the application and network core console outputs. 
+ Dependencies ************* * This sample uses the TF-M module found in the :file:`modules/tee/tfm/` folder of the |NCS|. * This sample uses the :ref:`lib_tfm_ioctl_api` library. +* This sample uses the :ref:`subsys_pcd` library with nRF5340. diff --git a/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.conf new file mode 100644 index 00000000000..4deae1c7c50 --- /dev/null +++ b/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.conf @@ -0,0 +1,8 @@ +# +# Copyright (c) 2024 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +CONFIG_FPU=y +CONFIG_BOARD_ENABLE_CPUNET=y diff --git a/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.overlay b/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.overlay new file mode 100644 index 00000000000..18f34a962ea --- /dev/null +++ b/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.overlay @@ -0,0 +1,11 @@ +/* + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +/ { + chosen { + nordic,pm-ext-flash = &mx25r64; + }; +}; diff --git a/samples/tfm/tfm_psa_template/sysbuild.conf b/samples/tfm/tfm_psa_template/sysbuild.conf index bc1ff1a8b38..01c39c67965 100644 --- a/samples/tfm/tfm_psa_template/sysbuild.conf +++ b/samples/tfm/tfm_psa_template/sysbuild.conf @@ -9,4 +9,3 @@ SB_CONFIG_SECURE_BOOT_APPCORE=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y SB_CONFIG_MCUBOOT_UPDATEABLE_IMAGES=2 -SB_CONFIG_MCUBOOT_APP_SYNC_UPDATEABLE_IMAGES=n diff --git a/samples/tfm/tfm_psa_template/sysbuild/b0n/prj.conf b/samples/tfm/tfm_psa_template/sysbuild/b0n/prj.conf new file mode 100644 index 00000000000..6225d73185a --- /dev/null +++ b/samples/tfm/tfm_psa_template/sysbuild/b0n/prj.conf 
@@ -0,0 +1,32 @@ +# +# Copyright (c) 2024 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# +CONFIG_NCS_SAMPLES_DEFAULTS=y + +CONFIG_IS_SECURE_BOOTLOADER=y +CONFIG_MULTITHREADING=n +CONFIG_GPIO=n +CONFIG_ARM_MPU=n +CONFIG_TICKLESS_KERNEL=n +CONFIG_ERRNO=n +CONFIG_SYS_CLOCK_EXISTS=y +CONFIG_FPROTECT=y +CONFIG_FW_INFO=y +CONFIG_SECURE_BOOT_CRYPTO=y +CONFIG_SECURE_BOOT_VALIDATION=y +CONFIG_SECURE_BOOT_STORAGE=y +CONFIG_PCD_NET=y +CONFIG_FLASH=y +CONFIG_FLASH_PAGE_LAYOUT=y +CONFIG_LOG=y + +# To build with a minimal configuration, use the overlay file +# '-DOVERLAY_CONFIG=overlay-minimal-size.conf' + +# Enable locking the network core for debugging +CONFIG_PCD_LOCK_NETCORE_DEBUG=y + +# Prevent downgrade to older version of the network core. +CONFIG_PCD_READ_NETCORE_APP_VERSION=y diff --git a/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.conf b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.conf new file mode 100644 index 00000000000..d162fe3bea3 --- /dev/null +++ b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.conf @@ -0,0 +1,23 @@ +# +# Copyright (c) 2024 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +CONFIG_BOOT_MAX_IMG_SECTORS=256 + +CONFIG_PCD_APP=y +CONFIG_PCD_READ_NETCORE_APP_VERSION=y + +CONFIG_UPDATEABLE_IMAGE_NUMBER=2 +CONFIG_NRF53_MULTI_IMAGE_UPDATE=y +CONFIG_BOOT_IMAGE_ACCESS_HOOK_NRF5340=y +CONFIG_BOOT_IMAGE_ACCESS_HOOKS=y + +CONFIG_FLASH_SIMULATOR=y +CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y +CONFIG_FLASH_SIMULATOR_STATS=n + +CONFIG_NORDIC_QSPI_NOR=y +CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 +CONFIG_NORDIC_QSPI_NOR_STACK_WRITE_BUFFER_SIZE=16 diff --git a/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.overlay b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.overlay new file mode 100644 index 00000000000..18f34a962ea 
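Review bot: The comment `# Enable locking the network core for debugging` in the b0n prj.conf reads as if the option were a debugging aid, while `CONFIG_PCD_LOCK_NETCORE_DEBUG=y` makes b0n act on a command that writes UICR APPROTECT on the network core. I would reword it to `# Let the application core request that b0n locks network core debug access (APPROTECT)`. That makes the security effect visible to anyone copying this fragment into their own bootloader configuration.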
--- /dev/null +++ b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.overlay @@ -0,0 +1,11 @@ +/* + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +/ { + chosen { + nordic,pm-ext-flash = &mx25r64; + }; +}; diff --git a/samples/tfm/tfm_psa_template_net_core/CMakeLists.txt b/samples/tfm/tfm_psa_template_net_core/CMakeLists.txt new file mode 100644 index 00000000000..13d858f5342 --- /dev/null +++ b/samples/tfm/tfm_psa_template_net_core/CMakeLists.txt @@ -0,0 +1,12 @@ +# +# Copyright (c) 2024 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +cmake_minimum_required(VERSION 3.20.0) + +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) +project(tfm_psa_template_net_core) + +target_sources(app PRIVATE src/main.c) diff --git a/samples/tfm/tfm_psa_template_net_core/README.rst b/samples/tfm/tfm_psa_template_net_core/README.rst new file mode 100644 index 00000000000..02054a41f14 --- /dev/null +++ b/samples/tfm/tfm_psa_template_net_core/README.rst @@ -0,0 +1,30 @@ +.. _tfm_psa_template_net_core: + +TF-M: PSA template for network core +################################### + +.. contents:: + :local: + :depth: 2 + +The sample demonstrates the update of the network core firmware as part of the :ref:`tfm_psa_template` sample. +:ref:`tfm_psa_template` sample runs in the application core and is responsible for updating this sample in the network core. + +Requirements +************ + +The sample supports the following development kits: + +.. table-from-sample-yaml:: + +Building and running +******************** + +.. |sample path| replace:: :file:`samples/tfm/tfm_psa_template` + +.. include:: /includes/build_and_run.txt + +Testing +======= + +The sample does not build firmware for the application core and because of that the sample cannot be tested separately. 
diff --git a/samples/tfm/tfm_psa_template_net_core/prj.conf b/samples/tfm/tfm_psa_template_net_core/prj.conf new file mode 100644 index 00000000000..265b4c656b6 --- /dev/null +++ b/samples/tfm/tfm_psa_template_net_core/prj.conf @@ -0,0 +1,7 @@ +# +# Copyright (c) 2024 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +# Empty for now diff --git a/samples/tfm/tfm_psa_template_net_core/sample.yaml b/samples/tfm/tfm_psa_template_net_core/sample.yaml new file mode 100644 index 00000000000..52c9edbb575 --- /dev/null +++ b/samples/tfm/tfm_psa_template_net_core/sample.yaml @@ -0,0 +1,11 @@ +sample: + description: Minimal image for network core + name: TFM PSA Template Network Core +tests: + sample.tfm.psa_template_net_core: + sysbuild: true + build_only: true + integration_platforms: + - nrf5340dk/nrf5340/cpunet + platform_allow: nrf5340dk/nrf5340/cpunet + tags: ci_build sysbuild diff --git a/samples/tfm/tfm_psa_template_net_core/src/main.c b/samples/tfm/tfm_psa_template_net_core/src/main.c new file mode 100644 index 00000000000..6f295d98fbc --- /dev/null +++ b/samples/tfm/tfm_psa_template_net_core/src/main.c @@ -0,0 +1,13 @@ +/* + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +#include + +int main(void) +{ + printk("Network core firmware version: %d\r\n", CONFIG_FW_INFO_FIRMWARE_VERSION); + return 0; +} diff --git a/subsys/pcd/Kconfig b/subsys/pcd/Kconfig index 0771e7b7161..09c4e0b1464 100644 --- a/subsys/pcd/Kconfig +++ b/subsys/pcd/Kconfig @@ -38,6 +38,7 @@ config PCD_READ_NETCORE_APP_VERSION config PCD_USE_CONSTANTS bool "Use KConfig constants rather than pm_config.h" + depends on !PCD_LOCK_NETCORE_DEBUG config PCD_CMD_ADDRESS hex "PCD Command Address in RAM" 
@@ -62,6 +63,10 @@ config PCD_BUF_SIZE help Must be <= the page size of the flash device. +config PCD_LOCK_NETCORE_DEBUG + bool "Include PCD command to lock network core debug" + default n + endif # PCD_NET endmenu diff --git a/subsys/pcd/src/pcd.c b/subsys/pcd/src/pcd.c index b75f6e29770..d25015de060 100644 --- a/subsys/pcd/src/pcd.c +++ b/subsys/pcd/src/pcd.c @@ -18,15 +18,6 @@ LOG_MODULE_REGISTER(pcd, CONFIG_PCD_LOG_LEVEL); -/** Magic value written to indicate that a copy should take place. */ -#define PCD_CMD_MAGIC_COPY 0xb5b4b3b6 -/** Magic value written to indicate that a something failed. */ -#define PCD_CMD_MAGIC_FAIL 0x25bafc15 -/** Magic value written to indicate that a copy is done. */ -#define PCD_CMD_MAGIC_DONE 0xf103ce5d -/** Magic value written to indicate that a version number read should take place. */ -#define PCD_CMD_MAGIC_READ_VERSION 0xdca345ea - #ifdef CONFIG_PCD_APP #include @@ -49,13 +40,6 @@ K_TIMER_DEFINE(network_core_finished_check_timer, #endif /* CONFIG_PCD_APP */ -struct pcd_cmd { - uint32_t magic; /* Magic value to identify this structure in memory */ - const void *data; /* Data to copy*/ - size_t len; /* Number of bytes to copy */ - off_t offset; /* Offset to store the flash image in */ -} __aligned(4); - static struct pcd_cmd *cmd = (struct pcd_cmd *)PCD_CMD_ADDRESS; void pcd_fw_copy_invalidate(void) @@ -71,6 +55,8 @@ enum pcd_status pcd_fw_copy_status_get(void) return PCD_STATUS_READ_VERSION; } else if (cmd->magic == PCD_CMD_MAGIC_DONE) { return PCD_STATUS_DONE; + } else if (cmd->magic == PCD_CMD_MAGIC_LOCK_DEBUG) { + return PCD_STATUS_LOCK_DEBUG; } return PCD_STATUS_FAILED; 
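Review bot: `PCD_LOCK_NETCORE_DEBUG` is added without a `help` text, although enabling it makes the network core bootloader act on a debug-lock command read from the shared PCD RAM. I would add a help entry stating that b0n writes UICR APPROTECT when the command is received and how the lock is undone during development (the README change in this commit adds `--recover` to the flash step). `default n` is redundant for a `bool` and can be dropped. The earlier hunk's `depends on !PCD_LOCK_NETCORE_DEBUG` on `PCD_USE_CONSTANTS` would also benefit from a one-line comment giving the reason.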
@@ -278,12 +264,11 @@ int pcd_network_core_update(const void *src_addr, size_t len) return network_core_update(src_addr, len, true); } -void pcd_lock_ram(void) +void pcd_lock_ram(bool lock_conf) { uint32_t region = PCD_CMD_ADDRESS/CONFIG_NRF_SPU_RAM_REGION_SIZE; - nrf_spu_ramregion_set(NRF_SPU, region, false, NRF_SPU_MEM_PERM_READ, - true); + nrf_spu_ramregion_set(NRF_SPU, region, false, NRF_SPU_MEM_PERM_READ, lock_conf); } #endif /* CONFIG_PCD_APP */ diff --git a/sysbuild/Kconfig.netcore b/sysbuild/Kconfig.netcore index 4d91905adca..c5e8e5a3003 100644 --- a/sysbuild/Kconfig.netcore +++ b/sysbuild/Kconfig.netcore @@ -48,6 +48,10 @@ config SUPPORT_NETCORE_IPC_RADIO bool default y +config SUPPORT_NETCORE_TFM_PSA_TEMPLATE + bool + default y + config NRF_DEFAULT_EMPTY bool @@ -66,6 +70,9 @@ config NRF_DEFAULT_MULTIPROTOCOL config NRF_DEFAULT_IPC_RADIO bool +config NRF_DEFAULT_TFM_PSA_TEMPLATE_NETCORE + bool + choice NETCORE prompt "Netcore image" default NETCORE_HCI_IPC if NRF_DEFAULT_BLUETOOTH && NETCORE_REMOTE_BOARD_NAME != "" @@ -73,6 +80,7 @@ choice NETCORE default NETCORE_802154_RPMSG if NRF_DEFAULT_802154 && NETCORE_REMOTE_BOARD_NAME != "" default NETCORE_MULTIPROTOCOL_RPMSG if NRF_DEFAULT_MULTIPROTOCOL && NETCORE_REMOTE_BOARD_NAME != "" default NETCORE_IPC_RADIO if NRF_DEFAULT_IPC_RADIO && NETCORE_REMOTE_BOARD_NAME != "" + default NETCORE_TFM_PSA_TEMPLATE if NRF_DEFAULT_TFM_PSA_TEMPLATE_NETCORE && NETCORE_REMOTE_BOARD_NAME != "" default NETCORE_EMPTY if NRF_DEFAULT_EMPTY && NETCORE_REMOTE_BOARD_NAME != "" depends on SUPPORT_NETCORE && !EXTERNAL_CONFIGURED_NETCORE @@ -137,6 +145,12 @@ config NETCORE_IPC_RADIO_IEEE802154 endif # NETCORE_IPC_RADIO +config NETCORE_TFM_PSA_TEMPLATE + bool "tfm_psa_template_net_core" + depends on SUPPORT_NETCORE_TFM_PSA_TEMPLATE + help + Include tfm_psa_template_net_core as the netcore image to use. + endchoice if !NETCORE_NONE 
@@ -149,6 +163,7 @@ config NETCORE_IMAGE_NAME default "802154_rpmsg" if NETCORE_802154_RPMSG default "multiprotocol_rpmsg" if NETCORE_MULTIPROTOCOL_RPMSG default "ipc_radio" if NETCORE_IPC_RADIO + default "tfm_psa_template_net_core" if NETCORE_TFM_PSA_TEMPLATE help Name of netcore image. @@ -160,6 +175,7 @@ config NETCORE_IMAGE_PATH default "${ZEPHYR_BASE}/samples/boards/nrf/ieee802154/802154_rpmsg" if NETCORE_802154_RPMSG default "${ZEPHYR_NRF_MODULE_DIR}/samples/nrf5340/multiprotocol_rpmsg" if NETCORE_MULTIPROTOCOL_RPMSG default "${ZEPHYR_NRF_MODULE_DIR}/applications/ipc_radio" if NETCORE_IPC_RADIO + default "${ZEPHYR_NRF_MODULE_DIR}/samples/tfm/tfm_psa_template_net_core" if NETCORE_TFM_PSA_TEMPLATE help Source directory of netcore image. diff --git a/west.yml b/west.yml index e820d141e34..e135443882b 100644 --- a/west.yml +++ b/west.yml @@ -140,7 +140,7 @@ manifest: compare-by-default: true - name: mcuboot repo-path: sdk-mcuboot - revision: v2.1.0-ncs1 + revision: pull/330/head path: bootloader/mcuboot - name: qcbor url: https://github.com/laurencelundblade/QCBOR
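Review bot: In west.yml the mcuboot project is now pinned to `revision: pull/330/head`, a pull-request ref that moves whenever the PR branch is pushed or rebased, so the same manifest commit can resolve to different bootloader sources over time. For a secure-boot component that breaks reproducible builds and leaves no fixed revision to audit. Before merging, this should go back to an immutable reference, e.g. `revision: <TAG_OR_COMMIT_SHA_PLACEHOLDER>`, once the mcuboot change has landed.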