
Update to TF-M 2.3 #255

Merged
Vge0rge merged 24 commits into nrfconnect:zephyr_tf-m_v2.3.0 from Vge0rge:ncs_tfm_2_3 on Jun 2, 2026
Conversation

Vge0rge (Contributor) commented May 22, 2026

  • da23da4 [nrf noup] remove usage of mbedtls/version.h -- Skipped, not needed
  • a797b52 [nrf noup] remove references to psa_open_key(), psa_close_key(), and psa_key_handle_t -- Skipped, not needed
  • fa1b039 [nrf noup] platform: nordic_nrf: Fix bug in nrfx errata -- Skipped, it was reverted afterwards
  • 8701560 [nrf noup] attestation: Prevent errors of multiple defs of ARRAY_LENGTH -- Skipped, it seems that now they don't define ARRAY_LENGTH :)
  • cdcdebf [nrf noup] cmake: tools: Dont add a custom command for running the manifest -- Skipped, the add custom command does not exist anymore
  • 01140ce [nrf noup] Remove check for p256-m -- Replaced by [nrf noup] crypto: Remove TF-PSA-Crypto internal targets

NordicBuilder added a commit to NordicBuilder/sdk-nrf that referenced this pull request May 22, 2026
Automatically created by action-manifest-pr GH action from PR:
nrfconnect/sdk-trusted-firmware-m#255

Signed-off-by: Nordic Builder <pylon@nordicsemi.no>
Vge0rge changed the base branch from main to zephyr_tf-m_v2.3.0 on May 27, 2026 09:13
Vge0rge force-pushed the ncs_tfm_2_3 branch 2 times, most recently from b5ff813 to 195b14d on May 27, 2026 09:29
Vge0rge marked this pull request as ready for review on May 27, 2026 10:14
Review comment threads were opened on the following files:
  • cmake/remote_library.cmake
  • cmake/install.cmake
  • platform/ext/target/nordic_nrf/nrf54lv10dk_nrf54lv10a_cpuapp/CMakeLists.txt (outdated)
  • platform/ns/toolchain_ns_GNUARM.cmake
  • secure_fw/spm/core/arch/tfm_arch_v8m_main.c

Thread on cmake/remote_library.cmake, at these lines:
GIT_PROGRESS TRUE
)

add_subdirectory(${QCBOR_PATH} ${CMAKE_CURRENT_BINARY_DIR}/qcbor)
Collaborator:

Combine this ([nrf noup] lib: qcbor: Add target) with [nrf noup] cmake: remote_library: Skip calling add_subdirectory? Plus could we just check the library name in the fetch_remote_library function instead so that all the changes would be in the same place?

Contributor (author):

I would argue that it is better as is, because I want to avoid calling add_subdirectory for all the other projects that use the same mechanism. So I prefer it like that, because if they add a new project later it will fail to build, which I consider an advantage because we will notice it. About the commits, it still reads a bit better to me to have them separate, but I don't have a strong opinion.

Collaborator:

I agree, what I meant was to do something like that in cmake/remote_library.cmake:

if(NOT ARG_LIB_NAME_UPCASE STREQUAL QCBOR)
    list(APPEND ARG_FETCH_CONTENT_ARGS
         SOURCE_SUBDIR _fetch_remote_library_no_add_subdirectory)
endif()

Vge0rge (Contributor, author) on May 28, 2026:

This will probably work but I don't really fancy it to be honest. Since we already have to do kind of a hack it is better to be consistent in this and not have target specific details in a generic function.

Collaborator:

Indeed the whole thing is a hack, but at least it would all be in one place, which to me seems like a better idea. Anyway, as you want.

degjorva (Contributor) left a review:

Nothing missing. NOUPs make sense.

valeriosetti and others added 9 commits June 1, 2026 15:35
This fixes a build issue when building TF-M debug configurations. Adds
a weak implementation of "__assert_no_args" which simply calls TF-M core
panic.
The issue was triggered by the "buildsystem.debug.build" sample on the
"nrf54lm20dk/nrf54lm20a/cpuapp/ns".

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
(cherry picked from commit 3521061)
psa_panic is the correct call in this case since it works also in case
of high isolation level in TF-M.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
(cherry picked from commit 1837435)
The nrf7120 Zephyr MRAMC driver needs to access some configuration
registers in MRAMC which are secure only. The nrf_mramc service is
created to initialise MRAMC and change the write config of
MRAMC. The MRAMC service functions are added under the ioctl service type.

Change-Id: I93e411a0a51c8d96f1c5239efa006afab304c72e
Signed-off-by: Travis Lam <travis.lam@nordicsemi.no>
(cherry picked from commit 66503e7c7c9d644f39a9ca35550d6c5af4792cd5)
Remove multiple TF-M targets that we don't use.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
There are multiple headers which exist in the Oberon PSA core and
in TF-M. At the same time some of these headers include other headers
with quotes "" which means that the folder include order doesn't have
any effect.

Instead of relying on the include order of the folders, remove the
duplicate files from TF-M since these are not/should not be used.

I removed them with a bash command, just in case it is needed:
for i in $(find $PATH_TO_OBERON/include -name "*.h" -printf "%f\n")
do
    rm $TFM_PATH/interface/include/tf-psa-crypto/$i -f
    rm $TFM_PATH/interface/include/psa/$i -f
done

The crypto_driver_contexts_{primitives,composites,key_derivation}.h
headers are also shipped by the Oberon PSA core. Keeping copies in
TF-M risks the wrong version being picked up depending on include
order. Delete the duplicates and stop installing them.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
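As an added check that is not part of the PR or of TF-M, the following POSIX shell function lists the header basenames present in both include trees, so the include-order ambiguity the commit above describes can be detected before the cleanup and confirmed gone after it. The directory arguments are assumed (for example $PATH_TO_OBERON/include and $TFM_PATH/interface/include), the function names are ours, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not code from the PR: find header basenames that exist in
# both include trees, i.e. the files whose resolution depends on include order.
# Directory arguments are assumed paths; the function names are hypothetical.
export LC_ALL=C   # sort and comm must agree on collation

# Print one header basename per line that exists under both $1 and $2.
list_duplicate_headers() {
    a=$(mktemp) && b=$(mktemp) || return 1
    find "$1" -type f -name '*.h' | sed 's|.*/||' | sort -u > "$a"
    find "$2" -type f -name '*.h' | sed 's|.*/||' | sort -u > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Build a constructed mini tree mirroring the layout named in the commit
# message and return the duplicates as one space-separated line.
demo_duplicates() {
    root=$(mktemp -d) || return 1
    oberon="$root/oberon/include"
    tfm="$root/tfm/interface/include"
    mkdir -p "$oberon/psa" "$tfm/psa" "$tfm/tf-psa-crypto"
    # Constructed sample headers: two names overlap, one is TF-M only.
    : > "$oberon/psa/crypto.h"
    : > "$oberon/crypto_driver_contexts_primitives.h"
    : > "$tfm/psa/crypto.h"
    : > "$tfm/tf-psa-crypto/crypto_driver_contexts_primitives.h"
    : > "$tfm/tfm_api.h"
    list_duplicate_headers "$oberon" "$tfm" | paste -sd ' ' -
    rm -rf "$root"
}

demo_duplicates
```

Run it against the real trees as `list_duplicate_headers "$PATH_TO_OBERON/include" "$TFM_PATH/interface/include"`; an empty result after the removal confirms no shadowed headers remain.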
This is a noup commit as upstream TF-M relies on the Mbed TLS PSA core
that does not support the PAKE APIs according to 1.2 at the moment.
Once this exists then this can be upstreamed, or removed if TF-M adds
it themselves.

Added PAKE API support according to the PSA crypto spec 1.2

Ref: NCSDK-22416
Ref: NCSDK-28740

Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
(cherry picked from commit bff602c)
Allows custom key-loader to be used for the PSA core and allows
configuring CMAC KDF usage for PS.

noup-reason: PSA_ALG_SP800_108_COUNTER_CMAC is not available in upstream.
After testing and verifying the solution (determining if we need further
changes) we should try to upstream this.

Ref: NCSDK-28740

Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no>
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
This adds MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS and
PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY to tfm_psa_rot_partition_crypto

Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
…nce.

Add an option to send the log output from the secure firmware on a
UART instance that would be shared with the non-secure application.

This option is added where the number of UART instances is limited
and the application only cares about receiving the TF-M log
on fatal errors.

To allow this option to be enabled the log is disabled in the boot
process before the non-secure application is started.
It is enabled again when an unrecoverable exception has occurred in
the secure firmware.

Here is an abandoned upstream PR (with some of the fixes):
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/25905

Note: This has removed any information about cherry-picked items
as this is not valid since it is combining efforts from multiple
commits.

UART instances would be locked permanently even when
TFM_SHARED_INSTANCE was set.
Update to allow a shared instance for UART on
54L and 71 series devices.
TFM_SHARED_INSTANCE is an NCS config,
which is why this is a noup.

Ref: NCSDK-18595
Ref: NCSDK-28740

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Signed-off-by: Dag Erik Gjørvad <dag.erik.gjorvad@nordicsemi.no>
Vge0rge and others added 15 commits June 1, 2026 15:35
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Adjust CRYPTO_HW_ACCELERATOR build scripts to also support
nrf_security.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
The Oberon PSA core provides these two functions:
psa_key_derivation_verify_key
psa_key_derivation_verify_bytes

TF-M is not aware of the Oberon PSA core and it seems
that the core that they use doesn't provide these functions
at all. So instead of the usual logic of prefixing the PSA
core functions with the mbedcrypto__ prefix it skipped these.
We cannot skip the prefixing because the Oberon PSA core
implements these and thus we will get multiple definition
errors.

Ref: NCSDK-33148

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
The TF-M build system retrieves the latest tag to figure out the TF-M
version.
It ends up being wrong because in some cases we don't have the latest
tags from upstream.
For example, for TF-M 2.1.2 the latest tag was TF-Mv2.1.0, probably
because between the two versions upmerges have been done with
cherry-picks instead of upstream tag merging.

Completely stop relying on the tags and only use TFM_VERSION_MANUAL as
the version.
This fixes the TF-M version printed on boot.

Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
TFM_CRYPTO depends on TFM_INTERNAL_TRUSTED_STORAGE_SERVICE.
This means it is not possible to not use ITS.
This is changed to a weak dependency to make it possible
to support using crypto without ITS.
This is a noup as it is not possible to do this change upstream.
There are platforms upstream that depend on this dependency.

Signed-off-by: Dag Erik Gjørvad <dag.erik.gjorvad@nordicsemi.no>
Add the tfm_platform_system_off APIs in a similar manner
as the existing tfm_platform_system_reset. This API
should enable implementations to allow setting the
TF-M to the lowest power mode using their own
HAL APIs.

Right now this will work for isolation level 1 (SFN mode).
In the IPC mode there is a need for better TF-M support for
this. There is a discussion with the TF-M owners to add logic
to TF-M so that it can inform all the partitions in order
to make sure that it is safe to go to system off mode.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Added key wrap support according to PSA Crypto spec v1.4

This commit is noup since upstream TF-M relies on PSA core
that does not support key wrap APIs now.

This commit can be upstreamed or removed in future.

Ref: NCSDK-29189
Ref: NCSDK-28740

Change-Id: Id814e9a7b3610ef1ba941afbaf056c1652144999
Signed-off-by: Anton Zyma <anton.zyma@nordicsemi.no>
nrf-squash! [nrf noup] crypto: Add PAKE support

Fixes the build time error stating that PAKE is enabled,
but not all prerequisites if WPA3 is the only activated
PAKE algorithm.

Ref: NCSDK-38330

Signed-off-by: Anton Zyma <anton.zyma@nordicsemi.no>
This can be very useful for this repo as well so let's
enable it.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
The previous version of the remote_library only runs
add_subdirectory if the content of the source code was not
populated.

The version introduced by TF-M v2.3, which uses the command
FetchContent_MakeAvailable, always runs add_subdirectory
when a CMakeLists.txt exists in the *_SOURCE_DIR folder.

The cmsis and tf-psa-crypto projects that we include through
this mechanism cannot and should not use their own
CMakeLists.txt files because their builds are handled by NCS.

By setting the *_SOURCE_DIR folder to a non-existent folder
the add_subdirectory call is avoided.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
When an external PSA core (e.g. Oberon-PSA-Crypto via nRF Security)
is selected with PSA_CRYPTO_EXTERNAL_CORE, that core supplies its
own TF_PSA_CRYPTO_CONFIG_FILE definition and library include
directories through external_core.cmake. Defining the same symbols
again from the upstream psa_crypto_config / psa_crypto_library_config
targets causes a redefinition conflict on the command line.

Guard the upstream wiring with NOT PSA_CRYPTO_EXTERNAL_CORE so the
external core remains the sole source of these definitions.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Pull TF-PSA-Crypto implementation from:
${ZEPHYR_NRF_MODULE_DIR}/subsys/nrf_security/tfm

We cannot use the TF_PSA_CRYPTO_PATH here because this points to
the Oberon PSA cmake logic and we don't use that.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
When building the TF-M PSA tests:
west build -p -b nrf9160dk/nrf9160/ns -T tfm.psa_test_storage_lvl1 .

This produces a warning inside the Nordic HAL.

This commit can be dropped if the warning does not appear in the
next version of the HAL.

This is the same thing that 4fdf89b did for the secure image.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
This is a workaround, TF-M v2.3 introduced a
patch file for the CMSIS where it includes
missing definitions for CPPWR.

0001-Add-missing-CPPWR-definitions-243.patch

I don't want to fork CMSIS just for that,
or try to update CMSIS for the whole of Zephyr with
this PR. So I patched the relevant code for the
cortex-m33 in TF-M in the file that uses it.

This is not ideal but also not a big issue
because the patch has been submitted and merged
in the upstream repo:

ARM-software/CMSIS_6#243

So this commit can be dropped when Zephyr updates
to a version that includes this change.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Since 5f519e7 removes the add_subdirectory
call from the fetch remote targets we need
to manually add it for qcbor.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
@Vge0rge Vge0rge merged commit e387cec into nrfconnect:zephyr_tf-m_v2.3.0 Jun 2, 2026
tomi-font (Collaborator) left a comment:

Minor thing, but I would force-push the zephyr_tf-m_v2.3.0 branch to 18374359a845da32700fde30e8d76a737df59f84 which contains both zep noups you just added plus the 7120 MRAMC service fromtree.

8 participants