[nrf noup] secure_fw: platform: Add system off service

cmake/install.cmake

@@ -82,34 +82,40 @@ if (TFM_PARTITION_INTERNAL_TRUSTED_STORAGE)
 endif()
 
 if (TFM_PARTITION_CRYPTO)
-    install(FILES       ${INTERFACE_INC_DIR}/psa/README.rst
-                        ${INTERFACE_INC_DIR}/psa/build_info.h
-                        ${INTERFACE_INC_DIR}/psa/crypto.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_auto_enabled.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_dependencies.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_key_pair_types.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_synonyms.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_composites.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_key_derivation.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_primitives.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_compat.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_common.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_composites.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_key_derivation.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_primitives.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_extra.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_legacy.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_platform.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_se_driver.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_sizes.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_struct.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_types.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_values.h
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR}/psa)
-    install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR})
-    install(DIRECTORY   ${INTERFACE_INC_DIR}/mbedtls
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        if(PSA_CRYPTO_EXTERNAL_CORE)
+                include(${TARGET_PLATFORM_PATH}/../external_core_install.cmake)
+                install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        else()
+                install(FILES       ${INTERFACE_INC_DIR}/psa/README.rst
+                                        ${INTERFACE_INC_DIR}/psa/build_info.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_auto_enabled.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_dependencies.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_key_pair_types.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_synonyms.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_composites.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_key_derivation.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_primitives.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_compat.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_common.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_composites.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_key_derivation.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_primitives.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_extra.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_legacy.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_platform.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_se_driver.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_sizes.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_struct.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_types.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_values.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR}/psa)
+                install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+                install(DIRECTORY   ${INTERFACE_INC_DIR}/mbedtls
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        endif()
 endif()
 
 if (TFM_PARTITION_INITIAL_ATTESTATION)
@@ -294,10 +300,11 @@ else()
         )
 endif()
 
+# PSA_CRYPTO_EXTERNAL_CORE
 target_include_directories(psa_interface
         INTERFACE
         $<INSTALL_INTERFACE:interface/include>
-        )
+)
 
 install(EXPORT tfm-config
         FILE spe_export.cmake

cmake/spe-CMakeLists.cmake

@@ -39,6 +39,15 @@ target_sources(tfm_api_ns
 )
 
 # Include interface headers exported by TF-M
+if(PSA_CRYPTO_EXTERNAL_CORE)
+    include(${TARGET_PLATFORM_PATH}/../external_core.cmake)
+else()
+    target_include_directories(tfm_api_ns
+        PUBLIC
+            ${INTERFACE_INC_DIR}
+    )
+endif()
+
 target_include_directories(tfm_api_ns
     PUBLIC
         ${INTERFACE_INC_DIR}
@@ -107,11 +116,8 @@ target_sources(platform_ns
         $<$<BOOL:${PLATFORM_DEFAULT_UART_STDOUT}>:${CMAKE_CURRENT_SOURCE_DIR}/platform/ext/common/uart_stdout.c>
 )
 
-add_library(platform_ns_definitions INTERFACE)
-
-# these compile definitions must match on the secure and nonsecure side for security
-target_compile_definitions(platform_ns_definitions
-    INTERFACE
+target_compile_definitions(platform_ns
+    PUBLIC
         DOMAIN_NS=1
         $<$<BOOL:${PLATFORM_DEFAULT_CRYPTO_KEYS}>:PLATFORM_DEFAULT_CRYPTO_KEYS>
         $<$<STREQUAL:${CONFIG_TFM_FLOAT_ABI},hard>:CONFIG_TFM_FLOAT_ABI=2>
@@ -120,22 +126,10 @@ target_compile_definitions(platform_ns_definitions
         $<$<BOOL:${CONFIG_TFM_ENABLE_CP10CP11}>:CONFIG_TFM_ENABLE_CP10CP11>
 )
 
-target_link_libraries(platform_ns
-    PUBLIC
-        platform_ns_definitions
-)
-
-if (DEFINED PLATFORM_CUSTOM_NS_FILES)
-    message(STATUS "Using PLATFORM_CUSTOM_NS_FILES: ${PLATFORM_CUSTOM_NS_FILES}")
-else()
-    set(PLATFORM_CUSTOM_NS_FILES FALSE)
-endif()
-
 target_link_libraries(tfm_api_ns
     PUBLIC
         platform_region_defs
-        platform_ns_definitions
-        $<$<NOT:$<BOOL:${PLATFORM_CUSTOM_NS_FILES}>>:platform_ns>
+        platform_ns
 )
 
 if(BL2 AND PLATFORM_DEFAULT_IMAGE_SIGNING)

cmake/version.cmake

@@ -8,38 +8,5 @@
 # The 'TFM_VERSION_MANUAL' is used for fallback when Git tags are not available
 set(TFM_VERSION_MANUAL "2.2.0")
 
-execute_process(COMMAND git describe --tags --always
-    WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
-    OUTPUT_VARIABLE TFM_VERSION_FULL
-    OUTPUT_STRIP_TRAILING_WHITESPACE
-    RESULTS_VARIABLE GIT_RESULT)
-
-if(GIT_RESULT EQUAL 128)
-    # Git execution fails.
-    # Applying a manual version assuming the code tree is a local copy.
-    set(TFM_VERSION_FULL "v${TFM_VERSION_MANUAL}")
-    return()
-endif()
-
-# In a repository cloned with --no-tags option TFM_VERSION_FULL will be a hash
-# only hence checking it for a tag format to accept as valid version.
-
-string(FIND "${TFM_VERSION_FULL}" "TF-M" TFM_TAG)
-if(TFM_TAG EQUAL -1)
-    execute_process(COMMAND git log --format=format:%h -n 1
-        WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
-        OUTPUT_VARIABLE TFM_GIT_HASH
-        OUTPUT_STRIP_TRAILING_WHITESPACE)
-
-    set(TFM_VERSION_FULL "v${TFM_VERSION_MANUAL}+g${TFM_GIT_HASH}")
-endif()
-
-string(REGEX REPLACE "TF-M" "" TFM_VERSION_FULL ${TFM_VERSION_FULL})
-# remove a commit number
-string(REGEX REPLACE "-[0-9]+-g" "+" TFM_VERSION_FULL ${TFM_VERSION_FULL})
-string(REGEX MATCH "[0-9]+\\.[0-9]+\\.[0-9]+" TFM_VERSION ${TFM_VERSION_FULL})
-
-# Check that manually set version is up to date
-if (NOT TFM_VERSION_MANUAL STREQUAL TFM_VERSION)
-    message(WARNING "TFM_VERSION_MANUAL mismatches to actual TF-M version. Please update TFM_VERSION_MANUAL in cmake/version.cmake")
-endif()
+set(TFM_VERSION_FULL "v${TFM_VERSION_MANUAL}")
+set(TFM_VERSION "${TFM_VERSION_MANUAL}")

config/check_config.cmake

@@ -17,6 +17,8 @@ tfm_invalid_config(TFM_MULTI_CORE_TOPOLOGY AND TFM_NS_MANAGE_NSID)
 tfm_invalid_config(TFM_PLAT_SPECIFIC_MULTI_CORE_COMM AND NOT TFM_MULTI_CORE_TOPOLOGY)
 tfm_invalid_config(TFM_ISOLATION_LEVEL EQUAL 3 AND CONFIG_TFM_STACK_WATERMARKS)
 
+tfm_invalid_config(CONFIG_TFM_LOG_SHARE_UART AND NOT SECURE_UART1)
+
 ########################## BL1 #################################################
 
 tfm_invalid_config(TFM_BL1_2_IN_OTP AND TFM_BL1_2_IN_FLASH)

config/config_base.cmake

@@ -96,6 +96,8 @@ set(CONFIG_TFM_STACK_WATERMARKS         OFF         CACHE BOOL      "Whether to
 
 set(CONFIG_TFM_BRANCH_PROTECTION_FEAT   BRANCH_PROTECTION_DISABLED   CACHE STRING    "Set default branch protection usage to disabled")
 
+set(CONFIG_TFM_LOG_SHARE_UART           OFF         CACHE BOOL      "Allow TF-M and the non-secure application to share the UART instance. TF-M will use it while it is booting, after which the non-secure application will use it until an eventual fatal error is handled and logged by TF-M. Logging from TF-M will therefore otherwise be suppressed")
+
 ############################ Platform ##########################################
 
 set(NUM_MAILBOX_QUEUE_SLOT              1           CACHE BOOL      "Number of mailbox queue slots")
@@ -139,6 +141,7 @@ set(PS_ENCRYPTION                       ON          CACHE BOOL      "Enable encr
 set(PS_ROLLBACK_PROTECTION              ON          CACHE BOOL      "Enable rollback protection for Protected Storage partition")
 set(PS_SUPPORT_FORMAT_TRANSITION        OFF         CACHE BOOL      "Enable reading the older format of Protected Storage data")
 set(PS_CRYPTO_AEAD_ALG                  PSA_ALG_GCM CACHE STRING    "The AEAD algorithm to use for authenticated encryption in Protected Storage")
+set(PS_CRYPTO_KDF_ALG                   PSA_ALG_HKDF\(PSA_ALG_SHA_256\) CACHE STRING "KDF Algorithm to use for Protect Storage")
 set(PS_AES_KEY_USAGE_LIMIT              0           CACHE STRING    "Number of blocks to use a key for before changing it. 0 for no limit")
 
 set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF      CACHE BOOL      "Enable Internal Trusted Storage partition")

docs/contributing/maintainers.rst

@@ -220,11 +220,11 @@ William Vinnicombe
     :email: `[email protected] <[email protected]>`__
     :github: `Raspberry Pi <https://github.com/raspberrypi>`__
 
-Analog Devices Platform:
-~~~~~~~~~~~~~~~~~~~~~~~~
+Analog Devices Platform
+~~~~~~~~~~~~~~~~~~~~~~~
 
 Sadik Ozer
-    :email: `[email protected]`__
+    :email: `[email protected] <[email protected]>`__
     :github: `ozersa <https://github.com/ozersa>`__
 
 =============

interface/CMakeLists.txt

@@ -19,6 +19,15 @@ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/include/psa/framework_feature.h.in
 
 add_library(psa_interface INTERFACE)
 
+if(PSA_CRYPTO_EXTERNAL_CORE)
+    include(${TARGET_PLATFORM_PATH}/../external_core.cmake)
+else()
+    target_include_directories(psa_interface
+        INTERFACE
+            $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
+    )
+endif()
+
 target_include_directories(psa_interface
     INTERFACE
         $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>