Platform: RSS: Disable ITS, PS and flash OTP on RSS
Disables the ITS and PS partitions and removes the ITS, PS and OTP flash
layouts as they are not required on RSS. Also adds an extra Mbed TLS
config to disable the ITS backend for persistent keys, as well as a
platform-specific manifest for Crypto to remove the ITS dependency.
Change-Id: I6bfeb057e2848625f9e72b05754f7ef4e849a0f5
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
diff --git a/docs/platform/arm/rss/readme.rst b/docs/platform/arm/rss/readme.rst
index 413f135..abc2d2f 100644
--- a/docs/platform/arm/rss/readme.rst
+++ b/docs/platform/arm/rss/readme.rst
@@ -17,8 +17,9 @@
from host flash. BL2 is also responsible for loading initial boot code into
other subsystems within the host.
-This platform port currently supports all TF-M regression tests (Secure and
-Non-secure) using the IPC model with Isolation Level 1 and 2.
+The RSS platform port supports the TF-M Crypto, TF-M Initial Attestation and
+TF-M Platform services along with the corresponding regression tests. It
+supports the IPC model in multi-core topology with Isolation Level 1 and 2.
Building TF-M
-------------
diff --git a/platform/ext/target/arm/rss/config.cmake b/platform/ext/target/arm/rss/config.cmake
index 628cbdb..7af9810 100644
--- a/platform/ext/target/arm/rss/config.cmake
+++ b/platform/ext/target/arm/rss/config.cmake
@@ -26,6 +26,12 @@
set(MCUBOOT_S_IMAGE_FLASH_AREA_NUM 2 CACHE STRING "ID of the flash area containing the primary Secure image")
set(MCUBOOT_NS_IMAGE_FLASH_AREA_NUM 3 CACHE STRING "ID of the flash area containing the primary Non-Secure image")
+set(TFM_PARTITION_PROTECTED_STORAGE OFF CACHE BOOL "Enable Protected Storage partition")
+set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF CACHE BOOL "Enable Internal Trusted Storage partition")
+set(TFM_MANIFEST_LIST ${CMAKE_CURRENT_LIST_DIR}/manifest/tfm_manifest_list.yaml CACHE FILEPATH "TF-M native Secure Partition manifests list file")
+set(TFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH ${CMAKE_CURRENT_LIST_DIR}/mbedtls_extra_config.h CACHE PATH "Config to append to standard Mbed Crypto config, used by platforms to cnfigure feature support")
+
set(TFM_CONFIG_USE_TRUSTZONE OFF CACHE BOOL "Enable use of TrustZone to transition between NSPE and SPE")
set(TFM_MULTI_CORE_TOPOLOGY ON CACHE BOOL "Whether to build for a dual-cpu architecture")
set(TFM_PLAT_SPECIFIC_MULTI_CORE_COMM ON CACHE BOOL "Whether to use a platform specific inter-core communication instead of mailbox in dual-cpu topology")
+set(TEST_NS_MULTI_CORE OFF CACHE BOOL "Whether to build NS regression multi-core tests")
diff --git a/platform/ext/target/arm/rss/manifest/tfm_crypto.yaml b/platform/ext/target/arm/rss/manifest/tfm_crypto.yaml
new file mode 100644
index 0000000..db16c2a
--- /dev/null
+++ b/platform/ext/target/arm/rss/manifest/tfm_crypto.yaml
@@ -0,0 +1,39 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2018-2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+# Identical to the standard TF-M Crypto manifest except for the removal of the
+# ITS dependency
+{
+ "psa_framework_version": 1.1,
+ "name": "TFM_SP_CRYPTO",
+ "type": "PSA-ROT",
+ "priority": "NORMAL",
+ "model": "SFN",
+ "entry_init": "tfm_crypto_init",
+ "stack_size": "0x1B00",
+ "secure_functions": [
+ {
+ "name": "TFM_CRYPTO_API_DISPATCHER",
+ "signal": "TFM_CRYPTO_API_DISPATCHER",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ }
+ ],
+ "services" : [
+ {
+ "name": "TFM_CRYPTO",
+ "sid": "0x00000080",
+ "non_secure_clients": true,
+ "connection_based": false,
+ "stateless_handle": 1,
+ "version": 1,
+ "version_policy": "STRICT",
+ "mm_iovec": "enable"
+ },
+ ],
+}
diff --git a/platform/ext/target/arm/rss/manifest/tfm_manifest_list.yaml b/platform/ext/target/arm/rss/manifest/tfm_manifest_list.yaml
new file mode 100644
index 0000000..28aafd2
--- /dev/null
+++ b/platform/ext/target/arm/rss/manifest/tfm_manifest_list.yaml
@@ -0,0 +1,85 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2018-2022, Arm Limited. All rights reserved.
+# Copyright (c) 2021, Cypress Semiconductor Corporation. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+# The "manifest" field must be relative path to this file or absolute path.
+#
+# Files per Secure Partition are generated to:
+# - "output_path", if it is a absolute path - not recommanded
+# - generated_file_root/"output_path", if "output_path" is relative path
+# - generated_file_root/, if "output_path" is not specified
+# * generated_file_root is the path passed to tfm_parse_manifest_list.py
+# by -o/--outdir
+
+{
+ "name": "TF-M secure partition manifests",
+ "type": "manifest_list",
+ "version_major": 0,
+ "version_minor": 1,
+ "manifest_list": [
+ {
+ "name": "Non-Secure Mailbox Agent",
+ "short_name": "TFM_NS_AGENT_MAILBOX",
+ "manifest": "${CMAKE_SOURCE_DIR}/secure_fw/partitions/ns_agent_mailbox/ns_agent_mailbox.yaml",
+ "output_path": "secure_fw/partitions/ns_agent_mailbox",
+ "conditional": "@TFM_MULTI_CORE_TOPOLOGY@",
+ "version_major": 0,
+ "version_minor": 1,
+ "pid": 0,
+ "linker_pattern": {
+ "library_list": [
+ "*tfm_*ns_agent_mailbox.*"
+ ],
+ }
+ },
+ {
+ "name": "TFM Crypto Service",
+ "short_name": "TFM_SP_CRYPTO",
+ "manifest": "${CMAKE_SOURCE_DIR}/platform/ext/target/arm/rss/manifest/tfm_crypto.yaml",
+ "output_path": "secure_fw/partitions/crypto",
+ "conditional": "@TFM_PARTITION_CRYPTO@",
+ "version_major": 0,
+ "version_minor": 1,
+ "pid": 259,
+ "linker_pattern": {
+ "library_list": [
+ "*tfm_*partition_crypto.*"
+ ]
+ }
+ },
+ {
+ "name": "TFM Platform Service",
+ "short_name": "TFM_SP_PLATFORM",
+ "manifest": "${CMAKE_SOURCE_DIR}/secure_fw/partitions/platform/tfm_platform.yaml",
+ "output_path": "secure_fw/partitions/platform",
+ "conditional": "@TFM_PARTITION_PLATFORM@",
+ "version_major": 0,
+ "version_minor": 1,
+ "pid": 260,
+ "linker_pattern": {
+ "library_list": [
+ "*tfm_*partition_platform.*"
+ ]
+ }
+ },
+ {
+ "name": "TFM Initial Attestation Service",
+ "short_name": "TFM_SP_INITIAL_ATTESTATION",
+ "manifest": "${CMAKE_SOURCE_DIR}/secure_fw/partitions/initial_attestation/tfm_initial_attestation.yaml",
+ "output_path": "secure_fw/partitions/initial_attestation",
+ "conditional": "@TFM_PARTITION_INITIAL_ATTESTATION@",
+ "version_major": 0,
+ "version_minor": 1,
+ "pid": 261,
+ "linker_pattern": {
+ "library_list": [
+ "*tfm_*partition_attestation.*"
+ ]
+ }
+ },
+ ]
+}
diff --git a/platform/ext/target/arm/rss/mbedtls_extra_config.h b/platform/ext/target/arm/rss/mbedtls_extra_config.h
new file mode 100644
index 0000000..daba3fc
--- /dev/null
+++ b/platform/ext/target/arm/rss/mbedtls_extra_config.h
@@ -0,0 +1,9 @@
+/*
+ * Copyright (c) 2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+/* RSS does not have ITS */
+#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
diff --git a/platform/ext/target/arm/rss/partition/flash_layout.h b/platform/ext/target/arm/rss/partition/flash_layout.h
index 038d64b..968bcc5 100644
--- a/platform/ext/target/arm/rss/partition/flash_layout.h
+++ b/platform/ext/target/arm/rss/partition/flash_layout.h
@@ -31,10 +31,7 @@
* 0x312C_0000 SCP BL1 primary slot (512 KB)
* 0x3134_0000 AP BL1 secondary slot (512 KB)
* 0x313C_0000 SCP BL1 secondary slot (512 KB)
- * 0x3144_0000 Protected Storage Area (20 KB)
- * 0x3144_5000 Internal Trusted Storage Area (16 KB)
- * 0x3144_9000 OTP / NV counters area (8 KB)
- * 0x3144_B000 Unused
+ * 0x3144_0000 Unused
*/
/* This header file is included from linker scatter file as well, where only a
@@ -136,22 +133,6 @@
/* Scratch area is not used with RAM loading firmware upgrade */
#define FLASH_AREA_IMAGE_SCRATCH 255
-/* Protected Storage (PS) Service definitions */
-#define FLASH_PS_AREA_OFFSET (FLASH_AREA_9_OFFSET + \
- FLASH_AREA_9_SIZE)
-#define FLASH_PS_AREA_SIZE (0x5000) /* 20 KB */
-
-/* Internal Trusted Storage (ITS) Service definitions */
-#define FLASH_ITS_AREA_OFFSET (FLASH_PS_AREA_OFFSET + \
- FLASH_PS_AREA_SIZE)
-#define FLASH_ITS_AREA_SIZE (0x4000) /* 16 KB */
-
-/* OTP_definitions */
-#define FLASH_OTP_NV_COUNTERS_AREA_OFFSET (FLASH_ITS_AREA_OFFSET + \
- FLASH_ITS_AREA_SIZE)
-#define FLASH_OTP_NV_COUNTERS_AREA_SIZE (FLASH_AREA_IMAGE_SECTOR_SIZE * 2)
-#define FLASH_OTP_NV_COUNTERS_SECTOR_SIZE FLASH_AREA_IMAGE_SECTOR_SIZE
-
/* Offset and size definition in flash area used by assemble.py */
#define SECURE_IMAGE_OFFSET (0x0)
#define SECURE_IMAGE_MAX_SIZE FLASH_S_PARTITION_SIZE
@@ -172,51 +153,4 @@
/* Smallest flash programmable unit in bytes */
#define TFM_HAL_FLASH_PROGRAM_UNIT (0x1)
-/* Protected Storage (PS) Service definitions
- * Note: Further documentation of these definitions can be found in the
- * TF-M PS Integration Guide.
- */
-#define TFM_HAL_PS_FLASH_DRIVER Driver_FLASH0
-
-/* In this target the CMSIS driver requires only the offset from the base
- * address instead of the full memory address.
- */
-/* Base address of dedicated flash area for PS */
-#define TFM_HAL_PS_FLASH_AREA_ADDR FLASH_PS_AREA_OFFSET
-/* Size of dedicated flash area for PS */
-#define TFM_HAL_PS_FLASH_AREA_SIZE FLASH_PS_AREA_SIZE
-#define PS_RAM_FS_SIZE TFM_HAL_PS_FLASH_AREA_SIZE
-/* Number of physical erase sectors per logical FS block */
-#define TFM_HAL_PS_SECTORS_PER_BLOCK (1)
-/* Smallest flash programmable unit in bytes */
-#define TFM_HAL_PS_PROGRAM_UNIT (0x1)
-
-/* Internal Trusted Storage (ITS) Service definitions
- * Note: Further documentation of these definitions can be found in the
- * TF-M ITS Integration Guide. The ITS should be in the internal flash, but is
- * allocated in the external flash just for development platforms that don't
- * have internal flash available.
- */
-#define TFM_HAL_ITS_FLASH_DRIVER Driver_FLASH0
-
-/* In this target the CMSIS driver requires only the offset from the base
- * address instead of the full memory address.
- */
-/* Base address of dedicated flash area for ITS */
-#define TFM_HAL_ITS_FLASH_AREA_ADDR FLASH_ITS_AREA_OFFSET
-/* Size of dedicated flash area for ITS */
-#define TFM_HAL_ITS_FLASH_AREA_SIZE FLASH_ITS_AREA_SIZE
-#define ITS_RAM_FS_SIZE TFM_HAL_ITS_FLASH_AREA_SIZE
-/* Number of physical erase sectors per logical FS block */
-#define TFM_HAL_ITS_SECTORS_PER_BLOCK (1)
-/* Smallest flash programmable unit in bytes */
-#define TFM_HAL_ITS_PROGRAM_UNIT (0x1)
-
-/* OTP / NV counter definitions */
-#define TFM_OTP_NV_COUNTERS_AREA_SIZE (FLASH_OTP_NV_COUNTERS_AREA_SIZE / 2)
-#define TFM_OTP_NV_COUNTERS_AREA_ADDR FLASH_OTP_NV_COUNTERS_AREA_OFFSET
-#define TFM_OTP_NV_COUNTERS_SECTOR_SIZE FLASH_OTP_NV_COUNTERS_SECTOR_SIZE
-#define TFM_OTP_NV_COUNTERS_BACKUP_AREA_ADDR (TFM_OTP_NV_COUNTERS_AREA_ADDR + \
- TFM_OTP_NV_COUNTERS_AREA_SIZE)
-
#endif /* __FLASH_LAYOUT_H__ */