platform: nordic: Configure the TAMPC for nRF54L series

.gitignore

@@ -20,3 +20,7 @@ localrepos.cmake
 *.pyc
 
 .clang-format
+**/.DS_Store
+
+# Python venv
+venv

bl2/ext/mcuboot/Kconfig

@@ -137,6 +137,7 @@ config MCUBOOT_CONFIRM_IMAGE
 config MCUBOOT_DIRECT_XIP_REVERT
     bool "Enable the revert mechanism in direct-xip mode"
     default y
+    depends on MCUBOOT_UPGRADE_STRATEGY_DIRECT_XIP
 
 config MCUBOOT_HW_ROLLBACK_PROT
     bool "Enable security counter validation against non-volatile HW counters"

bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h

@@ -51,6 +51,7 @@
 #define MBEDTLS_ENTROPY_C
 #define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 #define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_PSA_CRYPTO_C
 #if defined(MCUBOOT_SIGN_EC256)
 #define MBEDTLS_PSA_P256M_DRIVER_ENABLED
 #endif

bl2/ext/mcuboot/flash_map_extended.c

@@ -12,6 +12,7 @@
  * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
  */
 
+#include <assert.h>
 #include <errno.h>
 #include "target.h"
 #include "tfm_hal_device_header.h"
@@ -28,6 +29,9 @@ __WEAK int flash_device_base(uint8_t fd_id, uintptr_t *ret)
                      fd_id, FLASH_DEVICE_ID);
         return -1;
     }
+
+    assert(ret != NULL);
+
     *ret = FLASH_DEVICE_BASE;
     return 0;
 }
@@ -73,6 +77,8 @@ int flash_area_id_to_image_slot(int area_id)
 
 uint8_t flash_area_erased_val(const struct flash_area *fap)
 {
+    assert(fap != NULL);
+
     return DRV_FLASH_AREA(fap)->GetInfo()->erased_value;
 }
 
@@ -100,3 +106,15 @@ int flash_area_read_is_empty(const struct flash_area *fa, uint32_t off,
 
     return 1;
 }
+
+int flash_area_get_sector(const struct flash_area *fa, uint32_t off,
+                          struct flash_sector *sector)
+{
+    assert ((fa != NULL) && (sector != NULL));
+
+    sector->fs_off = (off / DRV_FLASH_AREA(fa)->GetInfo()->sector_size) *
+                     DRV_FLASH_AREA(fa)->GetInfo()->sector_size;
+    sector->fs_size = DRV_FLASH_AREA(fa)->GetInfo()->sector_size;
+
+    return 0;
+}

bl2/ext/mcuboot/include/flash_map/flash_map.h

@@ -64,11 +64,11 @@ extern "C" {
 /*
  * Shared data area between bootloader and runtime firmware.
  */
-#if (defined(BOOT_TFM_SHARED_DATA_BASE) && defined(BOOT_TFM_SHARED_DATA_SIZE))
-#define MCUBOOT_SHARED_DATA_BASE    BOOT_TFM_SHARED_DATA_BASE
-#define MCUBOOT_SHARED_DATA_SIZE    BOOT_TFM_SHARED_DATA_SIZE
+#if (defined(SHARED_BOOT_MEASUREMENT_BASE) && defined(SHARED_BOOT_MEASUREMENT_SIZE))
+#define MCUBOOT_SHARED_DATA_BASE    SHARED_BOOT_MEASUREMENT_BASE
+#define MCUBOOT_SHARED_DATA_SIZE    SHARED_BOOT_MEASUREMENT_SIZE
 #else
-#error "BOOT_TFM_SHARED_DATA_* must be defined by target."
+#error "SHARED_BOOT_MEASUREMENT_* must be defined by target."
 #endif
 
 /**

bl2/ext/mcuboot/mcuboot_default_config.cmake

@@ -35,7 +35,7 @@ set_property(CACHE MCUBOOT_UPGRADE_STRATEGY PROPERTY STRINGS "OVERWRITE_ONLY;SWA
 # platforms requiring specific flash alignmnent
 set_property(CACHE MCUBOOT_ALIGN_VAL PROPERTY STRINGS "1;2;4;8;16;32")
 
-set(MCUBOOT_DIRECT_XIP_REVERT           ON          CACHE BOOL      "Enable the revert mechanism in direct-xip mode")
+set(MCUBOOT_DIRECT_XIP_REVERT           OFF         CACHE BOOL      "Enable the revert mechanism in direct-xip mode")
 set(MCUBOOT_HW_ROLLBACK_PROT            ON          CACHE BOOL      "Enable security counter validation against non-volatile HW counters")
 set(MCUBOOT_ENC_IMAGES                  OFF         CACHE BOOL      "Enable encrypted image upgrade support")
 set(MCUBOOT_BOOTSTRAP                   OFF         CACHE BOOL      "Support initial state with empty primary slot and images installed from secondary slots")

bl2/ext/mcuboot/scripts/wrapper/wrapper.py

@@ -100,9 +100,9 @@ def wrap(key, align, version, header_size, pad_header, layout, pad, confirm,
     rom_fixed = macro_parser.evaluate_macro(layout, rom_fixed_re, 0, 1)
 
     if measured_boot_record:
-        if "_s" in layout:
+        if "_s.o" in layout:
             record_sw_type = "SPE"
-        elif "_ns" in layout:
+        elif "_ns.o" in layout:
             record_sw_type = "NSPE"
         else:
             record_sw_type = "NSPE_SPE"

bl2/src/shared_data.c

@@ -170,15 +170,14 @@ static int collect_image_measurement_and_metadata(
  * @param[in]  hdr           Pointer to the image header stored in RAM.
  * @param[in]  fap           Pointer to the flash area where image is stored.
  * @param[in]  active_slot   Which slot is active (to boot).
- * @param[in]  max_app_size  Maximum allowed size of application for update
- *                           slot.
+ * @param[in]  max_app_sizes The maximum sizes of images that can be loaded.
  *
  * @return                0 on success; nonzero on failure.
  */
 int boot_save_shared_data(const struct image_header *hdr,
                           const struct flash_area *fap,
                           const uint8_t active_slot,
-                          const int max_app_size)
+                          const struct image_max_size *max_app_sizes)
 {
     const struct flash_area *temp_fap;
     uint8_t mcuboot_image_id = 0;
@@ -201,7 +200,7 @@ int boot_save_shared_data(const struct image_header *hdr,
 #endif /* TFM_MEASURED_BOOT_API */
 
     (void)active_slot;
-    (void)max_app_size;
+    (void)max_app_sizes;
 
     if (hdr == NULL || fap == NULL) {
         return -1;

bl2/src/thin_psa_crypto_core.c

@@ -165,9 +165,7 @@ psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
 
     status = psa_driver_wrapper_hash_setup(operation, alg);
 
-    if (status != PSA_SUCCESS) {
-        psa_hash_abort(operation);
-    }
+    assert(status == PSA_SUCCESS);
 
     return status;
 }
@@ -189,9 +187,7 @@ psa_status_t psa_hash_update(psa_hash_operation_t *operation,
 
     status = psa_driver_wrapper_hash_update(operation, input, input_length);
 
-    if (status != PSA_SUCCESS) {
-        psa_hash_abort(operation);
-    }
+    assert(status == PSA_SUCCESS);
 
     return status;
 }
@@ -349,28 +345,6 @@ psa_status_t mbedtls_to_psa_error(int ret)
     }
 }
 
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-int mbedtls_psa_get_random(void *p_rng,
-                           unsigned char *output,
-                           size_t output_size)
-{
-    /* This function takes a pointer to the RNG state because that's what
-     * classic mbedtls functions using an RNG expect. The PSA RNG manages
-     * its own state internally and doesn't let the caller access that state.
-     * So we just ignore the state parameter, and in practice we'll pass
-     * NULL.
-     */
-    (void) p_rng;
-    psa_status_t status = psa_generate_random(output, output_size);
-
-    if (status == PSA_SUCCESS) {
-        return 0;
-    } else {
-        return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
-    }
-}
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
 psa_status_t psa_generate_random(uint8_t *output,
                                  size_t output_size)
 {
@@ -446,86 +420,6 @@ psa_status_t psa_verify_hash_builtin(
     return PSA_ERROR_NOT_SUPPORTED;
 }
 
-/* Required when Mbed TLS backend converts from PSA to Mbed TLS native */
-mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family,
-                                                size_t bits)
-{
-    switch (family) {
-    case PSA_ECC_FAMILY_SECP_R1:
-        switch (bits) {
-#if defined(PSA_WANT_ECC_SECP_R1_192)
-        case 192:
-            return MBEDTLS_ECP_DP_SECP192R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_224)
-        case 224:
-            return MBEDTLS_ECP_DP_SECP224R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_256)
-        case 256:
-            return MBEDTLS_ECP_DP_SECP256R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_384)
-        case 384:
-            return MBEDTLS_ECP_DP_SECP384R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_521)
-        case 521:
-            return MBEDTLS_ECP_DP_SECP521R1;
-#endif
-        }
-        break;
-
-    case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
-        switch (bits) {
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
-        case 256:
-            return MBEDTLS_ECP_DP_BP256R1;
-#endif
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
-        case 384:
-            return MBEDTLS_ECP_DP_BP384R1;
-#endif
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
-        case 512:
-            return MBEDTLS_ECP_DP_BP512R1;
-#endif
-        }
-        break;
-
-    case PSA_ECC_FAMILY_MONTGOMERY:
-        switch (bits) {
-#if defined(PSA_WANT_ECC_MONTGOMERY_255)
-        case 255:
-            return MBEDTLS_ECP_DP_CURVE25519;
-#endif
-#if defined(PSA_WANT_ECC_MONTGOMERY_448)
-        case 448:
-            return MBEDTLS_ECP_DP_CURVE448;
-#endif
-        }
-        break;
-
-    case PSA_ECC_FAMILY_SECP_K1:
-        switch (bits) {
-#if defined(PSA_WANT_ECC_SECP_K1_192)
-        case 192:
-            return MBEDTLS_ECP_DP_SECP192K1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_224)
-            /* secp224k1 is not and will not be supported in PSA (#3541). */
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_256)
-        case 256:
-            return MBEDTLS_ECP_DP_SECP256K1;
-#endif
-        }
-        break;
-    }
-
-    return MBEDTLS_ECP_DP_NONE;
-}
-
 /* We don't need the full driver wrapper, we know the key is already a public key */
 psa_status_t psa_driver_wrapper_export_public_key(
     const psa_key_attributes_t *attributes,

cmake/install.cmake

@@ -7,9 +7,6 @@
 #
 #-------------------------------------------------------------------------------
 
-# Skip "up-to-date" prints to avoid flooding the build output. Just print "installing"
-set(CMAKE_INSTALL_MESSAGE LAZY)
-
 install(DIRECTORY ${CMAKE_BINARY_DIR}/bin/
         DESTINATION bin
 )
@@ -75,33 +72,40 @@ if (TFM_PARTITION_INTERNAL_TRUSTED_STORAGE)
 endif()
 
 if (TFM_PARTITION_CRYPTO)
-    install(FILES       ${INTERFACE_INC_DIR}/psa/README.rst
-                        ${INTERFACE_INC_DIR}/psa/build_info.h
-                        ${INTERFACE_INC_DIR}/psa/crypto.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_auto_enabled.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_key_pair_types.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_synonyms.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_composites.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_key_derivation.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_primitives.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_compat.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_common.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_composites.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_key_derivation.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_primitives.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_extra.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_legacy.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_platform.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_se_driver.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_sizes.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_struct.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_types.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_values.h
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR}/psa)
-    install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR})
-    install(DIRECTORY   ${INTERFACE_INC_DIR}/mbedtls
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        if(PSA_CRYPTO_EXTERNAL_CORE)
+                include(${TARGET_PLATFORM_PATH}/../external_core_install.cmake)
+                install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        else()
+                install(FILES       ${INTERFACE_INC_DIR}/psa/README.rst
+                                        ${INTERFACE_INC_DIR}/psa/build_info.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_auto_enabled.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_dependencies.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_key_pair_types.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_synonyms.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_composites.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_key_derivation.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_primitives.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_compat.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_common.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_composites.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_key_derivation.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_primitives.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_extra.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_legacy.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_platform.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_se_driver.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_sizes.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_struct.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_types.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_values.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR}/psa)
+                install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+                install(DIRECTORY   ${INTERFACE_INC_DIR}/mbedtls
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        endif()
 endif()
 
 if (TFM_PARTITION_INITIAL_ATTESTATION)
@@ -284,10 +288,11 @@ else()
         )
 endif()
 
+# PSA_CRYPTO_EXTERNAL_CORE
 target_include_directories(psa_interface
         INTERFACE
         $<INSTALL_INTERFACE:interface/include>
-        )
+)
 
 install(EXPORT tfm-config
         FILE spe_export.cmake

cmake/spe-CMakeLists.cmake

@@ -34,6 +34,15 @@ target_sources(tfm_api_ns
 )
 
 # Include interface headers exported by TF-M
+if(PSA_CRYPTO_EXTERNAL_CORE)
+    include(${TARGET_PLATFORM_PATH}/../external_core.cmake)
+else()
+    target_include_directories(tfm_api_ns
+        PUBLIC
+            ${INTERFACE_INC_DIR}
+    )
+endif()
+
 target_include_directories(tfm_api_ns
     PUBLIC
         ${INTERFACE_INC_DIR}