WIP: doc: tfm: Add documentation regarding configurable build #19562
Conversation
github-actions
bot
added
doc-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:more detailsGithub labels
List of changed files detected by CI (0)Outputs:ToolchainVersion: Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
SeppoTakalo
force-pushed
the
tfm_partition_docs
branch
3 times, most recently
from
426dd6c to
536d653
Compare
| The Nordic Secure Partition Manager (SPM) was replaced with Trusted Firmware-M (TF-M) as the default trusted execution solution in the nRF Connect SDK 2.1.0. | ||
| This change was made to enhance the security features of the SDK by integrating the more widely adopted TF-M, which aligns with the Arm Platform Security Architecture (PSA). | ||
|
|
||
| The migration from SPM to TF-M requires changes in the application code and the partition configuration file. |
There was a problem hiding this comment.
| The migration from SPM to TF-M requires changes in the application code and the partition configuration file. | |
| The migration from SPM to TF-M requires changes in the application code and the possible static partition configuration file. |
There was a problem hiding this comment.
I'll remove the reference to file because the partition configuration might also be the one that is generated automatically. So it is either static, or generated, but anyway it is not the same as before SPM.
| * In Isolation level 2 or higher, the number of peripherals configured as secure in Application Root of Trust (ARoT) is limited by the number of available MPU regions. | ||
| * Nordic Semiconductor devices only support the GCC toolchain for building TF-M. | ||
| The minimal version of TF-M is disabled by setting the :kconfig:option:`CONFIG_TFM_PROFILE_TYPE_NOT_SET` option or one of the other build profiles. | ||
| For description of the build profiles, see Trusted Firmware M documentation regarding :ref:`tf-m_profiles`. |
There was a problem hiding this comment.
I think that we should give a direct recommendation to use CONFIG_TFM_PROFILE_TYPE_NOT_SET in here.
There was a problem hiding this comment.
We are not really supporting ARoT-less (no support for TFM_PARTITION_FIRMWARE_UPDATE) or Large (No support for isolation level 3) profiles.
doc/nrf/security/tfm.rst
Outdated
| - Disabled | ||
| * - :kconfig:option:`CONFIG_TFM_PARTITION_FIRMWARE_UPDATE` | ||
| - Provides firmware update services. | ||
| - Disabled |
There was a problem hiding this comment.
We do not really support this partition, so that should be mentioned.
| - Provides platform services. | ||
| - Enabled | ||
| * - :kconfig:option:`CONFIG_TFM_PARTITION_CRYPTO` | ||
| - Provides cryptographic services. |
There was a problem hiding this comment.
I think that it would be beneficial to list which partitions this (and others) require. The functionality is built on top of other partitions and it would be good for the reader to understand this when they start to try to minimize the size.
I know that it is listed in the Kconfig description, but reading that from there is bit clumsy.
| - Provides firmware update services. | ||
| - Disabled | ||
|
|
||
| When cryptographic services are enabled, you can configure what crypto modules to include in TF-M by using the ``CONFIG_TFM_CRYPTO_*`` Kconfig options as explained above. |
There was a problem hiding this comment.
This is missing something.
| :align: center | ||
|
|
||
| Partition alignment granularity on different nRF devices. | ||
|
|
||
| When the :ref:`partition_manager` is enabled, it will take into consideration the alignment requirements. |
There was a problem hiding this comment.
Partition manager likely warrants its own chapter in here. I would like to at least give the flow of working with partition manager in here:
- Minimize your partitions
- Copy the partitions.yaml from build directory as static partitions.yaml.
- Modify static partitions.yaml (if necessary) (PS and ITS storage can be set more efficiently, reserve enough space for future updates).
doc/nrf/security/tfm.rst
Outdated
| :align: center | ||
|
|
||
| Example of aligning partitions with flash regions. | ||
|
|
||
| If you are experiencing any partition alignment issues when using the Partition Manager, check the :ref:`known_issues` page on the main branch. | ||
|
|
||
| The partitions which need to be aligned with the TrustZone flash region size are partitions ``tfm_nonsecure`` and ``nonsecure_storage``. |
There was a problem hiding this comment.
tfm_storage also needs to be aligned with this, if it is set after non-secure partition.
| @@ -254,38 +267,106 @@ We will decrease the size of the (optional) ``mcuboot_pad`` partition and thus t | |||
| address: 0x8000 | |||
| size: 0x4000 | |||
|
|
|||
| Analyzing TF-M partition size | |||
There was a problem hiding this comment.
Some things that are missing:
- ITS + PS partition size
- tfm_ram_report, tfm_rom_report
Add documentation regarding CONFIG_TFM_PROFILE_TYPE_NOT_SET and various TF-M partitions that user need to configure. Signed-off-by: Seppo Takalo <[email protected]>
Current user guide does not need this information anymore. It should be moved to a separate migration guide. Signed-off-by: Seppo Takalo <[email protected]>
Move building, configuring and limitations to appear before background information on TF-M user guide. Signed-off-by: Seppo Takalo <[email protected]>
Unfortunately TF-M rst file in Zephyr does not have cross-reference labels. Signed-off-by: Seppo Takalo <[email protected]>
Add diagram to show the granularity differences between each HW. Signed-off-by: Seppo Takalo <[email protected]>
SeppoTakalo
force-pushed
the
tfm_partition_docs
branch
from
536d653 to
e15f633
Compare
Add documentation regarding CONFIG_TFM_PROFILE_TYPE_NOT_SET and various TF-M partitions that user need to configure.
NOTE: This is very early phase. This work is still in progress, but I'm just starting the review process very early.