diff --git a/samples/tfm/tfm_psa_template/Kconfig.sysbuild b/samples/tfm/tfm_psa_template/Kconfig.sysbuild new file mode 100644 index 000000000000..4ed795c0e264 --- /dev/null +++ b/samples/tfm/tfm_psa_template/Kconfig.sysbuild @@ -0,0 +1,30 @@ +# +# Copyright (c) 2024 Nordic Semiconductor +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +source "${ZEPHYR_BASE}/share/sysbuild/Kconfig" + +if BOARD_NRF5340DK_NRF5340_CPUAPP_NS + +choice NETCORE + default NETCORE_EMPTY +endchoice + +config SECURE_BOOT_NETCORE + default y + +config NETCORE_APP_UPDATE + default y + +config MCUBOOT_APP_SYNC_UPDATEABLE_IMAGES + default y + +config PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY + default y + +config MCUBOOT_USE_ALL_AVAILABLE_RAM + default y + +endif diff --git a/samples/tfm/tfm_psa_template/README.rst b/samples/tfm/tfm_psa_template/README.rst index 8b49be3dfd90..9f7875e99b50 100644 --- a/samples/tfm/tfm_psa_template/README.rst +++ b/samples/tfm/tfm_psa_template/README.rst @@ -25,6 +25,8 @@ This sample uses Trusted Firmware-M, nRF Secure Immutable bootloader and MCUboot It includes provisioning the device with keys and being able to perform a device firmware update. The sample prints information about the identity of the device and the firmware versions that are currently running. +With nRF5340 this sample also includes the :ref:`B0n bootloader ` and :ref:`empty_net_core ` for demonstrating the network core firmware update process. + Building and running ******************** @@ -38,7 +40,7 @@ Build and flash the provisioning image sample to provision the device with the P .. code-block:: console west build -b nrf5340dk/nrf5340/cpuapp nrf/samples/tfm/provisioning_image -d build_provisioning_image - west flash --erase -d build_provisioning_image + west flash --erase --recover -d build_provisioning_image Build and flash the TF-M PSA template sample. Do not flash with ``--erase`` as this will erase the PSA platform security parameters and they will be lost. @@ -145,6 +147,10 @@ See :ref:`ug_fw_update_keys` for more information on how to generate and use key The bootloader and the application can be updated using the :file:`mcumgr` command-line tool. See :zephyr:code-sample:`smp-svr` for installation and usage instructions. +.. note:: + + Remember to rebuild the sample with the updated keys before proceeding with the firmware update. + Application and TF-M firmware update ==================================== @@ -189,7 +195,7 @@ To upload a new bootloader image, build a bootloader targeting the correct bootl .. code-block:: console - west build -b nrf5340dk/nrf5340/cpuapp/ns nrf/samples/tfm/tfm_psa_template \ + west build -b nrf5340dk/nrf5340/cpuapp/ns nrf/samples/tfm/tfm_psa_template -d build_update \ -Dmcuboot_CONFIG_FW_INFO_FIRMWARE_VERSION=2 List the current firmware images and upload a bootloader image that targets the non-active bootloader slot. @@ -198,7 +204,7 @@ List the current firmware images and upload a bootloader image that targets the mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image list mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image upload \ - build/signed_by_mcuboot_and_b0_s1_image.bin + build_update/signed_by_mcuboot_and_b0_s1_image.bin Once the new bootloader image is uploaded, the hash of the image is shown in the image list. Flag the image to be tested on next reboot using its hash. @@ -215,8 +221,87 @@ The verification of the image will happen during the update process. mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 reset +Network core update (nRF5340 only) +================================== + +To upload a new network core image, build the empty_net_core image with an updated firmware image version. + +.. code-block:: console + + west build -b nrf5340dk/nrf5340/cpuapp/ns nrf/samples/tfm/tfm_psa_template -d build_update \ + -Dempty_net_core_CONFIG_FW_INFO_FIRMWARE_VERSION=2 + +Then upload the new network core image to the device. Note that the image is uploaded to the network core slot. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image upload \ + build_update/signed_by_mcuboot_and_b0_empty_net_core.bin -e -n 1 + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image list + +Once the network core image is uploaded, the hash of the image is shown in the image list as image 1 in slot 1. +Flag the image to be tested on next reboot using its hash. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image test + +Trigger the network core update by initiating a reset. +The verification of the image will happen during the update process. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 reset + +Alternatively, you can conduct a manual reset to trigger the network core update. +This allows you to observe the update process in the application and network core console outputs. + +Simultaneous application and network core update (nRF5340 only) +=============================================================== + +When the interface between the application and network core is updated, both the application and network core images must be updated simultaneously. +To do this, build the application image with an updated image version and the network core image with an updated firmware image version. + +.. code-block:: console + + west build -b nrf5340dk/nrf5340/cpuapp/ns nrf/samples/tfm/tfm_psa_template -d build_update \ + -DCONFIG_MCUBOOT_IMGTOOL_SIGN_VERSION=\"1.2.4\" -Dempty_net_core_CONFIG_FW_INFO_FIRMWARE_VERSION=3 + +Then upload the new application and network core images to the device. Note that the application image is uploaded to the application slot and the network core image is uploaded to the network core slot. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image upload \ + build_update/tfm_psa_template/zephyr/zephyr.signed.bin -e -n 0 + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image upload \ + build_update/signed_by_mcuboot_and_b0_empty_net_core.bin -e -n 1 + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image list + +Once the images are uploaded, the hash of the images is shown in the image list. The application image is image 1 in slot 0 and the network core image is image 1 in slot 1. +To allow the application and network core images to be updated simultaneously, first confirm the network core image and then the application image. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image confirm + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 image confirm + +Trigger the core updates by initiating a reset. +The verification of the images will happen during the update process. + +.. code-block:: console + + mcumgr --conntype serial --connstring dev=/dev/ttyACM1,baud=115200,mtu=512 reset + +Alternatively, you can conduct a manual reset to trigger the core updates. +This allows you to observe the update process in the application and network core console outputs. + Dependencies ************* * This sample uses the TF-M module found in the :file:`modules/tee/tfm/` folder of the |NCS|. * This sample uses the :ref:`lib_tfm_ioctl_api` library. +* This sample uses the :ref:`subsys_pcd` library with nRF5340. diff --git a/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.conf new file mode 100644 index 000000000000..4deae1c7c504 --- /dev/null +++ b/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.conf @@ -0,0 +1,8 @@ +# +# Copyright (c) 2024 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +CONFIG_FPU=y +CONFIG_BOARD_ENABLE_CPUNET=y diff --git a/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.overlay b/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.overlay new file mode 100644 index 000000000000..18f34a962ea1 --- /dev/null +++ b/samples/tfm/tfm_psa_template/boards/nrf5340dk_nrf5340_cpuapp_ns.overlay @@ -0,0 +1,11 @@ +/* + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +/ { + chosen { + nordic,pm-ext-flash = &mx25r64; + }; +}; diff --git a/samples/tfm/tfm_psa_template/sysbuild.conf b/samples/tfm/tfm_psa_template/sysbuild.conf index bc1ff1a8b380..01c39c67965b 100644 --- a/samples/tfm/tfm_psa_template/sysbuild.conf +++ b/samples/tfm/tfm_psa_template/sysbuild.conf @@ -9,4 +9,3 @@ SB_CONFIG_SECURE_BOOT_APPCORE=y SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y SB_CONFIG_MCUBOOT_MODE_OVERWRITE_ONLY=y SB_CONFIG_MCUBOOT_UPDATEABLE_IMAGES=2 -SB_CONFIG_MCUBOOT_APP_SYNC_UPDATEABLE_IMAGES=n diff --git a/samples/tfm/tfm_psa_template/sysbuild/b0n/prj.conf b/samples/tfm/tfm_psa_template/sysbuild/b0n/prj.conf new file mode 100644 index 000000000000..6225d73185a4 --- /dev/null +++ b/samples/tfm/tfm_psa_template/sysbuild/b0n/prj.conf @@ -0,0 +1,32 @@ +# +# Copyright (c) 2024 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# +CONFIG_NCS_SAMPLES_DEFAULTS=y + +CONFIG_IS_SECURE_BOOTLOADER=y +CONFIG_MULTITHREADING=n +CONFIG_GPIO=n +CONFIG_ARM_MPU=n +CONFIG_TICKLESS_KERNEL=n +CONFIG_ERRNO=n +CONFIG_SYS_CLOCK_EXISTS=y +CONFIG_FPROTECT=y +CONFIG_FW_INFO=y +CONFIG_SECURE_BOOT_CRYPTO=y +CONFIG_SECURE_BOOT_VALIDATION=y +CONFIG_SECURE_BOOT_STORAGE=y +CONFIG_PCD_NET=y +CONFIG_FLASH=y +CONFIG_FLASH_PAGE_LAYOUT=y +CONFIG_LOG=y + +# To build with a minimal configuration, use the overlay file +# '-DOVERLAY_CONFIG=overlay-minimal-size.conf' + +# Enable locking the network core for debugging +CONFIG_PCD_LOCK_NETCORE_DEBUG=y + +# Prevent downgrade to older version of the network core. +CONFIG_PCD_READ_NETCORE_APP_VERSION=y diff --git a/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.conf b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.conf new file mode 100644 index 000000000000..d162fe3bea3a --- /dev/null +++ b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.conf @@ -0,0 +1,23 @@ +# +# Copyright (c) 2024 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# + +CONFIG_BOOT_MAX_IMG_SECTORS=256 + +CONFIG_PCD_APP=y +CONFIG_PCD_READ_NETCORE_APP_VERSION=y + +CONFIG_UPDATEABLE_IMAGE_NUMBER=2 +CONFIG_NRF53_MULTI_IMAGE_UPDATE=y +CONFIG_BOOT_IMAGE_ACCESS_HOOK_NRF5340=y +CONFIG_BOOT_IMAGE_ACCESS_HOOKS=y + +CONFIG_FLASH_SIMULATOR=y +CONFIG_FLASH_SIMULATOR_DOUBLE_WRITES=y +CONFIG_FLASH_SIMULATOR_STATS=n + +CONFIG_NORDIC_QSPI_NOR=y +CONFIG_NORDIC_QSPI_NOR_FLASH_LAYOUT_PAGE_SIZE=4096 +CONFIG_NORDIC_QSPI_NOR_STACK_WRITE_BUFFER_SIZE=16 diff --git a/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.overlay b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.overlay new file mode 100644 index 000000000000..18f34a962ea1 --- /dev/null +++ b/samples/tfm/tfm_psa_template/sysbuild/mcuboot/boards/nrf5340dk_nrf5340_cpuapp.overlay @@ -0,0 +1,11 @@ +/* + * Copyright (c) 2024 Nordic Semiconductor ASA + * + * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause + */ + +/ { + chosen { + nordic,pm-ext-flash = &mx25r64; + }; +}; diff --git a/west.yml b/west.yml index e820d141e340..e135443882b7 100644 --- a/west.yml +++ b/west.yml @@ -140,7 +140,7 @@ manifest: compare-by-default: true - name: mcuboot repo-path: sdk-mcuboot - revision: v2.1.0-ncs1 + revision: pull/330/head path: bootloader/mcuboot - name: qcbor url: https://github.com/laurencelundblade/QCBOR