diff --git a/modules/trusted-firmware-m/Kconfig.tfm.pm b/modules/trusted-firmware-m/Kconfig.tfm.pm index 20618c6d785d..98930931b799 100644 --- a/modules/trusted-firmware-m/Kconfig.tfm.pm +++ b/modules/trusted-firmware-m/Kconfig.tfm.pm @@ -15,7 +15,7 @@ config PM_PARTITION_SIZE_TFM_SRAM # assigning 0x16000 of RAM to TFM will not leave enough RAM for # Matter. So we use 0x13000 of RAM on 54L. default 0x13000 if SOC_SERIES_NRF54LX - default 0x16000 if SOC_SERIES_NRF91X + default 0x16000 if SOC_SERIES_NRF91X || SOC_SERIES_NRF53X default 0x30000 help Memory set aside for the TFM_SRAM partition. diff --git a/modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c b/modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c index 40c5c4126753..dd60e9a3f018 100644 --- a/modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c +++ b/modules/trusted-firmware-m/tfm_boards/common/nrf_provisioning.c @@ -16,6 +16,51 @@ #include "nrf_provisioning.h" #include #include +#ifdef NRF53_SERIES +#include +#include +#include + +static struct pcd_cmd *cmd = (struct pcd_cmd *)PCD_CMD_ADDRESS; + +static void pcd_write_cmd_lock_debug(void) +{ + cmd->magic = PCD_CMD_MAGIC_LOCK_DEBUG; + cmd->data = NULL; + cmd->len = 0; + cmd->offset = 0; +} + +static bool pcd_read_cmd_done(void) +{ + return cmd->magic == PCD_CMD_MAGIC_DONE; +} + +static enum tfm_plat_err_t disable_netcore_debug(void) +{ + /* NRF_RESET to secure. It will be configured non-secure after the provisioning is done. */ + spu_peripheral_config_secure(NRF_RESET_S_BASE, SPU_LOCK_CONF_UNLOCKED); + + /* Ensure that the network core is stopped. */ + nrf_reset_network_force_off(NRF_RESET, true); + + /* Debug lock command will be read in b0n startup. */ + pcd_write_cmd_lock_debug(); + + /* Start the network core. */ + nrf_reset_network_force_off(NRF_RESET, false); + + /* Wait for the network core to start up. */ + NRFX_DELAY_US(1000000); + + if (!pcd_read_cmd_done()) { + SPMLOG_ERRMSG("Failed to lock debug in network core."); + return TFM_PLAT_ERR_SYSTEM_ERR; + } + + return TFM_PLAT_ERR_SUCCESS; +} +#endif /* NRF53_SERIES */ static enum tfm_plat_err_t verify_debug_disabled(void) { @@ -71,10 +116,18 @@ enum tfm_plat_err_t tfm_plat_provisioning_perform(void) * that secure boot is already enabled at this stage */ + /* Application debug should already be disabled */ if (verify_debug_disabled() != TFM_PLAT_ERR_SUCCESS) { return TFM_PLAT_ERR_SYSTEM_ERR; } +#ifdef NRF53_SERIES + /* Disable network core debug in here */ + if (disable_netcore_debug() != TFM_PLAT_ERR_SUCCESS) { + return TFM_PLAT_ERR_SYSTEM_ERR; + } +#endif + /* Transition to the SECURED lifecycle state */ if (tfm_attest_update_security_lifecycle_otp(TFM_SLC_SECURED) != 0) { return TFM_PLAT_ERR_SYSTEM_ERR; diff --git a/modules/trusted-firmware-m/tfm_boards/partition/region_defs.h b/modules/trusted-firmware-m/tfm_boards/partition/region_defs.h index 4ee3ef6a858f..35ad6b2de9a7 100644 --- a/modules/trusted-firmware-m/tfm_boards/partition/region_defs.h +++ b/modules/trusted-firmware-m/tfm_boards/partition/region_defs.h @@ -151,23 +151,23 @@ #ifdef PM_MCUBOOT_ADDRESS #define REGION_MCUBOOT_ADDRESS PM_MCUBOOT_ADDRESS -#define REGION_MCUBOOT_END_ADDRESS PM_MCUBOOT_END_ADDRESS +#define REGION_MCUBOOT_LIMIT PM_MCUBOOT_END_ADDRESS - 1 #endif #ifdef PM_B0_ADDRESS #define REGION_B0_ADDRESS PM_B0_ADDRESS -#define REGION_B0_END_ADDRESS PM_B0_END_ADDRESS +#define REGION_B0_LIMIT PM_B0_END_ADDRESS - 1 #endif #ifdef PM_S0_ADDRESS #define REGION_S0_ADDRESS PM_S0_ADDRESS -#define REGION_S0_END_ADDRESS PM_S0_END_ADDRESS +#define REGION_S0_LIMIT PM_S0_END_ADDRESS - 1 #endif #ifdef PM_S1_ADDRESS #define REGION_S1_ADDRESS PM_S1_ADDRESS -#define REGION_S1_END_ADDRESS PM_S1_END_ADDRESS +#define REGION_S1_LIMIT PM_S1_END_ADDRESS - 1 #endif #ifdef PM_PCD_SRAM_ADDRESS #define REGION_PCD_SRAM_ADDRESS PM_PCD_SRAM_ADDRESS -#define REGION_PCD_SRAM_END_ADDRESS PM_PCD_SRAM_END_ADDRESS +#define REGION_PCD_SRAM_LIMIT PM_PCD_SRAM_END_ADDRESS - 1 #endif #endif /* __REGION_DEFS_H__ */