doc: tfm: Add documentation regarding configurable build #19562
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
doc-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:sdk-nrf: PR head: e06cb9f1bc53dae4852f3b9dad58d9f4c340eab6 more detailssdk-nrf:
Github labels
List of changed files detected by CI (6)Outputs:ToolchainVersion: Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
SeppoTakalo
force-pushed
the
tfm_partition_docs
branch
3 times, most recently
from
426dd6c to
536d653
Compare
doc/nrf/releases_and_maturity/migration/migration_guide_spm_to_tf-m.rst
Outdated
Show resolved
Hide resolved
| :align: center | ||
|
|
||
| Partition alignment granularity on different nRF devices. | ||
|
|
||
| When the :ref:`partition_manager` is enabled, it will take into consideration the alignment requirements. |
There was a problem hiding this comment.
Partition manager likely warrants its own chapter in here. I would like to at least give the flow of working with partition manager in here:
- Minimize your partitions
- Copy the partitions.yaml from build directory as static partitions.yaml.
- Modify static partitions.yaml (if necessary) (PS and ITS storage can be set more efficiently, reserve enough space for future updates).
doc/nrf/security/tfm.rst
Outdated
| :align: center | ||
|
|
||
| Example of aligning partitions with flash regions. | ||
|
|
||
| If you are experiencing any partition alignment issues when using the Partition Manager, check the :ref:`known_issues` page on the main branch. | ||
|
|
||
| The partitions which need to be aligned with the TrustZone flash region size are partitions ``tfm_nonsecure`` and ``nonsecure_storage``. |
There was a problem hiding this comment.
tfm_storage also needs to be aligned with this, if it is set after non-secure partition.
SeppoTakalo
force-pushed
the
tfm_partition_docs
branch
from
536d653 to
e15f633
Compare
MarkusLassila
force-pushed
the
tfm_partition_docs
branch
2 times, most recently
from
82f0ec3 to
de44e9e
Compare
peknis
requested changes
Jan 21, 2025
doc/nrf/releases_and_maturity/migration/migration_guide_spm_to_tf-m.rst
Outdated
Show resolved
Hide resolved
doc/nrf/releases_and_maturity/migration/migration_guide_spm_to_tf-m.rst
Outdated
Show resolved
Hide resolved
|
More comments/suggestions coming later this week. |
SeppoTakalo
changed the title
peknis
requested changes
Jan 22, 2025
SeppoTakalo
force-pushed
the
tfm_partition_docs
branch
from
fd7f2f4 to
dc41adb
Compare
Add documentation regarding CONFIG_TFM_PROFILE_TYPE_NOT_SET and various TF-M partitions that user need to configure. Signed-off-by: Seppo Takalo <[email protected]>
Current user guide does not need this information anymore. It should be moved to a separate migration guide. Signed-off-by: Seppo Takalo <[email protected]>
Move building, configuring and limitations to appear before background information on TF-M user guide. Signed-off-by: Seppo Takalo <[email protected]>
Unfortunately TF-M rst file in Zephyr does not have cross-reference labels. Signed-off-by: Seppo Takalo <[email protected]>
Add diagram to show the granularity differences between each HW. Signed-off-by: Seppo Takalo <[email protected]>
Add usage examples from tfm_ram_report and tfm_rom_report. Signed-off-by: Markus Lassila <[email protected]>
Add information from TF-M partitions: - CONFIG_TFM_PARTITION_PLATFORM - CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE - CONFIG_TFM_PARTITION_CRYPTO - CONFIG_TFM_PARTITION_PROTECTED_STORAGE - CONFIG_TFM_PARTITION_INITIAL_ATTESTATION Signed-off-by: Markus Lassila <[email protected]>
Fixes from documentation review Signed-off-by: Seppo Takalo <[email protected]> Co-authored-by: Pekka Niskanen <[email protected]>
SeppoTakalo
force-pushed
the
tfm_partition_docs
branch
from
dc41adb to
e06cb9f
Compare
melwee01
reviewed
Jan 24, 2025
There was a problem hiding this comment.
These images need to be converted to the unified style in Visio. https://nordicsemi.atlassian.net/wiki/spaces/TECHDOC/pages/120293046/Figure+guide If you prefer, I can do it.
There was a problem hiding this comment.
Yes, please.
I don't have a Visio, as it does not exist on Linux.
melwee01
reviewed
Jan 24, 2025
| ############################################################# | ||
|
|
||
| The Nordic Secure Partition Manager (SPM) was replaced with Trusted Firmware-M (TF-M) as the default trusted execution solution in the |NCS| v2.1.0. | ||
| This change was made to enhance the security features of the SDK by integrating the more widely adopted TF-M that aligns with the Arm Platform Security Architecture (PSA). |
There was a problem hiding this comment.
Suggested change
| This change was made to enhance the security features of the SDK by integrating the more widely adopted TF-M that aligns with the Arm Platform Security Architecture (PSA). | |
| This change enhances the security features of the SDK by integrating the more widely adopted TF-M that aligns with the Arm Platform Security Architecture (PSA). |
| The Nordic Secure Partition Manager (SPM) was replaced with Trusted Firmware-M (TF-M) as the default trusted execution solution in the |NCS| v2.1.0. | ||
| This change was made to enhance the security features of the SDK by integrating the more widely adopted TF-M that aligns with the Arm Platform Security Architecture (PSA). | ||
|
|
||
| The migration from SPM to TF-M requires changes in the application code and the partition configuration. |
There was a problem hiding this comment.
Suggested change
| The migration from SPM to TF-M requires changes in the application code and the partition configuration. | |
| Migration from SPM to TF-M requires changes in the application code and the partition configuration. |
| Internal Trusted Storage partition | ||
| ---------------------------------- | ||
|
|
||
| To enable Internal Trusted Storage (ITS) partition, set the :kconfig:option:`CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE` Kconfig option. |
There was a problem hiding this comment.
Suggested change
| To enable Internal Trusted Storage (ITS) partition, set the :kconfig:option:`CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE` Kconfig option. | |
| To enable the Internal Trusted Storage (ITS) partition, set the :kconfig:option:`CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE` Kconfig option. |
|
|
||
| To strengthen data integrity, the metadata of the ITS file (creation flags/size) is used as authenticated data in the encryption process. | ||
|
|
||
| The nonce for the AEAD operation is generated by concatenating a random 8-byte seed and an increasing the 4-byte counter. |
There was a problem hiding this comment.
Suggested change
| The nonce for the AEAD operation is generated by concatenating a random 8-byte seed and an increasing the 4-byte counter. | |
| The nonce for the AEAD operation is generated by concatenating a random 8-byte seed and an increasing the 4-byte counter. |
Either 'an' or 'the' need to go, but I'm not sure which. It depends. Is the 4-byte counter concatenated?
| Protect Storage partition | ||
| ------------------------- | ||
|
|
||
| To enable Protect Storage (PS) partition, set the :kconfig:option:`CONFIG_TFM_PARTITION_PROTECTED_STORAGE`. |
There was a problem hiding this comment.
I think 'the' partition for all of these reads better.
| The :ref:`provisioning_image` sample shows how to switch the device from the **Device Assembly and Test** state to the **PRoT Provisioning** state, and how to provision the device with hardware unique keys (HUKs) and an identity key. | ||
|
|
||
| To switch the device from the **PRoT Provisioning** state to the **Secured** state, set the :kconfig:option:`CONFIG_TFM_NRF_PROVISIONING` Kconfig option for your application. | ||
| In the first boot, TF-M ensures that the keys are stored in the Key Management Unit (KMU) and switches the device to the **Secured** state. |
There was a problem hiding this comment.
Suggested change
| In the first boot, TF-M ensures that the keys are stored in the Key Management Unit (KMU) and switches the device to the **Secured** state. | |
| On the first boot, TF-M ensures that the keys are stored in the Key Management Unit (KMU) and switches the device to the **Secured** state. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add documentation regarding CONFIG_TFM_PROFILE_TYPE_NOT_SET and various TF-M partitions that user need to configure.
NOTE: This is very early phase. This work is still in progress, but I'm just starting the review process very early.