Hello,
I would like to inform the community that the TF-M v2.3.0 release has been postponed to April 2026 in order to incorporate the forthcoming PSA-Crypto LTS release, anticipated in Q1 2026.
This decision is intended to ensure improved long-term alignment between two projects.
I apologize for any inconvenience the delay may cause and appreciate your understanding.
Best regards,
Anton
Hello,
I have already poted this. but, i can't find my thread.
I’m trying to enable the PLATFORM_PSA_ADAC_SECURE_DEBUG.
1) Platform (arm neoverse RDV3R1 (RSE))
repo init -u https://git.gitlab.arm.com/infra-solutions/reference-design/infra-refdesign… -m <manifest-file-name> -b refs/tags/<RELEASE_TAG> --depth=1
repo sync -c -j $(nproc) --fetch-submodules --force-sync --no-clone-bundle
manifest file: pinned-rdv3r1.xml
release tag: refs/tags/RD-INFRA-2025.07.03
2) Enabling the ADAC Parameter
\\wsl.localhost\Ubuntu-22.04\home\phillip\251020_ws\tf-m\config\config_base.cmake
I changed the parameter from FALSE to TRUE.
set(PLATFORM_PSA_ADAC_SECURE_DEBUG TRUE CACHE BOOL "Whether to use psa-adac secure debug.")
3) Build Command
phillip@phillip3420:~/251020_ws$ ./build-scripts/build-tf-m.sh -p rdv3r1 -f uefi build
4) Error Message
===============================================================================
-- Populating libpsaadac
-- Configuring done (0.0s)
-- Generating done (0.0s)
-- Build files have been written to: /home/phillip/251020_ws/tf-m/cmake_build/rdv3r1/0/lib/ext/libpsaadac-subbuild
[1/9] Creating directories for 'libpsaadac-populate'
[1/9] Performing download step (git clone) for 'libpsaadac-populate'
Cloning into 'libpsaadac-src'...
HEAD is now at 819a254 Platform: Fix prototype for crypto_hw_apply_debug_permissions
[2/9] Performing update step for 'libpsaadac-populate'
-- Already at requested ref: 819a254af6fb5eefdcef194ec85d2c7627451351
[3/9] No patch step for 'libpsaadac-populate'
[5/9] No configure step for 'libpsaadac-populate'
[6/9] No build step for 'libpsaadac-populate'
[7/9] No install step for 'libpsaadac-populate'
[8/9] No test step for 'libpsaadac-populate'
[9/9] Completed 'libpsaadac-populate'
CMake Error at cmake_build/rdv3r1/0/lib/ext/libpsaadac-src/target/trusted-firmware-m/config.cmake:12 (Message):
Platform arm/rse/neoverse_rd/rdv3r1 not supported.
Call Stack (most recent call first):
cmake_build/rdv3r1/0/lib/ext/libpsaadac-src/CMakeLists.txt:34 (include)
-- Configuring incomplete, errors occurred!
+++ handle_error
++++ caller 0
+++ local 'callinfo=93 do_build ./build-scripts/build-tf-m.sh'
+++ local script=./build-scripts/build-tf-m.sh
+++ local lineno=93
+++ local 'func=93 do_build'
+++ func=do_build
+++ echo
+++ echo -en '\e[1m\e[31mBuild failed: error while running do_build at line '
Build failed: error while running do_build at line +++ echo -en '93 in ./build-scripts/build-tf-m.sh for rdv3r1[rdv3r1]'
93 in ./build-scripts/build-tf-m.sh for rdv3r1[rdv3r1]+++ echo -e '[uefi].\e[0m'
[uefi].
+++ echo
+++ exit 1
===============================================================================
5) My opinion
TFM_PLATFORM_PATH is "/home/phillip/251020_ws/tf-m/cmake_build/rdv3r1/0/lib/ext/libpsaadac-src/target/trusted-firmware-m/platform/arm/rse/neoverse_rd/rdv3r1" in my workpace.
But, in the "/home/phillip/251020_ws/tf-m/cmake_build/rdv3r1/0/lib/ext/libpsaadac-src/target/trusted-firmware-m/platform/arm/rse/" directory, there are only two folders, "common" and "tc".
PLATFORM_PSA_ADAC_VERSION should be changed?
(The RD-INFRA-2025.07.03 source code use PLATFORM_PSA_ADAC_VERSION as 819a254)
I would be grateful for any advice or pointers from anyone familiar with this.
Thanks
Best Regards
Phillip
Dear TF-M Community,
I have a question regarding rollback protection in Internal Trusted Storage.
Scenario:
Recently we are seeing an increasing number of products which will come to market without internal Flash; together with this, there is also the requirement to store permanent keys using PSA key management APIs as psa_import_key, which will then in turn use Internal Trusted Storage as place where keys will be written. Considering these requirements there is a necessity to implement the Internal Trusted Storage in external Flash, which brings with it security challenges: the keys stored in external Flash would require confidentiality but also rollback protection.
The encryption of ITS encryption was recently enabled as you can see in the following Pull request https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15096, but rollback protection is not yet implemented.
Proposal:
Our proposal would be to:
- Add ITS rollback protection as optional feature, since it is not desired feature for product where the ITS storage is internal
- Add rollback protection mechanism to Internal Trusted Storage functions relying on the NV counters APIs called from the platform layer, similar as is already done for Protected Storage
Also, we are open to discuss any other proposal which would help us to fulfill the above requests (ITS in external Flash with still providing confidentiality and rollback protection).
Thanks in advance for the answer and further guidance on the topic.
KR,
Bojan Simoneta
Bojan Simoneta
(He / Him / His)
Principal Embedded SW Engineer
Phone: +433124 299160
Email: bojan.simoneta(a)nxp.com<mailto:bojan.simoneta@nxp.com>
[cid:image006.png@01DC347E.50852920]
NXP Semiconductors Austria GmbH & Co KG | Mikronweg 1, 8101 Gratkorn | Austria |
Sitz: Gratkorn, Österreich | Firmenbuchgericht: Landesgericht für ZRS Graz | Firmenbuchnummer: FN 541474 k | VAT: ATU76231908
Unless otherwise recorded in a signed, written agreement, all sales transactions by NXP are exclusively subject to NXP's Terms and Conditions of Commercial Sale ("NXP Terms") published at: www.nxp.com/profile/terms/index.html<http://www.nxp.com/profile/terms/index.html>. NXP explicitly rejects and disregards any terms and conditions of customer that add to, or differ from, NXP's Terms irrespective of when customer raises its terms. The information contained in this message is confidential. The message is intended solely for the addressee(s). If you are not the intended recipient, any use, dissemination, or reproduction is strictly prohibited and may be unlawful and you are asked to please contact the sender by return e-mail and destroy all copies of the original message.
Hi all,
We are considering moving the TF-M Coverity scan (the results from https://ci.trustedfirmware.org/view/TF-M/job/tf-m-coverity/) to a private instance.
I am sending this out to find out if anyone who is external to Arm uses these results, or would like to see the results in the future. If there is interest in keeping the public one working then we can have both the private and public ones running alongside each other to keep the results visible.
Please let me know if you are a user of the current Coverity system, or wish to be able to view the results in the future so the jobs can be configured accordingly. If no interest is shown then the Coverity scan will be switched over to only the private instance.
Thanks,
Matt Dalzell - Arm
Hello all,
Today we have upgraded the version of Arm GNU Toolchain on the TF-M OpenCI to version 14.3rel1. We ask that you please update your local version to match this to allow for ongoing compatibility.
If you have any questions or issues, please do not hesitate to let me know.
Thanks,
Matt Dalzell - Arm
FYI
From: Saheer Babu via Tf-openci <tf-openci(a)lists.trustedfirmware.org>
Date: Wednesday, 10 September 2025 at 15:17
To: tf-openci(a)lists.trustedfirmware.org <tf-openci(a)lists.trustedfirmware.org>
Subject: [Tf-openci] CI infrastructure scheduled maintenance: 12th Sep 2025
Hi all,
We will be performing upgrade of the clusters hosting review.trustedfirmware.org and ci.trustedfirmware.org on Friday, 12th Sep 2025 at 16:00 GMT+1.
During this maintenance window, both services will be unavailable for approximately 4 hours.
A follow-up email will be sent once the services are fully restored.
Best regards,
Saheer
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
--
Tf-openci mailing list -- tf-openci(a)lists.trustedfirmware.org
To unsubscribe send an email to tf-openci-leave(a)lists.trustedfirmware.org
Hello,
We've identified an issue with the TF-M versioning: it reports the wrong version from Git tags (showing v2.1.3 instead of the correct v2.2.1). As a temporary workaround, please set the version manually. We're working on a fix and will share updates as soon as possible.
Best regards,
Anton Komlev
