- TF-M - lists.trustedfirmware.org

Trying to debug TF-M across NS/S boundary

by Lena Boeckmann

Hi! I found the e-mail below from 2020 and this is exactly where I'm at right now: I have a Zephyr application with TF-M flashed on an nrf9160dk and managed to open a debugging session following the explanation here: https://tf-m-user-guide.trustedfirmware.org/platform/nxp/lpcxpresso55s69/RE… (might be good to mention in the documentation that this also works on other platforms or have a general "Debug with GDB section"). So far I can either debug the secure image or or the non-secure image, but I would actually like to see the communication between the two. Is it even possible to debug across the boundary? I'm not very experienced in using GDB (except for the basics). Is there some kind of TF-M specific tutorial or explanation by now? Or is there anyone who can give me a hint on how to do this? Kind regards, Lena Kevin Townsend wrote: > Hi Anton, > One particular difficulty I've encountered working with TF-M for the Zephyr > certification demo app, and with the LPC55S69 port to upstream TF-M is the > debugging experience with GDB and the dual execution environments. GDB can > be quite powerful if you are familiar with it, but there is a definite > learning curve, and the S and NS separation and the dual binary images > (three with BL2) adds an additional degree of complexity. > I think having a dedicated debugging tutorial around GDB would be very > useful to people adopting TF-M and perhaps new to GDB, just to show how > some basic debugging might happen, how to debug across the NS/S boundary, > etc. > For example, the '--tui' option for GDB may not be very well known, and it > may be useful to highlight (see screenshots at the bottom of this issue: > https://github.com/microbuilder/trusted-firmware-m/issues/1) > Practical, step-by-step debugging documentation just seems like a good > investment to help flatten this inevitable learning curve developing > real-world solutions with TF-M? > Best regards, > Kevin > On Thu, 27 Feb 2020 at 13:13, Anton Komlev via TF-M < > tf-m(a)lists.trustedfirmware.org> wrote: > > A kind reminder. > > Your feedback is valuable all the time with no deadline defined. > > *From:* TF-M tf-m-bounces(a)lists.trustedfirmware.org * On Behalf Of *Anton > > Komlev via TF-M > > *Sent:* 07 February 2020 13:13 > > *To:* tf-m(a)lists.trustedfirmware.org > > *Cc:* nd nd(a)arm.com > > *Subject:* [TF-M] Call for a feedback on TF-M adaptation experience > > Dear All, > > As I mentioned on yesterday’s call, there is a concern on user experience > > related to TF-M use. > > To In order to understand and potentially improve it I am looking for a > > voice of partners who adopted TF-M project. > > Please share your experience and thoughts on parts which are good or might > > be done better to simplify TF-M integration with your project. > > You feedback will be very appreciated in any form – as a response to this > > mail or as a direct mail to me (anton.komlev(a)arm.com) if it’s more > > comfortable for you. > > Thank you in advance, > > Anton > > TF-M mailing list > > TF-M(a)lists.trustedfirmware.org > > https://lists.trustedfirmware.org/mailman/listinfo/tf-m > >

2 years, 5 months

2
1
0 0

Branch release/1.7.x to be deleted

by Anton Komlev

Hi, I plan to delete the branch release/1.7.x at the end of this week (after May 26) following TF-M release process<https://tf-m-user-guide.trustedfirmware.org/releases/release_process.html#r…>. Please let me know if someone is dependent on it and needs more time to detach from it. Thanks, Anton

2 years, 5 months

1
0
0 0

psa_call performance

by Quach, Brian

Hi, Using isolation level 1 and IPC secure partition, I noticed psa_call() overhead for TFM v1.7 is significantly worse for than v1.1. Is this expected? Assuming 1 invec and 0 outvec for the PSA call.... TF-M version Psa_call() round trip cycles v1.1 4038 v1.7 6051 Regards, Brian Quach SimpleLink MCU Texas Instruments Inc.

2 years, 5 months

6
16
0 0

Querying Anyone Using Shared Memory to Share Lifecycle, Bootseed, Hardwareversion Info

by Sherry Zhang

Hi, Currently in the Attestation partition, when encoding the security lifecycle, boot seed, and hardware version claims, these info are searched in the shared memory firstly before calling the platform hal APIs. See the code here<https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/secure_fw/…>. Sharing this information via shared memory is a legacy mechanism and MCUboot does not writes that information when booting. And calling the platform hal APIs way is recommended. I created this patch<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/21021> removes looking for the security lifecycle, boot seed, and hardware version from shared memory. Before opening this patch for review, I would like to query whether this mechanism is being used by any platform. Is there any platform(which suppose runs a bootloader which is not MCUboot) using this sharing memory mechanism to provide the security lifecycle, boot seed, and hardware version information now? Thanks, Regards, Sherry Zhang

2 years, 5 months

1
0
0 0

Split build

by Bohdan.Hunko＠infineon.com

Hi everyone, Some time ago patch for split build<https://review.trustedfirmware.org/q/topic:%2522split-build%2522> of SPE, NSPE, BL2 was announced. I am interested on when this patch is planned to be merged? Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

2 years, 5 months

4
5
0 0

How to solve the link error while enable both mbedTLS and TF-M crypto interfaces in NSPE

by Edward Yang

Hi experts, Recently we're developing an example demo based on TF-M, the application scenario is simplified as below. MbedTLS module in NSPE is used to guarantee the secure communication with AWS cloud, while TF-M in SPE provides data encryption/decryption and sensitive data storage services. So both TF-M interfaces and mbedtls module are enabled on NSPE, there will be two implementations of PSA Crypto and this will result in a link error. The red box displays files with conflicts between mbedtls and TF-M, which prevent the project from compiling. Can all TF-M code be converted into a lib to avoid linking issues? Or is there any other way to solve this problem? Best Regards, Poppy Wu http://www.mxic.com.cn

2 years, 5 months

5
6
0 0

Re: [tfm_test_repo]why should the sha_1 not be supported at secure test suite

by zhilei.wang＠bekencorp.com

Hi, Antonio, Get it. Thank you very much Best Regards zhilei.wang | bekencorp From: Antonio De Angelis via TF-M Date: 2023-05-11 20:35 To: tf-m CC: nd Subject: [TF-M] Re: [tfm_test_repo]why should the sha_1 not be supported at secure test suite Hi Zhilei, The configuration of the TF-M Crypto service that it’s tested by default is just an example, and the SHA-1 algorithm is allowed from the PSA spec point of view; in our case we have decided to not enable SHA-1 support due to the fact that it’s widely accepted to have known collision attacks [1], NIST deprecating it in 2011 [2], and having exposed weaknesses since long, 2005 [3], i.e. to encourage by default having a look into more robust alternatives. Anyway, TF-M’s test 1010 just aims at testing the interface for the correct error response, nothing more. If your deployment still supports PSA_ALG_SHA_1, I’d recommend to just ignore the output of TEST_1010. On our side, we could gate the test not to run when PSA_WANT_ALG_SHA_1 is defined. Thanks, Antonio [1] SHAttered [2] NIST Retires SHA-1 Cryptographic Algorithm | NIST [3] 010.pdf (iacr.org) From: zhilei.wang(a)bekencorp.com <zhilei.wang(a)bekencorp.com> Sent: Thursday, May 11, 2023 13:44 To: tf-m <tf-m(a)lists.trustedfirmware.org> Cc: Antonio De Angelis <Antonio.DeAngelis(a)arm.com>; Summer Qin <Summer.Qin(a)arm.com>; poppywu <poppywu(a)mxic.com.cn> Subject: [tfm_test_repo]why should the sha_1 not be supported at secure test suite Hi, Why should the sha_1 not be supported at secure test suite? Our soc has a cypto accelerator, that supports sha_1/224 and so on. The following is the detail. File: \tfm\lib\ext\tfm_test_repo-src\test\secure_fw\suites\crypto\secure\crypto_sec_interface_testsuite.c Function: static void tfm_crypto_test_1010(struct test_result_t *ret) { psa_unsupported_hash_test(PSA_ALG_SHA_1, ret); } Thanks and best regards, zhilei.wang bekencorp

2 years, 5 months

1
0
0 0

[tfm_test_repo]why should the sha_1 not be supported at secure test suite

by zhilei.wang＠bekencorp.com

Hi, Why should the sha_1 not be supported at secure test suite? Our soc has a cypto accelerator, that supports sha_1/224 and so on. The following is the detail. File: \tfm\lib\ext\tfm_test_repo-src\test\secure_fw\suites\crypto\secure\crypto_sec_interface_testsuite.c Function: static void tfm_crypto_test_1010(struct test_result_t *ret) { psa_unsupported_hash_test(PSA_ALG_SHA_1, ret); } Thanks and best regards, zhilei.wang bekencorp

2 years, 5 months

2
1
0 0

TF-M Confidential AI presentation next tech forum?

by Kevin Townsend

Hi, I'd like to propose presenting some of the work we've done around "Confidential AI" with TF-M and Zephyr during the next TF Tech Forum call. I think I'll probably need 30 minutes or so, and can take some questions after time and agenda permitting. If you're not familiar with the project, it's an attempt at trying to determine how open standards and open source software (Zephyr, TF-M, MCUBoot, etc.) can be used together in a practical, end-to-end security use case ... in this case, running inference on sensor data in the secure partition, and transmitting sensitive data from S to NS to the cloud. Relevant repos are here, but of course I'll try to give a meaningful overview of all of this during the call since the project has several related components: - https://github.com/Linaro/zephyr_confidential_ai - https://github.com/Linaro/lite_bootstrap_server Thanks and best regards, Kevin Townsend Tech Lead - LITE, Vertical Technologies Linaro.org │ Open source software for ARM SoCs

2 years, 6 months

1
0
0 0

SP FPU config

by Quach, Brian

Hi, Is it correct that CONFIG_TFM_FP_ARCH_ASM is 'empty string' when using FP_ARCH_FPV5_SP_D16? I'm wondering if it should be set to "FPv5-SP" ############################## FP Arch ######################################### config FP_ARCH_FPV5_D16 def_bool n help FPv5-D16 config FP_ARCH_FPV5_SP_D16 def_bool n help FPv5-SP-D16 config CONFIG_TFM_FP_ARCH string default "fpv5-d16" if FP_ARCH_FPV5_D16 default "fpv5-sp-d16" if FP_ARCH_FPV5_SP_D16 default "" config CONFIG_TFM_FP_ARCH_ASM string default "FPv5_D16" if FP_ARCH_FPV5_D16 default "" Regards, Brian Quach SimpleLink MCU Texas Instruments Inc. 12500 TI Blvd, MS F-4000 Dallas, TX 75243 214-479-4076

2 years, 6 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-M