Hi Antonio,

What do you mean by “sample application hello world”? Is it a Zephyr sample app?

Have you tried to build & test the regular tf-m test suite? You can enable in cmake command line: -DTEST_NS=ON -DTEST_S=ON. Are these working on your board? I recommend to use -DCMAKE_BUILD_TYPE= Debug for easier debugging.

I recommend to check these details:

Is the NS app linked to the correct address range? It should be on Musca-A NS app from 0x002A0000.

Does secure firmware get right the address of NS Reset_Handler? You can check the value of ‘ns_entry’ in tf-m/secure_fw/spm/cmsis_func/arch.c:22

Is the switch over to NS Reset_Handler() is successful?
Might there is a crash in the NS code. Try to step over NS code.

Tamas

From: Antonio Ken IANNILLO <antonioken.iannillo@uni.lu>
Sent: 2020. november 16., hétfő 15:38
To: Tamas Ban <Tamas.Ban@arm.com>
Cc: tf-m@lists.trustedfirmware.org
Subject: Re: [TF-M] Combine secure and non-secure image

Thanks all.

I succeeded to merge and sign with Tamas’ commands.

I also succeeded to make it run on the board, but it stops after initializing the secure world.

Even if I just add a simple non secure application (hello world), I got these messages and only these:

[Sec Thread] Secure image initializing!

Booting TFM v1.1

[Crypto] MBEDTLS_TEST_NULL_ENTROPY is not suitable for production!

That I suppose they are the correct output from the secure world. I was expecting, after this, the output from the non secure world.

Am I missing something?

I tried also to use the sample application hello world but the result is the same.

Best,

Antonio

----

Date: Fri, 13 Nov 2020 15:35:30 +0000

From: Tamas Ban <Tamas.Ban@arm.com>

To: "tf-m@lists.trustedfirmware.org" <tf-m@lists.trustedfirmware.org>

Cc: nd <nd@arm.com>

Subject: Re: [TF-M] Combine secure and non-secure image

Message-ID:

<VI1PR08MB42069F5DD7AED23892CA5F08E2E60@VI1PR08MB4206.eurprd08.prod.outlook.com>

Content-Type: text/plain; charset="utf-8"

Hi Antonio,

Required steps on Musca-A (only single image boot is supported by MCUboot due to RAM_LOAD upgrade mode limitation):

- Concatenate zephyr.bin + tfm_s.bin.

[ 93%] Generating tfm_s_ns.bin

cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/assemble.py --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -s /home/tamban01/repo/tf-m/build/bin/tfm_s.bin -n /home/tamban01/repo/tf-m/build/bin/tfm_ns.bin -o tfm_s_ns.bin

* Signing the concatenated binary:

[ 94%] Generating tfm_s_ns_signed.bin

cd /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot && ../../../../py_env/bin/python3 /home/tamban01/repo/tf-m/bl2/ext/mcuboot/scripts/wrapper/wrapper.py -v 1.1.0 --layout /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s_ns.o -k /home/tamban01/repo/tf-m/bl2/ext/mcuboot/root-RSA-3072.pem --public-key-format full --align 1 --pad --pad-header -H 0x400 -s auto -d "(0, 0.0.0+0)" -d "(1, 0.0.0+0)" tfm_s_ns.bin /home/tamban01/repo/tf-m/build/bl2/ext/mcuboot/tfm_s_ns_signed.bin

* Combine bl2.bin and tfm_s_ns.bin:

srec_cat build/bin/bl2.bin -Binary -offset 0x200000 build/bin/tfm_s_ns_signed.bin -Binary -offset 0x220000 -o tfm.hex -Intel

Tamas

From: Kevin Townsend <kevin.townsend@linaro.org>
Date: Friday, 13 November 2020 at 16:32
To: Antonio Ken IANNILLO <antonioken.iannillo@uni.lu>
Cc: "tf-m@lists.trustedfirmware.org" <tf-m@lists.trustedfirmware.org>
Subject: Re: [TF-M] Combine secure and non-secure image

Hi Antonio,

I'm not sure if this helps, but here is an example of how we sign the binaries for the MPS2 AN521, for example, after building the TF-M and Zephyr NS images, plus MCUBoot:

https://github.com/zephyrproject-rtos/zephyr/blob/966015f503d1438c25d59793762495452be5ebbc/boards/arm/mps2_an521/CMakeLists.txt

Best regards,

Kevin

On Fri, 13 Nov 2020 at 16:19, Antonio Ken IANNILLO via TF-M <tf-m@lists.trustedfirmware.org> wrote:

Hi all,

I abandoned the idea to build at once tf-m and zephyr and switched to separated compilations.

Now, I have both secure and non-secure binaries but I’m not sure how to concatenate and sign them.

I found the assemble.py script but I don’t know whether it is the correct one or where to find the signing_layout.

To be more specific, for my current target musca-a (going to switch to musca-s as soon as it arrives):

I built TF-M
I imported and included in my zephyr application both libpsa_api_ns.a and libtfm_s_veneers.a
I build my zephyr application

Now (I suppose) I have to

·         merge zephyr.bin with tfm_s.bin

·         sign the merged binary

·         concatenate with bl2

I could not find any reference how to correctly do these last steps.

Best,

--

Antonio Ken Iannillo

Research Scientist – SEDAN group

SnT – Interdisciplinary Centre for Security, Reliability and Trust

UNIVERSITÉ DU LUXEMBOURG

CAMPUS KIRCHBERG
29, avenue John F. Kennedy
L-1855 Luxembourg Kirchberg
T +352 46 66 44 9660

Join the conversation

News | Twitter | Linkedin

www.uni.lu/snt

--
TF-M mailing list
TF-M@lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m