Hi Gowri,
The secure image seems to have increased very much compared to the default TF-M build. Is a new secure partition added in the build? May I know the TF-M version and build command you used? I built TF-M version 325ec1af with the "-DTFM_PLATFORM=arm/mps2/an521 -DTEST_NS=ON -DTEST_S=ON" command after updating FLASH_S_PARTITION_SIZE to 0xAF000 and FLASH_NS_PARTITION_SIZE to 0x4B000. It works well.
By the way, is the image loaded at the primary slot correctly or loaded at the secondary slot? If it is loaded at the primary slot and there is no image in the secondary slot, no swap should happen.
Regards,
Sherry Zhang
-----Original Message-----
From: Gowri Ramshankar via TF-M tf-m@lists.trustedfirmware.org
Sent: Monday, October 23, 2023 7:50 AM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Increasing the flash partition for the Secure Firmware in TF-M for MPS2-AN521 board emulated using Qemu
Problem: The ARoT app is so large that the image build fails.
Error:
/home/gramshan/zephyr-sdk-0.16.1/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld: bin/tfm_s.axf section `.ER_UNPRIV_CODE' will not fit in region `FLASH'
/home/gramshan/zephyr-sdk-0.16.1/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld: region `FLASH' overflowed by 114956 bytes
Memory region         Used Size  Region Size  %age Used
           FLASH:      572684 B       447 KB    125.11%
             RAM:       54556 B         1 MB      5.20%
To overcome this issue, I changed the flash_layout header file (https://github.com/zephyrproject-rtos/trusted-firmware-m/blob/master/platfor...) such that the secure side size (FLASH_S_PARTITION_SIZE) is 700+KB instead of the 512KB default for the MPS2 AN521 app, and correspondingly updated the non-secure side FLASH_NS_PARTITION_SIZE to be 300KB. This builds the tfm_merged.hex file, but it fails to boot the app.
So, I do not use your ARoT, but just built as non-secure app - the 'hello_world' Zephyr app that prints a one line hello_world on the console, but using the modified partition layout. This too fails to boot, in that the "hello world" is not printed. I debugged this to find that it is BL2 that is failing.
I see that the panic occurs during the image swapping operation; this is because the image to be filled in the primary slot is identified as invalid and the secure boot stops. TF-M thinks some firmware upgrade is happening, the integrity check fails and it panics, thus inducing a Fault Injection Hardening defense.
Now I am stuck with this issue and I do not know how to proceed further. Any help on how to change the flash partition sizes in a clean manner would be appreciated.