Hi Andrej,

This approach would make application code to be TF-M specific as applications following the spec are required to just #include “psa/crypto.h” to be able to use PSA Crypto APIs. With the structure you describe they would have to be written specifically for such TF-M’s include structure (i.e. #include psa/tfm/crypto.h).

Since TF-M 1.8.0/mbed TLS 3.4.0 the only differences in the headers are in crypto_struct and crypto_platform, and those headers could be specified through compile defines (MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and MBEDTLS_PSA_CRYPTO_STRUCT_FILE), i.e. not relying on what is found on the include path.

Thanks, Antonio

Hi Antonio,

In our SDK we may not use the multiple-library approach used by Upstream TFM.

So, we are compiling MbedCrypto and TFM in one Secure project (not separate libraries).

To avoid the path conflicts, we have applied the following changes:

1. The conflict name files were moved from the “psa” to “psa/tfm” folder. Moved files:

psa/tfm/crypto.h

psa/tfm/crypto_compat.h

psa/tfm/crypto_extra.h

psa/tfm/crypto_platform.h

psa/tfm/crypto_sizes.h

psa/tfm/crypto_struct.h

psa/tfm/crypto_types.h

psa/tfm/crypto_values.h

2. Changed include “psa” to “psa/tfm” in TFM sources were it is required.

Can something like this applied to the Upstream TFM project?

Best Regards,

Andrej Butok

NXP Semiconductors

Just to a small addition on this: The approach that Kevin describes below (for example adopted in Zephyr) is what we have been recommending, i.e. not link with libmbedcrypto.a as both tfm_api_ns.a and libmbedcrypto.a would export the same PSA Crypto symbols.

In addition to this, since TF-M 1.8.0, by setting the compiler define CONFIG_TFM_CRYPTO_API_RENAME to 1 when building tfm_crypto_api.c in the NS interface, it’s possible to rename the TF-M crypto symbols to a name different than the standard. The aim for this would be to allow some increased flexibility for integrations that might require it.

Thanks, Antonio

[My previous reply was lost in the Internet 😊 ]

> Can all TF-M code be converted into a lib to avoid linking issues? Or is there any other way to solve this problem?

I’m not sure whether it can be general solution to solve this issue. NS interface implementation can vary according to NS application and RTOS. It is expected that NS developers/integrators implement their own NS interface code or modify the reference code.

Besides, NS and S might run on different arch/cpu with different configs.

It is more practical to export it as a source code reference.

Assumed that you are building NS separately from S build, can you please try if this workaround can help?

• Package those TF-M crypto header files into a interface library in NS CMake.
• Link NS interface target to this interface library as a private library.

Best regards,

Hu Ziji

--