Hi all,
I have noticed an issue with absolute paths in exported targets: Background:
1. During Secure build some header file paths are added to include directories of tfm_config (and some other targets) – for example TARGET_CONFIG_HEADER_FILE, PROJECT_CONFIG_HEADER_FILE 2. Then tfm_config is exported to install directory and is used in Non-Secure build
There are several issues here:
1. In Non-Secure build exported tfm_config uses absolute paths that ware defined during secure build. This is an issue as NS-interface (api_ns folder) may be built on another machine. 2. Also looking into api_ns folder – I don’t see those files being exported (for example TARGET_CONFIG_HEADER_FILE, PROJECT_CONFIG_HEADER_FILE are not exported to api_ns) * Looking into a code I was able to identify at least these defines that are effected (but list may be longer):
i. TARGET_CONFIG_HEADER_FILE
ii. PROJECT_CONFIG_HEADER_FILE
iii. MBEDTLS_PSA_CRYPTO_CONFIG_FILE
iv. MBEDTLS_CONFIG_FILE
Is there a plan to somehow solve this issue? If so, then what is the schedule on it?
Bohdan Hunko
Cypress Semiconductor Ukraine LLC Senior Engineer CSS ICW SW INT BFS SFW Mobile: +380995019714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
Hi Bohdan,
You’re right, TF-M currently uses a mix of relative and absolute paths. There is a plan to switch everything to relative paths where possible, but priority was low since the current solution has been working. With your report, we will revisit that plan. Tentatively, I’d think around Q1’26, though we still need to look into the scope and side effects. Your contribution would be very welcome as well. If you’re planning to work on this, please let me know to avoid duplication.
Best regards, Anton
From: Bohdan.Hunko--- via TF-M tf-m@lists.trustedfirmware.org Sent: Wednesday, December 10, 2025 2:52 PM To: tf-m@lists.trustedfirmware.org Cc: Ivan.Kozemchuk@infineon.com Subject: [TF-M] Issue with absolute paths in exported targets
Hi all,
I have noticed an issue with absolute paths in exported targets: Background:
1. During Secure build some header file paths are added to include directories of tfm_config (and some other targets) – for example TARGET_CONFIG_HEADER_FILE, PROJECT_CONFIG_HEADER_FILE 2. Then tfm_config is exported to install directory and is used in Non-Secure build
There are several issues here:
1. In Non-Secure build exported tfm_config uses absolute paths that ware defined during secure build. This is an issue as NS-interface (api_ns folder) may be built on another machine. 2. Also looking into api_ns folder – I don’t see those files being exported (for example TARGET_CONFIG_HEADER_FILE, PROJECT_CONFIG_HEADER_FILE are not exported to api_ns) * Looking into a code I was able to identify at least these defines that are effected (but list may be longer):
i. TARGET_CONFIG_HEADER_FILE
ii. PROJECT_CONFIG_HEADER_FILE
iii. MBEDTLS_PSA_CRYPTO_CONFIG_FILE
iv. MBEDTLS_CONFIG_FILE
Is there a plan to somehow solve this issue? If so, then what is the schedule on it?
Bohdan Hunko
Cypress Semiconductor Ukraine LLC Senior Engineer CSS ICW SW INT BFS SFW Mobile: +380995019714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
Hi Anton,
Thanks for the quick response.
I believe this task can be split into several parts:
1. Ensure that all files that currently use absolute paths are installed to api_ns folder. Here I talk about files that are actually needed to NSPE. 2. In NS side – remove definitions of files that are not needed for NSPE (e.g some of crypto configs use absolute paths and are not needed for NSPE). This can be done as either remove them during NSPE build, or just isolate them by adding them to SPE specific targets that are not exported to NSPE via install TARGET. This way we can ensure that we have clear scope and know that there are no accidental includes of unwanted files in NSPE 3. Actually move to using relative paths
Note that this is just mu view of the issue – your plan may differ. But I still wanted to provide it here to note that as a minimal solution, at least for now, we should be fine with only having step 1. Because having all the needed files in api_ns is a must have – then we can take care of actually using them in our own build system.
Hope this helps.
Bohdan Hunko
Cypress Semiconductor Ukraine LLC Senior Engineer CSS ICW SW INT BFS SFW Mobile: +380995019714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
From: Anton Komlev Anton.Komlev@arm.com Sent: Friday, 12 December 2025 12:33 To: Hunko Bohdan (CSS ICW SW INT BFS SFW) Bohdan.Hunko@infineon.com; tf-m@lists.trustedfirmware.org Cc: Kozemchuk Ivan (CSS ICW SW INT BFS SFW) Ivan.Kozemchuk@infineon.com Subject: RE: Issue with absolute paths in exported targets
Caution: This e-mail originated outside Infineon Technologies. Please be cautious when sharing information or opening attachments especially from unknown senders. Refer to our intranet guidehttps://intranet-content.infineon.com/explore/aboutinfineon/rules/informationsecurity/ug/SocialEngineering/Pages/SocialEngineeringElements_en.aspx to help you identify Phishing email.
Hi Bohdan,
You’re right, TF-M currently uses a mix of relative and absolute paths. There is a plan to switch everything to relative paths where possible, but priority was low since the current solution has been working. With your report, we will revisit that plan. Tentatively, I’d think around Q1’26, though we still need to look into the scope and side effects. Your contribution would be very welcome as well. If you’re planning to work on this, please let me know to avoid duplication.
Best regards, Anton
From: Bohdan.Hunko--- via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Sent: Wednesday, December 10, 2025 2:52 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: Ivan.Kozemchuk@infineon.commailto:Ivan.Kozemchuk@infineon.com Subject: [TF-M] Issue with absolute paths in exported targets
Hi all,
I have noticed an issue with absolute paths in exported targets: Background:
1. During Secure build some header file paths are added to include directories of tfm_config (and some other targets) – for example TARGET_CONFIG_HEADER_FILE, PROJECT_CONFIG_HEADER_FILE 2. Then tfm_config is exported to install directory and is used in Non-Secure build
There are several issues here:
1. In Non-Secure build exported tfm_config uses absolute paths that ware defined during secure build. This is an issue as NS-interface (api_ns folder) may be built on another machine. 2. Also looking into api_ns folder – I don’t see those files being exported (for example TARGET_CONFIG_HEADER_FILE, PROJECT_CONFIG_HEADER_FILE are not exported to api_ns)
* Looking into a code I was able to identify at least these defines that are effected (but list may be longer):
i. TARGET_CONFIG_HEADER_FILE
ii. PROJECT_CONFIG_HEADER_FILE
iii. MBEDTLS_PSA_CRYPTO_CONFIG_FILE
iv. MBEDTLS_CONFIG_FILE
Is there a plan to somehow solve this issue? If so, then what is the schedule on it?
Bohdan Hunko
Cypress Semiconductor Ukraine LLC Senior Engineer CSS ICW SW INT BFS SFW Mobile: +380995019714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
tf-m@lists.trustedfirmware.org
-
Anton Komlev -
Bohdan.Hunko@infineon.com