Secure Partition Manager
The Secure Partition Manager sample provides a reference use of the System Protection Unit peripheral. This firmware is required to set up an nRF device with Trusted Execution (nRF5340 and nRF9160) so that it can run user applications in the non-secure domain.
An alternative for using the SPM is Trusted Firmware-M (TF-M). See Running applications with Trusted Firmware-M.
The sample supports the following development kits:
The sample uses the SPM to configure secure attributions and jump into the non-secure application.
The SPM utilizes the SPU peripheral to configure security attributions for flash, SRAM, and peripherals. After the configuration setup is complete, the sample loads the application firmware that is located on the device.
See the Secure Partition Manager (SPM) subsystem for information about the security attribution configuration that is applied.
If your application requires a different security attribution configuration, you must update the SPM sample code to reflect this.
The SPM can provide the application firmware with access to Secure Services. See the Secure Partition Manager (SPM) library for information about the available services. For an example code using them, see nRF9160: Secure Services.
The application firmware must be located in the
slot_nsflash partition. For more details, see the partition configuration file for the chosen board (for example, nrf9160dk_nrf9160_partition_conf.dts for the nRF9160 DK). If you build your application firmware with the nRF Connect SDK, this requirement is automatically fulfilled.
The application firmware must be built as a non-secure firmware for the build target (for example,
nrf9160dk_nrf9160_nsfor the nRF9160 DK).
The sample is automatically built by the non-secure applications when the non-secure build target is used (for example,
However, it is not a part of the non-secure application.
Instead of programming SPM and the non-secure application at the same time, you might want to program them individually.
To do this, disable the automatic building of SPM by setting the option
CONFIG_SPM=n in the
prj.conf file of the application.
If this results in a single-image build, the start address of the non-secure application will change. The security attribution configuration for the flash will change when SPM is not built as a sub-image.
This sample can be found under
samples/spm in the nRF Connect SDK folder structure.
See Building and programming an application for information about how to build and program the application.
The sample is built as a secure firmware image for the
nrf5340dk_nrf5340 build targets.
See Automatic building of SPM if you want to program it independently from the non-secure application firmware.