.. _tfm_psa_template: TF-M: PSA template ################## .. contents:: :local: :depth: 2 This sample provides a template for Arm Platform Security Architecture (PSA) best practices on nRF devices. Requirements ************ The sample supports the following development kits: .. table-from-sample-yaml:: .. include:: /includes/tfm.txt Overview ******** This sample uses Trusted Firmware-M, nRF Secure Immutable bootloader and MCUboot to demonstrate how to implement the best practices that comply with the Arm PSA requirements. It includes provisioning the device with keys and being able to perform a device firmware update. The sample prints information about the identity of the device and the firmware versions that are currently running. Building and running ******************** .. |sample path| replace:: :file:`samples/tfm/tfm_psa_template` .. include:: /includes/build_and_run_ns.txt The sample requires that the device is provisioned using the :ref:`provisioning image ` sample. Build and flash the provisioning image sample to provision the device with the PSA root-of-trust security parameters. .. code-block:: console west build -b nrf5340dk_nrf5340_cpuapp nrf/samples/tfm/provisioning_image -d build_provisioning_image west flash --erase -d build_provisioning_image Build and flash the TF-M PSA template sample. Do not flash with ``--erase`` as this will erase the PSA platform security parameters and they will be lost. .. code-block:: console west build -b nrf5340dk_nrf5340_cpuapp_ns nrf/samples/tfm/tfm_psa_template west flash Testing ======= After programming the sample, the following output is displayed in the console: .. code-block:: console *** Booting Zephyr OS build v3.2.0-rc3-510-g7c71945d42f6 *** Attempting to boot slot 0. Attempting to boot from address 0x8200. Verifying signature against key 0. Hash: 0xde...4b Firmware signature verified. Firmware version 1 *** Booting Zephyr OS build v3.2.0-rc3-510-g7c71945d42f6 *** I: Starting bootloader I: Swap type: none I: Swap type: none I: Bootloader chainload address offset: 0x28000 *** Booting Zephyr OS build v3.2.0-rc3-510-g7c71945d42f6 *** build time: Nov 2 2022 16:26:33 FW info S0: Magic: 0x281ee6de8fcebb4c00003502 Total Size: 60 Size: 0x00009658 Version: 1 address: 0x00008200 boot address: 0x00008200 Valid: 0x9102ffff (CONFIG_FW_INFO_VALID_VAL=0x9102ffff) FW info S1: Failed to retrieve fw_info for address 0x00018000 Active slot: S0 Requesting initial attestation token with 64 byte challenge Received initial attestation token of 360 bytes. 0 1 2 3 4 5 6 7 8 9 A B C D E F D2 84 43 A1 01 26 A0 59 01 1C AA 3A 00 01 24 FF | ..C..&.Y...:..$. 58 40 00 11 22 33 44 55 66 77 88 99 AA BB CC DD | X@.."3DUfw...... EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD | ...."3DUfw...... EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD | ...."3DUfw...... EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD | ...."3DUfw...... EE FF 3A 00 01 24 FB 58 20 26 0A 95 20 6B F8 17 | ..:..$.X &.. k.. 3C 65 E9 12 C1 7F 12 57 C2 26 85 56 0E 27 FE 37 | Trigger the application update by initiating a reset. The verification of the image will happen during the update process. .. code-block:: console mcumgr --conntype serial --connstring dev=/dev/ttyACM2,baud=115200,mtu=512 reset Bootloader firmware update ========================== To upload a new bootloader image, build a bootloader targeting the correct bootloader slot with an updated firmware image version. The bootloader is placed in slot 0 by default, so enable building of the slot 1 bootloader. .. code-block:: console west build -b nrf5340dk_nrf5340_cpuapp_ns nrf/samples/tfm/tfm_psa_template \ -DCONFIG_BUILD_S1_VARIANT=y \ -Dmcuboot_CONFIG_FW_INFO_FIRMWARE_VERSION=2 List the current firmware images and upload a bootloader image that targets the non-active bootloader slot. .. code-block:: console mcumgr --conntype serial --connstring dev=/dev/ttyACM2,baud=115200,mtu=512 image list mcumgr --conntype serial --connstring dev=/dev/ttyACM2,baud=115200,mtu=512 image upload \ build/zephyr/signed_by_mcuboot_and_b0_s1_image_update.bin Once the new bootloader image is uploaded, the hash of the image is shown in the image list. Flag the image to be tested on next reboot using its hash. .. code-block:: console mcumgr --conntype serial --connstring dev=/dev/ttyACM2,baud=115200,mtu=512 image list mcumgr --conntype serial --connstring dev=/dev/ttyACM2,baud=115200,mtu=512 image test Trigger the bootloader update by initiating a reset. The verification of the image will happen during the update process. .. code-block:: console mcumgr --conntype serial --connstring dev=/dev/ttyACM2,baud=115200,mtu=512 reset Dependencies ************* * This sample uses the TF-M module found in the :file:`modules/tee/tfm/` folder of the |NCS|. * This sample uses the :ref:`lib_tfm_ioctl_api` library.