Running applications with Trusted Firmware-M

On nRF5340 and nRF9160, you can use Trusted Firmware-M (TF-M) as an alternative to Secure Partition Manager for running an application from the non-secure area of the memory.


TF-M is the reference implementation of Platform Security Architecture (PSA).

It provides a highly configurable set of software components to create a Trusted Execution Environment. This is achieved by a set of secure run time services such as Secure Storage, Cryptography, Audit Logs, and Attestation. Additionally, secure boot via MCUboot in TF-M ensures integrity of run time software and supports firmware upgrade.

For official documentation, see TF-M documentation.

The TF-M implementation in nRF Connect SDK is currently demonstrated in the TF-M Hello World sample.


TF-M is one of the images that are built as part of a multi-image application. For more information about multi-image builds, see Multi-image builds.

To add TF-M to your build, enable the CONFIG_BUILD_WITH_TFM configuration option by adding it to your prj.conf file.


If you use menuconfig to enable CONFIG_BUILD_WITH_TFM, you must also enable its dependencies.

You must build TF-M using a non-secure build target. The following targets are currently supported:

  • nrf5340dk_nrf5340_cpuappns

  • nrf9160dk_nrf9160ns

When building for nrf9160dk_nrf9160ns, UART1 must be disabled in the non-secure application, because it is used by the TF-M secure application. Otherwise, the non-secure application will fail to run. The recommended way to do this is to copy the .overlay file from the TF-M Hello World sample.


The procedure for programming an application with TF-M is the same as for other multi-image applications in nRF Connect SDK.

After building the application, a merged.hex file is created that contains MCUboot, TF-M, and the application. The merged.hex file can be then programmed using SES. When using the command line, the file is programmed automatically when you call ninja flash or west flash.


TF-M employs two UART interfaces for logging: one for the secure part (MCUboot and TF-M), and one for the non-secure application. The logs arrive on different COM ports on the host PC.

On the nRF5340 DK, you must connect specific wires on the board to receive secure logs on the host PC. Wire the pins P0.25 and P0.26 to RxD and TxD respectively.