doc: tfm: Add documentation regarding configurable build #19562
base: main
CI Information: To view the history of this post, click the 'edited' button above. Inputs: Sources: sdk-nrf: PR head: ade80561b3c10732af0e2c63609811e79f1c37ca
GitHub labels
List of changed files detected by CI (6)
Outputs: Toolchain Version: Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publish GitHub Action.
426dd6c to 536d653
Some comments. Moving in the right direction.
doc/nrf/releases_and_maturity/migration/migration_guide_spm_to_tf-m.rst
Outdated
:align: center | ||
|
||
Partition alignment granularity on different nRF devices. | ||
|
||
When the :ref:`partition_manager` is enabled, it will take into consideration the alignment requirements. |
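Review bot: the last sentence, "it will take into consideration the alignment requirements", does not say what the Partition Manager actually does. Suggest stating whether it moves or pads partitions so that they start on the granularity shown in the figure, and whether a static configuration that breaks the alignment is rejected at build time.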
Partition manager likely warrants its own chapter in here. I would like to at least give the flow of working with partition manager in here:
- Minimize your partitions
- Copy the partitions.yaml from build directory as static partitions.yaml.
- Modify static partitions.yaml (if necessary) (PS and ITS storage can be set more efficiently, reserve enough space for future updates).
doc/nrf/security/tfm.rst
Outdated
:align: center | ||
|
||
Example of aligning partitions with flash regions. | ||
|
||
If you are experiencing any partition alignment issues when using the Partition Manager, check the :ref:`known_issues` page on the main branch. | ||
|
||
The partitions which need to be aligned with the TrustZone flash region size are partitions ``tfm_nonsecure`` and ``nonsecure_storage``. |
tfm_storage also needs to be aligned with this, if it is set after non-secure partition.
536d653 to e15f633
82f0ec3 to de44e9e
More comments/suggestions coming later this week.
dc41adb to e06cb9f
These images need to be converted to the unified style in Visio. https://nordicsemi.atlassian.net/wiki/spaces/TECHDOC/pages/120293046/Figure+guide If you prefer, I can do it.
Yes, please.
I don't have Visio, as it does not exist on Linux.
doc/nrf/security/tfm.rst
Outdated
Protect Storage partition | ||
------------------------- | ||
|
||
To enable Protect Storage (PS) partition, set the :kconfig:option:`CONFIG_TFM_PARTITION_PROTECTED_STORAGE`. |
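Review bot: the heading and the first sentence say "Protect Storage", while the option named on the same line is CONFIG_TFM_PARTITION_PROTECTED_STORAGE. Suggest "Protected Storage partition" and "To enable the Protected Storage (PS) partition, set the ... Kconfig option", and lengthen the heading underline to match the longer title so the RST heading stays valid.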
I think 'the' partition for all of these reads better.
853ef7a to dc5176a
Managed to reach only half of the tfm.rst.
Not sure if I'll manage to find time for more review this week, but I'll try. Hopefully Thursday.
doc/nrf/releases_and_maturity/migration/migration_guide_spm_to_tf-m.rst
Outdated
* ``spm_prevalidate_b1_upgrade`` | ||
* ``spm_busy_wait`` | ||
* ``spm_set_ns_fatal_error_handler`` | ||
|
It's not clear to me what the user should do with these. Should these be removed from the user's app? Should some other steps be taken? It would be good to have some information about this...
I'm just moving this part away from current TF-M documentation to its own migration page:
https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/security/tfm.html#migrating_from_secure_partition_manager_to_trusted_firmware-m
This same information existed already in nRF Connect SDK 2.0: https://docs.nordicsemi.com/bundle/ncs-2.0.0/page/nrf/ug_tfm.html
.. note:: | ||
By default, TF-M configures memory regions as secure memory, while SPM configures memory regions as non-secure. | ||
The partitions ``tfm_nonsecure``, ``mcuboot_secondary``, and ``nonsecure_storage`` are configured as non-secure flash memory regions. | ||
The partition ``sram_nonsecure`` is configured as a non-secure RAM region. |
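Review bot: in this note, the first sentence gives the TF-M default as secure and the next two sentences list partitions that are non-secure, with nothing linking the two. If the intent is that only the listed partitions are non-secure under TF-M, suggest saying so explicitly, for example "Only the following partitions are configured as non-secure", so the reader can tell that everything not listed stays secure.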
... and if this note provides information about the no-replacement services above, then I would rephrase it.
I doubt this is the case though, as it reads more general. Maybe we can move this note to somewhere between lines 7 and 9?
|
||
When the TF-M and application use the same UART, the TF-M disables logging after it has booted and it re-enables it again only to log a fatal error. | ||
|
||
Manual connection to Virtual COM ports on the nRF5340 DK |
This entire section should be moved to the nRF5340 device guide: https://github.com/nrfconnect/sdk-nrf/tree/main/doc/nrf/app_dev/device_guides/nrf53
Add documentation regarding CONFIG_TFM_PROFILE_TYPE_NOT_SET and various TF-M partitions that users need to configure. Signed-off-by: Seppo Takalo <[email protected]>
Current user guide does not need this information anymore. It should be moved to a separate migration guide. Signed-off-by: Seppo Takalo <[email protected]>
Move building, configuring and limitations to appear before background information on TF-M user guide. Signed-off-by: Seppo Takalo <[email protected]>
Unfortunately TF-M rst file in Zephyr does not have cross-reference labels. Signed-off-by: Seppo Takalo <[email protected]>
Add diagram to show the granularity differences between each HW. Signed-off-by: Seppo Takalo <[email protected]>
Add usage examples from tfm_ram_report and tfm_rom_report. Signed-off-by: Markus Lassila <[email protected]>
Add information from TF-M partitions:
- CONFIG_TFM_PARTITION_PLATFORM
- CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
- CONFIG_TFM_PARTITION_CRYPTO
- CONFIG_TFM_PARTITION_PROTECTED_STORAGE
- CONFIG_TFM_PARTITION_INITIAL_ATTESTATION
Signed-off-by: Markus Lassila <[email protected]>
Fixes from documentation review Signed-off-by: Seppo Takalo <[email protected]> Co-authored-by: Pekka Niskanen <[email protected]>
0d0468b to ade8056
Add documentation regarding CONFIG_TFM_PROFILE_TYPE_NOT_SET and various TF-M partitions that users need to configure.
NOTE: This is a very early phase. This work is still in progress, but I'm just starting the review process very early.