1. Article purpose
This section details the TF-M stage (Trusted Firmware-M). It explains how to configure and build TF-M in the STM32 MPU context, describes the build process from sources, and shows how to deploy it on the target device.
2. Source code access and build process
2.1. Prerequisites
2.1.1. Linux® PC
2.1.1.1. Installing the build environment
Install the dependencies:
sudo apt-get install -y git curl wget build-essential libssl-dev python3 \
    python3-pip cmake make
Then add the CMake path to the environment:
export PATH=<CMake path>/bin:$PATH
2.1.1.2. Installing a toolchain
If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.
If using a command-line interface, download the toolchain and add the GNU Arm toolchain path to the environment:
export PATH=$PATH:<toolchain installation directory>/sysroots/x86_64-ostl_sdk-linux/usr/share/gcc-arm-none-eabi/bin
2.1.2. Windows® PC
2.1.2.1. Installing the build environment
Install the dependencies:
- Git client (latest version: https://git-scm.com/download/win)
- CMake (native Windows® version: https://cmake.org/download/)
- GNU make (http://gnuwin32.sourceforge.net/packages/make.htm)
- Python 3 (native Windows® version: https://www.python.org/downloads/) and the pip package manager (included in Python version 3.4 and higher)
Then add the CMake path to the environment:
set PATH=<CMake_Path>/bin;%PATH%
2.1.2.2. Installing a toolchain
If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.
If using a command-line interface, use the toolchain from STM32CubeIDE and update the path in .bashrc as follows:
PATH="/c/ST/<STM32 CubeIDE path>/STM32CubeIDE/plugins/com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.11.3.rel1.win32_1.1.2.202309201523/tools/bin":$PATH
The plugin version may differ from one STM32CubeIDE version to another, so modify it accordingly.
2.2. Installing sources
2.2.1. Developer package
This feature is unavailable in the developer package.
2.2.2. Official source tree
Download the source code from the official Trusted Firmware-M git repository:
git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/
For the full-featured software, use the STMicroelectronics GitHub repositories:
git clone https://github.com/STMicroelectronics/trusted-firmware-m.git
git clone https://github.com/STMicroelectronics/tf-m-tests.git
2.2.3. Distribution package
It is not possible to build TF-M inside a distribution package.
2.3. Installing Python dependencies
From the TF-M source code installed on the PC:
pip3 install --upgrade pip
pip3 install -r tools/requirements.txt
2.4. Build process
2.4.1. STM32CubeIDE
There is one Cortex®-M33 nonsecure STM32Cube firmware example that uses TF-M services and builds TF-M using STM32CubeIDE.
Refer to the How to build and debug a secure project on the STM32MP25 co-processor in STM32CubeIDE wiki page for a step-by-step build-and-load example with TF-M.
2.4.2. Build command lines
The command-line example below uses an STM32MP257F-EV1 board with a medium profile and a 'build' directory to generate secure firmware only (no nonsecure tests).
By default, the following device tree is used: platform/ext/target/stm/common/devicetree/dts/arm/stm/stm32mp257f-ev1.dts
cmake -S . -B build_ca35td \
    -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
    -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
    -DTFM_PROFILE=profile_medium \
    -DCMAKE_BUILD_TYPE=Relwithdebinfo \
    -G "Unix Makefiles" \
    -DNS=OFF
make -C build_ca35td/ install
2.4.3. External device tree for the STM32MP2 series
STMicroelectronics provides device tree configurations for other boards in a dedicated git repository: tfm/stm32mp257f-ev1-ca35tdcid-ostl.dts.
The repository can also be used to store custom configurations. Use the following commands to build with this external device tree repository:
git clone https://github.com/STMicroelectronics/dt-stm32mp.git ${DT_PATH}
cmake -S . -B build_ca35td \
    -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
    -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
    -DTFM_PROFILE=profile_medium \
    -DCMAKE_BUILD_TYPE=Relwithdebinfo \
    -G "Unix Makefiles" \
    -DNS=OFF \
    -DDTS_EXT_DIR=${DT_PATH}/tfm \
    -DDTS_BOARD_S=stm32mp257f-ev1-ca35tdcid-ostl.dts
DT_PATH can be set to any path, but it must not be a relative path.
make -C build_ca35td/ install
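A pre-flight check for the external device tree build above, given as an added example that is not part of the original page or of the TF-M or ST sources. It rejects a relative DT_PATH and a missing board DTS before configuring, and prints the revision of the external repository so the secure firmware build can be traced to it. The function names check_dts_ext and configure_tfm and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate the external device tree inputs before running cmake.
# Source this file from the TF-M source directory, then call:
#   configure_tfm "$DT_PATH" stm32mp257f-ev1-ca35tdcid-ostl.dts

# check_dts_ext DT_PATH BOARD_DTS (hypothetical helper)
# Returns 0 if usable, 2 if DT_PATH is not absolute, 3 if the DTS file is missing.
check_dts_ext() {
    case "$1" in
        /*) ;;                                   # absolute path: accepted
        *)  echo "DT_PATH must be an absolute path, got: '$1'" >&2
            return 2 ;;
    esac
    if [ ! -f "$1/tfm/$2" ]; then
        echo "board DTS not found: $1/tfm/$2" >&2
        return 3
    fi
    return 0
}

# configure_tfm DT_PATH BOARD_DTS (hypothetical helper)
# Runs the configure step from this section only if the inputs pass the check.
configure_tfm() {
    check_dts_ext "$1" "$2" || return $?
    # Log which revision of the external DT repository is being built.
    echo "external DT revision: $(git -C "$1" rev-parse HEAD 2>/dev/null || echo unknown)"
    cmake -S . -B build_ca35td \
        -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
        -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
        -DTFM_PROFILE=profile_medium \
        -DCMAKE_BUILD_TYPE=Relwithdebinfo \
        -G "Unix Makefiles" \
        -DNS=OFF \
        -DDTS_EXT_DIR="$1/tfm" \
        -DDTS_BOARD_S="$2"
}
```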