1. Article purpose[edit | edit source]
This section details the TF-M stage (Trusted Firmware-M). It explains how to configure and build TF-M in the STM32 MPU context, describes the build process from sources, and shows how to deploy it on the target device.
2. Source code access and build process[edit | edit source]
2.1. Prerequisites[edit | edit source]
2.1.1. Linux® PC[edit | edit source]
2.1.1.1. Installing the build environment[edit | edit source]
Install the dependencies:
sudo apt-get install -y git curl wget build-essential libssl-dev python3 \
python3-pip cmake make
Then add the CMake path to the environment:
export PATH=<CMake path>/bin:$PATH
2.1.1.2. Installing a toolchain[edit | edit source]
If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.
If using a command-line interface, download the toolchain and add the GNU Arm toolchain path to the environment:
export PATH=$PATH:<toolchain installation directory>/sysroots/x86_64-ostl_sdk-linux/usr/share/gcc-arm-none-eabi/bin
2.1.2. Windows® PC[edit | edit source]
2.1.2.1. Installing the build environment[edit | edit source]
Install the dependencies:
- Git client (latest version: https://git-scm.com/download/win)
- CMake (native Windows® version: https://cmake.org/download/)
- GNU make (http://gnuwin32.sourceforge.net/packages/make.htm)
- Python 3 (native Windows® version: https://www.python.org/downloads/) and the pip package manager (included in Python version 3.4 and higher)
Then add the CMake path to the environment:
set PATH=<CMake_Path>/bin;%PATH%
2.1.2.2. Installing a toolchain[edit | edit source]
If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.
If using a command-line interface, use the toolchain from STM32CubeIDE and update the path in .bashrc as follows:
PATH="/c/ST/<STM32 CubeIDE path>/STM32CubeIDE/plugins/com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.11.3.rel1.win32_1.1.2.202309201523/tools/bin":$PATH
 Information
|
| The plugin version may differ from one STM32CubeIDE version to another, so modify it accordingly. |
2.2. Installing sources[edit | edit source]
2.2.1. Developer package[edit | edit source]
This feature is unavailable in the developer package.
2.2.2. Official source tree[edit | edit source]
Download the source code from the official Trusted Firmware-M git repository:
git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/
For the full-featured software, go to the STMicroelectronics github:
git clone https://github.com/STMicroelectronics/trusted-firmware-m.git git clone https://github.com/STMicroelectronics/tf-m-tests.git
2.2.3. Distribution package[edit | edit source]
It is not possible to build TF-M inside a distribution package.
2.3. Installing Python dependencies[edit | edit source]
From the TF-M source code installed on the PC:
pip3 install --upgrade pip \
pip3 install -r tools/requirements.txt
2.4. Build process[edit | edit source]
2.4.1. STM32CubeIDE[edit | edit source]
There is one Cortex®-M33 nonsecure STM32Cube firmware example that uses TF-M services and builds TF-M using STM32CubeIDE.
Refer to the How to build and debug a secure project on the STM32MP25 co-processor in STM32CubeIDE wiki page for a step-by-step build-and-load example with TF-M.
2.4.2. Build command lines[edit | edit source]
The command-line example below uses an STM32MP257F-EV1 board with a medium profile and a 'build' directory to generate secure firmware only (no nonsecure tests).
By default, the following device tree is used: platform/ext/target/stm/common/devicetree/dts/arm/stm/stm32mp257f-ev1.dts
cmake -S . -B build_ca35td \
-DTFM_PLATFORM=stm/stm32mp257f_ev1 \
-DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
-DTFM_PROFILE=profile_medium \
-DCMAKE_BUILD_TYPE=Relwithdebinfo\
-G "Unix Makefiles" \
-DNS=OFF
make -C build_ca35td/ install
2.4.3. External device tree for the STM32MP2 series[edit | edit source]
STMicroelectronics provides device tree configurations for others boards in a dedicated git repository: tfm/stm32mp257f-ev1-ca35tdcid-ostl.dts .
The repository can be used to store custom configurations. Use the following command to build with this external dt repository:
git clone https://github.com/STMicroelectronics/dt-stm32mp.git ${DT_PATH}
cmake -S . -B build_ca35td \
-DTFM_PLATFORM=stm/stm32mp257f_ev1 \
-DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
-DTFM_PROFILE=profile_medium \
-DCMAKE_BUILD_TYPE=Relwithdebinfo\
-G "Unix Makefiles" \
-DNS=OFF \
-DDTS_EXT_DIR=${DT_PATH}/tfm \
-DDTS_BOARD_S=stm32mp257f-ev1-ca35tdcid-ostl.dts
DT_PATH can be set to any path, but it must not be a relative path.
make -C build_ca35td/ install
Arm® is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere. 
Arm® is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.