How to configure TF-M

Applicable for

1. Article purpose

This section details the TF-M stage (Trusted Firmware-M). It explains how to configure and build TF-M in the STM32 MPU context, describes the build process from sources, and shows how to deploy it on the target device.

2. Source code access and build process

2.1. Prerequisites

2.1.1. Linux^® PC

2.1.1.1. Installing the build environment

Install the dependencies:

sudo apt-get install -y git curl wget build-essential libssl-dev python3 \
           python3-pip cmake make

Then add the CMake path to the environment:

export PATH=<CMake path>/bin:$PATH

2.1.1.2. Installing a toolchain

If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.

If using a command-line interface, download the toolchain and add the GNU Arm toolchain path to the environment:

export PATH=$PATH:<toolchain installation directory>/sysroots/x86_64-ostl_sdk-linux/usr/share/gcc-arm-none-eabi/bin

2.1.2. Windows^® PC

2.1.2.1. Installing the build environment

Install the dependencies:

Git client (latest version: https://git-scm.com/download/win)
CMake (native Windows^® version: https://cmake.org/download/)
GNU make (http://gnuwin32.sourceforge.net/packages/make.htm)
Python 3 (native Windows^® version: https://www.python.org/downloads/) and the pip package manager (included in Python version 3.4 and higher)

Important

It is recommended to install GNU make in a path without any space characters. Avoid /c/Program Files/, for example.

Then add the CMake path to the environment:

set PATH=<CMake_Path>/bin;%PATH%

2.1.2.2. Installing a toolchain

If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.

If using a command-line interface, use the toolchain from STM32CubeIDE and update the path in .bashrc as follows:

PATH="/c/ST/<STM32 CubeIDE path>/STM32CubeIDE/plugins/com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.11.3.rel1.win32_1.1.2.202309201523/tools/bin":$PATH

Information

The plugin version may differ from one STM32CubeIDE version to another, so modify it accordingly.

2.2. Installing sources

2.2.1. Developer package

This feature is unavailable in the developer package.

2.2.2. Official source tree

Download the source code from the official Trusted Firmware-M git repository:

 git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/

Warning

The STM32MP2 platform is not upstreamed.

For the full-featured software, go to the STMicroelectronics github:

 git clone https://github.com/STMicroelectronics/trusted-firmware-m.git
 git clone https://github.com/STMicroelectronics/tf-m-tests.git

2.2.3. Distribution package

It is not possible to build TF-M inside a distribution package.

2.3. Installing Python dependencies

From the TF-M source code installed on the PC:

pip3 install --upgrade pip \
           pip3 install -r tools/requirements.txt

2.4. Build process

2.4.1. STM32CubeIDE

There is one Cortex^®-M33 nonsecure STM32Cube firmware example that uses TF-M services and builds TF-M using STM32CubeIDE.
Refer to the How to build and debug a secure project on the STM32MP25 co-processor in STM32CubeIDE wiki page for a step-by-step build-and-load example with TF-M.

2.4.2. Build command lines

The command-line example below uses an STM32MP257F-EV1 board with a medium profile and a 'build' directory to generate secure firmware only (no nonsecure tests).

By default, the following device tree is used: platform/ext/target/stm/common/devicetree/dts/arm/stm/stm32mp257f-ev1.dts

 cmake -S . -B build_ca35td \
       -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
       -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
       -DTFM_PROFILE=profile_medium \
       -DCMAKE_BUILD_TYPE=Relwithdebinfo\
       -G "Unix Makefiles" \
       -DNS=OFF

 make  -C build_ca35td/ install

2.4.3. External device tree for the STM32MP2 series

STMicroelectronics provides device tree configurations for others boards in a dedicated git repository: tfm/stm32mp257f-ev1-ca35tdcid-ostl.dts .

The repository can be used to store custom configurations. Use the following command to build with this external dt repository:

 git clone https://github.com/STMicroelectronics/dt-stm32mp.git ${DT_PATH}

 cmake -S . -B build_ca35td \
       -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
       -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
       -DTFM_PROFILE=profile_medium \
       -DCMAKE_BUILD_TYPE=Relwithdebinfo\
       -G "Unix Makefiles" \
       -DNS=OFF \
       -DDTS_EXT_DIR=${DT_PATH}/tfm \
       -DDTS_BOARD_S=stm32mp257f-ev1-ca35tdcid-ostl.dts

DT_PATH can be set to any path, but it must not be a relative path.

 make  -C build_ca35td/ install