How to configure TF-M

Applicable for

1. Article purpose↑

This section details the TF-M stage (Trusted Firmware-M). It explains how to configure and build TF-M in the STM32 MPU context, describes the build process from sources, and shows how to deploy it on the target device.

2. Source code access and build process↑

2.1. Prerequisites↑

2.1.1. Linux^® PC↑

2.1.1.1. Installing the build environment↑

Install the dependencies:

sudo apt-get install -y git curl wget build-essential libssl-dev python3 \
           python3-pip cmake make

Then add the CMake path to the environment:

export PATH=<CMake path>/bin:$PATH

2.1.1.2. Installing a toolchain↑

If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.

If using a command-line interface, download the toolchain and add the GNU Arm toolchain path to the environment:

export PATH=$PATH:<toolchain installation directory>/sysroots/x86_64-ostl_sdk-linux/usr/share/gcc-arm-none-eabi/bin

2.1.2. Windows^® PC↑

2.1.2.1. Installing the build environment↑

Install the dependencies:

Git client (latest version: https://git-scm.com/download/win)
CMake (native Windows^® version: https://cmake.org/download/)
GNU make (http://gnuwin32.sourceforge.net/packages/make.htm)
Python 3 (native Windows^® version: https://www.python.org/downloads/) and the pip package manager (included in Python version 3.4 and higher)

Important

It is recommended to install GNU make in a path without any space characters. Avoid /c/Program Files/, for example.

Then add the CMake path to the environment:

set PATH=<CMake_Path>/bin;%PATH%

2.1.2.2. Installing a toolchain↑

If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.

If using a command-line interface, use the toolchain from STM32CubeIDE and update the path in .bashrc as follows:

PATH="/c/ST/<STM32 CubeIDE path>/STM32CubeIDE/plugins/com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.11.3.rel1.win32_1.1.2.202309201523/tools/bin":$PATH

Information

The plugin version may differ from one STM32CubeIDE version to another, so modify it accordingly.

2.2. Installing sources↑

2.2.1. Developer package↑

This feature is unavailable in the developer package.

2.2.2. Official source tree↑

Download the source code from the official Trusted Firmware-M git repository:

 git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/

Warning

The STM32MP2 platform is not upstreamed.

For the full-featured software, go to the STMicroelectronics github:

 git clone https://github.com/STMicroelectronics/trusted-firmware-m.git
 git clone https://github.com/STMicroelectronics/tf-m-tests.git

2.2.3. Distribution package↑

It is not possible to build TF-M inside a distribution package.

2.3. Installing Python dependencies↑

From the TF-M source code installed on the PC:

pip3 install --upgrade pip \
           pip3 install -r tools/requirements.txt

2.4. Build process↑

2.4.1. STM32CubeIDE↑

There is one Cortex^®-M33 nonsecure STM32Cube firmware example that uses TF-M services and builds TF-M using STM32CubeIDE.
Refer to the How to build and debug a secure project on the STM32MP25 co-processor in STM32CubeIDE wiki page for a step-by-step build-and-load example with TF-M.

2.4.2. Build command lines↑

The command-line example below uses an STM32MP257F-EV1 board with a medium profile and a 'build' directory to generate secure firmware only (no nonsecure tests).

By default, the following device tree is used: platform/ext/target/stm/common/devicetree/dts/arm/stm/stm32mp257f-ev1.dts

 cmake -S . -B build_ca35td \
       -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
       -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
       -DTFM_PROFILE=profile_medium \
       -DCMAKE_BUILD_TYPE=Relwithdebinfo\
       -G "Unix Makefiles" \
       -DNS=OFF

 make  -C build_ca35td/ install

2.4.3. External device tree for the STM32MP2 series↑

STMicroelectronics provides device tree configurations for others boards in a dedicated git repository: tfm/stm32mp257f-ev1-ca35tdcid-ostl.dts .

The repository can be used to store custom configurations. Use the following command to build with this external dt repository:

 git clone https://github.com/STMicroelectronics/dt-stm32mp.git ${DT_PATH}

 cmake -S . -B build_ca35td \
       -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
       -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
       -DTFM_PROFILE=profile_medium \
       -DCMAKE_BUILD_TYPE=Relwithdebinfo\
       -G "Unix Makefiles" \
       -DNS=OFF \
       -DDTS_EXT_DIR=${DT_PATH}/tfm \
       -DDTS_BOARD_S=stm32mp257f-ev1-ca35tdcid-ostl.dts

DT_PATH can be set to any path, but it must not be a relative path.

 make  -C build_ca35td/ install