How to configure TF-M

Applicable for STM32MP25x lines

1. Article purpose

This section details the TF-M stage (Trusted Firmware-M). It explains how to configure and build TF-M in STM32 MPU context, describes the build process from sources, and shows how to deploy it on your target.

2. Source code access and build process

2.1. Prerequisites

2.1.1. Linux® PC

2.1.1.1. Install build environment

Install the dependencies:

 sudo apt-get install -y git curl wget build-essential libssl-dev python3 \
           python3-pip cmake make

Add the CMake path to the environment:

 export PATH=<CMake path>/bin:$PATH

2.1.1.2. Install python dependencies

From the TF-M source tree on your PC:

 pip3 install --upgrade pip
 pip3 install -r tools/requirements.txt

2.1.1.3. Install a toolchain

If you use STM32CubeIDE to build TF-M, you do not need to install a toolchain, as STM32CubeIDE uses its own.
If you build from the command line, you have to download your own toolchain and add the GNU Arm path to the environment:

 export PATH=$PATH:<toolchain installation directory>/sysroots/x86_64-ostl_sdk-linux/usr/share/gcc-arm-none-eabi/bin

2.1.2. Windows PC

2.1.2.1. Install build environment

Install the dependencies:

- Git client, latest version (https://git-scm.com/download/win)
- CMake, native Windows version (https://cmake.org/download/)
- GNU make (http://gnuwin32.sourceforge.net/packages/make.htm)
- Python3, native Windows version (https://www.python.org/downloads/), and the pip package manager (included from Python 3.4)

Add the CMake path to the environment:

 set PATH=<CMake_Path>\bin;%PATH%

2.1.2.2. Install python dependencies

From the TF-M source tree on your PC:

 cd trusted-firmware-m
 pip3 install -r tools/requirements.txt

2.1.2.3. Install a toolchain

If you use STM32CubeIDE, you do not need to install a toolchain, as STM32CubeIDE uses its own.
If you build from the command line, you can use the toolchain from STM32CubeIDE; update the path as follows in your .bashrc:

 PATH="/c/ST/<STM32 CubeIDE path>/STM32CubeIDE\plugins\com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.11.3.rel1.win32_1.1.2.202309201523\tools\bin":$PATH

Note: the plugin version can differ from one STM32CubeIDE version to another, so adapt the path accordingly.

2.2. Install sources

2.2.1. From the Developer package

Not available in developer package.

2.2.2. Official source tree

Download the source code from the official Trusted Firmware-A git repository.

  git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/

Warning: The STM32MP2 platform is not upstreamed.


For full-featured software, use the STMicroelectronics GitHub repositories:

  git clone https://github.com/STMicroelectronics/trusted-firmware-m.git
  git clone https://github.com/STMicroelectronics/tf-m-tests.git


2.2.3. Distribution Package

Not possible to build TF-M inside distribution package.

2.3. Build process

2.3.1. With STM32CubeIDE

There is one M33 STM32Cube FW non-secure example that uses TF-M services and builds TF-M through STM32CubeIDE.
See How_to_build_and_debug_secure_project_on_STM32MP25_co-processor_in_STM32CubeIDE for a step-by-step build and load example with TF-M.

2.3.2. With Build command lines

The following example builds the Secure firmware only (no NS tests) for the stm32mp257f_ev1 board with the medium profile, using a dedicated build directory.
By default, the following device tree is used: platform/ext/target/stm/common/devicetree/dts/arm/stm/stm32mp257f-ev1.dts

  cmake -S . -B build_ca35td \
       -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
       -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
       -DTFM_PROFILE=profile_medium \
       -DCMAKE_BUILD_TYPE=Relwithdebinfo \
       -G "Unix Makefiles" \
       -DNS=OFF
  make  -C build_ca35td/ install

2.3.3. External device tree for STM32MP2 series

ST provides device tree configurations for other boards in a dedicated git repository: tfm/stm32mp257f-ev1-ca35tdcid-ostl.dts.
You can also use it to store your own. Use the following commands to build with this external device tree repository:

  git clone https://github.com/STMicroelectronics/dt-stm32mp.git ${DT_PATH}
  cmake -S . -B build_ca35td \
       -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
       -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
       -DTFM_PROFILE=profile_medium \
       -DCMAKE_BUILD_TYPE=Relwithdebinfo \
       -G "Unix Makefiles" \
       -DNS=OFF \
       -DDTS_EXT_DIR=${DT_PATH}/tfm \
       -DDTS_BOARD_S=stm32mp257f-ev1-ca35tdcid-ostl.dts

DT_PATH can be any location you choose, but it must not be a relative path.

  make  -C build_ca35td/ install
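
A preflight check for the external device tree build above, as an added example that is not part of the original article or of ST's tooling: it verifies that DT_PATH is not relative, that the board file exists under ${DT_PATH}/tfm, and that the build tools are on PATH. The function names and return codes are hypothetical, and arm-none-eabi-gcc is assumed to be the compiler that toolchain_GNUARM.cmake looks for.

```shell
# Added example (not from the original article): checks to run before cmake.
# Function names and return codes are hypothetical.

# True when the argument starts with "/" (also true for Git Bash paths like /c/...).
is_absolute_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# check_ext_dt DT_PATH DTS_BOARD_S
# Returns 0: ok, 1: DT_PATH empty, 2: DT_PATH relative, 3: DTS file not found.
check_ext_dt() {
    dt_path=$1
    dts_board=$2
    if [ -z "$dt_path" ]; then
        echo "DT_PATH is empty" >&2
        return 1
    fi
    if ! is_absolute_path "$dt_path"; then
        echo "DT_PATH must not be a relative path: $dt_path" >&2
        return 2
    fi
    # The build passes -DDTS_EXT_DIR=${DT_PATH}/tfm, so the board file sits under tfm/.
    if [ ! -f "$dt_path/tfm/$dts_board" ]; then
        echo "device tree not found: $dt_path/tfm/$dts_board" >&2
        return 3
    fi
    return 0
}

# Print each named tool that is not on PATH, one per line.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# preflight DT_PATH DTS_BOARD_S: returns 4 when a tool is missing, else check_ext_dt's code.
preflight() {
    missing=$(missing_tools git cmake make python3 arm-none-eabi-gcc)
    if [ -n "$missing" ]; then
        echo "not on PATH:" $missing >&2
        return 4
    fi
    check_ext_dt "$1" "$2"
}
# Usage: preflight "$DT_PATH" stm32mp257f-ev1-ca35tdcid-ostl.dts && cmake -S . -B build_ca35td ...
```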