How to configure, build and deploy TF-M

Applicable for STM32MP21x lines, STM32MP23x lines, STM32MP25x lines

1. Article purpose

This section details the TF-M stage (Trusted Firmware-M). It explains how to configure and build TF-M in the STM32 MPU context, describes the build process from sources, and shows how to deploy it on the target device.

2. Prerequisites

2.1. Linux® PC

2.1.1. Installing the build environment

Install the dependencies:

sudo apt-get install -y git curl wget build-essential libssl-dev python3 \
           python3-pip cmake make

Then add the CMake path to the environment:

export PATH=<CMake path>/bin:$PATH

2.1.2. Installing a toolchain

If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.

If using a command-line interface, download the toolchain and add the GNU Arm toolchain path to the environment:

export PATH=$PATH:<toolchain installation directory>/sysroots/x86_64-ostl_sdk-linux/usr/share/gcc-arm-none-eabi/bin

2.2. Windows® PC

2.2.1. Installing the build environment

Install the dependencies:

Important
It is recommended to install GNU make in a path without any space characters. Avoid /c/Program Files/, for example.

Then add the CMake path to the environment:

set PATH=<CMake_Path>/bin;%PATH%

2.2.2. Installing a toolchain

If using STM32CubeIDE to build TF-M, installing a toolchain is not necessary, since STM32CubeIDE comes with a built-in toolchain.

If using a command-line interface, use the toolchain from STM32CubeIDE and update the path in .bashrc as follows:

PATH="/c/ST/<STM32 CubeIDE path>/STM32CubeIDE/plugins/com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.11.3.rel1.win32_1.1.2.202309201523/tools/bin":$PATH

Information
The plugin version may differ from one STM32CubeIDE version to another, so modify it accordingly.

3. Installing sources

3.1. Developer package

This feature is unavailable in the developer package.

3.2. Downloading source

For the full-featured software, clone the repository from the STMicroelectronics GitHub:

 git clone https://github.com/STMicroelectronics/trusted-firmware-m.git

Warning
The STM32MP2 platform is not upstreamed.

For the record, the official Trusted Firmware-M git repository (without STM32MP2 support) can be cloned from:

 git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/


3.3. Distribution package

It is not possible to build TF-M inside a distribution package.


4. Installing Python dependencies

From the TF-M source code installed on the PC:

pip3 install --upgrade pip
pip3 install -r tools/requirements.txt

5. Build process

5.1. STM32CubeIDE

There is one Cortex®-M33 nonsecure STM32Cube firmware example that uses TF-M services and builds TF-M using STM32CubeIDE.
Refer to the How to build and debug secure project on Cortex-M33 coprocessor in STM32CubeIDE wiki page for a step-by-step build-and-load example with TF-M.

5.2. Build command lines

You can also use TF-M-tests for the tests and the non-secure software example. Starting from ecosystem release v6.1.0, TF-M is based on official release v2.1, for which the build system has changed. You will need to fetch TF-M-tests:

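 # TFM_TESTS_DIRECTORY: destination directory of your choice (a shell variable name cannot contain '-')
 git clone https://github.com/STMicroelectronics/tf-m-tests.git "${TFM_TESTS_DIRECTORY}"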


See the GitHub pages for the compilation steps and the available build options for STM32MP257-EV1 or STM32MP215F-DK.

5.3. External device tree for the STM32MP2 series

STMicroelectronics provides device tree configurations for other boards in a dedicated git repository: tfm/stm32mp257f-ev1-ca35tdcid-ostl.dts.

The repository can be used to store custom configurations. Use the following command to build with this external DT repository:

 git clone https://github.com/STMicroelectronics/dt-stm32mp.git ${DT_PATH}

Depending on your configuration, you will need to add build options for the external DT files.

For the A35-TD flavor and the M33-TD flavor, more information is also given on the GitHub pages for STM32MP257-EV1 or STM32MP215F-DK.


5.3.1. Example for A35-TD flavor

DT_PATH can be set to any path, but it must not be a relative path.

       -DDTS_EXT_DIR=${DT_PATH}/stm32mp2/a35-td \
       -DDTS_BOARD_S=tfm/stm32mp257f-ev1-ca35tdcid-ostl-s.dts

And optionally, the nonsecure DT:

       -DDTS_BOARD_NS=tfm/stm32mp257f-ev1-ca35tdcid-ostl-ns.dts

5.3.2. Example for M33-TD flavor

DT_PATH can be set to any path, but it must not be a relative path.

       -DDTS_EXT_DIR=${DT_PATH}/stm32mp2/m33-td \
       -DDTS_BOARD_S=tfm/stm32mp257f-ev1-cm33tdcid-ostl-sdcard-s.dts \
       -DDTS_BOARD_BL2=mcuboot/stm32mp257f-ev1-cm33tdcid-ostl-sdcard-bl2.dts

And optionally, the nonsecure DT:

       -DDTS_BOARD_NS=tfm/stm32mp257f-ev1-cm33tdcid-ostl-sdcard-ns.dts
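
A preflight check for the external DT options of both flavors above, added here as an example (it is not part of the original article or of the TF-M sources). It rejects a relative DT_PATH and missing DTS files before the options reach the build; the helper name tfm_dt_opts is hypothetical, and it assumes the DTS_BOARD_* paths are resolved relative to DTS_EXT_DIR.

```shell
#!/bin/sh
# Added example: preflight check for the external device tree options.
# Assumption: DTS_BOARD_* paths are resolved relative to DTS_EXT_DIR.
# tfm_dt_opts is a hypothetical helper name, not part of TF-M.

# Usage: tfm_dt_opts <a35-td|m33-td> <secure.dts> [ns.dts] [bl2.dts]
# Prints one -D option per line; returns non-zero on the first problem.
tfm_dt_opts() {
    flavor=${1:-} s_dts=${2:-} ns_dts=${3:-} bl2_dts=${4:-}

    # The article requires DT_PATH to be an absolute path.
    case ${DT_PATH:-} in
        /*) ;;
        *) echo "DT_PATH must be absolute, got '${DT_PATH:-}'" >&2; return 1 ;;
    esac

    case $flavor in
        a35-td|m33-td) ;;
        *) echo "unknown flavor: '$flavor'" >&2; return 1 ;;
    esac
    [ -n "$s_dts" ] || { echo "secure DTS is mandatory" >&2; return 1; }

    # The M33-TD example in the article also passes a BL2 device tree.
    if [ "$flavor" = m33-td ] && [ -z "$bl2_dts" ]; then
        echo "m33-td needs DTS_BOARD_BL2" >&2; return 1
    fi

    ext_dir=$DT_PATH/stm32mp2/$flavor
    [ -d "$ext_dir" ] || { echo "missing directory: $ext_dir" >&2; return 1; }

    opts="-DDTS_EXT_DIR=$ext_dir"
    for pair in "DTS_BOARD_S=$s_dts" "DTS_BOARD_NS=$ns_dts" \
                "DTS_BOARD_BL2=$bl2_dts"; do
        file=${pair#*=}
        [ -n "$file" ] || continue      # optional DT not requested
        [ -f "$ext_dir/$file" ] || { echo "missing DTS: $ext_dir/$file" >&2; return 1; }
        opts="$opts
-D$pair"
    done
    printf '%s\n' "$opts"
}
```

Pass an empty string as the third argument to skip the nonsecure DT while still giving a BL2 device tree; the printed options are meant to be appended to the build command documented on the GitHub pages.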