Things you will need to build, flash & run these applications:
- The Zephyr SDK (7+ GB), the Zephyr repo (3 GB) along with their metabuild
tool
west. You can follow Zephyr’s Getting started guide.
To flash it onto a NUCLEO-L552ZE-Q (or other hardware):
- The ST-Link driver
- OpenOCD or PyOCD for flashing
- An ARM compiler such as gcc-arm-none-eabi
- For TrustZone support: The STM32CubeProgrammer to set option bytes.
STM32CubeProgrammerneeds to be in the path and java needs to be installed. - Optionally for the emulated target: QEMU supporting ARM architectures
Folder structure:
- The project uses an out-of-tree build for a Zephyr application.
- This requires the Zephyr project to be at
../zephyrproject - This means the following directory structure is assumed:
├── trusted-peripherals │ ├── boards │ ├── driver │ ├── sample │ ├── tests │ ├── src │ ├── Kconfig │ ├── keys.h │ ├── prj.conf │ ├── trusted_peripheral │ ├── CMakeLists.txt │ ├── build_emulated.sh │ ├── build_trusted.sh │ ├── build_untrusted.sh │ ├── flash_trusted.sh │ ├── flash_untrusted.sh │ ├── README.org └── zephyrproject
For the trusted build:
- This application is using a custom tf-m secure partition containing services that can be called from the non-secure Zephyr side.
- This is a proof-of-work of the trusted peripherals API.
- The secure side contains all peripheral code using the STM32 HAL. Most of the STM32 HAL is included inside tf-m, except some of the I2C (and SPI) code - that needs to be included by hand into the TF-M module (see patch below).
- We are forcing the test flash memory layout memory from TF_M to get more flash memory for our ns app (from 32kb to 172kb).
TF-M patch:
- The project required source code and build system changes to TF-M
- The patch
tf-m_8b6146261.patchcontains all changes - The patch needs to be applied to the TF-M module inside Zephyr on commit
8b6146261fe2c0ad61154e20c7e338601eae2208
Scripts:
build_emulated.sh: Builds the trusted/untrusted setup for emulated targetbuild_trusted.sh: Builds the trusted setup for our boardbuild_untrusted.sh: Builds the untrusted setup for our boardflash_untrusted.sh: Flashes the untrusted build to our boardflash_trusted.sh: Flashes the trusted build to our board. NOTE: Make sure to run./build/tfm/regression.shafter building the trusted setup at least once before flashing. This enables TrustZone and sets option bytes.
Folders:
boards: Contains Zephyr overlay files for the L552ZE-Q and the MPS AN521driver: Driver code for the SPI displaysample: Mostly Zephyr TF-M integration sample applications that have been ported by us to our boardsrc: Source code for the normal applicationtests: All our measurements and python scripts to get the mean & std.devtrusted_peripheral: Source code, build scripts and yaml files for our trusted application (i.e., trusted peripherals secure service)