These steps walk through building the Zephyr TF-M sample with PSA crypto for the FRDM-RW612 board using NXP's downstream Zephyr release. The steps use the v4.0.0 release and are given for both the CLI and the MCUXpresso extension for VS Code.
Before starting, import or clone the downstream ZSDK repo at https://github.com/nxp-zephyr/nxp-zephyr using the release tag nxp-v4.0.0. These steps use the JLink debug probe.
Building and Flashing with CLI
The TF-M samples use the non-secure (NS) board variant when building. Build with the command below (the build produces LOTS of warnings):
west build -b frdm_rw612//ns samples/tfm_integration/psa_crypto/ --pristine
The build generates a file that merges both images into a HEX file named tfm_merged.hex. The command below programs this HEX file to the board:
west flash
See the Console output section below for the output printed by this demo.
Reprogramming the flash in ISP mode
Once this image is programmed in the flash, it interferes with the JLink debug probe, and reflashing the board will fail. A simple workaround is to force the MCU into ISP mode at boot. In ISP mode, the app firmware does not execute, and the JLink can erase and update the flash.
To enter ISP mode on the FRDM-RW612 board, hold down the ISP button SW3. Then press and release the Reset button SW1. The MCU is now in ISP mode and can be reflashed.
VS Code: Build, Program, and Debug
The current release of the MCUXpresso extension for VS Code is the prerelease of v24.11.51. This release does not yet support out-of-tree boards, and will not provide the option to import the application for the NS board variant. These steps import the application for the default FRDM-RW612 variant, and then modify the project's CMakePresets.json file to use the NS variant.
In VS Code, use the MCUXpresso Quickstart panel to Import Example from Repository.
Select the board FRDM_RW612, and the template tfm_integration/psa_crypto.
Before building, the project needs to be modified to use the NS board variant. Open the file CMakePresets.json:
Modify the board name to frdm_rw612//ns for the NS variant. Save the file.
Build the project in VS Code. This build has LOTS of warnings.
The debugger is not aware that the tfm_merged.hex file is used to program the flash. This file must first be programmed to the flash before using the debugger.
In the VS Quickstart Panel, launch the Flash Programmer, and select the Segger probe type to use with JLink.
Select the psa_crypto project, the PROGRAM tab, and browse to the tfm_merged.hex file generated in the sample build folder. Then click Run. This programs the firmware image to flash.
The app will now boot and run, and print the console output shown in the section below. To reprogram the flash, see the ISP section above.
With the image programmed in flash, VS Code can now debug the application. Launch the VS Code debugger. Once connected, you may need to click the Restart button to properly connect and halt at main().
Console output
Once the board is programmed, the app will print the following:
Booting TF-M v2.1.1
[WRN] This device was provisioned with dummy keys. This device is NOT SECURE
[Sec Thread] Secure image initializing!
[INF][PS] Encryption alg: 0x5500200
[INF][Crypto] Provision entropy seed...
[INF][Crypto] Provision entropy seed... complete.
*** Booting Zephyr OS build nxp-v4.0.0 ***
[00:18:23.434,135] <inf> app: att: System IAT size is: 367 bytes.
[00:18:23.434,145] <inf> app: att: Requesting IAT with 64 byte challenge.
[00:18:23.439,264] <inf> app: att: IAT data received: 367 bytes.
          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 D2 84 43 A1 01 26 A0 59 01 23 AA 3A 00 01 24 FF ..C..&.Y.#.:..$.
00000010 58 40 00 11 22 33 44 55 66 77 88 99 AA BB CC DD X@.."3DUfw......
00000020 EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD ...."3DUfw......
00000030 EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD ...."3DUfw......
00000040 EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD ...."3DUfw......
00000050 EE FF 3A 00 01 24 FB 58 20 A0 A1 A2 A3 A4 A5 A6 ..:..$.X .......
00000060 A7 A8 A9 AA AB AC AD AE AF B0 B1 B2 B3 B4 B5 B6 ................
00000070 B7 B8 B9 BA BB BC BD BE BF 3A 00 01 25 00 58 21 .........:..%.X!
00000080 01 D1 C4 11 B1 5F 2D F0 38 6A A3 00 6A 74 D6 B4 ....._-.8j..jt..
00000090 4A EA DE 02 56 0A E8 DB 67 F0 75 2C B4 75 21 F5 J...V...g.u,.u!.
000000A0 A1 3A 00 01 24 FA 58 20 AA AA AA AA AA AA AA AA .:..$.X ........
000000B0 BB BB BB BB BB BB BB BB CC CC CC CC CC CC CC CC ................
000000C0 DD DD DD DD DD DD DD DD 3A 00 01 24 F8 3A 3B FF ........:..$.:;.
000000D0 FF FF 3A 00 01 24 F9 19 30 00 3A 00 01 24 FE 01 ..:..$..0.:..$..
000000E0 3A 00 01 24 F7 71 50 53 41 5F 49 4F 54 5F 50 52 :..$.qPSA_IOT_PR
000000F0 4F 46 49 4C 45 5F 31 3A 00 01 25 01 77 77 77 77 OFILE_1:..%.wwww
00000100 2E 74 72 75 73 74 65 64 66 69 72 6D 77 61 72 65 .trustedfirmware
00000110 2E 6F 72 67 3A 00 01 24 FC 73 30 36 30 34 35 36 .org:..$.s060456
00000120 35 32 37 32 38 32 39 2D 31 30 30 31 30 58 40 7D 5272829-10010X@}
00000130 BF CA 23 43 CA 0F E7 45 53 C9 75 83 F0 EA 33 C8 ..#C...ES.u...3.
00000140 37 B9 35 5F 21 C7 C3 B3 2F 16 7A 91 94 CA 8D 13 7.5_!.../.z.....
00000150 2A 01 84 E7 C6 82 69 97 86 0C 7A 1C BD 98 9F 88 *.....i...z.....
00000160 A9 EA AB 0F DB F9 1D 9D C8 EE 5D D6 77 93 AF    ..........].w..
[00:18:23.620,682] <inf> app: Persisting SECP256R1 key as #1
[00:18:23.635,930] <err> app: Already exists
[00:18:23.636,006] <err> app: Function: 'crp_gen_key_secp256r1'
[00:18:23.636,011] <err> app: Failed to generate key.
[00:18:23.653,441] <inf> app: Calculating SHA-256 hash of value
          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 50 6C 65 61 73 65 20 68 61 73 68 20 61 6E 64 20 Please hash and 
00000010 73 69 67 6E 20 74 68 69 73 20 6D 65 73 73 61 67 sign this messag
00000020 65 2E                                           e.
          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 9D 08 E3 E6 DB 1C 12 39 C0 9B 9A 83 84 83 72 7A .......9......rz
00000010 EA 96 9E 1D 13 72 1E 4D 35 75 CC D4 C8 01 41 9C .....r.M5u....A.
[00:18:23.702,711] <inf> app: Signing SHA-256 hash
          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 15 A3 E4 C2 AF 1B D2 AF 28 31 2C 42 9B A6 41 06 ........(1,B..A.
00000010 13 B4 45 E7 5D A9 A2 1D 2A 82 72 78 A3 B7 57 5A ..E.]...*.rx..WZ
00000020 A5 81 F8 66 76 F0 DB 46 E2 67 2E 55 0A A7 F8 55 ...fv..F.g.U...U
00000030 13 F1 74 1C C9 05 36 AF 97 4B E1 8E 29 8B 86 0A ..t...6..K..)...
[00:18:23.749,169] <inf> app: Verifying signature for SHA-256 hash
[00:18:23.771,732] <inf> app: Signature verified.
[00:18:23.911,110] <inf> app: Destroyed persistent key #1
[00:18:23.917,526] <inf> app: Generating 256 bytes of random data.
          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 BB C4 36 83 E4 85 A1 90 C8 F5 43 E1 7D 70 FA 7E ..6.......C.}p.~
00000010 2F 84 A2 98 F5 9E FB 9B F6 6F B1 FB 1C 4C 49 2D /........o...LI-
00000020 5C A0 24 3C A5 47 87 EA 6F B7 31 AA 07 53 59 89 \.$<.G..o.1..SY.
00000030 6E 7A FF 5B C3 FA B1 33 3D 67 08 F4 36 8F D2 96 nz.[...3=g..6...
00000040 BE 36 C6 36 84 C2 53 54 76 30 92 8F F6 AF 74 5A .6.6..STv0....tZ
00000050 63 4D 8F 64 ED 55 F9 5A 64 DC EF F1 44 69 78 45 cM.d.U.Zd...DixE
00000060 05 A3 70 AD 20 78 59 85 A2 FD 5F 05 08 6D 5A 80 ..p. xY..._..mZ.
00000070 19 16 52 9C EC C1 C8 EC FD 1B 4B 1E 1E 6C 7A 7F ..R.......K..lz.
00000080 D4 83 74 17 BC D5 76 08 D7 55 35 75 5E 07 DE 50 ..t...v..U5u^..P
00000090 11 0E 38 19 79 27 BB 42 B0 32 67 FC FE 18 10 0F ..8.y'.B.2g.....
000000A0 09 55 A3 6A B0 34 22 4C 23 24 DF 14 87 F1 1C 48 .U.j.4"L#$.....H
000000B0 0F 1E 75 A5 B4 C2 B4 D5 68 EB 8A D9 EE 92 FE 0D ..u.....h.......
000000C0 09 FC 1D 39 F1 A0 79 E0 01 BF C0 D7 F5 94 3A 17 ...9..y.......:.
000000D0 8F 83 39 E0 33 BA 82 C3 65 7C C0 D4 82 D5 56 5B ..9.3...e|....V[
000000E0 44 C9 61 BC 75 58 3D 1D 6F B2 BB EE 2B 8C 97 E2 D.a.uX=.o...+...
000000F0 12 57 EA BF 0A FE 6E AA FF 03 D4 C6 0B 74 12 23 .W....n......t.#
[00:18:24.035,192] <inf> app: Initialising PSA crypto
[00:18:24.040,673] <inf> app: PSA crypto init completed
[00:18:24.046,396] <inf> app: Persisting SECP256R1 key as #1
[00:18:24.193,132] <inf> app: Retrieving public key for key #1
          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 04 7B C3 8E 36 E3 11 88 C1 4E 36 4C 9E 37 41 3A .{..6....N6L.7A:
00000010 0B 1A 59 2E 2A AA C4 B6 FD E5 16 62 75 27 C7 49 ..Y.*......bu'.I
00000020 EA FC 9B 7A 06 9D 4A 1A F0 F8 18 C4 6D E1 DC FE ...z..J.....m...
00000030 52 59 EE 55 7F 38 83 CC CF 15 63 2B 16 CA 79 DA RY.U.8....c+..y.
00000040 7B                                              {
[00:18:24.245,819] <inf> app: Adding subject name to CSR
[00:18:24.251,632] <inf> app: Adding subject name to CSR completed
[00:18:24.258,199] <inf> app: Adding EC key to PK container
[00:18:24.264,362] <inf> app: Adding EC key to PK container completed
[00:18:24.271,223] <inf> app: Create device Certificate Signing Request
[00:18:24.296,971] <inf> app: Create device Certificate Signing Request completd
[00:18:24.304,898] <inf> app: Certificate Signing Request:
-----BEGIN CERTIFICATE REQUEST-----
MIHpMIGQAgEAMC4xDzANBgNVBAoMBkxpbmFybzEbMBkGA1UEAwwSRGV2aWNlIENl
cnRpZmljYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEe8OONuMRiMFONkye
N0E6CxpZLiqqxLb95RZidSfHSer8m3oGnUoa8PgYxG3h3P5SWe5VfziDzM8VYysW
ynnae6AAMAoGCCqGSM49BAMCA0gAMEUCIQC9LqdaYIJqBw4Pvqyd5vrYnUmjLFhY
LidxcY0g8x4LyAIgLUUnRyBduyCFFUl0RaXHrUbDarPLk35XO5kBnJxDfFQ=
-----END CERTIFICATE REQUEST-----
[00:18:24.346,162] <inf> app: Encoding CSR as json
[00:18:24.351,600] <inf> app: Encoding CSR as json completed
[00:18:24.357,605] <inf> app: Certificate Signing Request in JSON:
{"CSR":"-----BEGIN CERTIFICATE REQUEST-----\nMIHpMIGQAgEAMC4xDzANBgNVBAoMBkxpbm}
[00:18:24.400,811] <inf> app: Done.
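The 367-byte IAT dumped in the console output above is a COSE_Sign1 structure whose payload is a CBOR map of attestation claims. The following added example, which is not part of the original article or of the Zephyr sample, decodes those claims from the bytes shown in the dump. The claim names are this example's own labels for the PSA profile keys -75000 to -75010, and the signature is extracted but not verified.

```python
# Added example: decode the claims carried in the IAT from the console dump (367 bytes
# copied from it). NAMES is this example's own labelling of keys -75000 .. -75010.
IAT = bytes.fromhex("""
D28443A10126A0590123AA3A000124FF 584000112233445566778899AABBCCDD
EEFF00112233445566778899AABBCCDD EEFF00112233445566778899AABBCCDD
EEFF00112233445566778899AABBCCDD EEFF3A000124FB5820A0A1A2A3A4A5A6
A7A8A9AAABACADAEAFB0B1B2B3B4B5B6 B7B8B9BABBBCBDBEBF3A000125005821
01D1C411B15F2DF0386AA3006A74D6B4 4AEADE02560AE8DB67F0752CB47521F5
A13A000124FA5820AAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCC
DDDDDDDDDDDDDDDD3A000124F83A3BFF FFFF3A000124F91930003A000124FE01
3A000124F7715053415F494F545F5052 4F46494C455F313A0001250177777777
2E747275737465646669726D77617265 2E6F72673A000124FC73303630343536
353237323832392D313030313058407D BFCA2343CA0FE74553C97583F0EA33C8
37B9355F21C7C3B32F167A9194CA8D13 2A0184E7C6826997860C7A1CBD989F88
A9EAAB0FDBF91D9DC8EE5DD67793AF""")
NAMES = ["profile", "client_id", "security_lifecycle", "implementation_id",
         "boot_seed", "hw_version", "sw_components", "no_sw_measurements",
         "challenge", "instance_id", "verification_service"]
LABELS = {-75000 - i: name for i, name in enumerate(NAMES)}

def decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    major, arg = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if arg > 27 or major == 7:
        raise ValueError("CBOR form not used by this token")
    if arg >= 24:                      # argument is in the next 1/2/4/8 bytes
        size = 1 << (arg - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major < 2:                      # unsigned (0) or negative (1) integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated string")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode()), pos + arg
    if major == 6:                     # tag (18 = COSE_Sign1): return the tagged item
        return decode(buf, pos)
    items = []                         # array (4), or map (5) read as key/value pairs
    for _ in range(arg * (major - 3)):
        item, pos = decode(buf, pos)
        items.append(item)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos

def iat_claims(token):
    """Return ({claim name: value}, signature); the signature is NOT verified."""
    (_protected, _unprotected, payload, signature), _ = decode(token)
    claims, _ = decode(payload)
    return {LABELS.get(key, key): value for key, value in claims.items()}, signature
```

For this token the security_lifecycle claim decodes to 0x3000 while the boot log warns that the device was provisioned with dummy keys, so the claims on their own do not tell a verifier whether the attestation key is a production key.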