Introduction Trusted Firmware-M (TF-M) divides memory into secure and non-secure regions. This guide explains how to add a custom non-secure flash region for data import purposes. This is useful for testing or extending TF-M functionality on platforms like FRDM-RW612. This guide is using el2go_import_blob on frdmrw612//ns as a base example. You may use any TFM based example.  Imported as a freestanding application using VSCode.  The initial two steps add a macro in order to easily add a #ifdef statement in the code in case you'd like to toggle the region on/off. TFM does not use the traditional Zephyr kConfig, so it is necessary to follow the steps to ensure the macro is defined correctly. If you want to add the region without the #if statement, skip steps 1-2. Make sure to remove #ifdef TFM_CUSTOM_DATA_IMPORT_REGION #endif from steps 3-5. 1. Enable the Feature via Configuration File: el2go_import_blob/Kconfig config TFM_CUSTOM_DATA_IMPORT_REGION bool "Enable custom flash area for testing" help Validate non-secure region in flash. File: el2go_import_blob/prj.conf CONFIG_TFM_CUSTOM_DATA_IMPORT_REGION=y 2. Update Build System to Pass the Flag File: el2go_import_blob/CMakeLists.txt Append the CMake option: if(CONFIG_TFM_CUSTOM_DATA_IMPORT_REGION) set_property(TARGET zephyr_property_target APPEND PROPERTY TFM_CMAKE_OPTIONS -DUSE_TFM_CUSTOM_DATA_IMPORT_REGION=ON ) endif() File: platform/ext/target/nxp/frdmrw612/config.cmake Add the flag: set(USE_TFM_CUSTOM_DATA_IMPORT_REGION OFF CACHE BOOL "") File: platform/ext/target/nxp/frdmrw612/CMakeLists.txt Add compile definition: if (USE_TFM_CUSTOM_DATA_IMPORT_REGION) set(TFM_CUSTOM_DATA_IMPORT_REGION_COMPILE_DEFINITION "TFM_CUSTOM_DATA_IMPORT_REGION") endif() target_compile_definitions(psa_interface INTERFACE ${TFM_CUSTOM_DATA_IMPORT_REGION_COMPILE_DEFINITION} ) 3. Define the Flash Region File: platform/ext/target/nxp/frdmrw612/partition/flash_layout.h Define address and size: #ifdef TFM_CUSTOM_DATA_IMPORT_REGION #define TFM_CUSTOM_NS_REGION_ADDR (0x08500000) #define TFM_CUSTOM_NS_REGION_SIZE (0x00001000) // 4KB #endif File: platform/ext/target/nxp/frdmrw612/partition/region_defs.h Map the region: #ifdef TFM_CUSTOM_DATA_IMPORT_REGION #define CUSTOM_NS_DATA_REGION_START (TFM_CUSTOM_NS_REGION_ADDR) #define CUSTOM_NS_DATA_REGION_SIZE (TFM_CUSTOM_NS_REGION_SIZE) #endif 4. Update Linker Script File: platform/ext/target/nxp/common/gcc/tfm_common_s.ld Add region base declaration: #ifdef TFM_CUSTOM_DATA_IMPORT_REGION Load$$LR$$LR_CUSTOM_DATA_IMPORT_REGION$$Base = CUSTOM_NS_DATA_REGION_START; #endif   5. Declare and Initialize Region in Code File: platform/ext/target/nxp/common/target_cfg_common.h Add to memory region struct: #ifdef TFM_CUSTOM_DATA_IMPORT_REGION uint32_t custom_ns_data_region_base; uint32_t custom_ns_data_region_limit; #endif File: platform/ext/target/nxp/common/tfm_hal_platform.c Initialize region limits: #ifdef TFM_CUSTOM_DATA_IMPORT_REGION REGION_DECLARE(Load$$LR$$, LR_CUSTOM_DATA_IMPORT_REGION, $$Base); #endif // TFM_CUSTOM_DATA_IMPORT_REGION #ifdef TFM_CUSTOM_DATA_IMPORT_REGION .custom_ns_data_region_base = (uint32_t)&REGION_NAME(Load$$LR$$, LR_CUSTOM_DATA_IMPORT_REGION, $$Base), .custom_ns_data_region_limit = (uint32_t)&REGION_NAME(Load$$LR$$, LR_CUSTOM_DATA_IMPORT_REGION, $$Base) + CUSTOM_NS_DATA_REGION_SIZE - 1, #endif // TFM_CUSTOM_DATA_IMPORT_REGION File: platform/ext/target/nxp/common/tfm_hal_isolation.c Configure SAU: #ifdef TFM_CUSTOM_DATA_IMPORT_REGION SECURE_WRITE_REGISTER(&(SAU->RNR), 7U); SAU->RBAR = (memory_regions.custom_ns_data_region_base & SAU_RBAR_BADDR_Msk); SAU->RLAR = (memory_regions.custom_ns_data_region_limit & SAU_RLAR_LADDR_Msk) | SAU_RLAR_ENABLE_Msk; #endif File: platform/ext/target/nxp/frdmrw612/target_cfg.c Configure MPC: #ifdef TFM_CUSTOM_DATA_IMPORT_REGION enable_mem_rule_for_partition(memory_regions.custom_ns_data_region_base, memory_regions.custom_ns_data_region_limit); #endif 6. Update Device Tree Overlay File: zephyr/samples/el2go_import_blob/frdm_rw612_rw612_ns.overlay Add partition: custom_ns_data: partition@500000 { label = "custom_ns_data"; reg = <0x500000 0x1000>; };     Let's test the region by erasing, writing and reading.   1. Enable the Zephyr flash File: el2go_import_blob/prj.conf   CONFIG_FLASH=y   2. Add some test code to the main source file of the project.  #include <zephyr/drivers/flash.h> const struct device *flash_dev = DEVICE_DT_GET(DT_CHOSEN(zephyr_flash_controller)); static int test_flash_region(void) { uint32_t offset = 0x500000; uint32_t test_data = 0xDEADBEEF; uint32_t read_data; // 1. Erase flash (required before write) flash_erase(flash_dev, offset, 4096); // 2. Write data flash_write(flash_dev, offset, &test_data, sizeof(test_data)); // 3. Read data (this can use memcpy function) memcpy(&read_data, (void *)0x08500000, sizeof(read_data)); if (read_data == test_data) { LOG("✓ Flash test passed with memcpy: 0x%08x\n", read_data); } else { LOG("✗ Flash test failed\n"); } //Flash read operation will have fix to correctly calculate address next release /*flash_read(flash_dev, offset, &read_data, sizeof(read_data)); if (read_data == test_data) { LOG("✓ Flash test passed with flash_read: 0x%08x\n", read_data); } else { LOG("✗ Flash test failed\n"); } */ return 0; }   3. Call the  test_flash_region() function from the main() .  

Recently some Windows users started reporting issues installing the Zephyr SDK, required for building Zephyr applications.  Users first ran into this issue using NXP's MCUXpresso Installer, but had the same issue trying to manually install the Zephyr SDK. The root cause is that setup.cmd and these other tools use wget to download the individual toolchain packages.  And apparently recent changes in Windows or security settings interpret this wget download as unsecure, and wget is blocked. Context The Zephyr SDK is a package of multiple toolchains that support all the hardware platforms and CPU architectures available in Zephyr.  The binary bundle releases for download are available in two options: Minimal and Full.  For example, these bundles can be downloaded here for v0.17.4, currently the latest release. The Full bundle is a large download and includes all the toolchains and other tools in that download package.  The Minimal bundle is much smaller and does not contain any toolchains and allows users to choose the toolchains to download and install.  Minimal has an extra step after download to run the setup script and the user selects the tools to download.  In Windows, this script is setup.cmd. If installing the Minimal bundle and wget downloads are blocked for setup.cmd, then the Zephyr SDK install fails.  MCUXpresso Installer v25.12 and other install options use the Minimal bundle, and can be blocked by this issue. Workaround NXP is working on improving the MCUXpresso Installer to address this issue.  But in the meantime, downloading and installing the Full bundle avoids using wget and avoids this issue.   Download the Full bundle, here for v0.17.4, and extract the bundle in your user folder.  After extracting, the full Windows path will be  C:\Users\<username>\zephyr-sdk-0.17.4 .  West and other build tools will find this folder during the build.  The Zephyr SDK can also be installed elsewhere using an environment variable, see the Zephyr SDK documentation.  After extracting, run the setup.cmd to finish setup.  But with the Full install, setup.cmd will not need to download with wget. Be aware, this article was written when v0.17.4 was the latest release of the Zephyr SDK.  Check here for the latest release. Return to Zephyr Knowledge Hub

Anyone can Contribute to Zephyr, but all contributions must comply with the Coding Style Guidelines.  The editor in Visual Studio Code can be configured to help with these style guidelines.  This article details how to configure the editor. In VS Code, go to File→Preferences→Settings (or use CTRL + , to open them directly). Note that these setting changes can also be restricted to the Zephyr workspace by switching the Settings tab selection from "User" to "Workspace" if desired. The following settings help with Zephyr's style guidelines: Editor: Tab Size: set to 8 Editor: Insert Spaces: turn off Files: Trim Final Newlines: turn on Files: Trim Trailing Whitespace: turn on C_Cpp: Dim Inactive Regions: turn off Return to Zephyr Knowledge Hub

Anyone can Contribute to Zephyr, but all contributions must comply with the Coding Style Guidelines.  This list includes some resources for contributing: Configuring VS Code editor for Zephyr coding style guidelines To contribute, propose changes by submitting a Pull Request (PR), see Contributor Expectations (more to come) Return to Zephyr Knowledge Hub

Introduction Standard Trusted Firmware‑M (TF‑M) targets in Zephyr, including RW61x‑based platforms, assume the presence of BL2 (MCUboot) as the second-stage bootloader. BL2 is responsible for image authentication, upgrade handling, and flash layout enforcement. However, many NXP devices provide a ROM‑based secure boot / dual‑boot mechanism capable of authenticating firmware and directly transferring control to a secure image. In such cases, BL2 is redundant and can be disabled to reduce boot time and flash usage. This article describes how to disable BL2 in TF‑M and configure Zephyr to boot directly from ROM into the TF‑M Secure image, followed by the Non‑Secure application.   Typical TF‑M Boot Flow (With BL2) The default Zephyr TF‑M boot chain is: BootROM → BL2 (MCUboot) → TF‑M Secure → Non‑Secure application BL2: Owns the flash layout (primary/secondary slots) Performs image authentication Manages firmware upgrades Example with samples/tfm_integration/config_build   Target Boot Flow (ROM Boot, No BL2) When using the ROM bootloader: BootROM → TF‑M Secure → Non‑Secure application In this scenario: ROM performs authentication and version checks TF‑M Secure becomes the first executable stage No firmware swapping or secondary slots are required Example with samples/tfm_integration/config_build   Disable BL2 in TF‑M Kconfig Changes Disable BL2 explicitly in the project configurations and update the base address: CONFIG_TFM_BL2=n CONFIG_FLASH_BASE_ADDRESS=0x80A0000   This removes MCUboot from the build and prevents generation of BL2 artifacts.   Secure Image Entry Requirements When BL2 is removed, the ROM must jump directly to the TF‑M Secure vector table. Ensure that: The Secure image is linked at the ROM‑expected address The Secure vector table is valid The Secure reset handler init No BL2 handoff logic is required.   Non‑Secure Image Considerations The TF‑M Secure image will transfer control after initialization. Built as a direct‑boot Zephyr application No MCUboot headers Linked at the Non‑Secure offset defined in the partition layout   Dual Boot Enablement (ROM‑Managed A/B Images) On RW61x‑class devices, the ROM expects the Secure image to start at offset 0x1000 within a bootable slot, with the Non‑Secure image located at offset 0xA0000 . Each boot slot therefore contains a complete Secure + Non‑Secure pair at fixed offsets. The ROM authenticates the slot, jumps to the Secure offset, and TF‑M later transfers control to the Non‑Secure image. BootROM ├─ Authenticate Slot 0 → Secure@+0x1000 → Non‑Secure@+0xA0000 └─ Authenticate Slot 1 → Secure@+0x1000 → Non‑Secure@+0xA0000 No BL2 or runtime image swapping is involved.     Example Flash Layout (Corrected) Slot 0 Slot 0 Base : 0x08000000 Secure Image (0) : 0x08001000  Non‑Secure Image 0 : 0x080A0000    Slot 1 Slot 1 Base : 0x08200000 Secure Image (1) : 0x08201000  Non‑Secure Image 1 : 0x082A0000   Each slot is independently bootable and contains no shared state with the other slot.     ROM Boot Expectations For each slot, the ROM expects: Slot authentication data (signature / manifest) A valid Secure vector table at slot_base + 0x1000 A valid Secure reset handler The ROM never jumps to Non‑Secure directly.     Using the SEC tool to enable dual boot  First we'll create two images one for slot 0 and one for slot 1. The difference will be noted in the text of the non-secure image.  1. Build Zephyr Images (Slot‑A and Slot‑B) For each slot, build: TF‑M Secure image (linked at +0x1000 ) Zephyr Non‑Secure image (linked at +0xA0000 ) Slot 0, I modified the non-secure image to print a quick message identifying the slot it was programmed in.  Slot 1, I modified the non-secure image to print a quick message identifying the slot it was programmed in.  Using the SEC tool, we will use the "Merge Tool" to merge the secure and non-secure binaries with the appropriate offset. 2. Merge Secure + Non‑Secure Images ROM expects one contiguous image per slot, not two independent binaries. In SEC Tool: Open Merge Tool Select: Secure binary(without boot header) → offset 0x1000 Non‑Secure binary → offset 0xA0000 Output a single merged image * If you are using the kconfig options as described above, the FCB will be attached to the secure binary, therefore please ensure that your offset for secure binary considers the FCB location which is offset 0x400 Do this for both slot images. In this example I created merged_imaged_slot_0 and merged_image_slot_1.   3. Assigning Version Metadata Dual‑boot selection is driven entirely by ROM metadata. For each merged image: Set Image Version Example: Slot A version: 1 Slot B version: 2 ROM rules are typically: Boot highest valid version Use fallback slot if authentication fails   Select the merged image for the slot you would like to program first. Select the version that will be used with that slot.    Next, open "Dual Image Boot"   For Slot 0, select "Image 0" and select the offset you would like to use for the slot division. For Slot 1, select "Image 1".   4. Program Slot 0 (Initial Boot) Program Slot 0 only Reset device Expected behavior: ROM authenticates Slot 0 ROM jumps to slot 0 + 0x1000 TF‑M Secure initializes Non‑Secure app runs ✅ Confirms your Secure → Non‑Secure chain works without BL2   5. Program Slot 1 (Upgrade Test) Program Slot 1 Update slot metadata (version > Slot 0) Reset device Expected behavior: ROM selects Slot 1 Slot 1 Secure executes Slot 1 Non‑Secure message appears   Common Mistakes to Avoid Merging images at wrong offsets ( 0x0 instead of 0x1000 ) Forgetting to bump the version for Slot B Leaving MCUboot headers enabled Assuming TF‑M controls slot selection   Conclusion Disabling BL2 in TF‑M and booting directly from ROM is a valid, efficient, and production‑ready configuration when the device ROM already provides secure boot and dual‑boot services. In this architecture, the ROM is the authority for authentication, version selection, and rollback, while TF‑M Secure becomes the first executable firmware stage. When combined with ROM‑managed A/B dual boot, this approach provides: Independent, fully self‑contained Slot A and Slot B images Deterministic boot behavior based on ROM policy (version or fallback) Secure rollback without runtime image swapping No dependency on MCUboot or BL2 infrastructure The key requirements for success are: Explicitly disable BL2 in TF‑M Link the Secure image at the ROM‑required offset ( +0x1000 ) Link the Non‑Secure application at the fixed Non‑Secure offset ( +0xA0000 ) Merge Secure and Non‑Secure binaries into a single slot image Use the SEC tool to: Assign image versions Enable dual‑boot policy Authenticate and sign each slot image In this model, TF‑M and Zephyr are slot‑agnostic: they do not manage upgrades, slot selection, or rollback. All boot decisions are made before execution begins, by the ROM, based on SEC‑provided metadata. This design reduces boot time, simplifies flash layouts, removes firmware‑swap complexity, and aligns well with high‑reliability production systems where firmware updates are performed out‑of‑band and enforced by ROM‑level security.