Generate a firmware for mcuboot with a small non secure partition and a secure partition

Hello Roman,

To be honest, I don't know. Like I said in my first post, I wanted to follow the frdm_rw612 partition distribution because it seems to be the recommended way to do it.

Today I don't use any secure feature because it's still a prototype but soon we will work on the production version and I don't want to make a choice today that will be an issue later.

The FRDM_RW612 has a 640kB secure partition and a 3MB non-secure partition.

My current application size is 2.3MB (no optimization at all).

How can I generate a firmware handling both these partitions?

I read this post: https://community.nxp.com/t5/Wi-Fi-Bluetooth-802-15-4/Zephyr-MCUBoot-TFM-Demo-using-RW612/ta-p/20475...

I also downloaded the "psa_protected_storage" sample to better understand the tfm structure but I'm still not sure to understand how you partition the image.

For example, for the psa_protected_storage, which partition is used to store encrypted data? Is it in the "storage_partition"?

In the post I mention above, it mentions a fw_storage partition. I don't have this partition and yet, I'm able to use the Wifi.

Where are the up-to-date documentation? I'm not trying to do something fancy, just use mcuboot to be able to do OTA but I struggle to find the correct documentation to understand how to do it.

Thanks for your help,

Arthur

Hello @_arthur_.

If you need to do OTA with MCUboot, I suggest to use the "smp_svr" sample which main purpose is to make firmware updates to use with MCUmgr protocol and allow updates via Bluetooth, UDP, UART, etc. This sample works along MCUboot to check for properly signed binaries and update them into your MCU.

To test the sample  you would need to download an MCUmgr client to make the firmware updates, as well as to build and flash separately MCUboot first, and then build and flash the smp_svr sample with the required macros added to the prj.conf file of the smp_svr sample (this will depend on the OTA transport you wish to use). Once this is done, your system should be ready to communicate properly with your MCUmgr client to check a list of uploaded images and to be able to load a new image.

To load a new valid image for MCUboot, I suggest to add the following configurations to the  prj.conf file of the sample you wish to load:

 CONFIG_HEAP_MEM_POOL_SIZE=2048

The following will allow to generate an MCUboot valid signed image just by building your sample:

CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="<path-to-imported-zephyr-mcuboot-sample>/root-rsa-2048.pem"

CONFIG_MCUBOOT_GENERATE_CONFIRMED_IMAGE=y

CONFIG_BOOTLOADER_MCUBOOT=y

Please let me know if this works for you and fits your requirements.

Hello Roman,

The issue is the same with your sample, as soon as I exceed the flash size of 640kB (your default secure partition size) I get this error when I compile:

region `FLASH' overflowed by 15872 bytes

Add BT and UDP support to this smp_svr sample and you will see the error

So all my previous questions still stands to try to understand and solve my issue:

How can I generate an image with a minimal secure partition that will only jump in the non secure area where my main firmware will be?

How can I generate a firmware handling both these partitions?

When using the psa_protected_storage, where is the encrypted data stored? I would like to use this feature.

Moroever, I'll need to have a custom non-volatile partition for files, is it the current storage_partition from your partition table definition in the common.dtsi?

I made some progress. As a short-term solution I invert slotx_partition with slotx_ns_partition in the frdm_rw612_common.dtsi file and I can compile and use a bigger secure partition.

If I change this in my overlay file, it can compile but mcuboot is not able to jump to the image during runtime. I suppose that when mcuboot is generated, it's not using my overlay file in my current project.

Anyway, I'm not sure to understand the difference between a secure and a non-secure partition. Is there any drawbacks to have my whole firmware in a secure partition?

I'm still wondering how I can add the PSA_protected_storage to this project. Which partition will be used for this feature if I add it?

Hello @_arthur_, hope you are doing well.

If you want to re-size your partitions you could do it in an overlay file as you did with the partitions, however you should maintain the structure so MCUboot is able to recognize the images in their destined partitions.

Additionally, please consider that if you wish to use the flash partitioning shared, this is meant to be used with the TF-M stack, which also uses MCUboot as secure bootloader to validate and load images in a secure environment.

For more information about the protected storage, please see the Zephyr reference documentation Secure Storage.

Dear Roman,

You don't reply to my questions, it's difficult to fully understand.

When you say "however you should maintain the structure", you mean having first the secure and partition and following the non-secure partition?

I'm still wondering how I can add the PSA_protected_storage to this project. Which partition will be used for this feature if I add it?

How can I generate an image with a minimal secure partition that will only jump in the non secure area where my main firmware will be?

How can I generate a firmware handling both these partitions?

Dear @_arthur_, I apologize for the generated confusion.

"When you say "however you should maintain the structure", you mean having first the secure and partition and following the non-secure partition?"

Yes, you should maintain the structure of the partitions as is, as well as respect the alignment of the partitions (128kB).

" I'm still wondering how I can add the PSA_protected_storage to this project. Which partition will be used for this feature if I add it?"

As commented before, if you wish to use the PSA protected storage you should use the TF-M stack which uses the partition layout that you are sharing along with MCUboot as a secondary stage bootloader for image validation. Along with TF-M the secure partition is used to save secure keys and also is used for the protected storage as stated in the Trusted Firmware-M Overview.

"How can I generate an image with a minimal secure partition that will only jump in the non secure area where my main firmware will be?"

You could change the partition sizes with an overlay file as long as you comply with the TF-M requirements which can be found at the path "modules/tee/tf-m/trusted-firmware-m/platform/ext/target/".

How can I generate a firmware handling both these partitions?

For detailed information please refer to Trusted Firmware-M documentation and Zephyr documentation as the development would have to be on your own.

Hope this information helps.

Hello Roman,

Thank you, I better understand now.

Is this link something written by your engineering team? https://community.nxp.com/t5/Wi-Fi-Bluetooth-802-15-4/Zephyr-MCUBoot-TFM-Demo-using-RW612/ta-p/20475...

Do I still need to modify the SDK like this? Because I cannot modify the non-secure image like it is described in the "Modify non-secure image" section. The "build" folder does not exist in nxp_zephyr\zephyr\

Moroever, in my frdm_rw612_rw612_ns.dts file, there is a line which delete all the partitions already configured in the frdm_rw612_common.dtsi. It doesn't follow the idea of keeping the partition structure.

Anyway, if I use the non secure board, it doesn't compile because I'm using the storage partition and it doesn't exist anymore with the /delete-node/ line

&w25q512jvfiq {
	/delete-node/ partitions;

	partitions {
		compatible = "fixed-partitions";
		#address-cells = <1>;
		#size-cells = <1>;

		slot0_ns_partition: partition@080C0000 {
			label = "image-0-non-secure";
			reg = <0x080C0000 DT_SIZE_M(3)>;
		};

		/* This partition is reserved for connectivity firmwares storage
		 * and shouldn't be moved.
		 */
		fw_storage: partition@400000 {
			label = "fw_storage";
			reg = <0x400000 0x280000>;
			read-only;
		};
	};
};

 When you say "the development would have to be on your own", you mean that you don't officialy support TF-M? And that's why we need to modify by hand the SDK?

Hello @_arthur_.

Yes, that guide was written by our engineering team meant to be used with Zephyr version 4.0.0, however just as you mention, on further versions (4.2.0 and 4.3.0 as of now) this guide is not needed as BL2 integration (MCUboot as secure bootloader) is included by default in the TFM example shown in the guide. Therefore, on versions 4.2.0 downstream & upstream and 4.3.0 this feature is already supported.

Hope this clears out your doubts.

Hello Roman,

Ok it helps me to better understand.

I'm able to compile my firmware with the tfm by deleting this in the frdm_rw612_rw612_ns.dts file:

&w25q512jvfiq {
	/delete-node/ partitions;

	partitions {
		compatible = "fixed-partitions";
		#address-cells = <1>;
		#size-cells = <1>;

		slot0_ns_partition: partition@080C0000 {
			label = "image-0-non-secure";
			reg = <0x080C0000 DT_SIZE_M(3)>;
		};

		/* This partition is reserved for connectivity firmwares storage
		 * and shouldn't be moved.
		 */
		fw_storage: partition@400000 {
			label = "fw_storage";
			reg = <0x400000 0x280000>;
			read-only;
		};
	};
};

I don't understand the goal to delete the partitions node.

Anyway, if I flash the "tfm_merged.hex", I get this output:

[INF] Starting bootloader
[WRN] This device was provisioned with dummy keys. This device is NOT SECURE
[INF] PSA Crypto init done, sig_type: EC-P256, using builtin keys
[INF] Image index: 1, Swap type: none
[INF] Image index: 0, Swap type: none
[INF] Bootloader chainload address offset: 0x20000
[INF] Image version: v0.0.0
[INF] Jumping to the first image slot
Booting TF-M v2.2.0+g9a6c6f958
[WRN] This device was provisioned with dummy keys. This device is NOT SECURE
[Sec Thread] Secure image initializing!
[INF][PS] Encryption alg: 0x5500100
[INF][Crypto] Provision entropy seed...
[INF][Crypto] Provision entropy seed... complete.

The bl2 seems to boot correctly but then nothing happens. My non secure firmware doesn't boot.

I tried to flash also the file zephyr_ns_signed.hex but the result is the same.

Am I mistaken when I think that

Hello @_arthur_.

Could you please share with me the steps that you are following to build and flash your application with TF-M and BL2? Are you using the sysbuild to build MCUboot?

Additionally, the partitions are destined as you mention, the secure partition is meant to host TF-M's secure services and the non-secure partition would be your non-secure application.

Hello Roman,

Are you able to tell me what am I doing wrong? It's very important for me to find a solution in order to publish a firmware this week.

Thanks for your help

Hello @_arthur_, sorry for the delay.

I have tried generating a basic firmware with TF-M with BL2, and it is working properly. I understand why you are deleting the section that you mentioned from the frdm_rw612_rw612_ns.dts file, however this step is required since this overlay is supposed to set the partition structure used by TF-M in the non-secure "version" of the board, deleting it could generate an incompatible structure and your application might not be loading in a known address for MCUboot.

Could you please share with me your generated dts file of your project? Or a screenshot of the partition section of the dts? It should be located in the following path inside the project: debug/zephyr/zephyr.dts

Thanks for your patience.

Hello Roman,

I'm sorry but I still have the same questions:

1. Do I need to enable sysbuild (and set SB_CONFIG_BOOTLOADER_MCUBOOT="y") or no?

2. Is the content I'm adding into prj.conf correct?

3. What do I need to flash when everything is compiled?

You says that I need to keep the deletion of the partitions node. Then, here is my issues in this scenario:

In my current firmware, I'm using the storage_partition defined in the common.dtsi. When I use the non secure configuration, because you delete all partitions, the storage_partition is not defined anymore, so my code cannot compile. 4. How can I use the storage_partition in this non-secure configuration?

You explicitely said that I must keep the same partition structure defined in the common.dtsi. 5. Therefore, why is fw_storage partition located at 0x400000? It's located into the slot1_partition if I look into the common.dtsi structure.

6. Anyway, what is this fw_storage partition? Why isn't it in the "standard" secure configuration?

I know you don't have much time, please reply to my 6 questions, it will help me to better understand and be autonomous.

If you can share a step by step TF-M with BL2 example to compile and flash a standard firmware using the storage_partition and Wifi/BLE connectivity it would be perfect. Thank you

PS: I didn't share my partition section of the DTS because it doesn't make sense in the current state.

Hello Roman,

I must publish a firmware tomorrow, can I expect a reply? Or it's not ready on your side yet and I need to find a plan B?

Thanks for your help,

Arthur

Hello @_arthur_.

Do I need to enable sysbuild (and set SB_CONFIG_BOOTLOADER_MCUBOOT="y") or no?
No, you do not need to use sysbuild since TF-M build system includes MCUboot by default.
 
Is the content I'm adding into prj.conf correct?
Yes, as an observation, the "CONFIG_BUILD_WITH_TFM" is set by default when creating a project for the non-secure version of the board.
 
What do I need to flash when everything is compiled?
It depends, in the screenshot from the TF-M Build System Zephyr documentation, is a detailed explanation on what is the utility of each generated file:
 

However, consider that for a first-use occasion, you should flash the tfm_merged.hex file which contains a merge of the MCUboot bootloader, TF-M Secure image and your non-secure application.
 
How can I use the storage partition in this non-secure configuration?
It is expected that the user would use the secure storage service provided by TF-M, since the flash layout of the TF-M configuration reserves a space for this storage.
 
Anyway, what is this fw_storage?
The fw_storage partition is reserved for Wi-Fi, BLE and 802.15.4 firmwares storage.

Hope this information helps on your development. Thank you for your patience.

Hello Roman,

Thanks for your feedback. You didn't reply to the question about the partition structure

5. Therefore, why is fw_storage partition located at 0x400000? It's located into the slot1_partition if I look into the common.dtsi structure.

1. This fw_storage seems important, why is it never mentioned in the "secure" configuration?

2. Do I need to do anything special to populate this partition with the necessary firmwares?

Hello Roman,

I tried to compile and flash (tfm_merged.hex) for basic sample. If I use the zephyr/samples/hello_world I get that:

[INF] Starting bootloader
[WRN] This device was provisioned with dummy keys. This device is NOT SECURE
[INF] PSA Crypto init done, sig_type: EC-P256, using builtin keys
[INF] Image index: 1, Swap type: none
[INF] Image index: 0, Swap type: none
[INF] Bootloader chainload address offset: 0x20000
[INF] Image version: v0.0.0
[INF] Jumping to the first image slot
Booting TF-M v2.2.0+g9a6c6f958
[WRN] This device was provisioned with dummy keys. This device is NOT SECURE
[Sec Thread] Secure image initializing!
[INF][PS] Encryption alg: 0x5500100
[INF][Crypto] Provision entropy seed...
[INF][Crypto] Provision entropy seed... complete.
*** Booting Zephyr OS build nxp-v4.1.0-23883-g5fbcfde7cfc2 ***
Hello World! frdm_rw612/rw612/ns

So everything seems to work as expected.

However, if I use an example which uses WiFi like the zephyr/samples/net/wifi/shell then I get the same output as my firmware (which is using WiFi and BLE):

[INF] Starting bootloader
[WRN] This device was provisioned with dummy keys. This device is NOT SECURE
[INF] PSA Crypto init done, sig_type: EC-P256, using builtin keys
[INF] Image index: 1, Swap type: none
[INF] Image index: 0, Swap type: none
[INF] Bootloader chainload address offset: 0x20000
[INF] Image version: v0.0.0
[INF] Jumping to the first image slot
Booting TF-M v2.2.0+g9a6c6f958
[WRN] This device was provisioned with dummy keys. This device is NOT SECURE
[Sec Thread] Secure image initializing!
[INF][PS] Encryption alg: 0x5500100
[INF][Crypto] Provision entropy seed...
[INF][Crypto] Provision entropy seed... complete.

So the root cause of the issue comes from the Wifi and may be linked to my questions about the firmware partition. Can you please share steps to compile an example with Wifi and tf-m?