TF-M sources integration to Mbed-OS

[mikisch81]

Description

This PR introduces TF-M sources into Mbed-OS according to ISGDEVPREQ-1027.

TF-M sources were imported into mbed-os tree using the same Importer script as CMSIS, afterwards a series of patches were applied which fix some issues and align the code to work with Mbed-OS.

The TF-M sources were imported from the feature-ipc branch of the TF-M repository, hash 45e5276bc04036654693cbf335829aa15a64ed5f.

Commit 34433bc added a manifest json file which lists the files/folder needed to import and a list of SHAs to apply afterwards.

We did not import TF-M partitions (Crypto, Attestation, etc..) as we are re-using the existing partitions in Mbed-OS (Internal-storage, PSA-Crypto and Platform), commit 42d8f2b adds an auto-generation tool which generated in
commit c855263 all the partitions' header files needed by TF-M core.

Pull request type

[ ] Fix
[ ] Refactor
[ ] Target update
[X] Functionality change
[ ] Docs update
[ ] Test update
[ ] Breaking change

Release notes

The PSA program offers a reference implementation (TF-M) aimed at facilitating the deployment of PSA among RTOS vendors. TF-M is an OS-agnostic project, it presents generic methods to achieve PSA secure partitioning and offer PSA secure services like attestation, secure storage, or crypto. Integrating TF-M allows Mbed OS to achieve PSA compatibility.

Mbed OS has imported the TF-M core to be used by its' own secure services.

Currently only v8m targets can run TF-M, for porting TF-M to be used by a target please refer TF-M integration guide.

Reviewers

@gaborkertesz @ashok-rao @deepikabhavnani @ARMmbed/mbed-os-psa @ARMmbed/mbed-os-tools

[ciarmcom]

@mikisch81, thank you for your changes.
@deepikabhavnani @ashok-rao @ARMmbed/mbed-os-tools @ARMmbed/mbed-os-core @ARMmbed/mbed-os-maintainers please review.

[ciarmcom]

@mikisch81, thank you for your changes.
@deepikabhavnani @ashok-rao @ARMmbed/mbed-os-tools @ARMmbed/mbed-os-core @ARMmbed/mbed-os-maintainers please review.

[ciarmcom]

@mikisch81, thank you for your changes.
@deepikabhavnani @ashok-rao @ARMmbed/mbed-os-tools @ARMmbed/mbed-os-core @ARMmbed/mbed-os-maintainers please review.

[deepikabhavnani]

Thanks for splitting. Looks good to me 👍

[0xc0170]

[X] Functionality change

Please add release notes section, following https://os.mbed.com/docs/mbed-os/v5.11/contributing/workflow.html#functionality-change

[cmonr]

@mikisch81 Good news!

Last 7 commits are from pending PRs to Mbed-OS and should not be reviewed here:

Those two PRs are now merged in to Mbed OS, so rebasing this PR will make them disappear from this PR!

Please do so to make review of this PR a bit cleaner.

[mikisch81]

Rebased this PR on top of master to get all the dependent PRs in.

[mikisch81]

Latest update removes the workaround we did in crypto partition and adds another patch to TF-M sources which fix an internal TF-M issue.

[mikisch81]

@0xc0170 Added release notes

[bridadan]

The tools/tfm folder looks very similar to the existing tools/spm code in terms of the json and py files. Are there plans to merge these in a coming PR? Lots of the code appears to be duplicated.

[bridadan]

Was this rename intentional?

[orenc17]

yes, ITS is the correct name

[bridadan]

This file is identical to the file found here: https://github.com/ARMmbed/mbed-os/tree/master/tools/spm

[orenc17]

it's basically is a duplicate with minor changes, we'll remove the unneeded duplicates

[bridadan]

This file is identical: https://github.com/ARMmbed/mbed-os/blob/master/tools/spm/__init__.py

[bridadan]

This file shares most of the same codes as this one: https://github.com/ARMmbed/mbed-os/blob/master/tools/spm/generate_partition_code.py

There are a decent amount of changes though.

[mikisch81]

Eventually everything under tools/spm will be removed when TFM will support dual-core, it will be easier to remove if it does not share stuff with tools/tfm.

[bridadan]

General question: any reason for going with .inc instead of .h? Mbed OS generally sticks with .h I believe.

[cmonr]

+1
The only other file that uses a .inc suffix in Mbed OS is features/FEATURE_BLE/targets/TARGET_CORDIO_LL/thirdparty/uecc/asm_arm.inc, and even that's third party.

[mikisch81]

These are the partition header files used by TF-M.
TF-M actually generated these files according to their secure partitions manifests.
But because we use our own partitions we need to generate those headers ourselves.
So in order not to change TF-M imported code we keep the same suffix.

[bridadan]

So in order not to change TF-M imported code we keep the same suffix.

Good enough for me!

[bridadan]

Actually, I'm not even sure if our build system picks up .inc files. Looking here: https://github.com/ARMmbed/mbed-os/blob/master/tools/resources/__init__.py#L413-L432

Seems like it won't be brought in as an include directory, does that sound right @theotherjimmy ?

[bridadan]

@mikisch81 I believe that's working because there are other .h files present in the directory, so it is being picked up as an include path. If you removed all of the other .h files and just had .inc files, I don't believe the build system would keep that directory as an include path.

[mikisch81]

One of the generated files is an .h file, so you are probably right, but all these files are generated together and shouldn't move or change afterwards.
We can ask TFM why the inc extension instead of regular .h.

[mikisch81]

@bridadan We really need to avoid changing imported TF-M code, the only exceptions should be blocking issues (like bugs or porting issues).

[bridadan]

If this is a TF-M imported thing then I understand. We should get an issue filed to add .inc to our list of header file types in our build system.

[bridadan]

PR up for this issue: #9715

[cmonr]

@ARMmbed/mbed-os-maintainers Heads up, another large block of code that's about to be ignored by astyle

Might need to talk with techleads about why components seems to be special in regards to code styling.

[mikisch81]

Everything under TARGET_TFM is imported from an external source, so it should be ignored by astyle as I see it.

[0xc0170]

LGTM

[mikisch81]

The tools/tfm folder looks very similar to the existing tools/spm code in terms of the json and py files. Are there plans to merge these in a coming PR? Lots of the code appears to be duplicated.

@bridadan tools/spm contains code generation tools for the 5.11 spm dual-core implementation, in 5.12 we integrate TFM v8m spm implementation which generate different files. Because we still need to support dual-core spm (we are currently in the process of contributing dual-core spm to TFM) we need to keep both generation tools.

[bridadan]

I understand @mikisch81. Definitely want to keep compatibility with what was delivered in 5.11. In the future are the tfm and spm tools expected to merge? Or will they always stay separate for versioning reasons?

Looking at the main generate_partition_code.py files, they seem to share over 50% of the same code. If the goal is to merge these tools one day, perhaps the two files could make use of a common module?

[mikisch81]

@bridadan as soon as TFM will have dual-core support we will do a new import and regenerate the needed files again. There is no versioning constraint here

[mikisch81]

Looking at the main generate_partition_code.py files, they seem to share over 50% of the same code. If the goal is to merge these tools one day, perhaps the two files could make use of a common module?

I am working on consolidating tools/spm and tools/tfm together, will update PR when ready.

[mikisch81]

Rebased PR on top of master

[mikisch81]

This needs to be added here : https://github.com/ARMmbed/mbed-os/blob/master/LICENSE . Also the 3rd party code needs license files in its folder (see https://os.mbed.com/docs/mbed-os/v5.11/contributing/license.html - Using different license). Briefly, add bsd 3 clause license file and LICENSE file to describe the license as in the license guide.

@0xc0170 Done

[0xc0170]

I'll run CI. @SenRamakri / @donatieng final review call

[0xc0170]

CI started meanwhile

[ashok-rao]

Approved based on email discussions. Musca related items will be coming in #9221

[mbed-ci]

Test run: SUCCESS

Summary: 12 of 12 test jobs passed
Build number : 3
Build artifacts

[SenRamakri]

I have minor comments/questions and would be good if you can answer them, but they are not blockers, so approved.

[SenRamakri]

Does these enums require Doxygen comments?

[mikisch81]

This file is also imported.

[SenRamakri]

Should TFM_STACK_SIZE be configurable, driven from config files? On what basis we are hardcoding this to 1024?

[mikisch81]

Actually each partitions' stack size is configured in their manifest, this is one of our patches to TFM code, see commit fc78640, so TFM_STACK_SIZE is not used anymore.

[SenRamakri]

Minor thing, but can't we just break here(right after fail_cnt++) instead of looping again? Or is it really required to call err_handler for each error?

[mikisch81]

This file is imported from TFM repository (same as cmsis code), we added patches but they are mainly fixes for issues which were raised during the Musca port.

[SenRamakri]

FixMe?? Should this be fixed?

[mikisch81]

This file is also imported.

[cmonr]

Final review responses look alright. Merging.