diff --git a/.github/test-spec.yml b/.github/test-spec.yml new file mode 100644 index 00000000000..e29e7d1dbc2 --- /dev/null +++ b/.github/test-spec.yml @@ -0,0 +1,106 @@ +# This is the Jenkins ci variant of the .github/labler.yaml +"CI-iot-samples-test": + - "boards/arm/nrf9160dk_nrf9160/**/*" + - "dts/arm/nordic/nrf9160*" + - "include/net/**/*" + - "subsys/net/lib/**/*" + +"CI-iot-libraries-test": + - "boards/arm/nrf9160dk_nrf9160/**/*" + - "dts/arm/nordic/nrf9160*" + - "include/net/socket_ncs.h" + - "subsys/testsuite/ztest/**/*" + +"CI-lwm2m-test": + - "**/*" + +"CI-boot-dfu-test": + - "subsys/mgmt/mcumgr/**/*" + - "subsys/dfu/**/*" + - "include/mgmt/mcumgr/**/*" + - "include/dfu/**/*" + - "samples/subsys/mgmt/mcumgr/smp_svr/**/*" + +"CI-tfm-test": + - "**/*" + +"CI-ble-test": + - "**/*" + +"CI-mesh-test": + - "subsys/bluetooth/mesh/**/*" + - "include/bluetooth/mesh/**/*" + - "samples/bluetooth/mesh/**/*" + - "samples/bluetooth/mesh_demo/**/*" + - "samples/bluetooth/mesh_provisioner/**/*" + - "tests/bluetooth/mesh/**/*" + - "tests/bluetooth/mesh_shell/**/*" + +"CI-zigbee-test": + - "subsys/mgmt/mcumgr/**/*" + - "subsys/dfu/**/*" + - "include/mgmt/mcumgr/**/*" + - "include/dfu/**/*" + +"CI-thingy91-test": + - "**/*" + +"CI-desktop-test": + - "**/*" + +"CI-crypto-test": + - "**/*" + +"CI-rs-test": + - "**/*" + +"CI-homekit-test": + - "include/dfu/**/*" + - "include/mgmt/mcumgr/**/*" + - "soc/arm/nordic_nrf/**/*" + - "subsys/dfu/**/*" + - "subsys/settings/**/*" + - "subsys/net/lib/openthread/**/*" + - "subsys/mgmt/mcumgr/**/*" + - "samples/hci_rpmsg/**/*" + - "samples/subsys/mgmt/mcumgr/smp_svr/**/*" + - any: + - "subsys/bluetooth/**/*" + - "!subsys/bluetooth/mesh/**/*" + +"CI-thread-test": + - "**/*" + +"CI-nfc-test": + - "**/*" + +"CI-matter-test": + - "**/*" + +"CI-find-my-test": + - "**/*" + +"CI-gazell-test": + - "**/*" + +"CI-rpc-test": + - "**/*" + +"CI-modemshell-test": + - "include/net/**/*" + - "include/posix/**/*" + - "include/shell/**/*" + - "drivers/net/**/*" + - "drivers/serial/**/*" + - "drivers/wifi/**/*" + - "subsys/shell/**/*" + - "subsys/net/**/*" + - "subsys/settings/**/*" + +"CI-positioning-test": + - "include/net/**/*" + - "include/posix/**/*" + - "drivers/net/**/*" + - "drivers/wifi/**/*" + - "subsys/net/**/*" + - "subsys/settings/**/*" diff --git a/.github/workflows/bluetooth-tests.yaml b/.github/workflows/bluetooth-tests.yaml index 2f714c06e3d..06027836a9a 100644 --- a/.github/workflows/bluetooth-tests.yaml +++ b/.github/workflows/bluetooth-tests.yaml @@ -49,11 +49,13 @@ jobs: - name: checkout uses: actions/checkout@v2 with: + path: ./zephyr fetch-depth: 0 - name: west setup env: BASE_REF: ${{ github.base_ref }} + working-directory: ./zephyr run: | git config --global user.email "you@example.com" git config --global user.name "Your Name" @@ -64,6 +66,7 @@ jobs: west update 2>&1 1> west.update.log || west update 2>&1 1> west.update2.log - name: Run Bluetooth Tests with BSIM + working-directory: ./zephyr run: | export ZEPHYR_BASE=${PWD} WORK_DIR=${ZEPHYR_BASE}/bsim_bt_out tests/bluetooth/bsim_bt/compile.sh @@ -75,9 +78,7 @@ jobs: uses: actions/upload-artifact@v2 with: name: bluetooth-test-results - path: | - ./bsim_bt_out/bsim_results.xml - ${{ github.event_path }} + path: ./zephyr/bsim_bt_out/bsim_results.xml - name: Upload Event Details if: always() diff --git a/.github/workflows/clang.yaml b/.github/workflows/clang.yaml index 9ff56b9a845..8cbffd5994a 100644 --- a/.github/workflows/clang.yaml +++ b/.github/workflows/clang.yaml @@ -11,7 +11,7 @@ jobs: with: access_token: ${{ github.token }} clang-build: - runs-on: zephyr_runner + runs-on: ubuntu-latest needs: clang-build-prep container: image: ghcr.io/zephyrproject-rtos/ci:v0.23.3 @@ -21,12 +21,13 @@ jobs: strategy: fail-fast: false matrix: - platform: ["native_posix"] + subset: [1, 2, 3, 4, 5] env: ZEPHYR_SDK_INSTALL_DIR: /opt/toolchains/zephyr-sdk-0.14.2 CLANG_ROOT_DIR: /usr/lib/llvm-12 COMMIT_RANGE: ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} BASE_REF: ${{ github.base_ref }} + MATRIX_SIZE: 5 outputs: report_needed: ${{ steps.twister.outputs.report_needed }} steps: @@ -48,8 +49,10 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 persist-credentials: false + path: ./zephyr - name: Environment Setup + working-directory: ./zephyr run: | echo "$HOME/.local/bin" >> $GITHUB_PATH git config --global user.email "bot@zephyrproject.org" @@ -67,6 +70,7 @@ jobs: west update --path-cache /github/cache/zephyrproject 2>&1 1> west.log || west update --path-cache /github/cache/zephyrproject 2>&1 1> west2.log || ( rm -rf ../modules ../bootloader ../tools && west update --path-cache /github/cache/zephyrproject) - name: Check Environment + working-directory: ./zephyr run: | cmake --version ${CLANG_ROOT_DIR}/bin/clang --version @@ -74,6 +78,7 @@ jobs: ls -la - name: Prepare ccache timestamp/data + working-directory: ./zephyr id: ccache_cache_timestamp shell: cmake -P {0} run: | @@ -85,7 +90,7 @@ jobs: id: cache-ccache uses: nashif/action-s3-cache@master with: - key: ${{ steps.ccache_cache_timestamp.outputs.repo }}-${{ github.ref_name }}-clang-${{ matrix.platform }}-ccache + key: ${{ steps.ccache_cache_timestamp.outputs.repo }}-${{ github.ref_name }}-clang-${{ matrix.subset }}-ccache path: /github/home/.ccache aws-s3-bucket: ccache.zephyrproject.org aws-access-key-id: ${{ secrets.CCACHE_S3_ACCESS_KEY_ID }} @@ -93,11 +98,24 @@ jobs: aws-region: us-east-2 - name: ccache stats initial + working-directory: ./zephyr run: | test -d github/home/.ccache && rm -rf /github/home/.ccache && mv github/home/.ccache /github/home/.ccache ccache -M 10G -s + - name: Build test plan with Twister + working-directory: ./zephyr + id: twister_test_plan + run: | + export ZEPHYR_BASE=${PWD} + export ZEPHYR_TOOLCHAIN_VARIANT=llvm + + # check if we need to run a full twister or not based on files changed + python3 ./scripts/ci/test_plan.py -p native_posix -c origin/${BASE_REF}.. + + - name: Run Tests with Twister + working-directory: ./zephyr id: twister run: | export ZEPHYR_BASE=${PWD} @@ -110,13 +128,14 @@ jobs: if [ -s testplan.json ]; then echo "::set-output name=report_needed::1"; # Full twister but with options based on changes - ./scripts/twister --force-color --inline-logs -M -N -v --load-tests testplan.json --retry-failed 2 + ./scripts/twister --inline-logs -M -N -v --load-tests testplan.json --retry-failed 2 --subset ${{matrix.subset}}/${MATRIX_SIZE} else # if nothing is run, skip reporting step echo "::set-output name=report_needed::0"; fi - name: ccache stats post + working-directory: ./zephyr run: | ccache -s @@ -124,8 +143,8 @@ jobs: if: always() && steps.twister.outputs.report_needed != 0 uses: actions/upload-artifact@v2 with: - name: Unit Test Results (Subset ${{ matrix.platform }}) - path: twister-out/twister.xml + name: Unit Test Results (Subset ${{ matrix.subset }}) + path: zephyr/twister-out/twister.xml clang-build-results: name: "Publish Unit Tests Results" diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml index 6b94870749a..13fe24fcb29 100644 --- a/.github/workflows/compliance.yml +++ b/.github/workflows/compliance.yml @@ -12,7 +12,9 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 + path: ./zephyr - name: Run Maintainers Script + working-directory: ./zephyr id: maintainer env: BASE_REF: ${{ github.base_ref }} @@ -32,6 +34,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 + path: ./zephyr - name: cache-pip uses: actions/cache@v1 @@ -47,12 +50,15 @@ jobs: pip3 install west - name: west setup + working-directory: ./zephyr env: BASE_REF: ${{ github.base_ref }} run: | git config --global user.email "you@example.com" git config --global user.name "Your Name" git remote -v + # Sauce tag checks before rebasing + git log --oneline --first-parent origin/${BASE_REF}..HEAD | grep -E -v "\[nrf (mergeup|fromtree|fromlist|noup)\][ ]" && { echo 'Sauce tag missing or invalid, format is "[nrf ] "'; exit 1; } git rebase origin/${BASE_REF} # debug git log --pretty=oneline | head -n 10 @@ -60,6 +66,7 @@ jobs: west update 2>&1 1> west.update.log || west update 2>&1 1> west.update2.log - name: Run Compliance Tests + working-directory: ./zephyr continue-on-error: true id: compliance env: @@ -69,16 +76,17 @@ jobs: # debug ls -la git log --pretty=oneline | head -n 10 - ./scripts/ci/check_compliance.py -m Devicetree -m Gitlint -m Identity -m Nits -m pylint -m checkpatch -m Kconfig -c origin/${BASE_REF}.. + ./scripts/ci/check_compliance.py -m Devicetree -m Gitlint -m Identity -m Nits -m pylint -m checkpatch -m KconfigBasic -c origin/${BASE_REF}.. - name: upload-results uses: actions/upload-artifact@master continue-on-error: True with: name: compliance.xml - path: compliance.xml + path: zephyr/compliance.xml - name: check-warns + working-directory: ./zephyr run: | if [[ ! -s "compliance.xml" ]]; then exit 1; diff --git a/.github/workflows/doc-build.yml b/.github/workflows/doc-build.yml index df584310a54..ef022cdbbd9 100644 --- a/.github/workflows/doc-build.yml +++ b/.github/workflows/doc-build.yml @@ -44,8 +44,11 @@ jobs: steps: - name: checkout uses: actions/checkout@v2 + with: + path: ./zephyr - name: install-pkgs + working-directory: ./zephyr run: | sudo apt-get update sudo apt-get install -y ninja-build graphviz libclang1-9 libclang-cpp9 @@ -57,20 +60,22 @@ jobs: uses: actions/cache@v1 with: path: ~/.cache/pip - key: pip-${{ hashFiles('scripts/requirements-doc.txt') }} + key: pip-${{ hashFiles('zephyr/scripts/requirements-doc.txt') }} - name: install-pip run: | sudo pip3 install -U setuptools wheel pip - pip3 install -r scripts/requirements-doc.txt + pip3 install -r zephyr/scripts/requirements-doc.txt pip3 install west==${WEST_VERSION} pip3 install cmake==${CMAKE_VERSION} - name: west setup + working-directory: ./zephyr run: | west init -l . - name: build-docs + working-directory: ./zephyr run: | if [[ "$GITHUB_REF" =~ "refs/tags/v" ]]; then DOC_TAG="release" @@ -87,6 +92,7 @@ jobs: DOC_TAG=${DOC_TAG} SPHINXOPTS="-q -W -t publish" make -C doc ${DOC_TARGET} - name: compress-docs + working-directory: ./zephyr run: | tar cfJ html-output.tar.xz --directory=doc/_build html @@ -94,7 +100,7 @@ jobs: uses: actions/upload-artifact@master with: name: html-output - path: html-output.tar.xz + path: zephyr/html-output.tar.xz - name: process-pr if: github.event_name == 'pull_request' @@ -125,6 +131,8 @@ jobs: steps: - name: checkout uses: actions/checkout@v2 + with: + path: ./zephyr - name: install-pkgs run: | @@ -135,20 +143,22 @@ jobs: uses: actions/cache@v1 with: path: ~/.cache/pip - key: pip-${{ hashFiles('scripts/requirements-doc.txt') }} + key: pip-${{ hashFiles('zephyr/scripts/requirements-doc.txt') }} - name: install-pip run: | pip3 install -U setuptools wheel pip - pip3 install -r scripts/requirements-doc.txt + pip3 install -r zephyr/scripts/requirements-doc.txt pip3 install west==${WEST_VERSION} pip3 install cmake==${CMAKE_VERSION} - name: west setup + working-directory: ./zephyr run: | west init -l . - name: build-docs + working-directory: ./zephyr run: | if [[ "$GITHUB_REF" =~ "refs/tags/v" ]]; then DOC_TAG="release" @@ -162,4 +172,4 @@ jobs: uses: actions/upload-artifact@master with: name: pdf-output - path: doc/_build/latex/zephyr.pdf + path: zephyr/doc/_build/latex/zephyr.pdf diff --git a/.github/workflows/twister_tests.yml b/.github/workflows/twister_tests.yml index 19f747b0432..b6e93014bba 100644 --- a/.github/workflows/twister_tests.yml +++ b/.github/workflows/twister_tests.yml @@ -28,6 +28,8 @@ jobs: steps: - name: checkout uses: actions/checkout@v2 + with: + path: ./zephyr - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v1 with: @@ -44,6 +46,7 @@ jobs: run: | pip3 install pytest colorama pyyaml ply mock - name: Run pytest + working-directory: ./zephyr env: ZEPHYR_BASE: ./ ZEPHYR_TOOLCHAIN_VARIANT: zephyr diff --git a/.gitlint b/.gitlint index b8d25ce49b9..8a33f140b2a 100644 --- a/.gitlint +++ b/.gitlint @@ -16,7 +16,7 @@ debug = false extra-path=scripts/gitlint [title-max-length-no-revert] -line-length=75 +line-length=120 [body-min-line-count] min-line-count=1 @@ -42,7 +42,7 @@ words=wip [max-line-length-with-exceptions] # B1 = body-max-line-length -line-length=75 +line-length=120 [body-min-length] min-length=3 diff --git a/CODEOWNERS b/CODEOWNERS index 0e25e88fc68..636ef0897c7 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -14,6 +14,7 @@ # * @galak @nashif /.github/ @nashif @stephanosio +/.github/test-spec.yml @nrfconnect/ncs-test-leads /.github/workflows/ @galak @nashif /MAINTAINERS.yml @MaureenHelm /arch/arc/ @abrodkin @ruuddw @evgeniy-paltsev diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 00000000000..3b9cf002239 --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,5 @@ +@Library("CI_LIB") _ + +def pipeline = new ncs.sdk_zephyr.Main() + +pipeline.run(JOB_NAME) diff --git a/Kconfig.zephyr b/Kconfig.zephyr index 411f1dd153f..d2e48cf7988 100644 --- a/Kconfig.zephyr +++ b/Kconfig.zephyr @@ -120,9 +120,7 @@ config FLASH_LOAD_SIZE endif # HAS_FLASH_LOAD_OFFSET config ROM_START_OFFSET - hex - prompt "ROM start offset" if !BOOTLOADER_MCUBOOT - default 0x200 if BOOTLOADER_MCUBOOT + hex "ROM start offset" default 0 help If the application is built for chain-loading by a bootloader this diff --git a/arch/Kconfig b/arch/Kconfig index 944bb959fb7..db41b4b9289 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -706,6 +706,7 @@ menu "Floating Point Options" config FPU bool "Floating point unit (FPU)" depends on CPU_HAS_FPU + depends on !IS_SPM help This option enables the hardware Floating Point Unit (FPU), in order to support using the floating point registers and instructions. diff --git a/boards/arm/circuitdojo_feather_nrf9160/Kconfig.defconfig b/boards/arm/circuitdojo_feather_nrf9160/Kconfig.defconfig index 73648be3ef1..f37bfbf84fb 100644 --- a/boards/arm/circuitdojo_feather_nrf9160/Kconfig.defconfig +++ b/boards/arm/circuitdojo_feather_nrf9160/Kconfig.defconfig @@ -9,6 +9,21 @@ if BOARD_CIRCUITDOJO_FEATHER_NRF9160 || BOARD_CIRCUITDOJO_FEATHER_NRF9160_NS config BOARD default "circuitdojo_feather_nrf9160" +# By default, if we build for a Non-Secure version of the board, +# enable building with TF-M as the Secure Execution Environment. +config BUILD_WITH_TFM + default y if BOARD_CIRCUITDOJO_FEATHER_NRF9160_NS + +if BUILD_WITH_TFM + +# By default, if we build with TF-M, instruct build system to +# flash the combined TF-M (Secure) & Zephyr (Non Secure) image +config TFM_FLASH_MERGED_BINARY + bool + default y + +endif # BUILD_WITH_TFM + # For the secure version of the board the firmware is linked at the beginning # of the flash, or into the code-partition defined in DT if it is intended to # be loaded by MCUboot. If the secure firmware is to be combined with a non- diff --git a/boards/arm/nrf5340dk_nrf5340/Kconfig.defconfig b/boards/arm/nrf5340dk_nrf5340/Kconfig.defconfig index 9b1e2fc3b1a..7ae0d13054b 100644 --- a/boards/arm/nrf5340dk_nrf5340/Kconfig.defconfig +++ b/boards/arm/nrf5340dk_nrf5340/Kconfig.defconfig @@ -128,6 +128,11 @@ endchoice config HEAP_MEM_POOL_SIZE default 4096 if BT_RPMSG +# Application core does not have dependencies to the Controller. +# BT_HCI_VS must be explicitly enabled. +config BT_HCI_VS + default y if BT + endif # BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF5340DK_NRF5340_CPUAPP_NS if BOARD_NRF5340DK_NRF5340_CPUNET diff --git a/boards/arm/sparkfun_thing_plus_nrf9160/Kconfig.defconfig b/boards/arm/sparkfun_thing_plus_nrf9160/Kconfig.defconfig index 8ae5b832d89..3d98b1b4cb4 100644 --- a/boards/arm/sparkfun_thing_plus_nrf9160/Kconfig.defconfig +++ b/boards/arm/sparkfun_thing_plus_nrf9160/Kconfig.defconfig @@ -9,6 +9,21 @@ if BOARD_SPARKFUN_THING_PLUS_NRF9160 || BOARD_SPARKFUN_THING_PLUS_NRF9160_NS config BOARD default "sparkfun_thing_plus_nrf9160" +# By default, if we build for a Non-Secure version of the board, +# enable building with TF-M as the Secure Execution Environment. +config BUILD_WITH_TFM + default y if BOARD_SPARKFUN_THING_PLUS_NRF9160_NS + +if BUILD_WITH_TFM + +# By default, if we build with TF-M, instruct build system to +# flash the combined TF-M (Secure) & Zephyr (Non Secure) image +config TFM_FLASH_MERGED_BINARY + bool + default y + +endif # BUILD_WITH_TFM + # For the secure version of the board the firmware is linked at the beginning # of the flash, or into the code-partition defined in DT if it is intended to # be loaded by MCUboot. If the secure firmware is to be combined with a non- diff --git a/boards/arm/thingy53_nrf5340/Kconfig.defconfig b/boards/arm/thingy53_nrf5340/Kconfig.defconfig index c5ae7da4c3b..aafabf0e9c9 100644 --- a/boards/arm/thingy53_nrf5340/Kconfig.defconfig +++ b/boards/arm/thingy53_nrf5340/Kconfig.defconfig @@ -8,6 +8,21 @@ if BOARD_THINGY53_NRF5340_CPUAPP || BOARD_THINGY53_NRF5340_CPUAPP_NS config BOARD default "thingy53_nrf5340_cpuapp" +# By default, if we build for a Non-Secure version of the board, +# enable building with TF-M as the Secure Execution Environment. +config BUILD_WITH_TFM + default y if BOARD_THINGY53_NRF5340_CPUAPP_NS + +if BUILD_WITH_TFM + +# By default, if we build with TF-M, instruct build system to +# flash the combined TF-M (Secure) & Zephyr (Non Secure) image +config TFM_FLASH_MERGED_BINARY + bool + default y + +endif # BUILD_WITH_TFM + # Code Partition: # # For the secure version of the board the firmware is linked at the beginning diff --git a/cmake/extra_flags.cmake b/cmake/extra_flags.cmake index fa03a87fcc9..f60c0b67ce0 100644 --- a/cmake/extra_flags.cmake +++ b/cmake/extra_flags.cmake @@ -1,10 +1,10 @@ # SPDX-License-Identifier: Apache-2.0 -separate_arguments(EXTRA_CPPFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_CPPFLAGS}) -separate_arguments(EXTRA_LDFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_LDFLAGS}) -separate_arguments(EXTRA_CFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_CFLAGS}) -separate_arguments(EXTRA_CXXFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_CXXFLAGS}) -separate_arguments(EXTRA_AFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_AFLAGS}) +string(REPLACE " " ";" EXTRA_CPPFLAGS_AS_LIST "${EXTRA_CPPFLAGS}") +string(REPLACE " " ";" EXTRA_LDFLAGS_AS_LIST "${EXTRA_LDFLAGS}") +string(REPLACE " " ";" EXTRA_CFLAGS_AS_LIST "${EXTRA_CFLAGS}") +string(REPLACE " " ";" EXTRA_CXXFLAGS_AS_LIST "${EXTRA_CXXFLAGS}") +string(REPLACE " " ";" EXTRA_AFLAGS_AS_LIST "${EXTRA_AFLAGS}") if(EXTRA_CPPFLAGS) zephyr_compile_options(${EXTRA_CPPFLAGS_AS_LIST}) diff --git a/cmake/modules/kernel.cmake b/cmake/modules/kernel.cmake index 7b3bcba679b..6b04bb19f28 100644 --- a/cmake/modules/kernel.cmake +++ b/cmake/modules/kernel.cmake @@ -238,3 +238,7 @@ if("${CMAKE_EXTRA_GENERATOR}" STREQUAL "Eclipse CDT4") include(${ZEPHYR_BASE}/cmake/ide/eclipse_cdt4_generator_amendment.cmake) eclipse_cdt4_generator_amendment(1) endif() + +if(ZEPHYR_NRF_MODULE_DIR) + include(${ZEPHYR_NRF_MODULE_DIR}/cmake/partition_manager.cmake) +endif() diff --git a/cmake/modules/unittest.cmake b/cmake/modules/unittest.cmake index c25f75413d3..19bba50d401 100644 --- a/cmake/modules/unittest.cmake +++ b/cmake/modules/unittest.cmake @@ -8,11 +8,11 @@ enable_language(C CXX ASM) # SOURCES: list of source files, default main.c # INCLUDE: list of additional include paths relative to ZEPHYR_BASE -separate_arguments( EXTRA_CFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_CFLAGS}) -separate_arguments( EXTRA_AFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_AFLAGS}) -separate_arguments(EXTRA_CPPFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_CPPFLAGS}) -separate_arguments(EXTRA_CXXFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_CXXFLAGS}) -separate_arguments(EXTRA_LDFLAGS_AS_LIST UNIX_COMMAND ${EXTRA_LDFLAGS}) +string(REPLACE " " ";" EXTRA_CFLAGS_AS_LIST "${EXTRA_CFLAGS}") +string(REPLACE " " ";" EXTRA_AFLAGS_AS_LIST "${EXTRA_AFLAGS}") +string(REPLACE " " ";" EXTRA_CPPFLAGS_AS_LIST "${EXTRA_CPPFLAGS}") +string(REPLACE " " ";" EXTRA_CXXFLAGS_AS_LIST "${EXTRA_CXXFLAGS}") +string(REPLACE " " ";" EXTRA_LDFLAGS_AS_LIST "${EXTRA_LDFLAGS}") set(ENV_ZEPHYR_BASE $ENV{ZEPHYR_BASE}) # This add support for old style boilerplate include. diff --git a/doc/build/kconfig/setting.rst b/doc/build/kconfig/setting.rst index bad7d094d69..6bc9e7c9f8a 100644 --- a/doc/build/kconfig/setting.rst +++ b/doc/build/kconfig/setting.rst @@ -7,8 +7,7 @@ The :ref:`menuconfig and guiconfig interfaces ` can be used to test out configurations during application development. This page explains how to make settings permanent. -All Kconfig options can be searched in the :ref:`Kconfig search page -`. +All Kconfig options can be searched in the Kconfig search page. .. note:: @@ -115,8 +114,7 @@ Assignments in configuration files are only respected if the dependencies for the symbol are satisfied. A warning is printed otherwise. To figure out what the dependencies of a symbol are, use one of the :ref:`interactive configuration interfaces ` (you can jump directly to a symbol with -:kbd:`/`), or look up the symbol in the :ref:`Kconfig search page -`. +:kbd:`/`), or look up the symbol in the Kconfig search page. .. _initial-conf: diff --git a/doc/connectivity/networking/api/mqtt.rst b/doc/connectivity/networking/api/mqtt.rst index b1090c8d394..dcc71e3320b 100644 --- a/doc/connectivity/networking/api/mqtt.rst +++ b/doc/connectivity/networking/api/mqtt.rst @@ -149,6 +149,7 @@ additional configuration information: tls_config->sec_tag_list = m_sec_tags; tls_config->sec_tag_count = ARRAY_SIZE(m_sec_tags); tls_config->hostname = MQTT_BROKER_HOSTNAME; + tls_config->set_native_tls = true; In this sample code, the ``m_sec_tags`` array holds a list of tags, referencing TLS credentials that the MQTT library should use for authentication. We do not specify @@ -161,6 +162,8 @@ Note, that TLS credentials referenced by the ``m_sec_tags`` array must be registered in the system first. For more information on how to do that, refer to :ref:`secure sockets documentation `. +Finally, ``set_native_tls`` can be optionally set to enable native TLS support instead of offloading TLS operations to the modem. + An example of how to use TLS with MQTT is also present in :ref:`mqtt-publisher-sample`. diff --git a/doc/develop/application/index.rst b/doc/develop/application/index.rst index c5d8a922e22..0704ba388cd 100644 --- a/doc/develop/application/index.rst +++ b/doc/develop/application/index.rst @@ -507,9 +507,8 @@ started. See :ref:`setting_configuration_values` for detailed documentation on setting Kconfig configuration values. The :ref:`initial-conf` section on the same page -explains how the initial configuration is derived. See :ref:`kconfig-search` -for a complete list of configuration options. -See :ref:`hardening` for security information related with Kconfig options. +explains how the initial configuration is derived. See :ref:`hardening` for +security information related with Kconfig options. The other pages in the :ref:`Kconfig section of the manual ` are also worth going through, especially if you planning to add new configuration diff --git a/doc/kconfig.rst b/doc/kconfig.rst deleted file mode 100644 index 1123de2adbd..00000000000 --- a/doc/kconfig.rst +++ /dev/null @@ -1,8 +0,0 @@ -:orphan: - -.. _kconfig-search: - -Kconfig Search -============== - -.. kconfig:search:: diff --git a/drivers/flash/soc_flash_nrf.c b/drivers/flash/soc_flash_nrf.c index 2b81f5e9c99..bc414d1fc74 100644 --- a/drivers/flash/soc_flash_nrf.c +++ b/drivers/flash/soc_flash_nrf.c @@ -37,6 +37,11 @@ LOG_MODULE_REGISTER(flash_nrf); #define SOC_NV_FLASH_NODE DT_INST(0, soc_nv_flash) +#if CONFIG_TRUSTED_EXECUTION_NONSECURE && USE_PARTITION_MANAGER +#include +#include +#endif /* CONFIG_TRUSTED_EXECUTION_NONSECURE && USE_PARTITION_MANAGER */ + #ifndef CONFIG_SOC_FLASH_NRF_RADIO_SYNC_NONE #define FLASH_SLOT_WRITE 7500 #if defined(CONFIG_SOC_FLASH_NRF_PARTIAL_ERASE) @@ -137,6 +142,12 @@ static int flash_nrf_read(const struct device *dev, off_t addr, return 0; } +#if CONFIG_TRUSTED_EXECUTION_NONSECURE && USE_PARTITION_MANAGER && PM_APP_ADDRESS + if (addr < PM_APP_ADDRESS) { + return soc_secure_mem_read(data, (void *)addr, len); + } +#endif + memcpy(data, (void *)addr, len); return 0; diff --git a/drivers/ieee802154/ieee802154_nrf5.c b/drivers/ieee802154/ieee802154_nrf5.c index 634bf9a6bec..e31a99395f5 100644 --- a/drivers/ieee802154/ieee802154_nrf5.c +++ b/drivers/ieee802154/ieee802154_nrf5.c @@ -127,6 +127,7 @@ static void nrf5_rx_thread(void *arg1, void *arg2, void *arg3) struct net_pkt *pkt; struct nrf5_802154_rx_frame *rx_frame; uint8_t pkt_len; + uint8_t *psdu; ARG_UNUSED(arg2); ARG_UNUSED(arg3); @@ -190,8 +191,9 @@ static void nrf5_rx_thread(void *arg1, void *arg2, void *arg3) goto drop; } - nrf_802154_buffer_free_raw(rx_frame->psdu); + psdu = rx_frame->psdu; rx_frame->psdu = NULL; + nrf_802154_buffer_free_raw(psdu); if (LOG_LEVEL >= LOG_LEVEL_DBG) { log_stack_usage(&nrf5_radio->rx_thread); @@ -200,8 +202,9 @@ static void nrf5_rx_thread(void *arg1, void *arg2, void *arg3) continue; drop: - nrf_802154_buffer_free_raw(rx_frame->psdu); + psdu = rx_frame->psdu; rx_frame->psdu = NULL; + nrf_802154_buffer_free_raw(psdu); net_pkt_unref(pkt); } @@ -1139,9 +1142,9 @@ void nrf_802154_energy_detection_failed(nrf_802154_ed_error_t error) } #if defined(CONFIG_NRF_802154_SER_HOST) -void nrf_802154_serialization_error(const nrf_802154_ser_err_data_t *p_err) +void nrf_802154_serialization_error(const nrf_802154_ser_err_data_t *err) { - __ASSERT(false, "802.15.4 serialization error"); + __ASSERT(false, "802.15.4 serialization error: %d", err->reason); } #endif diff --git a/dts/arm/nordic/nrf52840.dtsi b/dts/arm/nordic/nrf52840.dtsi index e3ffd3deb40..3577e1fabee 100644 --- a/dts/arm/nordic/nrf52840.dtsi +++ b/dts/arm/nordic/nrf52840.dtsi @@ -5,7 +5,7 @@ / { chosen { - zephyr,entropy = &rng; + zephyr,entropy = &cryptocell; zephyr,flash-controller = &flash_controller; }; diff --git a/dts/arm/nordic/nrf5340_cpuapp.dtsi b/dts/arm/nordic/nrf5340_cpuapp.dtsi index 8f8cdbc2c9a..53b4f8d4051 100644 --- a/dts/arm/nordic/nrf5340_cpuapp.dtsi +++ b/dts/arm/nordic/nrf5340_cpuapp.dtsi @@ -28,7 +28,7 @@ }; chosen { - zephyr,entropy = &rng_hci; + zephyr,entropy = &cryptocell; zephyr,flash-controller = &flash_controller; }; diff --git a/dts/arm/nordic/nrf5340_cpuappns.dtsi b/dts/arm/nordic/nrf5340_cpuappns.dtsi index e7393b3a900..75f3a191607 100644 --- a/dts/arm/nordic/nrf5340_cpuappns.dtsi +++ b/dts/arm/nordic/nrf5340_cpuappns.dtsi @@ -29,7 +29,7 @@ }; chosen { - zephyr,entropy = &rng_hci; + zephyr,entropy = &cryptocell_sw; zephyr,flash-controller = &flash_controller; }; @@ -54,6 +54,14 @@ ipc { #include "nrf5340_cpuapp_ipc.dtsi" }; + + /* For cryptocell access via platform library; see above */ + cryptocell_sw: cryptocell-sw { + compatible = "nordic,nrf-cc312-sw"; + #address-cells = <0>; + label = "CRYPTOCELL_SW"; + status = "okay"; + }; }; &nvic { diff --git a/dts/arm/nordic/nrf9160.dtsi b/dts/arm/nordic/nrf9160.dtsi index a31eb383111..e0f3337f0b4 100644 --- a/dts/arm/nordic/nrf9160.dtsi +++ b/dts/arm/nordic/nrf9160.dtsi @@ -28,6 +28,7 @@ }; chosen { + zephyr,entropy = &cryptocell; zephyr,flash-controller = &flash_controller; }; diff --git a/dts/arm/nordic/nrf9160ns.dtsi b/dts/arm/nordic/nrf9160ns.dtsi index 1742580e76c..b5852787388 100644 --- a/dts/arm/nordic/nrf9160ns.dtsi +++ b/dts/arm/nordic/nrf9160ns.dtsi @@ -29,6 +29,15 @@ chosen { zephyr,flash-controller = &flash_controller; + + /* + * By default, system entropy comes from the entropy_cc310.c + * driver in the nrf repository. This is devicetree glue + * needed to make the system aware of that fact. Individual + * applications can override this by changing this property + * value. + */ + zephyr,entropy = &cryptocell_sw; }; soc { @@ -54,6 +63,14 @@ label = "GPIOTE_1"; }; }; + + + /* For cryptocell access via platform library; see above */ + cryptocell_sw: cryptocell-sw { + compatible = "nordic,nrf-cc310-sw"; + label = "CRYPTOCELL_SW"; + status = "okay"; + }; }; &nvic { diff --git a/dts/bindings/crypto/nordic,nrf-cc310-sw.yaml b/dts/bindings/crypto/nordic,nrf-cc310-sw.yaml new file mode 100644 index 00000000000..a0724a45938 --- /dev/null +++ b/dts/bindings/crypto/nordic,nrf-cc310-sw.yaml @@ -0,0 +1,17 @@ +# Copyright (c) 2020, Nordic Semiconductor ASA +# SPDX-License-Identifier: Apache-2.0 + +description: | + Stub access to cryptocell via platform driver + + Non-secure configurations can use this compatible to declare + devicetree nodes which access the CC310 via callbacks into secure + code. + +compatible: "nordic,nrf-cc310-sw" + +include: base.yaml + +properties: + label: + required: true diff --git a/dts/bindings/crypto/nordic,nrf-cc312-sw.yaml b/dts/bindings/crypto/nordic,nrf-cc312-sw.yaml new file mode 100644 index 00000000000..9c3f936bf20 --- /dev/null +++ b/dts/bindings/crypto/nordic,nrf-cc312-sw.yaml @@ -0,0 +1,17 @@ +# Copyright (c) 2021, Nordic Semiconductor ASA +# SPDX-License-Identifier: Apache-2.0 + +description: | + Stub access to cryptocell via platform driver + + Non-secure configurations can use this compatible to declare + devicetree nodes which access the CC312 via callbacks into secure + code. + +compatible: "nordic,nrf-cc312-sw" + +include: base.yaml + +properties: + label: + required: true diff --git a/include/zephyr/arch/arm/aarch32/cortex_m/scripts/linker.ld b/include/zephyr/arch/arm/aarch32/cortex_m/scripts/linker.ld index eec04a05222..98a8566ed02 100644 --- a/include/zephyr/arch/arm/aarch32/cortex_m/scripts/linker.ld +++ b/include/zephyr/arch/arm/aarch32/cortex_m/scripts/linker.ld @@ -27,6 +27,35 @@ #define RAMABLE_REGION SRAM #endif +#if USE_PARTITION_MANAGER + +#include + +#if CONFIG_NCS_IS_VARIANT_IMAGE && defined(PM_S0_ID) +/* We are linking against S1, create symbol containing the flash ID of S0. + * This is used when writing code operating on the "other" slot. + */ +_image_1_primary_slot_id = PM_S0_ID; + +#else /* ! CONFIG_NCS_IS_VARIANT_IMAGE */ + +#ifdef PM_S1_ID +/* We are linking against S0, create symbol containing the flash ID of S1. + * This is used when writing code operating on the "other" slot. + */ +_image_1_primary_slot_id = PM_S1_ID; +#endif /* PM_S1_ID */ + +#endif /* CONFIG_NCS_IS_VARIANT_IMAGE */ + +#define ROM_ADDR PM_ADDRESS +#define ROM_SIZE PM_SIZE + +#define RAM_SIZE PM_SRAM_SIZE +#define RAM_ADDR PM_SRAM_ADDRESS + +#else /* ! USE_PARTITION_MANAGER */ + #if !defined(CONFIG_XIP) && (CONFIG_FLASH_SIZE == 0) #define ROM_ADDR RAM_ADDR #else @@ -53,6 +82,23 @@ #define RAM_ADDR CONFIG_SRAM_BASE_ADDRESS #endif +#endif /* USE_PARTITION_MANAGER */ + +#if DT_NODE_HAS_STATUS(DT_CHOSEN(zephyr_ccm), okay) +#define CCM_SIZE DT_REG_SIZE(DT_CHOSEN(zephyr_ccm)) +#define CCM_ADDR DT_REG_ADDR(DT_CHOSEN(zephyr_ccm)) +#endif + +#if DT_NODE_HAS_STATUS(DT_CHOSEN(zephyr_itcm), okay) +#define ITCM_SIZE DT_REG_SIZE(DT_CHOSEN(zephyr_itcm)) +#define ITCM_ADDR DT_REG_ADDR(DT_CHOSEN(zephyr_itcm)) +#endif + +#if DT_NODE_HAS_STATUS(DT_CHOSEN(zephyr_dtcm), okay) +#define DTCM_SIZE DT_REG_SIZE(DT_CHOSEN(zephyr_dtcm)) +#define DTCM_ADDR DT_REG_ADDR(DT_CHOSEN(zephyr_dtcm)) +#endif + #if defined(CONFIG_CUSTOM_SECTION_ALIGN) _region_min_align = CONFIG_CUSTOM_SECTION_MIN_ALIGN_SIZE; #else diff --git a/include/zephyr/net/mqtt.h b/include/zephyr/net/mqtt.h index 8282092c9e3..79f7402acd9 100644 --- a/include/zephyr/net/mqtt.h +++ b/include/zephyr/net/mqtt.h @@ -350,6 +350,9 @@ struct mqtt_sec_config { /** Indicates the list of security tags to be used for the session. */ sec_tag_t *sec_tag_list; + /** Indicates the preference for enabling TLS session caching. */ + int session_cache; + /** Peer hostname for ceritificate verification. * May be NULL to skip hostname verification. */ @@ -357,6 +360,9 @@ struct mqtt_sec_config { /** Indicates the preference for copying certificates to the heap. */ int cert_nocopy; + + /** Set socket to native TLS */ + bool set_native_tls; }; /** @brief MQTT transport type. */ diff --git a/include/zephyr/net/socket.h b/include/zephyr/net/socket.h index 9ad8c6425d1..a099fa85082 100644 --- a/include/zephyr/net/socket.h +++ b/include/zephyr/net/socket.h @@ -27,6 +27,7 @@ #include #include #include +#include #include #ifdef __cplusplus @@ -138,6 +139,7 @@ struct zsock_pollfd { */ #define TLS_DTLS_HANDSHAKE_TIMEOUT_MIN 8 #define TLS_DTLS_HANDSHAKE_TIMEOUT_MAX 9 + /** Socket option for preventing certificates from being copied to the mbedTLS * heap if possible. The option is only effective for DER certificates and is * ignored for PEM certificates. diff --git a/include/zephyr/net/socket_ncs.h b/include/zephyr/net/socket_ncs.h new file mode 100644 index 00000000000..2d9c99185ec --- /dev/null +++ b/include/zephyr/net/socket_ncs.h @@ -0,0 +1,101 @@ +/* + * Copyright (c) 2021 Nordic Semiconductor + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#ifndef ZEPHYR_INCLUDE_NET_SOCKET_NCS_H_ +#define ZEPHYR_INCLUDE_NET_SOCKET_NCS_H_ + +/** + * @file + * @brief NCS specific additions to the BSD sockets API definitions + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/* When CONFIG_NET_SOCKETS_OFFLOAD is enabled, offloaded sockets take precedence + * when creating a new socket. Combine this flag with a socket type when + * creating a socket, to enforce native socket creation (e. g. SOCK_STREAM | SOCK_NATIVE). + * If it's desired to create a native TLS socket, but still offload the + * underlying TCP/UDP socket, use e. g. SOCK_STREAM | SOCK_NATIVE_TLS. + */ +#define SOCK_NATIVE 0x80000000 +#define SOCK_NATIVE_TLS 0x40000000 + +/* NCS specific TLS options */ + +/** Socket option to set DTLS handshake timeout, specifically for nRF sockets. + * The option accepts an integer, indicating the total handshake timeout, + * including retransmissions, in seconds. + * Accepted values for the option are: 1, 3, 7, 15, 31, 63, 123. + */ +#define TLS_DTLS_HANDSHAKE_TIMEO 14 + +/* Valid values for TLS_SESSION_CACHE option */ +#define TLS_SESSION_CACHE_DISABLED 0 /**< Disable TLS session caching. */ +#define TLS_SESSION_CACHE_ENABLED 1 /**< Enable TLS session caching. */ + +/* Valid values for TLS_DTLS_HANDSHAKE_TIMEO option */ +#define TLS_DTLS_HANDSHAKE_TIMEO_1S 1 /**< 1 second */ +#define TLS_DTLS_HANDSHAKE_TIMEO_3S 3 /**< 1s + 2s */ +#define TLS_DTLS_HANDSHAKE_TIMEO_7S 7 /**< 1s + 2s + 4s */ +#define TLS_DTLS_HANDSHAKE_TIMEO_15S 15 /**< 1s + 2s + 4s + 8s */ +#define TLS_DTLS_HANDSHAKE_TIMEO_31S 31 /**< 1s + 2s + 4s + 8s + 16s */ +#define TLS_DTLS_HANDSHAKE_TIMEO_63S 63 /**< 1s + 2s + 4s + 8s + 16s + 32s */ +#define TLS_DTLS_HANDSHAKE_TIMEO_123S 123 /**< 1s + 2s + 4s + 8s + 16s + 32s + 60s */ + +/* NCS specific socket options */ + +/** sockopt: disable all replies to unexpected traffics */ +#define SO_SILENCE_ALL 30 +/** sockopt: disable IPv4 ICMP replies */ +#define SO_IP_ECHO_REPLY 31 +/** sockopt: disable IPv6 ICMP replies */ +#define SO_IPV6_ECHO_REPLY 32 +/** sockopt: Release Assistance Indication feature: This will indicate that the + * next call to send/sendto will be the last one for some time. + */ +#define SO_RAI_LAST 50 +/** sockopt: Release Assistance Indication feature: This will indicate that the + * application will not send any more data. + */ +#define SO_RAI_NO_DATA 51 +/** sockopt: Release Assistance Indication feature: This will indicate that + * after the next call to send/sendto, the application is expecting to receive + * one more data packet before this socket will not be used again for some time. + */ +#define SO_RAI_ONE_RESP 52 +/** sockopt: Release Assistance Indication feature: If a client application + * expects to use the socket more it can indicate that by setting this socket + * option before the next send call which will keep the network up longer. + */ +#define SO_RAI_ONGOING 53 +/** sockopt: Release Assistance Indication feature: If a server application + * expects to use the socket more it can indicate that by setting this socket + * option before the next send call. + */ +#define SO_RAI_WAIT_MORE 54 +/** sockopt: Configurable TCP server session timeout in minutes. + * Range is 0 to 135. 0 is no timeout and 135 is 2 h 15 min. Default is 0 (no timeout). + */ +#define SO_TCP_SRV_SESSTIMEO 55 + +/* NCS specific gettaddrinfo() flags */ + +/** Assume `service` contains a Packet Data Network (PDN) ID. + * When specified together with the AI_NUMERICSERV flag, + * `service` shall be formatted as follows: "port:pdn_id" + * where "port" is the port number and "pdn_id" is the PDN ID. + * Example: "8080:1", port 8080 PDN ID 1. + * Example: "42:0", port 42 PDN ID 0. + */ +#define AI_PDNSERV 0x1000 + +#ifdef __cplusplus +} +#endif + +#endif /* ZEPHYR_INCLUDE_NET_SOCKET_NCS_H_ */ diff --git a/include/zephyr/storage/flash_map.h b/include/zephyr/storage/flash_map.h index 5793a6eef11..b56cc76dbdd 100644 --- a/include/zephyr/storage/flash_map.h +++ b/include/zephyr/storage/flash_map.h @@ -257,6 +257,10 @@ const struct device *flash_area_get_device(const struct flash_area *fa); */ uint8_t flash_area_erased_val(const struct flash_area *fa); +#if USE_PARTITION_MANAGER +#include +#else + #define FLASH_AREA_LABEL_EXISTS(label) \ DT_HAS_FIXED_PARTITION_LABEL(label) @@ -282,6 +286,9 @@ uint8_t flash_area_erased_val(const struct flash_area *fa); #define FLASH_AREA_DEVICE(label) \ DEVICE_DT_GET(DT_MTD_FROM_FIXED_PARTITION(DT_NODE_BY_FIXED_PARTITION_LABEL(label))) + +#endif /* USE_PARTITION_MANAGER */ + #ifdef __cplusplus } #endif diff --git a/kernel/atomic_c.c b/kernel/atomic_c.c index 6cacedbcd6b..476f9543b4e 100644 --- a/kernel/atomic_c.c +++ b/kernel/atomic_c.c @@ -34,7 +34,7 @@ static struct k_spinlock lock; /* For those rare CPUs which support user mode, but not native atomic * operations, the best we can do for them is implement the atomic * functions as system calls, since in user mode locking a spinlock is - * forbidden. + * forbidden. */ #ifdef CONFIG_USERSPACE #include diff --git a/modules/hal_nordic/Kconfig.dt b/modules/hal_nordic/Kconfig.dt index 1ace20ac4a6..49ea9861fbc 100644 --- a/modules/hal_nordic/Kconfig.dt +++ b/modules/hal_nordic/Kconfig.dt @@ -8,7 +8,9 @@ DT_COMPAT_NORDIC_NRF_ACL := nordic,nrf-acl DT_COMPAT_NORDIC_NRF_ADC := nordic,nrf-adc DT_COMPAT_NORDIC_NRF_BPROT := nordic,nrf-bprot DT_COMPAT_NORDIC_NRF_CC310 := nordic,nrf-cc310 +DT_COMPAT_NORDIC_NRF_CC310_SW := nordic,nrf-cc310-sw DT_COMPAT_NORDIC_NRF_CC312 := nordic,nrf-cc312 +DT_COMPAT_NORDIC_NRF_CC312_SW := nordic,nrf-cc312-sw DT_COMPAT_NORDIC_NRF_CCM := nordic,nrf-ccm DT_COMPAT_NORDIC_NRF_CLOCK := nordic,nrf-clock DT_COMPAT_NORDIC_NRF_COMP := nordic,nrf-comp diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig index 9ec47a72da3..36da7d46b1b 100644 --- a/modules/mbedtls/Kconfig +++ b/modules/mbedtls/Kconfig @@ -13,7 +13,6 @@ config MBEDTLS_PROMPTLESS mbed TLS menu prompt and instead handle the selection of MBEDTLS from dependent sub-configurations and thus prevent stuck symbol behavior. - menuconfig MBEDTLS bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS help @@ -27,6 +26,7 @@ choice MBEDTLS_IMPLEMENTATION config MBEDTLS_BUILTIN bool "Use Zephyr in-tree mbedTLS version" + depends on ! DISABLE_MBEDTLS_BUILTIN help Link with mbedTLS sources included with Zephyr distribution. Included mbedTLS version is well integrated with and supported @@ -40,6 +40,11 @@ config MBEDTLS_LIBRARY endchoice +# subsystems cannot deselect MBEDTLS_BUILTIN, but they can select +# DISABLE_MBEDTLS_BUILTIN. +config DISABLE_MBEDTLS_BUILTIN + bool + config CUSTOM_MBEDTLS_CFG_FILE bool "Custom mbed TLS configuration file" help @@ -167,4 +172,7 @@ config APP_LINK_WITH_MBEDTLS disabled if the include paths for MBEDTLS are causing aliasing issues for 'app'. +# Add PSA configurations +rsource "Kconfig.psa" + endif # MBEDTLS diff --git a/modules/mbedtls/Kconfig.psa b/modules/mbedtls/Kconfig.psa new file mode 100644 index 00000000000..7da962f17e9 --- /dev/null +++ b/modules/mbedtls/Kconfig.psa @@ -0,0 +1,445 @@ +# +# Copyright (c) 2022 Nordic Semiconductor +# +# SPDX-License-Identifier: Apache-2.0 +# +menu "PSA RNG support" + +config PSA_WANT_ALG_CTR_DRBG + bool + prompt "PSA RNG using CTR_DRBG" + help + Provide CTR_DRBG as the random number generator. + Note: This configuration is currently not described and has no effect. + +config PSA_WANT_ALG_HMAC_DRBG + bool + prompt "PSA RNG using HMAC_DRBG" + help + Provide HMAC_DRBG as the random number generator. + Note: This configuration is currently not described and has no effect. + +endmenu # RNG support + +menu "PSA Key support" + +config PSA_HAS_KEY_SUPPORT + bool + default y + depends on PSA_WANT_KEY_TYPE_DERIVE || \ + PSA_WANT_KEY_TYPE_HMAC || \ + PSA_WANT_KEY_TYPE_AES || \ + PSA_WANT_KEY_TYPE_ARIA || \ + PSA_WANT_KEY_TYPE_CAMELLIA || \ + PSA_WANT_KEY_TYPE_CHACHA20 || \ + PSA_WANT_KEY_TYPE_DES || \ + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR || \ + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY || \ + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR || \ + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + +config PSA_WANT_KEY_TYPE_DERIVE + bool + prompt "PSA Key derivation support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_KEY_TYPE_HMAC + bool + prompt "PSA Key type HMAC support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + depends on PSA_HAS_MAC_SUPPORT + +config PSA_WANT_KEY_TYPE_AES + bool + prompt "PSA Key Type AES support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + depends on PSA_HAS_CIPHER_SUPPORT || PSA_HAS_AEAD_SUPPORT + +config PSA_WANT_KEY_TYPE_ARIA + bool + default y if !PSA_DEFAULT_OFF + help + Currently not supported + +config PSA_WANT_KEY_TYPE_CAMELLIA + bool + depends on PSA_HAS_CIPHER_SUPPORT + help + Currently not supported + +config PSA_WANT_KEY_TYPE_CHACHA20 + bool + prompt "PSA Key type Chacha20 support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + depends on PSA_WANT_ALG_CHACHA20_POLY1305 + +config PSA_WANT_KEY_TYPE_DES + bool + depends on PSA_HAS_CIPHER_SUPPORT + help + Currently not supported + +config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR + bool + prompt "PSA Key type ECC key pair support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + depends on PSA_HAS_ECC_SUPPORT + +config PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY + bool + prompt "PSA Key type ECC public key support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + depends on PSA_HAS_ECC_SUPPORT + +config PSA_WANT_KEY_TYPE_RAW_DATA + bool + prompt "PSA Key type RAW key support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + bool + prompt "PSA Key type RSA key pair support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + depends on PSA_HAS_RSA_SUPPORT + +config PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + bool + prompt "PSA Key type RSA Public key support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + depends on PSA_HAS_RSA_SUPPORT + +endmenu # PSA_KEY_DERIVATION + +menu "PSA AEAD support" + +config PSA_HAS_AEAD_SUPPORT + bool + default y + depends on PSA_WANT_ALG_CCM || \ + PSA_WANT_ALG_GCM || \ + PSA_WANT_ALG_CHACHA20_POLY1305 + +config PSA_WANT_ALG_CCM + bool + prompt "PSA AES CCM support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_GCM + bool + prompt "PSA AES GCM support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_CHACHA20_POLY1305 + bool + prompt "PSA ChaCha20/Poly1305 support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +endmenu # PSA AEAD support + + +menu "PSA Mac support" + +config PSA_HAS_MAC_SUPPORT + bool + default y + depends on PSA_WANT_ALG_CBC_MAC || \ + PSA_WANT_ALG_CMAC || \ + PSA_WANT_ALG_HMAC + help + Prompt-less configuration that states the PSA APIs enables + a configuration that adds the PSA mac module. + +config PSA_WANT_ALG_CBC_MAC + bool + help + CBC-MAC is not yet supported via the PSA API in Mbed TLS. + +config PSA_WANT_ALG_CMAC + bool + prompt "PSA AES CMAC support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_HMAC + bool + prompt "PSA HMAC support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +endmenu # PSA Mac support + + +menu "PSA Hash support" + +config PSA_HAS_HASH_SUPPORT + bool + default y + depends on PSA_WANT_ALG_SHA_1 || \ + PSA_WANT_ALG_SHA_224 || \ + PSA_WANT_ALG_SHA_256 || \ + PSA_WANT_ALG_SHA_384 || \ + PSA_WANT_ALG_SHA_512 || \ + PSA_WANT_ALG_RIPEMD160 || \ + PSA_WANT_ALG_MD5 + +config PSA_WANT_ALG_SHA_1 + bool + prompt "PSA SHA1 support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_SHA_224 + bool + prompt "PSA SHA-224 support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_SHA_256 + bool + prompt "PSA SSH-256 support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_SHA_384 + bool + prompt "PSA SHA-384 support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_SHA_512 + bool + prompt "PSA SHA-512 support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_RIPEMD160 + bool + prompt "PSA RIPEMD160 support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_MD5 + bool + prompt "PSA MD5 support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +endmenu # PSA Hash support + +menu "PSA Cipher support" + +config PSA_HAS_CIPHER_SUPPORT + bool + default y + depends on PSA_WANT_ALG_ECB_NO_PADDING || \ + PSA_WANT_ALG_CBC_NO_PADDING || \ + PSA_WANT_ALG_CBC_PKCS7 || \ + PSA_WANT_ALG_CFB || \ + PSA_WANT_ALG_CTR || \ + PSA_WANT_ALG_OFB || \ + PSA_WANT_ALG_CTR || \ + PSA_WANT_ALG_XTS + help + Prompt-less configuration that states the PSA APIs enables + a configuration that adds the PSA Cipher module. + +config PSA_WANT_ALG_ECB_NO_PADDING + bool + prompt "PSA AES ECB (no padding)" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_CBC_NO_PADDING + bool + prompt "PSA CBC support (without padding)" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_CBC_PKCS7 + bool + prompt "PSA CBC support (padded with PKCS#7)" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_CFB + bool + prompt "PSA AES CFB support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_CTR + bool + prompt "PSA AES CTR mode support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_OFB + bool + prompt "PSA AES OFB mode support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_XTS + bool + help + AES XTS is currently not supported + +endmenu # PSA Cipher Support + + +menu "PSA Key derivation support" + +config PSA_HAS_KEY_DERIVATION + bool + default y + depends on PSA_WANT_ALG_HKDF || \ + PSA_WANT_ALG_PBKDF2_HMAC || \ + PSA_WANT_ALG_TLS12_PRF || \ + PSA_WANT_ALG_TLS12_PSK_TO_MS + help + Prompt-less configuration that states the PSA APIs enables + a configuration that adds the PSA key derivation module. + +config PSA_WANT_ALG_HKDF + bool + prompt "PSA HKFD support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + depends on PSA_WANT_ALG_HMAC + +config PSA_WANT_ALG_PBKDF2_HMAC + bool + depends on PSA_WANT_ALG_HMAC + help + PBKDF2-HMAC is not yet supported via the PSA APIs in Mbed TLS. + +config PSA_WANT_ALG_TLS12_PRF + bool + prompt "PSA PRF support (TLS1.2)" if !PSA_PROMPTLESS + +config PSA_WANT_ALG_TLS12_PSK_TO_MS + bool + prompt "PSA TLS 1.2 PSK to MS support" if !PSA_PROMPTLESS + +endmenu # PSA Key derivation support + + +menu "PSA Assymetric support" + +config PSA_HAS_ASYM_ENCRYPT_SUPPORT + bool + default y + depends on PSA_WANT_ALG_RSA_OAEP || \ + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + help + Prompt-less configuration that states the PSA APIs enables + a configuration that adds the PSA Assymetric encrypt module. + + +config PSA_HAS_ASYM_SIGN_SUPPORT + bool + default y + depends on PSA_WANT_ALG_ECDSA || \ + PSA_WANT_ALG_RSA_PKCS1V15_SIGN || \ + PSA_WANT_ALG_RSA_PSS + + help + Prompt-less configuration that states the PSA APIs enables + a configuration that adds the PSA Assymetric sign module. + +config PSA_HAS_ECC_SUPPORT + bool + depends on PSA_WANT_ALG_ECDH || PSA_WANT_ALG_ECDSA || PSA_WANT_ALG_DETERMINISTIC_ECDSA + default y + help + Prompt-less configuration that states the PSA APIs enables + a configuration that adds the PSA encrypt/sign module for ECC. + +config PSA_WANT_ALG_ECDH + bool + prompt "PSA ECDH support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_ECDSA + bool + prompt "PSA ECDSA support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ALG_DETERMINISTIC_ECDSA + bool + prompt "PSA ECDSA support (deterministic mode)" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +menu "Elliptic Curve type support" + depends on PSA_HAS_ECC_SUPPORT + +config PSA_WANT_ECC_BRAINPOOL_P_R1_256 + bool + prompt "PSA ECC Brainpool256r1 support" + +config PSA_WANT_ECC_BRAINPOOL_P_R1_384 + bool "PSA ECC Brainpool384r1 support" + +config PSA_WANT_ECC_BRAINPOOL_P_R1_512 + bool "PSA ECC Brainpool512r1 support" + +config PSA_WANT_ECC_MONTGOMERY_255 + bool "PSA ECC Curve25519 support" + +config PSA_WANT_ECC_MONTGOMERY_448 + bool "PSA ECC Curve448 support" + default n + +config PSA_WANT_ECC_SECP_K1_192 + bool "PSA ECC secp192k1 support" + +config PSA_WANT_ECC_SECP_K1_224 + bool + help + SECP224K1 is buggy via the PSA API in Mbed TLS + See https://github.com/ARMmbed/mbedtls/issues/3541 + +config PSA_WANT_ECC_SECP_K1_256 + bool + prompt "PSA ECC secp256k1 support" if !PSA_PROMPTLESS + +config PSA_WANT_ECC_SECP_R1_192 + bool + prompt "PSA ECC secp192r1" if !PSA_PROMPTLESS + +config PSA_WANT_ECC_SECP_R1_224 + bool + prompt "PSA ECC secp224r1" if !PSA_PROMPTLESS + +config PSA_WANT_ECC_SECP_R1_256 + bool + prompt "PSA ECC secp256r1" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF + +config PSA_WANT_ECC_SECP_R1_384 + bool + prompt "PSA ECC secp384r1" if !PSA_PROMPTLESS + +config PSA_WANT_ECC_SECP_R1_521 + bool + prompt "PSA ECC secp521r1" if !PSA_PROMPTLESS + +endmenu # Elliptic Curve type support + +config PSA_HAS_RSA_SUPPORT + bool + depends on PSA_WANT_ALG_RSA_OAEP || \ + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT || \ + PSA_WANT_ALG_RSA_PKCS1V15_SIGN || \ + PSA_WANT_ALG_RSA_PSS + default y + help + Prompt-less configuration that states the PSA APIs enables + a configuration that adds the PSA encrypt/sign module for RSA. + +config PSA_WANT_ALG_RSA_OAEP + bool + prompt "PSA RSA OAEP support" if !PSA_PROMPTLESS + +config PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + bool + prompt "PSA RSA crypt support (PKCS1V15 mode)" if !PSA_PROMPTLESS + +config PSA_WANT_ALG_RSA_PKCS1V15_SIGN + bool + prompt "PSA RSA signature support (PKCS1V15 mode)" if !PSA_PROMPTLESS + +config PSA_WANT_ALG_RSA_PSS + bool + prompt "PSA RSA (PSS mode)" if !PSA_PROMPTLESS + +endmenu # PSA_ASSYMETRIC_SUPPORT + +config PSA_WANT_ALG_STREAM_CIPHER + bool + prompt "PSA stream cipher support" if !PSA_PROMPTLESS + default y if !PSA_DEFAULT_OFF diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic index 183ec0a07b3..7196b70f217 100644 --- a/modules/mbedtls/Kconfig.tls-generic +++ b/modules/mbedtls/Kconfig.tls-generic @@ -9,6 +9,8 @@ menu "TLS configuration" menu "Supported TLS version" +if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) + config MBEDTLS_TLS_VERSION_1_0 bool "Support for TLS 1.0" select MBEDTLS_CIPHER @@ -33,6 +35,8 @@ config MBEDTLS_DTLS bool "Support for DTLS" depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 +endif + config MBEDTLS_SSL_EXPORT_KEYS bool "Support for exporting SSL key block and master secret" depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 @@ -47,6 +51,8 @@ menu "Ciphersuite configuration" comment "Supported key exchange modes" +if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) + config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED bool "All available ciphersuite modes" select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED @@ -80,6 +86,8 @@ config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +endif + config MBEDTLS_PSK_MAX_LEN int "Max size of TLS pre-shared keys" default 32 @@ -87,6 +95,8 @@ config MBEDTLS_PSK_MAX_LEN help Max size of TLS pre-shared keys, in bytes. +if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) + config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED bool "RSA-only based ciphersuite modes" default y if !NET_L2_OPENTHREAD @@ -119,8 +129,12 @@ if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +endif + comment "Supported elliptic curves" +if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) + config MBEDTLS_ECP_ALL_ENABLED bool "All available elliptic curves" select MBEDTLS_ECP_DP_SECP192R1_ENABLED @@ -182,6 +196,7 @@ config MBEDTLS_ECP_NIST_OPTIM bool "NSIT curves optimization" endif +endif comment "Supported hash" @@ -206,6 +221,8 @@ config MBEDTLS_HASH_SHA512_ENABLED comment "Supported cipher modes" +if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) + config MBEDTLS_CIPHER_ALL_ENABLED bool "All available ciphers" select MBEDTLS_CIPHER_AES_ENABLED @@ -269,8 +286,12 @@ config MBEDTLS_CHACHAPOLY_AEAD_ENABLED bool "ChaCha20-Poly1305 AEAD algorithm" depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED +endif + comment "Supported message authentication methods" +if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) + config MBEDTLS_MAC_ALL_ENABLED bool "All available MAC methods" select MBEDTLS_MAC_MD4_ENABLED @@ -319,10 +340,14 @@ config MBEDTLS_MAC_CMAC_ENABLED bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers." depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED +endif + endmenu comment "Random number generators" +if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) + config MBEDTLS_CTR_DRBG_ENABLED bool "CTR_DRBG AES-256-based random generator" depends on MBEDTLS_CIPHER_AES_ENABLED @@ -332,14 +357,20 @@ config MBEDTLS_HMAC_DRBG_ENABLED bool "HMAC_DRBG random generator" select MBEDTLS_MD +endif + comment "Other configurations" config MBEDTLS_CIPHER bool "generic cipher layer." +if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) + config MBEDTLS_MD bool "generic message digest layer." +endif + config MBEDTLS_GENPRIME_ENABLED bool "prime-number generation code." @@ -357,10 +388,14 @@ config MBEDTLS_HAVE_ASM of asymmetric cryptography, however this might have an impact on the code size. +if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) + config MBEDTLS_ENTROPY_ENABLED bool "MbedTLS generic entropy pool" depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA384_ENABLED || MBEDTLS_MAC_SHA512_ENABLED +endif + config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED bool "MbedTLS optimizations for OpenThread" depends on NET_L2_OPENTHREAD diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h index 93ddfbbd1ad..b69fe914781 100644 --- a/modules/mbedtls/configs/config-tls-generic.h +++ b/modules/mbedtls/configs/config-tls-generic.h @@ -455,6 +455,10 @@ #include CONFIG_MBEDTLS_USER_CONFIG_FILE #endif +#if defined(CONFIG_NRF_CC3XX_PLATFORM) +#define MBEDTLS_PLATFORM_ZEROIZE_ALT +#endif + #include "mbedtls/check_config.h" #endif /* MBEDTLS_CONFIG_H */ diff --git a/modules/trusted-firmware-m/CMakeLists.txt b/modules/trusted-firmware-m/CMakeLists.txt index 27620c7911f..92f0e3f594e 100644 --- a/modules/trusted-firmware-m/CMakeLists.txt +++ b/modules/trusted-firmware-m/CMakeLists.txt @@ -325,7 +325,9 @@ if (CONFIG_BUILD_WITH_TFM) interface/interface.c ) # Non-Secure interface to request system reboot - zephyr_library_sources_ifdef(CONFIG_TFM_PARTITION_PLATFORM src/reboot.c) + if (CONFIG_TFM_PARTITION_PLATFORM AND NOT CONFIG_TFM_PARTITION_PLATFORM_CUSTOM_REBOOT) + zephyr_library_sources(src/reboot.c) + endif() zephyr_library_sources_ifndef(CONFIG_TFM_PSA_TEST_NONE src/zephyr_tfm_psa_test.c) zephyr_include_directories( diff --git a/modules/trusted-firmware-m/Kconfig.tfm b/modules/trusted-firmware-m/Kconfig.tfm index 99224cc3aae..cb7373b9cbe 100644 --- a/modules/trusted-firmware-m/Kconfig.tfm +++ b/modules/trusted-firmware-m/Kconfig.tfm @@ -167,6 +167,15 @@ config TFM_ITS_MAX_ASSET_SIZE Maximum size (in bytes) of a single asset to be stored in Internal Trusted Storage (ITS). +config TFM_PARTITION_PLATFORM_CUSTOM_REBOOT + bool "Use custom reboot handler" + depends on TFM_PARTITION_PLATFORM + help + Do not include the default zephyr implementation of calling the TF-M + platform reset service. + Instead the application will have to override the weak ARM + implementation of sys_arch_reset(). + config TFM_BL2_NOT_SUPPORTED bool help diff --git a/modules/trusted-firmware-m/Kconfig.tfm.crypto_modules b/modules/trusted-firmware-m/Kconfig.tfm.crypto_modules index 1b4f7e1b17a..eb33b9101bd 100644 --- a/modules/trusted-firmware-m/Kconfig.tfm.crypto_modules +++ b/modules/trusted-firmware-m/Kconfig.tfm.crypto_modules @@ -17,6 +17,7 @@ config TFM_CRYPTO_RNG_MODULE_ENABLED config TFM_CRYPTO_KEY_MODULE_ENABLED bool "KEY crypto module" default y + depends on PSA_HAS_KEY_SUPPORT && NRF_SECURITY help Enables the KEY crypto module within the crypto partition. Unset this option if the functionality provided by 'crypto_key.c' @@ -25,6 +26,7 @@ config TFM_CRYPTO_KEY_MODULE_ENABLED config TFM_CRYPTO_AEAD_MODULE_ENABLED bool "AEAD crypto module" default y + depends on PSA_HAS_AEAD_SUPPORT && NRF_SECURITY help Enables the AEAD crypto module within the crypto partition. Unset this option if the functionality provided by 'crypto_aead.c' @@ -33,6 +35,7 @@ config TFM_CRYPTO_AEAD_MODULE_ENABLED config TFM_CRYPTO_MAC_MODULE_ENABLED bool "MAC crypto module" default y + depends on PSA_HAS_MAC_SUPPORT && NRF_SECURITY help Enables the MAC crypto module within the crypto partition. Unset this option if the functionality provided by 'crypto_mac.c' @@ -41,6 +44,7 @@ config TFM_CRYPTO_MAC_MODULE_ENABLED config TFM_CRYPTO_HASH_MODULE_ENABLED bool "HASH crypto module" default y + depends on PSA_HAS_HASH_SUPPORT && NRF_SECURITY help Enables the HASH crypto module within the crypto partition. Unset this option if the functionality provided by 'crypto_hash.c' @@ -49,6 +53,7 @@ config TFM_CRYPTO_HASH_MODULE_ENABLED config TFM_CRYPTO_CIPHER_MODULE_ENABLED bool "CIPHER crypto module" default y + depends on PSA_HAS_CIPHER_SUPPORT && NRF_SECURITY help Enables the CIPHER crypto module within the crypto partition. Unset this option if the functionality provided by 'crypto_cipher.c' @@ -57,6 +62,7 @@ config TFM_CRYPTO_CIPHER_MODULE_ENABLED config TFM_CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED bool "ASYM ENCRYPT crypto module" default y + depends on PSA_HAS_ASYM_ENCRYPT_SUPPORT && NRF_SECURITY help Enables the ASYM ENCRYPT crypto module within the crypto partition. Unset this option if the encrypt functionality provided by 'crypto_asymmetric.c' @@ -65,6 +71,7 @@ config TFM_CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED config TFM_CRYPTO_ASYM_SIGN_MODULE_ENABLED bool "ASYM SIGN crypto module" default y + depends on PSA_HAS_ASYM_SIGN_SUPPORT && NRF_SECURITY help Enables the ASYM SIGN crypto module within the crypto partition. Unset this option if the sign functionality provided by 'crypto_asymmetric.c' @@ -73,6 +80,7 @@ config TFM_CRYPTO_ASYM_SIGN_MODULE_ENABLED config TFM_CRYPTO_KEY_DERIVATION_MODULE_ENABLED bool "KEY DERIVATION crypto module" default y + depends on PSA_HAS_KEY_DERIVATION && NRF_SECURITY help Enables the KEY_DERIVATION crypto module within the crypto partition. Unset this option if the functionality provided by 'crypto_key_derivation.c' diff --git a/samples/bluetooth/hci_pwr_ctrl/child_image/hci_rpmsg.conf b/samples/bluetooth/hci_pwr_ctrl/child_image/hci_rpmsg.conf new file mode 100644 index 00000000000..e6749ae6399 --- /dev/null +++ b/samples/bluetooth/hci_pwr_ctrl/child_image/hci_rpmsg.conf @@ -0,0 +1 @@ +CONFIG_BT_CTLR_TX_PWR_DYNAMIC_CONTROL=y diff --git a/samples/subsys/mgmt/mcumgr/smp_svr/child_image/hci_rpmsg.conf b/samples/subsys/mgmt/mcumgr/smp_svr/child_image/hci_rpmsg.conf new file mode 100644 index 00000000000..98260877332 --- /dev/null +++ b/samples/subsys/mgmt/mcumgr/smp_svr/child_image/hci_rpmsg.conf @@ -0,0 +1,10 @@ +# +# Copyright (c) 2022 Nordic Semiconductor +# +# SPDX-License-Identifier: Apache-2.0 +# + +CONFIG_BT_MAX_CONN=2 +CONFIG_BT_BUF_ACL_RX_SIZE=502 +CONFIG_BT_BUF_ACL_TX_SIZE=502 +CONFIG_BT_CTLR_DATA_LENGTH_MAX=251 diff --git a/scripts/ci/check_compliance.py b/scripts/ci/check_compliance.py index 3a0e890bbe7..dbc66789394 100755 --- a/scripts/ci/check_compliance.py +++ b/scripts/ci/check_compliance.py @@ -259,6 +259,13 @@ def get_modules(self, modules_file): modules = [name for name in os.listdir(modules_dir) if os.path.exists(os.path.join(modules_dir, name, 'Kconfig'))] + nrf_modules_dir = ZEPHYR_BASE + '/../nrf/modules' + nrf_modules = [] + if os.path.exists(nrf_modules_dir): + nrf_modules = [name for name in os.listdir(nrf_modules_dir) if + os.path.exists(os.path.join(nrf_modules_dir, name, + 'Kconfig'))] + with open(modules_file, 'r') as fp_module_file: content = fp_module_file.read() @@ -268,6 +275,15 @@ def get_modules(self, modules_file): re.sub('[^a-zA-Z0-9]', '_', module).upper(), modules_dir + '/' + module + '/Kconfig' )) + for module in nrf_modules: + fp_module_file.write("ZEPHYR_{}_KCONFIG = {}\n".format( + re.sub('[^a-zA-Z0-9]', '_', module).upper(), + nrf_modules_dir + '/' + module + '/Kconfig' + )) + fp_module_file.write("NCS_{}_KCONFIG = {}\n".format( + re.sub('[^a-zA-Z0-9]', '_', module).upper(), + modules_dir + '/' + module + '/Kconfig' + )) fp_module_file.write(content) def parse_kconfig(self): diff --git a/soc/arm/common/cortex_m/arm_mpu_regions.c b/soc/arm/common/cortex_m/arm_mpu_regions.c index 477dc30566c..d44c2ee05b3 100644 --- a/soc/arm/common/cortex_m/arm_mpu_regions.c +++ b/soc/arm/common/cortex_m/arm_mpu_regions.c @@ -9,6 +9,9 @@ #include #include "arm_mpu_mem_cfg.h" +#if USE_PARTITION_MANAGER +#include +#endif static const struct arm_mpu_region mpu_regions[] = { /* Region 0 */ @@ -22,6 +25,14 @@ static const struct arm_mpu_region mpu_regions[] = { #endif /* Region 1 */ MPU_REGION_ENTRY("SRAM_0", +#if USE_PARTITION_MANAGER + PM_SRAM_ADDRESS, +#if defined(CONFIG_ARMV8_M_BASELINE) || defined(CONFIG_ARMV8_M_MAINLINE) + REGION_RAM_ATTR(PM_SRAM_ADDRESS, PM_SRAM_SIZE)), +#else + REGION_RAM_ATTR(REGION_SRAM_SIZE)), +#endif +#else CONFIG_SRAM_BASE_ADDRESS, #if defined(CONFIG_ARMV8_M_BASELINE) || defined(CONFIG_ARMV8_M_MAINLINE) REGION_RAM_ATTR(CONFIG_SRAM_BASE_ADDRESS, \ @@ -30,6 +41,8 @@ static const struct arm_mpu_region mpu_regions[] = { REGION_RAM_ATTR(REGION_SRAM_SIZE)), #endif +#endif /* USE_PARTITION_MANAGER */ + /* DT-defined regions */ LINKER_DT_REGION_MPU(ARM_MPU_REGION_INIT) }; diff --git a/soc/arm/nordic_nrf/Kconfig.peripherals b/soc/arm/nordic_nrf/Kconfig.peripherals index f5ae9041b6e..3b2c3c438ee 100644 --- a/soc/arm/nordic_nrf/Kconfig.peripherals +++ b/soc/arm/nordic_nrf/Kconfig.peripherals @@ -13,10 +13,10 @@ config HAS_HW_NRF_BPROT def_bool $(dt_compat_enabled,$(DT_COMPAT_NORDIC_NRF_BPROT)) config HAS_HW_NRF_CC310 - def_bool $(dt_compat_enabled,$(DT_COMPAT_NORDIC_NRF_CC310)) + def_bool $(dt_compat_enabled,$(DT_COMPAT_NORDIC_NRF_CC310)) || $(dt_compat_enabled,$(DT_COMPAT_NORDIC_NRF_CC310_SW)) config HAS_HW_NRF_CC312 - def_bool $(dt_compat_enabled,$(DT_COMPAT_NORDIC_NRF_CC312)) + def_bool $(dt_compat_enabled,$(DT_COMPAT_NORDIC_NRF_CC312)) || $(dt_compat_enabled,$(DT_COMPAT_NORDIC_NRF_CC312_SW)) config HAS_HW_NRF_CCM def_bool $(dt_compat_enabled,$(DT_COMPAT_NORDIC_NRF_CCM)) diff --git a/subsys/bluetooth/Kconfig.adv b/subsys/bluetooth/Kconfig.adv index 5033b4d755c..7523742a204 100644 --- a/subsys/bluetooth/Kconfig.adv +++ b/subsys/bluetooth/Kconfig.adv @@ -5,9 +5,8 @@ # SPDX-License-Identifier: Apache-2.0 config BT_EXT_ADV - bool "Extended Advertising and Scanning support [EXPERIMENTAL]" + bool "Extended Advertising and Scanning support" depends on !BT_CTLR || BT_CTLR_ADV_EXT_SUPPORT - select EXPERIMENTAL help Select this to enable Extended Advertising API support. This enables support for advertising with multiple advertising sets, diff --git a/subsys/bluetooth/controller/Kconfig b/subsys/bluetooth/controller/Kconfig index 0dbd9357042..f0bca487b8f 100644 --- a/subsys/bluetooth/controller/Kconfig +++ b/subsys/bluetooth/controller/Kconfig @@ -95,7 +95,8 @@ choice BT_LL_CHOICE Select the Bluetooth Link Layer to compile. config BT_LL_SW_SPLIT - bool "Software-based BLE Link Layer" + bool "Software-based BLE Link Layer [EXPERIMENTAL]" + select EXPERIMENTAL select ENTROPY_GENERATOR select NRF_HW_TIMER0_RESERVED select NRF_HW_RTC0_RESERVED diff --git a/subsys/bluetooth/host/Kconfig.l2cap b/subsys/bluetooth/host/Kconfig.l2cap index baaac75903e..408434b6d09 100644 --- a/subsys/bluetooth/host/Kconfig.l2cap +++ b/subsys/bluetooth/host/Kconfig.l2cap @@ -48,7 +48,8 @@ config BT_L2CAP_DYNAMIC_CHANNEL allowing the creation of dynamic L2CAP Channels. config BT_L2CAP_ECRED - bool "L2CAP Enhanced Credit Based Flow Control support" + bool "L2CAP Enhanced Credit Based Flow Control support [EXPERIMENTAL]" + select EXPERIMENTAL depends on BT_L2CAP_DYNAMIC_CHANNEL help This option enables support for LE Connection oriented Channels with diff --git a/subsys/fs/littlefs_fs.c b/subsys/fs/littlefs_fs.c index 17c81cb62a9..2cc92e3396b 100644 --- a/subsys/fs/littlefs_fs.c +++ b/subsys/fs/littlefs_fs.c @@ -902,6 +902,12 @@ static const struct fs_file_system_t littlefs_fs = { .statvfs = littlefs_statvfs, }; +#ifdef USE_PARTITION_MANAGER +#define _LFS_USE_NCS_PM 1 +#else +#define _LFS_USE_NCS_PM 0 +#endif + #define DT_DRV_COMPAT zephyr_fstab_littlefs #define FS_PARTITION(inst) DT_PHANDLE_BY_IDX(DT_DRV_INST(inst), partition, 0) #define FS_PARTITION_LABEL(inst) DT_STRING_TOKEN(FS_PARTITION(inst), label) @@ -937,7 +943,11 @@ struct fs_mount_t FS_FSTAB_ENTRY(DT_DRV_INST(inst)) = { \ .type = FS_LITTLEFS, \ .mnt_point = DT_INST_PROP(inst, mount_point), \ .fs_data = &fs_data_##inst, \ - .storage_dev = (void *)FLASH_AREA_ID(FS_PARTITION_LABEL(inst)), \ + .storage_dev = (void *) (_LFS_USE_NCS_PM ?\ + COND_CODE_1(FLASH_AREA_LABEL_EXISTS(littlefs_storage), \ + (FLASH_AREA_ID(littlefs_storage)), \ + (FLASH_AREA_ID(storage))) :\ + FLASH_AREA_ID(FS_PARTITION_LABEL(inst))), \ .flags = FSTAB_ENTRY_DT_MOUNT_FLAGS(DT_DRV_INST(inst)), \ }; diff --git a/subsys/ipc/ipc_service/backends/ipc_rpmsg_static_vrings.c b/subsys/ipc/ipc_service/backends/ipc_rpmsg_static_vrings.c index 3cd21bff0d3..2888c935430 100644 --- a/subsys/ipc/ipc_service/backends/ipc_rpmsg_static_vrings.c +++ b/subsys/ipc/ipc_service/backends/ipc_rpmsg_static_vrings.c @@ -611,8 +611,8 @@ static int backend_init(const struct device *instance) return 0; } -#define DEFINE_BACKEND_DEVICE(i) \ - static struct backend_config_t backend_config_##i = { \ +#define BACKEND_CONFIG_POPULATE(i) \ + { \ .role = DT_ENUM_IDX_OR(DT_DRV_INST(i), role, ROLE_HOST), \ .shm_size = DT_REG_SIZE(DT_INST_PHANDLE(i, memory_region)), \ .shm_addr = DT_REG_ADDR(DT_INST_PHANDLE(i, memory_region)), \ @@ -627,8 +627,10 @@ static int backend_init(const struct device *instance) .buffer_size = DT_INST_PROP_OR(i, zephyr_buffer_size, \ RPMSG_BUFFER_SIZE), \ .id = i, \ - }; \ - \ + } + +#define BACKEND_DEVICE_DEFINE(i) \ + static struct backend_config_t backend_config_##i = BACKEND_CONFIG_POPULATE(i); \ static struct backend_data_t backend_data_##i; \ \ DEVICE_DT_INST_DEFINE(i, \ @@ -640,20 +642,23 @@ static int backend_init(const struct device *instance) CONFIG_IPC_SERVICE_REG_BACKEND_PRIORITY, \ &backend_ops); -DT_INST_FOREACH_STATUS_OKAY(DEFINE_BACKEND_DEVICE) +DT_INST_FOREACH_STATUS_OKAY(BACKEND_DEVICE_DEFINE) -#define BACKEND_CONFIG_INIT(n) &backend_config_##n, +#define BACKEND_CONFIG_DEFINE(i) BACKEND_CONFIG_POPULATE(i), #if defined(CONFIG_IPC_SERVICE_BACKEND_RPMSG_SHMEM_RESET) static int shared_memory_prepare(const struct device *arg) { - static const struct backend_config_t *config[] = { - DT_INST_FOREACH_STATUS_OKAY(BACKEND_CONFIG_INIT) + const struct backend_config_t *backend_config; + const struct backend_config_t backend_configs[] = { + DT_INST_FOREACH_STATUS_OKAY(BACKEND_CONFIG_DEFINE) }; - for (int i = 0; i < DT_NUM_INST_STATUS_OKAY(DT_DRV_COMPAT); i++) { - if (config[i]->role == ROLE_HOST) { - memset((void *) config[i]->shm_addr, 0, VDEV_STATUS_SIZE); + for (backend_config = backend_configs; + backend_config < backend_configs + ARRAY_SIZE(backend_configs); + backend_config++) { + if (backend_config->role == ROLE_HOST) { + memset((void *) backend_config->shm_addr, 0, VDEV_STATUS_SIZE); } } diff --git a/subsys/ipc/rpmsg_service/rpmsg_backend.h b/subsys/ipc/rpmsg_service/rpmsg_backend.h index ab5df7c4297..b4adec43445 100644 --- a/subsys/ipc/rpmsg_service/rpmsg_backend.h +++ b/subsys/ipc/rpmsg_service/rpmsg_backend.h @@ -13,8 +13,35 @@ extern "C" { #endif +#if CONFIG_PARTITION_MANAGER_ENABLED + +#include "pm_config.h" + +#if defined(PM_RPMSG_NRF53_SRAM_ADDRESS) || defined(PM__RPMSG_NRF53_SRAM_ADDRESS) + +#if defined(PM_RPMSG_NRF53_SRAM_ADDRESS) +#define VDEV_START_ADDR PM_RPMSG_NRF53_SRAM_ADDRESS +#define VDEV_SIZE PM_RPMSG_NRF53_SRAM_SIZE +#else +/* The current image is a child image in a different domain than the image + * which defined the required values. To reach the values of the parent domain + * we use the 'PM__' variant of the define. + */ +#define VDEV_START_ADDR PM__RPMSG_NRF53_SRAM_ADDRESS +#define VDEV_SIZE PM__RPMSG_NRF53_SRAM_SIZE +#endif /* defined(PM_RPMSG_NRF53_SRAM_ADDRESS) */ + +#else #define VDEV_START_ADDR CONFIG_RPMSG_SERVICE_SHM_BASE_ADDRESS #define VDEV_SIZE CONFIG_RPMSG_SERVICE_SHM_SIZE +#endif /* defined(PM_RPMSG_NRF53_SRAM_ADDRESS) || defined(PM__RPMSG_NRF53_SRAM_ADDRESS) */ + +#else + +#define VDEV_START_ADDR CONFIG_RPMSG_SERVICE_SHM_BASE_ADDRESS +#define VDEV_SIZE CONFIG_RPMSG_SERVICE_SHM_SIZE + +#endif /* CONFIG_PARTITION_MANAGER_ENABLED */ #define VDEV_STATUS_ADDR VDEV_START_ADDR #define VDEV_STATUS_SIZE 0x400 diff --git a/subsys/net/lib/lwm2m/Kconfig b/subsys/net/lib/lwm2m/Kconfig index 779ac992eb5..4f76fe21344 100644 --- a/subsys/net/lib/lwm2m/Kconfig +++ b/subsys/net/lib/lwm2m/Kconfig @@ -44,9 +44,6 @@ config LWM2M_SHELL config LWM2M_DTLS_SUPPORT bool "DTLS support in the LwM2M client" - select TLS_CREDENTIALS - select NET_SOCKETS_SOCKOPT_TLS - select NET_SOCKETS_ENABLE_DTLS choice prompt "LwM2M Security object version" diff --git a/subsys/net/lib/lwm2m/lwm2m_engine.c b/subsys/net/lib/lwm2m/lwm2m_engine.c index dc39c364513..d1e28b558bf 100644 --- a/subsys/net/lib/lwm2m/lwm2m_engine.c +++ b/subsys/net/lib/lwm2m/lwm2m_engine.c @@ -5862,7 +5862,7 @@ static void socket_loop(void) } } -#if defined(CONFIG_LWM2M_DTLS_SUPPORT) +#if defined(CONFIG_LWM2M_DTLS_SUPPORT) && defined(CONFIG_TLS_CREDENTIALS) static int load_tls_credential(struct lwm2m_ctx *client_ctx, uint16_t res_id, enum tls_credential_type type) { @@ -5898,7 +5898,7 @@ static int load_tls_credential(struct lwm2m_ctx *client_ctx, uint16_t res_id, return ret; } -#endif /* CONFIG_LWM2M_DTLS_SUPPORT */ +#endif /* CONFIG_LWM2M_DTLS_SUPPORT && CONFIG_TLS_CREDENTIALS*/ int lwm2m_socket_start(struct lwm2m_ctx *client_ctx) { @@ -5915,7 +5915,9 @@ int lwm2m_socket_start(struct lwm2m_ctx *client_ctx) if (ret < 0) { return ret; } - } else { + } +#if defined(CONFIG_TLS_CREDENTIALS) + else { ret = load_tls_credential(client_ctx, 3, TLS_CREDENTIAL_PSK_ID); if (ret < 0) { return ret; @@ -5926,6 +5928,7 @@ int lwm2m_socket_start(struct lwm2m_ctx *client_ctx) return ret; } } +#endif /* CONFIG_TLS_CREDENTIALS */ #endif /* CONFIG_LWM2M_DTLS_SUPPORT */ if (client_ctx->sock_fd < 0) { diff --git a/subsys/net/lib/lwm2m/lwm2m_rw_senml_cbor.c b/subsys/net/lib/lwm2m/lwm2m_rw_senml_cbor.c index 1c0b2f8b30e..3955e562cd8 100644 --- a/subsys/net/lib/lwm2m/lwm2m_rw_senml_cbor.c +++ b/subsys/net/lib/lwm2m/lwm2m_rw_senml_cbor.c @@ -837,7 +837,7 @@ int do_composite_read_op_senml_cbor(struct lwm2m_message *msg) lwm2m_engine_clear_duplicate_path(&lwm_path_list, &lwm_path_free_list); - return do_composite_read_op_for_parsed_path_senml_cbor(msg, &lwm_path_free_list); + return do_composite_read_op_for_parsed_path_senml_cbor(msg, &lwm_path_list); } diff --git a/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c b/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c index 59b11a5b7ed..b5bd419307d 100644 --- a/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c +++ b/subsys/net/lib/mqtt/mqtt_transport_socket_tls.c @@ -22,10 +22,15 @@ int mqtt_client_tls_connect(struct mqtt_client *client) { const struct sockaddr *broker = client->broker; struct mqtt_sec_config *tls_config = &client->transport.tls.config; + int type = SOCK_STREAM; int ret; + if (tls_config->set_native_tls) { + type |= SOCK_NATIVE_TLS; + } + client->transport.tls.sock = zsock_socket(broker->sa_family, - SOCK_STREAM, IPPROTO_TLS_1_2); + type, IPPROTO_TLS_1_2); if (client->transport.tls.sock < 0) { return -errno; } @@ -78,6 +83,16 @@ int mqtt_client_tls_connect(struct mqtt_client *client) } } + if (tls_config->session_cache == TLS_SESSION_CACHE_ENABLED) { + ret = zsock_setsockopt(client->transport.tls.sock, SOL_TLS, + TLS_SESSION_CACHE, + &tls_config->session_cache, + sizeof(tls_config->session_cache)); + if (ret < 0) { + goto error; + } + } + if (tls_config->cert_nocopy != TLS_CERT_NOCOPY_NONE) { ret = zsock_setsockopt(client->transport.tls.sock, SOL_TLS, TLS_CERT_NOCOPY, &tls_config->cert_nocopy,