cpu/nrf9160dk Arm TrustZone-M support#22387
Conversation
AnnsAnns
left a comment
There was a problem hiding this comment.
Hello, thank you for your first PR to RIOT, we always welcome new people (esp. if they PR 2 years of work cough)
Please try to rebase your branch onto the newest RIOT as right now this will not pass Murdock (and I am guessing a lot has happened over that time).
| /* | ||
| * Copyright (C) 2021 Mesotic SAS | ||
| * | ||
| * This file is subject to the terms and conditions of the GNU Lesser | ||
| * General Public License v2.1. See the file LICENSE in the top level | ||
| * directory for more details. | ||
| */ |
There was a problem hiding this comment.
| /* | |
| * Copyright (C) 2021 Mesotic SAS | |
| * | |
| * This file is subject to the terms and conditions of the GNU Lesser | |
| * General Public License v2.1. See the file LICENSE in the top level | |
| * directory for more details. | |
| */ | |
| /* | |
| * SPDX-FileCopyrightText: 2021 Mesotic SAS | |
| * SPDX-License-Identifier: LGPL-2.1-only | |
| */ |
The copyright headers should have the SPDX format, see #21515 for more information.
Please adapt the other newly added files too.
| #ifndef BOARD_H | ||
| #define BOARD_H |
There was a problem hiding this comment.
We replaced the classic headerguards with #pragma once that is between the Copyright header and the Doxygen header, see #21335.
Please adapt all newly added header files yourself.
| * @{ | ||
| */ | ||
| #ifndef RTT_DEV | ||
| #define RTT_DEV (0) /**< NRF_RTC0_S */ |
There was a problem hiding this comment.
| #define RTT_DEV (0) /**< NRF_RTC0_S */ | |
| # define RTT_DEV (0) /**< NRF_RTC0_S */ |
The preprocessor commands between #ifndef and #endif should have indentation, see https://guides.riot-os.org/c_tutorials/coding_conventions/#indentation-of-preprocessor-directives for more information.
Please adapt all the newly added files. Added code to existing files that do not have the indentation yet should "fit in". That means that if it's a self contained block, it should have indentation but if it's code added to a big #if-#else if-#endif structure, the indentation can be omitted.
There was a problem hiding this comment.
We switched from the doc.txt format to doc.md. Please check #21220 for more information.
| ``` | ||
| make BOARD=nrf9160dk -C examples/hello-world term | ||
| ``` |
There was a problem hiding this comment.
| ``` | |
| make BOARD=nrf9160dk -C examples/hello-world term | |
| ``` | |
| ```shell | |
| make BOARD=nrf9160dk-ns -C examples/hello-world term | |
| ``` |
Code blocks with backticks do not need indentation. You can also specify the language for syntax highlighting.
There was a problem hiding this comment.
Also, the board should probably be nrf9160dk-ns.
There was a problem hiding this comment.
| TEST_ASSERT_PSA_SUCCESS(psa_sign_hash(privkey_id, ECC_ALG, hash, sizeof(hash), | |
| signature, sizeof(signature), &sig_length)); | |
| /* verify on original message with internal hashing operation */ | |
| TEST_ASSERT_PSA_SUCCESS(psa_verify_message(pubkey_id, ECC_ALG, msg, sizeof(msg), | |
| signature, sig_length)); |
There was a problem hiding this comment.
wrapped three more lines
There was a problem hiding this comment.
This file is missing the copyright and Doxygen headers.
There was a problem hiding this comment.
Please adapt the long lines accordingly.
There was a problem hiding this comment.
This file is missing the copyright and Doxygen headers.
There was a problem hiding this comment.
| #define TEST_ASSERT_PSA_SUCCESS(func_) TEST_ASSERT_MESSAGE(func_ == PSA_SUCCESS, #func_ " failed"); |
That would bring it to 100 characters total.
|
To be honest I wonder if it even makes sense to create a separate Also I wondered if the Then the modules can extend |
Oh, there is already a |
I'm not sure if using trustzone_m is such a good idea because it's information whether a cpu supports trustzone, not whether a specific build is with a secure firmware and should thus be offset in memory. So, iiuc, the question is feature or pseudomodule? |
The feature mechanism works like that: A CPU/board adds peripherals or "features" to the Then usually a module will specify which features it requires to work with the The application would typically specify add a module or pseudomodule to Since your code doesn't really have the intermediate module/driver, it would be possible to define a ifneq (,$(filter trustzone_m,$(USEMODULE)))
FEATURES_REQUIRED += trustzone_m
endifIt should be possible to add that to Perhaps there are better names than two times |
Yes, that works. |
Contribution description
This PR adds an ARM TrustZone-M TEE (Trusted Execution Environment) as the backend for PSA Crypto
Cryptographic operations using PSA Crypto are funneled to the TEE so that cryptographic material like keys can stay hidden from the non secure world / application.
Parts of RIOT involved:
support, and location/algorithm dispatch to the cryptoservice backend.
the RIOT-TEE secure image, and the Trusted Firmware-M / cc3xx driver sources.
selection via a new
NRF_TRUSTZONE_NONSECUREcompile macro, and TrustZone-Mbuild support.
The initial implementation was done by Lena Boeckmann back in 2024. Lenas masters thesis explains a lot of the architectural work: https://inet.haw-hamburg.de/thesis/completed/ma_lena_boeckmann.pdf/view. I've picked up the stale work in early 2026 and have fixed "some details".
Some open issues are that the CryptoService API (PSA Crypto API backend) (authored by Lars Pfau) hasn't yet been merged into RIOT. As a workaround for now (with agreement from Thomas Schmidt and Lars), I'm providing a temporary version of CryptoService on my GitHub.
The idea was to check in whether this is actually something belonging into riot and to gauge how much more work needs to be poured into this.
Testing procedure
I have an nrf9160-DK board. Running the tests/sys/psa_riot_tee test results in 5 Tests passed. The tests cover key import / sign/verify, sealed key generation + sign/verify, AES-128 CBC/ECV round trips and SHA-256
Issues/PRs references
None
Declaration of AI-Tools / LLMs usage:
I've used claude code
I'm not aware of any AI usage in the commits by Lena Boeckmann.
I myself have used Claude (Opus 4.6 - 4.8) sparingly in the commits in march. Mostly as a sparing partner / for more quickly understanding the architecute.
Before opening the pull request i've let Claude Code (max effort) check the commits for any glaring problems. That's how the commits from 16th June 2026 have come up. Those commits were created in agent mode.