Bluetooth: Mesh: add tf-m support for ble mesh

include/zephyr/bluetooth/mesh/keys.h

@@ -12,15 +12,15 @@
 #define ZEPHYR_INCLUDE_BLUETOOTH_MESH_KEYS_H_
 
 #include <stdint.h>
-#if defined CONFIG_BT_MESH_USES_MBEDTLS_PSA
+#if defined CONFIG_BT_MESH_USES_MBEDTLS_PSA || defined CONFIG_BT_MESH_USES_TFM_PSA
 #include <psa/crypto.h>
 #endif
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-#if defined CONFIG_BT_MESH_USES_MBEDTLS_PSA
+#if defined CONFIG_BT_MESH_USES_MBEDTLS_PSA || defined CONFIG_BT_MESH_USES_TFM_PSA
 
 /** The structure that keeps representation of key. */
 struct bt_mesh_key {

samples/bluetooth/hci_rpmsg/nrf5340_cpunet_bt_mesh-bt_ll_sw_split.conf

@@ -0,0 +1,33 @@
+CONFIG_IPC_SERVICE=y
+CONFIG_MBOX=y
+
+CONFIG_HEAP_MEM_POOL_SIZE=8192
+
+CONFIG_MAIN_STACK_SIZE=512
+CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=512
+
+CONFIG_BT=y
+CONFIG_BT_HCI_RAW=y
+CONFIG_BT_HCI_RAW_RESERVE=1
+CONFIG_BT_MAX_CONN=16
+
+
+# Workaround: Unable to allocate command buffer when using K_NO_WAIT since
+# Host number of completed commands does not follow normal flow control.
+CONFIG_BT_BUF_CMD_TX_COUNT=10
+
+# Controller
+CONFIG_BT_LL_SW_SPLIT=y
+
+# Disable unused Bluetooth features
+CONFIG_BT_CTLR_DUP_FILTER_LEN=0
+CONFIG_BT_CTLR_LE_ENC=n
+CONFIG_BT_CTLR_LE_PING=n
+CONFIG_BT_DATA_LEN_UPDATE=n
+CONFIG_BT_PHY_UPDATE=n
+CONFIG_BT_CTLR_MIN_USED_CHAN=n
+CONFIG_BT_CTLR_PRIVACY=n
+
+CONFIG_BT_OBSERVER=y
+CONFIG_BT_BROADCASTER=y
+CONFIG_BT_EXT_ADV=y

samples/bluetooth/hci_rpmsg/sample.yaml

@@ -82,3 +82,10 @@ tests:
     platform_allow: nrf5340dk_nrf5340_cpunet
     integration_platforms:
       - nrf5340dk_nrf5340_cpunet
+  sample.bluetooth.hci_rpmsg.mesh.bt_ll_sw_split:
+    harness: bluetooth
+    tags: bluetooth
+    extra_args: CONF_FILE="nrf5340_cpunet_bt_mesh-bt_ll_sw_split.conf"
+    platform_allow: nrf5340dk_nrf5340_cpunet
+    integration_platforms:
+      - nrf5340dk_nrf5340_cpunet

samples/bluetooth/mesh/CMakeLists.txt

@@ -13,3 +13,9 @@ if (BOARD STREQUAL bbc_microbit)
 else()
   target_sources(app PRIVATE src/board.c)
 endif()
+
+if (CONFIG_BUILD_WITH_TFM)
+  target_include_directories(app PRIVATE
+    $<TARGET_PROPERTY:tfm,TFM_BINARY_DIR>/install/interface/include
+  )
+endif()

samples/bluetooth/mesh/README.rst

@@ -44,6 +44,12 @@ For other boards, build and flash the application as follows:
 Refer to your :ref:`board's documentation <boards>` for alternative
 flash instructions if your board doesn't support the ``flash`` target.
 
+To run the application on an :ref:`nrf5340dk_nrf5340`, a Bluetooth controller application
+must also run on the network core. The :ref:`bluetooth-hci-rpmsg-sample` sample
+application may be used. Build this sample with configuration
+:zephyr_file:`samples/bluetooth/hci_rpmg/nrf5340_cpunet_bt_mesh-bt_ll_sw_split.conf`
+to enable mesh support.
+
 Interacting with the sample
 ***************************
 

samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf

@@ -0,0 +1,3 @@
+# Known issue: non secure platforms do not work with settings subsystem.
+CONFIG_SETTINGS=n
+CONFIG_BT_SETTINGS=n

samples/bluetooth/mesh/microbit_gatt.conf

@@ -13,7 +13,6 @@ CONFIG_BT_MESH_PB_ADV=n
 
 CONFIG_BT=y
 CONFIG_BT_DEVICE_NAME="Zephyr Mesh"
-CONFIG_BT_TINYCRYPT_ECC=y
 CONFIG_BT_RX_STACK_SIZE=1400
 CONFIG_BT_L2CAP_TX_BUF_COUNT=5
 CONFIG_BT_EXT_ADV=n

samples/bluetooth/mesh/prj.conf

@@ -8,7 +8,6 @@ CONFIG_SETTINGS=y
 CONFIG_HWINFO=y
 
 CONFIG_BT=y
-CONFIG_BT_TINYCRYPT_ECC=y
 CONFIG_BT_L2CAP_TX_BUF_COUNT=5
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_OBSERVER=y

samples/bluetooth/mesh/sample.yaml

@@ -7,6 +7,7 @@ tests:
       - bbc_microbit
       - qemu_x86
       - nrf52840dk_nrf52840
+      - nrf5340dk_nrf5340_cpuapp_ns
     integration_platforms:
       - qemu_x86
     tags: bluetooth

samples/bluetooth/mesh_demo/CMakeLists.txt

@@ -12,3 +12,9 @@ target_sources_ifdef(CONFIG_BOARD_BBC_MICROBIT app PRIVATE src/microbit.c)
 if(NODE_ADDR)
   zephyr_compile_definitions(NODE_ADDR=${NODE_ADDR})
 endif()
+
+if (CONFIG_BUILD_WITH_TFM)
+  target_include_directories(app PRIVATE
+    $<TARGET_PROPERTY:tfm,TFM_BINARY_DIR>/install/interface/include
+  )
+endif()

samples/bluetooth/mesh_demo/README.rst

@@ -54,3 +54,9 @@ For other boards, build and flash the application as follows:
 
 Refer to your :ref:`board's documentation <boards>` for alternative
 flash instructions if your board doesn't support the ``flash`` target.
+
+To run the application on an :ref:`nrf5340dk_nrf5340`, a Bluetooth controller application
+must also run on the network core. The :ref:`bluetooth-hci-rpmsg-sample` sample
+application may be used. Build this sample with configuration
+:zephyr_file:`samples/bluetooth/hci_rpmg/nrf5340_cpunet_bt_mesh-bt_ll_sw_split.conf`
+to enable mesh support.

samples/bluetooth/mesh_demo/boards/nrf5340dk_nrf5340_cpuapp_ns.conf

@@ -0,0 +1,3 @@
+# Known issue: non secure platforms do not work with settings subsystem.
+CONFIG_SETTINGS=n
+CONFIG_BT_SETTINGS=n

samples/bluetooth/mesh_demo/prj.conf

@@ -2,10 +2,18 @@ CONFIG_MAIN_STACK_SIZE=512
 CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
 
 CONFIG_BT=y
-CONFIG_BT_TINYCRYPT_ECC=y
 CONFIG_BT_OBSERVER=y
 CONFIG_BT_BROADCASTER=y
 
+CONFIG_BT_CTLR_DUP_FILTER_LEN=0
+CONFIG_BT_CTLR_LE_ENC=n
+CONFIG_BT_CTLR_LE_PING=n
+CONFIG_BT_DATA_LEN_UPDATE=n
+CONFIG_BT_PHY_UPDATE=n
+CONFIG_BT_CTLR_MIN_USED_CHAN=n
+CONFIG_BT_CTLR_PRIVACY=n
+CONFIG_BT_CTLR_CHAN_SEL_2=n
+
 CONFIG_BT_MESH=y
 CONFIG_BT_MESH_RELAY=y
 CONFIG_BT_MESH_SUBNET_COUNT=1

samples/bluetooth/mesh_demo/sample.yaml

@@ -7,6 +7,7 @@ tests:
       - bbc_microbit
       - qemu_x86
       - nrf52840dk_nrf52840
+      - nrf5340dk_nrf5340_cpuapp_ns
     integration_platforms:
       - qemu_x86
       - bbc_microbit

samples/bluetooth/mesh_provisioner/CMakeLists.txt

@@ -7,3 +7,9 @@ find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
 project(mesh_provisioner)
 
 target_sources(app PRIVATE src/main.c)
+
+if (CONFIG_BUILD_WITH_TFM)
+  target_include_directories(app PRIVATE
+    $<TARGET_PROPERTY:tfm,TFM_BINARY_DIR>/install/interface/include
+  )
+endif()

samples/bluetooth/mesh_provisioner/README.rst

@@ -52,3 +52,9 @@ For other boards, build and flash the application as follows:
 
 Refer to your :ref:`board's documentation <boards>` for alternative
 flash instructions if your board doesn't support the ``flash`` target.
+
+To run the application on an :ref:`nrf5340dk_nrf5340`, a Bluetooth controller application
+must also run on the network core. The :ref:`bluetooth-hci-rpmsg-sample` sample
+application may be used. Build this sample with configuration
+:zephyr_file:`samples/bluetooth/hci_rpmg/nrf5340_cpunet_bt_mesh-bt_ll_sw_split.conf`
+to enable mesh support.

samples/bluetooth/mesh_provisioner/boards/nrf5340dk_nrf5340_cpuapp_ns.conf

@@ -0,0 +1,3 @@
+# Known issue: non secure platforms do not work with settings subsystem.
+CONFIG_SETTINGS=n
+CONFIG_BT_SETTINGS=n

samples/bluetooth/mesh_provisioner/prj.conf

@@ -5,11 +5,19 @@ CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
 CONFIG_MAIN_THREAD_PRIORITY=-2
 
 CONFIG_BT=y
-CONFIG_BT_TINYCRYPT_ECC=y
 #CONFIG_BT_DEBUG_LOG=y
 CONFIG_BT_OBSERVER=y
 CONFIG_BT_BROADCASTER=y
 
+CONFIG_BT_CTLR_DUP_FILTER_LEN=0
+CONFIG_BT_CTLR_LE_ENC=n
+CONFIG_BT_CTLR_LE_PING=n
+CONFIG_BT_DATA_LEN_UPDATE=n
+CONFIG_BT_PHY_UPDATE=n
+CONFIG_BT_CTLR_MIN_USED_CHAN=n
+CONFIG_BT_CTLR_PRIVACY=n
+CONFIG_BT_CTLR_CHAN_SEL_2=n
+
 CONFIG_BT_MESH=y
 CONFIG_BT_MESH_SUBNET_COUNT=1
 CONFIG_BT_MESH_APP_KEY_COUNT=1

samples/bluetooth/mesh_provisioner/sample.yaml

@@ -6,6 +6,7 @@ tests:
     platform_allow:
       - qemu_x86
       - nrf52840dk_nrf52840
+      - nrf5340dk_nrf5340_cpuapp_ns
     integration_platforms:
       - qemu_x86
     tags: bluetooth

subsys/bluetooth/mesh/CMakeLists.txt

@@ -119,8 +119,16 @@ zephyr_library_sources_ifdef(CONFIG_BT_MESH_OD_PRIV_PROXY_SRV sol_pdu_rpl_srv.c)
 
 zephyr_library_sources_ifdef(CONFIG_BT_MESH_SOLICITATION solicitation.c)
 
-zephyr_library_sources_ifdef(CONFIG_BT_MESH_USES_TINYCRYPT crypto_tc.c)
-
-zephyr_library_sources_ifdef(CONFIG_BT_MESH_USES_MBEDTLS_PSA crypto_psa.c)
+if (CONFIG_BT_MESH_USES_TINYCRYPT)
+    zephyr_library_sources(crypto_tc.c)
+else()
+    zephyr_library_sources(crypto_psa.c)
+endif()
 
 zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)
+
+if (CONFIG_BUILD_WITH_TFM)
+  target_include_directories(${ZEPHYR_CURRENT_LIBRARY} PRIVATE
+    $<TARGET_PROPERTY:tfm,TFM_BINARY_DIR>/install/interface/include
+  )
+endif()

subsys/bluetooth/mesh/Kconfig

@@ -15,6 +15,7 @@ if BT_MESH
 
 choice BT_MESH_CRYPTO_LIB
 	prompt "Crypto library selection for mesh security"
+	default BT_MESH_USES_TFM_PSA if BUILD_WITH_TFM
 	default BT_MESH_USES_TINYCRYPT
 
 config BT_MESH_USES_TINYCRYPT
@@ -53,9 +54,18 @@ config BT_MESH_USES_MBEDTLS_PSA
 	  on Zephyr's settings subsystem.
 	  Not possible to use for embedded devices yet.
 
+config BT_MESH_USES_TFM_PSA
+	bool "Use TF-M PSA [EXPERIMENTAL]"
+	select EXPERIMENTAL
+	depends on BUILD_WITH_TFM
+	help
+	  Use TF-M that implements PSA security framework. Support of TF-M is
+	  experimental. It is only possible to use with platforms that TF-M supports.
+	  For more platform details see TF-M documentation.
+
 endchoice
 
-if BT_MESH_USES_MBEDTLS_PSA
+if BT_MESH_USES_MBEDTLS_PSA || BT_MESH_USES_TFM_PSA
 
 config BT_MESH_PSA_KEY_ID_USER_MIN_OFFSET
 	int "Offset of BLE Mesh key id range regarding PSA_KEY_ID_USER_MIN"
@@ -69,7 +79,7 @@ config BT_MESH_PSA_KEY_ID_USER_MIN_OFFSET
 	  for each application key, and two ids for the device key and device key candidate.
 	  It should consider the Mesh Configuration Database instances if database enabled.
 
-endif # BT_MESH_USES_MBEDTLS_PSA
+endif # BT_MESH_USES_MBEDTLS_PSA || BT_MESH_USES_TFM_PSA
 
 # Virtual option enabled whenever Generic Provisioning layer is needed
 config BT_MESH_PROV

subsys/bluetooth/mesh/keys.h

@@ -13,7 +13,7 @@ enum bt_mesh_key_type {
 	BT_MESH_KEY_TYPE_DEV
 };
 
-#if defined CONFIG_BT_MESH_USES_MBEDTLS_PSA
+#if defined CONFIG_BT_MESH_USES_MBEDTLS_PSA || defined CONFIG_BT_MESH_USES_TFM_PSA
 
 int bt_mesh_key_import(enum bt_mesh_key_type type, const uint8_t in[16], struct bt_mesh_key *out);
 int bt_mesh_key_export(uint8_t out[16], const struct bt_mesh_key *in);