Not ready for review: TF-M support for building without PSA ITS

modules/trusted-firmware-m/CMakeLists.txt

@@ -200,6 +200,10 @@ if(NOT CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C)
   set_property(TARGET zephyr_property_target
     APPEND PROPERTY TFM_CMAKE_OPTIONS
     -DCRYPTO_STORAGE_DISABLED=TRUE
+    -DTFM_PARTITION_INTERNAL_TRUSTED_STORAGE=OFF
+    -DPLATFORM_DEFAULT_OTP=OFF
+    -DPLATFORM_DEFAULT_OTP_WRITEABLE=OFF
+    -DPLATFORM_DEFAULT_NV_COUNTERS=OFF
   )
 endif()
 

modules/trusted-firmware-m/Kconfig

@@ -43,7 +43,7 @@ config TFM_PLATFORM_SP_STACK_SIZE
 
 config TFM_PLATFORM_NV_COUNTER_MODULE_DISABLED
 	bool "Disable Non-volatile counter module"
-	default y if TFM_PROFILE_TYPE_MINIMAL
+	default y if !TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
 
 endmenu
 
@@ -201,6 +201,8 @@ config TFM_ITS_ENCRYPTED
 	bool
 	prompt "PSA Internal Trusted Storage with encryption"
 	default y if SOC_SERIES_NRF54LX
+	depends on MBEDTLS_PSA_CRYPTO_STORAGE_C
+	depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
 	select PSA_ITS_ENCRYPTED
 	select PSA_WANT_GENERATE_RANDOM
 	help

modules/trusted-firmware-m/Kconfig.tfm.defconfig

@@ -86,6 +86,8 @@ config TFM_PARTITION_PROTECTED_STORAGE
 config TFM_ITS_ENCRYPTED
 	bool
 	select PSA_WANT_ALG_CHACHA20_POLY1305 if SOC_SERIES_NRF54LX
+	depends on MBEDTLS_PSA_CRYPTO_STORAGE_C
+	depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
 
 config BOOTLOADER_MCUBOOT
 	bool

modules/trusted-firmware-m/tfm_boards/CMakeLists.txt

@@ -160,13 +160,11 @@ if (CONFIG_NRF_SECURE_APPROTECT_LOCK)
 endif()
 
 if (CRYPTO_STORAGE_DISABLED AND TFM_PARTITION_CRYPTO AND NOT TFM_PARTITION_INTERNAL_TRUSTED_STORAGE)
-  # Added here to satisfy the following requirement from tfm_crypto.yaml:
-  #
-  # "dependencies": [
-  #   "TFM_INTERNAL_TRUSTED_STORAGE_SERVICE"
-  # ]
+  # Ensure OTP and NV counter support is also disabled when ITS is not enabled
   target_compile_definitions(platform_s PUBLIC
-    TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_SID=0x00000070)
+    -DPLATFORM_DEFAULT_OTP=OFF
+    -DPLATFORM_DEFAULT_OTP_WRITEABLE=OFF
+    -DPLATFORM_DEFAULT_NV_COUNTERS=OFF)
 endif()
 
 if(BL2)

subsys/nrf_security/Kconfig.psa

@@ -50,7 +50,7 @@ config MBEDTLS_PSA_CRYPTO_SPM
 
 config MBEDTLS_PSA_CRYPTO_STORAGE_C
 	bool "PSA storage for persistent keys" if !BUILD_WITH_TFM
-	default y if BUILD_WITH_TFM
+	default y if BUILD_WITH_TFM && TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
 	help
 	  Corresponds to MBEDTLS_PSA_CRYPTO_STORAGE_C setting in mbed TLS config file.
 
@@ -73,6 +73,7 @@ config MBEDTLS_PSA_KEY_SLOT_COUNT
 config PSA_ITS_ENCRYPTED
 	bool
 	depends on MBEDTLS_PSA_CRYPTO_STORAGE_C
+	depends on TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
 	help
 	  Enables authenticated encryption for PSA Internal Trusted Storage files
 

west.yml

@@ -150,7 +150,7 @@ manifest:
     - name: trusted-firmware-m
       repo-path: sdk-trusted-firmware-m
       path: modules/tee/tf-m/trusted-firmware-m
-      revision: 82e7763eba112a350d58dd52dc39f340a291ffd0
+      revision: pull/181/head
     - name: psa-arch-tests
       repo-path: sdk-psa-arch-tests
       path: modules/tee/tf-m/psa-arch-tests