TF-M (2.2.2) upmerge 2025.12.12 #3648
Merged
+2,566
−536
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
NordicBuilder
added a commit
to NordicBuilder/sdk-nrf
that referenced
this pull request
Dec 16, 2025
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#3648 Signed-off-by: Nordic Builder <[email protected]>
|
The following west manifest projects have changed revision in this Pull Request:
Additional metadata changed:
⛔ DNM label due to: 1 removed project and 1 project with metadata changes Note: This message is automatically posted and updated by the Manifest GitHub Action. |
tomi-font
force-pushed
the
tf-m_upmerge_2025.12.12_2.2.2
branch
from
f270082 to
a0cb6f7
Compare
NordicBuilder
added a commit
to NordicBuilder/sdk-nrf
that referenced
this pull request
Dec 16, 2025
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#3648 Signed-off-by: Nordic Builder <[email protected]>
tomi-font
force-pushed
the
tf-m_upmerge_2025.12.12_2.2.2
branch
from
a0cb6f7 to
54407da
Compare
NordicBuilder
added a commit
to NordicBuilder/sdk-nrf
that referenced
this pull request
Dec 16, 2025
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#3648 Signed-off-by: Nordic Builder <[email protected]>
tomi-font
force-pushed
the
tf-m_upmerge_2025.12.12_2.2.2
branch
from
54407da to
1f4f683
Compare
NordicBuilder
added a commit
to NordicBuilder/sdk-nrf
that referenced
this pull request
Dec 17, 2025
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#3648 Signed-off-by: Nordic Builder <[email protected]>
tomi-font
force-pushed
the
tf-m_upmerge_2025.12.12_2.2.2
branch
from
1f4f683 to
f804cd5
Compare
NordicBuilder
added a commit
to NordicBuilder/sdk-nrf
that referenced
this pull request
Dec 18, 2025
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#3648 Signed-off-by: Nordic Builder <[email protected]>
tomi-font
force-pushed
the
tf-m_upmerge_2025.12.12_2.2.2
branch
from
f804cd5 to
7ec8916
Compare
NordicBuilder
added a commit
to NordicBuilder/sdk-nrf
that referenced
this pull request
Dec 19, 2025
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#3648 Signed-off-by: Nordic Builder <[email protected]>
tomi-font
force-pushed
the
tf-m_upmerge_2025.12.12_2.2.2
branch
from
7ec8916 to
155115c
Compare
NordicBuilder
added a commit
to NordicBuilder/sdk-nrf
that referenced
this pull request
Jan 7, 2026
Automatically created by action-manifest-pr GH action from PR: nrfconnect/sdk-zephyr#3648 Signed-off-by: Nordic Builder <[email protected]>
Vge0rge
approved these changes
Jan 7, 2026
Contributor
Vge0rge
left a comment
Vge0rge
left a comment
There was a problem hiding this comment.
I checked the commits (with a script) and they are indeed clean cherry picks, so it looks ok to me.
Zephyr's TF-M has been aligned with upstream TF-M v2.2.0, which adds support for Corstone-320 (CS320). The previous commit also updates TF-M to fix compiler warnings seen with MPS4. So, with this update, enable build and execution of non-secure variants of MPS4-based boards. Signed-off-by: Sudan Landge <[email protected]> (cherry picked from commit 826742f)
Add stm32wba65i-dk1 board support with UART console, LEDs, joystick keys using ADC channel 6. Board YAML file does not list 'supported' tags since the board is very similar to nucleo_wba65ri for which supported features are already covered. Signed-off-by: Etienne Carriere <[email protected]> (cherry picked from commit 1dd6c2b)
Declare stm32wba65i-dk1 and nucleo_wba65ri boards support in TF-M. Both comply with TF-M integration of platform stm/stm32wba65i-dk. Signed-off-by: Etienne Carriere <[email protected]> (cherry picked from commit 0218849)
…GIN_OFFSET Add TF-M directive STM32_FLASH_LAYOUT_BEGIN_OFFSET needed to specify the gap needed by external boot stage resources at flash beginning. The offset tells STM32 TF-M firmware the base offset in the flash where the several TF-M and non-secure image areas shall be located. The CMake directive was introduced mainline TF-M commit [1] and merged in Zephyr TF-M repository [2]. Link: TrustedFirmware-M/trusted-firmware-m@fc035b8 [1] Link: zephyrproject-rtos/trusted-firmware-m@954dc80 [2] Signed-off-by: Etienne Carriere <[email protected]> (cherry picked from commit f4b9e5f)
The --max-sectors option helps catch problems with flash overlap when merging images. If there is a misalignment in flash partitions, the merge process usually fails. This uses information from Zephyr flash partitions and the flash controller to automatically determine the max sectors value and apply it when signing an image. Signed-off-by: BUDKE Gerson Fernando <[email protected]> (cherry picked from commit 99a2e49)
The current behavior when signing an image is to always set --pad and --pad-header for all images unless TFM_USE_NS_APP is set. This does not allow for easy creation of signed images for FOTA applications. Rewrite the PAD parameter as HEADER and TRAILER to simplify the setup of more signing options. Another important reason for this change is that the NS image, when signed without --pad, runs on the hardware but does not perform the MCUboot test, and the FWU never upgrades the image. This fixes the NS image signing process to correctly support TF-M FWU using the PSA API functions. Signed-off-by: BUDKE Gerson Fernando <[email protected]> (cherry picked from commit b21ea79)
The current behavior when signing an image adds --pad but does not confirm the image. This appears to be a mistake, as the user should inspect the image status in the Firmware Upgrade software. If an image is not --confirmed, the FSM cannot infer the correct states. This sets the image as confirmed to resolve the issue. Signed-off-by: BUDKE Gerson Fernando <[email protected]> (cherry picked from commit 6cee10c)
Make variables that define output files explicitly include 'HEX' in the name. This refactoring step allows for the introduction of BIN file generation. Signed-off-by: BUDKE Gerson Fernando <[email protected]> (cherry picked from commit 69f277c)
A fundamental use of Trusted Firmware-M is to provide security for IoT applications, where firmware upgrades (FOTA) are almost always mandatory. The current file signing process does not produce the necessary binaries for multi-image S/NS FWU, since hex images are not suitable for this use case. This introduces the missing signed binary files for use by the FWU partition. The changes were tested in multi-image FWU scenarios, and support for single-image scenarios can be easily added in the future. Signed-off-by: BUDKE Gerson Fernando <[email protected]> (cherry picked from commit 5b4cd27)
Use cmake_parse_arguments() for more idiomatic code. This makes the code more readable and easier to extend with new options. Signed-off-by: BUDKE Gerson Fernando <[email protected]> (cherry picked from commit 7fe5574)
When CONFIG_TFM_MCUBOOT_IMAGE_NUMBER is 1, the process to create the final tfm_merged.bin file is more complex. This prepares the content to introduce the generation of tfm_merged.bin for use in FOTA applications. Signed-off-by: BUDKE Gerson Fernando <[email protected]> (cherry picked from commit d1534c5)
When CONFIG_TFM_MCUBOOT_IMAGE_NUMBER is 1, all images are merged. Currently, there is no tfm_merged.bin file for use in FOTA. This adds file generation to fulfill that requirement. Signed-off-by: BUDKE Gerson Fernando <[email protected]> (cherry picked from commit bbc73af)
Fix formatting errors that cause CI to complain. Signed-off-by: Jordan Yates <[email protected]> (cherry picked from commit 2219a87)
`S_NS_CONFIRMED_HEX_FILE` was never generating a confirmed file, just the same file contents as `S_NS_HEX_FILE`. Since no logic needs a confirmed merge of `tfm_s.hex` and `zephyr.hex`, just remove the logic instead of fixing it. Signed-off-by: Jordan Yates <[email protected]> (cherry picked from commit 15e8305)
Generate a binary version of `tfm_s_zephyr_ns_signed.hex` with objcopy. This file is valid for performing OTA upgrades, unlike `tfm_merged.bin`, which contains BL2. Signed-off-by: Jordan Yates <[email protected]> (cherry picked from commit db339e4)
…ged.hex` Since `tfm_merged.bin` now contains BL2, it can only be used for the same purposes as `tfm_merged.hex` (intial firmware loading). Therefore it should be using the confirmed images that `tfm_merged.hex` does. Since the only difference between the two files with that change is now the output format, we can directly generate `tfm_merged.bin` from `tfm_merged.hex` with `objcopy` instead of going through `mergehex.py`. Signed-off-by: Jordan Yates <[email protected]> (cherry picked from commit 74a23ea)
…ILENCE Explicitly disable the SECURE_UART TFM define when `CONFIG_TFM_LOG_LEVEL_SILENCE=y`. The secure UART is only enabled by default on nRF platforms to match the current TF-M defaults. Signed-off-by: Jordan Yates <[email protected]> (cherry picked from commit 9366e4a)
If the image is not confirmed, there is no need to pad the entire flash slot with empty data. This reduces the size of `tfm_s_zephyr_ns.signed.bin` (the file actually sent for an OTA upgrade) from 100% of the slot size down to the size of the application. Signed-off-by: Jordan Yates <[email protected]> (cherry picked from commit 6fe6a8b)
…O_1.1.0 Fixup to the TF-M 2.2.0 update. Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit b8aa511)
psa-arch-tests includes device drivers that failed to mark registers with 'volatile'. GCC 14.3 cleverly optimized sequential register accesses using strd/ldrd instructions which caused the drivers to fail. Move the psa-arch-tests repository forward to the version which includes a fix for this. Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 5505c0d)
This updates the version of picolibc to match that used by SDK 0.17.4. In the Zephyr picolibc fork, that's marked with the zephyr-sdk-0.17.4 tag now, which is on the zephyr-sdk-0.17 branch. Changes since the previous version which impact using the module: * machine/arm: Disable exception tables in ARM string asm code * cmake: Silence messages about core-isa.h * Correct return type of __non_atomic_*_ungetc functions * Delete obsoleted _syslist.h Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 046232a)
Nothing in Zephyr uses SOF, it is the other way round, SOF uses Zephyr, creating a cyclic dependency in some cases making it difficult to apply changes to areas used by SOF upstream. Part of #91061 Signed-off-by: Anas Nashif <[email protected]> (cherry picked from commit 1a780f9)
During transition to HWMv2 this workaround was added, which should instead be in SOF and not in Zephyr, as CORE_COUNT is a SOF Kconfig. Remove this and instead set the CORE_COUNT in SOF to the MP_MAX_NUM_CPUS. Signed-off-by: Anas Nashif <[email protected]> (cherry picked from commit 71ec5df)
Do not depend on SOF config, use RIMAGE_SCHEMA instead, defined in SOF. Signed-off-by: Anas Nashif <[email protected]> (cherry picked from commit 95b48cd)
…L_ADSP_IPC The SoC specific IPC driver is for host IPC, and not IDC (which is between CPUs). So there is no need to use the IDC devicetree binding to enable the kconfig. Signed-off-by: Daniel Leung <[email protected]> (cherry picked from commit d910306)
This reworks the Intel audio DSP host IPC driver as a backend of the IPC service. This is the first step to rework IPC in SOF (Sound Open Firmware) into using a more generic IPC API instead of a SoC specific one. For now, it keeps the old interface to maintain usability as it is going to be a multiple process to rework IPC over there. Also, the structure of the new IPC backend resembles the SoC specific driver to make it easier to compare between them at this first iteration. Future optimizations will probably be needed once we start modifying the SOF side to utilize the IPC interface. Signed-off-by: Daniel Leung <[email protected]> (cherry picked from commit cf7e2e6)
Those tests are needed for verifying and testing tf-m. While not needed directly by zephyr, they are needed for testing and CI. Signed-off-by: Anas Nashif <[email protected]> (cherry picked from commit a2ccf50)
Tests needed to verify tf-a module. Signed-off-by: Anas Nashif <[email protected]> (cherry picked from commit a7c5339)
Update the TF-M repos to 2.2.2, from version 2.2.0. Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit ea3697b)
…2WBA65 Update PSA-Arch-tests to support testing STM32U585 and STM32WBA based boards. Signed-off-by: Etienne Carriere <[email protected]> (cherry picked from commit 88cc161)
Enable SRAM5 region in the Global TrustZone controller (GTZC). Signed-off-by: BUDKE Gerson Fernando <[email protected]> (cherry picked from commit 5d6e4d9)
tomi-font
force-pushed
the
tf-m_upmerge_2025.12.12_2.2.2
branch
from
155115c to
73df8fa
Compare
carlescufi
approved these changes
Jan 9, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
13 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
manifest-pr-skip