boards: lpcxpresso55s69: enable TFM with MCUboot

Set building TFM with MCUboot. Set the build configuration to
profile_medium, we need smaller TFM images to fit into flash.
Build MCUboot, TFM, sign it, sign Zephyr NS image and merge all the
images. Also change the other configuration, BL2=OFF, to merge as a
single image.
Update documentation on how to flash the board.

Signed-off-by: Andrei Gansari <andrei.gansari@nxp.com>

boards/arm/lpcxpresso55s69/CMakeLists.txt

@@ -21,8 +21,11 @@ if (CONFIG_BUILD_WITH_TFM)
 		set(TFM_IMAGE_VERSION_NS 0.0.0+0)
 	endif()
 
-	set(PREPROCESSED_FILE "${CMAKE_BINARY_DIR}/tfm/image_macros_preprocessed")
+	if (NOT CONFIG_TFM_BL2_FALSE)
+		set(PREPROCESSED_FILE_S "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_s.dir/signing_layout_s.o")
+		set(PREPROCESSED_FILE_NS "${CMAKE_BINARY_DIR}/tfm/bl2/ext/mcuboot/CMakeFiles/signing_layout_ns.dir/signing_layout_ns.o")
 		set(TFM_MCUBOOT_DIR "${ZEPHYR_TFM_MODULE_DIR}/trusted-firmware-m/bl2/ext/mcuboot")
+	endif()
 
 	# Configure which format (full or hash) to include the public key in
 	# the image manifest
@@ -33,4 +36,65 @@ if (CONFIG_BUILD_WITH_TFM)
 	if(${SREC_CAT} STREQUAL SREC_CAT-NOTFOUND)
 		message(FATAL_ERROR "'srec_cat' not found. Please install it, or add it to $PATH.")
 	endif()
+
+	if (CONFIG_TFM_BL2_FALSE)
+		#merge tfm_s and zephyr_ns to a single image
+		#offset needs to be the same value as flash_layout.h in TFM
+		set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+			COMMAND ${SREC_CAT}
+			ARGS ${CMAKE_BINARY_DIR}/tfm/bin/tfm_s.bin -Binary
+				${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME} -Binary
+				-offset ${CONFIG_FLASH_LOAD_OFFSET}
+				-o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary
+		)
+	else()
+		#Create and sign for concatenated binary image, should align with the TF-M BL2
+		set_property(GLOBAL APPEND PROPERTY extra_post_build_commands
+
+			#Sign secure binary image with public key
+			COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
+				--layout ${PREPROCESSED_FILE_S}
+				-k ${CONFIG_TFM_KEY_FILE_S}
+				--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
+				--align 1
+				-v ${TFM_IMAGE_VERSION_S}
+				--pad
+				--pad-header
+				${ADD_NS_IMAGE_MIN_VER}
+				-s auto
+				-H ${CONFIG_ROM_START_OFFSET}
+				${CMAKE_BINARY_DIR}/tfm/bin/tfm_s.bin
+				${CMAKE_BINARY_DIR}/tfm_s_signed.bin
+
+			#Sign non-secure binary image with public key
+			COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/wrapper/wrapper.py
+				--layout ${PREPROCESSED_FILE_NS}
+				-k ${CONFIG_TFM_KEY_FILE_NS}
+				--public-key-format ${TFM_PUBLIC_KEY_FORMAT}
+				--align 1
+				-v ${TFM_IMAGE_VERSION_NS}
+				-s auto
+				${ADD_S_IMAGE_MIN_VER}
+				-H ${CONFIG_ROM_START_OFFSET}
+				${CMAKE_BINARY_DIR}/zephyr/${KERNEL_BIN_NAME}
+				${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
+
+			#Create concatenated binary image from the two independently signed binary file
+			COMMAND ${PYTHON_EXECUTABLE} ${TFM_MCUBOOT_DIR}/scripts/assemble.py
+				--layout ${PREPROCESSED_FILE_S}
+				-s ${CMAKE_BINARY_DIR}/tfm_s_signed.bin
+				-n ${CMAKE_BINARY_DIR}/zephyr_ns_signed.bin
+				-o ${CMAKE_BINARY_DIR}/tfm_sign.bin
+
+			#Copy mcuboot.bin
+			COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_BINARY_DIR}/tfm/bin/bl2.bin ${CMAKE_BINARY_DIR}/mcuboot.bin
+
+			#Merge mcuboot.bin and tfm_sign.bin for flashing
+			COMMAND ${SREC_CAT}
+			ARGS ${CMAKE_BINARY_DIR}/mcuboot.bin -Binary
+				${CMAKE_BINARY_DIR}/tfm_sign.bin -Binary
+				-offset 0x8000 #slot0_partition
+				-o ${CMAKE_BINARY_DIR}/tfm_merged.bin -Binary
+		)
+	endif()
 endif()

boards/arm/lpcxpresso55s69/Kconfig.defconfig

@@ -66,6 +66,10 @@ config FLASH_LOAD_SIZE
 
 endif # TRUSTED_EXECUTION_NONSECURE || BOARD_LPCXPRESSO55S69_CPU1
 
+config TFM_PROFILE
+	default "profile_medium"
+	depends on BUILD_WITH_TFM
+
 endif # BOARD_LPCXPRESSO55S69_CPU0 || BOARD_LPCXPRESSO55S69_CPU1
 
 if DMA_MCUX_LPC

boards/arm/lpcxpresso55s69/doc/index.rst

@@ -202,16 +202,16 @@ see the following message in the terminal:
 Building and flashing secure/non-secure with Arm |reg| TrustZone |reg|
 ----------------------------------------------------------------------
 The TF-M integration samples can be run using the ``lpcxpresso55s69_ns`` target.
-Next we need to manually flash the secure (``tfm_s.hex``)
+To run we need to manually flash the resulting image (``tfm_merged.bin``) with a
-and non-secure (``zephyr.hex``) images wth a J-Link as follows:
+J-Link as follows (reset and erase are for recovering a locked core):
 
    .. code-block:: console
 
       JLinkExe -device lpc55s69 -if swd -speed 2000 -autoconnect 1
-   J-Link>loadfile build/tfm/install/outputs/LPC55S69/tfm_s.hex
+      J-Link>r
-   J-Link>loadfile build/zephyr/zephyr.hex
+      J-Link>erase
+      J-Link>loadfile build/tfm_merged.bin
 
-NOTE: At present, the LPC55S69 doesn't include support for the MCUBoot bootloader.
 We need to reset the board manually after flashing the image to run this code.
 
 Debugging

boards/arm/lpcxpresso55s69/lpcxpresso55s69_ns_defconfig

@@ -22,7 +22,5 @@ CONFIG_ARM_MPU=n
 # Enable TrustZone-M
 CONFIG_TRUSTED_EXECUTION_NONSECURE=y
 CONFIG_RUNTIME_NMI=y
-# TFM will run without MCUboot
-CONFIG_TFM_BL2_FALSE=y
 
 CONFIG_BUILD_OUTPUT_HEX=y