HI,
we are interested in a guide to a clear workflow of integrating CubeMX-generated code for U5 into TFM-based application.
In particular:
1. We have trustzone-enabled CubeMX-generated app with Azure RTOS and TouchGFX. The IDE and compiler are IAR. We want to be able to easily debug and re-build it, as needed, without any much security involved and, even most important, without manipulations with flash loaders and signed binaries every time a single line of code gets changed.
2. Once we are happy with stable code behaviour, then we want to "wrap" it in TFM, by letting the latter to create signed binaries and the loader, as per TFM example for U5 from STM. If any intermittent step((s) required to achieve so: adjusting addressees, locations, etc - we are OK to create custom pre/post builds ourselves. But we'd like to know what exactly steps are needed.
So the questions are:
a). Is there any help/guide/examples or any other support can be expected from STM for that matter?
(Yes, we read through manuals, ANs, and even through Secure workshop). None of those letting you the above task be achieved in a feasible way). If not - can they be provided?
b). Can the gap between widely used CubeMX ecosystem and TFM framework be closed in a painless way with step-by-step guide from STM?
At minimum, a clear explanations on what memory areas TFM loader locks, which access rights assigns, and can they be then coexisting with CubeMX assigned, - may help a lot. What parts of HAL initialization and at which points shall be shared between both and what exactly way? And so forth. Ideally, a simple trust-zone enabled "Hello world" app, running with and without TFM would be extremely helpful and be an answer to all the above.
I.e. something similar to non-trustzone example for SBSFU and L476 in Secure Workshop sessions.
c). What are the TFM dependencies on TFM bootloader? Can be TFM PAS services called without being preloaded first in heavily secured, time-consuming and hard-to-debug way by a bootloader - i.e. from "standalone" application, as described in (1) and (2) above? For instance, this "tfm_core_get_boot_data" fails if secure app is attempted running standalone, without a bootloader.
===============================================
Last , but not least: are there any plans to close finally a long-time reported simple yet very annoying bug in CubeMX when the latter doesn't allow to generate correct TouchGFX code for Azure RTOS in TrustZone-enabled projects? It forces time consuming workarounds after each code re-generation. The Azure RTOS option is still grayed out in CubeMX 6.12.1 after more than 4 CubeMX releases since the bug was reported.
Many thanks in advance.
