boards: st: stm32wba65i_dk1: Add ns variant for TF-M support

Add variant ns to stm32wba65i_dk1 board to embed TF-M in the SoC
secure world. The flash layout is synced with the layout defined
in Zephyr TF-M integration of platform STM32WBA65I.

Successfully tested against a few samples and test samples:
- samples/tfm_integration/psa_crypto
- samples/tfm_integration/psa_protected_storage
- samples/tfm_integration/tfm_ipc
- samples/tfm_integration/tfm_regression_test
- samples/tfm_integration/tfm_secure_partition
- tests/subsys/secure_storage/psa/crypto
- tests/subsys/secure_storage/psa/its
  (with CONFIG_TFM_ITS_MAX_ASSET_SIZE_OVERRIDE=y
  and CONFIG_TFM_ITS_MAX_ASSET_SIZE=256)

The platforms do not yet support samples/tfm_integration/tfm_psa_test.

Signed-off-by: Etienne Carriere <[email protected]>

Author: etienne-lms

boards/st/stm32wba65i_dk1/Kconfig.defconfig

@@ -10,4 +10,16 @@ config SPI_STM32_INTERRUPT
 	default y
 	depends on SPI
 
+if BUILD_WITH_TFM
+
+# Not defining LIBC malloc arena has the effect of declaring all available RAM
+# as available for malloc.
+# This currently conflicts with TF-M MPU setting, resulting in a hard fault.
+# Define a specific size to avoid this situation.
+
+config COMMON_LIBC_MALLOC_ARENA_SIZE
+	default 2048
+
+endif # BUILD_WITH_TFM
+
 endif # BOARD_STM32WBA65I_DK1

boards/st/stm32wba65i_dk1/board.cmake

@@ -1,7 +1,32 @@
 # Copyright (c) 2025 STMicroelectronics
 # SPDX-License-Identifier: Apache-2.0
 
-board_runner_args(stm32cubeprogrammer "--port=swd" "--reset-mode=hw")
+if(CONFIG_BUILD_WITH_TFM)
+  set(FLASH_BASE_ADDRESS_S 0x0C000000)
+
+  # Flash merged TF-M + Zephyr binary
+  set_property(TARGET runners_yaml_props_target PROPERTY hex_file tfm_merged.hex)
+
+  if (CONFIG_HAS_FLASH_LOAD_OFFSET)
+    MATH(EXPR TFM_HEX_BASE_ADDRESS_NS "${FLASH_BASE_ADDRESS_S}+${CONFIG_FLASH_LOAD_OFFSET}")
+  else()
+    set(TFM_HEX_BASE_ADDRESS_NS ${TFM_FLASH_BASE_ADDRESS_S})
+  endif()
+
+  # System entry point is TF-M vector, located 1kByte after tfm_fmw_partition in DTS
+  get_target_property(TFM_FWM_NODE_NAME devicetree_target "DT_NODELABEL|slot0_secure_partition")
+  string(REGEX REPLACE ".*@([^@]+)$" "\\1" TFM_FWM_OFFSET "${TFM_FWM_NODE_NAME}")
+  if(NOT TFM_FWM_OFFSET)
+    message(FATAL_ERROR "Could not find TF-M firmware offset from node label slot0_secure_partition")
+  endif()
+  math(EXPR TFM_FWM_BOOT_ADDR "0x${TFM_FWM_OFFSET}+${FLASH_BASE_ADDRESS_S}+0x400")
+
+  board_runner_args(stm32cubeprogrammer "--port=swd" "--reset-mode=hw"
+    "--erase" "--start-address=${TFM_FWM_BOOT_ADDR}"
+  )
+else()
+  board_runner_args(stm32cubeprogrammer "--port=swd" "--reset-mode=hw")
+endif()
 
 include(${ZEPHYR_BASE}/boards/common/stm32cubeprogrammer.board.cmake)
 include(${ZEPHYR_BASE}/boards/common/openocd.board.cmake)

boards/st/stm32wba65i_dk1/board.yml

@@ -4,3 +4,5 @@ board:
   vendor: st
   socs:
     - name: stm32wba65xx
+      variants:
+        - name: ns

boards/st/stm32wba65i_dk1/doc/index.rst

@@ -153,6 +153,45 @@ Supported Features
 
 .. zephyr:board-supported-hw::
 
+Zephyr board options
+====================
+
+STM32WBA65I-DK1 board integrates an SoC with Cortex-M33 architecture. Zephyr
+provides support for building for both Secure and Non-Secure firmware.
+
+The BOARD options are summarized below:
+
++---------------------------------+------------------------------------------+
+| BOARD                           | Description                              |
++=================================+==========================================+
+| stm32wba65i_dk1                 | For building TrustZone Disabled firmware |
++---------------------------------+------------------------------------------+
+| stm32wba65i_dk1/stm32wba65xx/ns | For building Non-Secure firmware         |
++---------------------------------+------------------------------------------+
+
+Here are the instructions to build Zephyr with a non-secure configuration,
+using :zephyr:code-sample:`tfm_ipc` sample:
+
+   .. code-block:: console
+
+      $ west build -b stm32wba65i_dk1/stm32wba65xx/ns samples/tfm_integration/tfm_ipc/
+
+Once done, before flashing, you need to first run a generated script that
+will set platform option bytes config and erase platform (among others,
+option bit TZEN will be set).
+
+   .. code-block:: bash
+
+      $ ./build/tfm/api_ns/regression.sh
+      $ west flash
+
+Please note that, after having programmed the board for a TrustZone enabled system
+(e.g. with ``./build/tfm/api_ns/regression.sh``), the SoC TZEN option byte is enabled
+and you will need to operate specific sequence to disable this TZEN Option Byte
+configuration to get your board back in normal state for booting with a TrustZone
+disabled system (e.g. without TF-M support).
+You can still use STM32CubeProgrammer_ to disable the SoC TZEN Option Byte config.
+
 Connections and IOs
 ===================
 

boards/st/stm32wba65i_dk1/stm32wba65i_dk1_stm32wba65xx_ns.dts

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c)  2025 STMicroelectronics
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/dts-v1/;
+#include "stm32wba65i_dk1.dts"
+
+/ {
+	chosen {
+		zephyr,code-partition = &slot0_ns_partition;
+	};
+};
+
+
+&flash0 {
+	/delete-node/ partitions;
+
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		boot_partition: partition@0 {
+			label = "bootstage";
+			reg = <0 DT_SIZE_K(144)>;
+		};
+
+		slot0_secure_partition: partition@24000 {
+			label = "image-secure";
+			reg = <0x24000 DT_SIZE_K(384)>;
+		};
+
+		slot0_ns_partition: partition@84000 {
+			label = "image-non-secure";
+			reg = <0x84000 DT_SIZE_K(384)>;
+		};
+
+		storage_partition: partition@e4000 {
+			label = "storage";
+			reg = <0xe4000 (DT_SIZE_K(112) + DT_SIZE_M(1))>;
+		};
+	};
+};

boards/st/stm32wba65i_dk1/stm32wba65i_dk1_stm32wba65xx_ns.yaml

@@ -0,0 +1,17 @@
+identifier: stm32wba65i_dk1/stm32wba65xx/ns
+name: ST STM32WBA65I Discovery kit with TF-M and non-secure
+type: mcu
+arch: arm
+toolchain:
+  - zephyr
+  - gnuarmemb
+supported:
+  - gpio
+  - adc
+  - rng
+  - arduino_gpio
+  - arduino_i2c
+  - arduino_spi
+ram: 512
+flash: 2048
+vendor: st

boards/st/stm32wba65i_dk1/stm32wba65i_dk1_stm32wba65xx_ns_defconfig

@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2025 STMicroelectronics
+
+# enable uart driver
+CONFIG_SERIAL=y
+
+# enable GPIO
+CONFIG_GPIO=y
+
+# console
+CONFIG_CONSOLE=y
+CONFIG_UART_CONSOLE=y
+
+# Enable MPU
+CONFIG_ARM_MPU=y
+
+# Enable HW stack protection
+CONFIG_HW_STACK_PROTECTION=y
+
+# Enable the internal SMPS regulator
+CONFIG_POWER_SUPPLY_DIRECT_SMPS=y
+
+# Enable ADC for joystick
+CONFIG_ADC=y
+
+# TF-M expects Zephyr includes a 1kB header
+CONFIG_ROM_START_OFFSET=0x400
+
+# Enable TZ non-secure configuration
+CONFIG_ARM_TRUSTZONE_M=y
+CONFIG_RUNTIME_NMI=y
+CONFIG_TRUSTED_EXECUTION_NONSECURE=y
+CONFIG_BUILD_WITH_TFM=y
+CONFIG_TFM_BL2=n