arm-bsp/trusted-firmware-m: corstone1000: add Secure Debug

The Secure Debug functionality can be enabled on MPS3 by using the new corstone1000-mps3-secure-debug.yml kas file. The kas file adds the new secure-debug machine feature. The TF-M recipe adds the needed TF-M build flags and patches in order to make the Secure Debug work. This way, the Corstone-1000 will only boot fully if a debugger is connected and a debug authentication is initiated. Signed-off-by: Bence Balogh <bence.balogh@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-01-11 15:00:39 +00:00 · 2024-08-29 13:05:03 +02:00
parent 11d6e24167
commit 7e94669f60
13 changed files with 366 additions and 8 deletions
--- a/ci/secure-debug.yml
+++ b/ci/secure-debug.yml
@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
+header:
+  version: 14
+
+local_conf_header:
+  secure-debug: |
+    MACHINE_FEATURES += "secure-debug"
--- a/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png
+++ b/meta-arm-bsp/documentation/corstone1000/images/ExternalFlash.png
--- a/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb
+++ b/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb
@@ -53,9 +53,11 @@ TFM_SIGN_PRIVATE_KEY = "${libdir}/tfm-scripts/root-RSA-3072_1.pem"
 RE_IMAGE_OFFSET = "0x1000"

 # Offsets for the .nopt image generation
-TFM_OFFSET = "102400"
-FIP_OFFSET = "479232"
-KERNEL_OFFSET = "2576384"
+# These offset values have to be aligned with those in
+# meta-arm/meta-arm-bsp/wic/corstone1000-flash-firmware.wks.in
+TFM_OFFSET = "147456"
+FIP_OFFSET = "475136"
+KERNEL_OFFSET = "2572288"

 do_sign_images() {
    # Sign TF-A BL2
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0014-Platform-CS1000-Increase-BL2-partition-size.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0014-Platform-CS1000-Increase-BL2-partition-size.patch
@@ -0,0 +1,111 @@
+From ddd4abdb3893e284a35303e4a5ac7b6ad2ed8320 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Tue, 16 Jul 2024 21:04:49 +0200
+Subject: [PATCH] Platform: CS1000: Increase BL2 partition size
+
+Enabling secure debug increases the BL2 code size considerably. This
+patch increases the BL2 partition size to enable secure debug feature
+on Corstone-1000. The TF-M partition size has to be decreased for this.
+The RAM_MPU_REGION_BLOCK_1_SIZE had to be aligned with the changes to
+fully cover the S_DATA.
+
+Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Backport [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/30406]
+---
+ .../ext/target/arm/corstone1000/CMakeLists.txt     |  9 ++++++---
+ .../target/arm/corstone1000/create-flash-image.sh  | 14 ++++++++------
+ .../arm/corstone1000/partition/flash_layout.h      |  4 ++--
+ 3 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt
+index b13dc26c0e..3ba26e0de7 100644
+--- a/platform/ext/target/arm/corstone1000/CMakeLists.txt
+++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt
+@@ -44,10 +44,13 @@ target_compile_definitions(platform_region_defs
+         # The RAM MPU Region block sizes are calculated manually. The RAM has to be covered
+         # with the MPU regions. These regions also have to be the power of 2 and
+         # the start addresses have to be aligned to these sizes. The sizes can be calculated
+-        # from the S_DATA_START and S_DATA_SIZE defines.
+-        RAM_MPU_REGION_BLOCK_1_SIZE=0x4000
+        # from the S_DATA_START and S_DATA_SIZE defines the following way:
+        # S_DATA_SIZE = RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE
+        # And the following constraints have to be taken:
+        # S_DATA_START % RAM_MPU_REGION_BLOCK_1_SIZE = 0
+        # (S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE) % RAM_MPU_REGION_BLOCK_2_SIZE = 0
+        RAM_MPU_REGION_BLOCK_1_SIZE=0x10000
+         RAM_MPU_REGION_BLOCK_2_SIZE=0x20000
+-
+ )
+ #========================= Platform common defs ===============================#
+ 
+diff --git a/platform/ext/target/arm/corstone1000/create-flash-image.sh b/platform/ext/target/arm/corstone1000/create-flash-image.sh
+index a6be61384f..06f0d1ec9a 100755
+--- a/platform/ext/target/arm/corstone1000/create-flash-image.sh
+++ b/platform/ext/target/arm/corstone1000/create-flash-image.sh
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ #-------------------------------------------------------------------------------
+-# Copyright (c) 2023, Arm Limited. All rights reserved.
+# Copyright (c) 2023-2024, Arm Limited. All rights reserved.
+ #
+ # SPDX-License-Identifier: BSD-3-Clause
+ #
+@@ -65,6 +65,8 @@ FWU_METADATA_TYPE_UUID="8A7A84A0-8387-40F6-AB41-A8B9A5A60D23"
+ PRIVATE_METADATA_TYPE_UUID="ECB55DC3-8AB7-4A84-AB56-EB0A9974DB42"
+ SE_BL2_TYPE_UUID="64BD8ADB-02C0-4819-8688-03AB4CAB0ED9"
+ TFM_TYPE_UUID="D763C27F-07F6-4FF0-B2F3-060CB465CD4E"
+SE_BL2_PARTITION_SIZE="+144k"
+TFM_S_PARTITION_SIZE="+320K"
+ 
+ # Create the image
+ rm -f $IMAGE
+@@ -81,10 +83,10 @@ sgdisk  --mbrtogpt \
+         --new=3:48:+4K --typecode=3:$FWU_METADATA_TYPE_UUID --partition-guid=3:$(uuidgen) --change-name=3:'Bkup-FWU-Metadata' \
+         --new=4:56:+4K --typecode=4:$PRIVATE_METADATA_TYPE_UUID --partition-guid=4:$(uuidgen) --change-name=4:'private_metadata_replica_1' \
+         --new=5:64:+4k --typecode=5:$PRIVATE_METADATA_TYPE_UUID --partition-guid=5:$(uuidgen) --change-name=5:'private_metadata_replica_2' \
+-        --new=6:72:+100k --typecode=6:$SE_BL2_TYPE_UUID --partition-guid=6:$(uuidgen) --change-name=6:'bl2_primary' \
+-        --new=7:272:+368K --typecode=7:$TFM_TYPE_UUID --partition-guid=7:$(uuidgen) --change-name=7:'tfm_primary' \
+-        --new=8:32784:+100k --typecode=8:$SE_BL2_TYPE_UUID --partition-guid=8:$(uuidgen) --change-name=8:'bl2_secondary' \
+-        --new=9:32984:+368K --typecode=9:$TFM_TYPE_UUID --partition-guid=9:$(uuidgen) --change-name=9:'tfm_secondary' \
+        --new=6:72:$SE_BL2_PARTITION_SIZE --typecode=6:$SE_BL2_TYPE_UUID --partition-guid=6:$(uuidgen) --change-name=6:'bl2_primary' \
+        --new=7:360:$TFM_S_PARTITION_SIZE --typecode=7:$TFM_TYPE_UUID --partition-guid=7:$(uuidgen) --change-name=7:'tfm_primary' \
+        --new=8:32784:$SE_BL2_PARTITION_SIZE --typecode=8:$SE_BL2_TYPE_UUID --partition-guid=8:$(uuidgen) --change-name=8:'bl2_secondary' \
+        --new=9:33072:$TFM_S_PARTITION_SIZE --typecode=9:$TFM_TYPE_UUID --partition-guid=9:$(uuidgen) --change-name=9:'tfm_secondary' \
+         --new=10:65496:65501  --partition-guid=10:$(uuidgen) --change-name=10:'reserved_2' \
+         $IMAGE
+ 
+@@ -93,7 +95,7 @@ sgdisk  --mbrtogpt \
+ # Write partitions
+ # conv=notrunc avoids truncation to keep the geometry of the image.
+ dd if=$BIN_DIR/bl2_signed.bin of=${IMAGE}  seek=72 conv=notrunc
+-dd if=$BIN_DIR/tfm_s_signed.bin of=${IMAGE} seek=272 conv=notrunc
+dd if=$BIN_DIR/tfm_s_signed.bin of=${IMAGE} seek=360 conv=notrunc
+ 
+ # Print the gpt table
+ sgdisk -p $IMAGE
+diff --git a/platform/ext/target/arm/corstone1000/partition/flash_layout.h b/platform/ext/target/arm/corstone1000/partition/flash_layout.h
+index 9fc1d9fa63..73c430ce57 100644
+--- a/platform/ext/target/arm/corstone1000/partition/flash_layout.h
+++ b/platform/ext/target/arm/corstone1000/partition/flash_layout.h
+@@ -92,7 +92,7 @@
+ #define FLASH_DEV_NAME_BL1              FLASH_DEV_NAME
+ 
+ /* Static Configurations of the Flash */
+-#define SE_BL2_PARTITION_SIZE           (0x18000)    /* 96 KB */
+#define SE_BL2_PARTITION_SIZE           (0x24000)    /* 144 KB */
+ #define SE_BL2_BANK_0_OFFSET            (0x9000)  /* 72nd LBA */
+ #define SE_BL2_BANK_1_OFFSET            (0x1002000)  /* 32784th LBA */
+ 
+@@ -137,7 +137,7 @@
+ 
+ /* Bank configurations */
+ #define BANK_PARTITION_SIZE             (0xFE0000)   /* 15.875 MB */
+-#define TFM_PARTITION_SIZE              (0x5C000)    /* 368 KB */
+#define TFM_PARTITION_SIZE              (0x50000)    /* 320 KB */
+ 
+ /************************************************************/
+ /* Bank : Images flash offsets are with respect to the bank */
+-- 
+2.25.1
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0015-CC312-ADAC-Add-PSA_WANT_ALG_SHA_256-definition.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0015-CC312-ADAC-Add-PSA_WANT_ALG_SHA_256-definition.patch
@@ -0,0 +1,42 @@
+From 756cfad0cc05e7f4c02faa74aea14962aa54420c Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Wed, 31 Jul 2024 13:38:09 +0200
+Subject: [PATCH 2/3] CC312: ADAC: Add PSA_WANT_ALG_SHA_256 definition
+
+The bl2_mbedcrypto_config is linked to the psa_adac_cc312 target so
+the MCUBOOT_PSA_CRYPTO_CONFIG_FILEPATH and
+MCUBOOT_MBEDCRYPTO_CONFIG_FILEPATH configs are used for the ADAC driver
+too. The MCUBOOT_USE_PSA_CRYPTO is OFF by default, that means the
+MCUBOOT_PSA_CRYPTO_CONFIG_FILEPATH is not included during the build so
+the PSA_WANT_ALG_SHA_256 is not defined for the ADAC driver. Because
+of this, the PSA_HASH_MAX_SIZE is not set correctly for the sources
+of the psa_adac_cc312 target. This caused runtime issues.
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt b/platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt
+index cb0553b40a..d7f5a54f3c 100644
+--- a/platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt
+++ b/platform/ext/accelerator/cc312/psa-adac/CMakeLists.txt
+@@ -1,5 +1,5 @@
+ #-------------------------------------------------------------------------------
+-# Copyright (c) 2020-2023, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2024, Arm Limited. All rights reserved.
+ #
+ # SPDX-License-Identifier: BSD-3-Clause
+ #
+@@ -32,6 +32,7 @@ target_compile_options(psa_adac_cc312
+         -DCC_IOT
+         -DUSE_MBEDTLS_CRYPTOCELL
+         -D_INTERNAL_CC_NO_RSA_SCHEME_15_SUPPORT
+        -DPSA_WANT_ALG_SHA_256
+ )
+ 
+ target_link_libraries(psa_adac_cc312
+-- 
+2.25.1
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0016-Platform-CS1000-Add-crypto-configs-for-ADAC.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0016-Platform-CS1000-Add-crypto-configs-for-ADAC.patch
@@ -0,0 +1,39 @@
+From ea0f0236f1dbe9ff7640c90311a3116e6db33aa2 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Wed, 31 Jul 2024 13:38:27 +0200
+Subject: [PATCH 3/3] Platform: CS1000: Add crypto configs for ADAC
+
+The psa_adac_psa_crypto target needs the MBEDTLS_CONFIG_FILE and
+MBEDTLS_PSA_CRYPTO_CONFIG_FILE defines in order to build correctly.
+The default crypto config files are used here.
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ platform/ext/target/arm/corstone1000/CMakeLists.txt | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/platform/ext/target/arm/corstone1000/CMakeLists.txt b/platform/ext/target/arm/corstone1000/CMakeLists.txt
+index 896961306d..d3652ff40c 100644
+--- a/platform/ext/target/arm/corstone1000/CMakeLists.txt
+++ b/platform/ext/target/arm/corstone1000/CMakeLists.txt
+@@ -409,6 +409,16 @@ if (${PLATFORM_PSA_ADAC_SECURE_DEBUG})
+         PRIVATE
+             platform_bl2
+     )
+
+    target_compile_definitions(psa_adac_psa_crypto
+    PRIVATE
+        MBEDTLS_CONFIG_FILE="${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h"
+        MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h"
+    )
+    target_link_libraries(psa_adac_psa_crypto
+        PRIVATE
+            psa_crypto_library_config
+    )
+ endif()
+ 
+ find_package(Python3)
+-- 
+2.25.1
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0017-Platform-CS1000-Fix-platform-name-in-logs.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0017-Platform-CS1000-Fix-platform-name-in-logs.patch
@@ -0,0 +1,27 @@
+From 8f0cd9710be508adab91d8b5ab5aa2d39e89c287 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Wed, 31 Jul 2024 19:57:33 +0200
+Subject: [PATCH] Platform: CS1000: Fix platform name in logs
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c b/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c
+index 8aacd877e4..f5baf08cb4 100644
+--- a/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c
+++ b/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c
+@@ -192,7 +192,7 @@ int32_t boot_platform_post_init(void)
+         }
+ 
+         result = tfm_to_psa_adac_corstone1000_secure_debug(secure_debug_rotpk, 32);
+-        BOOT_LOG_INF("%s: dipda_secure_debug is a %s.\r\n", __func__,
+        BOOT_LOG_INF("%s: Corstone-1000 Secure Debug is a %s.\r\n", __func__,
+                 (result == 0) ? "success" : "failure");
+ 
+     }
+-- 
+2.25.1
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0001-PSA-revert-header-versions.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0001-PSA-revert-header-versions.patch
@@ -0,0 +1,41 @@
+From 3a53a6ad7b91770a8514082e411e277c03764eb0 Mon Sep 17 00:00:00 2001
+From: Emekcan Aras <emekcan.aras@arm.com>
+Date: Wed, 9 Aug 2023 17:16:03 +0100
+Subject: [PATCH] Revert ADAC cert and token version
+
+Align ADAC certificate versions with versions in secure-debug-manager
+[1] repository. The versions of the certificate and token are checked
+during the authentication process. The debugger connection is refused
+if there is a mismatch between the sent certificate/token and expected
+certificate/token versions.
+
+[1] https://github.com/ARM-software/secure-debug-manager/tree/master
+
+Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
+Upstream-Status: Inappropriate [Add newer dummy token and cert]
+---
+ psa-adac/core/include/psa_adac.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/psa-adac/core/include/psa_adac.h b/psa-adac/core/include/psa_adac.h
+index b190992..b026607 100644
+--- a/psa-adac/core/include/psa_adac.h
+++ b/psa-adac/core/include/psa_adac.h
+@@ -30,10 +30,10 @@ extern "C" {
+  *
+  * Current version numbers for certificate and token format.
+  */
+-#define ADAC_CERT_MAJOR 1u
+-#define ADAC_CERT_MINOR 0u
+-#define ADAC_TOKEN_MAJOR 1u
+-#define ADAC_TOKEN_MINOR 0u
+#define ADAC_CERT_MAJOR 0u
+#define ADAC_CERT_MINOR 1u
+#define ADAC_TOKEN_MAJOR 0u
+#define ADAC_TOKEN_MINOR 1u
+ 
+ /** \brief Key options
+  *
+-- 
+2.17.1
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch
@@ -0,0 +1,35 @@
+From af71103845498eef4f859deba4b904a195f2817f Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Mon, 22 Jul 2024 17:33:23 +0200
+Subject: [PATCH] ADAC: Link psa_interface instead of tfm_sprt
+
+The tfm_sprt brings in other functionalities that are not needed for
+the Secure Debug.
+
+The printf() override in tfm_sp_log_raw.c can cause problems because
+it calls tfm_hal_output_sp_log() which triggers an SVC. The SVC calls
+tfm_hal_output_spm_log which relies on an SPM, which might not be
+initialized at that point.
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ psa_crypto/CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psa_crypto/CMakeLists.txt b/psa_crypto/CMakeLists.txt
+index 3e70624..58d95f7 100644
+--- a/psa_crypto/CMakeLists.txt
+++ b/psa_crypto/CMakeLists.txt
+@@ -18,7 +18,7 @@ target_sources(psa_adac_psa_crypto
+ target_link_libraries(psa_adac_psa_crypto
+     PRIVATE
+         psa_adac_config
+-        tfm_sprt
+        psa_interface
+ )
+ 
+ target_link_libraries(trusted-firmware-m-psa-adac
+-- 
+2.25.1
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0003-Fix-psa_key_handle_t-initialization.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0003-Fix-psa_key_handle_t-initialization.patch
@@ -0,0 +1,32 @@
+From 972bf711ad884607409c225f9338bf25206e29e8 Mon Sep 17 00:00:00 2001
+From: Bence Balogh <bence.balogh@arm.com>
+Date: Wed, 31 Jul 2024 15:56:51 +0200
+Subject: [PATCH] Fix psa_key_handle_t initialization
+
+If the MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER macro is defined in the
+mbedcrypto configuration header file then the psa_key_handle_t is a
+struct. In this case, it is defined in the used configuration header
+so the struct cannot be initialized with -1.
+
+Signed-off-by: Bence Balogh <bence.balogh@arm.com>
+Upstream-Status: Pending [Not submitted to upstream yet]
+---
+ psa_crypto/adac_crypto_psa_mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psa_crypto/adac_crypto_psa_mac.c b/psa_crypto/adac_crypto_psa_mac.c
+index 046fef7..93ab8f9 100644
+--- a/psa_crypto/adac_crypto_psa_mac.c
+++ b/psa_crypto/adac_crypto_psa_mac.c
+@@ -198,7 +198,7 @@ psa_status_t psa_adac_verify_mac(uint8_t key_type,
+                                  size_t mac_size)
+ {
+     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+-    psa_key_handle_t handle = -1;
+    psa_key_handle_t handle = {0};
+     psa_status_t ret = PSA_ERROR_NOT_SUPPORTED;
+     psa_key_type_t type = 0;
+     size_t bits = 0;
+-- 
+2.25.1
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
@@ -11,6 +11,8 @@ TFM_PLATFORM_IS_FVP ?= "FALSE"
 EXTRA_OECMAKE += "-DPLATFORM_IS_FVP=${TFM_PLATFORM_IS_FVP}"
 EXTRA_OECMAKE += "-DCC312_LEGACY_DRIVER_API_ENABLED=OFF"
 EXTRA_OECMAKE:append:corstone1000-fvp = " -DENABLE_MULTICORE=${@bb.utils.contains('MACHINE_FEATURES', 'corstone1000_fvp_smp', 'TRUE', 'FALSE', d)}"
+EXTRA_OECMAKE:append:corstone1000-mps3 = " -DPLATFORM_PSA_ADAC_SECURE_DEBUG=${@bb.utils.contains('MACHINE_FEATURES', 'secure-debug', 'ON', 'OFF', d)}"
+EXTRA_OECMAKE:append:corstone1000-mps3 = " -DPLATFORM_PSA_ADAC_SOURCE_PATH=${S}/../tfm-psa-adac -DPLATFORM_PSA_ADAC_BUILD_PATH=${B}/tfm-psa-adac-build"

 SRC_URI += " \
            file://0001-arm-trusted-firmware-m-disable-address-warnings-into.patch \
@@ -31,6 +33,17 @@ SRC_URI:append:corstone1000 = " \
    file://0011-Platform-Corstone1000-switch-to-metadata-v2.patch \
    file://0012-platform-corstone1000-Increase-flash-PS-area-size.patch \
    file://0013-Platform-CS1000-Fix-Bank-offsets.patch \
+    file://0014-Platform-CS1000-Increase-BL2-partition-size.patch \
+    file://0015-CC312-ADAC-Add-PSA_WANT_ALG_SHA_256-definition.patch \
+    file://0016-Platform-CS1000-Add-crypto-configs-for-ADAC.patch \
+    file://0017-Platform-CS1000-Fix-platform-name-in-logs.patch \
+    "
+
+FILESEXTRAPATHS:prepend:corstone1000-mps3 := "${THISDIR}/files/corstone1000/psa-adac:"
+SRC_URI:append:corstone1000-mps3 = " \
+    file://0001-PSA-revert-header-versions.patch;patchdir=../tfm-psa-adac \
+    file://0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch;patchdir=../tfm-psa-adac \
+    file://0003-Fix-psa_key_handle_t-initialization.patch;patchdir=../tfm-psa-adac \
    "

 # TF-M ships patches for external dependencies that needs to be applied
--- a/meta-arm-bsp/wic/corstone1000-flash-firmware.wks.in
+++ b/meta-arm-bsp/wic/corstone1000-flash-firmware.wks.in
@@ -15,9 +15,11 @@ part --source empty --size 4k --align 4 --offset 24k --part-name="Bkup-FWU-Metad
 part --source empty --size 4k --align 4 --offset 28k --part-name="private_metadata_replica_2" --uuid 3CC3B456-DEC8-4CE3-BC5C-965483CE4828 --part-type ECB55DC3-8AB7-4A84-AB56-EB0A9974DB42
 part --source empty --size 4k --align 4 --offset 32k --part-name="private_metadata_replica_2" --uuid DCE9C503-8DFD-4DCB-8889-647E49641552 --part-type ECB55DC3-8AB7-4A84-AB56-EB0A9974DB42

-part --source rawcopy --size 100k --sourceparams="file=bl2_signed.bin" --offset 36k --align 4 --part-name="bl2_primary" --uuid 9A3A8FBF-55EF-439C-80C9-A3F728033929 --part-type 64BD8ADB-02C0-4819-8688-03AB4CAB0ED9
+# The size has to be aligned to TF-M's SE_BL2_PARTITION_SIZE (tfm/platform/ext/target/arm/corstone1000/partition/flash_layout.h)
+part --source rawcopy --size 144k --sourceparams="file=bl2_signed.bin" --offset 36k --align 4 --part-name="bl2_primary" --uuid 9A3A8FBF-55EF-439C-80C9-A3F728033929 --part-type 64BD8ADB-02C0-4819-8688-03AB4CAB0ED9

-part --source rawcopy --size 368k --sourceparams="file=tfm_s_signed.bin" --align 4 --part-name="tfm_primary" --uuid 07F9616C-1233-439C-ACBA-72D75421BF70 --part-type D763C27F-07F6-4FF0-B2F3-060CB465CD4E
+# The size has to be aligned to TF-M's TFM_PARTITION_SIZE (tfm/platform/ext/target/arm/corstone1000/partition/flash_layout.h)
+part --source rawcopy --size 320k --sourceparams="file=tfm_s_signed.bin" --align 4 --part-name="tfm_primary" --uuid 07F9616C-1233-439C-ACBA-72D75421BF70 --part-type D763C27F-07F6-4FF0-B2F3-060CB465CD4E

 # Rawcopy of the FIP binary
 part --source rawcopy --size 2 --sourceparams="file=signed_fip-corstone1000.bin" --align 4 --part-name="FIP_A" --uuid B9C7AC9D-40FF-4675-956B-EEF4DE9DF1C5 --part-type B5EB19BD-CF56-45E8-ABA7-7ADB228FFEA7
@@ -27,8 +29,8 @@ part --source rawcopy --size 12 --sourceparams="file=Image.gz-initramfs-${MACHIN


 # The offset has to be aligned to TF-M's SE_BL2_BANK_1_OFFSET define (tfm/platform/ext/target/arm/corstone1000/partition/flash_layout.h)
-part --source empty --size 100k --offset 16392k --align 4 --part-name="bl2_secondary" --uuid 3F0C49A4-48B7-4D1E-AF59-3E4A3CE1BA9F --part-type 64BD8ADB-02C0-4819-8688-03AB4CAB0ED9
-part --source empty --size 368k --align 4 --part-name="tfm_secondary" --uuid 009A6A12-64A6-4F0F-9882-57CD79A34A3D --part-type D763C27F-07F6-4FF0-B2F3-060CB465CD4E
+part --source empty --size 144k --offset 16392k --align 4 --part-name="bl2_secondary" --uuid 3F0C49A4-48B7-4D1E-AF59-3E4A3CE1BA9F --part-type 64BD8ADB-02C0-4819-8688-03AB4CAB0ED9
+part --source empty --size 320k --align 4 --part-name="tfm_secondary" --uuid 009A6A12-64A6-4F0F-9882-57CD79A34A3D --part-type D763C27F-07F6-4FF0-B2F3-060CB465CD4E
 part --source empty --size 2 --align 4 --part-name="FIP_B" --uuid 9424E370-7BC9-43BB-8C23-71EE645E1273 --part-type B5EB19BD-CF56-45E8-ABA7-7ADB228FFEA7
 part --source empty --size 12 --align 4 --part-name="kernel_secondary" --uuid A2698A91-F9B1-4629-9188-94E4520808F8 --part-type 8197561D-6124-46FC-921E-141CC5745B05

--- a/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-2.1.0-src.inc
+++ b/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m-2.1.0-src.inc
@@ -5,7 +5,8 @@ LICENSE = "BSD-2-Clause & BSD-3-Clause & Apache-2.0"
 LIC_FILES_CHKSUM = "file://license.rst;md5=07f368487da347f3c7bd0fc3085f3afa \
                    file://../tf-m-tests/license.rst;md5=4481bae2221b0cfca76a69fb3411f390 \
                    file://../mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d \
-                    file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8"
+                    file://../mcuboot/LICENSE;md5=b6ee33f1d12a5e6ee3de1e82fb51eeb8 \
+                    file://../tfm-psa-adac/license.rst;md5=07f368487da347f3c7bd0fc3085f3afa"

 SRC_URI_TRUSTED_FIRMWARE_M ?= "git://git.trustedfirmware.org/TF-M/trusted-firmware-m.git;protocol=https"
 SRC_URI_TRUSTED_FIRMWARE_M_EXTRAS ?= "git://git.trustedfirmware.org/TF-M/tf-m-extras.git;protocol=https"
@@ -14,6 +15,7 @@ SRC_URI_TRUSTED_FIRMWARE_M_CMSIS ?= "git://github.com/ARM-software/CMSIS_6.git;p
 SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS ?= "gitsm://github.com/ARMmbed/mbedtls.git;protocol=https"
 SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT ?= "git://github.com/mcu-tools/mcuboot.git;protocol=https"
 SRC_URI_TRUSTED_FIRMWARE_M_QCBOR ?= "git://github.com/laurencelundblade/QCBOR.git;protocol=https"
+SRC_URI_TRUSTED_FIRMWARE_M_PSA_ADAC ?= "git://git.trustedfirmware.org/shared/psa-adac.git;protocol=https"
 SRC_URI  = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH_tfm};name=tfm;destsuffix=git/tfm \
            ${SRC_URI_TRUSTED_FIRMWARE_M_EXTRAS};branch=${SRCBRANCH_tfm-extras};name=tfm-extras;destsuffix=git/tfm-extras \
            ${SRC_URI_TRUSTED_FIRMWARE_M_TESTS};branch=${SRCBRANCH_tfm-tests};name=tfm-tests;destsuffix=git/tf-m-tests \
@@ -21,6 +23,7 @@ SRC_URI  = "${SRC_URI_TRUSTED_FIRMWARE_M};branch=${SRCBRANCH_tfm};name=tfm;dests
            ${SRC_URI_TRUSTED_FIRMWARE_M_MBEDTLS};branch=${SRCBRANCH_mbedtls};name=mbedtls;destsuffix=git/mbedtls \
            ${SRC_URI_TRUSTED_FIRMWARE_M_MCUBOOT};branch=${SRCBRANCH_mcuboot};name=mcuboot;destsuffix=git/mcuboot \
            ${SRC_URI_TRUSTED_FIRMWARE_M_QCBOR};branch=${SRCBRANCH_qcbor};name=qcbor;destsuffix=git/qcbor \
+            ${SRC_URI_TRUSTED_FIRMWARE_M_PSA_ADAC};branch=${SRCBRANCH_tfm-psa-adac};name=tfm-psa-adac;destsuffix=git/tfm-psa-adac \
            "

 # The required dependencies are documented in tf-m/config/config_base.cmake
@@ -45,6 +48,9 @@ SRCREV_mcuboot = "9c99326b9756dbcc35b524636d99ed5f3e6cb29b"
 # QCBOR v1.2
 SRCBRANCH_qcbor ?= "master"
 SRCREV_qcbor = "b0e7033268e88c9f27146fa9a1415ef4c19ebaff"
+# PSA-ADAC (intermediate SHA, default value for PLATFORM_PSA_ADAC_VERSION in TF-M)
+SRCBRANCH_tfm-psa-adac = "master"
+SRCREV_tfm-psa-adac = "5f5490cebe66ae997f316f83c3fbf1f97deef625"

 SRCREV_FORMAT = "tfm"