arm-bsp: corstone1000: Enable secure debug on TF-M v2.2.x

Allow TF-M v2.2.1 to boot with Secure Debug enabled on Corstone-1000 and align the driver implementation with the current psa-adac library. - Add missing DRBG macros to fix the "Failed to generate challenge!" error during Secure Debug. - Fix an unintended platform reset occurring immediately after setting the debug enable bits in the dcu_en register while in SE LCS. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com> Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com> Signed-off-by: Jon Mason <jon.mason@arm.com>
2026-01-11 15:00:39 +00:00 · 2026-01-07 13:49:31 +00:00
parent b295bd407c
commit d9f9fa431b
12 changed files with 631 additions and 37 deletions
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-BL2-Remove-the-weak-function-definition.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0011-BL2-Remove-the-weak-function-definition.patch
@@ -0,0 +1,116 @@
+From bea93292fdd5eecd4d106a4288004493cabd13b2 Mon Sep 17 00:00:00 2001
+From: Maulik Patel <maulik.patel@arm.com>
+Date: Mon, 14 Jul 2025 14:55:09 +0100
+Subject: [PATCH] BL2: Remove the weak function definition
+
+When psa_adac_generate_challenge is called from the psa adac crypto
+library (psa_adac_psa_crypto), linker uses the weak function defined in
+the thin_psa_crypto_core.c since it part of same static library
+(bl2_cc3xx_psa_driver_api).
+
+This weak function is intended to be overridden by the strong function
+defined in the linked library (cc3xx_psa_random).
+
+This commit creates separate static library for the weak function
+mbedtls_psa_external_get_random and links it only when the
+crypto hardware accelerator is not enabled.
+
+Upstream-Status: Backport [aef30c4e6507db792648b01f81bc82d3c54f7d43]
+Signed-off-by: Maulik Patel <maulik.patel@arm.com>
+Change-Id: Ic51944a2f4c9bf0bcc0560a38e40c85444bd8aac
+---
+ bl2/CMakeLists.txt             | 14 ++++++++++++++
+ bl2/src/psa_stub_rng.c         | 24 ++++++++++++++++++++++++
+ bl2/src/thin_psa_crypto_core.c | 16 ----------------
+ 3 files changed, 38 insertions(+), 16 deletions(-)
+ create mode 100644 bl2/src/psa_stub_rng.c
+
+diff --git a/bl2/CMakeLists.txt b/bl2/CMakeLists.txt
+index f6c2f894d0..d852102427 100644
+--- a/bl2/CMakeLists.txt
+++ b/bl2/CMakeLists.txt
+@@ -57,6 +57,19 @@ endif()
+ 
+ ############################### BL2_CRYPTO #####################################
+ 
+# Adds a static library target named 'bl2_fallback_rng' which includes the source file
+# 'src/psa_stub_rng.c'. This source file contains only the __weak stub implementation,
+# serving as a fallback for random number generation in case no other RNG is provided.
+if(NOT CRYPTO_HW_ACCELERATOR)
+    add_library(bl2_fallback_rng STATIC
+        src/psa_stub_rng.c
+    )
+    target_link_libraries(bl2_fallback_rng
+        PUBLIC
+            bl2_crypto_config
+    )
+endif()
+
+ set(is_384_bit_curve "$<STREQUAL:${SIG_LEN},384>")
+ set(is_256_bit_curve "$<STREQUAL:${SIG_LEN},256>")
+ set(build_sha_384    "$<AND:${is_ec_signature},${is_384_bit_curve}>")
+@@ -150,6 +163,7 @@ target_link_libraries(bl2
+         $<$<BOOL:${TEST_BL2}>:mcuboot_tests>
+     PUBLIC
+         bl2_crypto
+        $<$<NOT:$<BOOL:${CRYPTO_HW_ACCELERATOR}>>:bl2_fallback_rng>
+ )
+ 
+ target_compile_options(bl2
+diff --git a/bl2/src/psa_stub_rng.c b/bl2/src/psa_stub_rng.c
+new file mode 100644
+index 0000000000..6ede1ddc59
+--- /dev/null
+++ b/bl2/src/psa_stub_rng.c
+@@ -0,0 +1,24 @@
+/*
+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+/**
+ * \note This source file is derivative work of psa_crypto.c from the Mbed TLS project
+ */
+#include <stdint.h>
+#include "psa/crypto.h"
+
+/* This function is stubbed as no source of randomness is required
+ * by APIs used in the BLx stages. Nevertheless, an hardwware driver
+ * for a TRNG might override this implementation with a valid one
+ * hence mark it as a weak
+ */
+__attribute__((weak))
+psa_status_t mbedtls_psa_external_get_random(
+    mbedtls_psa_external_random_context_t *context,
+    uint8_t *output, size_t output_size, size_t *output_length)
+{
+    return PSA_ERROR_NOT_SUPPORTED;
+}
+diff --git a/bl2/src/thin_psa_crypto_core.c b/bl2/src/thin_psa_crypto_core.c
+index 4c0c1897a2..07e3e1e07b 100644
+--- a/bl2/src/thin_psa_crypto_core.c
+++ b/bl2/src/thin_psa_crypto_core.c
+@@ -677,19 +677,3 @@ psa_status_t psa_driver_wrapper_export_public_key(
+ 
+     return PSA_SUCCESS;
+ }
+-
+-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+-/* This function is stubbed as no source of randomness is required
+- * by APIs used in the BLx stages. Nevertheless, an hardwware driver
+- * for a TRNG might override this implementation with a valid one
+- * hence mark it as a weak
+- */
+-__attribute__((weak))
+-psa_status_t mbedtls_psa_external_get_random(
+-    mbedtls_psa_external_random_context_t *context,
+-    uint8_t *output, size_t output_size, size_t *output_length)
+-{
+-    return PSA_ERROR_NOT_SUPPORTED;
+-}
+-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+-/*!@}*/
+-- 
+2.43.0
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-Corstone-1000-Enable-different-DRBG-configurations.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0012-Corstone-1000-Enable-different-DRBG-configurations.patch
@@ -0,0 +1,40 @@
+From d60a6b4edda3465d86ec264b2cbfd7d14109ed5f Mon Sep 17 00:00:00 2001
+From: Devaraj Ranganna <devaraj.ranganna@arm.com>
+Date: Thu, 18 Sep 2025 22:07:38 +0100
+Subject: [PATCH 2/2] Corstone-1000: Enable different DRBG configurations
+
+The following DRBG configurations are enabled:
+
+* `CC3XX_CONFIG_DRBG_CTR_ENABLE`
+* `CC3XX_CONFIG_DRBG_HMAC_ENABLE`
+* `CC3XX_CONFIG_DRBG_HASH_ENABLE`
+
+The choice of DRBG is defined by `CC3XX_CONFIG_ENABLE_RANDOM_CTR_DRBG`.
+
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
+---
+ platform/ext/target/arm/corstone1000/cc3xx_config.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/platform/ext/target/arm/corstone1000/cc3xx_config.h b/platform/ext/target/arm/corstone1000/cc3xx_config.h
+index c5654a6bdb..199a99e1ca 100644
+--- a/platform/ext/target/arm/corstone1000/cc3xx_config.h
+++ b/platform/ext/target/arm/corstone1000/cc3xx_config.h
+@@ -87,6 +87,13 @@
+ #error "cc3xx_config: RNG config must select a single DRBG"
+ #endif /* CC3XX_CONFIG_RNG_DRBG_HMAC + CC3XX_CONFIG_RNG_DRBG_CTR + CC3XX_CONFIG_RNG_DRBG_HASH */
+ 
+/* Whether the CTR_DRBG is enabled through the generic interface */
+#define CC3XX_CONFIG_DRBG_CTR_ENABLE
+/* Whether the HMAC_DRBG is enabled through the generic interface */
+#define CC3XX_CONFIG_DRBG_HMAC_ENABLE
+/* Whether the HASH_DRBG is enabled through the generic interface */
+#define CC3XX_CONFIG_DRBG_HASH_ENABLE
+
+ /* Whether an external TRNG should be used in place of the standard CC3XX TRNG */
+ /* #define CC3XX_CONFIG_RNG_EXTERNAL_TRNG */
+ 
+-- 
+2.43.0
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0013-bl2-corstone-1000-Remove-psa_adac_to_tfm_apply_permi.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0013-bl2-corstone-1000-Remove-psa_adac_to_tfm_apply_permi.patch
@@ -0,0 +1,51 @@
+From 2165f9db2257905d20722a2b87ceb53f320fc198 Mon Sep 17 00:00:00 2001
+From: Devaraj Ranganna <devaraj.ranganna@arm.com>
+Date: Mon, 22 Sep 2025 12:48:57 +0100
+Subject: [PATCH 1/2] bl2: corstone-1000: Remove
+ `psa_adac_to_tfm_apply_permissions`
+
+The API `psa_adac_to_tfm_apply_permissions` is added to `psa-adac`
+library. Therefore, remove it from
+`platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c`.
+
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
+---
+ .../arm/corstone1000/bl2/boot_hal_bl2.c       | 21 -------------------
+ 1 file changed, 21 deletions(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c b/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c
+index 2abcfb5fd3..8c4eb80d03 100644
+--- a/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c
+++ b/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c
+@@ -111,27 +111,6 @@ static bool fill_flash_map_with_fip_data(uint8_t boot_index) {
+ #endif /* !TFM_S_REG_TEST */
+ 
+ #ifdef PLATFORM_PSA_ADAC_SECURE_DEBUG
+-int psa_adac_to_tfm_apply_permissions(uint8_t permissions_mask[16])
+-{
+-    (void)permissions_mask;
+-
+-    int ret;
+-    uint32_t dcu_reg_values[4];
+-
+-    /* Below values provide same access as when platform is in development
+-       life cycle state */
+-    dcu_reg_values[0] = 0xffffe7fc;
+-    dcu_reg_values[1] = 0x800703ff;
+-    dcu_reg_values[2] = 0xffffffff;
+-    dcu_reg_values[3] = 0xffffffff;
+-
+-    ret = crypto_hw_apply_debug_permissions((uint8_t*)dcu_reg_values, 16);
+-    BOOT_LOG_INF("%s: debug permission apply %s\n\r", __func__,
+-            (ret == 0) ? "success" : "fail");
+-
+-    return ret;
+-}
+-
+ uint8_t secure_debug_rotpk[32];
+ #endif /* PLATFORM_PSA_ADAC_SECURE_DEBUG */
+ 
+-- 
+2.43.0
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0014-bl2-corstone-1000-secure-debug-waiting-in-CM-LCS.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0014-bl2-corstone-1000-secure-debug-waiting-in-CM-LCS.patch
@@ -0,0 +1,56 @@
+From fddaf5d297f56305b50b672477cabb840d6f426b Mon Sep 17 00:00:00 2001
+From: Devaraj Ranganna <devaraj.ranganna@arm.com>
+Date: Mon, 22 Sep 2025 12:59:43 +0100
+Subject: [PATCH 2/2] bl2: corstone-1000: secure debug waiting in CM LCS
+
+Currently, when the device is in Secure Enable (SE) LCS state, setting
+`dcu_en` register causes CC-312 reset, which effectively resets the
+device as they are both on same power domain. Therefore, temporarily
+disable moving SE enable before waiting for secure debug notification.
+The device will be in CM provisioned state.
+
+Long-term solution is to implement a solution similar to RSE, secure
+debug handshake is completed and then a reset is triggered and `dcu_en`
+is applied during bl2.
+
+Upstream-Status: Inappropriate [Need to be redesigned]
+Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
+---
+ .../ext/target/arm/corstone1000/bl2/boot_hal_bl2.c  | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c b/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c
+index 8c4eb80d03..bf7b62881a 100644
+--- a/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c
+++ b/platform/ext/target/arm/corstone1000/bl2/boot_hal_bl2.c
+@@ -165,7 +165,18 @@ int32_t boot_platform_post_init(void)
+     }
+ 
+ #ifdef PLATFORM_PSA_ADAC_SECURE_DEBUG
+    /*  TODO: Currently, when the device is in Secure Enable (SE) LCS state,
+        setting `dcu_en` register causes CC-312 reset, which effectively resets
+        the device as they are both on same power domain. Therefore, temporarily
+        disable moving SE enable before waiting for secure debug notification.
+        The device will be in CM provisioned state.
+
+        Long-term solution is to implement a solution similar to RSE, secure
+        debug handshake is completed and then a reset is triggered and `dcu_en`
+        is applied during bl2.
+
+     if (!tfm_plat_provisioning_is_required()) {
+    */
+ 
+         plat_err = tfm_plat_otp_read(PLAT_OTP_ID_SECURE_DEBUG_PK, 32, secure_debug_rotpk);
+         if (plat_err != TFM_PLAT_ERR_SUCCESS) {
+@@ -176,7 +187,7 @@ int32_t boot_platform_post_init(void)
+         BOOT_LOG_INF("%s: Corstone-1000 Secure Debug is a %s.\r\n", __func__,
+                 (result == 0) ? "success" : "failure");
+ 
+-    }
+  /*}*/
+ #endif
+ 
+     return 0;
+-- 
+2.43.0
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0015-CC3XX-Add-logging-on-cc3xx_dcu.c.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0015-CC3XX-Add-logging-on-cc3xx_dcu.c.patch
@@ -0,0 +1,88 @@
+From 6c2aae4f5dae05d12b834ea8ca5c7da505ffd965 Mon Sep 17 00:00:00 2001
+From: Antonio de Angelis <Antonio.deAngelis@arm.com>
+Date: Thu, 18 Sep 2025 11:17:46 +0100
+Subject: [PATCH 1/4] CC3XX: Add logging on cc3xx_dcu.c
+
+Helps understanding which values are being applied and the
+current status of the system (current DCU opens, DCU locks and
+the restriction mask).
+
+Upstream-Status: Backport [7d3931b4f02ea253f065d593743a7c2e0cbca0d7]
+Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
+Change-Id: I426ee064a0008d8031aabdea91fa771b8c892fe4
+
+---
+ .../cc3xx/low_level_driver/src/cc3xx_dcu.c    | 29 +++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c b/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c
+index bc23ed6aba..ce9b1afc4a 100644
+--- a/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c
+++ b/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c
+@@ -10,6 +10,9 @@
+ #include <assert.h>
+ #include <string.h>
+ 
+/* FixMe: Remove this when CC3XX_INFO logging gets sorted */
+#define CC3XX_INFO(...)
+
+ /**
+  * @brief Check that the requested permissions are in accordance with the
+  *        hardware restriction mask
+@@ -21,6 +24,12 @@ static cc3xx_err_t check_dcu_restriction_mask(const uint32_t *val)
+ {
+     size_t idx;
+ 
+    CC3XX_INFO("icv_dcu_restriction_mask: 0x%08x_%08x_%08x_%08x\r\n",
+               P_CC3XX->ao.ao_icv_dcu_restriction_mask[0],
+               P_CC3XX->ao.ao_icv_dcu_restriction_mask[1],
+               P_CC3XX->ao.ao_icv_dcu_restriction_mask[2],
+               P_CC3XX->ao.ao_icv_dcu_restriction_mask[3]);
+
+     for (idx = 0; idx < sizeof(P_CC3XX->ao.ao_icv_dcu_restriction_mask) / sizeof(uint32_t); idx++) {
+         if (val[idx] & ~P_CC3XX->ao.ao_icv_dcu_restriction_mask[idx]) {
+             return CC3XX_ERR_DCU_MASK_MISMATCH;
+@@ -42,6 +51,18 @@ static cc3xx_err_t check_dcu_locks(const uint32_t *val)
+     size_t idx;
+     uint32_t dcu_has_to_change;
+ 
+    CC3XX_INFO("Current host_dcu_en: 0x%08x_%08x_%08x_%08x\r\n",
+               P_CC3XX->ao.host_dcu_en[0],
+               P_CC3XX->ao.host_dcu_en[1],
+               P_CC3XX->ao.host_dcu_en[2],
+               P_CC3XX->ao.host_dcu_en[3]);
+
+    CC3XX_INFO("host_dcu_lock: 0x%08x_%08x_%08x_%08x\r\n",
+               P_CC3XX->ao.host_dcu_lock[0],
+               P_CC3XX->ao.host_dcu_lock[1],
+               P_CC3XX->ao.host_dcu_lock[2],
+               P_CC3XX->ao.host_dcu_lock[3]);
+
+     for (idx = 0; idx < sizeof(P_CC3XX->ao.host_dcu_en) / sizeof(uint32_t); idx++) {
+         /* Check if the host_dcu_en has to change */
+         dcu_has_to_change = P_CC3XX->ao.host_dcu_en[idx] ^ val[idx];
+@@ -123,6 +144,12 @@ cc3xx_err_t cc3xx_dcu_set_enabled(const uint8_t *permissions_mask, size_t len)
+         dcu_en_requested[idx] = *((uint32_t *)(permissions_mask + (idx*sizeof(uint32_t))));
+     }
+ 
+    CC3XX_INFO("Requested host_dcu_en: 0x%08x_%08x_%08x_%08x\r\n",
+               dcu_en_requested[0],
+               dcu_en_requested[1],
+               dcu_en_requested[2],
+               dcu_en_requested[3]);
+
+     /* Check the restriction mask for the dcu_en*/
+     err = check_dcu_restriction_mask(dcu_en_requested);
+     if (err != CC3XX_ERR_SUCCESS) {
+@@ -139,6 +166,8 @@ cc3xx_err_t cc3xx_dcu_set_enabled(const uint8_t *permissions_mask, size_t len)
+         P_CC3XX->ao.host_dcu_en[idx] = dcu_en_requested[idx];
+     }
+ 
+    CC3XX_INFO("Requested host_dcu_en applied successfully\r\n");
+
+     return CC3XX_ERR_SUCCESS;
+ }
+ /** @} */ // end of cc3xx_dcu
+-- 
+2.43.0
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0016-CC3XX-DCU-Check-dcu_en-against-the-permanent_disable.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0016-CC3XX-DCU-Check-dcu_en-against-the-permanent_disable.patch
@@ -0,0 +1,72 @@
+From b51461b88a0fb4ab60e21fcf7f85503e0a7aade0 Mon Sep 17 00:00:00 2001
+From: Antonio de Angelis <Antonio.deAngelis@arm.com>
+Date: Thu, 18 Sep 2025 13:02:36 +0100
+Subject: [PATCH 2/4] CC3XX: DCU: Check dcu_en against the
+ permanent_disable_mask
+
+Regardless of the lifecycle state, there is a permanent disable
+mask register against which the required DCU_EN need to be checked.
+
+Upstream-Status: Backport [ab8edf16290fc13aa2eb5f5149235613c4f7c9a0]
+Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
+Change-Id: I2b4435d6ae7ebb8238987be06ac0c3b40b6dc991
+
+---
+ .../cc3xx/low_level_driver/src/cc3xx_dcu.c    | 34 ++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c b/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c
+index ce9b1afc4a..089589f278 100644
+--- a/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c
+++ b/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c
+@@ -39,6 +39,32 @@ static cc3xx_err_t check_dcu_restriction_mask(const uint32_t *val)
+     return CC3XX_ERR_SUCCESS;
+ }
+ 
+/**
+ * @brief Check that the requested permissions are in accordance with the
+ *        permanent disable mask. A 1 in the mask means disabled
+ *
+ * @param[in] val Sets of permissions, i.e. host_dcu_en to check as an array of 4 words
+ * @return cc3xx_err_t CC3XX_ERR_SUCCESS or CC3XX_ERR_DCU_MASK_MISMATCH
+ */
+static cc3xx_err_t check_dcu_permanent_disable_mask(const uint32_t *val)
+{
+    size_t idx;
+
+    CC3XX_INFO("permanent_disable_mask: 0x%08x_%08x_%08x_%08x\r\n",
+               P_CC3XX->ao.ao_permanent_disable_mask[0],
+               P_CC3XX->ao.ao_permanent_disable_mask[1],
+               P_CC3XX->ao.ao_permanent_disable_mask[2],
+               P_CC3XX->ao.ao_permanent_disable_mask[3]);
+
+    for (idx = 0; idx < sizeof(P_CC3XX->ao.ao_permanent_disable_mask) / sizeof(uint32_t); idx++) {
+        if (val[idx] & P_CC3XX->ao.ao_permanent_disable_mask[idx]) {
+            return CC3XX_ERR_DCU_MASK_MISMATCH;
+        }
+    }
+
+    return CC3XX_ERR_SUCCESS;
+}
+
+ /**
+  * @brief Check that the requested permissions are in accordance with the
+  *        current status of the DCU locks
+@@ -150,7 +176,13 @@ cc3xx_err_t cc3xx_dcu_set_enabled(const uint8_t *permissions_mask, size_t len)
+                dcu_en_requested[2],
+                dcu_en_requested[3]);
+ 
+-    /* Check the restriction mask for the dcu_en*/
+    /* Check the permanent disable mask for the dcu_en */
+    err = check_dcu_permanent_disable_mask(dcu_en_requested);
+    if (err != CC3XX_ERR_SUCCESS) {
+        return err;
+    }
+
+    /* Check the ICV restriction mask for the dcu_en */
+     err = check_dcu_restriction_mask(dcu_en_requested);
+     if (err != CC3XX_ERR_SUCCESS) {
+         return err;
+-- 
+2.43.0
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0017-CC3XX-DCU-Enable-checking-ICV-restriction-mask-confi.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0017-CC3XX-DCU-Enable-checking-ICV-restriction-mask-confi.patch
@@ -0,0 +1,118 @@
+From 7607a80c43e6cdc9aab6aea61dcc6b4a567136b2 Mon Sep 17 00:00:00 2001
+From: Antonio de Angelis <Antonio.deAngelis@arm.com>
+Date: Fri, 19 Sep 2025 10:21:59 +0100
+Subject: [PATCH 3/4] CC3XX: DCU: Enable checking ICV restriction mask
+ configurable
+
+To allow for platforms which might not convey the CM/DM cert
+enable information to the driver to work correctly. The ICV
+restriction mask is a software only feature hence restrictions
+won't be taken into account when the feature is not enabled in FW.
+
+Upstream-Status: Backport [ffb14450be486b5cb9cc8d0cce8903fc3bb5de34]
+Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
+Change-Id: Ie5b7efadf9ef1f722546585669383e660acf97a9
+
+---
+ .../target/arm/corstone1000/cc3xx_config.h    |  3 +++
+ .../cc3xx/low_level_driver/src/cc3xx_dcu.c    | 21 ++++++++++++++-----
+ .../target/arm/musca_b1/cc312/cc3xx_config.h  |  3 +++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/cc3xx_config.h b/platform/ext/target/arm/corstone1000/cc3xx_config.h
+index 199a99e1ca..a63a2df07a 100644
+--- a/platform/ext/target/arm/corstone1000/cc3xx_config.h
+++ b/platform/ext/target/arm/corstone1000/cc3xx_config.h
+@@ -13,6 +13,9 @@
+ #define CC3XX_CONFIG_BASE_ADDRESS (CC3XX_BASE_S)
+ #endif /* CC3XX_CONFIG_BASE_ADDRESS */
+ 
+/* Whether the DCU apply permission function enforces ICV restriction mask */
+#define CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK
+
+ /* Whether uint32_t accesses must be strictly 4-byte aligned */
+ /* CC3XX_CONFIG_STRICT_UINT32_T_ALIGNMENT */
+ 
+diff --git a/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c b/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c
+index 089589f278..f2b70819c0 100644
+--- a/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c
+++ b/platform/ext/target/arm/drivers/cc3xx/low_level_driver/src/cc3xx_dcu.c
+@@ -1,18 +1,26 @@
+ /*
+- * Copyright (c) 2024, The TrustedFirmware-M Contributors. All rights reserved.
+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
+  *
+  * SPDX-License-Identifier: BSD-3-Clause
+  *
+  */
+ 
+-#include "cc3xx_dcu.h"
+-#include "cc3xx_dev.h"
+#ifndef CC3XX_CONFIG_FILE
+#include "cc3xx_config.h"
+#else
+#include CC3XX_CONFIG_FILE
+#endif
+
+ #include <assert.h>
+ #include <string.h>
+ 
+#include "cc3xx_dcu.h"
+#include "cc3xx_dev.h"
+
+ /* FixMe: Remove this when CC3XX_INFO logging gets sorted */
+ #define CC3XX_INFO(...)
+ 
+#ifdef CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK
+ /**
+  * @brief Check that the requested permissions are in accordance with the
+  *        hardware restriction mask
+@@ -20,7 +28,7 @@
+  * @param[in] val Sets of permissions, i.e. host_dcu_en to check as an array of 4 words
+  * @return cc3xx_err_t CC3XX_ERR_SUCCESS or CC3XX_ERR_DCU_MASK_MISMATCH
+  */
+-static cc3xx_err_t check_dcu_restriction_mask(const uint32_t *val)
+static cc3xx_err_t check_dcu_icv_restriction_mask(const uint32_t *val)
+ {
+     size_t idx;
+ 
+@@ -38,6 +46,7 @@ static cc3xx_err_t check_dcu_restriction_mask(const uint32_t *val)
+ 
+     return CC3XX_ERR_SUCCESS;
+ }
+#endif /* CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK */
+ 
+ /**
+  * @brief Check that the requested permissions are in accordance with the
+@@ -182,11 +191,13 @@ cc3xx_err_t cc3xx_dcu_set_enabled(const uint8_t *permissions_mask, size_t len)
+         return err;
+     }
+ 
+#ifdef CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK
+     /* Check the ICV restriction mask for the dcu_en */
+-    err = check_dcu_restriction_mask(dcu_en_requested);
+    err = check_dcu_icv_restriction_mask(dcu_en_requested);
+     if (err != CC3XX_ERR_SUCCESS) {
+         return err;
+     }
+#endif /* CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK */
+ 
+     /* Check if any dcu_lock has been locked for the corresponding dcu_en */
+     err = check_dcu_locks(dcu_en_requested);
+diff --git a/platform/ext/target/arm/musca_b1/cc312/cc3xx_config.h b/platform/ext/target/arm/musca_b1/cc312/cc3xx_config.h
+index cd38d3e837..6fc7ae0fa0 100644
+--- a/platform/ext/target/arm/musca_b1/cc312/cc3xx_config.h
+++ b/platform/ext/target/arm/musca_b1/cc312/cc3xx_config.h
+@@ -13,6 +13,9 @@
+ #define CC3XX_CONFIG_BASE_ADDRESS (CC3XX_BASE_S)
+ #endif /* CC3XX_CONFIG_BASE_ADDRESS */
+ 
+/* Whether the DCU apply permission function enforces ICV restriction mask */
+#define CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK
+
+ /* Whether uint32_t accesses must be strictly 4-byte aligned */
+ /* CC3XX_CONFIG_STRICT_UINT32_T_ALIGNMENT */
+ 
+-- 
+2.43.0
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0018-Platform-ADAC-Musca-B1-and-Corstone-1000-do-not-chec.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/0018-Platform-ADAC-Musca-B1-and-Corstone-1000-do-not-chec.patch
@@ -0,0 +1,49 @@
+From d50f841de57c0848595834ab8cde4c89e4ffc1ca Mon Sep 17 00:00:00 2001
+From: Antonio de Angelis <Antonio.deAngelis@arm.com>
+Date: Fri, 19 Sep 2025 10:31:21 +0100
+Subject: [PATCH 4/4] Platform: ADAC: Musca-B1 and Corstone-1000 do not check
+ ICV restrictions mask
+
+As the permissions being requested in our reference certificates are not
+taking into consideration this aspect yet. As restriction checking is purely
+a FW feature, this means that ICV restrictions are not taken into any
+considerations (i.e. which DCU_EN are exclusively reserved for CM or DM)
+
+Upstream-Status: Backport [392f6752bd70052371278c93693b8c3d95cce0c9]
+Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
+Change-Id: I8ef4e432a395e1938d749082fbd25fa58916211c
+
+---
+ platform/ext/target/arm/corstone1000/cc3xx_config.h   | 2 +-
+ platform/ext/target/arm/musca_b1/cc312/cc3xx_config.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/platform/ext/target/arm/corstone1000/cc3xx_config.h b/platform/ext/target/arm/corstone1000/cc3xx_config.h
+index a63a2df07a..e3f7843986 100644
+--- a/platform/ext/target/arm/corstone1000/cc3xx_config.h
+++ b/platform/ext/target/arm/corstone1000/cc3xx_config.h
+@@ -14,7 +14,7 @@
+ #endif /* CC3XX_CONFIG_BASE_ADDRESS */
+ 
+ /* Whether the DCU apply permission function enforces ICV restriction mask */
+-#define CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK
+/* #define CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK */
+ 
+ /* Whether uint32_t accesses must be strictly 4-byte aligned */
+ /* CC3XX_CONFIG_STRICT_UINT32_T_ALIGNMENT */
+diff --git a/platform/ext/target/arm/musca_b1/cc312/cc3xx_config.h b/platform/ext/target/arm/musca_b1/cc312/cc3xx_config.h
+index 6fc7ae0fa0..1faf4a06e5 100644
+--- a/platform/ext/target/arm/musca_b1/cc312/cc3xx_config.h
+++ b/platform/ext/target/arm/musca_b1/cc312/cc3xx_config.h
+@@ -14,7 +14,7 @@
+ #endif /* CC3XX_CONFIG_BASE_ADDRESS */
+ 
+ /* Whether the DCU apply permission function enforces ICV restriction mask */
+-#define CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK
+/* #define CC3XX_CONFIG_DCU_ICV_RESTRICTION_MASK_CHECK */
+ 
+ /* Whether uint32_t accesses must be strictly 4-byte aligned */
+ /* CC3XX_CONFIG_STRICT_UINT32_T_ALIGNMENT */
+-- 
+2.43.0
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch
@@ -1,35 +0,0 @@
-From af71103845498eef4f859deba4b904a195f2817f Mon Sep 17 00:00:00 2001
-From: Bence Balogh <bence.balogh@arm.com>
-Date: Mon, 22 Jul 2024 17:33:23 +0200
-Subject: [PATCH] ADAC: Link psa_interface instead of tfm_sprt
-
-The tfm_sprt brings in other functionalities that are not needed for
-the Secure Debug.
-
-The printf() override in tfm_sp_log_raw.c can cause problems because
-it calls tfm_hal_output_sp_log() which triggers an SVC. The SVC calls
-tfm_hal_output_spm_log which relies on an SPM, which might not be
-initialized at that point.
-
-Signed-off-by: Bence Balogh <bence.balogh@arm.com>
-Upstream-Status: Backport [af0acd1af3e2cc81b12931b31367fb95e49e8272]
---
- psa_crypto/CMakeLists.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/psa_crypto/CMakeLists.txt b/psa_crypto/CMakeLists.txt
-index 3e70624..58d95f7 100644
--- a/psa_crypto/CMakeLists.txt
-+++ b/psa_crypto/CMakeLists.txt
-@@ -18,7 +18,7 @@ target_sources(psa_adac_psa_crypto
- target_link_libraries(psa_adac_psa_crypto
-     PRIVATE
-         psa_adac_config
-        tfm_sprt
-+        psa_interface
- )
- 
- target_link_libraries(trusted-firmware-m-psa-adac
-- 
-2.25.1
-
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0002-Fix-psa_key_handle_t-initialization.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0002-Fix-psa_key_handle_t-initialization.patch
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0003-cmake-Update-psa_adac_psa_crypto-dependencies.patch
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/files/corstone1000/psa-adac/0003-cmake-Update-psa_adac_psa_crypto-dependencies.patch
@@ -0,0 +1,30 @@
+From 3c552d0b46559160581e89bf310db0b176e33074 Mon Sep 17 00:00:00 2001
+From: Devaraj Ranganna <devaraj.ranganna@arm.com>
+Date: Thu, 18 Sep 2025 17:45:20 +0100
+Subject: [PATCH] cmake: Update `psa_adac_psa_crypto` dependencies
+
+The auto-generated header files are part of `psa_adac_core` library.
+Therefore, link `psa_adac_psa_crypto` library with `psa_adac_core`
+library.
+
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
+---
+ psa_crypto/CMakeLists.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/psa_crypto/CMakeLists.txt b/psa_crypto/CMakeLists.txt
+index b1c3f5d..efc284d 100644
+--- a/psa_crypto/CMakeLists.txt
+++ b/psa_crypto/CMakeLists.txt
+@@ -20,6 +20,7 @@ target_link_libraries(psa_adac_psa_crypto
+         psa_adac_config
+         $<$<BOOL:${PSA_ADAC_AS_TFM_RUNTIME_SERVICE}>:tfm_sprt>
+         psa_interface
+        psa_adac_core
+ )
+ 
+ target_link_libraries(trusted-firmware-m-psa-adac
+-- 
+2.43.0
+
--- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
+++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc
@@ -31,6 +31,7 @@ SRC_URI += " \
           "

 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+SRCREV_tfm-psa-adac:corstone1000 = "f2809ae231be33a1afcd7714f40756c67d846c88"
 SRC_URI:append:corstone1000 = " \
    file://0001-Platform-CS1000-Remove-unused-BL1-files.patch \
    file://0002-Platform-Corstone1000-Fix-BL1-compiler-switch-and-re.patch \
@@ -42,13 +43,21 @@ SRC_URI:append:corstone1000 = " \
    file://0008-Platform-Corstone1000-Increase-BL1-size-and-align-bi.patch \
    file://0009-Platform-CS1K-Adapt-ADAC-enabled-build-to-the-new-BL.patch \
    file://0010-plat-corstone1000-Add-support-for-Cortex-A320-varian.patch \
+    file://0011-BL2-Remove-the-weak-function-definition.patch \
+    file://0012-Corstone-1000-Enable-different-DRBG-configurations.patch \
+    file://0013-bl2-corstone-1000-Remove-psa_adac_to_tfm_apply_permi.patch \
+    file://0014-bl2-corstone-1000-secure-debug-waiting-in-CM-LCS.patch \
+    file://0015-CC3XX-Add-logging-on-cc3xx_dcu.c.patch \
+    file://0016-CC3XX-DCU-Check-dcu_en-against-the-permanent_disable.patch \
+    file://0017-CC3XX-DCU-Enable-checking-ICV-restriction-mask-confi.patch \
+    file://0018-Platform-ADAC-Musca-B1-and-Corstone-1000-do-not-chec.patch \
    "

 FILESEXTRAPATHS:prepend:corstone1000-mps3 := "${THISDIR}/files/corstone1000/psa-adac:"
 SRC_URI:append:corstone1000-mps3 = " \
    file://0001-PSA-revert-header-versions.patch;patchdir=../tfm-psa-adac \
-    file://0002-ADAC-Link-psa_interface-instead-of-tfm_sprt.patch;patchdir=../tfm-psa-adac \
-    file://0003-Fix-psa_key_handle_t-initialization.patch;patchdir=../tfm-psa-adac \
+    file://0002-Fix-psa_key_handle_t-initialization.patch;patchdir=../tfm-psa-adac \
+    file://0003-cmake-Update-psa_adac_psa_crypto-dependencies.patch;patchdir=../tfm-psa-adac \
    "

 do_install() {