TF-M support and limitations in the nRF Connect SDK
This page lists the supported features and limitations of Trusted Firmware-M (TF-M) in the nRF Connect SDK.
TF-M version in the nRF Connect SDK
The nRF Connect SDK v3.3.0 allows you to develop applications with the following versions of security components:
nRF Connect SDK release |
TF-M version |
IronSide Secure Enclave version |
Mbed TLS version |
|---|---|---|---|
v3.3.0 |
v2.2.2 |
v23.7.0+30 |
3.6.6 |
Upcoming release (currently on the |
v2.3.0 |
v23.7.0+30 |
3.6.6 |
For versions used in older releases of the nRF Connect SDK, check the expandable section on the Security page.
Supported TF-M profiles
The Trusted Firmware-M provides several TF-M Profiles for different use cases and levels of TF-M configuration.
The nRF Connect SDK does not follow this classification. Instead, it provides two main configurations for TF-M: minimal and configurable.
Configuration profile |
Support status in the nRF Connect SDK |
Description |
|---|---|---|
Minimal |
Bare-minimal configuration to allow the device to boot securely. Contains only random number generator and allows for a limited number of operations. |
|
Configurable (full) |
Full configuration that allows you to enable or disable different partitions in the TF-M configuration file. See Configurable build for more information. |
|
Not supported |
Basic lightweight TF-M framework with basic Secure Services to keep smallest memory footprint. |
|
Not supported |
Reference implementation to align with security requirements defined in PSA Certified ARoT-less Level 2 protection profile. |
|
Not supported |
Profile Medium aims to securely connect devices to Cloud services with asymmetric cipher support. |
|
Not supported |
Profile Large protects less resource-constrained Arm Cortex-M devices. |
Hardware support matrix for TF-M profiles
The following table lists hardware support and software maturity levels for the minimal and configurable TF-M profiles in the nRF Connect SDK.
TF-M profile support TF-M profile
nRF52810
nRF52811
nRF52820
nRF52832
nRF52833
nRF52840
–
–
–
–
–
–
–
–
–
–
–
–
For board targets supported by TF-M, see Board targets supported by TF-M.
TF-M profile support TF-M profile
nRF5340
Experimental
Supported
For board targets supported by TF-M, see Board targets supported by TF-M.
TF-M profile support TF-M profile
nRF54H20
–
–
For board targets supported by TF-M, see Board targets supported by TF-M.
TF-M profile support TF-M profile
nRF54L05
nRF54L10
nRF54L15
nRF54LM20A
nRF54LM20B
nRF54LV10A
nRF54LS05A
nRF54LS05B
–
Experimental
Experimental
Experimental
Experimental
Experimental
–
–
–
Experimental
Experimental
Experimental
Experimental
Experimental
–
–
For board targets supported by TF-M, see Board targets supported by TF-M.
TF-M profile support TF-M profile
nRF9131
nRF9151
nRF9160
nRF9161
–
Experimental
Experimental
Experimental
Experimental
Supported
Supported
Supported
For the definitions of the maturity levels, see Software maturity levels.
Minimal TF-M configuration
The default configuration of TF-M has all supported features enabled, which results in a significant memory footprint. For this reason, the nRF Connect SDK provides a minimal version of the TF-M secure application, which shows how to configure a reduced version of TF-M.
The secure services supported by the minimal version allow for:
Generating random numbers using the random generator available in the device (see
psa_generate_random()in crypto.h).Using the platform services with tfm_platform_api.h from the non-secure side (except the
tfm_platform_nv_counter_*functions). This includes sending platform-specific service requests using tfm_ioctl_core_api.h and tfm_ioctl_api.h.Reading secure memory from the non-secure application (strictly restricted to a list of allowed addresses). Depending on the device, this lets you read metadata in the bootloader, verify FICR or UICR values, or access a peripheral that is secure-only.
Rebooting from the non-secure side.
See Building and configuring TF-M for more information on building the TF-M secure application with the minimal build.
Configurable TF-M build
The configurable build is the full TF-M implementation that lets you configure all of its features. It does not have the constraints of the minimal build.
When you use the configurable build, you can enable or disable any of the features in the application configuration file. See Configurable build for more information on building the TF-M secure application with the configurable build.
Supported TF-M services
The following TF-M services are supported in the nRF Connect SDK:
TF-M service |
Supported API version in the nRF Connect SDK |
Description |
Configuration steps |
|---|---|---|---|
Platform service |
n/a |
Mandatory implementation of the Platform RoT Services. Provides platform-specific services to other TF-M partitions and to non-secure applications. |
|
Crypto |
Provides cryptographic operations like encryption and decryption, hashing, key management, and random number generation. |
||
Internal Trusted Storage (ITS) |
Provides a secure storage mechanism for sensitive data in internal flash, with optional encryption support. |
||
Protected Storage (PS) |
Provides secure storage with encryption, integrity protection, and rollback protection for non-secure applications. |
||
Initial Attestation |
Provides mechanisms to prove the device identity and software state to remote entities. |
||
Firmware Update |
n/a |
The nRF Connect SDK does not implement the PSA Firmware Update API.
Instead, other options are available for the immutable bootloader and the upgradable bootloader.
See Bootloaders and DFU for more information on available bootloaders.
|
n/a |
Isolation Level support
TF-M provides different isolation levels between security domains. The following table lists the isolation level support in Nordic Semiconductor’s implementation of TF-M:
Isolation level |
Support status in the nRF Connect SDK |
Description |
|---|---|---|
Level 1 |
Supported |
SPE isolation - Secure Processing Environment is protected from access by Non-Secure application firmware and hardware. |
Level 2 |
Supported with limitations |
Platform RoT isolation - In addition to Level 1, Platform RoT is protected from Application RoT (App RoT).
Limitation in the nRF Connect SDK: The number of peripherals configured as secure in App RoT is limited by available MPU regions.
|
Level 3 |
Not supported |
Maximum firmware isolation, with each Secure Partition sandboxed and only permitted to access its own resources. |
Differences between TF-M in the nRF Connect SDK and upstream Zephyr
The TF-M implementation in the nRF Connect SDK differs from the implementation in upstream Zephyr. These are the main differences:
Board support:
The Supported TF-M services implemented in the nRF Connect SDK are not recommended for use with boards in upstream Zephyr because these boards have limited TF-M support:
Upstream Zephyr only fully supports TF-M for nRF91 Series DKs and nRF5340 DK.
Upstream Zephyr’s TF-M integration for nRF54L15 is limited to Zephyr’s TF-M IPC and the
config_buildsamples (both part of TF-M Integration).In upstream Zephyr, TF-M integration for boards based on nRF5340 (other than the nRF5340 DK) is not supported.
TF-M configuration:
The nRF Connect SDK allows for more customization of TF-M features:
The nRF Connect SDK provides a minimal build option that is enabled by default for nRF53 and nRF91 Series devices.
The nRF Connect SDK offers a configurable build that allows for more fine-grained control over TF-M features.
Upstream Zephyr uses predefined, basic TF-M profiles that might result in larger memory footprint.
Logging:
The nRF Connect SDK provides enhanced logging capabilities with options to configure UART instances. For nRF5340 and nRF91 Series devices, the nRF Connect SDK allows TF-M and the application to share the same UART for logging.
Security features:
The nRF Connect SDK integrates TF-M with nRF Security to enable hardware acceleration.
The nRF Connect SDK provides additional security hardening measures specific to Nordic Semiconductor devices.
Bootloader integration:
The nRF Connect SDK uses its own version of MCUboot (sdk-mcuboot) that is specifically integrated with TF-M.
Upstream Zephyr uses the standard MCUboot implementation.
Samples:
The nRF Connect SDK provides its own set of TF-M samples.
TF-M Integration samples from upstream Zephyr are not compatible with the Supported TF-M services implemented in the nRF Connect SDK when built from upstream Zephyr.
Limitations of TF-M in the nRF Connect SDK
The following sections summarize the limitations of TF-M in the nRF Connect SDK, organized by category.
Core features
TF-M profiles are not supported.
Isolation level 3 is not supported.
TF-M’s second-stage bootloader (BL2) is not supported. Instead, the nRF Connect SDK uses its own version of MCUboot (sdk-mcuboot), which is supported with TF-M and provides. See MCUboot and NSIB for more information.
For Isolation level 2, the number of peripherals that are configurable as secure in the Application Root of Trust (ARoT) is limited by available MPU regions.
Security services
Firmware Update service is not supported.
Firmware verification is not supported.
Firmware encryption is not supported.
Protected off-chip data storage and retrieval are not supported.
Audit logging is not supported.
Cryptography
The following crypto modules and ciphers are not supported:
AES output feedback (AES-OFB) mode.
AES cipher feedback (AES-CFB) mode.
Development and integration
GCC is the only supported toolchain for building TF-M on Nordic Semiconductor devices.