Add MAX32657 NS Board

boards/adi/max32657evkit/Kconfig.defconfig

@@ -22,4 +22,24 @@ DT_CHOSEN_Z_CODE_PARTITION := zephyr,code-partition
 config FLASH_LOAD_SIZE
 	default $(dt_chosen_reg_size_hex,$(DT_CHOSEN_Z_CODE_PARTITION))
 
+if BOARD_MAX32657EVKIT_MAX32657_NS
+
+config FLASH_LOAD_OFFSET
+	default $(dt_chosen_reg_addr_hex,$(DT_CHOSEN_Z_CODE_PARTITION))
+
+# MAX32657 has one UART interface,
+# It can be used either on TFM or Zephyr
+# Enabling debug (TFM_SPM_LOG_LEVEL || TFM_PARTITION_LOG_LEVEL) will transfer it to the TFM side
+# Disabling TFM debug will transfer it to the Zephyr side.
+
+choice TFM_SPM_LOG_LEVEL
+	default TFM_SPM_LOG_LEVEL_SILENCE
+endchoice
+
+choice TFM_PARTITION_LOG_LEVEL
+	default TFM_PARTITION_LOG_LEVEL_SILENCE
+endchoice
+
+endif # BOARD_MAX32657EVKIT_MAX32657_NS
+
 endif # BOARD_MAX32657EVKIT

boards/adi/max32657evkit/Kconfig.max32657evkit

@@ -2,4 +2,5 @@
 # SPDX-License-Identifier: Apache-2.0
 
 config BOARD_MAX32657EVKIT
-	select SOC_MAX32657 if BOARD_MAX32657EVKIT_MAX32657
+	select SOC_MAX32657 if BOARD_MAX32657EVKIT_MAX32657 ||	\
+			       BOARD_MAX32657EVKIT_MAX32657_NS

boards/adi/max32657evkit/board.cmake

@@ -1,6 +1,10 @@
 # Copyright (c) 2024-2025 Analog Devices, Inc.
 # SPDX-License-Identifier: Apache-2.0
 
+if(CONFIG_BOARD_MAX32657EVKIT_MAX32657_NS)
+  set_property(TARGET runners_yaml_props_target PROPERTY hex_file tfm_merged.hex)
+endif()
+
 board_runner_args(jlink "--device=MAX32657" "--reset-after-load")
 
 include(${ZEPHYR_BASE}/boards/common/openocd-adi-max32.boards.cmake)

boards/adi/max32657evkit/board.yml

@@ -6,3 +6,5 @@ board:
   vendor: adi
   socs:
   - name: max32657
+    variants:
+    - name: "ns"

boards/adi/max32657evkit/doc/index.rst

@@ -288,6 +288,7 @@ Zephyr board options
 The MAX32657 microcontroller (MCU) is an advanced system-on-chip (SoC)
 featuring an ARM Cortex-M33 architecture that provides Trustzone technology
 which allow define secure and non-secure application.
+Zephyr provides support for building for both Secure (S) and Non-Secure (NS) firmware.
 
 The BOARD options are summarized below:
 
@@ -296,16 +297,18 @@ The BOARD options are summarized below:
 +===============================+===========================================+
 | max32657evkit/max32657        | For building Trust Zone Disabled firmware |
 +-------------------------------+-------------------------------------------+
+| max32657evkit/max32657/ns     | Building with TF-M (includes NS+S images) |
++-------------------------------+-------------------------------------------+
 
 
 BOARD: max32657evkit/max32657
 =============================
 
-Build the zephyr app for ``max32657evkit/max32657`` board will generate secure firmware
+Build the zephyr app for ``max32657evkit/max32657`` board target will generate secure firmware
 for zephyr. In this configuration 960KB of flash is used to store the code and 64KB
 is used for storage section. In this mode tf-m is off and secure mode flag is on
-``:kconfig:option:CONFIG_TRUSTED_EXECUTION_SECURE=y`` and
-``:kconfig:option:CONFIG_BUILD_WITH_TFM=n``
+(:kconfig:option:`CONFIG_TRUSTED_EXECUTION_SECURE` to ``y`` and
+:kconfig:option:`CONFIG_BUILD_WITH_TFM` to ``n``)
 
 +----------+------------------+---------------------------------+
 | Name     | Address[Size]    | Comment                         |
@@ -324,6 +327,172 @@ using :zephyr:code-sample:`blinky` sample:
    :goals: build
 
 
+BOARD: max32657evkit/max32657/ns
+================================
+
+The ``max32657evkit/max32657/ns`` board target is used to build the secure firmware
+image using TF-M (:kconfig:option:`CONFIG_BUILD_WITH_TFM` to ``y``) and
+the non-secure firmware image using Zephyr
+(:kconfig:option:`CONFIG_TRUSTED_EXECUTION_NONSECURE` to ``y``).
+
+Here are the instructions to build zephyr with a non-secure configuration,
+using :zephyr:code-sample:`blinky` sample:
+
+.. zephyr-app-commands::
+   :zephyr-app: samples/basic/blinky/
+   :board: max32657evkit/max32657/ns
+   :goals: build
+
+The above command will:
+ * Build a bootloader image (MCUboot)
+ * Build a TF-M (secure) firmware image
+ * Build Zephyr application as non-secure firmware image
+ * Merge them as ``tfm_merged.hex`` which contain all images.
+
+
+Note:
+
+Zephyr build TF-M with :kconfig:option:`CONFIG_TFM_PROFILE_TYPE_NOT_SET` mode
+that meet most use case configuration especially for BLE related applications.
+if TF-M small profile meet your application requirement you can set TF-M profile as small
+:kconfig:option:`CONFIG_TFM_PROFILE_TYPE_SMALL` to ``y`` to decrease TF-M RAM and flash use.
+
+
+Memory mappings
+---------------
+
+MAX32657 1MB flash and 256KB RAM split to define section for MCUBoot,
+TF-M (S), Zephyr (NS) and storage that used for secure services and configurations.
+Default layout of MAX32657 is listed in below table.
+
++----------+------------------+---------------------------------+
+| Name     | Address[Size]    | Comment                         |
++==========+==================+=================================+
+| boot     | 0x1000000[64K]   | MCU Bootloader                  |
++----------+------------------+---------------------------------+
+| slot0    | 0x1010000[320k]  | Secure image slot0 (TF-M)       |
++----------+------------------+---------------------------------+
+| slot0_ns | 0x1060000[576k]  | Non-secure image slot0 (Zephyr) |
++----------+------------------+---------------------------------+
+| slot1    | 0x10F0000[0k]    | Updates slot0 image             |
++----------+------------------+---------------------------------+
+| slot1_ns | 0x10F0000[0k]    | Updates slot0_ns image          |
++----------+------------------+---------------------------------+
+| storage  | 0x10f0000[64k]   | Persistent storage              |
++----------+------------------+---------------------------------+
+
+
++----------------+------------------+-------------------+
+| RAM            | Address[Size]    | Comment           |
++================+==================+===================+
+| secure_ram     | 0x20000000[64k]  | Secure memory     |
++----------------+------------------+-------------------+
+| non_secure_ram | 0x20010000[192k] | Non-Secure memory |
++----------------+------------------+-------------------+
+
+
+Flash memory layout are defines both on zephyr board file and `Trusted Firmware M`_ (TF-M) project
+these definition shall be match. Zephyr defines it in
+:zephyr_file:`boards/adi/max32657evkit/max32657evkit_max32657_common.dtsi`
+file under flash section. TF-M project define them in
+<zephyr_path>../modules/tee/tf-m/trusted-firmware-m/platform/ext/target/adi/max32657/partition/flash_layout.h file.`
+If you would like to update flash region for your application you shall update related section in
+these files.
+
+Additionally if firmware update feature requires slot1 and slot1_ns section need to be
+defined. On default the section size set as 0 due to firmware update not requires on default.
+
+
+Peripherals and Memory Ownership
+--------------------------------
+
+The ARM Security Extensions model allows system developers to partition device hardware and
+software resources, so that they exist in either the Secure world for the security subsystem,
+or the Normal world for everything else. Correct system design can ensure that no Secure world
+assets can be accessed from the Normal world. A Secure design places all sensitive resources
+in the Secure world, and ideally has robust software running that can protect assets against
+a wide range of possible software attacks (`1`_).
+
+MPC (Memory Protection Controller) and PPC (Peripheral Protection Controller) are allow to
+protect memory and peripheral. Incase of need peripheral and flash ownership can be updated in
+<zephyr_path>../modules/tee/tf-m/trusted-firmware-m/platform/ext/target/adi/max32657/s_ns_access.cmake`
+file by updating cmake flags to ON/OFF.
+
+As an example for below configuration TRNG, SRAM_0 and SRAM_1 is not going to be accessible
+by non-secure. All others is going to be accessible by NS world.
+
+.. code-block::
+
+  set(ADI_NS_PRPH_GCR         ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_SIR         ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_FCR         ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_WDT         ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_AES         OFF        CACHE BOOL "")
+  set(ADI_NS_PRPH_AESKEY      OFF        CACHE BOOL "")
+  set(ADI_NS_PRPH_CRC         ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_GPIO0       ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_TIMER0      ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_TIMER1      ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_TIMER2      ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_TIMER3      ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_TIMER4      ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_TIMER5      ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_I3C         ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_UART        ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_SPI         ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_TRNG        OFF        CACHE BOOL "")
+  set(ADI_NS_PRPH_BTLE_DBB    ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_BTLE_RFFE   ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_RSTZ        ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_BOOST       ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_BBSIR       ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_BBFCR       ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_RTC         ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_WUT0        ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_WUT1        ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_PWR         ON         CACHE BOOL "")
+  set(ADI_NS_PRPH_MCR         ON         CACHE BOOL "")
+
+  # SRAMs
+  set(ADI_NS_SRAM_0           OFF        CACHE BOOL "Size: 32KB")
+  set(ADI_NS_SRAM_1           OFF        CACHE BOOL "Size: 32KB")
+  set(ADI_NS_SRAM_2           ON         CACHE BOOL "Size: 64KB")
+  set(ADI_NS_SRAM_3           ON         CACHE BOOL "Size: 64KB")
+  set(ADI_NS_SRAM_4           ON         CACHE BOOL "Size: 64KB")
+
+  # Ramfuncs section size
+  set(ADI_S_RAM_CODE_SIZE     "0x800"    CACHE STRING "Default: 2KB")
+
+  # Flash: BL2, TFM and Zephyr are contiguous sections.
+  set(ADI_FLASH_AREA_BL2_SIZE        "0x10000"  CACHE STRING "Default: 64KB")
+  set(ADI_FLASH_S_PARTITION_SIZE     "0x50000"  CACHE STRING "Default: 320KB")
+  set(ADI_FLASH_NS_PARTITION_SIZE    "0x90000"  CACHE STRING "Default: 576KB")
+  set(ADI_FLASH_PS_AREA_SIZE         "0x4000"   CACHE STRING "Default: 16KB")
+  set(ADI_FLASH_ITS_AREA_SIZE        "0x4000"   CACHE STRING "Default: 16KB")
+
+  #
+  # Allow user set S-NS resources ownership by overlay file
+  #
+  if(EXISTS "${CMAKE_BINARY_DIR}/../../s_ns_access_overlay.cmake")
+    include(${CMAKE_BINARY_DIR}/../../s_ns_access_overlay.cmake)
+  endif()
+
+
+As an alternative method (which recommended) user can configurate ownership peripheral by
+an cmake overlay file too without touching TF-M source files. For this path
+create ``s_ns_access_overlay.cmake`` file under your project root folder and put peripheral/memory
+you would like to be accessible by secure world.
+
+As an example if below configuration files been put in the ``s_ns_access_overlay.cmake`` file
+TRNG, SRAM_0 and SRAM_1 will be accessible by secure world only.
+
+.. code-block::
+
+  set(ADI_NS_PRPH_TRNG        OFF        CACHE BOOL "")
+  set(ADI_NS_SRAM_0           OFF        CACHE BOOL "Size: 32KB")
+  set(ADI_NS_SRAM_1           OFF        CACHE BOOL "Size: 32KB")
+
+
 Programming and Debugging
 *************************
 
@@ -348,6 +517,34 @@ see the following message in the terminal:
    ***** Booting Zephyr OS build v4.1.0 *****
    Hello World! max32657evkit/max32657
 
+Building and flashing secure/non-secure with Arm |reg| TrustZone |reg|
+----------------------------------------------------------------------
+The TF-M integration samples can be run using the
+``max32657evkit/max32657/ns`` board target. To run we need to manually flash
+the resulting image (``tfm_merged.hex``) with a J-Link as follows
+(reset and erase are for recovering a locked core):
+
+.. zephyr-app-commands::
+   :zephyr-app: samples/hello_world
+   :board: max32657evkit/max32657/ns
+   :goals: build
+
+.. code-block:: console
+
+      west flash --hex-file build/zephyr/tfm_merged.hex
+
+.. code-block:: console
+
+   [INF] Starting bootloader
+   [WRN] This device was provisioned with dummy keys. This device is NOT SECURE
+   [INF] PSA Crypto init done, sig_type: RSA-3072
+   [WRN] Cannot upgrade: slots have non-compatible sectors
+   [WRN] Cannot upgrade: slots have non-compatible sectors
+   [INF] Bootloader chainload address offset: 0x10000
+   [INF] Jumping to the first image slot
+   ***** Booting Zephyr OS build v4.1.0 *****
+   Hello World! max32657evkit/max32657/ns
+
 
 Debugging
 =========
@@ -367,3 +564,12 @@ should see the following message in the terminal:
 
    ***** Booting Zephyr OS build v4.1.0 *****
    Hello World! max32657evkit/max32657
+
+References
+**********
+
+.. _1:
+   https://developer.arm.com/documentation/100935/0100/The-TrustZone-hardware-architecture-
+
+.. _Trusted Firmware M:
+   https://tf-m-user-guide.trustedfirmware.org/building/tfm_build_instruction.html

boards/adi/max32657evkit/max32657evkit_max32657_ns.dts

@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2024-2025 Analog Devices, Inc.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/dts-v1/;
+
+#include <adi/max32/max32657_ns.dtsi>
+#include "max32657evkit_max32657_common.dtsi"
+
+/ {
+	 chosen {
+		zephyr,sram = &non_secure_ram;
+		zephyr,flash = &flash0;
+		zephyr,code-partition = &slot0_ns_partition;
+	 };
+
+	 reserved-memory {
+		#address-cells = <1>;
+		#size-cells = <1>;
+		ranges;
+
+		/* RAM split used by TFM */
+		secure_ram: partition@20000000 {
+			label = "secure-memory";
+			reg = <0x20000000 DT_SIZE_K(64)>;
+		};
+
+		non_secure_ram: partition@20010000 {
+			label = "non-secure-memory";
+			reg = <0x20010000 DT_SIZE_K(192)>;
+		};
+	};
+};
+
+&flash0 {
+	partitions {
+		compatible = "fixed-partitions";
+		#address-cells = <1>;
+		#size-cells = <1>;
+
+		boot_partition: partition@0 {
+			label = "mcuboot";
+			reg = <0x0 DT_SIZE_K(64)>;
+			read-only;
+		};
+
+		slot0_partition: partition@10000 {
+			label = "image-0";
+			reg = <0x10000 DT_SIZE_K(320)>;
+		};
+
+		slot0_ns_partition: partition@60000 {
+			label = "image-0-nonsecure";
+			reg = <0x60000 DT_SIZE_K(576)>;
+		};
+
+		/*
+		 * slot1_partition: partition@f0000 {
+		 *  label = "image-1";
+		 *	reg = <0xf0000 DT_SIZE_K(0)>;
+		 * };
+		 * slot1_ns_partition: partition@f0000 {
+		 *	label = "image-1-nonsecure";
+		 *	reg = <0xf0000 DT_SIZE_K(0)>;
+		 * };
+		 */
+
+		storage_partition: partition@f0000 {
+			label = "storage";
+			reg = <0xf0000 DT_SIZE_K(64)>;
+		};
+	};
+};

boards/adi/max32657evkit/max32657evkit_max32657_ns.yaml

@@ -0,0 +1,13 @@
+identifier: max32657evkit/max32657/ns
+name: max32657evkit-max32657-Non-Secure
+vendor: adi
+type: mcu
+arch: arm
+toolchain:
+  - zephyr
+  - gnuarmemb
+supported:
+  - serial
+  - gpio
+ram: 192
+flash: 576