The tests is a TF-M application which verifies TF-M functionality on both SPE and NSPE sides.
Thus, tests require an extension of SPE side with test code and extra functionality
for some Non-Secure test cases. To inject that test code into SPE the
CONFIG_TFM_TEST_DIR option is used. When SPE build system sees this option
it adds the corresponding folder via
and includes it to SPE binary.
Also, test configurations should be passed to SPE build to include building Secure Tests.
To hide these complexities to developers, TF-M implements a wrapper CMake in tf-m-tests repository 1 to build the SPE for testing rather than building it from the TF-M repository.
The recommended tf-m-tests repo commit to verify TF-M can be found at
<TF-M source dir>/lib/ext/tf-m-tests/version.txt.
It does not support auto-downloading as builds start from it.
You need to download it manually before building any tests with the following commands:
git clone https://git.trustedfirmware.org/TF-M/tf-m-tests.git git checkout <recommended tf-m-tests commit>
For instructions on configuring, building and executing the regression tests please refer to the documentation in tf-m-tests repository (to be added). The regression test application is located under /tests_reg folder. It is recommended to build both SPE and NSPE from that folder.
The basic commands for building the regression tests will be:
cd </tf-m-tests/tests_reg> cmake -S spe -B build_spe -DTFM_PLATFORM=arm/mps2/an521 \ -DCONFIG_TFM_SOURCE_PATH=<TF-M source dir> \ -DTFM_TOOLCHAIN_FILE=<Absolute path to>/toolchain_ARMCLANG.cmake \ -DTEST_S=ON -DTEST_NS=ON cmake --build build_spe -- install cmake -S . -B build_test -DCONFIG_SPE_PATH=<Absolute path to>/build_spe/api_ns cmake --build build_test
Instead of enable all the supported Secure (
TEST_S) and NS (
TEST_NS) tests, you can also
enable individual test suites by using
For the available test suites, refer to the
default_ns_test_config.cmake files in tf-m-tests repo.
All the test suite config options should be passed to the SPE build command, including NS ones. The SPE building command also accepts all the other config options used to build a single TF-M. All options passing to SPE build does not have to be duplicated in NSPE build, including NS test suite config options. And this also applies to the below PSA API tests.
PSA API tests
PSA API tests from https://github.com/ARM-software/psa-arch-tests use the same
mechanism for SPE extension as the regression tests above utilising
PSA API tests are selected by the TEST_PSA_API variable. Enabling both regression tests and
PSA API tests simultaneously is not supported.
TF-M implements a wrapper CMake for PSA API tests as well. The PSA API test codes are located under /tests_psa_arch folder.
Here is a brief description of the basic flow: Select one of the following test suites to be run.
-DTEST_PSA_API=INTERNAL_TRUSTED_STORAGE -DTEST_PSA_API=PROTECTED_STORAGE -DTEST_PSA_API=STORAGE -DTEST_PSA_API=CRYPTO -DTEST_PSA_API=INITIAL_ATTESTATION -DTEST_PSA_API=IPC
Respectively for the corresponding service. For detailed information, please refer to PSA Certified APIs Architecture Test Suite section 2 in the documentation of psa-arch-tests repository.
For example, to enable the PSA API tests for the Crypto service:
cd </tf-m-tests/tests_psa_arch folder> cmake -S spe -B build_spe -DTFM_PLATFORM=arm/mps2/an521 -DCONFIG_TFM_SOURCE_PATH=<TF-M source dir> -DTEST_PSA_API=CRYPTO cmake --build build_spe -- install cmake -S . -B build_test -DCONFIG_SPE_PATH=<Absolute path to>/build_spe/api_ns cmake --build build_test