RFC: boards: arm: add Corstone-1000-A320 FVP board support

[npitre]

Add board support for the Arm Corstone-1000-A320 Fixed Virtual Platform (FVP),
featuring the Cortex-A320 (ARMv9.2-A) host processor.

• Full sysbuild integration: TF-M (Secure Enclave, Cortex-M0+) and TF-A
  (Host CPU) are built alongside Zephyr automatically
• Single-core (fvp_corstone1000/a320) and quad-core SMP
  (fvp_corstone1000/a320/smp) variants

Dependencies

• west.yml: points TF-A and TF-M to repos carrying Cortex-A320 support;
  this needs a better resolution
• TF-M patch (included via west patch): DSU-120T PPU driver for Cortex-A320
  host power-on
  (upstream: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/45749)
• TF-A patch (included via west patch): fix secondary core hold pen cache
  coherency

Currently no Ethos-85 support.

[github-actions]

The following west manifest projects have changed revision in this Pull Request:

Name	Old Revision	New Revision	Diff
trusted-firmware-a	zephyrproject-rtos/trusted-firmware-a@0a29cac (master)	zephyrproject-rtos/trusted-firmware-a#8	zephyrproject-rtos/trusted-firmware-a#8/files
trusted-firmware-m	zephyrproject-rtos/trusted-firmware-m@3ddfef0	zephyrproject-rtos/trusted-firmware-m@27023e9 (zephyr_tf-m_v2.2.2)	zephyrproject-rtos/trusted-firmware-m@3ddfef0e..27023e9c

⛔ DNM label due to: 1 project with PR revision

Note: This message is automatically posted and updated by the Manifest GitHub Action.

[nordicjm]

we do not add patches to zephyr

[nordicjm]

file to go

[npitre]

Done — file removed.

[nordicjm]

file to go

[npitre]

Done — file removed.

[nordicjm]

This should be done using board targets, not a sysbuild Kconfig @tomi-font can probably explain

[tomi-font]

seems the Kconfig is gone -- @npitre do you want to make TF-M optional or always enabled?

[npitre]

TF-M is always required on Corstone-1000 — the Secure Enclave (Cortex-M0+) runs TF-M which handles provisioning, verified boot, and powers on the host CPU via the DSU-120T PPU. Without TF-M, the Cortex-A320 never starts.

The original board variant selection Kconfig that @nordicjm commented on has been removed. The remaining Kconfig.sysbuild only exposes debug/log-level knobs for the TF-M and TF-A builds.

[nordicjm]

The bottom variable seems unused, you might want to use https://github.com/zephyrproject-rtos/zephyr/blob/main/cmake/modules/python.cmake#L14 to find a minimum version

[npitre]

ARMFVP_MIN_VERSION is consumed by cmake/emu/armfvp.cmake — it queries the FVP binary version at configure time and warns if it is below the board-specified minimum. This is the existing mechanism used by other FVP boards (e.g. fvp_base_revc_2xaem).

[nordicjm]

Suggested change

	For early boot debugging before the UART is available, semihosting can be
	used. Add ``CONFIG_SEMIHOST=y`` and ``CONFIG_SEMIHOST_CONSOLE=y`` to the
	board defconfig (replacing ``CONFIG_UART_CONSOLE=y``). The FVP has
	semihosting enabled by default.
	For early boot debugging before the UART is available, semihosting can be used by enabling
	:kconfig:option:`CONFIG_SEMIHOST` and :kconfig:option:`CONFIG_SEMIHOST_CONSOLE`, and disabling
	:kconfig:option:`CONFIG_UART_CONSOLE`. The FVP has
	semihosting enabled by default.

[npitre]

Done — applied the suggested wording.

[nordicjm]

this does not look like something zephyr should have

[npitre]

Done — file removed.

[nordicjm]

this is not how TF-M is built in zephyr, please use the existing infrastructure

[npitre]

The Corstone-1000 is architecturally different from existing Zephyr TF-M boards: TF-M runs on a separate Cortex-M0+ Secure Enclave, not on the same CPU as Zephyr via TrustZone.

The existing Zephyr TF-M sysbuild infrastructure (modules/trusted-firmware-m/) assumes the TrustZone SPE/NSPE split model where TF-M and Zephyr share the same CPU and the same toolchain. On the Corstone-1000:

• TF-M targets a Cortex-M0+ (SE) — requires arm-zephyr-eabi (ARM 32-bit) toolchain
• Zephyr targets a Cortex-A320 (Host) — uses aarch64-zephyr-elf (AArch64) toolchain
• The SE has its own ROM (BL1), flash layout, and provisioning cycle
• Communication between the two CPUs is via a hardware mailbox, not TrustZone secure calls

Zephyr's existing TF-M integration produces SPE/NSPE image pairs for one CPU. Here we need to cross-compile TF-M for a completely different architecture and then package the output (bl1.bin, flash image with GPT partitions) into the FVP's ROM/flash loading scheme.

I don't see how the existing infrastructure can be adapted for this dual-CPU topology without major changes to it. If there's a path I'm missing, I'm happy to hear about it — but given the fundamental architectural mismatch, I believe ExternalProject is the right approach here.

[tomi-font]

How about extending the TF-M integration so that your use case is possible with just some additional configuration? So that the logic for that would be in modules/trusted-firmware-m and not in boards directly.

[npitre]

I looked into what extending modules/trusted-firmware-m would require for this dual-CPU topology. The gap is substantial:

1. Toolchain decoupling — The current code hardcodes TF-M's toolchain to match Zephyr's. We'd need a separate TFM_TOOLCHAIN_* selection mechanism since TF-M targets arm-zephyr-eabi (Cortex-M0+) while Zephyr uses aarch64-zephyr-elf (Cortex-A320).

2. New Kconfig trigger — BUILD_WITH_TFM requires TRUSTED_EXECUTION_NONSECURE + ARM_TRUSTZONE_M, neither of which applies to an AArch64 host. A new entry path would be needed.

3. Different artifact model — The existing infrastructure produces s_veneers.o and merged hex for a shared-CPU TrustZone split. Corstone-1000 needs SE ROM images, GPT flash layout, MCUboot signing of TF-A BL2, and FIP assembly — none of which overlaps with the current post-processing pipeline.

4. Board mapping — TFM_BOARD maps one Zephyr board to one TF-M platform on the same CPU. Here the TF-M platform (arm/corstone1000) targets a completely different processor than Zephyr's.

In practice, the only thing the board-local ExternalProject shares with the standard infrastructure is the ExternalProject_Add call to invoke TF-M's CMake. Everything else — toolchain setup, configuration, artifact consumption, image assembly — is Corstone-1000-specific. Generalizing this into modules/trusted-firmware-m would mean adding a parallel code path that doesn't reuse the existing one, while making the module more complex for all users.

Given that we don't know yet how many other platforms will need this mixed-architecture TF-M model, is the added infrastructure complexity justified at this point? If more dual-CPU boards appear in the future, the board-local logic would be a natural starting point for extracting a shared implementation.

That said, I may be missing a simpler integration path — if you see a way to hook into the existing infrastructure without a major overhaul, I'm all ears.

[tomi-font]

Yeah no I think you know better what it would take. I'm fine with doing it this way if there's no other board in Zephyr which is in the same situation. Though if/when another such board shows up we should build the infrastructure for it so we don't end up with different boards redoing the same thing by themselves.

[wearyzen]

Upstream docker doesn't have the FVP_Corstone-1000-A320 could we add it so that ci can actually test these changes?
For reference other FVPs are added here: https://github.com/zephyrproject-rtos/docker-image/blob/main/Dockerfile.base#L43

[wearyzen]

AFAIR Zephyr doesn't allow fetching code from external repos. TF-M changes should be added to https://github.com/zephyrproject-rtos/trusted-firmware-m following the common guidelines mentioned here: https://docs.zephyrproject.org/latest/develop/modules.html#submitting-changes-to-modules and here: https://github.com/zephyrproject-rtos/mbedtls#additional-patches

[tomi-font]

Yeah, if you want to make additions to TF-A you'll need to make them to Zephyr's fork of it just like you did with TF-M.

[npitre]

Done — submitted zephyrproject-rtos/docker-image#286 to add the Corstone-1000-A320 FVP to the CI container.

[wearyzen]

Done — submitted zephyrproject-rtos/docker-image#286 to add the Corstone-1000-A320 FVP to the CI container.

I see the docker PR is merged, @stephanosio could you please help updating the ci image to include the new FVP so that this PR could be tested?

[wearyzen]

Hi @npitre now that this PR links to TF-A and TF-M PRs, we don't need the patches anymore. So, could you please remove the zephyr/patches folder and patch files from this PR?

[npitre]

@wearyzen The remaining patch (0003) is not covered by the TF-M or TF-A module PRs. It's a fix for a secondary core hold pen cache coherency bug that is still pending upstream review on Gerrit:

https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/48505

Without it, SMP boot fails on the Corstone-1000-A320. Once it gets merged upstream and into the Zephyr TF-A mirror, we can drop this last patch.

[wearyzen]

@wearyzen The remaining patch (0003) is not covered by the TF-M or TF-A module PRs. It's a fix for a secondary core hold pen cache coherency bug that is still pending upstream review on Gerrit:

https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/48505

Without it, SMP boot fails on the Corstone-1000-A320. Once it gets merged upstream and into the Zephyr TF-A mirror, we can drop this last patch.

Ok, I missed that. But then in that case the patch should still be removed and included in the TF-A PR because Zephyr PRs don't allow patches in PR.

[npitre]

@wearyzen Per the module contribution policy, changes to a module's codebase before they have been merged in the upstream project should be limited to urgent fixes such as security vulnerabilities. The hold pen cache coherency fix is currently pending upstream review on Gerrit (https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/48505), so it wouldn't be appropriate to add it to the TF-A mirror PR at this stage. If you know how to speed up the upstream review, that would be welcome.

[wearyzen]

closed and re-opened the PR because this is the simplest way I know to start the CI 🤷
There is a new docker image release https://github.com/zephyrproject-rtos/docker-image/releases/tag/v0.28.8 with Corstone-1000-A320 FVP so we should see some test built with it now.

[wearyzen]

@npitre I tried to run a hello_world with the upstream docker image but it seems gdisk is not installed. Could you please add that to the docker image as well along with anything else that is needed and request for another image spin if it works locally for you in the container?

I also found that TFM build tries to clone QCBOR and T_COSE repositories which is also allowed in Zephyr.
Would you like to turn off the attestation to avoid this? I tried below -DTFM_PARTITION_INITIAL_ATTESTATION=OFF to TFM_CMAKE_ARGS in boards/arm/fvp_corstone1000/sysbuild.cmake and that seems to avoid the clone.

Unless I am doing something wrong, west build -p -b fvp_corstone1000/a320 samples/hello_world --sysbuild -t run does not work as a single command but the split to build and then run works, that looks like a bug.
It would actually be better and more natural if we could just do west build -p -b fvp_corstone1000/a320 samples/hello_world -t run without the --sysbuild or splitting the commands in two.

[npitre]

Thanks for testing this @wearyzen!

I've submitted zephyrproject-rtos/docker-image#287 to add gdisk and uuid-runtime to the container. I verified the full build and FVP run succeed in the container with those additions.

Good catch on the attestation — I've added -DTFM_PARTITION_INITIAL_ATTESTATION=OFF to the TFM_CMAKE_ARGS in this PR.

Regarding west build -p ... --sysbuild -t run — -p + -t run need to be separate steps since pristine wipes the build directory. As for dropping --sysbuild, that would require making sysbuild the default for this board which I can look into.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud