OEMiRoT – S-only application (no TrustZone isolation): correct configuration of MCUBOOT_APP_IMAGE_NUMBER and FLASH_NS_PARTITION_SIZE
Hi,
I am working with the OEMiRoT reference project (STM32U385) and I need to configure a single Secure application image without TrustZone isolation (S-only application), while still keeping the Secure Data Image enabled.
From flash_layout.h, I see the following:
#define MCUBOOT_APP_IMAGE_NUMBER 1
#define FLASH_NS_PARTITION_SIZE (0x32000) /* default case */
and also this condition:
#if (MCUBOOT_APP_IMAGE_NUMBER == 1) && (FLASH_NS_PARTITION_SIZE == 0)
which seems to define the “FULL SECURE” case.
Question
To correctly implement an S-only application (no S/NS split) in OEMiRoT:
- Should I explicitly set both:
  - MCUBOOT_APP_IMAGE_NUMBER = 1
  - FLASH_NS_PARTITION_SIZE = 0
OR
- Is FLASH_NS_PARTITION_SIZE automatically set to 0 by the OEMiRoT provisioning/build system when selecting the S-only configuration, meaning it should NOT be manually modified in flash_layout.h?
Concern
The header comment suggests that some Flash layout values are automatically generated by the ROT provisioning scripts depending on the selected boot path, so it is unclear whether manual modification is supported or recommended.
Target configuration
- Single Secure application image (no NS image)
- No TrustZone isolation at application level
- Secure Data Image enabled
Any clarification on the correct and recommended configuration flow would be appreciated.