zephyr: flash_stm32_ospi Write enable failed when building with TF-M

Describe the bug On b_u585_iot02a: When enabling Trustzone with CONFIG_BUILD_WITH_TFM=y, the flash_stm32_ospi driver will fail in initializing the MX25LM51245 external OSPI flash giving following errors:

[00:00:05.102,000] <err> flash_stm32_ospi: OSPI config auto polling failed
[00:00:05.102,000] <err> flash_stm32_ospi: OSPI write Enable failed
[00:00:05.102,000] <err> flash_stm32_ospi: OSPI mode not config'd (8 rate 2)

My first thought was that must be related to something with the configuration in the secure application. I have not made any changes to the secure application provided in the TF-M module. I’m no expert in Trustzone yet, but when I investigate the hal and secure configurations for target provided under stm32u5xx/bl2/boot_hal_bl2.c, …/low_level_security.c and secure/target_cfg.c i can’t find anything that looks like that the OSPI (which is a securable peripheral) should be configured to be only accessible from secure through the GTZC. After the configuration i also have read the status of the GTZC1_TZSC_SECCFGR3 register where it looks like that the only peripheral that should be secure is HASHSEC and RNGSEC, all other is 0’s which is corresponding fine with what is initialized in target_cfg.c in the function gtzc_init_cfg.

I need the OSPI external flash accessible from non-secure, as I’m using littlefs mounted on it, which is running in non-secure.

So what am i missing? Is it a bug or is there something I misunderstand? I have raised the question both in st community and on the discord channels both ST and TF-M, also without any luck. I’m bit of doubt where/what this issue is related to.

To Reproduce I also tested the issue when building the tfm_integration/tfm_ipc sample (but it’ll be the same for any application for b_u585_iot02a where TF-M is enabled with OSPI), to do this i added the lfs_cfg node to b_u585i_iot02a_ns.dts:

	fstab {
		compatible = "zephyr,fstab";
		lfs_cfg: lfs {
			compatible = "zephyr,fstab,littlefs";
			mount-point = "/lfs";
			partition = <&external_storage_partition>; //This needs to be named in the the mx25lm51245 node in:
                                                                                           //b_u585i_iot02a-common.dtsi                                                                                                                                                            
			read-size = <16>;
			prog-size = <16>;
			cache-size = <64>;
			lookahead-size = <64>;
			block-cycles = <512>;
			automount;
		};
	};

In b_u585i_iot02a-common.dtsi in the mxlm25lm51245 node name partition@0 as:

partitions {
			   compatible = "fixed-partitions";
			   #address-cells = <1>;
			   #size-cells = <1>;

			   external_storage_partition: partition@0 {
			       label = "nor";
			       reg = <0x00000000 DT_SIZE_M(4)>;
			   };
		};

• Add the following to prj.conf for the ipc_sample:

# littlefs
CONFIG_FILE_SYSTEM=y
CONFIG_FILE_SYSTEM_LITTLEFS=y

CONFIG_LOG=y #For seeing the error output from ospi driver

• Build the sample using: west build -p -b b_u585i_iot02a_ns tfm_ipc
• Run the regression script under ./build/tfm/regression.sh
• flash the sample to target using west flash
• Watch log output

Expected behavior As OSPI peripheral is set to non-secure it is expected that the OSPI driver is able to initilize and work from non-secure, just as if the application was build without CONFIG_BUILD_WITH_TFM.

Impact Not able to use external OSPI flash from non-secure, which means that we are not able to build with Trustzone and use the secure features.

Environment (please complete the following information):

• OS: Linux Ubuntu
• Zephyr SDK 0.15.0
• SHA: 5c27067dcd9bc03d911aaf5b1628ab56e1c5f4ca