os/board/bk7239n: Add Assertion log after TFM fault

[pcs1265]

The CONFIG_TFM_S_TO_NS_DUMP_ENABLE controls the whole logging function when TFM crashes.
But It's not intended to.
So this commit fixes misimplemented CONFIG_TFM_S_TO_NS_DUMP_ENABLE configuration,
and add assertion log after TFM fault log.

Chnages:
Remove conditional compilation guards for CONFIG_TFM_S_TO_NS_DUMP_ENABLE and CONFIG_SECURITY_LEVEL from the TFM dump callback registration and secure fault handlers to ensure they are always included in the build.

Retain the CONFIG_TFM_S_TO_NS_DUMP_ENABLE guard around the rtos_dump_system call and CONFIG_SECURITY_LEVEL around the high security level check.

Replace bk_reboot_reset_reason() with PANIC() in secure fault handlers to generate a proper panic trace instead of a silent reboot.

The valid scenarios are as follows:

• When CONFIG_TFM_S_TO_NS_DUMP_ENABLE=y

  • When SECURITY_LEVEL is HIGH,
    • The board should not print any crash info and reboot.
      • Just call PANIC with setting reboot reason.; PANIC will print log or not by security level
  • When SECURITY_LEVEL is LOW
    • The board should print ALL crash info and reboot.
      • Print all reg/memory dump and call PANIC with setting reboot reason.; PANIC will print log or not by security level

• When CONFIG_TFM_S_TO_NS_DUMP_ENABLE is not set

  • When SECURITY_LEVEL is HIGH,
    • The board should not print any crash info and reboot.
      • Just call PANIC with setting reboot reason.; PANIC will print log or not by security level
  • When SECURITY_LEVEL is LOW
    • The board should print crash info summary (reg dump only. no memory dump) and reboot.
      • Print reg dump only and call PANIC with setting reboot reason.; PANIC will print log or not by security level

[pcs1265]

pcs1265@92f25bb#commitcomment-183016127
@Poly-J, You have leave comment to my commit but please reivew this.
I added conditional compilation to setting reboot reason.

[seokhun-eom24]

Automated nightly Codex PR review
PR: #7300 — os/board/bk7239n: Add Assertion log after TFM fault
PR URL: #7300
GitHub updatedAt: 2026-04-21T13:37:56Z
Refreshed (UTC): 2026-04-21 17:45:37 UTC
Refreshed (KST): 2026-04-22 02:45:37 KST
Comment model: single evolving Codex-authored PR comment

PR #7300 — os/board/bk7239n: Add Assertion log after TFM fault

This review done by codex. AI reviews can be inaccurate.
UTC: 2026-04-21 17:43 UTC
KST (UTC+9): 2026-04-22 02:43 KST

---

Repository: Samsung/TizenRT

Base → Head: master → pr/7300

HEAD Commit: 5c7abf8d31f92ef5f59a755dd60946435e78f9ee

Scope: Review of the bk7239n TFM secure-fault dump path after unconditional callback registration and the switch from direct reboot to PANIC().

---

🔎 Review Summary

Category	Status
Build / Compile Status	⚠️ Not run in this automation
Functional Correctness	❌ Blocking issue found
Validation Coverage	⚠️ Config-off path is still unproven

Final Verdict: ❗ Request Changes

---

🚨 Must-Fix Issues

1. Dump-disabled builds still emit the secure stack memory dump

Item	Details
Location	os/board/bk7239n/src/middleware/arch/cm33/trap_base.c:890
Severity	High
Type	Safety / Functional correctness

Problem
CONFIG_TFM_S_TO_NS_DUMP_ENABLE now gates only rtos_dump_system(), but the callback still unconditionally prints SE_EXC_FRAME_BUF through exception_frame_printf(). That means the "dump disabled" mode still leaks secure stack memory instead of falling back to the intended summary-only register dump.

Impact

• CONFIG_TFM_S_TO_NS_DUMP_ENABLE=n does not actually disable memory dumping on the secure-fault path.
• Fault-time secure stack contents can still be exposed in logs even when the reduced-dump mode is selected.
• The main behavior this PR is trying to restore remains broken for the config-off case.

Evidence

• os/board/bk7239n/src/middleware/arch/cm33/trap_base.c:814-816 only wraps rtos_dump_system(msp, psp) with #ifdef CONFIG_TFM_S_TO_NS_DUMP_ENABLE.
• os/board/bk7239n/src/middleware/arch/cm33/trap_base.c:854-894 still prints the secure-fault context before calling NS_handle_securt_fault().
• os/board/bk7239n/src/middleware/arch/cm33/trap_base.c:890-894 unconditionally dumps ctx->SE_EXC_FRAME_BUF via exception_frame_printf().

Required Fix
Files to edit:

• os/board/bk7239n/src/middleware/arch/cm33/trap_base.c — bk_security_donmain_notifies_non_security_domain_to_dump()

Change outline:

• Keep the register-summary output available for the config-off path.
• Move the secure stack memory dump behind #ifdef CONFIG_TFM_S_TO_NS_DUMP_ENABLE so the config bit actually controls memory dumping.
• Recheck that the low-security, dump-disabled path still ends in PANIC() after printing only the intended summary.

Example patch:

diff --git a/os/board/bk7239n/src/middleware/arch/cm33/trap_base.c b/os/board/bk7239n/src/middleware/arch/cm33/trap_base.c
@@
-    uint32_t buflen = (sizeof(ctx->SE_EXC_FRAME_BUF) >>2);
-
-    BK_DUMP_OUT(">>>>SE stack mem dump begin, stack_top=%08x, stack end=%08x\r\n", ctx->SE_EXC_FRAME_BUF, &(ctx->SE_EXC_FRAME_BUF[FRAME_BUF_LEN -1]));
-    exception_frame_printf((uint32_t*)(ctx->SE_EXC_FRAME_BUF), buflen);
-    BK_DUMP_OUT("<<<<SE stack mem dump end. stack_top=%08x, stack end=%08x\r\n", ctx->SE_EXC_FRAME_BUF, &(ctx->SE_EXC_FRAME_BUF[FRAME_BUF_LEN -1]));
+#ifdef CONFIG_TFM_S_TO_NS_DUMP_ENABLE
+    uint32_t buflen = (sizeof(ctx->SE_EXC_FRAME_BUF) >> 2);
+    BK_DUMP_OUT(">>>>SE stack mem dump begin, stack_top=%08x, stack end=%08x\r\n", ctx->SE_EXC_FRAME_BUF, &(ctx->SE_EXC_FRAME_BUF[FRAME_BUF_LEN - 1]));
+    exception_frame_printf((uint32_t *)ctx->SE_EXC_FRAME_BUF, buflen);
+    BK_DUMP_OUT("<<<<SE stack mem dump end. stack_top=%08x, stack end=%08x\r\n", ctx->SE_EXC_FRAME_BUF, &(ctx->SE_EXC_FRAME_BUF[FRAME_BUF_LEN - 1]));
+#endif

Inference:

• Static review proves the secure stack memory dump is still unconditional. If the intended "summary-only" mode should also trim additional register/context lines, that broader reduction still needs to be aligned with the author, but the memory dump itself is already a confirmed bug.

Validation Method

• Build or boot a bk7239n image with CONFIG_TFM_S_TO_NS_DUMP_ENABLE=n.
• Trigger the secure-fault callback path and inspect the log.
• After the fix, the log should still show the register summary, but it must no longer print the SE stack mem dump begin/end block or the SE_EXC_FRAME_BUF contents.

---

🟡 Nice-to-Have Improvements

1. Add explicit validation coverage for the new `CONFIG_TFM_S_TO_NS_DUMP_ENABLE=n` behavior

Item	Details
Location	build/configs/bk7239n/loadable_all/defconfig:280
Severity	Medium
Type	Validation / Process

Problem
All checked-in bk7239n defconfigs still enable CONFIG_TFM_S_TO_NS_DUMP_ENABLE, so the config-off behavior this PR changes is not exercised by any in-tree reference configuration.

Impact

• Regressions in the CONFIG_TFM_S_TO_NS_DUMP_ENABLE=n path can slip through review because no checked-in config currently covers it.
• The high-level behavior matrix described in the PR body remains hard to verify mechanically.

Recommended Action

• Add one validation target or scripted config fragment that flips CONFIG_TFM_S_TO_NS_DUMP_ENABLE=n for bk7239n.
• Record the expected secure-fault output for both dump-enabled and dump-disabled runs so future reviews can compare against a concrete matrix.

Expected Output

Area	Example Target / Check	Result
bk7239n build coverage	loadable_all with CONFIG_TFM_S_TO_NS_DUMP_ENABLE=n	Not Run
Fault-path log check	Secure fault with dump enabled	Not Run
Fault-path log check	Secure fault with dump disabled	Not Run

---

✅ Notable Improvements

✔ Callback registration now matches the intended bk7239n default configuration

• os/board/bk7239n/src/components/bk_init/components_init.c:345-346 now always registers the secure-to-non-secure dump callback instead of accidentally skipping it whenever CONFIG_SECURITY_LEVEL is unset.
• That change aligns with current bk7239n defconfigs, which keep CONFIG_SECURITY_LEVEL unset while still enabling the TFM dump feature.

✔ The reboot reason is preserved before escalating into the common panic path

• os/board/bk7239n/src/middleware/arch/cm33/trap_base.c:817-820 and :827-830 write BK_SECURE_FAULT_REBOOT_REASON before calling PANIC().
• os/arch/arm/src/common/up_reboot_reason.c:31-36 only writes REBOOT_SYSTEM_ASSERT when no reason was set earlier, so the secure-fault cause survives the assert flow instead of degrading into a silent reboot.

---

🧾 Final Assessment

Must-Fix Summary

• CONFIG_TFM_S_TO_NS_DUMP_ENABLE=n still dumps the secure stack buffer, so the patch does not fully implement the reduced-dump mode it claims to restore.

Nice-to-Have Summary

• The new config-off behavior should be covered by at least one repeatable bk7239n validation target or log-capture matrix.

Residual Risk / Test Gap

• Static review only; no build or board-level crash-path validation was run in this automation.
• All in-tree bk7239n defconfigs currently keep CONFIG_TFM_S_TO_NS_DUMP_ENABLE=y, so the config-off path has no checked-in coverage today.

---

📌 Final Verdict

❗ Request Changes

The reboot-handling direction looks better, but the patch still leaves the secure stack memory dump active when CONFIG_TFM_S_TO_NS_DUMP_ENABLE is disabled. That keeps the core config split partially broken, so this should be fixed before merge.

[Poly-J]

pcs1265@92f25bb#commitcomment-183016127 @Poly-J, You have leave comment to my commit but please reivew this. I added conditional compilation to setting reboot reason.

Hello @pcs1265
Thank you for your feedback. Indeed, this conditional compilation should be added here.