In TF-M NS app demo, NS mailbox initialization tfm_ns_mailbox_init() creates semaphore or other RTOS objects.
In the example implementation with CMSIS RTX, tfm_ns_mailbox_init() eventually calls CMSIS RTX v2 osSemaphoreNew() to create semaphore.

According to CMSIS document, osSemaphoreNew() shall be called after RTX kernel initialization osKernelInitialize().
It can be safely called before osKernelStart(), but not before it is initialized (call to osKernelInitialize()).

However, in TF-M NS example, tfm_ns_mailbox_init() is called before RTX kernel init. It can still work by accident because TF-M NS assembly start-up code calls RTX _STARTUP before jumping into main(). RTX _STARTUP provided by Armclagn/GNU Arm toolchain actually executes RTX kernel init and therefore the semaphore creation in NS mailbox init can succeed.

To make sure a proper example of init sequence for other integration scenarios, tfm_ns_mailbox_init() shall be moved after osKernelInitialize(). It is under discussion whether tfm_ns_wait_for_s_cpu_ready() is moved together with tfm_ns_mailbox_init() or only tfm_ns_mailbox_init() is moved. It need further input about any corner case.