wolfSSL · danielinux · Jul 9, 2025 · Jul 2, 2025 · Jul 7, 2025 · Jul 7, 2025
diff --git a/config/examples/stm32h5-dualbank.config b/config/examples/stm32h5-dualbank.config
@@ -25,3 +25,4 @@ WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x8140000
 WOLFBOOT_PARTITION_SWAP_ADDRESS?=0xFFFFFFFF
 FLAGS_HOME=0
 DISABLE_BACKUP=0
+IMAGE_HEADER_SIZE?=1024
diff --git a/config/examples/stm32h5-tz-dualbank-otp.config b/config/examples/stm32h5-tz-dualbank-otp.config
@@ -28,4 +28,5 @@ DISABLE_BACKUP=0
 FLASH_OTP_KEYSTORE=1
 WOLFCRYPT_TZ=1
 WOLFCRYPT_TZ_PKCS11=1
-ARMORED=1
+ARMORED=1
+IMAGE_HEADER_SIZE?=1024
diff --git a/config/examples/stm32h5-tz.config b/config/examples/stm32h5-tz.config
@@ -27,3 +27,4 @@ FLAGS_HOME=0
 DISABLE_BACKUP=0
 WOLFCRYPT_TZ=1
 WOLFCRYPT_TZ_PKCS11=1
+IMAGE_HEADER_SIZE?=1024
diff --git a/config/examples/stm32h5.config b/config/examples/stm32h5.config
@@ -25,3 +25,4 @@ WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x8140000
 WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x08010000
 FLAGS_HOME=0
 DISABLE_BACKUP=0
+IMAGE_HEADER_SIZE?=1024
diff --git a/docs/STM32-TZ.md b/docs/STM32-TZ.md
@@ -27,6 +27,34 @@ non-secure domain can access wolfCrypt through a standard PKCS11 interface and
 use the crypto library with pre-provisioned keys that are never exposed to the
 non-secure domain.
 
+### Image header size
+
+The `IMAGE_HEADER_SIZE` option has to be carefully tuned to accommodate for the
+interrupt vector table alignment requirements. According to the [ARM Cortex-M33
+documentation](https://developer.arm.com/documentation/100235/0004/the-cortex-m33-processor/exception-model/vector-table):
+
+> The silicon vendor must configure the required alignment of the vector
+> tables, which depends on the number of interrupts implemented. The minimum
+> alignment is 32 words, enough for up to 16 interrupts. For more interrupts,
+> adjust the alignment by rounding up to the next power of two. For example, if
+> you require 21 interrupts, the alignment must be on a 64-word boundary
+> because the required table size is 37 words, and the next power of two is 64.
+
+For example, all the STM32H5 series boards have at least 146 interrupt
+channels; since the next power of two is 256, they require an alignment of 1024
+bytes (256×4). As a result, in this case `IMAGE_HEADER_SIZE` must be set to
+`1024` or a multiple of it.
+
+This detail is already taken care of in the configuration files provided in
+`config/examples`.
+
+In addition to this, when using the signing tool standalone the appropriate
+image header size must be supplied as an environment variable. For example:
+
+```
+IMAGE_HEADER_SIZE=1024 ./tools/keytools/sign --sha256 --ecc256 myapp.bin wolfboot_signing_private_key.der 1
+```
+
 ### Example using STM32L552
 
   - Copy the example configuration for STM32-L5 with support for wolfCrypt in

diff --git a/src/boot_arm.c b/src/boot_arm.c
@@ -416,8 +416,7 @@ void isr_empty(void)
 
 #ifdef TZEN
 #include "hal.h"
-//#define VTOR (*(volatile uint32_t *)(0xE002ED08))
-#define VTOR (*(volatile uint32_t *)(0xE000ED08))
+#define VTOR (*(volatile uint32_t *)(0xE002ED08))
 #else
 #define VTOR (*(volatile uint32_t *)(0xE000ED08))
 #endif