Merged
Conversation
Member
danielinux
commented
Jan 7, 2026
- Integrates wolfPSA as psa_crypto/psa_store engine in TrustZone
- Provides interface to access APIs from non-secure mode
- Patches to enable wolfboot as TEE module in zephyr
- Patches to enable stm32h563-nucleo/ns as target in zephyr
- psa_crypto zephyr example using wolfboot/wolfPSA as secure engine
dgarske
requested changes
Jan 7, 2026
Contributor
dgarske
left a comment
I tried to test the steps on an STM32H563ZI without success. Nothing shows up on UART after programming and reset. Attached are my testing results.
STM32H5-Zephyr-TEE.md
mattia-moffa
reviewed
Jan 8, 2026
Member
Author
My apologies, the zephyr patches seem to be incomplete / missing the tee driver and some port files for nucleo-h563zi. This new patchset should fix it. I was able to compile and test from a clean/reset zephyr. Patchset is tested on zephyr/f8dba1baee3627e55afeb6045f353701b674376e but should also apply cleanly on latest.
d1c7737 to
087a51e
Compare
dgarske
approved these changes
Jan 8, 2026
Contributor
dgarske
left a comment
All works now!
```
*** Booting Zephyr OS build v4.3.0-3416-g9334cedb3de8 ***
[00:00:00.001,000] <inf> app: app_cfg: Creating new config file with UID 0x55CFDA7A
[00:00:00.001,000] <inf> app: att: System IAT size is: 0 bytes.
[00:00:00.001,000] <inf> app: att: Requesting IAT with 64 byte challenge.
[00:00:00.001,000] <inf> app: att: IAT data received: 0 bytes.
[00:00:00.034,000] <inf> app: Persisting SECP256R1 key as #1
[00:00:00.044,000] <inf> app: Retrieving public key for key #1
```
Build Results
wolfBoot (Secure Side)
Configuration: config/examples/stm32h5-tz-psa.config
Build Command: make wolfboot.bin
```
   text    data     bss     dec     hex filename
  83848       0   19328  103176   19308 wolfboot.elf
```
Zephyr (Non-Secure Side)
Board: nucleo_h563zi/stm32h563xx/ns
Sample: samples/wolfboot_integration/psa_crypto
```
Memory region         Used Size  Region Size  %age Used
           FLASH:      124856 B       640 KB     19.05%
             RAM:       55736 B       256 KB     21.26%
```
Automatic Image Signing
The Zephyr build process automatically signed the image using the wolfBoot signing tool:
```
wolfBoot KeyTools (Compiled C version)
wolfBoot version 2070000
Update type: Firmware
Input image: zephyr.payload.bin
Selected cipher: ECC256
Selected hash : SHA256
Output image: zephyr.payload_v1_signed.bin
Output image(s) successfully created.
```
Flash Configuration
Option Bytes
| Setting | Value | Description |
|---|---|---|
| TZEN | 0xB4 | TrustZone enabled |
| SECBOOTADD | 0xC0000 | Secure boot from 0x0C000000 |
| SECWM1_STRT | 0x0 | Bank 1 secure watermark start |
| SECWM1_END | 0x2F | Bank 1 secure watermark end (384KB) |
| SECWM2_STRT | 0x0 | Bank 2 secure watermark start |
| SECWM2_END | 0x7F | Bank 2 secure watermark end |
Memory Layout
| Address | Content |
|---|---|
| 0x0C000000 | wolfboot.bin (83KB) |
| 0x08060000 | zephyr.payload_v1_signed.bin (125KB) |
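The option bytes and memory layout reported above can be cross-checked against each other. The following is an added example, not code from this PR or from wolfBoot. It assumes 8 KB flash sectors (consistent with 0x2F mapping to 384KB in the table), 1 MB banks, SECBOOTADD holding address bits [31:8], and that a start value above the end value means no secure area; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions, not taken from the PR: sector and bank size, alias bases. */
#define SECTOR_SIZE   0x2000u      /* 8 KB */
#define BANK_SIZE     0x100000u    /* 1 MB */
#define NS_FLASH_BASE 0x08000000u  /* non-secure alias */
#define S_FLASH_BASE  0x0C000000u  /* secure alias */

struct range { uint32_t first, last; int valid; };

/* SECWMx_STRT/END (sector indexes) -> inclusive byte offsets in flash.
 * STRT > END is treated as "no secure area in this bank". */
static struct range secwm_range(unsigned bank, uint32_t strt, uint32_t end)
{
    struct range r = {0, 0, 0};
    if (bank < 1 || bank > 2 || strt > end) return r;
    r.first = (bank - 1) * BANK_SIZE + strt * SECTOR_SIZE;
    r.last  = (bank - 1) * BANK_SIZE + (end + 1) * SECTOR_SIZE - 1;
    r.valid = 1;
    return r;
}

/* SECBOOTADD field -> secure boot address (field holds bits [31:8]). */
static uint32_t secboot_address(uint32_t field) { return field << 8; }

/* 1 if a non-secure image lies entirely outside the secure range. */
static int ns_image_ok(struct range sec, uint32_t addr, uint32_t len)
{
    if (addr < NS_FLASH_BASE || addr >= S_FLASH_BASE || len == 0) return 0;
    uint32_t off = addr - NS_FLASH_BASE;
    return !sec.valid || off > sec.last || off + len - 1 < sec.first;
}

/* 1 if a secure image lies entirely inside the secure range. */
static int s_image_ok(struct range sec, uint32_t addr, uint32_t len)
{
    if (!sec.valid || addr < S_FLASH_BASE || len == 0) return 0;
    uint32_t off = addr - S_FLASH_BASE;
    return off >= sec.first && off + len - 1 <= sec.last;
}

int main(void)
{
    struct range b1 = secwm_range(1, 0x0, 0x2F);   /* values from the table */
    printf("bank 1 secure: 0x%05X-0x%05X\n", (unsigned)b1.first, (unsigned)b1.last);
    printf("secure boot address: 0x%08X\n", (unsigned)secboot_address(0xC0000));
    printf("wolfboot fits secure area: %d\n", s_image_ok(b1, 0x0C000000u, 83848));
    printf("zephyr outside secure area: %d\n", ns_image_ok(b1, 0x08060000u, 124856));
    return 0;
}
```

The sizes passed in `main` are the wolfboot.elf text size and the Zephyr FLASH usage from the build output above; the signed image is slightly larger because of the wolfBoot header.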
mattia-moffa
approved these changes
Jan 8, 2026