NSC veneers when TZEN=1; WOLFCRYPT_TZ_PKCS11 on the NXP MCX N#726
Closed
mattia-moffa wants to merge 16 commits intowolfSSL:masterfrom
Closed
NSC veneers when TZEN=1; WOLFCRYPT_TZ_PKCS11 on the NXP MCX N#726mattia-moffa wants to merge 16 commits intowolfSSL:masterfrom
mattia-moffa wants to merge 16 commits intowolfSSL:masterfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves TrustZone (TZEN) integration by always generating/linking CMSE NSC veneers when TZEN=1 (not only when WOLFCRYPT_TZ=1), renames the generated import library object accordingly, and extends/updates target support (notably adding Nordic nRF54L15 and improving NXP MCXN TRNG support).
Changes:
- Generate and consume CMSE import library when
TZEN=1, and rename the veneers/import object fromwc_secure_calls.otowolfboot_tz_nsc.o. - Update test applications/Zephyr integration to link the renamed import object and use NSC APIs based on
TZEN. - Add Nordic nRF54L15 support (HAL, SPI driver, linker scripts, configs, docs, CI) and implement MCXN
hal_trng_*using ELS.
Reviewed changes
Copilot reviewed 35 out of 35 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| zephyr/README.md | Updates Zephyr docs to reference wolfboot_tz_nsc.o. |
| zephyr/CMakeLists.txt | Links Zephyr module against renamed CMSE import object. |
| test-app/emu-test-apps/stm32u585/Makefile | Updates emu test app to link wolfboot_tz_nsc.o. |
| test-app/emu-test-apps/stm32l552/Makefile | Updates emu test app to link wolfboot_tz_nsc.o. |
| test-app/emu-test-apps/stm32h563/Makefile | Updates emu test app to link wolfboot_tz_nsc.o. |
| test-app/emu-test-apps/nrf5340/Makefile | Updates emu test app to link wolfboot_tz_nsc.o. |
| test-app/emu-test-apps/mcxw71/Makefile | Updates emu test app to link wolfboot_tz_nsc.o. |
| test-app/emu-test-apps/common/emu_update.c | Switches emu update flow to use NSC APIs when TZEN. |
| test-app/app_stm32h5.c | Switches STM32H5 test-app NSC usage gating to TZEN. |
| test-app/app_nrf54l.c | Adds a bare-metal test app for the new nRF54L target. |
| test-app/app_mcxn.c | Adds wolfCrypt RNG demo call and uses NSC APIs when TZEN. |
| test-app/Makefile | Links wolfboot_tz_nsc.o for TZ builds; adjusts RNG object selection and linker script selection for nRF54L. |
| test-app/CMakeLists.txt | Always links CMSE import library when TZEN; refines TrustZone test-app linking logic. |
| test-app/ARM-nrf54l-ns.ld | Adds non-secure test-app linker script for nRF54L TZ builds. |
| src/libwolfboot.c | Exposes wolfBoot NSC veneer entrypoints when __WOLFBOOT && TZEN. |
| include/wolfboot/wolfboot.h | Exposes NSC API prototypes to apps when TZEN. |
| include/spi_drv.h | Adds SPI driver include for nRF54L. |
| hal/spi/spi_drv_nrf54l.h | Adds nRF54L SPI pinmux definitions for SPI flash usage. |
| hal/spi/spi_drv_nrf54l.c | Adds nRF54L SPIM-based SPI backend implementation. |
| hal/nrf54l.ld | Adds nRF54L secure/TZ linker script with keyvault + NSC regions. |
| hal/nrf54l.h | Adds nRF54L register definitions and TZ-secure/non-secure addressing helpers. |
| hal/nrf54l.c | Adds nRF54L HAL (clocks, flash, UART, TZ setup, TRNG). |
| hal/nrf54l-ns.ld | Adds nRF54L non-TZ linker script variant. |
| hal/mcxn.c | Implements MCXN TRNG via ELS RND_REQ DMA instead of stubbed entropy. |
| docs/Targets.md | Documents the new Nordic nRF54L15 target and its memory layouts/build steps. |
| docs/API.md | Clarifies NSC API availability when TZEN=1. |
| config/examples/nrf54l15.config | Adds nRF54L15 non-TZ example configuration. |
| config/examples/nrf54l15-wolfcrypt-tz.config | Adds nRF54L15 TZ + wolfCrypt + PKCS11 example configuration. |
| config/examples/mcxn-wolfcrypt-tz.config | Adds MCXN TZ + wolfCrypt + PKCS11 example configuration. |
| config/examples/mcxn-tz.config | Repartitions MCXN TZ config and enables debug UART. |
| cmake/wolfboot.cmake | Updates CMake build to treat wolfboot_tz_nsc.o as the TZ import byproduct. |
| arch.mk | Generates CMSE import library for any TZEN=1 build; adds nRF54L linker-script selection. |
| Makefile | Cleans wolfboot_tz_nsc.o instead of wc_secure_calls.o. |
| CMakeLists.txt | Adds nrf54l target; generates CMSE import library for any TZEN=1 build. |
| .github/workflows/test-configs.yml | Adds CI build coverage for the two nRF54L15 example configs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| uintptr_t addr = (uintptr_t)WOLFBOOT_PARTITION_BOOT_ADDRESS; | ||
|
|
||
| #ifdef WOLFCRYPT_SECURE_MODE | ||
| #ifdef TZEN |
Comment on lines
+64
to
+70
| uint8_t RAMFUNCTION spi_read(void) | ||
| { | ||
| while (!spi_rx_ready) | ||
| ; | ||
| spi_rx_ready = 0; | ||
| return spi_rx_byte; | ||
| } |
Comment on lines
+244
to
+256
| ELS->ELS_DMA_RES0 = (uint32_t)(uintptr_t)out; | ||
| ELS->ELS_DMA_RES0_LEN = aligned_len; | ||
| ELS->ELS_CMDCFG0 = 0; | ||
| ELS->ELS_CTRL = S50_ELS_CTRL_ELS_EN(1) | ||
| | S50_ELS_CTRL_ELS_START(1) | ||
| | S50_ELS_CTRL_ELS_CMD(ELS_CMD_RND_REQ); | ||
|
|
||
| while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) | ||
| ; | ||
|
|
||
| status = ELS->ELS_STATUS; | ||
| if (status & S50_ELS_STATUS_ELS_ERR_MASK) | ||
| return -1; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Various TrustZone improvements:
TZEN=1, not only whenWOLFCRYPT_TZ=1wc_secure_calls.otowolfboot_tz_nsc.o, since it's no longer just for wolfCrypt callshal_trng_*for NXP MCXNmcxn-wolfcrypt-tz.configwithWOLFCRYPT_TZ=1andWOLFCRYPT_TZ_PKCS11=1mcxn-tz.config