wolfSSL · mattia-moffa · Mar 9, 2026 · Mar 13, 2026 · Mar 13, 2026 · Mar 13, 2026
diff --git a/.github/workflows/test-configs.yml b/.github/workflows/test-configs.yml
@@ -170,6 +170,18 @@ jobs:
       arch: arm
       config-file: ./config/examples/nrf5340_net.config
 
+  nrf54l15_test:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/nrf54l15.config
+
+  nrf54l15_wolfcrypt_tz_test:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/nrf54l15-wolfcrypt-tz.config
+
   nxp_p1021_test:
     uses: ./.github/workflows/test-build.yml
     with:

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -395,6 +395,7 @@ if(NOT DEFINED ARM_TARGETS)
                             nrf52840
                             nrf5340
                             nrf5340_net
+                            nrf54l
                             rp2350
                             sama5d3
                             same51
@@ -689,14 +690,14 @@ if(ARCH STREQUAL "ARM")
             list(APPEND WOLFBOOT_COMPILE_OPTIONS -mcmse)
             list(APPEND WOLFBOOT_LINK_OPTIONS -mcmse)
         endif()
+        list(APPEND WOLFBOOT_LINK_OPTIONS
+            -Wl,--cmse-implib
+            -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wolfboot_tz_nsc.o)
 
         # wolfCrypt TrustZone secure mode
         if(WOLFCRYPT_TZ)
             list(APPEND WOLFBOOT_DEFS WOLFCRYPT_SECURE_MODE)
             list(APPEND WOLFBOOT_SOURCES src/wc_callable.c)
-            list(APPEND WOLFBOOT_LINK_OPTIONS
-                -Wl,--cmse-implib
-                -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wc_secure_calls.o)
 
             # PKCS11 TrustZone interface
             if(WOLFCRYPT_TZ_PKCS11)

diff --git a/Makefile b/Makefile
@@ -556,7 +556,7 @@ keys: $(PRIVATE_KEY)
 
 clean:
 	$(Q)rm -f src/*.o hal/*.o hal/spi/*.o test-app/*.o src/x86/*.o
-	$(Q)rm -f src/wc_secure_calls.o
+	$(Q)rm -f src/wolfboot_tz_nsc.o
 	$(Q)rm -f $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/*.o $(WOLFBOOT_LIB_WOLFTPM)/src/*.o $(WOLFBOOT_LIB_WOLFTPM)/hal/*.o $(WOLFBOOT_LIB_WOLFTPM)/examples/pcr/*.o
 	$(Q)rm -f $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/Renesas/*.o
 	$(Q)rm -f wolfboot.bin wolfboot.elf wolfboot.map test-update.rom wolfboot.hex wolfboot.srec factory.srec

diff --git a/arch.mk b/arch.mk
@@ -353,13 +353,13 @@ else
         OBJS+=hal/stm32_tz.o
       endif
       CFLAGS+=-mcmse
+      SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wolfboot_tz_nsc.o
       ifeq ($(WOLFCRYPT_TZ),1)
         CORTEXM_ARM_EXTRA_OBJS=
         CORTEXM_ARM_EXTRA_CFLAGS=
         SECURE_OBJS+=./src/wc_callable.o
         WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o
         CFLAGS+=-DWOLFCRYPT_SECURE_MODE
-        SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wc_secure_calls.o
       endif
     endif # TZEN=1
       ifeq ($(SPMATH),1)
@@ -805,6 +805,12 @@ ifeq ($(TARGET),nrf5340)
   endif
 endif
 
+ifeq ($(TARGET),nrf54l)
+  ifneq ($(TZEN), 1)
+    LSCRIPT_IN=hal/$(TARGET)-ns.ld
+  endif
+endif
+
 ifeq ($(TARGET),nrf5340_net)
   # Net core doesn't support DSP and FP
   CFLAGS+=-mcpu=cortex-m33+nodsp+nofp

diff --git a/cmake/wolfboot.cmake b/cmake/wolfboot.cmake
@@ -52,8 +52,8 @@ function(gen_wolfboot_platform_target PLATFORM_NAME LINKER_SCRIPT_TARGET)
                           ${LINKER_SCRIPT_TARGET})
 
     # TrustZone import library (generated by the linker via --out-implib)
-    if(TZEN AND WOLFCRYPT_TZ)
-        set(_wcs_implib "${CMAKE_BINARY_DIR}/wc_secure_calls.o")
+    if(TZEN)
+        set(_wcs_implib "${CMAKE_BINARY_DIR}/wolfboot_tz_nsc.o")
         add_custom_command(TARGET wolfboot_${PLATFORM_NAME} POST_BUILD
             BYPRODUCTS "${_wcs_implib}"
             COMMAND ${CMAKE_COMMAND} -E true

diff --git a/config/examples/mcxn-tz.config b/config/examples/mcxn-tz.config
@@ -10,7 +10,7 @@ MCUXPRESSO_CPU?=MCXN947VDF_cm33_core0
 MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/MCX/MCXN/MCXN947
 MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/frdmmcxn947/project_template
 DEBUG?=0
-DEBUG_UART?=0
+DEBUG_UART?=1
 VTOR?=1
 CORTEX_M0?=0
 CORTEX_M33?=1
@@ -27,29 +27,28 @@ SPMATH?=1
 RAM_CODE?=1
 DUALBANK_SWAP?=0
 PKA?=1
-WOLFCRYPT_TZ?=1
 
 # 8KB sectors
 WOLFBOOT_SECTOR_SIZE?=0x2000
 
 # Default configuration
-# 64KB boot, 80KB keyvault, 8KB NSC, 60KB partitions, 8KB swap
-WOLFBOOT_KEYVAULT_ADDRESS?=0x12000
-WOLFBOOT_KEYVAULT_SIZE?=0x14000
-WOLFBOOT_NSC_ADDRESS?=0x26000
+# 40KB boot, no keyvault, 8KB NSC, 64KB partitions, 8KB swap
+WOLFBOOT_KEYVAULT_ADDRESS?=0xA000
+WOLFBOOT_KEYVAULT_SIZE?=0
+WOLFBOOT_NSC_ADDRESS?=0xA000
 WOLFBOOT_NSC_SIZE?=0x2000
-WOLFBOOT_PARTITION_SIZE?=0xE000
-WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x28000
-WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x36000
-WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x44000
+WOLFBOOT_PARTITION_SIZE?=0x10000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0xC000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x1C000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x2C000
 
 # Alternate larger configuration for debugging or ARMASM
-# 128KB boot, 80KB keyvault, 8KB NSC, 60KB partitions, 8KB swap
+# 128KB boot, no keyvault, 8KB NSC, 64KB partitions, 8KB swap
 #WOLFBOOT_KEYVAULT_ADDRESS?=0x20000
-#WOLFBOOT_KEYVAULT_SIZE?=0x14000
-#WOLFBOOT_NSC_ADDRESS?=0x34000
+#WOLFBOOT_KEYVAULT_SIZE?=0
+#WOLFBOOT_NSC_ADDRESS?=0x20000
 #WOLFBOOT_NSC_SIZE?=0x2000
-#WOLFBOOT_PARTITION_SIZE?=0xE000
-#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x36000
-#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x45000
-#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x54000
+#WOLFBOOT_PARTITION_SIZE?=0x10000
+#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x22000
+#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x32000
+#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x42000
diff --git a/config/examples/mcxn-wolfcrypt-tz.config b/config/examples/mcxn-wolfcrypt-tz.config
@@ -0,0 +1,56 @@
+ARCH?=ARM
+TZEN?=1
+TARGET?=mcxn
+SIGN?=ECC384
+HASH?=SHA384
+MCUXSDK?=1
+MCUXPRESSO?=$(PWD)/../NXP/mcuxpresso-sdk/mcuxsdk
+MCUXPRESSO_CMSIS?=$(PWD)/../NXP/CMSIS_5/CMSIS
+MCUXPRESSO_CPU?=MCXN947VDF_cm33_core0
+MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/MCX/MCXN/MCXN947
+MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/frdmmcxn947/project_template
+DEBUG?=0
+DEBUG_UART?=1
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+NO_ARM_ASM=1
+WOLFBOOT_VERSION?=0
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+DUALBANK_SWAP?=0
+PKA?=1
+WOLFCRYPT_TZ?=1
+WOLFCRYPT_TZ_PKCS11?=1
+
+# 8KB sectors
+WOLFBOOT_SECTOR_SIZE?=0x2000
+
+# Default configuration
+# 192KB boot, 96KB keyvault, 8KB NSC, 64KB partitions, 8KB swap
+WOLFBOOT_KEYVAULT_ADDRESS?=0x30000
+WOLFBOOT_KEYVAULT_SIZE?=0x18000
+WOLFBOOT_NSC_ADDRESS?=0x48000
+WOLFBOOT_NSC_SIZE?=0x2000
+WOLFBOOT_PARTITION_SIZE?=0x10000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x4A000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x5A000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x6A000
+
+# Alternate larger configuration for debugging or ARMASM
+# 320KB boot, 96KB keyvault, 8KB NSC, 64KB partitions, 8KB swap
+#WOLFBOOT_KEYVAULT_ADDRESS?=0x50000
+#WOLFBOOT_KEYVAULT_SIZE?=0x18000
+#WOLFBOOT_NSC_ADDRESS?=0x68000
+#WOLFBOOT_NSC_SIZE?=0x2000
+#WOLFBOOT_PARTITION_SIZE?=0x10000
+#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x6A000
+#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x7A000
+#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x8A000
diff --git a/config/examples/nrf54l15-wolfcrypt-tz.config b/config/examples/nrf54l15-wolfcrypt-tz.config
@@ -0,0 +1,65 @@
+ARCH?=ARM
+TZEN?=1
+TARGET?=nrf54l
+SIGN?=ECC384
+HASH?=SHA384
+WOLFBOOT_VERSION?=1
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=0
+DELTA_UPDATES?=0
+
+SPMATH?=1
+RAM_CODE?=1
+
+DUALBANK_SWAP?=0
+FLAGS_HOME=0
+DISABLE_BACKUP=0
+EXT_FLASH?=0
+SPI_FLASH?=0
+QSPI_FLASH?=0
+UART_FLASH?=0
+
+WOLFCRYPT_TZ?=1
+WOLFCRYPT_TZ_PKCS11?=1
+
+# 4096 sector size (the RRAM doesn't have an intrinsic page size)
+WOLFBOOT_SECTOR_SIZE?=0x1000
+
+# Flash layout
+#
+#   0x00000000 - 0x0004EFFF  wolfBoot (316 KB)         secure
+#   0x0004F000 - 0x00064FFF  Keyvault (88 KB)          secure
+#   0x00065000 - 0x00065FFF  NSC region (4 KB)         non-secure callable
+#   0x00066000 - 0x000F0FFF  Boot partition (556 KB)   non-secure
+#   0x000F1000 - 0x0017BFFF  Update partition (556 KB) secure
+#   0x0017C000 - 0x0017CFFF  Swap area (4 KB)          secure
+#
+# The update partition is meant to be written to via wolfBoot's NSC veneers
+
+WOLFBOOT_KEYVAULT_ADDRESS?=0x4F000
+WOLFBOOT_KEYVAULT_SIZE?=0x16000
+
+WOLFBOOT_NSC_ADDRESS?=0x65000
+WOLFBOOT_NSC_SIZE?=0x1000
+
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x66000
+WOLFBOOT_PARTITION_SIZE?=0x8B000
+
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0xF1000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x17C000
+
+V?=0
+DEBUG?=0
+DEBUG_UART?=1
+USE_GCC=1
+OPTIMIZATION_LEVEL=2
+
+# Use larger block size for swapping sectors (performance improvement)
+CFLAGS_EXTRA+=-DFLASHBUFFER_SIZE=0x1000
+
+#CFLAGS_EXTRA+=-DDEBUG_FLASH
diff --git a/config/examples/nrf54l15.config b/config/examples/nrf54l15.config
@@ -0,0 +1,60 @@
+ARCH?=ARM
+TZEN?=0
+TARGET?=nrf54l
+SIGN?=ECC384
+HASH?=SHA384
+WOLFBOOT_VERSION?=1
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=0
+DELTA_UPDATES?=0
+
+SPMATH?=1
+RAM_CODE?=1
+
+DUALBANK_SWAP?=0
+FLAGS_HOME=0
+DISABLE_BACKUP=0
+EXT_FLASH?=0
+SPI_FLASH?=0
+QSPI_FLASH?=0
+UART_FLASH?=0
+
+# 4096 sector size (the RRAM doesn't have an intrinsic page size)
+WOLFBOOT_SECTOR_SIZE?=0x1000
+
+# Reserve the first 64KB of internal flash for wolfBoot itself
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x10000
+
+# Application partition spans the remainder of the 1524K internal flash
+# (1524K - 64K - 4K) / 2 = 728K = 0xB6000
+WOLFBOOT_PARTITION_SIZE?=0xB6000
+
+# Flash offset for application update image
+# (64K + 728K) = 792K = 0xC6000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0xC6000
+
+# Flash offset for swap area
+# (1524K - 4K) = 1520K = 0x17C000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x17C000
+
+V?=0
+DEBUG?=0
+DEBUG_UART?=1
+USE_GCC=1
+OPTIMIZATION_LEVEL=2
+
+# Use larger block size for swapping sectors (performance improvement)
+CFLAGS_EXTRA+=-DFLASHBUFFER_SIZE=0x1000
+
+# SPI flash hookup for the DK radio shield
+#CFLAGS_EXTRA+=-DSPI_CS_PORT=0  -DSPI_CS_PIN=25
+#CFLAGS_EXTRA+=-DSPI_SCK_PORT=0 -DSPI_SCK_PIN=29
+#CFLAGS_EXTRA+=-DSPI_MOSI_PORT=0 -DSPI_MOSI_PIN=28
+#CFLAGS_EXTRA+=-DSPI_MISO_PORT=0 -DSPI_MISO_PIN=27
+
+#CFLAGS_EXTRA+=-DDEBUG_FLASH
diff --git a/docs/API.md b/docs/API.md
@@ -78,6 +78,8 @@ secure domain. For this purpose, wolfBoot provides Non-Secure Callable (NSC)
 APIs that allow code running in the non-secure domain to call into the secure
 domain managed by wolfBoot.
 
+When `TZEN=1` is enabled, these APIs are available to non-secure applications.
+
 These APIs are listed below.
 
 - `void wolfBoot_nsc_success(void)`: wrapper for `wolfBoot_success()`