NSC veneers when TZEN=1; WOLFCRYPT_TZ_PKCS11 on the NXP MCX N#727
Open
mattia-moffa wants to merge 9 commits intowolfSSL:masterfrom
Open
NSC veneers when TZEN=1; WOLFCRYPT_TZ_PKCS11 on the NXP MCX N#727mattia-moffa wants to merge 9 commits intowolfSSL:masterfrom
mattia-moffa wants to merge 9 commits intowolfSSL:masterfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves TrustZone integration across build systems and platforms by enabling NSC veneers whenever TZEN=1, renaming the generated CMSE import library, and extending MCXN support (TRNG + wolfCrypt/PKCS11 configuration).
Changes:
- Generate/link CMSE import library as
wolfboot_tz_nsc.ofor allTZEN=1builds (not onlyWOLFCRYPT_TZ=1). - Add MCXN TRNG implementation and a new MCXN wolfCrypt+PKCS11 TrustZone example config.
- Update test apps/docs/CI to use the renamed veneers object and revised TrustZone behavior.
Reviewed changes
Copilot reviewed 24 out of 24 changed files in this pull request and generated 13 comments.
Show a summary per file
| File | Description |
|---|---|
| zephyr/README.md | Updates Zephyr instructions to reference wolfboot_tz_nsc.o. |
| zephyr/CMakeLists.txt | Links Zephyr against the renamed CMSE import library. |
| test-app/emu-test-apps/stm32u585/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/stm32l552/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/stm32h563/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/nrf5340/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/mcxw71/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/common/emu_update.c | Switches update/flash ops to NSC path based on TZEN. |
| test-app/app_stm32h5.c | Switches NSC calls to be controlled by TZEN. |
| test-app/app_mcxn.c | Adds wolfCrypt RNG demo via NSC; switches NSC calls to TZEN. |
| test-app/Makefile | Always links wolfboot_tz_nsc.o for TZ builds; adjusts RNG object selection. |
| test-app/CMakeLists.txt | Links against wolfboot_tz_nsc.o for TZ builds; updates TZ build logic/comments. |
| src/libwolfboot.c | Exposes NSC veneer implementations when __WOLFBOOT && TZEN. |
| include/wolfboot/wolfboot.h | Exposes NSC API declarations when TZEN is set for non-bootloader builds. |
| hal/mcxn.c | Implements MCXN TRNG via ELS RND_REQ. |
| docs/API.md | Documents NSC API availability with TZEN=1. |
| config/examples/mcxn-wolfcrypt-tz.config | Adds MCXN TrustZone wolfCrypt+PKCS11 example configuration. |
| config/examples/mcxn-tz.config | Repartitions MCXN TrustZone layout and enables UART debug by default. |
| cmake/wolfboot.cmake | Generates wolfboot_tz_nsc.o import library whenever TZEN is enabled. |
| arch.mk | Generates wolfboot_tz_nsc.o via --out-implib for all TZ builds. |
| Makefile | Updates clean target to remove wolfboot_tz_nsc.o. |
| CMakeLists.txt | Generates wolfboot_tz_nsc.o in ARM+TZ builds (not only wolfCrypt TZ mode). |
| .github/workflows/test-configs.yml | Adds CI build job for mcxn-wolfcrypt-tz.config. |
Comments suppressed due to low confidence (1)
test-app/Makefile:1
- With
WOLFCRYPT_TZ_PKCS11=1, this Makefile no longer linkswolfcrypt/src/random.o(and does not defineWC_NO_RNG). The PR also adds code intest-app/app_mcxn.cthat callswc_InitRng()/wc_RNG_GenerateBlock(), which will typically requirerandom.oat link time. Consider moving the RNG selection (TEST_APP_NO_RNGvs addingrandom.o) outside theWOLFCRYPT_TZ_PKCS11conditional so PKCS11 builds still provide wolfCrypt RNG symbols (or explicitly defineWC_NO_RNGand avoid RNG usage in the app).
-include ../.config
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors and broadens TrustZone (TZEN) support by enabling NSC veneers whenever TZEN=1, renaming the generated CMSE import library, and improving NXP MCX N support (TRNG + new wolfCrypt TZ/PKCS11 config).
Changes:
- Enable and rename the TrustZone CMSE import library from
wc_secure_calls.otowolfboot_tz_nsc.oacross build systems (Make/CMake/Zephyr) and docs. - Switch NSC call sites/guards to key off
TZENand expand NSC veneer availability beyond wolfCrypt-only use. - Add MCXN TRNG implementation and introduce
mcxn-wolfcrypt-tz.configplus CI coverage for it; adjust MCXN TZ partitioning and app behavior.
Reviewed changes
Copilot reviewed 24 out of 24 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| zephyr/README.md | Updates Zephyr integration docs to reference the renamed CMSE import library. |
| zephyr/CMakeLists.txt | Switches Zephyr link target to the renamed wolfboot_tz_nsc.o. |
| test-app/emu-test-apps/stm32u585/Makefile | Updates NSC import object name for TZ builds. |
| test-app/emu-test-apps/stm32l552/Makefile | Updates NSC import object name for TZ builds. |
| test-app/emu-test-apps/stm32h563/Makefile | Updates NSC import object name for TZ builds. |
| test-app/emu-test-apps/nrf5340/Makefile | Updates NSC import object name for TZ builds. |
| test-app/emu-test-apps/mcxw71/Makefile | Updates NSC import object name for TZ builds. |
| test-app/emu-test-apps/common/emu_update.c | Switches NSC decision points from WOLFCRYPT_SECURE_MODE to TZEN. |
| test-app/app_stm32h5.c | Switches update/info/success NSC call gates from WOLFCRYPT_SECURE_MODE to TZEN. |
| test-app/app_mcxn.c | Uses TZEN for NSC bootloader calls and adds a wolfCrypt RNG demo when in secure mode. |
| test-app/Makefile | Links wolfboot_tz_nsc.o for TZ builds and adjusts RNG object selection logic. |
| test-app/CMakeLists.txt | Always uses NSC import library when TZEN and links wolfboot_tz_nsc.o. |
| src/libwolfboot.c | Builds NSC veneer functions when TZEN (not only wolfCrypt secure mode). |
| include/wolfboot/wolfboot.h | Exposes NSC API declarations when TZEN is enabled for non-secure apps. |
| hal/mcxn.c | Implements TRNG entropy functions using ELS hardware and removes prior stub behavior. |
| docs/Targets.md | Documents the three MCXN configs including the new wolfCrypt TZ/PKCS11 variant. |
| docs/API.md | Clarifies NSC API availability when TZEN=1. |
| config/examples/mcxn-wolfcrypt-tz.config | Adds new MCXN config enabling WOLFCRYPT_TZ + WOLFCRYPT_TZ_PKCS11. |
| config/examples/mcxn-tz.config | Repartitions MCXN TZ layout (no keyvault) and enables UART debug by default. |
| cmake/wolfboot.cmake | Generates wolfboot_tz_nsc.o import library whenever TZEN is enabled. |
| arch.mk | Emits CMSE import library as wolfboot_tz_nsc.o for any TZ build. |
| Makefile | Updates clean target to remove wolfboot_tz_nsc.o. |
| CMakeLists.txt | Emits wolfboot_tz_nsc.o import library for TZ builds; adjusts stm32u5 origin when TZEN. |
| .github/workflows/test-configs.yml | Adds CI build job for mcxn-wolfcrypt-tz.config. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Various TrustZone improvements:
TZEN=1, not only whenWOLFCRYPT_TZ=1wc_secure_calls.otowolfboot_tz_nsc.o, since it's no longer just for wolfCrypt callshal_trng_*for NXP MCXNmcxn-wolfcrypt-tz.configwithWOLFCRYPT_TZ=1andWOLFCRYPT_TZ_PKCS11=1mcxn-tz.config