NSC veneers when TZEN=1; WOLFCRYPT_TZ_PKCS11 on the NXP MCX N #727
Open
mattia-moffa wants to merge 4 commits into wolfSSL:master from
Pull request overview
This PR improves TrustZone integration across build systems and platforms by enabling NSC veneers whenever TZEN=1, renaming the generated CMSE import library, and extending MCXN support (TRNG + wolfCrypt/PKCS11 configuration).
Changes:
- Generate/link CMSE import library as wolfboot_tz_nsc.o for all TZEN=1 builds (not only WOLFCRYPT_TZ=1).
- Add MCXN TRNG implementation and a new MCXN wolfCrypt+PKCS11 TrustZone example config.
- Update test apps/docs/CI to use the renamed veneers object and revised TrustZone behavior.
Reviewed changes
Copilot reviewed 24 out of 24 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| zephyr/README.md | Updates Zephyr instructions to reference wolfboot_tz_nsc.o. |
| zephyr/CMakeLists.txt | Links Zephyr against the renamed CMSE import library. |
| test-app/emu-test-apps/stm32u585/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/stm32l552/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/stm32h563/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/nrf5340/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/mcxw71/Makefile | Uses wolfboot_tz_nsc.o for TZ builds. |
| test-app/emu-test-apps/common/emu_update.c | Switches update/flash ops to NSC path based on TZEN. |
| test-app/app_stm32h5.c | Switches NSC calls to be controlled by TZEN. |
| test-app/app_mcxn.c | Adds wolfCrypt RNG demo via NSC; switches NSC calls to TZEN. |
| test-app/Makefile | Always links wolfboot_tz_nsc.o for TZ builds; adjusts RNG object selection. |
| test-app/CMakeLists.txt | Links against wolfboot_tz_nsc.o for TZ builds; updates TZ build logic/comments. |
| src/libwolfboot.c | Exposes NSC veneer implementations when __WOLFBOOT && TZEN. |
| include/wolfboot/wolfboot.h | Exposes NSC API declarations when TZEN is set for non-bootloader builds. |
| hal/mcxn.c | Implements MCXN TRNG via ELS RND_REQ. |
| docs/API.md | Documents NSC API availability with TZEN=1. |
| config/examples/mcxn-wolfcrypt-tz.config | Adds MCXN TrustZone wolfCrypt+PKCS11 example configuration. |
| config/examples/mcxn-tz.config | Repartitions MCXN TrustZone layout and enables UART debug by default. |
| cmake/wolfboot.cmake | Generates wolfboot_tz_nsc.o import library whenever TZEN is enabled. |
| arch.mk | Generates wolfboot_tz_nsc.o via --out-implib for all TZ builds. |
| Makefile | Updates clean target to remove wolfboot_tz_nsc.o. |
| CMakeLists.txt | Generates wolfboot_tz_nsc.o in ARM+TZ builds (not only wolfCrypt TZ mode). |
| .github/workflows/test-configs.yml | Adds CI build job for mcxn-wolfcrypt-tz.config. |
Comments suppressed due to low confidence (1)
test-app/Makefile:1
- With WOLFCRYPT_TZ_PKCS11=1, this Makefile no longer links wolfcrypt/src/random.o (and does not define WC_NO_RNG). The PR also adds code in test-app/app_mcxn.c that calls wc_InitRng()/wc_RNG_GenerateBlock(), which will typically require random.o at link time. Consider moving the RNG selection (TEST_APP_NO_RNG vs adding random.o) outside the WOLFCRYPT_TZ_PKCS11 conditional so PKCS11 builds still provide wolfCrypt RNG symbols (or explicitly define WC_NO_RNG and avoid RNG usage in the app).
-include ../.config
Comment on lines +222 to +223
| while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) | ||
| ; |
| return -1; | ||
| /* Implemented as a RND_REQ command to the ELS */ | ||
|
|
||
| uint32_t aligned_len = len & ~3U; |
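Review bot: The wait on ELS_STATUS at +222 to +223 has no bound, so an ELS_BUSY bit that never clears hangs the caller with no way to report the fault. Count iterations (or use a timer) and fail with -1 on expiry, the same value the visible error paths return; the other waits of the form `while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) ;` in this function need the same treatment.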
Comment on lines +239 to +240
| while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) | ||
| ; |
Comment on lines +244 to +245
| ELS->ELS_DMA_RES0 = (uint32_t)(uintptr_t)out; | ||
| ELS->ELS_DMA_RES0_LEN = aligned_len; |
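Review bot: `ELS->ELS_DMA_RES0 = (uint32_t)(uintptr_t)out;` hands the caller's pointer to the DMA engine unchecked: the length is rounded down to a word multiple, but nothing visible here rejects a NULL `out` or verifies its alignment. If the ELS result DMA needs a word-aligned address, add a check or route unaligned destinations through an aligned temporary word, and state the requirement in the function comment.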
Comment on lines +235 to +277
| uint32_t aligned_len = len & ~3U; | ||
| uint32_t status; | ||
|
|
||
| /* Wait for ELS to be ready */ | ||
| while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) | ||
| ; | ||
|
|
||
| /* Handle the word-aligned portion */ | ||
| if (aligned_len > 0) { | ||
| ELS->ELS_DMA_RES0 = (uint32_t)(uintptr_t)out; | ||
| ELS->ELS_DMA_RES0_LEN = aligned_len; | ||
| ELS->ELS_CMDCFG0 = 0; | ||
| ELS->ELS_CTRL = S50_ELS_CTRL_ELS_EN(1) | ||
| | S50_ELS_CTRL_ELS_START(1) | ||
| | S50_ELS_CTRL_ELS_CMD(ELS_CMD_RND_REQ); | ||
|
|
||
| while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) | ||
| ; | ||
|
|
||
| status = ELS->ELS_STATUS; | ||
| if (status & S50_ELS_STATUS_ELS_ERR_MASK) | ||
| return -1; | ||
| } | ||
|
|
||
| /* Handle remaining bytes (1-3) with a temporary word */ | ||
| if (len > aligned_len) { | ||
| uint32_t tmp; | ||
|
|
||
| ELS->ELS_DMA_RES0 = (uint32_t)(uintptr_t)&tmp; | ||
| ELS->ELS_DMA_RES0_LEN = 4; | ||
| ELS->ELS_CMDCFG0 = 0; | ||
| ELS->ELS_CTRL = S50_ELS_CTRL_ELS_EN(1) | ||
| | S50_ELS_CTRL_ELS_START(1) | ||
| | S50_ELS_CTRL_ELS_CMD(ELS_CMD_RND_REQ); | ||
|
|
||
| while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) | ||
| ; | ||
|
|
||
| status = ELS->ELS_STATUS; | ||
| if (status & S50_ELS_STATUS_ELS_ERR_MASK) | ||
| return -1; | ||
|
|
||
| memcpy(out + aligned_len, &tmp, len - aligned_len); |
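Review bot: In the tail path, `tmp` still holds a full word of TRNG output on the stack after `memcpy(out + aligned_len, &tmp, len - aligned_len);`, including the bytes just handed to the caller. Clear it before returning, using a wipe the compiler cannot optimise away, since TRNG output may later be used as key material. Separately, the RND_REQ sequence (ELS_DMA_RES0, ELS_DMA_RES0_LEN, ELS_CMDCFG0, ELS_CTRL, wait, check ELS_ERR) is written out twice; a small static helper taking destination and length would keep the aligned and tail paths from drifting apart.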
Comment on lines +251 to +252
| while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) | ||
| ; |
Comment on lines +270 to +271
| while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) | ||
| ; |
| } | ||
|
|
||
| #ifdef WOLFCRYPT_SECURE_MODE | ||
| void print_random_number(void) |
| int wolfBoot_erase_encrypt_key(void); | ||
|
|
||
| #if !defined(__WOLFBOOT) && defined(WOLFCRYPT_SECURE_MODE) | ||
| #if !defined(__WOLFBOOT) && defined(TZEN) |
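Review bot: `#if !defined(__WOLFBOOT) && defined(TZEN)` tests only whether TZEN is defined, not its value, so a build that passes TZEN=0 as a macro would still get the NSC declarations. Either test the value as well or document next to the guard that non-TrustZone builds must leave TZEN undefined.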
Comment on lines +179 to 181
| # wolfCrypt TrustZone test builds provide extra secure-call wrappers directly. | ||
| if(TZEN AND WOLFCRYPT_TZ) | ||
| target_sources(image PRIVATE ../src/libwolfboot.c) |
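Review bot: The `if(TZEN AND WOLFCRYPT_TZ)` condition at +179 to 181 still depends on WOLFCRYPT_TZ, while the summary of this PR says the veneers are now generated for every TZEN=1 build, and the comment above the condition does not say why libwolfboot.c is added only in that case. State the reason in the comment, or relax the condition to TZEN if the test app needs these wrappers in plain TrustZone builds too.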
Various TrustZone improvements:
- TZEN=1, not only when WOLFCRYPT_TZ=1
- wc_secure_calls.o to wolfboot_tz_nsc.o, since it's no longer just for wolfCrypt calls
- hal_trng_* for NXP MCXN
- mcxn-wolfcrypt-tz.config with WOLFCRYPT_TZ=1 and WOLFCRYPT_TZ_PKCS11=1
- mcxn-tz.config