diff --git a/.github/workflows/test-configs.yml b/.github/workflows/test-configs.yml index 5f3ada4350..c3367da677 100644 --- a/.github/workflows/test-configs.yml +++ b/.github/workflows/test-configs.yml @@ -260,6 +260,13 @@ jobs: config-file: ./config/examples/mcxn-tz.config board-name: frdmmcxn947 + nxp_mcxn_wolfcrypt_tz_test: + uses: ./.github/workflows/test-build-mcux-sdk-manifests.yml + with: + arch: arm + config-file: ./config/examples/mcxn-wolfcrypt-tz.config + board-name: frdmmcxn947 + nxp_s32k142_test: uses: ./.github/workflows/test-build.yml with: diff --git a/CMakeLists.txt b/CMakeLists.txt index 27f173e027..e8c640ad40 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -668,7 +668,11 @@ if(ARCH STREQUAL "ARM") endif() if(${WOLFBOOT_TARGET} STREQUAL "stm32u5") set(ARCH_FLASH_OFFSET 0x08000000) - set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET}) + if(TZEN) + set(WOLFBOOT_ORIGIN 0x0C000000) + else() + set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET}) + endif() endif() if(${WOLFBOOT_TARGET} STREQUAL "stm32h5") @@ -696,14 +700,14 @@ if(ARCH STREQUAL "ARM") list(APPEND WOLFBOOT_COMPILE_OPTIONS -mcmse) list(APPEND WOLFBOOT_LINK_OPTIONS -mcmse) endif() + list(APPEND WOLFBOOT_LINK_OPTIONS + -Wl,--cmse-implib + -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wolfboot_tz_nsc.o) # wolfCrypt TrustZone secure mode if(WOLFCRYPT_TZ) list(APPEND WOLFBOOT_DEFS WOLFCRYPT_SECURE_MODE) list(APPEND WOLFBOOT_SOURCES src/wc_callable.c) - list(APPEND WOLFBOOT_LINK_OPTIONS - -Wl,--cmse-implib - -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wc_secure_calls.o) # PKCS11 TrustZone interface if(WOLFCRYPT_TZ_PKCS11) diff --git a/Makefile b/Makefile index 321322a9fe..cd89afec61 100644 --- a/Makefile +++ b/Makefile 
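Review bot: The import-library path appended to `WOLFBOOT_LINK_OPTIONS` is built from `${CMAKE_CURRENT_BINARY_DIR}`, while the byproduct in `cmake/wolfboot.cmake` and the link line in `test-app/CMakeLists.txt` both use `${CMAKE_BINARY_DIR}/wolfboot_tz_nsc.o`. The two agree only while this file is the top-level directory; if wolfBoot is pulled in as a subdirectory, the non-secure image would either fail to find the object or link a stale one whose veneer addresses no longer match the secure image. Defining the path once, for example `set(WOLFBOOT_TZ_NSC_IMPLIB "${CMAKE_BINARY_DIR}/wolfboot_tz_nsc.o")`, and using that variable in all three places removes the mismatch. The enclosing `if(TZEN)` block starts outside the hunk, so I am assuming the new `list(APPEND ...)` is still inside it.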
@@ -562,7 +562,7 @@ keys: $(PRIVATE_KEY) clean: $(Q)rm -f src/*.o hal/*.o hal/spi/*.o test-app/*.o src/x86/*.o - $(Q)rm -f src/wc_secure_calls.o + $(Q)rm -f src/wolfboot_tz_nsc.o $(Q)rm -f $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/*.o $(WOLFBOOT_LIB_WOLFTPM)/src/*.o $(WOLFBOOT_LIB_WOLFTPM)/hal/*.o $(WOLFBOOT_LIB_WOLFTPM)/examples/pcr/*.o $(Q)rm -f $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/Renesas/*.o $(Q)rm -f wolfboot.bin wolfboot.elf wolfboot.map test-update.rom wolfboot.hex wolfboot.srec factory.srec diff --git a/arch.mk b/arch.mk index a9de6d9e0f..af263e7a9f 100644 --- a/arch.mk +++ b/arch.mk @@ -360,13 +360,13 @@ else OBJS+=hal/stm32_tz.o endif CFLAGS+=-mcmse + SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wolfboot_tz_nsc.o ifeq ($(WOLFCRYPT_TZ),1) CORTEXM_ARM_EXTRA_OBJS= CORTEXM_ARM_EXTRA_CFLAGS= SECURE_OBJS+=./src/wc_callable.o WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o CFLAGS+=-DWOLFCRYPT_SECURE_MODE - SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wc_secure_calls.o endif endif # TZEN=1 ifeq ($(SPMATH),1) diff --git a/cmake/wolfboot.cmake b/cmake/wolfboot.cmake index 553d949a12..e4d2ec742a 100644 --- a/cmake/wolfboot.cmake +++ b/cmake/wolfboot.cmake @@ -52,8 +52,8 @@ function(gen_wolfboot_platform_target PLATFORM_NAME LINKER_SCRIPT_TARGET) ${LINKER_SCRIPT_TARGET}) # TrustZone import library (generated by the linker via --out-implib) - if(TZEN AND WOLFCRYPT_TZ) - set(_wcs_implib "${CMAKE_BINARY_DIR}/wc_secure_calls.o") + if(TZEN) + set(_wcs_implib "${CMAKE_BINARY_DIR}/wolfboot_tz_nsc.o") add_custom_command(TARGET wolfboot_${PLATFORM_NAME} POST_BUILD BYPRODUCTS "${_wcs_implib}" COMMAND ${CMAKE_COMMAND} -E true diff --git a/config/examples/mcxn-tz.config b/config/examples/mcxn-tz.config index 0984ba7e99..bfe4e6db6b 100644 --- a/config/examples/mcxn-tz.config +++ b/config/examples/mcxn-tz.config 
@@ -10,7 +10,7 @@ MCUXPRESSO_CPU?=MCXN947VDF_cm33_core0 MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/MCX/MCXN/MCXN947 MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/frdmmcxn947/project_template DEBUG?=0 -DEBUG_UART?=0 +DEBUG_UART?=1 VTOR?=1 CORTEX_M0?=0 CORTEX_M33?=1 @@ -27,29 +27,28 @@ SPMATH?=1 RAM_CODE?=1 DUALBANK_SWAP?=0 PKA?=1 -WOLFCRYPT_TZ?=1 # 8KB sectors WOLFBOOT_SECTOR_SIZE?=0x2000 # Default configuration -# 64KB boot, 80KB keyvault, 8KB NSC, 60KB partitions, 8KB swap -WOLFBOOT_KEYVAULT_ADDRESS?=0x12000 -WOLFBOOT_KEYVAULT_SIZE?=0x14000 -WOLFBOOT_NSC_ADDRESS?=0x26000 +# 40KB boot, no keyvault, 8KB NSC, 64KB partitions, 8KB swap +WOLFBOOT_KEYVAULT_ADDRESS?=0xA000 +WOLFBOOT_KEYVAULT_SIZE?=0 +WOLFBOOT_NSC_ADDRESS?=0xA000 WOLFBOOT_NSC_SIZE?=0x2000 -WOLFBOOT_PARTITION_SIZE?=0xE000 -WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x28000 -WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x36000 -WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x44000 +WOLFBOOT_PARTITION_SIZE?=0x10000 +WOLFBOOT_PARTITION_BOOT_ADDRESS?=0xC000 +WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x1C000 +WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x2C000 # Alternate larger configuration for debugging or ARMASM -# 128KB boot, 80KB keyvault, 8KB NSC, 60KB partitions, 8KB swap +# 128KB boot, no keyvault, 8KB NSC, 64KB partitions, 8KB swap #WOLFBOOT_KEYVAULT_ADDRESS?=0x20000 -#WOLFBOOT_KEYVAULT_SIZE?=0x14000 -#WOLFBOOT_NSC_ADDRESS?=0x34000 +#WOLFBOOT_KEYVAULT_SIZE?=0 +#WOLFBOOT_NSC_ADDRESS?=0x20000 #WOLFBOOT_NSC_SIZE?=0x2000 -#WOLFBOOT_PARTITION_SIZE?=0xE000 -#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x36000 -#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x45000 -#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x54000 +#WOLFBOOT_PARTITION_SIZE?=0x10000 +#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x22000 +#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x32000 +#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x42000 diff --git a/config/examples/mcxn-wolfcrypt-tz.config b/config/examples/mcxn-wolfcrypt-tz.config new file mode 100644 index 0000000000..60c88710a8 --- /dev/null 
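Review bot: `WOLFBOOT_KEYVAULT_SIZE?=0` now leaves `WOLFBOOT_KEYVAULT_ADDRESS` and `WOLFBOOT_NSC_ADDRESS` at the same value (`0xA000`, and `0x20000` in the commented alternate), and nothing in the hunk says that a zero-length keyvault is a supported layout. The linker template and SAU setup that consume these values are not visible here, so it is worth confirming that a zero size does not produce a region whose limit falls below its base. A comment such as `# Keyvault disabled: size 0, address aliases the start of the NSC region` would record the intent. Separately, `DEBUG_UART?=1` becomes the default in this example and in the new `mcxn-wolfcrypt-tz.config`; a one-line note that production builds should set it to 0 would help readers who copy the file.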
+++ b/config/examples/mcxn-wolfcrypt-tz.config @@ -0,0 +1,56 @@ +ARCH?=ARM +TZEN?=1 +TARGET?=mcxn +SIGN?=ECC384 +HASH?=SHA384 +MCUXSDK?=1 +MCUXPRESSO?=$(PWD)/../NXP/mcuxpresso-sdk/mcuxsdk +MCUXPRESSO_CMSIS?=$(PWD)/../NXP/CMSIS_5/CMSIS +MCUXPRESSO_CPU?=MCXN947VDF_cm33_core0 +MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/MCX/MCXN/MCXN947 +MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/frdmmcxn947/project_template +DEBUG?=0 +DEBUG_UART?=1 +VTOR?=1 +CORTEX_M0?=0 +CORTEX_M33?=1 +NO_ASM?=0 +NO_MPU=1 +EXT_FLASH?=0 +SPI_FLASH?=0 +ALLOW_DOWNGRADE?=0 +NVM_FLASH_WRITEONCE?=1 +NO_ARM_ASM=1 +WOLFBOOT_VERSION?=0 +V?=0 +SPMATH?=1 +RAM_CODE?=1 +DUALBANK_SWAP?=0 +PKA?=1 +WOLFCRYPT_TZ?=1 +WOLFCRYPT_TZ_PKCS11?=1 + +# 8KB sectors +WOLFBOOT_SECTOR_SIZE?=0x2000 + +# Default configuration +# 192KB boot, 96KB keyvault, 8KB NSC, 64KB partitions, 8KB swap +WOLFBOOT_KEYVAULT_ADDRESS?=0x30000 +WOLFBOOT_KEYVAULT_SIZE?=0x18000 +WOLFBOOT_NSC_ADDRESS?=0x48000 +WOLFBOOT_NSC_SIZE?=0x2000 +WOLFBOOT_PARTITION_SIZE?=0x10000 +WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x4A000 +WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x5A000 +WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x6A000 + +# Alternate larger configuration for debugging or ARMASM +# 320KB boot, 96KB keyvault, 8KB NSC, 64KB partitions, 8KB swap +#WOLFBOOT_KEYVAULT_ADDRESS?=0x50000 +#WOLFBOOT_KEYVAULT_SIZE?=0x18000 +#WOLFBOOT_NSC_ADDRESS?=0x68000 +#WOLFBOOT_NSC_SIZE?=0x2000 +#WOLFBOOT_PARTITION_SIZE?=0x10000 +#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x6A000 +#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x7A000 +#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x8A000 diff --git a/docs/API.md b/docs/API.md index 99a5586762..342cc1f19d 100644 --- a/docs/API.md +++ b/docs/API.md 
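Review bot: `NO_MPU=1` and `NO_ARM_ASM=1` use a plain `=` while every other setting in this new file uses `?=`, so these two cannot be overridden from the environment the way the rest can. If that was carried over from the existing MCXN examples it may be deliberate, but the file does not say so; otherwise `NO_MPU?=1` and `NO_ARM_ASM?=1` would match the rest. Because this configuration hosts a keyvault in the secure image, a short comment giving the reason the MPU is left off would help anyone using it as a starting point.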
@@ -78,6 +78,8 @@ secure domain. For this purpose, wolfBoot provides Non-Secure Callable (NSC) APIs that allow code running in the non-secure domain to call into the secure domain managed by wolfBoot. +When `TZEN=1` is enabled, these APIs are available to non-secure applications. + These APIs are listed below. - `void wolfBoot_nsc_success(void)`: wrapper for `wolfBoot_success()` diff --git a/docs/Targets.md b/docs/Targets.md index 0a7ed2eeec..bdfb655d82 100644 --- a/docs/Targets.md +++ b/docs/Targets.md @@ -4349,7 +4349,14 @@ cp config/examples/mcxn.config .config` make ``` -We also provide a TrustZone configuration at `config/examples/mcxn-tz.config`. +We provide three configuration files: +- `mcxn.config`: basic configuration file; both wolfBoot and your application + run in secure world. +- `mcxn-tz.config`: wolfBoot runs in secure world, your application runs in + non-secure world. +- `mcxn-wolfcrypt-tz.config`: same as above, but also includes a non-secure + callable (NSC) wolfPKCS11 API to perform crypto operations via wolfCrypt and + access a secure keyvault provided by wolfBoot. ### MCX N: Loading the firmware diff --git a/hal/mcxn.c b/hal/mcxn.c index e91d20e8b9..8b9842666a 100644 --- a/hal/mcxn.c +++ b/hal/mcxn.c @@ -40,6 +40,11 @@ #include "hal/armv8m_tz.h" #endif +#ifdef WOLFCRYPT_SECURE_MODE +void hal_trng_init(void); +int hal_trng_get_entropy(unsigned char *out, unsigned int len); +#endif + static flash_config_t pflash; static uint32_t pflash_sector_size = WOLFBOOT_SECTOR_SIZE; uint32_t SystemCoreClock; @@ -104,6 +109,7 @@ void hal_init(void) #if defined(TZEN) && !defined(NONSECURE_APP) hal_sau_init(); #endif + } #ifdef __WOLFBOOT 
@@ -207,21 +213,69 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len) } #ifdef WOLFCRYPT_SECURE_MODE -/* These functions are stubs for now, because the MCUXpresso SDK doesn't - * implement drivers for the MCXN's TRNG. */ +#define ELS_CMD_RND_REQ 24U + void hal_trng_init(void) { + /* Enable ELS and wait for it to be ready */ + ELS->ELS_CTRL = S50_ELS_CTRL_ELS_EN(1); + while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) + ; } void hal_trng_fini(void) { + /* Don't disable ELS, it might be used by other actors */ +} + +static int els_rnd_req(void *out, uint32_t len) +{ + while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) + ; + ELS->ELS_DMA_RES0 = (uint32_t)(uintptr_t)out; + ELS->ELS_DMA_RES0_LEN = len; + ELS->ELS_CMDCFG0 = 0; + ELS->ELS_CTRL = S50_ELS_CTRL_ELS_EN(1) + | S50_ELS_CTRL_ELS_START(1) + | S50_ELS_CTRL_ELS_CMD(ELS_CMD_RND_REQ); + while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK) + ; + return (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_ERR_MASK) ? -1 : 0; } int hal_trng_get_entropy(unsigned char *out, unsigned int len) { - (void)out; - (void)len; - return -1; + uint32_t tmp; + + /* Handle unaligned head (up to 3 bytes) via temporary word */ + if ((uintptr_t)out & 3U) { + uint32_t head = 4U - ((uintptr_t)out & 3U); + if (head > len) + head = len; + if (els_rnd_req(&tmp, 4) != 0) + return -1; + memcpy(out, &tmp, head); + out += head; + len -= head; + } + + /* Bulk aligned portion in one request */ + if (len >= 4) { + uint32_t aligned_len = len & ~3U; + if (els_rnd_req(out, aligned_len) != 0) + return -1; + out += aligned_len; + len -= aligned_len; + } + + /* Handle remaining tail bytes (1-3) via temporary word */ + if (len > 0) { + if (els_rnd_req(&tmp, 4) != 0) + return -1; + memcpy(out, &tmp, len); + } + + return 0; } #endif diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index af9d825b19..201b232437 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h 
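Review bot: `hal_trng_get_entropy()` leaves a copy of the bytes it returned to the caller in the stack word `tmp` (the unaligned-head path and the 1-3 byte tail path); since this output presumably seeds the secure-side RNG, clear it before each return, for example `*(volatile uint32_t *)&tmp = 0U;`. The `ELS_BUSY` polls in `hal_trng_init()` and `els_rnd_req()` have no bound, so an ELS that stays busy stalls the secure world; if a bound is added it has to fail closed with -1 and must not return while ELS can still DMA into `tmp` or `out`. A comment on `ELS_CMD_RND_REQ` stating where the value 24 comes from, and whether the command returns conditioned DRBG output or raw TRNG data, would make the entropy claim reviewable; I cannot tell from the hunk. It would also help to note whether `ELS_DMA_RES0_LEN` accepts any `aligned_len` the caller may pass in a single request.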
@@ -588,7 +588,7 @@ int wolfBoot_set_encrypt_key(const uint8_t *key, const uint8_t *nonce); int wolfBoot_get_encrypt_key(uint8_t *key, uint8_t *nonce); int wolfBoot_erase_encrypt_key(void); -#if !defined(__WOLFBOOT) && defined(WOLFCRYPT_SECURE_MODE) +#if !defined(__WOLFBOOT) && defined(TZEN) /* Applications can access update success/trigger and flash erase/write * via non-secure callable, to facilitate updates @@ -627,7 +627,7 @@ int wolfBoot_nsc_erase_update(uint32_t address, uint32_t len); CSME_NSE_API int wolfBoot_nsc_write_update(uint32_t address, const uint8_t *buf, uint32_t len); -#endif /* !__WOLFBOOT && WOLFCRYPT_SECURE_MODE */ +#endif /* !__WOLFBOOT && TZEN */ #ifdef __cplusplus diff --git a/src/libwolfboot.c b/src/libwolfboot.c index 9f738ad7bb..773ae5ba1b 100644 --- a/src/libwolfboot.c +++ b/src/libwolfboot.c @@ -2354,7 +2354,7 @@ int wolfBoot_ram_decrypt(uint8_t *src, uint8_t *dst) #endif /* MMU */ #endif /* EXT_ENCRYPTED */ -#if defined(__WOLFBOOT) && defined(WOLFCRYPT_SECURE_MODE) +#if defined(__WOLFBOOT) && defined(TZEN) CSME_NSE_API void wolfBoot_nsc_success(void) { @@ -2410,4 +2410,4 @@ int wolfBoot_nsc_write_update(uint32_t address, const uint8_t *buf, uint32_t len return ret; } -#endif +#endif /* __WOLFBOOT && TZEN */ diff --git a/test-app/CMakeLists.txt b/test-app/CMakeLists.txt index 7dfc02d590..a24104365b 100644 --- a/test-app/CMakeLists.txt +++ b/test-app/CMakeLists.txt @@ -52,7 +52,11 @@ endif() if("${WOLFBOOT_TARGET}" STREQUAL "stm32h7") set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32h7.ld) elseif("${WOLFBOOT_TARGET}" STREQUAL "stm32u5") - set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32u5.ld) + if(TZEN) + set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32u5-ns.ld) + else() + set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32u5.ld) + endif() elseif("${WOLFBOOT_TARGET}" STREQUAL "stm32h5") if(TZEN) set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32h5-ns.ld) 
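Review bot: Relaxing the guard from `WOLFCRYPT_SECURE_MODE` to `TZEN` makes `wolfBoot_nsc_erase_update()` and `wolfBoot_nsc_write_update()` non-secure-callable entry points in every TrustZone build, and neither the prototypes here nor the matching guard change in `src/libwolfboot.c` show what they validate. Their bodies are outside the hunks, so please confirm that `address` and `len` are bounded to the update partition, including wrap-around of `address + len`, and that `buf` is checked to lie in non-secure memory before the secure side reads from it. If that is the intended contract, recording it next to the prototypes would make the wider exposure auditable, e.g. `/* address is an offset into the update partition; address + len must not exceed WOLFBOOT_PARTITION_SIZE; buf must point to non-secure memory */`.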
@@ -177,7 +181,7 @@ if(BUILD_TEST_APPS) endif() # For TrustZone builds, avoid linking the bootloader lib (it defines NSC stubs). - if(TZEN AND WOLFCRYPT_TZ) + if(TZEN) target_sources(image PRIVATE ../src/libwolfboot.c) if(NOT SIGN STREQUAL "NONE") set_source_files_properties(${CMAKE_BINARY_DIR}/keystore.c PROPERTIES GENERATED TRUE) @@ -189,11 +193,15 @@ if(BUILD_TEST_APPS) target_link_libraries(image PRIVATE wolfboot wolfboothal public_key target) endif() - # For TrustZone builds, the test app is a non-secure application - if(TZEN AND WOLFCRYPT_TZ) - list(APPEND TEST_APP_COMPILE_DEFINITIONS NONSECURE_APP WOLFBOOT_SECURE_CALLS) + # For TrustZone builds, the test app is a non-secure application and links + # the CMSE import library generated from the secure bootloader veneers. + if(TZEN) + list(APPEND TEST_APP_COMPILE_DEFINITIONS NONSECURE_APP) add_dependencies(image wolfboot_${PLATFORM_NAME}) - target_link_libraries(image PRIVATE ${CMAKE_BINARY_DIR}/wc_secure_calls.o) + target_link_libraries(image PRIVATE ${CMAKE_BINARY_DIR}/wolfboot_tz_nsc.o) + endif() + if(TZEN AND WOLFCRYPT_TZ) + list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_SECURE_CALLS) endif() if(WOLFCRYPT_TZ_PKCS11) diff --git a/test-app/Makefile b/test-app/Makefile index 1d0b1e5ad5..f75d8bab62 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -218,9 +218,9 @@ ifeq ($(TZEN),1) CFLAGS+=-DNONSECURE_APP CFLAGS+=-I./ APP_OBJS+=../hal/$(TARGET)_ns.o + APP_OBJS+=../src/wolfboot_tz_nsc.o ifeq ($(WOLFCRYPT_TZ),1) CFLAGS+=-I"$(WOLFBOOT_LIB_WOLFSSL)" - APP_OBJS+=../src/wc_secure_calls.o WOLFCRYPT_APP_OBJS+=\ $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/memory.o \ $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/hash.o \ 
@@ -244,11 +244,6 @@ ifeq ($(TZEN),1) $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/wolfentropy.o \ $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/dh.o \ $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/wc_encrypt.o - ifeq ($(TEST_APP_NO_RNG),1) - CFLAGS+=-DWC_NO_RNG - else - WOLFCRYPT_APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o - endif ifeq ($(WOLFCRYPT_TZ_PKCS11),1) CFLAGS+=-DWOLFSSL_USER_SETTINGS -DWOLFTPM_USER_SETTINGS CFLAGS+=-DWOLFBOOT_PKCS11_APP -DSECURE_PKCS11 -DWOLFBOOT_TZ_PKCS11 @@ -287,6 +282,12 @@ ifeq ($(TZEN),1) APP_OBJS+=./wcs/sp_cortexm.o endif endif + else + ifeq ($(TEST_APP_NO_RNG),1) + CFLAGS+=-DWC_NO_RNG + else + WOLFCRYPT_APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o + endif endif CFLAGS+=-DWOLFBOOT_SECURE_CALLS -Wstack-usage=19184 LDFLAGS+=--specs=nosys.specs -u _printf_float diff --git a/test-app/app_mcxn.c b/test-app/app_mcxn.c index db8f6195fb..c89704d3bb 100644 --- a/test-app/app_mcxn.c +++ b/test-app/app_mcxn.c @@ -28,6 +28,11 @@ #include "wolfboot/wolfboot.h" #include "printf.h" +#ifdef WOLFCRYPT_SECURE_MODE +#include "wolfssl/wolfcrypt/types.h" +#include "wolfssl/wolfcrypt/random.h" +#endif + extern void hal_init(void); static void gpio_init_output(GPIO_Type *gpio, PORT_Type *port, 
@@ -77,13 +82,35 @@ static void gpio_init_output(GPIO_Type *gpio, PORT_Type *port, PORT_SetPinConfig(port, pin, &pin_config); } +#ifdef WOLFCRYPT_SECURE_MODE +static void print_random_number(void) +{ + WC_RNG rng; + uint32_t rnd; + int ret; + + ret = wc_InitRng(&rng); + if (ret != 0) { + wolfBoot_printf("Random number: init failed (%d)\n", ret); + } + else { + ret = wc_RNG_GenerateBlock(&rng, (byte *)&rnd, sizeof(rnd)); + if (ret != 0) + wolfBoot_printf("Random number: generate failed (%d)\n", ret); + else + wolfBoot_printf("Today's lucky number: 0x%08lx\n", (unsigned long)rnd); + wc_FreeRng(&rng); + } +} +#endif + void main(void) { uint32_t boot_ver; hal_init(); -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN boot_ver = wolfBoot_nsc_current_firmware_version(); #else boot_ver = wolfBoot_current_firmware_version(); @@ -91,6 +118,10 @@ void main(void) wolfBoot_printf("Hello from firmware version %d\n", boot_ver); +#ifdef WOLFCRYPT_SECURE_MODE + print_random_number(); +#endif + if (boot_ver == 1) { /* Red off */ gpio_init_output(GPIO0, PORT0, kCLOCK_Gpio0, kCLOCK_Port0, 10U, 1U); @@ -107,7 +138,7 @@ void main(void) /* Blue off */ gpio_init_output(GPIO1, PORT1, kCLOCK_Gpio1, kCLOCK_Port1, 2U, 1U); -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN wolfBoot_nsc_success(); #else wolfBoot_success(); diff --git a/test-app/app_stm32h5.c b/test-app/app_stm32h5.c index 68c1758a0b..69035047ed 100644 --- a/test-app/app_stm32h5.c +++ b/test-app/app_stm32h5.c @@ -318,7 +318,7 @@ static int cmd_update_xmodem(const char *args) printf("Erasing update partition..."); fflush(stdout); -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN wolfBoot_nsc_erase_update(dst_offset, WOLFBOOT_PARTITION_SIZE); #else hal_flash_unlock(); 
@@ -387,7 +387,7 @@ static int cmd_update_xmodem(const char *args) if (crc == calc_crc) { /* CRC is valid */ memcpy(xpkt_payload, xpkt + 3, XMODEM_PAYLOAD_SIZE); -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN ret = wolfBoot_nsc_write_update(dst_offset, xpkt_payload, XMODEM_PAYLOAD_SIZE); #else ret = hal_flash_write(WOLFBOOT_PARTITION_UPDATE_ADDRESS + dst_offset, xpkt_payload, XMODEM_PAYLOAD_SIZE); @@ -425,7 +425,7 @@ static int cmd_update_xmodem(const char *args) } else { printf("Transfer succeeded\r\n"); -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN update_ver = wolfBoot_nsc_update_firmware_version(); #else update_ver = wolfBoot_update_firmware_version(); @@ -433,7 +433,7 @@ static int cmd_update_xmodem(const char *args) if (update_ver != 0) { printf("New firmware version: 0x%lx\r\n", update_ver); printf("Triggering update...\r\n"); -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN wolfBoot_nsc_update_trigger(); #else wolfBoot_update_trigger(); @@ -444,7 +444,7 @@ static int cmd_update_xmodem(const char *args) } } -#ifndef WOLFCRYPT_SECURE_MODE +#ifndef TZEN hal_flash_lock(); #endif @@ -535,7 +535,7 @@ static int cmd_info(const char *args) uint16_t hdrSz; uint8_t boot_part_state = IMG_STATE_NEW, update_part_state = IMG_STATE_NEW; -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN cur_fw_version = wolfBoot_nsc_current_firmware_version(); update_fw_version = wolfBoot_nsc_update_firmware_version(); @@ -597,7 +597,7 @@ static int cmd_info(const char *args) static int cmd_success(const char *args) { -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN wolfBoot_nsc_success(); #else wolfBoot_success(); @@ -1335,7 +1335,7 @@ void main(void) /* Enable SysTick */ systick_enable(); -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN app_version = wolfBoot_nsc_current_firmware_version(); #else app_version = wolfBoot_current_firmware_version(); diff --git a/test-app/emu-test-apps/common/emu_update.c b/test-app/emu-test-apps/common/emu_update.c index b342d77bdb..72b5cb25bf 100644 
--- a/test-app/emu-test-apps/common/emu_update.c +++ b/test-app/emu-test-apps/common/emu_update.c @@ -109,7 +109,7 @@ static uint32_t emu_current_version(void) { uintptr_t addr = (uintptr_t)WOLFBOOT_PARTITION_BOOT_ADDRESS; -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN return wolfBoot_nsc_current_firmware_version(); #else if (addr == 0u) { @@ -178,7 +178,7 @@ static void wait_for_update(uint32_t version) memset(page, 0xFF, PAGESIZE); -#ifndef WOLFCRYPT_SECURE_MODE +#ifndef TZEN hal_flash_unlock(); #endif @@ -237,7 +237,7 @@ static void wait_for_update(uint32_t version) if ((page_idx == PAGESIZE) || (next_seq + (uint32_t)psize >= tot_len)) { uint32_t dst = (WOLFBOOT_PARTITION_UPDATE_ADDRESS + recv_seq + (uint32_t)psize) - (uint32_t)page_idx; uint32_t dst_off = (recv_seq + (uint32_t)psize) - (uint32_t)page_idx; -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN if ((dst_off % WOLFBOOT_SECTOR_SIZE) == 0u) { wolfBoot_nsc_erase_update(dst_off, WOLFBOOT_SECTOR_SIZE); } @@ -255,7 +255,7 @@ static void wait_for_update(uint32_t version) ack(next_seq); if (next_seq >= tot_len) { uint32_t update_ver; -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN update_ver = wolfBoot_nsc_update_firmware_version(); #else update_ver = wolfBoot_get_blob_version((uint8_t *)WOLFBOOT_PARTITION_UPDATE_ADDRESS); @@ -264,7 +264,7 @@ static void wait_for_update(uint32_t version) __asm volatile("bkpt #0x4D"); break; } -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN wolfBoot_nsc_update_trigger(); #else wolfBoot_update_trigger(); @@ -274,7 +274,7 @@ static void wait_for_update(uint32_t version) } } -#ifndef WOLFCRYPT_SECURE_MODE +#ifndef TZEN hal_flash_lock(); #endif @@ -293,7 +293,7 @@ int main(void) printf("get_version=%lu\n", (unsigned long)version); if (version == 4u) { -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN wolfBoot_nsc_success(); #else wolfBoot_success(); @@ -310,7 +310,7 @@ int main(void) } } if (version == 8u) { -#ifdef WOLFCRYPT_SECURE_MODE +#ifdef TZEN wolfBoot_nsc_success(); #else wolfBoot_success(); 
diff --git a/test-app/emu-test-apps/mcxw71/Makefile b/test-app/emu-test-apps/mcxw71/Makefile index b2831f8018..2505355329 100644 --- a/test-app/emu-test-apps/mcxw71/Makefile +++ b/test-app/emu-test-apps/mcxw71/Makefile @@ -32,8 +32,9 @@ LDFLAGS := -nostdlib -T target.ld -Wl,-gc-sections LDLIBS := -Wl,--start-group -lc -lm -lgcc -lnosys -Wl,--end-group NSC_OBJ := ifeq ($(TZEN),1) + CFLAGS += -DTZEN CFLAGS += -DWOLFCRYPT_SECURE_MODE - NSC_OBJ := ../../../src/wc_secure_calls.o + NSC_OBJ := ../../../src/wolfboot_tz_nsc.o endif VPATH := ../common diff --git a/test-app/emu-test-apps/nrf5340/Makefile b/test-app/emu-test-apps/nrf5340/Makefile index 1b63dad3f3..e074cd1694 100644 --- a/test-app/emu-test-apps/nrf5340/Makefile +++ b/test-app/emu-test-apps/nrf5340/Makefile @@ -28,8 +28,9 @@ LDFLAGS := -nostdlib -T target.ld -Wl,-gc-sections LDLIBS := -Wl,--start-group -lc -lm -lgcc -lnosys -Wl,--end-group NSC_OBJ := ifeq ($(TZEN),1) + CFLAGS += -DTZEN CFLAGS += -DWOLFCRYPT_SECURE_MODE - NSC_OBJ := ../../../src/wc_secure_calls.o + NSC_OBJ := ../../../src/wolfboot_tz_nsc.o endif VPATH := ../common diff --git a/test-app/emu-test-apps/stm32h563/Makefile b/test-app/emu-test-apps/stm32h563/Makefile index d0e3234a96..d16de33bea 100644 --- a/test-app/emu-test-apps/stm32h563/Makefile +++ b/test-app/emu-test-apps/stm32h563/Makefile @@ -28,8 +28,9 @@ LDFLAGS := -nostdlib -T target.ld -Wl,-gc-sections LDLIBS := -Wl,--start-group -lc -lm -lgcc -lnosys -Wl,--end-group NSC_OBJ := ifeq ($(TZEN),1) + CFLAGS += -DTZEN CFLAGS += -DWOLFCRYPT_SECURE_MODE - NSC_OBJ := ../../../src/wc_secure_calls.o + NSC_OBJ := ../../../src/wolfboot_tz_nsc.o endif VPATH := ../common diff --git a/test-app/emu-test-apps/stm32l552/Makefile b/test-app/emu-test-apps/stm32l552/Makefile index 5aec36d6ba..9e89ca360a 100644 --- a/test-app/emu-test-apps/stm32l552/Makefile +++ b/test-app/emu-test-apps/stm32l552/Makefile 
@@ -28,9 +28,10 @@ LDFLAGS := -nostdlib -T target.ld -Wl,-gc-sections LDLIBS := -Wl,--start-group -lc -lm -lgcc -lnosys -Wl,--end-group NSC_OBJ := ifeq ($(TZEN),1) + CFLAGS += -DTZEN CFLAGS += -DNONSECURE_APP CFLAGS += -DWOLFCRYPT_SECURE_MODE - NSC_OBJ := ../../../src/wc_secure_calls.o + NSC_OBJ := ../../../src/wolfboot_tz_nsc.o endif VPATH := ../common diff --git a/test-app/emu-test-apps/stm32u585/Makefile b/test-app/emu-test-apps/stm32u585/Makefile index 5aec36d6ba..9e89ca360a 100644 --- a/test-app/emu-test-apps/stm32u585/Makefile +++ b/test-app/emu-test-apps/stm32u585/Makefile @@ -28,9 +28,10 @@ LDFLAGS := -nostdlib -T target.ld -Wl,-gc-sections LDLIBS := -Wl,--start-group -lc -lm -lgcc -lnosys -Wl,--end-group NSC_OBJ := ifeq ($(TZEN),1) + CFLAGS += -DTZEN CFLAGS += -DNONSECURE_APP CFLAGS += -DWOLFCRYPT_SECURE_MODE - NSC_OBJ := ../../../src/wc_secure_calls.o + NSC_OBJ := ../../../src/wolfboot_tz_nsc.o endif VPATH := ../common diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt index b2c7b9d204..d20b979c89 100644 --- a/zephyr/CMakeLists.txt +++ b/zephyr/CMakeLists.txt @@ -32,7 +32,7 @@ zephyr_library_include_directories( ${WOLFBOOT_MODULE_DIR}/include ) -set(WOLFBOOT_CMSE_VENEERS ${WOLFBOOT_MODULE_DIR}/src/wc_secure_calls.o) +set(WOLFBOOT_CMSE_VENEERS ${WOLFBOOT_MODULE_DIR}/src/wolfboot_tz_nsc.o) if(EXISTS ${WOLFBOOT_CMSE_VENEERS}) zephyr_library_link_libraries(${WOLFBOOT_CMSE_VENEERS}) else() diff --git a/zephyr/README.md b/zephyr/README.md index cc0d2d109f..e7dfb849ca 100644 --- a/zephyr/README.md +++ b/zephyr/README.md @@ -49,7 +49,7 @@ cp config/examples/stm32h5-tz-psa.config .config make clean wolfboot.bin ``` -This also produces `src/wc_secure_calls.o`, which Zephyr links for CMSE veneers. +This also produces `src/wolfboot_tz_nsc.o`, which Zephyr links for CMSE veneers. ## 4) Build the PSA crypto sample with wolfBoot as an extra module 
@@ -101,7 +101,7 @@ wolfboot/src/arm_tee_psa_ipc.c ### PSA symbols missing during Zephyr build Make sure: -- You built wolfBoot first (for `wc_secure_calls.o`). +- You built wolfBoot first (for `wolfboot_tz_nsc.o`). - You passed `-DZEPHYR_EXTRA_MODULES=/path/to/wolfboot`. ### Kconfig warnings about WOLFBOOT_* symbols