Fix USART3 NS-permissions, for STM32L5 test, renamed mislabeled test

danielinux · danielinux · commit 2b235902ceee · 2026-03-20T20:19:56.000+01:00
diff --git a/.github/workflows/trustzone-emulator-tests.yml b/.github/workflows/trustzone-emulator-tests.yml
@@ -27,78 +27,55 @@ jobs:
         run: |
           ./test.sh
 
-      - name: Build and run persistent PKCS11 test app (stm32h5)
-        run: |
-          set -euo pipefail
-
-          build_log=/tmp/m33mu-pkcs11-build.log
-          first_log=/tmp/m33mu-pkcs11-first.log
-          second_log=/tmp/m33mu-pkcs11-second.log
-          persist_dir=/tmp/m33mu-pkcs11-persist
-          rm -f "$build_log" "$first_log" "$second_log"
-          rm -rf "$persist_dir"
-          mkdir -p "$persist_dir"
-
-          dump_log() {
-            local log_file="$1"
-            if [ -f "$log_file" ]; then
-              echo "--- $log_file ---"
-              cat "$log_file"
-            fi
-          }
-
-          make clean distclean >"$build_log" 2>&1 || {
-            dump_log "$build_log"
-            exit 1
-          }
-          cp config/examples/stm32h5-tz.config .config >>"$build_log" 2>&1 || {
-            dump_log "$build_log"
-            exit 1
-          }
-          make PKCS11_TESTAPP=1 >>"$build_log" 2>&1 || {
-            dump_log "$build_log"
-            exit 1
-          }
-
-          (
-            cd "$persist_dir"
-            m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
-              "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
-              --persist --uart-stdout --timeout 120 --expect-bkpt 0x7d \
-              >"$first_log" 2>&1
-          ) || {
-            dump_log "$first_log"
-            exit 1
-          }
-
-          grep -q "pkcs11: first boot path, creating persistent objects" "$first_log" && \
-          grep -q "pkcs11: created persistent PKCS11 objects" "$first_log" && \
-          grep -q "pkcs11: success" "$first_log" && \
-          grep -q "\\[BKPT\\] imm=0x7d" "$first_log" && \
-          grep -q "\\[EXPECT BKPT\\] Success" "$first_log" || {
-            dump_log "$first_log"
-            exit 1
-          }
-
-          (
-            cd "$persist_dir"
-            m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
-              "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
-              --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
-              >"$second_log" 2>&1
-          ) || {
-            dump_log "$second_log"
-            exit 1
-          }
-
-          grep -q "pkcs11: second boot path, restoring persistent objects" "$second_log" && \
-          grep -q "pkcs11: restored persistent PKCS11 objects" "$second_log" && \
-          grep -q "pkcs11: success" "$second_log" && \
-          grep -q "\\[BKPT\\] imm=0x7f" "$second_log" && \
-          grep -q "\\[EXPECT BKPT\\] Success" "$second_log" || {
-            dump_log "$second_log"
-            exit 1
-          }
+      - name: Clean build tree for PKCS11 test (stm32h5)
+        run: |
+          make clean distclean
+
+      - name: Configure PKCS11 test (stm32h5)
+        run: |
+          cp config/examples/stm32h5-tz.config .config
+
+      - name: Build persistent PKCS11 test app (stm32h5)
+        run: |
+          make PKCS11_TESTAPP=1
+
+      - name: Prepare PKCS11 persistence directory
+        run: |
+          rm -rf /tmp/m33mu-pkcs11-persist
+          mkdir -p /tmp/m33mu-pkcs11-persist
+          rm -f /tmp/m33mu-pkcs11-first.log /tmp/m33mu-pkcs11-second.log
+
+      - name: Run PKCS11 first boot (stm32h5)
+        run: |
+          cd /tmp/m33mu-pkcs11-persist
+          m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
+            "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
+            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7d \
+            | tee /tmp/m33mu-pkcs11-first.log
+
+      - name: Verify PKCS11 first boot (stm32h5)
+        run: |
+          grep -q "pkcs11: first boot path, creating persistent objects" /tmp/m33mu-pkcs11-first.log
+          grep -q "pkcs11: created persistent PKCS11 objects" /tmp/m33mu-pkcs11-first.log
+          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-first.log
+          grep -q "\\[BKPT\\] imm=0x7d" /tmp/m33mu-pkcs11-first.log
+          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-first.log
+
+      - name: Run PKCS11 second boot (stm32h5)
+        run: |
+          cd /tmp/m33mu-pkcs11-persist
+          m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
+            "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
+            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
+            | tee /tmp/m33mu-pkcs11-second.log
+
+      - name: Verify PKCS11 second boot (stm32h5)
+        run: |
+          grep -q "pkcs11: second boot path, restoring persistent objects" /tmp/m33mu-pkcs11-second.log
+          grep -q "pkcs11: restored persistent PKCS11 objects" /tmp/m33mu-pkcs11-second.log
+          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-second.log
+          grep -q "\\[BKPT\\] imm=0x7f" /tmp/m33mu-pkcs11-second.log
+          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-second.log
 
       - name: Clean and build stm32u5 (TZ + wolfcrypt)
         run: |
@@ -117,7 +94,7 @@ jobs:
           cp config/examples/stm32l5-wolfcrypt-tz.config .config
           make wolfboot.bin
 
-      - name: Run emu test (stm32u5)
+      - name: Run emu test (stm32l5)
         working-directory: test-app/emu-test-apps
         run: |
           TARGET=stm32l5 ./test.sh
diff --git a/hal/stm32l5.c b/hal/stm32l5.c
@@ -400,11 +400,17 @@ static void clock_pll_on(int powersave)
 #if TZ_SECURE()
 static void periph_unsecure()
 {
+    volatile uint32_t reg;
+
     /*Enable clock for User LED GPIOs */
     RCC_AHB2_CLOCK_ER|= LED_AHB2_ENABLE;
 
     /* Enable clock for LPUART1 */
     RCC_APB1_CLOCK_ER |= UART1_APB1_CLOCK_ER_VAL;
+    /* Enable clock for USART3 used by emu-test-apps on PD8/PD9 */
+    RCC_APB1_CLOCK_ER |= UART3_APB1_CLOCK_ER_VAL;
+    /* Enable clock for GPIO D (USART3 pins) */
+    RCC_AHB2_CLOCK_ER |= GPIOD_AHB2_CLOCK_ER;
 
 
     PWR_CR2 |= PWR_CR2_IOSV;
@@ -423,6 +429,16 @@ static void periph_unsecure()
     GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_TX_PIN);
     GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_RX_PIN);
 
+    /* Unsecure USART3 and its pins for the STM32L5 emulator app path. */
+    reg = TZSC_SECCFGR1;
+    if (reg & TZSC_SECCFGR1_USART3SEC) {
+        reg &= ~TZSC_SECCFGR1_USART3SEC;
+        DMB();
+        TZSC_SECCFGR1 = reg;
+    }
+    GPIO_SECCFGR(GPIOD_BASE) &= ~(1u << 8);
+    GPIO_SECCFGR(GPIOD_BASE) &= ~(1u << 9);
+
 }
 #endif
 
diff --git a/hal/stm32l5.h b/hal/stm32l5.h
@@ -183,6 +183,8 @@
 
 #define TZSC_PRIVCFGR1   *((uint32_t *)(0x50032420))
 #define TZSC_PRIVCFG1_LPUARTPRIV (1 << 21)
+#define TZSC_SECCFGR1    *((uint32_t *)(0x50032410))
+#define TZSC_SECCFGR1_USART3SEC (1 << 11)
 
 
 #else
@@ -257,6 +259,7 @@
 
 #define RCC_APB1_CLOCK_ER (*(volatile uint32_t *)(RCC_BASE + 0x5C ))
 #define UART1_APB1_CLOCK_ER_VAL (1 << 0)
+#define UART3_APB1_CLOCK_ER_VAL (1 << 18)
 
 #define UART1_PIN_AF 8
 #define UART1_RX_PIN 8
