Support stm32h5 TrustZone build via CMake

Author: mattia-moffa

CMakeLists.txt

@@ -659,6 +659,65 @@ if(ARCH STREQUAL "ARM")
         set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET})
     endif()
 
+    if(${WOLFBOOT_TARGET} STREQUAL "stm32h5")
+        set(ARCH_FLASH_OFFSET 0x08000000)
+        if(TZEN)
+            set(WOLFBOOT_ORIGIN 0x0C000000)
+        else()
+            set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET})
+        endif()
+    endif()
+
+    if(${WOLFBOOT_TARGET} STREQUAL "stm32l5")
+        set(ARCH_FLASH_OFFSET 0x08000000)
+        if(TZEN)
+            set(WOLFBOOT_ORIGIN 0x0C000000)
+        else()
+            set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET})
+        endif()
+    endif()
+
+    # TrustZone support for Cortex-M33 targets
+    if(TZEN)
+        list(APPEND WOLFBOOT_DEFS TZEN)
+        if(CMAKE_SYSTEM_PROCESSOR STREQUAL "cortex-m33")
+            list(APPEND WOLFBOOT_COMPILE_OPTIONS -mcmse)
+            list(APPEND WOLFBOOT_LINK_OPTIONS -mcmse)
+        endif()
+
+        # wolfCrypt TrustZone secure mode
+        if(WOLFCRYPT_TZ)
+            list(APPEND WOLFBOOT_DEFS WOLFCRYPT_SECURE_MODE)
+            list(APPEND WOLFBOOT_SOURCES src/wc_callable.c)
+            list(APPEND WOLFBOOT_LINK_OPTIONS
+                -Wl,--cmse-implib
+                -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wc_secure_calls.o)
+
+            # PKCS11 TrustZone interface
+            if(WOLFCRYPT_TZ_PKCS11)
+                if(WOLFCRYPT_TZ_PSA)
+                    message(FATAL_ERROR "WOLFCRYPT_TZ_PKCS11 and WOLFCRYPT_TZ_PSA are mutually exclusive")
+                endif()
+
+                list(APPEND WOLFBOOT_DEFS
+                    SECURE_PKCS11
+                    WOLFSSL_PKCS11_RW_TOKENS
+                    WP11_HASH_PIN_COST=3)
+                list(APPEND WOLFBOOT_DEFS "CK_CALLABLE=__attribute__\\(\\(cmse_nonsecure_entry\\)\\)")
+
+                list(APPEND WOLFBOOT_INCLUDE_DIRS ${WOLFBOOT_ROOT}/lib/wolfPKCS11)
+
+                list(APPEND WOLFBOOT_SOURCES
+                    src/pkcs11_store.c
+                    src/pkcs11_callable.c
+                    lib/wolfPKCS11/src/crypto.c
+                    lib/wolfPKCS11/src/internal.c
+                    lib/wolfPKCS11/src/slot.c
+                    lib/wolfPKCS11/src/wolfpkcs11.c)
+            endif()
+        endif()
+    endif()
+
 endif()
 
 if(ARCH STREQUAL "AARCH64")
@@ -1054,8 +1113,17 @@ add_library(user_settings INTERFACE)
 target_compile_definitions(user_settings INTERFACE ${USER_SETTINGS} ${SIGN_OPTIONS})
 
 add_library(wolfboothal)
+
+# TrustZone HAL sources for STM32 targets
+set(WOLFBOOT_TZ_HAL_SOURCES "")
+if(TZEN)
+    if(${WOLFBOOT_TARGET} MATCHES "^stm32")
+        set(WOLFBOOT_TZ_HAL_SOURCES hal/stm32_tz.c)
+    endif()
+endif()
+
 target_sources(wolfboothal PRIVATE include/hal.h hal/${WOLFBOOT_TARGET}.c ${WOLFBOOT_FLASH_SOURCES}
-                                   ${PARTITION_SOURCE})
+                                   ${PARTITION_SOURCE} ${WOLFBOOT_TZ_HAL_SOURCES})
 
 
 #---------------------------------------------------------------------------------------------
@@ -1352,11 +1420,14 @@ set(WOLFBOOT_VERSION
     ${WOLFBOOT_VERSION}
     CACHE INTERNAL "")
 
+set(WOLFBOOT_DEFS_PUBLIC ${WOLFBOOT_DEFS})
+list(REMOVE_ITEM WOLFBOOT_DEFS_PUBLIC __WOLFBOOT)
+
 # generate target.h
 configure_file(include/target.h.in ${CMAKE_CURRENT_BINARY_DIR}/target.h @ONLY)
 
 add_library(target INTERFACE)
-target_compile_definitions(target INTERFACE ${WOLFBOOT_DEFS})
+target_compile_definitions(target INTERFACE ${WOLFBOOT_DEFS_PUBLIC})
 target_include_directories(target BEFORE INTERFACE
                                     ${CMAKE_CURRENT_BINARY_DIR}
                                     ${CMAKE_CURRENT_SOURCE_DIR}/lib/wolfssl)
@@ -1401,8 +1472,9 @@ endif()
 # generate libwolfboot
 add_library(wolfboot)
 target_sources(wolfboot PRIVATE src/libwolfboot.c ${WOLFBOOT_FLASH_SOURCES})
-target_compile_definitions(wolfboot PUBLIC ${WOLFBOOT_DEFS})
-target_compile_options(wolfboot PUBLIC ${EXTRA_COMPILE_OPTIONS})
+target_compile_definitions(wolfboot PUBLIC ${WOLFBOOT_DEFS_PUBLIC})
+target_compile_definitions(wolfboot PRIVATE __WOLFBOOT)
+target_compile_options(wolfboot PUBLIC ${WOLFBOOT_COMPILE_OPTIONS} ${EXTRA_COMPILE_OPTIONS})
 target_include_directories(wolfboot PUBLIC ${WOLFBOOT_INCLUDE_DIRS})
 target_link_libraries(wolfboot wolfboothal target ${WOLFSSL_TGT})
 

CMakePresets.json

@@ -292,7 +292,6 @@
       "generator": "Ninja",
       "binaryDir": "${sourceDir}/build-stm32h5",
       "cacheVariables": {
-        "BUILD_TEST_APPS": "OFF",
         "ARCH": "ARM",
         "TZEN": "ON",
         "WOLFBOOT_TARGET": "stm32h5",
@@ -309,7 +308,7 @@
         "WOLFBOOT_VERSION": "ON",
         "V": "OFF",
         "SPMATH": "ON",
-        "RAM_CODE": "OFF",
+        "RAM_CODE": "ON",
         "DUALBANK_SWAP": "OFF",
         "WOLFBOOT_PARTITION_SIZE": "0xA0000",
         "WOLFBOOT_SECTOR_SIZE": "0x2000",
@@ -318,12 +317,14 @@
         "WOLFBOOT_NSC_ADDRESS": "0x0C05C000",
         "WOLFBOOT_NSC_SIZE": "0x4000",
         "WOLFBOOT_PARTITION_BOOT_ADDRESS": "0x08060000",
-        "WOLFBOOT_PARTITION_UPDATE_ADDRESS": "0x08100000",
-        "WOLFBOOT_PARTITION_SWAP_ADDRESS": "0x081A0000",
+        "WOLFBOOT_PARTITION_UPDATE_ADDRESS": "0x0C100000",
+        "WOLFBOOT_PARTITION_SWAP_ADDRESS": "0x0C1A0000",
         "FLAGS_HOME": "OFF",
         "DISABLE_BACKUP": "OFF",
         "IMAGE_HEADER_SIZE": "1024",
-        "ARMORED": "ON"
+        "ARMORED": "ON",
+        "WOLFCRYPT_TZ": "ON",
+        "WOLFCRYPT_TZ_PKCS11": "ON"
       }
     },
     {

cmake/toolchain_arm-none-eabi.cmake

@@ -47,7 +47,8 @@ endif()
 if(WOLFBOOT_TARGET STREQUAL "stm32l0")
     set(CMAKE_SYSTEM_PROCESSOR cortex-m0)
     set(MCPU_FLAGS "-mcpu=cortex-m0 -mthumb -mlittle-endian -mthumb-interwork ")
-elseif(WOLFBOOT_TARGET STREQUAL "stm32u5")
+elseif(WOLFBOOT_TARGET STREQUAL "stm32u5" OR WOLFBOOT_TARGET STREQUAL "stm32h5" OR
+       WOLFBOOT_TARGET STREQUAL "stm32l5")
     set(CMAKE_SYSTEM_PROCESSOR cortex-m33)
     set(MCPU_FLAGS "-mcpu=cortex-m33 -mthumb -mlittle-endian -mthumb-interwork -Ihal -DCORTEX_M33")
 elseif(WOLFBOOT_TARGET STREQUAL "stm32h7")

cmake/wolfboot.cmake

@@ -51,6 +51,15 @@ function(gen_wolfboot_platform_target PLATFORM_NAME LINKER_SCRIPT_TARGET)
     target_link_libraries(wolfboot_${PLATFORM_NAME} wolfcrypt target wolfboot
                           ${LINKER_SCRIPT_TARGET})
 
+    # TrustZone import library (generated by the linker via --out-implib)
+    if(TZEN AND WOLFCRYPT_TZ)
+        set(_wcs_implib "${CMAKE_BINARY_DIR}/wc_secure_calls.o")
+        add_custom_command(TARGET wolfboot_${PLATFORM_NAME} POST_BUILD
+            BYPRODUCTS "${_wcs_implib}"
+            COMMAND ${CMAKE_COMMAND} -E true
+        )
+    endif()
+
     # link with public key if signing is enabled
     if(NOT SIGN STREQUAL "NONE")
         target_link_libraries(wolfboot_${PLATFORM_NAME} public_key)
@@ -87,7 +96,8 @@ function(gen_wolfboot_signed_image TARGET)
     add_custom_command(
         OUTPUT ${TARGET}_v${VERSION}_signed.bin
         DEPENDS ${INPUT_IMAGE} ${WOLFBOOT_SIGNING_PRIVATE_KEY} ${SIGN_TOOL}
-        COMMAND ${SIGN_TOOL} ${KEYTOOL_OPTIONS} ${INPUT_IMAGE} ${WOLFBOOT_SIGNING_PRIVATE_KEY} ${VERSION}
+        COMMAND ${CMAKE_COMMAND} -E env IMAGE_HEADER_SIZE=${IMAGE_HEADER_SIZE}
+                ${SIGN_TOOL} ${KEYTOOL_OPTIONS} ${INPUT_IMAGE} ${WOLFBOOT_SIGNING_PRIVATE_KEY} ${VERSION}
         COMMENT "Signing ${TARGET}"
     )
 

lib/CMakeLists.txt

@@ -174,6 +174,36 @@ if(NOT WOLFBOOT_SMALL_STACK AND WOLFBOOT_TARGET STREQUAL "unit_test")
     list(REMOVE_DUPLICATES WOLFCRYPT_SOURCES)
 endif()
 
+if(WOLFCRYPT_TZ_PKCS11)
+    list(APPEND WOLFCRYPT_SOURCES
+        wolfssl/wolfcrypt/src/asn.c
+        wolfssl/wolfcrypt/src/memory.c
+        wolfssl/wolfcrypt/src/random.c
+        wolfssl/wolfcrypt/src/pwdbased.c
+        wolfssl/wolfcrypt/src/hmac.c
+        wolfssl/wolfcrypt/src/dh.c)
+
+    if(NOT ENCRYPT_WITH_AES128 AND NOT ENCRYPT_WITH_AES256)
+        list(APPEND WOLFCRYPT_SOURCES wolfssl/wolfcrypt/src/aes.c)
+    endif()
+
+    set(_sign "${SIGN}")
+    set(_sign2 "${SIGN_SECONDARY}")
+
+    if(NOT _sign MATCHES "RSA" AND NOT _sign2 MATCHES "RSA")
+        list(APPEND WOLFCRYPT_SOURCES ${RSA_EXTRA_SOURCES} wolfssl/wolfcrypt/src/rsa.c)
+    endif()
+
+    if(NOT _sign MATCHES "ECC" AND NOT _sign2 MATCHES "ECC")
+        list(APPEND WOLFCRYPT_SOURCES wolfssl/wolfcrypt/src/ecc.c)
+    endif()
+
+    if(NOT _sign MATCHES "ECC" AND NOT _sign2 MATCHES "ECC" AND
+       NOT _sign MATCHES "RSA" AND NOT _sign2 MATCHES "RSA")
+        list(APPEND WOLFCRYPT_SOURCES ${MATH_SOURCES})
+    endif()
+endif()
+
 # Include SHA256 module because it's implicitly needed by RSA
 list(APPEND WOLFCRYPT_SOURCES wolfssl/wolfcrypt/src/sha256.c)
 

test-app/CMakeLists.txt

@@ -53,6 +53,18 @@ if("${WOLFBOOT_TARGET}" STREQUAL "stm32h7")
     set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32h7.ld)
 elseif("${WOLFBOOT_TARGET}" STREQUAL "stm32u5")
     set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32u5.ld)
+elseif("${WOLFBOOT_TARGET}" STREQUAL "stm32h5")
+    if(TZEN)
+        set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32h5-ns.ld)
+    else()
+        set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32h5.ld)
+    endif()
+elseif("${WOLFBOOT_TARGET}" STREQUAL "stm32l5")
+    if(TZEN)
+        set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32l5-ns.ld)
+    else()
+        set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32l5.ld)
+    endif()
 else()
     set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/${ARCH}.ld)
 endif()
@@ -110,15 +122,108 @@ if(BUILD_TEST_APPS)
 
     target_sources(image PRIVATE ${APP_SOURCES})
 
+    # stm32h5-specific sources
+    if("${WOLFBOOT_TARGET}" STREQUAL "stm32h5")
+        target_sources(image PRIVATE
+            ../hal/uart/uart_drv_stm32h5.c
+            ../src/keystore.c
+        )
+        target_compile_definitions(image PRIVATE
+            APP_HAS_SYSTICK
+            RAMFUNCTION=__attribute__\(\(used,section\(".ramcode"\),long_call\)\)
+        )
+        target_compile_options(image PRIVATE
+            -ffunction-sections -fdata-sections -fno-common -mlong-calls
+        )
+        if(TZEN)
+            target_sources(image PRIVATE
+                wcs/wolfcrypt_secure.c
+            )
+            if(WOLFCRYPT_TZ)
+                target_sources(image PRIVATE
+                    ../lib/wolfssl/wolfcrypt/src/logging.c
+                    ../lib/wolfssl/wolfcrypt/test/test.c
+                    ../lib/wolfssl/wolfcrypt/benchmark/benchmark.c
+                )
+            endif()
+        endif()
+    endif()
+
+    # stm32l5-specific sources
+    if("${WOLFBOOT_TARGET}" STREQUAL "stm32l5")
+        target_sources(image PRIVATE
+            ../hal/uart/uart_drv_stm32l5.c
+        )
+        target_compile_options(image PRIVATE
+            -ffunction-sections -fdata-sections -fno-common
+        )
+    endif()
+
     target_include_directories(image PRIVATE
         ../
         ../include
         ${CMAKE_CURRENT_BINARY_DIR})
 
-    target_link_libraries(image wolfboot target)
+    if(TZEN)
+        target_include_directories(image PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/wcs)
+    endif()
+
+    if(WOLFCRYPT_TZ_PKCS11)
+        target_include_directories(image PRIVATE ../lib/wolfPKCS11)
+    endif()
+
+    # For TrustZone builds, avoid linking the bootloader lib (it defines NSC stubs).
+    if(TZEN AND WOLFCRYPT_TZ)
+        target_sources(image PRIVATE ../src/libwolfboot.c)
+        target_link_libraries(image PRIVATE wolfboothal target)
+    else()
+        target_link_libraries(image PRIVATE wolfboot wolfboothal public_key target)
+    endif()
+
+    # For TrustZone builds, the test app is a non-secure application
+    if(TZEN AND WOLFCRYPT_TZ)
+        list(APPEND TEST_APP_COMPILE_DEFINITIONS NONSECURE_APP WOLFBOOT_SECURE_CALLS)
+        add_dependencies(image wolfboot_${PLATFORM_NAME})
+        target_link_libraries(image PRIVATE ${CMAKE_BINARY_DIR}/wc_secure_calls.o)
+    endif()
+
+    if(WOLFCRYPT_TZ_PKCS11)
+        list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11)
+        target_sources(image PRIVATE
+            wcs/pkcs11_stub.c
+            wcs/pkcs11_test_ecc.c
+            ../lib/wolfssl/wolfcrypt/src/ecc.c
+            ../lib/wolfssl/wolfcrypt/src/rsa.c
+            ../lib/wolfssl/wolfcrypt/src/asn.c
+            ../lib/wolfssl/wolfcrypt/src/aes.c
+            ../lib/wolfssl/wolfcrypt/src/hmac.c
+            ../lib/wolfssl/wolfcrypt/src/pwdbased.c
+            ../lib/wolfssl/wolfcrypt/src/hash.c
+            ../lib/wolfssl/wolfcrypt/src/sha256.c
+            ../lib/wolfssl/wolfcrypt/src/sha512.c
+            ../lib/wolfssl/wolfcrypt/src/sha3.c
+            ../lib/wolfssl/wolfcrypt/src/integer.c
+            ../lib/wolfssl/wolfcrypt/src/tfm.c
+            ../lib/wolfssl/wolfcrypt/src/sp_c32.c
+            ../lib/wolfssl/wolfcrypt/src/sp_int.c
+            ../lib/wolfssl/wolfcrypt/src/cryptocb.c
+            ../lib/wolfssl/wolfcrypt/src/wc_pkcs11.c
+            ../lib/wolfssl/wolfcrypt/src/memory.c
+            ../lib/wolfssl/wolfcrypt/src/wolfmath.c
+            ../lib/wolfssl/wolfcrypt/src/dh.c
+            ../lib/wolfssl/wolfcrypt/src/random.c
+            ../lib/wolfssl/wolfcrypt/src/coding.c
+            ../lib/wolfssl/wolfcrypt/src/wc_encrypt.c
+            ../lib/wolfssl/wolfcrypt/src/wc_port.c
+        )
+        if(SPMATH AND NOT NO_ASM)
+            list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFSSL_HAVE_SP_RSA WOLFSSL_HAVE_SP_ECC WOLFSSL_SP_ARM_CORTEX_M_ASM)
+            target_sources(image PRIVATE ../lib/wolfssl/wolfcrypt/src/sp_cortexm.c)
+        endif()
+    endif()
 
     target_compile_definitions(image PRIVATE TARGET_${WOLFBOOT_TARGET}
-                                                ${TEST_APP_COMPILE_DEFINITIONS} ${WOLFBOOT_DEFS})
+                                                ${TEST_APP_COMPILE_DEFINITIONS} ${WOLFBOOT_DEFS_PUBLIC})
 
     target_compile_options(image PRIVATE -Wall -Wstack-usage=1024 -ffreestanding -Wno-unused -fomit-frame-pointer
                                             -nostartfiles)