Skip to content

Commit c1887cd

Browse files
mattia-moffamattia-moffa
committed
Various STM32 TrustZone improvements
- New config flags for flash geometry - New script to automatically set option bytes - End of stack address fix for the STM32U5 test app - STM32U5 support for NUCLEO-U575ZI-Q (previously only supported discovery board)
1 parent 4e1c9f0 commit c1887cd

19 files changed

+251
-22
lines changed

Makefile

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -402,6 +402,10 @@ $(LSCRIPT): $(LSCRIPT_IN) FORCE
402402
sed -e "s/@ARCH_FLASH_OFFSET@/$(ARCH_FLASH_OFFSET)/g" | \
403403
sed -e "s/@BOOTLOADER_PARTITION_SIZE@/$(BOOTLOADER_PARTITION_SIZE)/g" | \
404404
sed -e "s/@WOLFBOOT_ORIGIN@/$(WOLFBOOT_ORIGIN)/g" | \
405+
sed -e "s/@WOLFBOOT_KEYVAULT_ADDRESS@/$(WOLFBOOT_KEYVAULT_ADDRESS)/g" | \
406+
sed -e "s/@WOLFBOOT_KEYVAULT_SIZE@/$(WOLFBOOT_KEYVAULT_SIZE)/g" | \
407+
sed -e "s/@WOLFBOOT_NSC_ADDRESS@/$(WOLFBOOT_NSC_ADDRESS)/g" | \
408+
sed -e "s/@WOLFBOOT_NSC_SIZE@/$(WOLFBOOT_NSC_SIZE)/g" | \
405409
sed -e "s/@WOLFBOOT_PARTITION_BOOT_ADDRESS@/$(WOLFBOOT_PARTITION_BOOT_ADDRESS)/g" | \
406410
sed -e "s/@WOLFBOOT_PARTITION_SIZE@/$(WOLFBOOT_PARTITION_SIZE)/g" | \
407411
sed -e "s/@WOLFBOOT_PARTITION_UPDATE_ADDRESS@/$(WOLFBOOT_PARTITION_UPDATE_ADDRESS)/g" | \
@@ -480,6 +484,8 @@ include/target.h: $(TARGET_H_TEMPLATE) FORCE
480484
$(Q)cat $(TARGET_H_TEMPLATE) | \
481485
sed -e "s/@WOLFBOOT_PARTITION_SIZE@/$(WOLFBOOT_PARTITION_SIZE)/g" | \
482486
sed -e "s/@WOLFBOOT_SECTOR_SIZE@/$(WOLFBOOT_SECTOR_SIZE)/g" | \
487+
sed -e "s/@WOLFBOOT_NSC_ADDRESS@/$(WOLFBOOT_NSC_ADDRESS)/g" | \
488+
sed -e "s/@WOLFBOOT_NSC_SIZE@/$(WOLFBOOT_NSC_SIZE)/g" | \
483489
sed -e "s/@WOLFBOOT_PARTITION_BOOT_ADDRESS@/$(WOLFBOOT_PARTITION_BOOT_ADDRESS)/g" | \
484490
sed -e "s/@WOLFBOOT_PARTITION_UPDATE_ADDRESS@/$(WOLFBOOT_PARTITION_UPDATE_ADDRESS)/g" | \
485491
sed -e "s/@WOLFBOOT_PARTITION_SWAP_ADDRESS@/$(WOLFBOOT_PARTITION_SWAP_ADDRESS)/g" | \

config/examples/stm32h5-tz-dualbank-otp-lms.config

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,10 @@ RAM_CODE?=1
2020
DUALBANK_SWAP?=1
2121
WOLFBOOT_PARTITION_SIZE?=0xA0000
2222
WOLFBOOT_SECTOR_SIZE?=0x2000
23+
WOLFBOOT_KEYVAULT_ADDRESS?=0x0C040000
24+
WOLFBOOT_KEYVAULT_SIZE?=0x1C000
25+
WOLFBOOT_NSC_ADDRESS?=0x0C05C000
26+
WOLFBOOT_NSC_SIZE?=0x4000
2327
WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08060000
2428
WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x0C160000
2529
WOLFBOOT_PARTITION_SWAP_ADDRESS?=0xFFFFFFFF

config/examples/stm32h5-tz-dualbank-otp.config

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,10 @@ RAM_CODE?=1
2020
DUALBANK_SWAP?=1
2121
WOLFBOOT_PARTITION_SIZE?=0xA0000
2222
WOLFBOOT_SECTOR_SIZE?=0x2000
23+
WOLFBOOT_KEYVAULT_ADDRESS?=0x0C040000
24+
WOLFBOOT_KEYVAULT_SIZE?=0x1C000
25+
WOLFBOOT_NSC_ADDRESS?=0x0C05C000
26+
WOLFBOOT_NSC_SIZE?=0x4000
2327
WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08060000
2428
WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x0C160000
2529
WOLFBOOT_PARTITION_SWAP_ADDRESS?=0xFFFFFFFF

config/examples/stm32h5-tz-dualbank.config

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,10 @@ RAM_CODE?=1
2020
DUALBANK_SWAP?=1
2121
WOLFBOOT_PARTITION_SIZE?=0xA0000
2222
WOLFBOOT_SECTOR_SIZE?=0x2000
23+
WOLFBOOT_KEYVAULT_ADDRESS?=0x0C040000
24+
WOLFBOOT_KEYVAULT_SIZE?=0x1C000
25+
WOLFBOOT_NSC_ADDRESS?=0x0C05C000
26+
WOLFBOOT_NSC_SIZE?=0x4000
2327
WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08060000
2428
WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x0C160000
2529
WOLFBOOT_PARTITION_SWAP_ADDRESS?=0xFFFFFFFF

config/examples/stm32h5-tz.config

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,10 @@ RAM_CODE?=1
2020
DUALBANK_SWAP?=0
2121
WOLFBOOT_PARTITION_SIZE?=0xA0000
2222
WOLFBOOT_SECTOR_SIZE?=0x2000
23+
WOLFBOOT_KEYVAULT_ADDRESS?=0x0C040000
24+
WOLFBOOT_KEYVAULT_SIZE?=0x1C000
25+
WOLFBOOT_NSC_ADDRESS?=0x0C05C000
26+
WOLFBOOT_NSC_SIZE?=0x4000
2327
WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08060000
2428
WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x0C100000
2529
WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x0C1A0000

config/examples/stm32l5-wolfcrypt-tz.config

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,10 @@ RAM_CODE?=0
2020
DUALBANK_SWAP?=0
2121
WOLFBOOT_PARTITION_SIZE?=0x1F800
2222
WOLFBOOT_SECTOR_SIZE?=0x800
23+
WOLFBOOT_KEYVAULT_ADDRESS?=0x0C020000
24+
WOLFBOOT_KEYVAULT_SIZE?=0x18000
25+
WOLFBOOT_NSC_ADDRESS?=0xC038000
26+
WOLFBOOT_NSC_SIZE?=0x8000
2327
WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08040000
2428
WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x805F800
2529
WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x0807F000

config/examples/stm32u5-wolfcrypt-tz.config

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,10 @@ RAM_CODE?=0
2020
DUALBANK_SWAP?=0
2121
WOLFBOOT_PARTITION_SIZE?=0x1F800
2222
WOLFBOOT_SECTOR_SIZE?=0x800
23+
WOLFBOOT_KEYVAULT_ADDRESS?=0x0C020000
24+
WOLFBOOT_KEYVAULT_SIZE?=0x18000
25+
WOLFBOOT_NSC_ADDRESS?=0x0C038000
26+
WOLFBOOT_NSC_SIZE?=0x8000
2327
WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08040000
2428
WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x805F800
2529
WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x0807F000

config/examples/stm32u5.config

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,10 @@ RAM_CODE?=0
2222
DUALBANK_SWAP?=0
2323
WOLFBOOT_PARTITION_SIZE?=0x1F800
2424
WOLFBOOT_SECTOR_SIZE?=0x800
25+
WOLFBOOT_KEYVAULT_ADDRESS?=0x0C020000
26+
WOLFBOOT_KEYVAULT_SIZE?=0x18000
27+
WOLFBOOT_NSC_ADDRESS?=0x0C038000
28+
WOLFBOOT_NSC_SIZE?=0x8000
2529
WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08040000
2630
WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x805F800
2731
WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x0807F000

docs/STM32-TZ.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,17 @@ image header size must be supplied as an environment variable. For example:
5555
IMAGE_HEADER_SIZE=1024 ./tools/keytools/sign --sha256 --ecc256 myapp.bin wolfboot_signing_private_key.der 1
5656
```
5757

58+
### Setting option bytes automatically
59+
60+
In order to use wolfBoot with an STM32 device, the device's option bytes need
61+
to be consistent with wolfBoot's configuration. The script at
62+
[tools/scripts/set-stm32-tz-option-bytes.sh](tools/scripts/set-stm32-tz-option-bytes.sh)
63+
will attempt to read the wolfBoot `.config` file and automatically calculate
64+
and set your device's TrustZone-related option bytes according to it, using
65+
`STM32_Programmer_CLI`, which is part of the
66+
[STM32CubeProg](https://www.st.com/en/development-tools/stm32cubeprog.html)
67+
tool.
68+
5869
### NSC API
5970

6071
wolfBoot provides a few Non-Secure Callable functions to allow a non-secure

hal/stm32_tz.c

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,7 @@
3737

3838
#include "image.h"
3939
#include "hal.h"
40+
#include "target.h"
4041
#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) && (!defined(FLAGS_HOME) || !defined(DISABLE_BACKUP))
4142

4243

@@ -297,7 +298,8 @@ void hal_tz_sau_init(void)
297298
/* SAU is set up before staging. Set up all areas as secure. */
298299

299300
/* Non-secure callable: NSC functions area */
300-
sau_init_region(0, 0x0C040000, 0x0C05FFFF, 1);
301+
sau_init_region(0, WOLFBOOT_NSC_ADDRESS,
302+
WOLFBOOT_NSC_ADDRESS + WOLFBOOT_NSC_SIZE - 1, 1);
301303

302304
/* Secure: application flash area (first bank) */
303305
sau_init_region(1, WOLFBOOT_PARTITION_BOOT_ADDRESS, FLASH_BANK2_BASE - 1, 0);
@@ -331,10 +333,11 @@ void hal_tz_sau_init(void)
331333
void hal_tz_sau_init(void)
332334
{
333335
/* Non-secure callable: NSC functions area */
334-
sau_init_region(0, 0x0C038000, 0x0C040000, 1);
336+
sau_init_region(0, WOLFBOOT_NSC_ADDRESS,
337+
WOLFBOOT_NSC_ADDRESS + WOLFBOOT_NSC_SIZE - 1, 1);
335338

336339
/* Non-secure: application flash area */
337-
sau_init_region(1, 0x08040000, 0x0807FFFF, 0);
340+
sau_init_region(1, WOLFBOOT_PARTITION_BOOT_ADDRESS, WOLFBOOT_PARTITION_BOOT_ADDRESS + 2 * WOLFBOOT_PARTITION_SIZE - 1, 0);
338341

339342
/* Non-secure RAM region in SRAM1/SRAM2 */
340343
sau_init_region(2, 0x20020000, 0x2003FFFF, 0);

0 commit comments

Comments
 (0)