Merge pull request #655 from mattia-moffa/20251224-nrf5340-tz-fixes

dgarske · web-flow · commit e02d38bdb1e4 · 2025-12-26T07:48:00.000-08:00
Various small fixes for nrf5340 TrustZone PKCS11
diff --git a/docs/Targets.md b/docs/Targets.md
@@ -2867,11 +2867,14 @@ Tested with the Nordic nRF5340-DK. This device has two cores:
 1) Application core: Cortex-M33 at 128MHz, w/TrustZone, 1MB flash, 512KB RAM
 2) Network core: Cortex-M33 at 64MHz, 256KB Flash and 64KB RAM
 
-Three different configurations are available at `config/examples`:
+Four different configurations are available at `config/examples`:
 - `nrf5340.config`: for the app core; does not make use of TrustZone, i.e. it
   always runs in secure mode.
 - `nrf5340-tz.config`: for the app core; makes use of TrustZone, i.e. boots the
   application as non-secure code.
+- `nrf5340-wolfcrypt-tz.config`: for the app core; same as above, but also
+  includes a non-secure callable (NSC) wolfPKCS11 API to perform crypto
+  operations via wolfCrypt and access a secure keyvault provided by wolfBoot.
 - `nrf5340_net.config`: for the net core.
 
 The DK board has two virtual COM ports. Application core and Network core will each output to different VCOM ports.
diff --git a/hal/nrf5340.c b/hal/nrf5340.c
@@ -68,10 +68,11 @@
     #define USE_IPC_RECV  0
 #endif
 
-/* SHM: Shared Memory between network and application cores */
-/* first 64KB (0x10000) is used by wolfBoot and limited in nrf5340.ld */
+/* SHM: Shared Memory between network and application cores.
+ * Reserve most of single-cycle RAM for wolfBoot;
+ * use end of RAM (0x3F800 - 0x7FFFF) as shared memory */
 #ifndef SHARED_MEM_ADDR
-    #define SHARED_MEM_ADDR (0x20000000UL + (64 * 1024))
+    #define SHARED_MEM_ADDR 0x2003F800
 #endif
 
 /* Shared memory states (mask, easier to check) */
@@ -875,13 +876,21 @@ static void periph_unsecure()
 
     /* Unsecure RTC0 */
     SPU_PERIPHID_PERM(RTC0_PERIPHID) &= ~SPU_PERIPHID_PERM_SECATTR;
+
+    /* Unsecure QSPI */
+    SPU_PERIPHID_PERM(QSPI_PERIPHID) &= ~SPU_PERIPHID_PERM_SECATTR;
 }
 #endif
 
 void hal_prepare_boot(void)
 {
-    /* Write protect bootloader region of flash */
+    /* Write protect bootloader region of flash.
+     * Not needed in TrustZone configs because the application
+     * runs in non-secure mode and the bootloader partition is marked as
+     * secure. */
+#ifndef TZEN
     hal_flash_protect(WOLFBOOT_ORIGIN, BOOTLOADER_PARTITION_SIZE);
+#endif
 
     if (enableShm) {
     #ifdef TARGET_nrf5340_net
diff --git a/hal/nrf5340.h b/hal/nrf5340.h
@@ -371,6 +371,8 @@ void uart_write_sz(const char* c, unsigned int sz);
 
 /* QSPI */
 #ifdef TARGET_nrf5340_app
+    #define QSPI_PERIPHID 43
+
     #if TZ_SECURE()
         #define QSPI_BASE         (0x5002B000)
     #else
diff --git a/test-app/Makefile b/test-app/Makefile
@@ -306,7 +306,11 @@ ifeq ($(QSPI_FLASH),1)
   ifeq ($(ARCH),RENESAS_RX)
     APP_OBJS+=../hal/spi/spi_drv_renesas_rx.o
   else
-    APP_OBJS+=../hal/spi/spi_drv_$(SPI_TARGET).o
+    ifeq ($(TZEN),1)
+      APP_OBJS+=../hal/spi/spi_drv_$(SPI_TARGET)_ns.o
+    else
+      APP_OBJS+=../hal/spi/spi_drv_$(SPI_TARGET).o
+    endif
   endif
 endif
 
@@ -596,6 +600,9 @@ delta-extra-data: image.bin
 ../hal/$(TARGET)_ns.o: ../hal/$(TARGET).c FORCE
 	$(Q)$(CC) $(CFLAGS) -c -o $(@) ../hal/$(TARGET).c -DNONSECURE_APP
 
+../hal/spi/spi_drv_$(SPI_TARGET)_ns.o: ../hal/spi/spi_drv_$(SPI_TARGET).c FORCE
+	$(Q)$(CC) $(CFLAGS) -c -o $(@) ../hal/spi/spi_drv_$(SPI_TARGET).c -DNONSECURE_APP
+
 %.o:%.c
 	@echo "\t[CC-$(ARCH)] $@"
 	$(Q)$(CC) $(CFLAGS) -c $(OUTPUT_FLAG) $@ $^
