wolfSSL
diff --git a/‎.github/workflows/test-configs.yml‎
Lines changed: 7 additions & 0 deletions b/‎.github/workflows/test-configs.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎CMakeLists.txt‎
Lines changed: 8 additions & 4 deletions b/‎CMakeLists.txt‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎Makefile‎
Lines changed: 1 addition & 1 deletion b/‎Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎arch.mk‎
Lines changed: 1 addition & 1 deletion b/‎arch.mk‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmake/wolfboot.cmake‎
Lines changed: 2 additions & 2 deletions b/‎cmake/wolfboot.cmake‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎config/examples/mcxn-tz.config‎
Lines changed: 16 additions & 17 deletions b/‎config/examples/mcxn-tz.config‎
Lines changed: 16 additions & 17 deletions
diff --git a/‎config/examples/mcxn-wolfcrypt-tz.config‎
Lines changed: 56 additions & 0 deletions b/‎config/examples/mcxn-wolfcrypt-tz.config‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎docs/API.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/API.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/Targets.md‎
Lines changed: 8 additions & 1 deletion b/‎docs/Targets.md‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎hal/mcxn.c‎
Lines changed: 59 additions & 5 deletions b/‎hal/mcxn.c‎
Lines changed: 59 additions & 5 deletions
@@ -260,6 +260,13 @@ jobs:
       config-file: ./config/examples/mcxn-tz.config
       board-name: frdmmcxn947
 
+  nxp_mcxn_wolfcrypt_tz_test:
+    uses: ./.github/workflows/test-build-mcux-sdk-manifests.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/mcxn-wolfcrypt-tz.config
+      board-name: frdmmcxn947
+
   nxp_s32k142_test:
     uses: ./.github/workflows/test-build.yml
     with:
 
@@ -668,7 +668,11 @@ if(ARCH STREQUAL "ARM")
     endif()
     if(${WOLFBOOT_TARGET} STREQUAL "stm32u5")
         set(ARCH_FLASH_OFFSET 0x08000000)
-        set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET})
+        if(TZEN)
+            set(WOLFBOOT_ORIGIN 0x0C000000)
+        else()
+            set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET})
+        endif()
     endif()
 
     if(${WOLFBOOT_TARGET} STREQUAL "stm32h5")
@@ -696,14 +700,14 @@ if(ARCH STREQUAL "ARM")
             list(APPEND WOLFBOOT_COMPILE_OPTIONS -mcmse)
             list(APPEND WOLFBOOT_LINK_OPTIONS -mcmse)
         endif()
+        list(APPEND WOLFBOOT_LINK_OPTIONS
+            -Wl,--cmse-implib
+            -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wolfboot_tz_nsc.o)
 
         # wolfCrypt TrustZone secure mode
         if(WOLFCRYPT_TZ)
             list(APPEND WOLFBOOT_DEFS WOLFCRYPT_SECURE_MODE)
             list(APPEND WOLFBOOT_SOURCES src/wc_callable.c)
-            list(APPEND WOLFBOOT_LINK_OPTIONS
-                -Wl,--cmse-implib
-                -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wc_secure_calls.o)
 
             # PKCS11 TrustZone interface
             if(WOLFCRYPT_TZ_PKCS11)
 
@@ -562,7 +562,7 @@ keys: $(PRIVATE_KEY)
 
 clean:
 	$(Q)rm -f src/*.o hal/*.o hal/spi/*.o test-app/*.o src/x86/*.o
-	$(Q)rm -f src/wc_secure_calls.o
+	$(Q)rm -f src/wolfboot_tz_nsc.o
 	$(Q)rm -f $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/*.o $(WOLFBOOT_LIB_WOLFTPM)/src/*.o $(WOLFBOOT_LIB_WOLFTPM)/hal/*.o $(WOLFBOOT_LIB_WOLFTPM)/examples/pcr/*.o
 	$(Q)rm -f $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/Renesas/*.o
 	$(Q)rm -f wolfboot.bin wolfboot.elf wolfboot.map test-update.rom wolfboot.hex wolfboot.srec factory.srec
 
@@ -360,13 +360,13 @@ else
         OBJS+=hal/stm32_tz.o
       endif
       CFLAGS+=-mcmse
+      SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wolfboot_tz_nsc.o
       ifeq ($(WOLFCRYPT_TZ),1)
         CORTEXM_ARM_EXTRA_OBJS=
         CORTEXM_ARM_EXTRA_CFLAGS=
         SECURE_OBJS+=./src/wc_callable.o
         WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o
         CFLAGS+=-DWOLFCRYPT_SECURE_MODE
-        SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wc_secure_calls.o
       endif
     endif # TZEN=1
       ifeq ($(SPMATH),1)
 
@@ -52,8 +52,8 @@ function(gen_wolfboot_platform_target PLATFORM_NAME LINKER_SCRIPT_TARGET)
                           ${LINKER_SCRIPT_TARGET})
 
     # TrustZone import library (generated by the linker via --out-implib)
-    if(TZEN AND WOLFCRYPT_TZ)
-        set(_wcs_implib "${CMAKE_BINARY_DIR}/wc_secure_calls.o")
+    if(TZEN)
+        set(_wcs_implib "${CMAKE_BINARY_DIR}/wolfboot_tz_nsc.o")
         add_custom_command(TARGET wolfboot_${PLATFORM_NAME} POST_BUILD
             BYPRODUCTS "${_wcs_implib}"
             COMMAND ${CMAKE_COMMAND} -E true
 
@@ -10,7 +10,7 @@ MCUXPRESSO_CPU?=MCXN947VDF_cm33_core0
 MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/MCX/MCXN/MCXN947
 MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/frdmmcxn947/project_template
 DEBUG?=0
-DEBUG_UART?=0
+DEBUG_UART?=1
 VTOR?=1
 CORTEX_M0?=0
 CORTEX_M33?=1
@@ -27,29 +27,28 @@ SPMATH?=1
 RAM_CODE?=1
 DUALBANK_SWAP?=0
 PKA?=1
-WOLFCRYPT_TZ?=1
 
 # 8KB sectors
 WOLFBOOT_SECTOR_SIZE?=0x2000
 
 # Default configuration
-# 64KB boot, 80KB keyvault, 8KB NSC, 60KB partitions, 8KB swap
-WOLFBOOT_KEYVAULT_ADDRESS?=0x12000
-WOLFBOOT_KEYVAULT_SIZE?=0x14000
-WOLFBOOT_NSC_ADDRESS?=0x26000
+# 40KB boot, no keyvault, 8KB NSC, 64KB partitions, 8KB swap
+WOLFBOOT_KEYVAULT_ADDRESS?=0xA000
+WOLFBOOT_KEYVAULT_SIZE?=0
+WOLFBOOT_NSC_ADDRESS?=0xA000
 WOLFBOOT_NSC_SIZE?=0x2000
-WOLFBOOT_PARTITION_SIZE?=0xE000
-WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x28000
-WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x36000
-WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x44000
+WOLFBOOT_PARTITION_SIZE?=0x10000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0xC000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x1C000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x2C000
 
 # Alternate larger configuration for debugging or ARMASM
-# 128KB boot, 80KB keyvault, 8KB NSC, 60KB partitions, 8KB swap
+# 128KB boot, no keyvault, 8KB NSC, 64KB partitions, 8KB swap
 #WOLFBOOT_KEYVAULT_ADDRESS?=0x20000
-#WOLFBOOT_KEYVAULT_SIZE?=0x14000
-#WOLFBOOT_NSC_ADDRESS?=0x34000
+#WOLFBOOT_KEYVAULT_SIZE?=0
+#WOLFBOOT_NSC_ADDRESS?=0x20000
 #WOLFBOOT_NSC_SIZE?=0x2000
-#WOLFBOOT_PARTITION_SIZE?=0xE000
-#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x36000
-#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x45000
-#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x54000
+#WOLFBOOT_PARTITION_SIZE?=0x10000
+#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x22000
+#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x32000
+#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x42000
@@ -0,0 +1,56 @@
+ARCH?=ARM
+TZEN?=1
+TARGET?=mcxn
+SIGN?=ECC384
+HASH?=SHA384
+MCUXSDK?=1
+MCUXPRESSO?=$(PWD)/../NXP/mcuxpresso-sdk/mcuxsdk
+MCUXPRESSO_CMSIS?=$(PWD)/../NXP/CMSIS_5/CMSIS
+MCUXPRESSO_CPU?=MCXN947VDF_cm33_core0
+MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/MCX/MCXN/MCXN947
+MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/frdmmcxn947/project_template
+DEBUG?=0
+DEBUG_UART?=1
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+NO_ARM_ASM=1
+WOLFBOOT_VERSION?=0
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+DUALBANK_SWAP?=0
+PKA?=1
+WOLFCRYPT_TZ?=1
+WOLFCRYPT_TZ_PKCS11?=1
+
+# 8KB sectors
+WOLFBOOT_SECTOR_SIZE?=0x2000
+
+# Default configuration
+# 192KB boot, 96KB keyvault, 8KB NSC, 64KB partitions, 8KB swap
+WOLFBOOT_KEYVAULT_ADDRESS?=0x30000
+WOLFBOOT_KEYVAULT_SIZE?=0x18000
+WOLFBOOT_NSC_ADDRESS?=0x48000
+WOLFBOOT_NSC_SIZE?=0x2000
+WOLFBOOT_PARTITION_SIZE?=0x10000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x4A000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x5A000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x6A000
+
+# Alternate larger configuration for debugging or ARMASM
+# 320KB boot, 96KB keyvault, 8KB NSC, 64KB partitions, 8KB swap
+#WOLFBOOT_KEYVAULT_ADDRESS?=0x50000
+#WOLFBOOT_KEYVAULT_SIZE?=0x18000
+#WOLFBOOT_NSC_ADDRESS?=0x68000
+#WOLFBOOT_NSC_SIZE?=0x2000
+#WOLFBOOT_PARTITION_SIZE?=0x10000
+#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x6A000
+#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x7A000
+#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x8A000
@@ -78,6 +78,8 @@ secure domain. For this purpose, wolfBoot provides Non-Secure Callable (NSC)
 APIs that allow code running in the non-secure domain to call into the secure
 domain managed by wolfBoot.
 
+When `TZEN=1` is enabled, these APIs are available to non-secure applications.
+
 These APIs are listed below.
 
 - `void wolfBoot_nsc_success(void)`: wrapper for `wolfBoot_success()`
 
@@ -4349,7 +4349,14 @@ cp config/examples/mcxn.config .config`
 make
 ```
 
-We also provide a TrustZone configuration at `config/examples/mcxn-tz.config`.
+We provide three configuration files:
+- `mcxn.config`: basic configuration file; both wolfBoot and your application
+  run in secure world.
+- `mcxn-tz.config`: wolfBoot runs in secure world, your application runs in
+  non-secure world.
+- `mcxn-wolfcrypt-tz.config`: same as above, but also includes a non-secure
+  callable (NSC) wolfPKCS11 API to perform crypto operations via wolfCrypt and
+  access a secure keyvault provided by wolfBoot.
 
 ### MCX N: Loading the firmware
 
 
@@ -40,6 +40,11 @@
 #include "hal/armv8m_tz.h"
 #endif
 
+#ifdef WOLFCRYPT_SECURE_MODE
+void hal_trng_init(void);
+int hal_trng_get_entropy(unsigned char *out, unsigned int len);
+#endif
+
 static flash_config_t pflash;
 static uint32_t pflash_sector_size = WOLFBOOT_SECTOR_SIZE;
 uint32_t SystemCoreClock;
@@ -104,6 +109,7 @@ void hal_init(void)
 #if defined(TZEN) && !defined(NONSECURE_APP)
     hal_sau_init();
 #endif
+
 }
 
 #ifdef __WOLFBOOT
@@ -207,21 +213,69 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
 }
 
 #ifdef WOLFCRYPT_SECURE_MODE
-/* These functions are stubs for now, because the MCUXpresso SDK doesn't
- * implement drivers for the MCXN's TRNG. */
+#define ELS_CMD_RND_REQ 24U
+
 void hal_trng_init(void)
 {
+    /* Enable ELS and wait for it to be ready */
+    ELS->ELS_CTRL = S50_ELS_CTRL_ELS_EN(1);
+    while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK)
+        ;
 }
 
 void hal_trng_fini(void)
 {
+    /* Don't disable ELS, it might be used by other actors */
+}
+
+static int els_rnd_req(void *out, uint32_t len)
+{
+    while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK)
+        ;
+    ELS->ELS_DMA_RES0 = (uint32_t)(uintptr_t)out;
+    ELS->ELS_DMA_RES0_LEN = len;
+    ELS->ELS_CMDCFG0 = 0;
+    ELS->ELS_CTRL = S50_ELS_CTRL_ELS_EN(1)
+                   | S50_ELS_CTRL_ELS_START(1)
+                   | S50_ELS_CTRL_ELS_CMD(ELS_CMD_RND_REQ);
+    while (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_BUSY_MASK)
+        ;
+    return (ELS->ELS_STATUS & S50_ELS_STATUS_ELS_ERR_MASK) ? -1 : 0;
 }
 
 int hal_trng_get_entropy(unsigned char *out, unsigned int len)
 {
-    (void)out;
-    (void)len;
-    return -1;
+    uint32_t tmp;
+
+    /* Handle unaligned head (up to 3 bytes) via temporary word */
+    if ((uintptr_t)out & 3U) {
+        uint32_t head = 4U - ((uintptr_t)out & 3U);
+        if (head > len)
+            head = len;
+        if (els_rnd_req(&tmp, 4) != 0)
+            return -1;
+        memcpy(out, &tmp, head);
+        out += head;
+        len -= head;
+    }
+
+    /* Bulk aligned portion in one request */
+    if (len >= 4) {
+        uint32_t aligned_len = len & ~3U;
+        if (els_rnd_req(out, aligned_len) != 0)
+            return -1;
+        out += aligned_len;
+        len -= aligned_len;
+    }
+
+    /* Handle remaining tail bytes (1-3) via temporary word */
+    if (len > 0) {
+        if (els_rnd_req(&tmp, 4) != 0)
+            return -1;
+        memcpy(out, &tmp, len);
+    }
+
+    return 0;
 }
 #endif