Add support for DICE attestation + PSA attestation

Author: danielinux

CMakeLists.txt

@@ -554,6 +554,7 @@ set(WOLFBOOT_SOURCES "include/loader.h"
                      "include/image.h"
                      "src/string.c"
                      "src/image.c"
+                     "src/dice/dice.c"
                      "src/loader.c")
 
 # build bin-assemble tool Windows

Makefile

@@ -34,6 +34,7 @@ OBJS:= \
 	./src/string.o \
 	./src/image.o \
 	./src/libwolfboot.o \
+	./src/dice/dice.o \
 	./hal/hal.o
 
 ifneq ($(TARGET),library)

docs/STM32-TZ.md

@@ -33,6 +33,15 @@ The `WOLFCRYPT_TZ_PSA` option provides a standard PSA Crypto interface using
 wolfPSA in the secure domain. The key storage uses the same secure flash
 keystore backend as PKCS11, exposed through the wolfPSA store API.
 
+### PSA Initial Attestation (DICE)
+
+When `WOLFBOOT_TZ_PSA=1` is enabled, wolfBoot exposes the PSA Initial
+Attestation API to non-secure applications. The attestation token is built
+using the DICE flow in `src/dice/` and returned as a COSE_Sign1 token.
+
+See [DICE Attestation](DICE.md) for the full protocol description, HAL hooks
+(UDS, UEID, lifecycle, implementation ID), and provisioned IAK support.
+
 ### Image header size
 
 The `IMAGE_HEADER_SIZE` option has to be carefully tuned to accommodate for the

docs/Targets.md

@@ -1379,6 +1379,10 @@ non-secure callables (NSC).
 
 The example configuration for this scenario is available in [/config/examples/stm32h5-tz.config](/config/examples/stm32h5-tz.config).
 
+When `WOLFBOOT_TZ_PSA=1` is enabled, the STM32H5 test application exercises PSA
+Crypto, PSA Protected Storage, and PSA Initial Attestation from the non-secure
+side. See [DICE Attestation](/docs/DICE.md) for details on the attestation flow
+and APIs.
 For more information, see [/docs/STM32-TZ.md](/docs/STM32-TZ.md).
 
 ### Scenario 3: DUALBANK mode

hal/hal.c

@@ -25,6 +25,7 @@
 #include "hal.h"
 #include "string.h"
 #include "printf.h"
+#include "wolfboot/wolfboot.h"
 
 /* Test for internal flash erase/write */
 /* Use TEST_EXT_FLASH to test ext flash (see spi_flash.c or qspi_flash.c) */
@@ -280,3 +281,37 @@ int hal_flash_test_dualbank(void)
 #endif /* DUALBANK_SWAP */
 
 #endif /* TEST_FLASH */
+
+WEAKFUNCTION int hal_uds_derive_key(uint8_t *out, size_t out_len)
+{
+    (void)out;
+    (void)out_len;
+    return -1;
+}
+
+WEAKFUNCTION int hal_attestation_get_lifecycle(uint32_t *lifecycle)
+{
+    (void)lifecycle;
+    return -1;
+}
+
+WEAKFUNCTION int hal_attestation_get_implementation_id(uint8_t *buf, size_t *len)
+{
+    (void)buf;
+    (void)len;
+    return -1;
+}
+
+WEAKFUNCTION int hal_attestation_get_ueid(uint8_t *buf, size_t *len)
+{
+    (void)buf;
+    (void)len;
+    return -1;
+}
+
+WEAKFUNCTION int hal_attestation_get_iak_private_key(uint8_t *buf, size_t *len)
+{
+    (void)buf;
+    (void)len;
+    return -1;
+}

hal/stm32h5.c

@@ -20,6 +20,7 @@
  */
 
 #include <stdint.h>
+#include <stddef.h>
 #include <image.h>
 #include <string.h>
 
@@ -29,6 +30,12 @@
 
 #include "uart_drv.h"
 
+#if defined(WOLFBOOT_HASH_SHA256)
+#include <wolfssl/wolfcrypt/sha256.h>
+#elif defined(WOLFBOOT_HASH_SHA384) || defined(WOLFBOOT_HASH_SHA3_384)
+#include <wolfssl/wolfcrypt/sha512.h>
+#endif
+
 #define PLL_SRC_HSE 1
 
 #if TZ_SECURE()
@@ -152,6 +159,69 @@ int RAMFUNCTION hal_flash_write(uint32_t address, const uint8_t *data, int len)
     return 0;
 }
 
+#define STM32H5_BSEC_BASE 0x46009000u
+#define STM32H5_BSEC_UID0 (*(volatile uint32_t *)(STM32H5_BSEC_BASE + 0x14))
+#define STM32H5_BSEC_UID1 (*(volatile uint32_t *)(STM32H5_BSEC_BASE + 0x18))
+#define STM32H5_BSEC_UID2 (*(volatile uint32_t *)(STM32H5_BSEC_BASE + 0x1C))
+
+int hal_uds_derive_key(uint8_t *out, size_t out_len)
+{
+    uint8_t uid[12];
+#if defined(WOLFBOOT_HASH_SHA256)
+    uint8_t digest[SHA256_DIGEST_SIZE];
+    wc_Sha256 hash;
+#else
+    uint8_t digest[SHA384_DIGEST_SIZE];
+    wc_Sha384 hash;
+#endif
+    size_t copy_len;
+
+    if (out == NULL || out_len == 0) {
+        return -1;
+    }
+
+    uid[0] = (uint8_t)(STM32H5_BSEC_UID0 >> 0);
+    uid[1] = (uint8_t)(STM32H5_BSEC_UID0 >> 8);
+    uid[2] = (uint8_t)(STM32H5_BSEC_UID0 >> 16);
+    uid[3] = (uint8_t)(STM32H5_BSEC_UID0 >> 24);
+    uid[4] = (uint8_t)(STM32H5_BSEC_UID1 >> 0);
+    uid[5] = (uint8_t)(STM32H5_BSEC_UID1 >> 8);
+    uid[6] = (uint8_t)(STM32H5_BSEC_UID1 >> 16);
+    uid[7] = (uint8_t)(STM32H5_BSEC_UID1 >> 24);
+    uid[8] = (uint8_t)(STM32H5_BSEC_UID2 >> 0);
+    uid[9] = (uint8_t)(STM32H5_BSEC_UID2 >> 8);
+    uid[10] = (uint8_t)(STM32H5_BSEC_UID2 >> 16);
+    uid[11] = (uint8_t)(STM32H5_BSEC_UID2 >> 24);
+
+#if defined(WOLFBOOT_HASH_SHA256)
+    wc_InitSha256(&hash);
+    wc_Sha256Update(&hash, uid, sizeof(uid));
+    wc_Sha256Final(&hash, digest);
+    copy_len = sizeof(digest);
+#else
+    wc_InitSha384(&hash);
+    wc_Sha384Update(&hash, uid, sizeof(uid));
+    wc_Sha384Final(&hash, digest);
+    copy_len = sizeof(digest);
+#endif
+
+    if (copy_len > out_len) {
+        copy_len = out_len;
+    }
+    memcpy(out, digest, copy_len);
+    return 0;
+}
+
+int hal_attestation_get_lifecycle(uint32_t *lifecycle)
+{
+    if (lifecycle == NULL) {
+        return -1;
+    }
+
+    *lifecycle = 0x3000u; /* PSA_LIFECYCLE_SECURED (default) */
+    return 0;
+}
+
 void RAMFUNCTION hal_flash_unlock(void)
 {
     hal_flash_wait_complete(0);

hal/stm32l5.c

@@ -20,9 +20,16 @@
  */
 
 #include <stdint.h>
+#include <stddef.h>
 #include <image.h>
 #include <string.h>
 
+#if defined(WOLFBOOT_HASH_SHA256)
+#include <wolfssl/wolfcrypt/sha256.h>
+#elif defined(WOLFBOOT_HASH_SHA384) || defined(WOLFBOOT_HASH_SHA3_384)
+#include <wolfssl/wolfcrypt/sha512.h>
+#endif
+
 #include "hal.h"
 #include "hal/stm32l5.h"
 
@@ -103,6 +110,69 @@ int RAMFUNCTION hal_flash_write(uint32_t address, const uint8_t *data, int len)
     return 0;
 }
 
+#define STM32L5_UID_BASE 0x1FFF7590u
+#define STM32L5_UID0 (*(volatile uint32_t *)(STM32L5_UID_BASE + 0x0))
+#define STM32L5_UID1 (*(volatile uint32_t *)(STM32L5_UID_BASE + 0x4))
+#define STM32L5_UID2 (*(volatile uint32_t *)(STM32L5_UID_BASE + 0x8))
+
+int hal_uds_derive_key(uint8_t *out, size_t out_len)
+{
+    uint8_t uid[12];
+#if defined(WOLFBOOT_HASH_SHA256)
+    uint8_t digest[SHA256_DIGEST_SIZE];
+    wc_Sha256 hash;
+#else
+    uint8_t digest[SHA384_DIGEST_SIZE];
+    wc_Sha384 hash;
+#endif
+    size_t copy_len;
+
+    if (out == NULL || out_len == 0) {
+        return -1;
+    }
+
+    uid[0] = (uint8_t)(STM32L5_UID0 >> 0);
+    uid[1] = (uint8_t)(STM32L5_UID0 >> 8);
+    uid[2] = (uint8_t)(STM32L5_UID0 >> 16);
+    uid[3] = (uint8_t)(STM32L5_UID0 >> 24);
+    uid[4] = (uint8_t)(STM32L5_UID1 >> 0);
+    uid[5] = (uint8_t)(STM32L5_UID1 >> 8);
+    uid[6] = (uint8_t)(STM32L5_UID1 >> 16);
+    uid[7] = (uint8_t)(STM32L5_UID1 >> 24);
+    uid[8] = (uint8_t)(STM32L5_UID2 >> 0);
+    uid[9] = (uint8_t)(STM32L5_UID2 >> 8);
+    uid[10] = (uint8_t)(STM32L5_UID2 >> 16);
+    uid[11] = (uint8_t)(STM32L5_UID2 >> 24);
+
+#if defined(WOLFBOOT_HASH_SHA256)
+    wc_InitSha256(&hash);
+    wc_Sha256Update(&hash, uid, sizeof(uid));
+    wc_Sha256Final(&hash, digest);
+    copy_len = sizeof(digest);
+#else
+    wc_InitSha384(&hash);
+    wc_Sha384Update(&hash, uid, sizeof(uid));
+    wc_Sha384Final(&hash, digest);
+    copy_len = sizeof(digest);
+#endif
+
+    if (copy_len > out_len) {
+        copy_len = out_len;
+    }
+    memcpy(out, digest, copy_len);
+    return 0;
+}
+
+int hal_attestation_get_lifecycle(uint32_t *lifecycle)
+{
+    if (lifecycle == NULL) {
+        return -1;
+    }
+
+    *lifecycle = 0x3000u; /* PSA_LIFECYCLE_SECURED (default) */
+    return 0;
+}
+
 void RAMFUNCTION hal_flash_unlock(void)
 {
     hal_flash_wait_complete(0);
@@ -412,4 +482,3 @@ void hal_prepare_boot(void)
     periph_unsecure();
 #endif
 }
-

include/hal.h

@@ -29,6 +29,7 @@ extern "C" {
 #endif
 
 #include "target.h"
+#include <stddef.h>
 #include <stdint.h>
 
 /* Architecture specific calls */
@@ -137,6 +138,13 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
 
 #endif
 
+/* Attestation helpers (optional, weak stubs available). */
+int hal_uds_derive_key(uint8_t *out, size_t out_len);
+int hal_attestation_get_lifecycle(uint32_t *lifecycle);
+int hal_attestation_get_implementation_id(uint8_t *buf, size_t *len);
+int hal_attestation_get_ueid(uint8_t *buf, size_t *len);
+int hal_attestation_get_iak_private_key(uint8_t *buf, size_t *len);
+
 #ifdef FLASH_OTP_KEYSTORE
 
 int hal_flash_otp_write(uint32_t flashAddress, const void* data, uint16_t length);

include/wolfboot/dice.h

@@ -0,0 +1,32 @@
+/* dice.h
+ *
+ * DICE helpers and PSA attestation token builder.
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ */
+
+#ifndef WOLFBOOT_DICE_H
+#define WOLFBOOT_DICE_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int wolfBoot_dice_get_token(const uint8_t *challenge,
+                            size_t challenge_size,
+                            uint8_t *token_buf,
+                            size_t token_buf_size,
+                            size_t *token_size);
+
+int wolfBoot_dice_get_token_size(size_t challenge_size, size_t *token_size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFBOOT_DICE_H */

options.mk

@@ -31,6 +31,10 @@ ifeq ($(WOLFBOOT_TPM_KEYSTORE),1)
   endif
 endif
 
+ifeq ($(WOLFBOOT_ATTESTATION_IAK),1)
+  CFLAGS+=-D"WOLFBOOT_ATTESTATION_IAK"
+endif
+
 ## Sealing a secret into the TPM
 ifeq ($(WOLFBOOT_TPM_SEAL),1)
   WOLFTPM:=1
@@ -744,6 +748,8 @@ ifeq ($(WOLFCRYPT_TZ_PSA),1)
   WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/pwdbased.o
   WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/hmac.o
   WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/dh.o
+  WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/chacha.o
+  WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/des3.o
   ifeq ($(findstring random.o,$(WOLFCRYPT_OBJS)),)
     WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o
   endif