Skip to content

NXP MCXN non-TrustZone + TrustZone port#671

Merged
dgarske merged 10 commits intowolfSSL:masterfrom
mattia-moffa:20260107-mcxn
Jan 26, 2026
Merged

NXP MCXN non-TrustZone + TrustZone port#671
dgarske merged 10 commits intowolfSSL:masterfrom
mattia-moffa:20260107-mcxn

Conversation

@mattia-moffa
Copy link
Copy Markdown
Contributor

@mattia-moffa mattia-moffa commented Jan 22, 2026

Tested on FRDM-MCXN947. This port uses the newer version of the MCUXpresso SDK (https://github.com/nxp-mcuxpresso/mcuxsdk-manifests).

@mattia-moffa mattia-moffa self-assigned this Jan 22, 2026
@mattia-moffa mattia-moffa changed the title MCXN non-TrustZone + TrustZone port NXP MCXN non-TrustZone + TrustZone port Jan 22, 2026
dgarske
dgarske approved these changes Jan 23, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks great! I'll give it a test drive on the MCX-N shortly.

@dgarske dgarske self-assigned this Jan 23, 2026
dgarske
dgarske requested changes Jan 23, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All testing without TrustZone works great.

Partition 1 header magic 0xFFFFFFFF invalid at 0x15000
Boot partition: 0xA000 (sz 20076, ver 0x2, type 0x601)
Partition 1 header magic 0xFFFFFFFF invalid at 0x15000
Starting Update (fallback allowed 0)
Partition 1 header magic 0xFFFFFFFF invalid at 0x15000
Boot partition: 0xA000 (sz 20076, ver 0x2, type 0x601)
Booting version: 0x2
Hello from firmware version 2

I got stuck trying to enable TrustZone. I think the MCU Configurator tool can do it and setup the memory partitions, but I don't see this documented in your PR?

Image

@dgarske dgarske assigned mattia-moffa and unassigned dgarske Jan 23, 2026
@mattia-moffa
Copy link
Copy Markdown
Contributor Author

mattia-moffa commented Jan 24, 2026
edited
Loading

The MCX-N doesn't need a hardware-level trustzone configuration like STM32. At reset the CPU always runs in secure mode and lets you setup secure/non-secure regions at runtime, then jump into non-secure code via the BXNS/BLXNS instructions.

The difference between mcxn.config and mcxn-tz.config is that the second one runs the app as non-secure code.

The MCU Configurator tool is more like a code generator that sets up the trustzone configuration code, it's not needed in wolfBoot (at least for now, maybe we could support it in the future).

@mattia-moffa mattia-moffa assigned dgarske and unassigned mattia-moffa Jan 24, 2026
danielinux
danielinux approved these changes Jan 26, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@danielinux danielinux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test OK in emulator

@dgarske dgarske merged commit 810be2d into wolfSSL:master Jan 26, 2026
310 of 311 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danielinux danielinux danielinux approved these changes

@dgarske dgarske dgarske approved these changes

Assignees

@dgarske dgarske

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mattia-moffa @danielinux @dgarske @wolfSSL-Bot