Added support for fTPM in TrustZone + STM32H5 test app #756
danielinux wants to merge 1 commit into wolfSSL:master
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds TrustZone-backed fTPM (wolfTPM FWTPM) support plus an STM32H5 TrustZone emulator test path to exercise PCR extend + seal/unseal via an NSC interface.
Changes:
- Introduces WOLFCRYPT_TZ_FTPM configuration, build wiring, and example config for STM32H5 TrustZone fTPM.
- Adds secure-side fTPM callable implementation and non-secure-side TIS/IO callback stub to route commands through NSC.
- Extends the STM32H5 test app and GitHub Actions workflow to run fTPM PCR + sealing tests.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tools/config.mk | Adds WOLFCRYPT_TZ_FTPM to config variable list/defaults. |
| options.mk | Adds build flags, object selection, and mutual exclusion rules for WOLFCRYPT_TZ_FTPM. |
| src/ftpm_callable.c | Implements secure-side FWTPM init + NSC transmit entrypoint. |
| include/wolfboot/wcs_ftpm.h | Declares fTPM NSC API and init hook. |
| src/wc_callable.c | Hooks wcs_ftpm_init() into secure init path when enabled. |
| test-app/wcs/ftpm_stub.c | Adds non-secure TIS I/O callback stub that routes to NSC transmit. |
| test-app/app_stm32h5.c | Adds ftpm command + automated test flow for STM32H5 when fTPM enabled. |
| test-app/Makefile | Adds wolfTPM build integration for test app + fTPM-specific flags/objects. |
| test-app/wcs/user_settings.h | Enables relevant secure random path for fTPM builds. |
| include/user_settings.h | Adjusts TPM vs fTPM conditional compilation + enables missing crypto for fTPM. |
| src/loader.c | Avoids initializing discrete TPM path when fTPM is enabled. |
| config/examples/stm32h5-tz-ftpm.config | New example config for STM32H5 TrustZone fTPM. |
| .github/workflows/trustzone-emulator-tests.yml | Adds CI job to run STM32H5 TrustZone emulator fTPM tests. |
| Makefile | Extends clean target to remove FWTPM object directory artifacts. |
| lib/wolfTPM | Bumps wolfTPM submodule revision. |
| rspLen = (int)*rspSz; | ||
| int rc = FWTPM_ProcessCommand(&ftpm_ctx, cmd, (int)cmdSz, rsp, &rspLen, 0); | ||
| if (rc >= 0) { | ||
| uint32_t wireSz = ftpm_rsp_size(rsp, rspLen); | ||
| if (wireSz > 0U && wireSz <= *rspSz) { | ||
| *rspSz = wireSz; | ||
| rc = TPM_RC_SUCCESS; | ||
| } | ||
| else if (rspLen >= 0) { | ||
| *rspSz = (uint32_t)rspLen; | ||
| } | ||
| } | ||
| return rc; |
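Review bot: In the else if (rspLen >= 0) branch, a response that failed the wireSz check (wireSz is 0 or larger than *rspSz) is still returned with rc unchanged, so when rc is 0 the caller sees success with a length taken from rspLen instead of the size ftpm_rsp_size() computed. Consider returning an error from that branch, and setting *rspSz to 0 on every failure path (including rc < 0, where *rspSz is currently left untouched) so the non-secure caller cannot treat stale buffer contents as a response.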
FWTPM_ProcessCommand() success/failure handling looks inconsistent with the rest of this file (e.g., FWTPM_Init() treats rc == 0 as success). With the current if (rc >= 0) branch, any positive non-zero return code can be incorrectly treated as success and potentially overwritten to TPM_RC_SUCCESS, masking failures. Suggestion (mandatory): align this logic with the FWTPM API contract—typically only treat rc == 0 as success and return a proper TPM error code otherwise; avoid unconditionally mapping non-zero rc to success.
| static uint32_t ftpm_reg_offset(uint32_t addr) | ||
| { | ||
| return (addr - FTPM_TIS_BASE) & 0x0FFFU; | ||
| } |
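Review bot: The subtraction in ftpm_reg_offset() is unsigned, so an addr below FTPM_TIS_BASE wraps to a large value and the & 0x0FFFU mask then turns it into an offset that looks valid. Because the function returns a bare uint32_t it also has no way to report a bad address; consider a form that returns a status and writes the offset through an out-parameter, and add a comment stating the address window the stub is meant to accept.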
ftpm_reg_offset() masks the computed offset, which can cause out-of-range MMIO addresses (e.g., FTPM_TIS_BASE + 0x1000 and above) to wrap back into the valid 0x000–0xFFF range. That can lead to incorrect register behavior for invalid accesses. Suggestion (mandatory): validate that addr - FTPM_TIS_BASE is within the supported window (e.g., < 0x1000) and fail/return an error for out-of-range addresses rather than masking.
| int rspLen; | ||
|
|
||
| if (!ftpm_ready) { | ||
| return TPM_RC_INITIALIZE; | ||
| } | ||
| if (cmd == NULL || rsp == NULL || rspSz == NULL || cmdSz == 0U || | ||
| cmdSz > WCS_FTPM_MAX_COMMAND_SIZE || *rspSz == 0U || | ||
| *rspSz > WCS_FTPM_MAX_COMMAND_SIZE) { | ||
| return BAD_FUNC_ARG; | ||
| } | ||
|
|
||
| rspLen = (int)*rspSz; | ||
| int rc = FWTPM_ProcessCommand(&ftpm_ctx, cmd, (int)cmdSz, rsp, &rspLen, 0); |
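Review bot: The argument check at the top of this hunk rejects NULL pointers and oversized lengths, but nothing in the visible lines confirms that cmd, rsp and rspSz actually point into non-secure memory. For a secure entry point that takes pointers from the non-secure side, a range check such as cmse_check_address_range() on each buffer with its length, done before the call to FWTPM_ProcessCommand(), stops a caller from aiming rsp or rspSz at secure RAM. If a wrapper outside this hunk already does this, a comment here saying so would help; the response bound also reuses WCS_FTPM_MAX_COMMAND_SIZE, which deserves a note if command and response limits are meant to be the same.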
This introduces a mid-block declaration (int rc = ...;) after executable statements, which will fail if the project/toolchain is compiling as C90/C89 (common in embedded builds). Suggestion (recommended): move int rc; up with the other declarations and assign it later to maximize toolchain compatibility.
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #756
Scan targets checked: wolfboot-bugs, wolfboot-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
| return BAD_FUNC_ARG; | ||
| } | ||
|
|
||
| rspLen = (int)*rspSz; |
🟠 [Medium] Double-fetch on *rspSz from non-secure caller bypasses size validation · Buffer overflows
*rspSz is fetched once to validate <= WCS_FTPM_MAX_COMMAND_SIZE, then re-read at line 131 into rspLen and again at line 135. A non-secure world attacker (via DMA or concurrent NS execution) can change *rspSz between reads so rspLen exceeds 4096 or becomes negative…
Fix: Copy *rspSz into a local at the top, validate the local, and use only the local for both rspLen and the wireSz comparison.
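The single-fetch pattern described in the finding above, as an added C example that is not code from this pull request or from wolfBoot. `demo_transmit`, `demo_process`, `DEMO_MAX_SIZE` and `DEMO_BAD_ARG` are hypothetical stand-ins, and `demo_process` deliberately rewrites the caller's size cell mid-call to simulate a concurrent non-secure writer.

```c
#include <stdint.h>
#include <string.h>

#define DEMO_MAX_SIZE 4096U /* stand-in for WCS_FTPM_MAX_COMMAND_SIZE */
#define DEMO_BAD_ARG  (-2)  /* constructed error value for this demo */

/* Size cell in non-secure RAM that the other world may rewrite at any time. */
static volatile uint32_t *demo_racing_cell;

/* Hypothetical stand-in for the command processor (not the FWTPM API). It
 * overwrites the size cell mid-call, then emits 10 bytes if capacity allows. */
static int demo_process(uint8_t *rsp, int *rspLen)
{
    if (demo_racing_cell != NULL)
        *demo_racing_cell = 0xFFFFFFFFU;
    if (*rspLen < 10)
        return -1;
    memset(rsp, 0xA5, 10);
    *rspLen = 10;
    return 0;
}

/* Hardened pattern: fetch *rspSz once, then validate and use only the copy. */
int demo_transmit(uint8_t *rsp, volatile uint32_t *rspSz)
{
    uint32_t cap;
    int rspLen, rc;

    if (rsp == NULL || rspSz == NULL)
        return DEMO_BAD_ARG;
    cap = *rspSz;                 /* the only read of the non-secure value */
    if (cap == 0U || cap > DEMO_MAX_SIZE)
        return DEMO_BAD_ARG;
    rspLen = (int)cap;            /* cannot overflow: cap <= DEMO_MAX_SIZE */
    rc = demo_process(rsp, &rspLen);
    if (rc != 0 || rspLen < 0 || (uint32_t)rspLen > cap) {
        *rspSz = 0U;              /* the cell is write-only from here on */
        return (rc != 0) ? rc : DEMO_BAD_ARG;
    }
    *rspSz = (uint32_t)rspLen;    /* compared against cap, never *rspSz */
    return 0;
}

int main(void)
{
    static uint8_t buf[64];
    volatile uint32_t sz = sizeof(buf);
    demo_racing_cell = &sz;       /* simulate the racing writer */
    return (demo_transmit(buf, &sz) == 0 && sz == 10U) ? 0 : 1;
}
```

Because every comparison after the snapshot uses `cap`, the value the racing writer stores into the cell never reaches the length passed to the processor or the final bounds check.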