STM32H5L added support for TrustZone

Makefile

@@ -78,6 +78,7 @@ endif
 MAIN_TARGET=factory.bin
 TARGET_H_TEMPLATE:=include/target.h.in
 
+ifeq ($(TZEN),1)
 ifeq ($(TARGET),stm32l5)
 	# Don't build a contiguous image
 	MAIN_TARGET:=wolfboot.bin test-app/image_v1_signed.bin
@@ -88,6 +89,12 @@ ifeq ($(TARGET),stm32u5)
 	MAIN_TARGET:=wolfboot.bin test-app/image_v1_signed.bin
 endif
 
+ifeq ($(TARGET),stm32h5)
+	# Don't build a contiguous image
+	MAIN_TARGET:=wolfboot.bin test-app/image_v1_signed.bin
+endif
+endif # TZEN=1
+
 ifeq ($(TARGET),x86_64_efi)
 	MAIN_TARGET:=wolfboot.efi
 endif

arch.mk

@@ -146,8 +146,6 @@ ifeq ($(ARCH),ARM)
       WOLFBOOT_ORIGIN=0x0C000000
     else
       WOLFBOOT_ORIGIN=0x08000000
-    endif
-    ifneq ($(TZEN),1)
       LSCRIPT_IN=hal/$(TARGET)-ns.ld
     endif
   endif
@@ -172,8 +170,6 @@ ifeq ($(ARCH),ARM)
       WOLFBOOT_ORIGIN=0x0C000000
     else
       WOLFBOOT_ORIGIN=0x08000000
-    endif
-    ifneq ($(TZEN),1)
       LSCRIPT_IN=hal/$(TARGET)-ns.ld
     endif
     SPI_TARGET=stm32

docs/Targets.md

@@ -861,6 +861,12 @@ STM32_Programmer_CLI -c port=swd -d test-app/image_v3_signed.bin 0x08110000
 Reboot the board to initiate an update via DUALBANK hw-assisted swap.
 Any version except the first one will also turn on the orange LED.
 
+### TrustZone mode
+
+- set the option bytes to enable trustzone:
+
+`STM32_Programmer_CLI -c port=swd -ob TZEN=0xB4`
+
 
 ## STM32H7
 

hal/stm32_tz.c

@@ -33,12 +33,12 @@
     #include "hal/stm32h5.h"
 #endif
 
+#include "hal/stm32_tz.h"
+
 #include "image.h"
 #include "hal.h"
 #if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) && (!defined(FLAGS_HOME) || !defined(DISABLE_BACKUP))
 
-#define SCB_SHCSR     (*(volatile uint32_t *)(0xE000ED24))
-#define SCB_SHCSR_SECUREFAULT_EN            (1<<19)
 
 static void RAMFUNCTION hal_flash_nonsecure_unlock(void)
 {
@@ -120,6 +120,42 @@ void hal_tz_release_nonsecure_area(void)
 #define release_nonsecure_area(...) do{}while(0)
 #endif
 
+
+
+#ifdef PLATFORM_stm32h5
+#define GTZC1_BASE             (0x50032400)
+#define GTZC1_TZSC             (*(volatile uint32_t *)(GTZC1_BASE + 0x00))
+#define GTZC1_TZIC             (*(volatile uint32_t *)(GTZC1_BASE + 0x0400))
+#define GTZC1_MPCBB1_S         ((volatile uint32_t *)(GTZC1_BASE + 0x0800))
+#define GTZC1_MPCBB2_S         ((volatile uint32_t *)(GTZC1_BASE + 0x0C00))
+#define GTZC1_MPCBB3_S         ((volatile uint32_t *)(GTZC1_BASE + 0x1000))
+
+#define SET_GTZC1_MPCBBx_S_VCTR(bank,n,val) \
+    (*((volatile uint32_t *)(GTZC1_MPCBB##bank##_S) + n ))= val
+
+void hal_gtzc_init(void)
+{
+    int i;
+    /* One bit in the bitmask: 512B */
+
+    /* Configure SRAM1 as secure (Low 256 KB) */
+    for (i = 0; i < 16; i++) {
+        SET_GTZC1_MPCBBx_S_VCTR(1, i, 0xFFFFFFFF);
+    }
+
+    /* Configure SRAM2 as secure (64 KB) */
+    for (i = 0; i < 4; i++) {
+        SET_GTZC1_MPCBBx_S_VCTR(2, i, 0xFFFFFFFF);
+    }
+
+    /* Configure SRAM3 as non-secure (320 KB) */
+    for (i = 0; i < 20; i++) {
+        SET_GTZC1_MPCBBx_S_VCTR(3, i, 0x0);
+    }
+}
+
+#else
+
 #define GTZC_MPCBB1_S_BASE        (0x50032C00)
 #define GTZC_MPCBB1_S_VCTR_BASE   (GTZC_MPCBB1_S_BASE + 0x100)
 
@@ -129,13 +165,14 @@ void hal_tz_release_nonsecure_area(void)
 #define SET_GTZC_MPCBBx_S_VCTR(bank,n,val) \
     (*((volatile uint32_t *)(GTZC_MPCBB##bank##_S_VCTR_BASE ) + n ))= val
 
-
 void hal_gtzc_init(void)
 {
    int i;
-  /* Configure lower half of total RAM as secure
-   * 0x3000 0000 : 0x3001 FFFF - 128KB
-   */
+   /* One bit in the bitmask: 256B */
+
+   /* Configure lower half of total RAM as secure
+    * 0x3000 0000 : 0x3001 FFFF - 128KB
+    */
    for (i = 0; i < 16; i++) {
        SET_GTZC_MPCBBx_S_VCTR(1, i, 0xFFFFFFFF);
    }
@@ -147,43 +184,48 @@ void hal_gtzc_init(void)
        SET_GTZC_MPCBBx_S_VCTR(1, i, 0x0);
    }
 
-  /* Configure SRAM2 as non-secure
-   * 0x2003 0000 : 0x2003 FFFF - 64 KB
-   */
+   /* Configure SRAM2 as non-secure
+    * 0x2003 0000 : 0x2003 FFFF - 64 KB
+    */
    for (i = 0; i < 8; i++) {
        SET_GTZC_MPCBBx_S_VCTR(2, i, 0x0);
    }
 }
+#endif
 
-/* SAU registers, used to define memory mapped regions */
-#define SAU_CTRL   (*(volatile uint32_t *)(0xE000EDD0))
-#define SAU_RNR (*(volatile uint32_t *)(0xE000EDD8)) /** SAU_RNR - region number register **/
-#define SAU_RBAR (*(volatile uint32_t *)(0xE000EDDC)) /** SAU_RBAR - region base address register **/
-#define SAU_RLAR (*(volatile uint32_t *)(0xE000EDE0)) /** SAU_RLAR - region limit address register **/
+#ifdef PLATFORM_stm32h5
 
-#define SAU_REGION_MASK 0x000000FF
-#define SAU_ADDR_MASK 0xFFFFFFE0 /* LS 5 bit are reserved or used for flags */
+void hal_tz_sau_init(void)
+{
+    /* WIP: SAU is set up before staging */
+#if 0
+    /* Non-secure callable: NSC functions area */
+    sau_init_region(0, 0x0C038000, 0x0C040000, 1);
 
-/* Flag for the SAU region limit register */
-#define SAU_REG_ENABLE (1 << 0) /* Indicates that the region is enabled. */
-#define SAU_REG_SECURE (1 << 1) /* When on, the region is S or NSC */
+    /* Secure: application flash area (first bank) */
+    sau_init_region(1, 0x08040000, 0x080FFFFF, 1);
 
-#define SAU_INIT_CTRL_ENABLE (1 << 0)
-#define SAU_INIT_CTRL_ALLNS  (1 << 1)
+    /* Secure: application flash area (second bank) */
+    sau_init_region(2, 0x08140000, 0x081FFFFF, 1);
 
-static void sau_init_region(uint32_t region, uint32_t start_addr,
-        uint32_t end_addr, int secure)
-{
-    uint32_t secure_flag = 0;
-    if (secure)
-        secure_flag = SAU_REG_SECURE;
-    SAU_RNR = region & SAU_REGION_MASK;
-    SAU_RBAR = start_addr & SAU_ADDR_MASK;
-    SAU_RLAR = (end_addr & SAU_ADDR_MASK)
-        | secure_flag | SAU_REG_ENABLE;
-}
+    /* Secure RAM regions in SRAM1/SRAM2 */
+    sau_init_region(3, 0x0A000000, 0x0A04FFFF, 1);
+
+    /* Non-secure RAM region in SRAM3 */
+    sau_init_region(4, 0x0A050000, 0x0A09FFFF, 0);
 
+    /* Non-secure: internal peripherals */
+    sau_init_region(5, 0x40000000, 0x4FFFFFFF, 0);
 
+    /* Enable SAU */
+    SAU_CTRL = SAU_INIT_CTRL_ENABLE;
+
+    /* Enable securefault handler */
+    SCB_SHCSR |= SCB_SHCSR_SECUREFAULT_EN;
+#endif
+}
+
+#else
 void hal_tz_sau_init(void)
 {
     /* Non-secure callable: NSC functions area */
@@ -204,6 +246,40 @@ void hal_tz_sau_init(void)
     /* Enable securefault handler */
     SCB_SHCSR |= SCB_SHCSR_SECUREFAULT_EN;
 
+}
+#endif
+
+void hal_tz_sau_ns_region(void)
+{
+#ifdef PLATFORM_stm32h5
+    /* Disable SAU */
+    SAU_CTRL &= ~SAU_INIT_CTRL_ENABLE;
+
+    /* Non-secure callable: NSC functions area */
+    sau_init_region(0, 0x0C038000, 0x0C040000, 1);
+
+    /* Non-secure: application flash area (first bank) */
+    sau_init_region(1, 0x08040000, 0x080FFFFF, 0);
+
+    /* Non-secure: application flash area (second bank) */
+    sau_init_region(2, 0x08140000, 0x081FFFFF, 0);
+
+    /* Secure RAM regions in SRAM1/SRAM2 */
+    sau_init_region(3, 0x0A000000, 0x0A04FFFF, 1);
+
+    /* Non-secure RAM region in SRAM3 */
+    sau_init_region(4, 0x0A050000, 0x0A09FFFF, 0);
+
+    /* Non-secure: internal peripherals */
+    sau_init_region(5, 0x40000000, 0x4FFFFFFF, 0);
+
+    /* Enable SAU */
+    SAU_CTRL = SAU_INIT_CTRL_ENABLE;
+
+    /* Enable securefault handler */
+    SCB_SHCSR |= SCB_SHCSR_SECUREFAULT_EN;
+#endif
+
 }
 
 #ifdef WOLFCRYPT_SECURE_MODE
@@ -237,14 +313,10 @@ static void hsi48_on(void)
 #endif
 }
 
-
 void hal_trng_init(void)
 {
     uint32_t reg_val;
     hsi48_on();
-#ifdef PLATFORM_stm32u5
-    #define RCC_AHB2_CLOCK_ER RCC_AHB2ENR1_CLOCK_ER
-#endif
     RCC_AHB2_CLOCK_ER |= TRNG_AHB2_CLOCK_ER;
 
     reg_val = TRNG_CR;

hal/stm32_tz.h

@@ -0,0 +1,57 @@
+/* stm32_tz.h
+ *
+ * Copyright (C) 2024 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef STM32_TZ_INCLUDED
+#define STM32_TZ_INCLUDED
+#include <stdint.h>
+
+/* SAU registers, used to define memory mapped regions */
+#define SAU_CTRL   (*(volatile uint32_t *)(0xE000EDD0))
+#define SAU_RNR (*(volatile uint32_t *)(0xE000EDD8)) /** SAU_RNR - region number register **/
+#define SAU_RBAR (*(volatile uint32_t *)(0xE000EDDC)) /** SAU_RBAR - region base address register **/
+#define SAU_RLAR (*(volatile uint32_t *)(0xE000EDE0)) /** SAU_RLAR - region limit address register **/
+
+#define SAU_REGION_MASK 0x000000FF
+#define SAU_ADDR_MASK 0xFFFFFFE0 /* LS 5 bit are reserved or used for flags */
+
+/* Flag for the SAU region limit register */
+#define SAU_REG_ENABLE (1 << 0) /* Indicates that the region is enabled. */
+#define SAU_REG_SECURE (1 << 1) /* When on, the region is S or NSC */
+
+#define SAU_INIT_CTRL_ENABLE (1 << 0)
+#define SAU_INIT_CTRL_ALLNS  (1 << 1)
+
+#define SCB_SHCSR     (*(volatile uint32_t *)(0xE000ED24))
+#define SCB_SHCSR_SECUREFAULT_EN            (1<<19)
+
+static inline void sau_init_region(uint32_t region, uint32_t start_addr,
+        uint32_t end_addr, int secure)
+{
+    uint32_t secure_flag = 0;
+    if (secure)
+        secure_flag = SAU_REG_SECURE;
+    SAU_RNR = region & SAU_REGION_MASK;
+    SAU_RBAR = start_addr & SAU_ADDR_MASK;
+    SAU_RLAR = (end_addr & SAU_ADDR_MASK)
+        | secure_flag | SAU_REG_ENABLE;
+}
+
+#endif

hal/stm32h5-ns.ld

@@ -1,7 +1,7 @@
 MEMORY
 {
     FLASH (rx) : ORIGIN = 0x08000000, LENGTH = @BOOTLOADER_PARTITION_SIZE@
-    RAM (rwx) : ORIGIN = 0x20000000, LENGTH = 0x00020000 /* mapping TCM only */
+    RAM (rwx) : ORIGIN = 0x0A000000, LENGTH = 0x00020000 /* mapping TCM only */
 }
 
 SECTIONS