From b8f70ad57d10b5ff6e667a8eff1c442756253b2b Mon Sep 17 00:00:00 2001
From: Mattia Moffa
Date: Wed, 24 Dec 2025 18:58:33 +0100
Subject: [PATCH 1/2] Various small fixes for nrf5340 TrustZone PKCS11
---
 hal/nrf5340.c | 17 +++++++++++++----
 hal/nrf5340.h | 2 ++
 test-app/Makefile | 9 ++++++++-
 3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/hal/nrf5340.c b/hal/nrf5340.c
index 7dce15ad8f..f1772a4b03 100644
--- a/hal/nrf5340.c
+++ b/hal/nrf5340.c
@@ -68,10 +68,11 @@
 #define USE_IPC_RECV 0
 #endif
-/* SHM: Shared Memory between network and application cores */
-/* first 64KB (0x10000) is used by wolfBoot and limited in nrf5340.ld */
+/* SHM: Shared Memory between network and application cores.
+ * Reserve most of single-cycle RAM for wolfBoot;
+ * use end of RAM (0x3F800 - 0x7FFFF) as shared memory */
 #ifndef SHARED_MEM_ADDR
- #define SHARED_MEM_ADDR (0x20000000UL + (64 * 1024))
+ #define SHARED_MEM_ADDR 0x2003F800
 #endif
 /* Shared memory states (mask, easier to check) */
@@ -875,13 +876,21 @@ static void periph_unsecure()
 /* Unsecure RTC0 */
 SPU_PERIPHID_PERM(RTC0_PERIPHID) &= ~SPU_PERIPHID_PERM_SECATTR;
+
+ /* Unsecure QSPI */
+ SPU_PERIPHID_PERM(QSPI_PERIPHID) &= ~SPU_PERIPHID_PERM_SECATTR;
 }
 #endif
 void hal_prepare_boot(void)
 {
- /* Write protect bootloader region of flash */
+ /* Write protect bootloader region of flash.
+ * Not needed in TrustZone configs because the application
+ * runs in non-secure mode and the bootloader partition is marked as
+ * secure. */
+#ifndef TZEN
 hal_flash_protect(WOLFBOOT_ORIGIN, BOOTLOADER_PARTITION_SIZE);
+#endif
 if (enableShm) {
 #ifdef TARGET_nrf5340_net
diff --git a/hal/nrf5340.h b/hal/nrf5340.h
index d128ca9b1f..cc30b8228e 100644
--- a/hal/nrf5340.h
+++ b/hal/nrf5340.h
@@ -371,6 +371,8 @@ void uart_write_sz(const char* c, unsigned int sz);
 /* QSPI */
 #ifdef TARGET_nrf5340_app
+ #define QSPI_PERIPHID 43
+
 #if TZ_SECURE()
 #define QSPI_BASE (0x5002B000)
 #else
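Review bot: The new SHARED_MEM_ADDR literal drops the `UL` suffix the old value carried, so `0x2003F800` is a plain `int` where `(0x20000000UL + (64 * 1024))` was `unsigned long`; keep the type stable with `#define SHARED_MEM_ADDR 0x2003F800UL`. Moving the region to the top of RAM also relies on nrf5340.ld and the SPU RAM attributes keeping 0x2003F800-0x2007FFFF out of both the wolfBoot image and the non-secure application's RAM, and neither is touched in this series, so that should be confirmed; the removed comment named nrf5340.ld as the place that limited the region, and the new one no longer points anywhere. The comment's `0x3F800 - 0x7FFFF` are offsets into RAM while the define is an absolute address; `0x2003F800 - 0x2007FFFF` would avoid the mismatch.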
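Review bot: Skipping `hal_flash_protect()` under `#ifndef TZEN` removes the hardware write lock on the bootloader region in precisely the configuration that, per the patch 2 docs, also exposes a secure-side wolfPKCS11 API to the non-secure application; the SPU secure attribute only blocks non-secure accesses, so a flash write issued from secure-world code (an NSC handler, or a bug reached through one) is still permitted. Unless the lock is known to conflict with the TrustZone SPU setup, keeping the call unconditional is the safer default, and if it must stay disabled the comment should give the reason rather than say it is not needed, e.g. `/* hal_flash_protect() is skipped in TZ builds because <reason>; the SPU secure attribute on the bootloader partition blocks non-secure writes only. */`. The guard also tests the C macro `TZEN`, whereas the nrf5340.h hunk below checks TrustZone via `TZ_SECURE()`; if TZEN is only a make variable and not passed as `-DTZEN`, the guard silently keeps the old behavior, so the build-side definition is worth verifying. hal_prepare_boot() continues past the end of the hunk.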
diff --git a/test-app/Makefile b/test-app/Makefile
index 0a63829f8b..135dbfd5ac 100644
--- a/test-app/Makefile
+++ b/test-app/Makefile
@@ -306,7 +306,11 @@ ifeq ($(QSPI_FLASH),1)
 ifeq ($(ARCH),RENESAS_RX)
 APP_OBJS+=../hal/spi/spi_drv_renesas_rx.o
 else
- APP_OBJS+=../hal/spi/spi_drv_$(SPI_TARGET).o
+ ifeq ($(TZEN),1)
+ APP_OBJS+=../hal/spi/spi_drv_$(SPI_TARGET)_ns.o
+ else
+ APP_OBJS+=../hal/spi/spi_drv_$(SPI_TARGET).o
+ endif
 endif
 endif
@@ -596,6 +600,9 @@ delta-extra-data: image.bin
 ../hal/$(TARGET)_ns.o: ../hal/$(TARGET).c FORCE
 $(Q)$(CC) $(CFLAGS) -c -o $(@) ../hal/$(TARGET).c -DNONSECURE_APP
+../hal/spi/spi_drv_$(SPI_TARGET)_ns.o: ../hal/spi/spi_drv_$(SPI_TARGET).c FORCE
+ $(Q)$(CC) $(CFLAGS) -c -o $(@) ../hal/spi/spi_drv_$(SPI_TARGET).c -DNONSECURE_APP
+
 %.o:%.c
 @echo "\t[CC-$(ARCH)] $@"
 $(Q)$(CC) $(CFLAGS) -c $(OUTPUT_FLAG) $@ $^
From b8799cd97df800f40178f2cf836e45eb10420ea0 Mon Sep 17 00:00:00 2001
From: Mattia Moffa
Date: Wed, 24 Dec 2025 19:09:11 +0100
Subject: [PATCH 2/2] Add documentation
---
 docs/Targets.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/docs/Targets.md b/docs/Targets.md
index 013c934258..87dbd47215 100644
--- a/docs/Targets.md
+++ b/docs/Targets.md
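Review bot: The new `spi_drv_$(SPI_TARGET)_ns.o` rule in the second Makefile hunk is a copy of the `$(TARGET)_ns.o` rule directly above it, differing only in the source path; both compile a `../hal` source with `$(CFLAGS) -DNONSECURE_APP`. A single pattern rule, `../hal/%_ns.o: ../hal/%.c FORCE` with the recipe `$(Q)$(CC) $(CFLAGS) -c -o $@ $< -DNONSECURE_APP`, would cover both objects (GNU make keeps the `spi/` directory in the stem when the pattern carries a path prefix) and any future `_ns` objects without another copy. If the pattern rule is adopted, the existing explicit `$(TARGET)_ns.o` rule can be dropped as well, assuming no other `_ns.o` rule elsewhere in the Makefile adds flags beyond `-DNONSECURE_APP`.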
@@ -2867,11 +2867,14 @@ Tested with the Nordic nRF5340-DK. This device has two cores:
 1) Application core: Cortex-M33 at 128MHz, w/TrustZone, 1MB flash, 512KB RAM
 2) Network core: Cortex-M33 at 64MHz, 256KB Flash and 64KB RAM
-Three different configurations are available at `config/examples`:
+Four different configurations are available at `config/examples`:
 - `nrf5340.config`: for the app core; does not make use of TrustZone, i.e. it always runs in secure mode.
 - `nrf5340-tz.config`: for the app core; makes use of TrustZone, i.e. boots the application as non-secure code.
+- `nrf5340-wolfcrypt-tz.config`: for the app core; same as above, but also
+ includes a non-secure callable (NSC) wolfPKCS11 API to perform crypto
+ operations via wolfCrypt and access a secure keyvault provided by wolfBoot.
 - `nrf5340_net.config`: for the net core.
 The DK board has two virtual COM ports. Application core and Network core will each output to different VCOM ports.