diff --git a/CMakeLists.txt b/CMakeLists.txt index 210bedf49c..fb0f316797 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -659,6 +659,65 @@ if(ARCH STREQUAL "ARM") set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET}) endif() + if(${WOLFBOOT_TARGET} STREQUAL "stm32h5") + set(ARCH_FLASH_OFFSET 0x08000000) + if(TZEN) + set(WOLFBOOT_ORIGIN 0x0C000000) + else() + set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET}) + endif() + endif() + + if(${WOLFBOOT_TARGET} STREQUAL "stm32l5") + set(ARCH_FLASH_OFFSET 0x08000000) + if(TZEN) + set(WOLFBOOT_ORIGIN 0x0C000000) + else() + set(WOLFBOOT_ORIGIN ${ARCH_FLASH_OFFSET}) + endif() + endif() + + # TrustZone support for Cortex-M33 targets + if(TZEN) + list(APPEND WOLFBOOT_DEFS TZEN) + if(CMAKE_SYSTEM_PROCESSOR STREQUAL "cortex-m33") + list(APPEND WOLFBOOT_COMPILE_OPTIONS -mcmse) + list(APPEND WOLFBOOT_LINK_OPTIONS -mcmse) + endif() + + # wolfCrypt TrustZone secure mode + if(WOLFCRYPT_TZ) + list(APPEND WOLFBOOT_DEFS WOLFCRYPT_SECURE_MODE) + list(APPEND WOLFBOOT_SOURCES src/wc_callable.c) + list(APPEND WOLFBOOT_LINK_OPTIONS + -Wl,--cmse-implib + -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wc_secure_calls.o) + + # PKCS11 TrustZone interface + if(WOLFCRYPT_TZ_PKCS11) + if(WOLFCRYPT_TZ_PSA) + message(FATAL_ERROR "WOLFCRYPT_TZ_PKCS11 and WOLFCRYPT_TZ_PSA are mutually exclusive") + endif() + + list(APPEND WOLFBOOT_DEFS + SECURE_PKCS11 + WOLFSSL_PKCS11_RW_TOKENS + WP11_HASH_PIN_COST=3) + list(APPEND WOLFBOOT_DEFS "CK_CALLABLE=__attribute__\\(\\(cmse_nonsecure_entry\\)\\)") + + list(APPEND WOLFBOOT_INCLUDE_DIRS ${WOLFBOOT_ROOT}/lib/wolfPKCS11) + + list(APPEND WOLFBOOT_SOURCES + src/pkcs11_store.c + src/pkcs11_callable.c + lib/wolfPKCS11/src/crypto.c + lib/wolfPKCS11/src/internal.c + lib/wolfPKCS11/src/slot.c + lib/wolfPKCS11/src/wolfpkcs11.c) + endif() + endif() + endif() + endif() if(ARCH STREQUAL "AARCH64") @@ -1054,8 +1113,17 @@ add_library(user_settings INTERFACE) target_compile_definitions(user_settings INTERFACE ${USER_SETTINGS} ${SIGN_OPTIONS}) add_library(wolfboothal) + +# TrustZone HAL sources for STM32 targets +set(WOLFBOOT_TZ_HAL_SOURCES "") +if(TZEN) + if(${WOLFBOOT_TARGET} MATCHES "^stm32") + set(WOLFBOOT_TZ_HAL_SOURCES hal/stm32_tz.c) + endif() +endif() + target_sources(wolfboothal PRIVATE include/hal.h hal/${WOLFBOOT_TARGET}.c ${WOLFBOOT_FLASH_SOURCES} - ${PARTITION_SOURCE}) + ${PARTITION_SOURCE} ${WOLFBOOT_TZ_HAL_SOURCES}) #--------------------------------------------------------------------------------------------- @@ -1301,6 +1369,9 @@ if(TARGET ${WOLFSSL_TGT}) ) endif() # TARGET ${WOLFSSL_TGT} +set(WOLFBOOT_DEFS_PUBLIC ${WOLFBOOT_DEFS}) +list(REMOVE_ITEM WOLFBOOT_DEFS_PUBLIC __WOLFBOOT) + if(BUILD_TEST_APPS OR BUILD_IMAGE) message(STATUS "Building wolfBoot image") add_subdirectory(test-app) @@ -1356,7 +1427,7 @@ set(WOLFBOOT_VERSION configure_file(include/target.h.in ${CMAKE_CURRENT_BINARY_DIR}/target.h @ONLY) add_library(target INTERFACE) -target_compile_definitions(target INTERFACE ${WOLFBOOT_DEFS}) +target_compile_definitions(target INTERFACE ${WOLFBOOT_DEFS_PUBLIC}) target_include_directories(target BEFORE INTERFACE ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/lib/wolfssl) @@ -1401,8 +1472,9 @@ endif() # generate libwolfboot add_library(wolfboot) target_sources(wolfboot PRIVATE src/libwolfboot.c ${WOLFBOOT_FLASH_SOURCES}) -target_compile_definitions(wolfboot PUBLIC ${WOLFBOOT_DEFS}) -target_compile_options(wolfboot PUBLIC ${EXTRA_COMPILE_OPTIONS}) +target_compile_definitions(wolfboot PUBLIC ${WOLFBOOT_DEFS_PUBLIC}) +target_compile_definitions(wolfboot PRIVATE __WOLFBOOT) +target_compile_options(wolfboot PUBLIC ${WOLFBOOT_COMPILE_OPTIONS} ${EXTRA_COMPILE_OPTIONS}) target_include_directories(wolfboot PUBLIC ${WOLFBOOT_INCLUDE_DIRS}) target_link_libraries(wolfboot wolfboothal target ${WOLFSSL_TGT}) diff --git a/CMakePresets.json b/CMakePresets.json index 796b0f9312..2b2ef32334 100644 --- a/CMakePresets.json +++ b/CMakePresets.json @@ -292,7 +292,6 @@ "generator": "Ninja", "binaryDir": "${sourceDir}/build-stm32h5", "cacheVariables": { - "BUILD_TEST_APPS": "OFF", "ARCH": "ARM", "TZEN": "ON", "WOLFBOOT_TARGET": "stm32h5", @@ -309,7 +308,7 @@ "WOLFBOOT_VERSION": "ON", "V": "OFF", "SPMATH": "ON", - "RAM_CODE": "OFF", + "RAM_CODE": "ON", "DUALBANK_SWAP": "OFF", "WOLFBOOT_PARTITION_SIZE": "0xA0000", "WOLFBOOT_SECTOR_SIZE": "0x2000", @@ -318,12 +317,14 @@ "WOLFBOOT_NSC_ADDRESS": "0x0C05C000", "WOLFBOOT_NSC_SIZE": "0x4000", "WOLFBOOT_PARTITION_BOOT_ADDRESS": "0x08060000", - "WOLFBOOT_PARTITION_UPDATE_ADDRESS": "0x08100000", - "WOLFBOOT_PARTITION_SWAP_ADDRESS": "0x081A0000", + "WOLFBOOT_PARTITION_UPDATE_ADDRESS": "0x0C100000", + "WOLFBOOT_PARTITION_SWAP_ADDRESS": "0x0C1A0000", "FLAGS_HOME": "OFF", "DISABLE_BACKUP": "OFF", "IMAGE_HEADER_SIZE": "1024", - "ARMORED": "ON" + "ARMORED": "ON", + "WOLFCRYPT_TZ": "ON", + "WOLFCRYPT_TZ_PKCS11": "ON" } }, { diff --git a/cmake/toolchain_arm-none-eabi.cmake b/cmake/toolchain_arm-none-eabi.cmake index 21cd3ff138..11f6bbcd95 100644 --- a/cmake/toolchain_arm-none-eabi.cmake +++ b/cmake/toolchain_arm-none-eabi.cmake @@ -47,7 +47,8 @@ endif() if(WOLFBOOT_TARGET STREQUAL "stm32l0") set(CMAKE_SYSTEM_PROCESSOR cortex-m0) set(MCPU_FLAGS "-mcpu=cortex-m0 -mthumb -mlittle-endian -mthumb-interwork ") -elseif(WOLFBOOT_TARGET STREQUAL "stm32u5") +elseif(WOLFBOOT_TARGET STREQUAL "stm32u5" OR WOLFBOOT_TARGET STREQUAL "stm32h5" OR + WOLFBOOT_TARGET STREQUAL "stm32l5") set(CMAKE_SYSTEM_PROCESSOR cortex-m33) set(MCPU_FLAGS "-mcpu=cortex-m33 -mthumb -mlittle-endian -mthumb-interwork -Ihal -DCORTEX_M33") elseif(WOLFBOOT_TARGET STREQUAL "stm32h7") diff --git a/cmake/wolfboot.cmake b/cmake/wolfboot.cmake index 4781b3b193..553d949a12 100644 --- a/cmake/wolfboot.cmake +++ b/cmake/wolfboot.cmake @@ -51,6 +51,15 @@ function(gen_wolfboot_platform_target PLATFORM_NAME LINKER_SCRIPT_TARGET) target_link_libraries(wolfboot_${PLATFORM_NAME} wolfcrypt target wolfboot ${LINKER_SCRIPT_TARGET}) + # TrustZone import library (generated by the linker via --out-implib) + if(TZEN AND WOLFCRYPT_TZ) + set(_wcs_implib "${CMAKE_BINARY_DIR}/wc_secure_calls.o") + add_custom_command(TARGET wolfboot_${PLATFORM_NAME} POST_BUILD + BYPRODUCTS "${_wcs_implib}" + COMMAND ${CMAKE_COMMAND} -E true + ) + endif() + # link with public key if signing is enabled if(NOT SIGN STREQUAL "NONE") target_link_libraries(wolfboot_${PLATFORM_NAME} public_key) @@ -87,7 +96,8 @@ function(gen_wolfboot_signed_image TARGET) add_custom_command( OUTPUT ${TARGET}_v${VERSION}_signed.bin DEPENDS ${INPUT_IMAGE} ${WOLFBOOT_SIGNING_PRIVATE_KEY} ${SIGN_TOOL} - COMMAND ${SIGN_TOOL} ${KEYTOOL_OPTIONS} ${INPUT_IMAGE} ${WOLFBOOT_SIGNING_PRIVATE_KEY} ${VERSION} + COMMAND ${CMAKE_COMMAND} -E env IMAGE_HEADER_SIZE=${IMAGE_HEADER_SIZE} + ${SIGN_TOOL} ${KEYTOOL_OPTIONS} ${INPUT_IMAGE} ${WOLFBOOT_SIGNING_PRIVATE_KEY} ${VERSION} COMMENT "Signing ${TARGET}" ) diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt index 436142a74a..2ce75c8e34 100644 --- a/lib/CMakeLists.txt +++ b/lib/CMakeLists.txt @@ -174,6 +174,36 @@ if(NOT WOLFBOOT_SMALL_STACK AND WOLFBOOT_TARGET STREQUAL "unit_test") list(REMOVE_DUPLICATES WOLFCRYPT_SOURCES) endif() +if(WOLFCRYPT_TZ_PKCS11) + list(APPEND WOLFCRYPT_SOURCES + wolfssl/wolfcrypt/src/asn.c + wolfssl/wolfcrypt/src/memory.c + wolfssl/wolfcrypt/src/random.c + wolfssl/wolfcrypt/src/pwdbased.c + wolfssl/wolfcrypt/src/hmac.c + wolfssl/wolfcrypt/src/dh.c) + + if(NOT ENCRYPT_WITH_AES128 AND NOT ENCRYPT_WITH_AES256) + list(APPEND WOLFCRYPT_SOURCES wolfssl/wolfcrypt/src/aes.c) + endif() + + set(_sign "${SIGN}") + set(_sign2 "${SIGN_SECONDARY}") + + if(NOT _sign MATCHES "RSA" AND NOT _sign2 MATCHES "RSA") + list(APPEND WOLFCRYPT_SOURCES ${RSA_EXTRA_SOURCES} wolfssl/wolfcrypt/src/rsa.c) + endif() + + if(NOT _sign MATCHES "ECC" AND NOT _sign2 MATCHES "ECC") + list(APPEND WOLFCRYPT_SOURCES wolfssl/wolfcrypt/src/ecc.c) + endif() + + if(NOT _sign MATCHES "ECC" AND NOT _sign2 MATCHES "ECC" AND + NOT _sign MATCHES "RSA" AND NOT _sign2 MATCHES "RSA") + list(APPEND WOLFCRYPT_SOURCES ${MATH_SOURCES}) + endif() +endif() + # Include SHA256 module because it's implicitly needed by RSA list(APPEND WOLFCRYPT_SOURCES wolfssl/wolfcrypt/src/sha256.c) diff --git a/test-app/CMakeLists.txt b/test-app/CMakeLists.txt index 353514d475..5a64bd683a 100644 --- a/test-app/CMakeLists.txt +++ b/test-app/CMakeLists.txt @@ -53,6 +53,18 @@ if("${WOLFBOOT_TARGET}" STREQUAL "stm32h7") set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32h7.ld) elseif("${WOLFBOOT_TARGET}" STREQUAL "stm32u5") set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32u5.ld) +elseif("${WOLFBOOT_TARGET}" STREQUAL "stm32h5") + if(TZEN) + set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32h5-ns.ld) + else() + set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32h5.ld) + endif() +elseif("${WOLFBOOT_TARGET}" STREQUAL "stm32l5") + if(TZEN) + set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32l5-ns.ld) + else() + set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/ARM-stm32l5.ld) + endif() else() set(APP_LSCRIPT_TEMPLATE ${CMAKE_CURRENT_SOURCE_DIR}/${ARCH}.ld) endif() @@ -110,15 +122,112 @@ if(BUILD_TEST_APPS) target_sources(image PRIVATE ${APP_SOURCES}) + # stm32h5-specific sources + if("${WOLFBOOT_TARGET}" STREQUAL "stm32h5") + target_sources(image PRIVATE + ../hal/uart/uart_drv_stm32h5.c + ) + target_compile_definitions(image PRIVATE + APP_HAS_SYSTICK + RAMFUNCTION=__attribute__\(\(used,section\(".ramcode"\),long_call\)\) + ) + target_compile_options(image PRIVATE + -ffunction-sections -fdata-sections -fno-common -mlong-calls + ) + if(TZEN) + target_sources(image PRIVATE + wcs/wolfcrypt_secure.c + ) + if(WOLFCRYPT_TZ) + target_sources(image PRIVATE + ../lib/wolfssl/wolfcrypt/src/logging.c + ../lib/wolfssl/wolfcrypt/test/test.c + ../lib/wolfssl/wolfcrypt/benchmark/benchmark.c + ) + endif() + endif() + endif() + + # stm32l5-specific sources + if("${WOLFBOOT_TARGET}" STREQUAL "stm32l5") + target_sources(image PRIVATE + ../hal/uart/uart_drv_stm32l5.c + ) + target_compile_options(image PRIVATE + -ffunction-sections -fdata-sections -fno-common + ) + endif() + target_include_directories(image PRIVATE ../ ../include ${CMAKE_CURRENT_BINARY_DIR}) - target_link_libraries(image wolfboot target) + if(TZEN) + target_include_directories(image PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/wcs) + endif() + + if(WOLFCRYPT_TZ_PKCS11) + target_include_directories(image PRIVATE ../lib/wolfPKCS11) + endif() + + # For TrustZone builds, avoid linking the bootloader lib (it defines NSC stubs). + if(TZEN AND WOLFCRYPT_TZ) + target_sources(image PRIVATE ../src/libwolfboot.c) + if(NOT SIGN STREQUAL "NONE") + set_source_files_properties(${CMAKE_BINARY_DIR}/keystore.c PROPERTIES GENERATED TRUE) + target_sources(image PRIVATE ${CMAKE_BINARY_DIR}/keystore.c) + add_dependencies(image keystore) + endif() + target_link_libraries(image PRIVATE wolfboothal target) + else() + target_link_libraries(image PRIVATE wolfboot wolfboothal public_key target) + endif() + + # For TrustZone builds, the test app is a non-secure application + if(TZEN AND WOLFCRYPT_TZ) + list(APPEND TEST_APP_COMPILE_DEFINITIONS NONSECURE_APP WOLFBOOT_SECURE_CALLS) + add_dependencies(image wolfboot_${PLATFORM_NAME}) + target_link_libraries(image PRIVATE ${CMAKE_BINARY_DIR}/wc_secure_calls.o) + endif() + + if(WOLFCRYPT_TZ_PKCS11) + list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11) + target_sources(image PRIVATE + wcs/pkcs11_stub.c + wcs/pkcs11_test_ecc.c + ../lib/wolfssl/wolfcrypt/src/ecc.c + ../lib/wolfssl/wolfcrypt/src/rsa.c + ../lib/wolfssl/wolfcrypt/src/asn.c + ../lib/wolfssl/wolfcrypt/src/aes.c + ../lib/wolfssl/wolfcrypt/src/hmac.c + ../lib/wolfssl/wolfcrypt/src/pwdbased.c + ../lib/wolfssl/wolfcrypt/src/hash.c + ../lib/wolfssl/wolfcrypt/src/sha256.c + ../lib/wolfssl/wolfcrypt/src/sha512.c + ../lib/wolfssl/wolfcrypt/src/sha3.c + ../lib/wolfssl/wolfcrypt/src/integer.c + ../lib/wolfssl/wolfcrypt/src/tfm.c + ../lib/wolfssl/wolfcrypt/src/sp_c32.c + ../lib/wolfssl/wolfcrypt/src/sp_int.c + ../lib/wolfssl/wolfcrypt/src/cryptocb.c + ../lib/wolfssl/wolfcrypt/src/wc_pkcs11.c + ../lib/wolfssl/wolfcrypt/src/memory.c + ../lib/wolfssl/wolfcrypt/src/wolfmath.c + ../lib/wolfssl/wolfcrypt/src/dh.c + ../lib/wolfssl/wolfcrypt/src/random.c + ../lib/wolfssl/wolfcrypt/src/coding.c + ../lib/wolfssl/wolfcrypt/src/wc_encrypt.c + ../lib/wolfssl/wolfcrypt/src/wc_port.c + ) + if(SPMATH AND NOT NO_ASM) + list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFSSL_HAVE_SP_RSA WOLFSSL_HAVE_SP_ECC WOLFSSL_SP_ARM_CORTEX_M_ASM) + target_sources(image PRIVATE ../lib/wolfssl/wolfcrypt/src/sp_cortexm.c) + endif() + endif() target_compile_definitions(image PRIVATE TARGET_${WOLFBOOT_TARGET} - ${TEST_APP_COMPILE_DEFINITIONS} ${WOLFBOOT_DEFS}) + ${TEST_APP_COMPILE_DEFINITIONS} ${WOLFBOOT_DEFS_PUBLIC}) target_compile_options(image PRIVATE -Wall -Wstack-usage=1024 -ffreestanding -Wno-unused -fomit-frame-pointer -nostartfiles)