Enable NSC veneers when TZEN=1, even without WOLFCRYPT_TZ

Author: mattia-moffa

CMakeLists.txt

@@ -690,14 +690,14 @@ if(ARCH STREQUAL "ARM")
             list(APPEND WOLFBOOT_COMPILE_OPTIONS -mcmse)
             list(APPEND WOLFBOOT_LINK_OPTIONS -mcmse)
         endif()
+        list(APPEND WOLFBOOT_LINK_OPTIONS
+            -Wl,--cmse-implib
+            -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wolfboot_tz_nsc.o)
 
         # wolfCrypt TrustZone secure mode
         if(WOLFCRYPT_TZ)
             list(APPEND WOLFBOOT_DEFS WOLFCRYPT_SECURE_MODE)
             list(APPEND WOLFBOOT_SOURCES src/wc_callable.c)
-            list(APPEND WOLFBOOT_LINK_OPTIONS
-                -Wl,--cmse-implib
-                -Wl,--out-implib=${CMAKE_CURRENT_BINARY_DIR}/wc_secure_calls.o)
 
             # PKCS11 TrustZone interface
             if(WOLFCRYPT_TZ_PKCS11)

Makefile

@@ -556,7 +556,7 @@ keys: $(PRIVATE_KEY)
 
 clean:
 	$(Q)rm -f src/*.o hal/*.o hal/spi/*.o test-app/*.o src/x86/*.o
-	$(Q)rm -f src/wc_secure_calls.o
+	$(Q)rm -f src/wolfboot_tz_nsc.o
 	$(Q)rm -f $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/*.o $(WOLFBOOT_LIB_WOLFTPM)/src/*.o $(WOLFBOOT_LIB_WOLFTPM)/hal/*.o $(WOLFBOOT_LIB_WOLFTPM)/examples/pcr/*.o
 	$(Q)rm -f $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/Renesas/*.o
 	$(Q)rm -f wolfboot.bin wolfboot.elf wolfboot.map test-update.rom wolfboot.hex wolfboot.srec factory.srec

arch.mk

@@ -353,13 +353,13 @@ else
         OBJS+=hal/stm32_tz.o
       endif
       CFLAGS+=-mcmse
+      SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wolfboot_tz_nsc.o
       ifeq ($(WOLFCRYPT_TZ),1)
         CORTEXM_ARM_EXTRA_OBJS=
         CORTEXM_ARM_EXTRA_CFLAGS=
         SECURE_OBJS+=./src/wc_callable.o
         WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o
         CFLAGS+=-DWOLFCRYPT_SECURE_MODE
-        SECURE_LDFLAGS+=-Wl,--cmse-implib -Wl,--out-implib=./src/wc_secure_calls.o
       endif
     endif # TZEN=1
       ifeq ($(SPMATH),1)

cmake/wolfboot.cmake

@@ -52,8 +52,8 @@ function(gen_wolfboot_platform_target PLATFORM_NAME LINKER_SCRIPT_TARGET)
                           ${LINKER_SCRIPT_TARGET})
 
     # TrustZone import library (generated by the linker via --out-implib)
-    if(TZEN AND WOLFCRYPT_TZ)
-        set(_wcs_implib "${CMAKE_BINARY_DIR}/wc_secure_calls.o")
+    if(TZEN)
+        set(_wcs_implib "${CMAKE_BINARY_DIR}/wolfboot_tz_nsc.o")
         add_custom_command(TARGET wolfboot_${PLATFORM_NAME} POST_BUILD
             BYPRODUCTS "${_wcs_implib}"
             COMMAND ${CMAKE_COMMAND} -E true

docs/API.md

@@ -78,6 +78,8 @@ secure domain. For this purpose, wolfBoot provides Non-Secure Callable (NSC)
 APIs that allow code running in the non-secure domain to call into the secure
 domain managed by wolfBoot.
 
+When `TZEN=1` is enabled, these APIs are available to non-secure applications.
+
 These APIs are listed below.
 
 - `void wolfBoot_nsc_success(void)`: wrapper for `wolfBoot_success()`

include/wolfboot/wolfboot.h

@@ -576,7 +576,7 @@ int wolfBoot_set_encrypt_key(const uint8_t *key, const uint8_t *nonce);
 int wolfBoot_get_encrypt_key(uint8_t *key, uint8_t *nonce);
 int wolfBoot_erase_encrypt_key(void);
 
-#if !defined(__WOLFBOOT) && defined(WOLFCRYPT_SECURE_MODE)
+#if !defined(__WOLFBOOT) && defined(TZEN)
 
 /* Applications can access update success/trigger and flash erase/write
  * via non-secure callable, to facilitate updates
@@ -615,7 +615,7 @@ int wolfBoot_nsc_erase_update(uint32_t address, uint32_t len);
 CSME_NSE_API
 int wolfBoot_nsc_write_update(uint32_t address, const uint8_t *buf, uint32_t len);
 
-#endif /* !__WOLFBOOT && WOLFCRYPT_SECURE_MODE */
+#endif /* !__WOLFBOOT && TZEN */
 
 
 #ifdef __cplusplus

src/libwolfboot.c

@@ -2330,7 +2330,7 @@ int wolfBoot_ram_decrypt(uint8_t *src, uint8_t *dst)
 #endif /* MMU */
 #endif /* EXT_ENCRYPTED */
 
-#if defined(__WOLFBOOT) && defined(WOLFCRYPT_SECURE_MODE)
+#if defined(__WOLFBOOT) && defined(TZEN)
 CSME_NSE_API
 void wolfBoot_nsc_success(void)
 {
@@ -2386,4 +2386,4 @@ int wolfBoot_nsc_write_update(uint32_t address, const uint8_t *buf, uint32_t len
     return ret;
 }
 
-#endif
+#endif /* __WOLFBOOT && TZEN */

test-app/CMakeLists.txt

@@ -176,7 +176,7 @@ if(BUILD_TEST_APPS)
         target_include_directories(image PRIVATE ../lib/wolfPKCS11)
     endif()
 
-    # For TrustZone builds, avoid linking the bootloader lib (it defines NSC stubs).
+    # wolfCrypt TrustZone test builds provide extra secure-call wrappers directly.
     if(TZEN AND WOLFCRYPT_TZ)
         target_sources(image PRIVATE ../src/libwolfboot.c)
         if(NOT SIGN STREQUAL "NONE")
@@ -189,11 +189,15 @@ if(BUILD_TEST_APPS)
         target_link_libraries(image PRIVATE wolfboot wolfboothal public_key target)
     endif()
 
-    # For TrustZone builds, the test app is a non-secure application
-    if(TZEN AND WOLFCRYPT_TZ)
-        list(APPEND TEST_APP_COMPILE_DEFINITIONS NONSECURE_APP WOLFBOOT_SECURE_CALLS)
+    # For TrustZone builds, the test app is a non-secure application and links
+    # the CMSE import library generated from the secure bootloader veneers.
+    if(TZEN)
+        list(APPEND TEST_APP_COMPILE_DEFINITIONS NONSECURE_APP)
         add_dependencies(image wolfboot_${PLATFORM_NAME})
-        target_link_libraries(image PRIVATE ${CMAKE_BINARY_DIR}/wc_secure_calls.o)
+        target_link_libraries(image PRIVATE ${CMAKE_BINARY_DIR}/wolfboot_tz_nsc.o)
+    endif()
+    if(TZEN AND WOLFCRYPT_TZ)
+        list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_SECURE_CALLS)
     endif()
 
     if(WOLFCRYPT_TZ_PKCS11)

test-app/Makefile

@@ -165,9 +165,9 @@ ifeq ($(TZEN),1)
     CFLAGS+=-DNONSECURE_APP
     CFLAGS+=-I./
     APP_OBJS+=../hal/$(TARGET)_ns.o
+    APP_OBJS+=../src/wolfboot_tz_nsc.o
     ifeq ($(WOLFCRYPT_TZ),1)
         CFLAGS+=-I"$(WOLFBOOT_LIB_WOLFSSL)"
-        APP_OBJS+=../src/wc_secure_calls.o
         WOLFCRYPT_APP_OBJS+=\
             $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/memory.o \
             $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/hash.o \
@@ -191,11 +191,6 @@ ifeq ($(TZEN),1)
             $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/wolfentropy.o \
             $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/dh.o \
             $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/wc_encrypt.o
-        ifeq ($(TEST_APP_NO_RNG),1)
-            CFLAGS+=-DWC_NO_RNG
-        else
-            WOLFCRYPT_APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o
-        endif
         ifeq ($(WOLFCRYPT_TZ_PKCS11),1)
             CFLAGS+=-DWOLFSSL_USER_SETTINGS -DWOLFTPM_USER_SETTINGS
             CFLAGS+=-DWOLFBOOT_PKCS11_APP -DSECURE_PKCS11 -DWOLFBOOT_TZ_PKCS11
@@ -234,6 +229,12 @@ ifeq ($(TZEN),1)
                 APP_OBJS+=./wcs/sp_cortexm.o
               endif
             endif
+        else
+            ifeq ($(TEST_APP_NO_RNG),1)
+                CFLAGS+=-DWC_NO_RNG
+            else
+                WOLFCRYPT_APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o
+            endif
         endif
         CFLAGS+=-DWOLFBOOT_SECURE_CALLS -Wstack-usage=19184
         LDFLAGS+=--specs=nosys.specs -u _printf_float

test-app/app_mcxn.c

@@ -83,7 +83,7 @@ void main(void)
 
     hal_init();
 
-#ifdef WOLFCRYPT_SECURE_MODE
+#ifdef TZEN
     boot_ver = wolfBoot_nsc_current_firmware_version();
 #else
     boot_ver = wolfBoot_current_firmware_version();
@@ -107,7 +107,7 @@ void main(void)
         /* Blue off */
         gpio_init_output(GPIO1, PORT1, kCLOCK_Gpio1, kCLOCK_Port1, 2U, 1U);
 
-#ifdef WOLFCRYPT_SECURE_MODE
+#ifdef TZEN
         wolfBoot_nsc_success();
 #else
         wolfBoot_success();