Add hardware-based DICE on mcxn

Author: yosuke-wolfssl

.github/workflows/test-configs.yml

@@ -273,6 +273,20 @@ jobs:
       config-file: ./config/examples/mcxn-wolfcrypt-tz.config
       board-name: frdmmcxn947
 
+  nxp_mcxn_tz_psa_test:
+    uses: ./.github/workflows/test-build-mcux-sdk-manifests.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/mcxn-tz-psa.config
+      board-name: frdmmcxn947
+
+  nxp_mcxn_tz_psa_hw_test:
+    uses: ./.github/workflows/test-build-mcux-sdk-manifests.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/mcxn-tz-psa-hw.config
+      board-name: frdmmcxn947
+
   nxp_s32k142_test:
     uses: ./.github/workflows/test-build.yml
     with:

arch.mk

@@ -974,6 +974,20 @@ ifeq ($(TARGET),mcxn)
       $(MCUXPRESSO)/drivers/lpuart/fsl_lpuart.o \
       $(MCUXPRESSO_DRIVERS)/drivers/fsl_reset.o
   endif
+
+  ifeq ($(WOLFCRYPT_TZ_PSA),1)
+    ELS_PKC=$(MCUXPRESSO)/components/els_pkc
+    CFLAGS+=\
+      -I$(ELS_PKC)/includes \
+      -I$(ELS_PKC)/src/comps/mcuxClEls/inc \
+      -I$(ELS_PKC)/src/platforms/mcxn \
+      -I$(ELS_PKC)/src/platforms/mcxn/inc
+    OBJS+=\
+      $(ELS_PKC)/src/comps/mcuxClEls/src/mcuxClEls_Common.o \
+      $(ELS_PKC)/src/comps/mcuxClEls/src/mcuxClEls_Kdf.o \
+      $(ELS_PKC)/src/comps/mcuxClEls/src/mcuxClEls_KeyManagement.o \
+      $(ELS_PKC)/src/comps/mcuxClEls/src/mcuxClEls_Ecc.o
+  endif
 endif
 
 ifeq ($(TARGET),nrf5340)

config/examples/mcxn-tz-psa-hw.config

@@ -0,0 +1,50 @@
+ARCH?=ARM
+TZEN?=1
+TARGET?=mcxn
+SIGN?=ECC384
+HASH?=SHA384
+MCUXSDK?=1
+MCUXPRESSO?=$(PWD)/../NXP/mcuxpresso-sdk/mcuxsdk
+MCUXPRESSO_CMSIS?=$(PWD)/../NXP/CMSIS_5/CMSIS
+MCUXPRESSO_CPU?=MCXN947VDF_cm33_core0
+MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/MCX/MCXN/MCXN947
+MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/frdmmcxn947/project_template
+DEBUG?=0
+DEBUG_UART?=1
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+NO_ARM_ASM=1
+WOLFBOOT_VERSION?=0
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+DUALBANK_SWAP?=0
+PKA?=1
+WOLFCRYPT_TZ?=1
+WOLFCRYPT_TZ_PSA?=1
+WOLFCRYPT_SECURE_MODE?=1
+WOLFBOOT_DICE_HW?=1
+IMAGE_HEADER_SIZE?=1024
+WOLFBOOT_ATTESTATION_TEST?=1
+WOLFBOOT_UDS_UID_FALLBACK_FORTEST?=0
+
+# 8KB sectors
+WOLFBOOT_SECTOR_SIZE?=0x2000
+
+# Default configuration
+# 192KB boot, 96KB keyvault, 8KB NSC, 72KB partitions, 8KB swap
+WOLFBOOT_KEYVAULT_ADDRESS?=0x30000
+WOLFBOOT_KEYVAULT_SIZE?=0x18000
+WOLFBOOT_NSC_ADDRESS?=0x48000
+WOLFBOOT_NSC_SIZE?=0x2000
+WOLFBOOT_PARTITION_SIZE?=0x12000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x60000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x72000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x84000

config/examples/mcxn-tz-psa.config

@@ -0,0 +1,50 @@
+ARCH?=ARM
+TZEN?=1
+TARGET?=mcxn
+SIGN?=ECC384
+HASH?=SHA384
+MCUXSDK?=1
+MCUXPRESSO?=$(PWD)/../NXP/mcuxpresso-sdk/mcuxsdk
+MCUXPRESSO_CMSIS?=$(PWD)/../NXP/CMSIS_5/CMSIS
+MCUXPRESSO_CPU?=MCXN947VDF_cm33_core0
+MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/MCX/MCXN/MCXN947
+MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/frdmmcxn947/project_template
+DEBUG?=0
+DEBUG_UART?=1
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+NO_ARM_ASM=1
+WOLFBOOT_VERSION?=0
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+DUALBANK_SWAP?=0
+PKA?=1
+WOLFCRYPT_TZ?=1
+WOLFCRYPT_TZ_PSA?=1
+WOLFCRYPT_SECURE_MODE?=1
+WOLFBOOT_DICE_HW?=0
+IMAGE_HEADER_SIZE?=1024
+WOLFBOOT_ATTESTATION_TEST?=1
+WOLFBOOT_UDS_UID_FALLBACK_FORTEST?=1
+
+# 8KB sectors
+WOLFBOOT_SECTOR_SIZE?=0x2000
+
+# Default configuration
+# 192KB boot, 96KB keyvault, 8KB NSC, 72KB partitions, 8KB swap
+WOLFBOOT_KEYVAULT_ADDRESS?=0x30000
+WOLFBOOT_KEYVAULT_SIZE?=0x18000
+WOLFBOOT_NSC_ADDRESS?=0x48000
+WOLFBOOT_NSC_SIZE?=0x2000
+WOLFBOOT_PARTITION_SIZE?=0x12000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x60000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x72000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x84000

docs/DICE.md

@@ -34,7 +34,7 @@ measurement value, and a description string.
 
 ## Keying model
 
-wolfBoot supports two keying modes selected at build time.
+wolfBoot supports three keying modes selected at build time.
 
 ### DICE derived key (default for no provisioning)
 
@@ -55,6 +55,17 @@ The attestation service calls `hal_attestation_get_iak_private_key()` to
 retrieve the private key material from secure storage (or a manufacturer
 injection flow). The IAK is used instead of the DICE derived key.
 
+### Hardware-based DICE derived key
+
+Some platforms have secure subsystem which supports hardware engines for DICE functionality.
+Some of them don't expose the secrets like UDS, CDI and attestation key.
+In that case, You can enable hardware-based DICE using `WOLFBOOT_DICE_HW` option.
+
+wolfBoot calls `hal_dice_update_cdi()` to update CDI inside secure subsystem for each component.
+Also, `hal_dice_create_attest_key()` is called to derive the attestation key from updated CDI as well.
+Then, wolfBoot uses `hal_dice_sign_hash` to sign the token.
+User can implement hardware-specific procedures inside the hooks.
+
 ## HAL integration (per-target)
 
 These HAL hooks are optional and have weak stubs for non-TZ boards. Target
@@ -76,6 +87,21 @@ families must implement the appropriate subset based on hardware support.
 - `hal_attestation_get_iak_private_key(uint8_t *buf, size_t *len)`
   - Optional provisioned IAK private key (used in IAK mode only).
 
+If you enable hardware-based DICE, additional hooks are necessary.
+
+- ` hal_dice_update_cdi(const uint8_t *measurement, size_t meas_len, const char *measurement_desc, size_t measurement_desc_len)`
+  - Mixes one boot-component measurement into the platform CDI chain. 
+  - measurement_desc identifies the component (e.g. "wolfboot", "boot-image").
+- `hal_dice_create_attest_key(void)`
+  - Derive and store the attestation key pair from the current CDI state.
+  - The private key must not be exposed outside the platform security boundary.
+- `hal_dice_sign_hash(const uint8_t *hash, size_t hash_len, uint8_t *sig, size_t *sig_len)` 
+  - Sign a pre-computed SHA-256 hash with the platform private attestation key during token generation.
+  - Output: 64-byte raw R||S (big-endian), same format as wolfCrypt ES256.
+- `hal_dice_get_attest_pubkey(uint8_t *buf, size_t *len)`
+  - Optional hook to get the public part of attestation key.
+  - This is called via PSA Initial Attestation dispatch `psa_initial_attest_get_iak_pubkey()`.
+
 ## STM32H5 OBKeys UDS (optional)
 
 STM32H5 devices provide OBKeys secure storage areas tied to temporal isolation
@@ -103,6 +129,7 @@ The non-secure application calls the PSA Initial Attestation API wrappers:
 
 - `psa_initial_attest_get_token_size()`
 - `psa_initial_attest_get_token()`
+- `psa_initial_attest_get_iak_pubkey()`
 
 These are provided in `zephyr/include/psa/initial_attestation.h` and are
 implemented as NSC calls in `zephyr/src/arm_tee_attest_api.c`.
@@ -114,9 +141,15 @@ When `WOLFCRYPT_TZ_PSA=1`, the NS application can also use PSA Crypto through
 
 ## Test application
 
+### STM32H5
 The STM32H5 TrustZone test application in `test-app/` exercises PSA crypto,
 attestation, and store access. It requests a token at boot and can perform
 PSA crypto operations from the non-secure side.
 
 See `docs/Targets.md` for the STM32H5 TrustZone scenarios and how to enable
 PSA mode.
+
+### MCXN
+MCXN has TrustZone test application in `test-app/` exercises PSA attestation.
+Default setting is based on hardware secure subsystem called EdgeLock Secure Subsystem.
+See `docs/Targets.md` and `docs/MCXN947-DICE.md` for details.

docs/MCXN947-DICE.md

@@ -0,0 +1,79 @@
+# DICE attestation sample on MCXN947
+
+General concept of wolfBoot in TrustZone secure domain is explained in `docs/STM32-TZ.md`.
+This focuses on a sample of PSA initial attestation for MCXN947.
+Sample application is implemented in `test-app/app_mcxn.c`.
+This supports hardware-based DICE using EdgeLock Secure Subsystem.
+
+## How to build
+Please use `config/examples/mcxn-tz-psa-hw.config` to build wolfBoot.
+You need to update the path of SDK inside the config for your build environment.
+```
+cp config/examples/mcxn-tz-psa-hw.config .config
+make
+```
+
+## How to run
+MCXN947 requires us to enable secure boot to use DICE functionality of ELS.
+So, We need to prepare the specific image file of wolfBoot binary and configuration files of CMPA/CFPA for secure bootROM and ELS.
+Fortunately NXP provides the [secure provisioning tool](https://www.nxp.com/design/design-center/software/development-software/mcuxpresso-software-and-tools-/mcuxpresso-secure-provisioning-tool:MCUXPRESSO-SECURE-PROVISIONING) for such purpose.
+
+At a minimum, you shall configure the following settings and encode the image with signature:
+- Enable Image verification for secure boot (SEC_BOOT_EN == 0b10)
+- Enable DICE (SKIP_DICE == 0b0)
+All of these can be done using the NXP secure provisioning tool.
+
+If you use secure provisioning tool, you can download the prepared image with configuration files to hardware as well.
+Regarding to application image like image_v1_signed.bin, we don't need to encode it like the wolfBoot binary because it's verified by wolfBoot as usual.
+But, we still recommend you to download the application image using the flash programmer tool in the secure provisioning tool for a safe download. You can access it via `Tools > Flash Programmer` on GUI.
+
+Once both images are downloaded successfully, you'll see the log after reboot:
+```
+Boot partition: 0x60000 (sz 31508, ver 0x1, type 0x601)
+Partition 1 header magic 0xFFFFFFFF invalid at 0x72000
+Boot partition: 0x60000 (sz 31508, ver 0x1, type 0x601)
+Booting version: 0x1
+Checking integrity...done
+Verifying signature...done
+Hello from firmware version 1
+Today's lucky number: 0xAF
+PSA crypto init ok
+Start attestation verify test
+[ATTEST] GET_TOKEN: challenge_len=32 out_len=1024
+Boot partition: 0x60000 (sz 31508, ver 0x1, type 0x601)
+Boot partition: 0x60000 (sz 31508, ver 0x1, type 0x601)
+[ATTEST] GET_TOKEN: dice_rc=0 token_len=356
+attest_verify: token_len=356
+        84 43 A1 01 26 A0 59 01 19 A5 0A 58 20 01 02 03 | .C..&.Y....X ...
+        04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 | ................
+        14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 19 01 00 | ............ ...
+        58 21 01 AD 74 46 22 0C D0 5B 7A 1B 33 5E 37 28 | X!..tF"..[z.3^7(
+        0A 54 E6 DF 55 5B 40 A4 57 A0 43 0A 6D A5 AB E7 | .T..U[@.W.C.m...
+        5A 2B 5F 19 09 5C 58 30 E4 F9 83 72 7F A9 C5 CE | Z+_..\X0...r....
+        DD E0 79 A0 AD 0E 32 59 0A EA D3 10 43 BA 12 DD | ..y...2Y....C...
+        76 47 59 D1 42 8B 3A 75 F2 7E 75 CF 7D EE A2 B9 | vGY.B.:u.~u.}...
+        AA AB 7E E9 91 27 F7 21 19 09 5E 19 30 00 19 09 | ..~..'.!..^.0...
+        5F 82 A3 01 67 73 68 61 2D 33 38 34 02 58 30 E4 | _...gsha-384.X0.
+        F9 83 72 7F A9 C5 CE DD E0 79 A0 AD 0E 32 59 0A | ..r......y...2Y.
+        EA D3 10 43 BA 12 DD 76 47 59 D1 42 8B 3A 75 F2 | ...C...vGY.B.:u.
+        7E 75 CF 7D EE A2 B9 AA AB 7E E9 91 27 F7 21 05 | ~u.}.....~..'.!.
+        68 77 6F 6C 66 62 6F 6F 74 A3 01 67 73 68 61 2D | hwolfboot..gsha-
+        33 38 34 02 58 30 D4 F2 89 AD E4 4E 6E EB F4 C6 | 384.X0.....Nn...
+        7D 24 13 AD 6C E6 DC A6 E9 FC 67 4F CC CB DE 52 | }$..l.....gO...R
+        4D FD E2 73 9D 2A D7 B3 DD DF B8 51 F4 43 C5 59 | M..s.*.....Q.C.Y
+        48 8A 30 46 D7 E3 05 6A 62 6F 6F 74 2D 69 6D 61 | H.0F...jboot-ima
+        67 65 58 40 E8 3F 76 44 15 7C 62 76 33 56 6D F7 | geX@.?vD.|bv3Vm.
+        2B E1 57 40 C4 F1 7D 21 D3 E9 90 57 25 8F A3 14 | +.W@..}!...W%...
+        44 ED 1B CE 01 CA EF 52 6B 41 4C 44 DF 4E 04 D4 | D......RkALD.N..
+        AA CC A8 7F 20 3D AA 39 CA 3A 9F C2 B1 C0 28 43 | .... =.9.:....(C
+        DF BB 82 53                                     | ...S
+[ATTEST] GET_IAK_PUBKEY: out_len=65
+[ATTEST] GET_IAK_PUBKEY: dice_rc=0 key_len=65
+attest_verify: IAK pubkey (65 bytes):
+        04 42 9B 43 75 BE B0 E9 A0 39 61 64 68 20 1E FC | .B.Cu....9adh ..
+        B6 68 F4 3E 25 74 F1 E2 CB 3D BD 09 A6 45 A7 E2 | .h.>%t...=...E..
+        6F E1 54 B8 20 61 96 79 6A E8 31 83 3A 82 DE 1C | o.T. a.yj.1.:...
+        87 46 E1 45 49 3D 6F 56 78 F4 14 B6 42 47 DD F1 | .F.EI=oVx...BG..
+        AC                                              | .
+attest_verify: IAK signature verified OK
+```

docs/Targets.md

@@ -6107,6 +6107,9 @@ mon reset
 c
 ```
 
+### MCX N: DICE attestation
+Sample application for DICE attestation is available on MCXN947.
+Please find the details in `docs/MCXN947-DICE.md`.
 
 ## NXP S32K1XX
 

hal/hal.c

@@ -321,3 +321,38 @@ WEAKFUNCTION int hal_attestation_get_iak_private_key(uint8_t *buf, size_t *len)
     (void)len;
     return -1;
 }
+
+#ifdef WOLFBOOT_DICE_HW
+WEAKFUNCTION int hal_dice_update_cdi(const uint8_t *measurement, size_t meas_len,
+                                     const char *measurement_desc,
+                                     size_t measurement_desc_len)
+{
+    (void)measurement;
+    (void)meas_len;
+    (void)measurement_desc;
+    (void)measurement_desc_len;
+    return -1;
+}
+
+WEAKFUNCTION int hal_dice_create_attest_key(void)
+{
+    return -1;
+}
+
+WEAKFUNCTION int hal_dice_sign_hash(const uint8_t *hash, size_t hash_len,
+                                    uint8_t *sig, size_t *sig_len)
+{
+    (void)hash;
+    (void)hash_len;
+    (void)sig;
+    (void)sig_len;
+    return -1;
+}
+
+WEAKFUNCTION int hal_dice_get_attest_pubkey(uint8_t *buf, size_t *len)
+{
+    (void)buf;
+    (void)len;
+    return -1;
+}
+#endif /* WOLFBOOT_DICE_HW */