@@ -138,13 +138,14 @@ int CSME_NSE_API wcs_wolfhsm_transmit(const uint8_t *cmd, uint32_t cmdSz,
138138 /* The caller is the non-secure world. Validate every caller-supplied
139139 * pointer references non-secure memory before dereferencing it, so a
140140 * compromised NS app cannot trick the secure side into reading or
141- * writing through a secure-world pointer. Check the SAU/IDAU security
142- * attribution only (CMSE_AU_NONSECURE); the NS MPU is not configured in
143- * this demo, so an MPU-based permission check would reject valid
144- * buffers. rspSz is checked first since it is dereferenced below to
145- * obtain the response capacity. */
141+ * writing through a secure-world pointer. Use CMSE_NONSECURE to match the
142+ * sibling veneers (fwtpm_callable.c, pkcs11_callable.c, wc_callable.c):
143+ * the relevant property is the Secure/Non-secure attribution (SAU/IDAU);
144+ * the MPU read/write bits read back as 0 when NO_MPU is set and do not
145+ * constrain Secure accesses to NS memory anyway. rspSz is checked first
146+ * since it is dereferenced below to obtain the response capacity. */
146147 if (cmse_check_address_range ((void * )rspSz , sizeof (* rspSz ),
147- CMSE_AU_NONSECURE ) == NULL ) {
148+ CMSE_NONSECURE ) == NULL ) {
148149 return WH_ERROR_BADARGS ;
149150 }
150151 /* single-fetch *rspSz so it cannot be re-read after validation */
@@ -159,12 +160,12 @@ int CSME_NSE_API wcs_wolfhsm_transmit(const uint8_t *cmd, uint32_t cmdSz,
159160 return WH_ERROR_BADARGS ;
160161 }
161162 if (cmse_check_address_range ((void * )cmd , cmdSz ,
162- CMSE_AU_NONSECURE ) == NULL ) {
163+ CMSE_NONSECURE ) == NULL ) {
163164 * rspSz = 0 ;
164165 return WH_ERROR_BADARGS ;
165166 }
166167 if (cmse_check_address_range (rsp , rsp_capacity ,
167- CMSE_AU_NONSECURE ) == NULL ) {
168+ CMSE_NONSECURE ) == NULL ) {
168169 * rspSz = 0 ;
169170 return WH_ERROR_BADARGS ;
170171 }
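Review bot: The rationale in the rewritten comment (new lines 141–146 of the first hunk) does not describe what `CMSE_NONSECURE` actually checks, so a later reader may assume NS MPU permissions are enforced by these three calls. `CMSE_NONSECURE` is `CMSE_AU_NONSECURE | CMSE_MPU_NONSECURE`, and because no `CMSE_MPU_READ` or `CMSE_MPU_READWRITE` flag is passed the check still only tests that the range is attributed Non-secure — as far as I recall the libgcc implementation, the extra bit merely switches the lookup to TTA, so the range must additionally lie within a single NS MPU region; the read/write bits are never consulted, whether or not they read back as 0. Suggest saying that directly, e.g. replace the MPU sentence with `* CMSE_NONSECURE (= CMSE_AU_NONSECURE | CMSE_MPU_NONSECURE) still only tests S/NS attribution since no CMSE_MPU_READ/READWRITE flag is passed; the MPU bit just requires the range to fall within one NS MPU region.` The same applies to the `cmd` and `rsp` checks in the second hunk, where a future NS MPU configuration should add `CMSE_MPU_READ` for `cmd` and `CMSE_MPU_READWRITE` for `rsp` and `rspSz` (plus `CMSE_MPU_UNPRIV` if the NS caller runs unprivileged) so the secure side cannot be used as a confused deputy to touch NS memory the caller itself cannot reach; the body of `wcs_wolfhsm_transmit` continues outside both hunks.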