Add WOLFCRYPT_TZ_WOLFHSM scaffolding for STM32H5

  - New WOLFCRYPT_TZ_WOLFHSM build flag, mutually exclusive with
    WOLFCRYPT_TZ_PKCS11 / _PSA / _FWTPM
  - Extract WOLFHSM_CLIENT_OBJS and WOLFHSM_SERVER_OBJS shared
    variables; legacy WOLFHSM_CLIENT/SERVER blocks now reference them
    to share file lists with the new TZ engine
  - New config/examples/stm32h5-tz-wolfhsm.config (one-line delta
    from stm32h5-tz-fwtpm.config)
  - NS test-app RNG seed routes through wcs_get_random (same pattern
    as PKCS11 / fwTPM)

  No NSC entries or wolfHSM-specific code yet — Phase 0 only wires up
  the build flag and validates existing-engine compatibility. Builds
  cleanly with stm32h5-tz-wolfhsm.config; existing TZ configs and the
  sim wolfHSM client/server configs continue to build.

  The four files to stage:
  - options.mk (mutex guards, shared-vars refactor, TZ_WOLFHSM block)
  - test-app/Makefile (NS-side TZ_WOLFHSM block + alias)
  - test-app/wcs/user_settings.h (RNG seed CFG)
  - config/examples/stm32h5-tz-wolfhsm.config (new)

Author: aidangarske

config/examples/stm32h5-tz-wolfhsm.config

@@ -0,0 +1,35 @@
+ARCH?=ARM
+TZEN?=1
+TARGET?=stm32h5
+SIGN?=ECC256
+HASH?=SHA256
+DEBUG?=0
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+WOLFBOOT_VERSION?=1
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+DUALBANK_SWAP?=0
+WOLFBOOT_PARTITION_SIZE?=0xA0000
+WOLFBOOT_SECTOR_SIZE?=0x2000
+WOLFBOOT_KEYVAULT_ADDRESS?=0x0C040000
+WOLFBOOT_KEYVAULT_SIZE?=0x1C000
+WOLFBOOT_NSC_ADDRESS?=0x0C05C000
+WOLFBOOT_NSC_SIZE?=0x4000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08060000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x0C100000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x0C1A0000
+FLAGS_HOME=0
+DISABLE_BACKUP=0
+WOLFCRYPT_TZ=1
+WOLFCRYPT_TZ_WOLFHSM=1
+IMAGE_HEADER_SIZE?=1024
+ARMORED=1

options.mk

@@ -919,12 +919,24 @@ ifeq ($(WOLFCRYPT_TZ_PKCS11),1)
   ifeq ($(WOLFCRYPT_TZ_FWTPM),1)
     $(error WOLFCRYPT_TZ_PKCS11 and WOLFCRYPT_TZ_FWTPM are mutually exclusive)
   endif
+  ifeq ($(WOLFCRYPT_TZ_WOLFHSM),1)
+    $(error WOLFCRYPT_TZ_PKCS11 and WOLFCRYPT_TZ_WOLFHSM are mutually exclusive)
+  endif
 endif
 
 ifeq ($(WOLFCRYPT_TZ_PSA),1)
   ifeq ($(WOLFCRYPT_TZ_FWTPM),1)
     $(error WOLFCRYPT_TZ_PSA and WOLFCRYPT_TZ_FWTPM are mutually exclusive)
   endif
+  ifeq ($(WOLFCRYPT_TZ_WOLFHSM),1)
+    $(error WOLFCRYPT_TZ_PSA and WOLFCRYPT_TZ_WOLFHSM are mutually exclusive)
+  endif
+endif
+
+ifeq ($(WOLFCRYPT_TZ_FWTPM),1)
+  ifeq ($(WOLFCRYPT_TZ_WOLFHSM),1)
+    $(error WOLFCRYPT_TZ_FWTPM and WOLFCRYPT_TZ_WOLFHSM are mutually exclusive)
+  endif
 endif
 
 ifeq ($(WOLFCRYPT_TZ_PKCS11),1)
@@ -1078,6 +1090,22 @@ ifeq ($(WOLFCRYPT_TZ_FWTPM),1)
   STACK_USAGE=20000
 endif
 
+ifeq ($(WOLFCRYPT_TZ_WOLFHSM),1)
+  CFLAGS+=-DWOLFCRYPT_TZ_WOLFHSM
+  CFLAGS+=-DWOLFCRYPT_SECURE_MODE
+  CFLAGS+=-DWOLFHSM_CFG_ENABLE_SERVER
+  CFLAGS+=-DWOLFHSM_CFG_COMM_DATA_LEN=1280
+  CFLAGS+=-I"$(WOLFBOOT_LIB_WOLFHSM)"
+  ifeq ($(USE_CLANG),1)
+    CLANG_MULTILIB_FLAGS:=$(filter -mthumb -mlittle-endian,$(LDFLAGS)) $(filter -mcpu=%,$(CFLAGS))
+    LIBS+=$(shell $(CLANG_GCC_NAME) $(CLANG_MULTILIB_FLAGS) -print-file-name=libc.a)
+    LIBS+=$(shell $(CLANG_GCC_NAME) $(CLANG_MULTILIB_FLAGS) -print-libgcc-file-name)
+  else
+    LDFLAGS+=--specs=nano.specs
+  endif
+  STACK_USAGE=20000
+endif
+
 OBJS+=$(PUBLIC_KEY_OBJS)
 ifneq ($(STAGE1),1)
   OBJS+=$(UPDATE_OBJS)
@@ -1273,6 +1301,44 @@ ifneq ($(WOLFBOOT_PART_ID),)
   SIGN_OPTIONS+=--id $(WOLFBOOT_PART_ID)
 endif
 
+# Shared wolfHSM client/server object lists. Both the legacy WOLFHSM_CLIENT=1 /
+# WOLFHSM_SERVER=1 flags and the WOLFCRYPT_TZ_WOLFHSM=1 TZ engine reference
+# these to avoid object-list duplication.
+WOLFHSM_CLIENT_OBJS := \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_nvm.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_cryptocb.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_crypto.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_dma.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_crypto.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_dma.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_utils.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_comm.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_comm.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_nvm.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_customcb.o
+
+WOLFHSM_SERVER_OBJS := \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_utils.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_comm.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm_flash.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_keyid.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_flash_unit.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_crypto.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_nvm.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_crypto.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_counter.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_keystore.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_customcb.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_customcb.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_keystore.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_crypto.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_counter.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_nvm.o \
+  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_comm.o
+
 # wolfHSM client options
 ifeq ($(WOLFHSM_CLIENT),1)
   WOLFCRYPT_OBJS += \
@@ -1289,19 +1355,7 @@ ifeq ($(WOLFHSM_CLIENT),1)
     CFLAGS += -DWOLFHSM_CFG_COMM_DATA_LEN=5000
   endif
 
-  WOLFHSM_OBJS += \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_nvm.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_cryptocb.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_crypto.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_dma.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_crypto.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_dma.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_utils.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_comm.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_comm.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_nvm.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_customcb.o
+  WOLFHSM_OBJS += $(WOLFHSM_CLIENT_OBJS)
   #includes
   CFLAGS += -I"$(WOLFBOOT_LIB_WOLFHSM)"
   # defines
@@ -1341,26 +1395,7 @@ ifeq ($(WOLFHSM_SERVER),1)
     CFLAGS += -DWOLFHSM_CFG_COMM_DATA_LEN=5000
   endif
 
-  WOLFHSM_OBJS += \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_utils.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_comm.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm_flash.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_keyid.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_flash_unit.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_crypto.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_nvm.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_crypto.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_counter.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_keystore.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_customcb.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_customcb.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_keystore.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_crypto.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_counter.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_nvm.o \
-    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_comm.o
+  WOLFHSM_OBJS += $(WOLFHSM_SERVER_OBJS)
 
   #includes
   CFLAGS += -I"$(WOLFBOOT_LIB_WOLFHSM)"

test-app/Makefile

@@ -109,6 +109,11 @@ ifeq ($(WOLFCRYPT_TZ_FWTPM),1)
   WOLFCRYPT_TZ_FWTPM=1
 endif
 
+ifeq ($(WOLFCRYPT_TZ_WOLFHSM),1)
+  WOLFCRYPT_TZ=1
+  WOLFCRYPT_TZ_WOLFHSM=1
+endif
+
 # Setup default linker flags
 LDFLAGS+=-T $(LSCRIPT) -Wl,-gc-sections -Wl,-Map=image.map -nostartfiles
 
@@ -355,6 +360,12 @@ ifeq ($(TZEN),1)
             $(WOLFTPM_LOCAL_OBJDIR)/%, $(WOLFTPM_APP_OBJS))
         APP_OBJS+=$(sort $(WOLFTPM_APP_OBJS))
     endif
+    ifeq ($(WOLFCRYPT_TZ_WOLFHSM),1)
+        CFLAGS+=-DWOLFCRYPT_TZ_WOLFHSM
+        CFLAGS+=-DWOLFHSM_CFG_ENABLE_CLIENT
+        CFLAGS+=-DWOLFHSM_CFG_COMM_DATA_LEN=1280
+        CFLAGS+=-I"$(WOLFBOOT_LIB_WOLFHSM)"
+    endif
     WOLFCRYPT_APP_OBJS := $(patsubst $(WOLFBOOT_LIB_WOLFSSL)/%, \
         $(WOLFSSL_LOCAL_OBJDIR)/%, $(WOLFCRYPT_APP_OBJS))
     ifneq ($(WOLFCRYPT_TZ_PKCS11),1)

test-app/wcs/user_settings.h

@@ -156,7 +156,8 @@ extern int tolower(int c);
 #define HAVE_PKCS8
 #define HAVE_PKCS12
 
-#if defined(SECURE_PKCS11) || defined(WOLFBOOT_TZ_FWTPM)
+#if defined(SECURE_PKCS11) || defined(WOLFBOOT_TZ_FWTPM) || \
+    defined(WOLFCRYPT_TZ_WOLFHSM)
 
 static inline int wcs_cmse_get_random(unsigned char* output, int sz)
 {