stm32h5: cede SRAM2 + clear GPIO SECCFGR for NS apps (TZEN=1)

Author: dgarske

hal/stm32_tz.c

@@ -209,14 +209,20 @@ void hal_gtzc_init(void)
      * 0: Non-secure access only to block
      */
 
-    /* Configure SRAM1 as secure (Low 256 KB) */
+    /* Configure SRAM1 as secure (Low 256 KB).
+     * wolfBoot links its own RAM/RAM_HEAP into the SRAM1 secure alias
+     * (0x30000000-0x3003FFFF, see hal/stm32h5.ld), so SRAM1 must stay
+     * secure for wolfBoot's .bss/stack/heap to remain accessible. */
     for (i = 0; i < 16; i++) {
         SET_GTZC1_MPCBBx_SECCFGR_VCTR(1, i, 0xFFFFFFFF);
     }
 
-    /* Configure SRAM2 as secure (64 KB) */
+    /* Configure SRAM2 as non-secure (64 KB).
+     * wolfBoot does not use SRAM2; ceding it to the NS application
+     * widens the NS RAM window from 320 KB (SRAM3 only) to 384 KB
+     * (SRAM2 + SRAM3). */
     for (i = 0; i < 4; i++) {
-        SET_GTZC1_MPCBBx_SECCFGR_VCTR(2, i, 0xFFFFFFFF);
+        SET_GTZC1_MPCBBx_SECCFGR_VCTR(2, i, 0x0);
     }
 
     /* Configure SRAM3 as non-secure (320 KB) */
@@ -310,8 +316,11 @@ void hal_tz_sau_init(void)
     sau_init_region(1, WOLFBOOT_PARTITION_BOOT_ADDRESS,
             WOLFBOOT_PARTITION_BOOT_ADDRESS + WOLFBOOT_PARTITION_SIZE - 1, 0);
 
-    /* Non-secure RAM region */
-    sau_init_region(2, 0x20050000, 0x2009FFFF, 0);
+    /* Non-secure RAM region: SRAM2 (64 KB) + SRAM3 (320 KB).
+     * Lower bound widened from 0x20050000 to 0x20040000 to cover SRAM2,
+     * which hal_gtzc_init also leaves non-secure. SRAM1 (0x20000000-
+     * 0x2003FFFF) stays secure for wolfBoot's own RAM/heap. */
+    sau_init_region(2, 0x20040000, 0x2009FFFF, 0);
 
     /* Non-secure: internal peripherals */
     sau_init_region(3, 0x40000000, 0x4FFFFFFF, 0);

hal/stm32h5.c

@@ -642,6 +642,23 @@ static void periph_unsecure(void)
     nvic_reg_off = NVIC_USART3_IRQ % 32;
     nvic_itns = ((volatile uint32_t *)(NVIC_ITNS_BASE + 4 * nvic_reg_pos));
     *nvic_itns |= (1 << nvic_reg_off);
+
+    /* H5 product state with TZEN=1 defaults every GPIO pin to secure
+     * via GPIOx_SECCFGR (offset 0x30 in each GPIO block, all 16 bits
+     * = 0xFFFF at reset). Until those bits are cleared, NS code can't
+     * read or write the pin's MODER/AFR/ODR, and the corresponding
+     * clock-enable bit in RCC_AHB2ENR is masked from the NS side.
+     *
+     * Clear SECCFGR for every pin on the ports the wolfIP NS app uses
+     * (RMII + USART3 + LED), then enable GPIOG's clock (the existing
+     * code only covered A/B/C/D). PD8 (USART3 TX) is already cleared
+     * above, but covering all of GPIOD is harmless. */
+    GPIO_SECCFGR(GPIOA_BASE) = 0u;
+    GPIO_SECCFGR(GPIOB_BASE) = 0u;
+    GPIO_SECCFGR(GPIOC_BASE) = 0u;
+    GPIO_SECCFGR(GPIOD_BASE) = 0u;
+    GPIO_SECCFGR(GPIOG_BASE) = 0u;
+    RCC_AHB2_CLOCK_ER |= GPIOG_AHB2_CLOCK_ER;
 }
 #endif /* TZ_SECURE() */