STM32 BARE: cleanup pass -- diag docs and dead-code removal

dgarske · dgarske · commit 426414795bb4 · 2026-05-21T18:45:06.000-07:00
- Document the WC_STM32_PKA_DIAG and WC_STM32_SAES_DIAG opt-in debug
  gates near the top of the BARE block in stm32.c. Both go through the
  board's board_putc retarget and stay off by default; useful for
  diagnosing PKA init / op timeout / OUT_ERROR and AES/SAES CCF poll
  timeout when bringing up a new board.

- Remove the WOLFSSL_STM32_DHUK_FORCE_SAES_S diagnostic gate. It was
  added to test whether the DHUK NS-decrypt hang was caused by the
  SAES &lt;-&gt; SAES_NS alias choice on TZEN=0 silicon. The test returned
  a negative result -- the alias is not the gating factor -- so the
  gate has no remaining use. The hand-off in
  /tmp/stm32-dhuk-tz-harness-2026-05-19.md captures the conclusion
  and the next-step TZ path.

- Drop the orphan WOLFSSL_STM32_DHUK_FORCE_SAES_S entry from
  .wolfssl_known_macro_extras and re-verify LC_ALL=C lex order.
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
@@ -967,7 +967,6 @@ WOLFSSL_STM32C5
 WOLFSSL_STM32F3
 WOLFSSL_STM32F427_RNG
 WOLFSSL_STM32U0
-WOLFSSL_STM32_DHUK_FORCE_SAES_S
 WOLFSSL_STM32_DHUK_UNWRAP
 WOLFSSL_STRONGEST_HASH_SIG
 WOLFSSL_STSAFE_TAKES_SLOT
diff --git a/wolfcrypt/src/port/st/stm32.c b/wolfcrypt/src/port/st/stm32.c
@@ -51,7 +51,16 @@
  * PKA_HandleTypeDef and the PKA_ECC / PKA_ECDSA IO typedefs are
  * provided by <wolfssl/wolfcrypt/port/st/stm32.h> above. The HAL_PKA_*
  * entry points are implemented further down in this file under the
- * matching guard. */
+ * matching guard.
+ *
+ * BARE debug switches (off by default, opt-in at -D):
+ *   WC_STM32_PKA_DIAG   -- printf on PKA init / op timeout / OUT_ERROR.
+ *                          Useful when bringing up a new PKA-capable
+ *                          board or diagnosing curve-load failures.
+ *   WC_STM32_SAES_DIAG  -- printf on AES/SAES CCF poll timeout.
+ *                          DEBUG_STM32_BARE_GCM is treated as a synonym.
+ * Neither emits any code unless -D is set; both go through the board's
+ * board_putc retarget so they appear on the same UART as test output. */
 #else
 #if defined(WOLFSSL_STM32L5)
 #include <stm32l5xx_hal_conf.h>
@@ -2276,13 +2285,6 @@ int wc_Stm32_Aes_Gcm(struct Aes* aes, byte* out, const byte* in, word32 sz,
         CMSIS device header"
 #endif
 
-/* Diagnostic: force SAES = SAES_S alias (secure). CMSIS binds SAES
- * to SAES_NS on non-CMSE builds; use this gate to test the S alias. */
-#if defined(WOLFSSL_STM32_DHUK_FORCE_SAES_S) && defined(SAES_S)
-    #undef SAES
-    #define SAES SAES_S
-#endif
-
 #ifndef STM32_BARE_SAES_TIMEOUT
     #define STM32_BARE_SAES_TIMEOUT 0x10000
 #endif
