Skip to content

Add stm32H5 TrustZone wolfHSM Port#348

Open
aidangarske wants to merge 1 commit into
wolfSSL:mainfrom
aidangarske:wolfhsm-h5-port
Open

Add stm32H5 TrustZone wolfHSM Port#348
aidangarske wants to merge 1 commit into
wolfSSL:mainfrom
aidangarske:wolfhsm-h5-port

Conversation

@aidangarske

@aidangarske aidangarske commented May 1, 2026
edited
Loading

Copy link
Copy Markdown
Member

Description

  • Adds port/stmicro/stm32-tz/wh_transport_nsc.{c,h}: a portable
    synchronous TrustZone non-secure-callable bridge transport for
    ARMv8-M Cortex-M targets. Client Send invokes a host-supplied
    veneer (wcs_wolfhsm_transmit) inline and caches the response;
    client Recv consumes the cached response on the first call.
    Server-side callbacks consume the request the host's veneer parked
    in a static context and write the response back into the non-secure
    caller's buffer.
  • Target-agnostic. The STM32H5-specific glue (NSC veneer, flash
    adapter, secure-side server init, NS test exerciser) lives in the
    matching wolfBoot PR.
  • New STM32_TZ_NSC=1 build flag in test/Makefile compiles the
    transport into the host test build and pulls in a new unit test
    test/wh_test_transport_nsc.c covering BADARGS, NOTREADY, happy-
    path round trip, and the request_pending / rsp_size state
    machine for both callback tables.
  • New CI lane in .github/workflows/build-and-test.yml:
    STM32_TZ_NSC=1 ASAN=1 build + run.
  • Docs: new "STM32 TrustZone (STM32H5 / NSC bridge)" section in
    docs/src/chapter08.md.

Notes

  • Companion wolfBoot PR adds WOLFCRYPT_TZ_WOLFHSM=1 for STM32H5,
    which is the first consumer of this transport. here

Test plan

  • STM32_TZ_NSC=1 ASAN=1 build + make run (CI)
  • Existing CI matrix unaffected (no changes outside the new port)
  • End-to-end on STM32H5 NUCLEO-H563ZI via the wolfBoot PR
  • Nightly test added tests both latest masters also report problem in issues like Nightly wolfBoot TrustZone (m33mu) integration failed #396 if fails

Copilot AI review requested due to automatic review settings May 1, 2026 23:30
@aidangarske aidangarske self-assigned this May 1, 2026

This comment was marked as resolved.

Sign in to view

wolfSSL-Fenrir-bot

This comment was marked as low quality.

Sign in to view

@aidangarske aidangarske marked this pull request as ready for review May 12, 2026 01:43
@aidangarske aidangarske requested a review from danielinux May 12, 2026 01:43
@bigbrett bigbrett self-assigned this May 12, 2026
bigbrett
bigbrett requested changes May 12, 2026
View reviewed changes

@bigbrett bigbrett left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aidangarske thanks for this! I'm little unclear whether any of this stm32H5 specific or is just a generic TZ-M compatible transport? In the docs you say

The transport itself is target-agnostic; the STM32H5-specific glue (NSC veneer, whFlashCb flash adapter, secure-side server init, NS test exerciser) lives in the wolfBoot port.

If this is the case then I don't think you need any mention of STM32H5 in any of this? Unless I'm misunderstanding. If this is meant to be a generic trustzone M transport then I think having under port/tzm or something like that is better, with no mentions of STM32H5 at all.

LMK if I'm misunderstanding

@bigbrett bigbrett removed their assignment May 12, 2026
@bigbrett bigbrett marked this pull request as draft May 13, 2026 14:49
@bigbrett

bigbrett commented May 13, 2026

Copy link
Copy Markdown
Contributor

@aidangarske reverting to draft after our conversation yesterday

@aidangarske aidangarske force-pushed the wolfhsm-h5-port branch 8 times, most recently from c8bce36 to e878a2b Compare May 26, 2026 15:33
@aidangarske aidangarske marked this pull request as ready for review May 26, 2026 17:24
bigbrett
bigbrett requested changes May 28, 2026
View reviewed changes
Comment thread .github/workflows/wolfboot-tz-integration.yml Outdated
Comment thread .github/workflows/wolfboot-tz-integration.yml Outdated
Comment thread port/stmicro/stm32h5-tz/README.md Outdated
Comment thread src/wh_server.c Outdated
Comment thread src/wh_server.c Outdated
Comment thread src/wh_server.c Outdated
Comment thread src/wh_server_keystore.c Outdated
Comment thread test/wh_test_check_struct_padding.c Outdated
Comment thread wolfhsm/wh_settings.h Outdated
Comment thread docs/src/chapter08.md Outdated
@aidangarske aidangarske requested a review from bigbrett June 1, 2026 20:09
@aidangarske aidangarske force-pushed the wolfhsm-h5-port branch 2 times, most recently from ae382bf to 5b3ec25 Compare June 1, 2026 20:41
@danielinux danielinux mentioned this pull request Jun 10, 2026
Open
7 tasks
bigbrett
bigbrett requested changes Jun 11, 2026
View reviewed changes

@bigbrett bigbrett left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! A few nits and a question that might require a change, depending on the answer

Comment thread port/armv8m-tz/README.md Outdated
Comment thread port/stmicro/stm32h5-tz/README.md Outdated
Comment thread port/armv8m-tz/wh_transport_nsc.h Outdated
@aidangarske aidangarske requested a review from bigbrett June 11, 2026 20:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

@danielinux danielinux Awaiting requested review from danielinux

@bigbrett bigbrett Awaiting requested review from bigbrett

Requested changes must be addressed to merge this pull request.

Assignees

@aidangarske aidangarske

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@aidangarske @bigbrett @wolfSSL-Fenrir-bot