Add stm32H5 TrustZone wolfHSM Port #348 (Draft)
aidangarske wants to merge 7 commits into
Conversation
New port/stmicro/stm32-tz/wh_transport_nsc.{c,h} implementing both
client and server callbacks for a synchronous TrustZone NSC bridge.
The non-secure (client) side calls a single cmse_nonsecure_entry
veneer (wcs_wolfhsm_transmit, provided by the host) which hands the
request to the secure-side server context, runs
wh_Server_HandleRequestMessage once inline, and returns the response
in the same call -- no polling, notify counter, or async
producer/consumer.
Send delivers; Recv returns the cached response. Server-side Recv
hands the request the host's NSC veneer parked in the static context;
Send writes the response back into the NS buffer and stores its size
for the veneer to read.
Used by wolfBoot's WOLFCRYPT_TZ_WOLFHSM=1 lane on STM32H5 (separate
PR against wolfBoot). Gated by WOLFHSM_CFG_PORT_STM32_TZ_NSC so the
file is safe to ship in the wolfHSM tree without forcing every
consumer to link the unresolved wcs_wolfhsm_transmit extern.
The field name is self-describing; the comment was duplicating it.
Add a port section describing the new port/stmicro/stm32-tz NSC bridge transport: synchronous single-call client Send/Recv, server-side static context, target-agnostic transport with the STM32H5 glue (NSC veneer, whFlashCb adapter, secure-side server init, NS test exerciser) living in the wolfBoot port.
Transport (port/stmicro/stm32-tz/wh_transport_nsc):
- _NscServerSend returns WH_ERROR_BADARGS for size validation
(only ABORTED when rsp_buf is NULL), matching the contract.
- _NscClientSend / _NscClientRecv reject calls on an
uninitialized context, giving ctx->initialized a purpose.
- _NscServerRecv clears request_pending on the oversize path
and resets rsp_size on entry to prevent stale-value leaks.
- Drop the redundant cmd_buf staging copy on the client side,
saving WH_COMM_MTU bytes of NS BSS plus a per-request memcpy.
Test:
- New test/wh_test_transport_nsc.c covering BADARGS, NOTREADY,
happy path, and the request_pending / rsp_size state machine
for both callback tables. Wired into whTest_Unit; new
STM32_TZ_NSC=1 build flag compiles the transport source.
Docs:
- chapter08: client Recv consumes the cached response on the
first call (subsequent calls return WH_ERROR_NOTREADY).
4a42e8f to e14742d
bigbrett (Contributor) requested changes on May 12, 2026 and left a comment:
@aidangarske thanks for this! I'm a little unclear whether any of this is stm32H5 specific or is it just a generic TZ-M compatible transport? In the docs you say
The transport itself is target-agnostic; the STM32H5-specific glue (NSC veneer,
whFlashCb flash adapter, secure-side server init, NS test exerciser) lives in the wolfBoot port.
If this is the case then I don't think you need any mention of STM32H5 in any of this? Unless I'm misunderstanding. If this is meant to be a generic TrustZone-M transport then I think having it under port/tzm or something like that is better, with no mentions of STM32H5 at all.
LMK if I'm misunderstanding
Rename port/stmicro/stm32-tz to port/armv8m-tz to reflect that the transport is target-agnostic across ARMv8-M parts (Cortex-M23/M33/M35P/M55/M85). The target-specific NSC veneer is provided by the host; the only ARM-flavored thing in the transport is the documented expectation that the extern wcs_wolfhsm_transmit symbol is a cmse_nonsecure_entry on the secure side. Config define renamed WOLFHSM_CFG_PORT_STM32_TZ_NSC -> WOLFHSM_CFG_PORT_ARMV8M_TZ_NSC and make flag STM32_TZ_NSC=1 -> ARMV8M_TZ_NSC=1. wh_settings.h doc, chapter08 port docs, and the CI step name all updated to drop STM32-specific wording.
Review fixes folded in:
- _NscServerRecv clears ctx->rsp_size up-front so error paths leave no stale response state behind.
- _NscClientRecv rejects too-small caller buffers with WH_ERROR_BADARGS instead of WH_ERROR_ABORTED; cached response is preserved for retry.
- _NscClientSend returns WH_ERROR_NOTREADY if a prior response has not been consumed; propagates known WH_ERROR_* codes from the veneer.
- _NscServerCleanup zeroes the context so stale NS pointers cannot survive a reinit.
- Reorder whTransportNscServerContext fields to satisfy -Wpadded.
- Cover the new behaviors in wh_test_transport_nsc and add the NSC contexts to the struct padding check.
e14742d to 16cfc43
Contributor: @aidangarske reverting to draft after our conversation yesterday
Description
port/stmicro/stm32-tz/wh_transport_nsc.{c,h}: a portable synchronous TrustZone non-secure-callable bridge transport for ARMv8-M Cortex-M targets. Client Send invokes a host-supplied veneer (wcs_wolfhsm_transmit) inline and caches the response; client Recv consumes the cached response on the first call. Server-side callbacks consume the request the host's veneer parked in a static context and write the response back into the non-secure caller's buffer.
adapter, secure-side server init, NS test exerciser) lives in the matching wolfBoot PR.
STM32_TZ_NSC=1 build flag in test/Makefile compiles the transport into the host test build and pulls in a new unit test test/wh_test_transport_nsc.c covering BADARGS, NOTREADY, happy-path round trip, and the request_pending/rsp_size state machine for both callback tables.
.github/workflows/build-and-test.yml: STM32_TZ_NSC=1 ASAN=1 build + run.
docs/src/chapter08.md.
Notes
WOLFCRYPT_TZ_WOLFHSM=1 for STM32H5, which is the first consumer of this transport.
Test plan
STM32_TZ_NSC=1 ASAN=1 build + make run (CI)
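The synchronous request/response state machine that the transport commit message above (server Recv/Send contract, client Send/Recv caching, the NOTREADY/BADARGS/ABORTED paths) and the Description summarize, written out as an added host-side model. This is not wolfHSM's wh_transport_nsc.c and not code from this PR: the struct layouts, the numeric error-code values, the NscScenario walkthrough, and the SimulatedVeneer function standing in for the host's cmse_nonsecure_entry wcs_wolfhsm_transmit (with a toy case-toggling handler in place of wh_Server_HandleRequestMessage) are assumptions made for this example.

```c
/* Added example: host-side model of the synchronous NSC bridge transport this
 * PR describes; not wolfHSM's wh_transport_nsc.c. Error-code values, struct
 * layouts, the scenario walk and the simulated veneer are assumptions. */
#include <stdint.h>
#include <string.h>
#define WH_ERROR_OK        0
#define WH_ERROR_BADARGS  (-1)
#define WH_ERROR_NOTREADY (-2)
#define WH_ERROR_ABORTED  (-3)
#define WH_COMM_MTU       256
/* Secure-side context: the host's veneer parks the NS request here. */
typedef struct {
    const uint8_t* req_buf;  uint8_t* rsp_buf;   /* NS buffers set by the veneer */
    uint16_t req_size;       uint16_t rsp_size;  /* rsp_size is read by the veneer */
    uint8_t  request_pending; uint8_t initialized;
} NscServerCtx;
/* Non-secure-side context: caches the response the veneer returned. */
typedef struct {
    uint8_t rsp[WH_COMM_MTU]; uint16_t rsp_size;
    uint8_t rsp_cached;       uint8_t  initialized;
} NscClientCtx;
static NscServerCtx gServer;   /* the single static secure-side context */

/* Server Recv: rsp_size reset on entry; request_pending cleared even when oversize. */
int NscServerRecv(NscServerCtx* ctx, uint16_t* out_size, void* data, uint16_t max)
{
    if (ctx == NULL || out_size == NULL || data == NULL) return WH_ERROR_BADARGS;
    ctx->rsp_size = 0;
    if (!ctx->initialized || !ctx->request_pending) return WH_ERROR_NOTREADY;
    ctx->request_pending = 0;
    if (ctx->req_size > max) return WH_ERROR_BADARGS;
    memcpy(data, ctx->req_buf, ctx->req_size);
    *out_size = ctx->req_size;
    return WH_ERROR_OK;
}
/* Server Send: size errors are BADARGS; only a missing NS buffer is ABORTED. */
int NscServerSend(NscServerCtx* ctx, uint16_t size, const void* data)
{
    if (ctx == NULL || data == NULL || size > WH_COMM_MTU) return WH_ERROR_BADARGS;
    if (ctx->rsp_buf == NULL) return WH_ERROR_ABORTED;
    memcpy(ctx->rsp_buf, data, size);
    ctx->rsp_size = size;
    return WH_ERROR_OK;
}
/* Simulated veneer: stands in for the host's cmse_nonsecure_entry wcs_wolfhsm_transmit.
 * It parks the NS request, runs a toy stand-in for wh_Server_HandleRequestMessage
 * (one Recv, one Send) and hands back the response size, all inside this one call. */
static int SimulatedVeneer(const uint8_t* req, uint16_t req_size,
                           uint8_t* rsp, uint16_t* rsp_size)
{
    uint8_t work[WH_COMM_MTU]; uint16_t n = 0;
    gServer.req_buf = req; gServer.req_size = req_size;
    gServer.rsp_buf = rsp; gServer.request_pending = 1;
    int rc = NscServerRecv(&gServer, &n, work, sizeof(work));
    if (rc == WH_ERROR_OK) {
        for (uint16_t i = 0; i < n; i++) work[i] ^= 0x20;   /* toggle ASCII case */
        rc = NscServerSend(&gServer, n, work);
    }
    *rsp_size = gServer.rsp_size;
    gServer.req_buf = NULL; gServer.rsp_buf = NULL;   /* drop NS pointers */
    return rc;
}
/* Client Send: refuse while a response is unconsumed, else run inline and cache. */
int NscClientSend(NscClientCtx* ctx, uint16_t size, const void* data)
{
    if (ctx == NULL || data == NULL || size > WH_COMM_MTU) return WH_ERROR_BADARGS;
    if (!ctx->initialized || ctx->rsp_cached) return WH_ERROR_NOTREADY;
    int rc = SimulatedVeneer((const uint8_t*)data, size, ctx->rsp, &ctx->rsp_size);
    if (rc != WH_ERROR_OK) return rc;   /* known WH_ERROR_* codes propagate */
    ctx->rsp_cached = 1;
    return WH_ERROR_OK;
}
/* Client Recv: first call consumes the cache, later calls get NOTREADY; a
 * too-small buffer is BADARGS and leaves the cache intact for a retry. */
int NscClientRecv(NscClientCtx* ctx, uint16_t* out_size, void* data, uint16_t max)
{
    if (ctx == NULL || out_size == NULL || data == NULL) return WH_ERROR_BADARGS;
    if (!ctx->initialized || !ctx->rsp_cached) return WH_ERROR_NOTREADY;
    if (ctx->rsp_size > max) return WH_ERROR_BADARGS;
    memcpy(data, ctx->rsp, ctx->rsp_size);
    *out_size = ctx->rsp_size;
    ctx->rsp_cached = 0;
    return WH_ERROR_OK;
}
/* Walk the state machine once; returns 0, or the number of the failed step. */
int NscScenario(void)
{
    NscClientCtx c; uint8_t out[WH_COMM_MTU]; uint16_t n = 0;
    memset(&c, 0, sizeof(c)); memset(&gServer, 0, sizeof(gServer));
    if (NscClientSend(&c, 5, "hello") != WH_ERROR_NOTREADY) return 1;  /* uninitialized */
    c.initialized = 1; gServer.initialized = 1;
    if (NscClientSend(&c, 5, "hello") != WH_ERROR_OK) return 2;
    if (NscClientSend(&c, 5, "again") != WH_ERROR_NOTREADY) return 3;  /* unconsumed */
    if (NscClientRecv(&c, &n, out, 2) != WH_ERROR_BADARGS) return 4;   /* cache kept */
    if (NscClientRecv(&c, &n, out, sizeof(out)) != WH_ERROR_OK) return 5;
    if (n != 5 || memcmp(out, "HELLO", 5) != 0) return 6;
    if (NscClientRecv(&c, &n, out, sizeof(out)) != WH_ERROR_NOTREADY) return 7;
    return (gServer.rsp_buf == NULL && !gServer.request_pending) ? 0 : 8;
}
```

Build with a C99 compiler and call NscScenario(); it returns 0 when every transition matches the contract the commit messages describe, and otherwise the number of the first step that diverged. The toy handler toggles ASCII case so the round trip is visible ("hello" comes back as "HELLO"); on real hardware the same call boundary is the secure-gateway transition, which is why the veneer drops its NS pointers before returning.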