wolfPKCS11 test

.github/workflows/trustzone-emulator-tests.yml

@@ -8,7 +8,7 @@ jobs:
   trustzone-emulator-tests:
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/danielinux/m33mu-ci:1.5
+      image: ghcr.io/danielinux/m33mu-ci:1.8
     steps:
       - uses: actions/checkout@v4
 
@@ -27,6 +27,56 @@ jobs:
         run: |
           ./test.sh
 
+      - name: Clean build tree for PKCS11 test (stm32h5)
+        run: |
+          make clean distclean
+
+      - name: Configure PKCS11 test (stm32h5)
+        run: |
+          cp config/examples/stm32h5-tz.config .config
+
+      - name: Build persistent PKCS11 test app (stm32h5)
+        run: |
+          make PKCS11_TESTAPP=1
+
+      - name: Prepare PKCS11 persistence directory
+        run: |
+          rm -rf /tmp/m33mu-pkcs11-persist
+          mkdir -p /tmp/m33mu-pkcs11-persist
+          rm -f /tmp/m33mu-pkcs11-first.log /tmp/m33mu-pkcs11-second.log
+
+      - name: Run PKCS11 first boot (stm32h5)
+        run: |
+          cd /tmp/m33mu-pkcs11-persist
+          m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
+            "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
+            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7d \
+            | tee /tmp/m33mu-pkcs11-first.log
+
+      - name: Verify PKCS11 first boot (stm32h5)
+        run: |
+          grep -q "pkcs11: first boot path, creating persistent objects" /tmp/m33mu-pkcs11-first.log
+          grep -q "pkcs11: created persistent PKCS11 objects" /tmp/m33mu-pkcs11-first.log
+          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-first.log
+          grep -q "\\[BKPT\\] imm=0x7d" /tmp/m33mu-pkcs11-first.log
+          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-first.log
+
+      - name: Run PKCS11 second boot (stm32h5)
+        run: |
+          cd /tmp/m33mu-pkcs11-persist
+          m33mu "$GITHUB_WORKSPACE/wolfboot.bin" \
+            "$GITHUB_WORKSPACE/test-app/image_v1_signed.bin:0x60000" \
+            --persist --uart-stdout --timeout 120 --expect-bkpt 0x7f \
+            | tee /tmp/m33mu-pkcs11-second.log
+
+      - name: Verify PKCS11 second boot (stm32h5)
+        run: |
+          grep -q "pkcs11: second boot path, restoring persistent objects" /tmp/m33mu-pkcs11-second.log
+          grep -q "pkcs11: restored persistent PKCS11 objects" /tmp/m33mu-pkcs11-second.log
+          grep -q "pkcs11: success" /tmp/m33mu-pkcs11-second.log
+          grep -q "\\[BKPT\\] imm=0x7f" /tmp/m33mu-pkcs11-second.log
+          grep -q "\\[EXPECT BKPT\\] Success" /tmp/m33mu-pkcs11-second.log
+
       - name: Clean and build stm32u5 (TZ + wolfcrypt)
         run: |
           make clean distclean
@@ -44,7 +94,7 @@ jobs:
           cp config/examples/stm32l5-wolfcrypt-tz.config .config
           make wolfboot.bin
 
-      - name: Run emu test (stm32u5)
+      - name: Run emu test (stm32l5)
         working-directory: test-app/emu-test-apps
         run: |
           TARGET=stm32l5 ./test.sh

config/examples/mcxn-tz.config

@@ -32,23 +32,23 @@ PKA?=1
 WOLFBOOT_SECTOR_SIZE?=0x2000
 
 # Default configuration
-# 40KB boot, no keyvault, 8KB NSC, 64KB partitions, 8KB swap
+# 40KB boot, no keyvault, 8KB NSC, 72KB partitions, 8KB swap
 WOLFBOOT_KEYVAULT_ADDRESS?=0xA000
 WOLFBOOT_KEYVAULT_SIZE?=0
 WOLFBOOT_NSC_ADDRESS?=0xA000
 WOLFBOOT_NSC_SIZE?=0x2000
-WOLFBOOT_PARTITION_SIZE?=0x10000
+WOLFBOOT_PARTITION_SIZE?=0x12000
 WOLFBOOT_PARTITION_BOOT_ADDRESS?=0xC000
-WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x1C000
-WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x2C000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x1E000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x30000
 
 # Alternate larger configuration for debugging or ARMASM
-# 128KB boot, no keyvault, 8KB NSC, 64KB partitions, 8KB swap
+# 128KB boot, no keyvault, 8KB NSC, 72KB partitions, 8KB swap
 #WOLFBOOT_KEYVAULT_ADDRESS?=0x20000
 #WOLFBOOT_KEYVAULT_SIZE?=0
 #WOLFBOOT_NSC_ADDRESS?=0x20000
 #WOLFBOOT_NSC_SIZE?=0x2000
-#WOLFBOOT_PARTITION_SIZE?=0x10000
+#WOLFBOOT_PARTITION_SIZE?=0x12000
 #WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x22000
-#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x32000
-#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x42000
+#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x34000
+#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x46000

config/examples/mcxn-wolfcrypt-tz.config

@@ -34,23 +34,23 @@ WOLFCRYPT_TZ_PKCS11?=1
 WOLFBOOT_SECTOR_SIZE?=0x2000
 
 # Default configuration
-# 192KB boot, 96KB keyvault, 8KB NSC, 64KB partitions, 8KB swap
+# 192KB boot, 96KB keyvault, 8KB NSC, 72KB partitions, 8KB swap
 WOLFBOOT_KEYVAULT_ADDRESS?=0x30000
 WOLFBOOT_KEYVAULT_SIZE?=0x18000
 WOLFBOOT_NSC_ADDRESS?=0x48000
 WOLFBOOT_NSC_SIZE?=0x2000
-WOLFBOOT_PARTITION_SIZE?=0x10000
+WOLFBOOT_PARTITION_SIZE?=0x12000
 WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x4A000
-WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x5A000
-WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x6A000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x5C000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x6E000
 
 # Alternate larger configuration for debugging or ARMASM
-# 320KB boot, 96KB keyvault, 8KB NSC, 64KB partitions, 8KB swap
+# 320KB boot, 96KB keyvault, 8KB NSC, 72KB partitions, 8KB swap
 #WOLFBOOT_KEYVAULT_ADDRESS?=0x50000
 #WOLFBOOT_KEYVAULT_SIZE?=0x18000
 #WOLFBOOT_NSC_ADDRESS?=0x68000
 #WOLFBOOT_NSC_SIZE?=0x2000
-#WOLFBOOT_PARTITION_SIZE?=0x10000
+#WOLFBOOT_PARTITION_SIZE?=0x12000
 #WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x6A000
-#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x7A000
-#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x8A000
+#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x7C000
+#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x8E000

hal/stm32l5.c

@@ -400,11 +400,17 @@ static void clock_pll_on(int powersave)
 #if TZ_SECURE()
 static void periph_unsecure()
 {
+    volatile uint32_t reg;
+
     /*Enable clock for User LED GPIOs */
     RCC_AHB2_CLOCK_ER|= LED_AHB2_ENABLE;
 
     /* Enable clock for LPUART1 */
     RCC_APB1_CLOCK_ER |= UART1_APB1_CLOCK_ER_VAL;
+    /* Enable clock for USART3 used by emu-test-apps on PD8/PD9 */
+    RCC_APB1_CLOCK_ER |= UART3_APB1_CLOCK_ER_VAL;
+    /* Enable clock for GPIO D (USART3 pins) */
+    RCC_AHB2_CLOCK_ER |= GPIOD_AHB2_CLOCK_ER;
 
 
     PWR_CR2 |= PWR_CR2_IOSV;
@@ -423,6 +429,16 @@ static void periph_unsecure()
     GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_TX_PIN);
     GPIO_SECCFGR(GPIOG_BASE) &= ~(1<<UART1_RX_PIN);
 
+    /* Unsecure USART3 and its pins for the STM32L5 emulator app path. */
+    reg = TZSC_SECCFGR1;
+    if (reg & TZSC_SECCFGR1_USART3SEC) {
+        reg &= ~TZSC_SECCFGR1_USART3SEC;
+        DMB();
+        TZSC_SECCFGR1 = reg;
+    }
+    GPIO_SECCFGR(GPIOD_BASE) &= ~(1u << 8);
+    GPIO_SECCFGR(GPIOD_BASE) &= ~(1u << 9);
+
 }
 #endif
 

hal/stm32l5.h

@@ -181,8 +181,10 @@
 #define FLASH_NS_SR          (*(volatile uint32_t *)(FLASH_NS_BASE + 0x20))
 #define FLASH_NS_CR          (*(volatile uint32_t *)(FLASH_NS_BASE + 0x28))
 
-#define TZSC_PRIVCFGR1   *((uint32_t *)(0x50032420))
-#define TZSC_PRIVCFG1_LPUARTPRIV (1 << 21)
+#define TZSC_PRIVCFGR1   (*(volatile uint32_t *)(0x50032420))
+#define TZSC_PRIVCFG1_LPUARTPRIV (1u << 21)
+#define TZSC_SECCFGR1    (*(volatile uint32_t *)(0x50032410))
+#define TZSC_SECCFGR1_USART3SEC (1u << 11)
 
 
 #else
@@ -257,6 +259,7 @@
 
 #define RCC_APB1_CLOCK_ER (*(volatile uint32_t *)(RCC_BASE + 0x5C ))
 #define UART1_APB1_CLOCK_ER_VAL (1 << 0)
+#define UART3_APB1_CLOCK_ER_VAL (1 << 18)
 
 #define UART1_PIN_AF 8
 #define UART1_RX_PIN 8

test-app/CMakeLists.txt

@@ -205,10 +205,17 @@ if(BUILD_TEST_APPS)
     endif()
 
     if(WOLFCRYPT_TZ_PKCS11)
-        list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11 WOLFPKCS11_USER_SETTINGS)
+        list(APPEND TEST_APP_COMPILE_DEFINITIONS
+            WOLFBOOT_PKCS11_APP
+            SECURE_PKCS11
+            WOLFBOOT_TZ_PKCS11
+            WOLFPKCS11_USER_SETTINGS)
+        if(PKCS11_TESTAPP)
+            list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_TESTAPP)
+        endif()
         set(WOLFSSL_PKCS11_SOURCES
+            test_pkcs11.c
             wcs/pkcs11_stub.c
-            wcs/pkcs11_test_ecc.c
             ../lib/wolfssl/wolfcrypt/src/ecc.c
             ../lib/wolfssl/wolfcrypt/src/rsa.c
             ../lib/wolfssl/wolfcrypt/src/asn.c

test-app/Makefile

@@ -247,8 +247,11 @@ ifeq ($(TZEN),1)
         ifeq ($(WOLFCRYPT_TZ_PKCS11),1)
             CFLAGS+=-DWOLFSSL_USER_SETTINGS -DWOLFTPM_USER_SETTINGS
             CFLAGS+=-DWOLFBOOT_PKCS11_APP -DSECURE_PKCS11 -DWOLFBOOT_TZ_PKCS11
+            ifeq ($(PKCS11_TESTAPP),1)
+                CFLAGS+=-DWOLFBOOT_PKCS11_TESTAPP
+            endif
             CFLAGS+=-I"$(WOLFBOOT_LIB_WOLFPKCS11)"
-            APP_OBJS+=./wcs/pkcs11_test_ecc.o
+            APP_OBJS+=./test_pkcs11.o
             APP_OBJS+=./wcs/pkcs11_stub.o
             APP_OBJS+=./wcs/ecc.o
             APP_OBJS+=./wcs/rsa.o

test-app/app_stm32h5.c

@@ -41,12 +41,7 @@
 #endif
 
 #ifdef WOLFBOOT_TZ_PKCS11
-#include "wcs/user_settings.h"
-#include "wolfssl/wolfcrypt/settings.h"
-#include "wolfssl/wolfcrypt/wc_pkcs11.h"
-#include "wolfssl/wolfcrypt/random.h"
-extern const char pkcs11_library_name[];
-extern const CK_FUNCTION_LIST wolfpkcs11nsFunctionList;
+#include "test_pkcs11.h"
 #endif
 
 #ifdef WOLFCRYPT_SECURE_MODE
@@ -192,8 +187,6 @@ void extra_led_off(void)
     GPIOF_BSRR |= (1 << (LED_EXTRA_PIN + 16));
 }
 
-extern int ecdsa_sign_verify(int devId);
-
 /* Command line commands */
 static int cmd_help(const char *args);
 static int cmd_info(const char *args);
@@ -837,98 +830,8 @@ static int run_psa_boot_attestation(void)
 #ifdef WOLFBOOT_TZ_PKCS11
 static int cmd_login_pkcs11(const char *args)
 {
-    int ret = -1;
-    unsigned int devId = 0;
-    Pkcs11Token token;
-    Pkcs11Dev PKCS11_d;
-    unsigned long session;
-    char TokenPin[] = "0123456789ABCDEF";
-    char UserPin[] = "ABCDEF0123456789";
-    char SoPinName[] = "SO-PIN";
-    static int pkcs11_initialized = 0;
-
-    if (pkcs11_initialized) {
-        printf("PKCS11 already initialized.\r\n");
-        return 0;
-    }
-
-    printf("PKCS11 Login\r\n");
-
-    printf("Initializing wolfCrypt...");
-    fflush(stdout);
-    wolfCrypt_Init();
-    printf("Done.\r\n");
-
-    PKCS11_d.heap = NULL,
-    PKCS11_d.func = (CK_FUNCTION_LIST *)&wolfpkcs11nsFunctionList;
-
-    printf("Initializing EccKey token...");
-    fflush(stdout);
-    ret = wc_Pkcs11Token_Init(&token, &PKCS11_d, 1, "EccKey",
-            (const byte*)TokenPin, strlen(TokenPin));
-
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Initializing token...");
-        fflush(stdout);
-        ret = wolfpkcs11nsFunctionList.C_InitToken(1,
-                (byte *)TokenPin, strlen(TokenPin), (byte *)SoPinName);
-    }
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Opening session...");
-        fflush(stdout);
-        ret = wolfpkcs11nsFunctionList.C_OpenSession(1,
-                CKF_SERIAL_SESSION | CKF_RW_SESSION,
-                NULL, NULL, &session);
-    }
-
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Logging in as SO...");
-        ret = wolfpkcs11nsFunctionList.C_Login(session, CKU_SO,
-                (byte *)TokenPin,
-                strlen(TokenPin));
-    }
-    if (ret == 0) {
-        extra_led_on();
-        printf("Done.\r\n");
-        printf("Setting PIN...");
-        ret = wolfpkcs11nsFunctionList.C_InitPIN(session,
-                (byte *)TokenPin,
-                strlen(TokenPin));
-    }
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Logging out...");
-        ret = wolfpkcs11nsFunctionList.C_Logout(session);
-    }
-    if (ret == 0) {
-        printf("Done.\r\n");
-        printf("Registering crypto calls with wolfCrypt...");
-        ret = wc_CryptoDev_RegisterDevice(devId, wc_Pkcs11_CryptoDevCb,
-                &token);
-    }
-    if (ret == 0) {
-        printf("Done.\r\n");
-#ifdef HAVE_ECC
-        printf("Testing ECC...");
-        ret = ecdsa_sign_verify(devId);
-        if (ret != 0) {
-            ret = -1;
-            printf("Failed.\r\n");
-        }
-        else {
-            usr_led_on();
-            printf("Done.\r\n");
-        }
-#endif
-    }
-    if (ret == 0) {
-        printf("PKCS11 initialization completed successfully.\r\n");
-        pkcs11_initialized = 1;
-    }
-    return ret;
+    (void)args;
+    return test_pkcs11_start();
 }
 #endif /* WOLFBOOT_TZ_PKCS11 */
 
@@ -1377,6 +1280,16 @@ void main(void)
     (void)run_psa_boot_attestation();
 #endif
 
+#ifdef WOLFBOOT_PKCS11_TESTAPP
+    ret = test_pkcs11_start();
+    if (ret == PKCS11_TEST_FIRST_BOOT_OK)
+        asm volatile ("bkpt #0x7d");
+    else if (ret == PKCS11_TEST_SECOND_BOOT_OK)
+        asm volatile ("bkpt #0x7f");
+    else
+        asm volatile ("bkpt #0x7e");
+#endif
+
     console_loop();
 
     while(1)