@danielinux
Member

  • Integrates wolfPSA as psa_crypto/psa_store engine in TrustZone
  • Provides interface to access APIs from non-secure mode
  • Patches to enable wolfboot as TEE module in zephyr
  • Patches to enable stm32h563-nucleo/ns as target in zephyr
  • psa_crypto zephyr example using wolfboot/wolfPSA as secure engine

Contributor

@dgarske dgarske left a comment

I tried to test the steps on an STM32H563ZI without success. Nothing shows up on UART after programming and reset. Attached are my testing results.
STM32H5-Zephyr-TEE.md

@dgarske dgarske removed their assignment Jan 7, 2026
@danielinux
Member Author

My apologies, the zephyr patches seem to be incomplete / missing the tee driver and some port files for nucleo-h563zi.

This new patchset should fix it. I was able to compile and test from a clean/reset zephyr.

Patchset is tested on zephyr/f8dba1baee3627e55afeb6045f353701b674376e but should also apply cleanly on latest.

@danielinux danielinux force-pushed the zephyr-psa branch 2 times, most recently from d1c7737 to 087a51e on January 8, 2026 15:08
Contributor

@dgarske dgarske left a comment

All works now!

*** Booting Zephyr OS build v4.3.0-3416-g9334cedb3de8 ***
[00:00:00.001,000] <inf> app: app_cfg: Creating new config file with UID 0x55CFDA7A
[00:00:00.001,000] <inf> app: att: System IAT size is: 0 bytes.
[00:00:00.001,000] <inf> app: att: Requesting IAT with 64 byte challenge.
[00:00:00.001,000] <inf> app: att: IAT data received: 0 bytes.
[00:00:00.034,000] <inf> app: Persisting SECP256R1 key as #1
[00:00:00.044,000] <inf> app: Retrieving public key for key #1

Build Results

wolfBoot (Secure Side)

Configuration: config/examples/stm32h5-tz-psa.config
Build Command: make wolfboot.bin

   text    data     bss     dec     hex filename
  83848       0   19328  103176   19308 wolfboot.elf

Zephyr (Non-Secure Side)

Board: nucleo_h563zi/stm32h563xx/ns
Sample: samples/wolfboot_integration/psa_crypto

Memory region         Used Size  Region Size  %age Used
           FLASH:      124856 B       640 KB     19.05%
             RAM:       55736 B       256 KB     21.26%

Automatic Image Signing

The Zephyr build process automatically signed the image using the wolfBoot signing tool:

wolfBoot KeyTools (Compiled C version)
wolfBoot version 2070000
Update type:          Firmware
Input image:          zephyr.payload.bin
Selected cipher:      ECC256
Selected hash  :      SHA256
Output  image:        zephyr.payload_v1_signed.bin
Output image(s) successfully created.

Flash Configuration

Option Bytes

Setting      Value     Description
TZEN         0xB4      TrustZone enabled
SECBOOTADD   0xC0000   Secure boot from 0x0C000000
SECWM1_STRT  0x0       Bank 1 secure watermark start
SECWM1_END   0x2F      Bank 1 secure watermark end (384KB)
SECWM2_STRT  0x0       Bank 2 secure watermark start
SECWM2_END   0x7F      Bank 2 secure watermark end

Memory Layout

Address      Content
0x0C000000   wolfboot.bin (83KB)
0x08060000   zephyr.payload_v1_signed.bin (125KB)
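The option-byte table and memory layout in the comment above can be cross-checked mechanically rather than by eye. The script below is an added example for this thread, not code from wolfBoot, wolfPSA or Zephyr. It assumes the STM32H563ZI flash geometry (2 MB in two 1 MB banks of 8 KB sectors, so sector index 0x7F is the last sector of a bank), that SECBOOTADD holds address bits [31:8], and that 0x0C000000 is the secure alias of 0x08000000. From the SECWMx sector indices it derives the secure watermark regions, checks that the secure boot address lands inside one of them, and checks that each image sits on the correct side of the secure/non-secure boundary. The option-byte values and image sizes are the ones reported above; the function and constant names are this example's own.

```python
"""Cross-check STM32H5 TrustZone option bytes against a secure/non-secure image layout.

Added example for this PR thread, not part of wolfBoot or Zephyr. Flash geometry is
assumed from the STM32H563ZI datasheet: 2 MB in two 1 MB banks of 8 KB sectors.
"""
from dataclasses import dataclass
from typing import Optional

FLASH_BASE = 0x0800_0000        # non-secure alias of internal flash
SECURE_ALIAS = 0x0C00_0000      # secure alias of the same flash (assumption: +0x04000000)
BANK_SIZE = 1024 * 1024
SECTOR_SIZE = 8 * 1024
SECTORS_PER_BANK = BANK_SIZE // SECTOR_SIZE   # 128, so the last sector index is 0x7F
TZEN_ENABLED = 0xB4             # "TrustZone enabled" value shown in the thread's table


@dataclass(frozen=True)
class Region:
    start: int   # inclusive, non-secure alias
    end: int     # exclusive

    @property
    def size(self) -> int:
        return self.end - self.start

    def contains(self, addr: int, size: int = 1) -> bool:
        return self.start <= addr and addr + size <= self.end

    def overlaps(self, addr: int, size: int) -> bool:
        return addr < self.end and self.start < addr + size


def ns_alias(addr: int) -> int:
    """Map a secure-alias address (0x0C......) onto the non-secure alias (0x08......)."""
    if SECURE_ALIAS <= addr < SECURE_ALIAS + 2 * BANK_SIZE:
        return addr - (SECURE_ALIAS - FLASH_BASE)
    return addr


def secboot_address(secbootadd: int) -> int:
    """SECBOOTADD stores address bits [31:8] (assumption); 0xC0000 -> 0x0C000000."""
    return (secbootadd << 8) & 0xFFFF_FFFF


def secure_watermark(bank: int, strt: int, end: int) -> Optional[Region]:
    """Sectors strt..end (inclusive) of a bank are secure; strt > end means no secure area."""
    if bank not in (1, 2):
        raise ValueError("bank must be 1 or 2")
    if not (0 <= strt < SECTORS_PER_BANK and 0 <= end < SECTORS_PER_BANK):
        raise ValueError("sector index out of range")
    if strt > end:
        return None
    base = FLASH_BASE + (bank - 1) * BANK_SIZE
    return Region(base + strt * SECTOR_SIZE, base + (end + 1) * SECTOR_SIZE)


def non_secure_regions(secure_by_bank: dict) -> list:
    """Complement of the secure watermarks inside the two banks (what Zephyr/ns may use)."""
    out = []
    for bank in (1, 2):
        base = FLASH_BASE + (bank - 1) * BANK_SIZE
        sec = secure_by_bank.get(bank)
        if sec is None:
            out.append(Region(base, base + BANK_SIZE))
            continue
        if sec.start > base:
            out.append(Region(base, sec.start))
        if sec.end < base + BANK_SIZE:
            out.append(Region(sec.end, base + BANK_SIZE))
    return out


def check_layout(ob: dict, images: list) -> list:
    """Return a list of problems (empty when option bytes and image placement agree)."""
    problems = []
    if ob["TZEN"] != TZEN_ENABLED:
        problems.append(f"TZEN=0x{ob['TZEN']:02X}: TrustZone is not enabled")
    secure = {
        1: secure_watermark(1, ob["SECWM1_STRT"], ob["SECWM1_END"]),
        2: secure_watermark(2, ob["SECWM2_STRT"], ob["SECWM2_END"]),
    }
    secure_regions = [r for r in secure.values() if r is not None]
    boot = ns_alias(secboot_address(ob["SECBOOTADD"]))
    if not any(r.contains(boot) for r in secure_regions):
        problems.append(f"secure boot address 0x{boot:08X} is outside every secure watermark")
    for name, addr, size, is_secure in images:
        a = ns_alias(addr)
        if is_secure and not any(r.contains(a, size) for r in secure_regions):
            problems.append(f"{name}: secure image is not fully inside a secure watermark")
        if not is_secure and any(r.overlaps(a, size) for r in secure_regions):
            problems.append(f"{name}: non-secure image overlaps a secure watermark")
    return problems


# Option bytes and image sizes as reported in the thread (constructed sample input)
OPTION_BYTES = {"TZEN": 0xB4, "SECBOOTADD": 0xC0000,
                "SECWM1_STRT": 0x0, "SECWM1_END": 0x2F,
                "SECWM2_STRT": 0x0, "SECWM2_END": 0x7F}
IMAGES = [("wolfboot.bin", 0x0C000000, 83848, True),
          ("zephyr.payload_v1_signed.bin", 0x08060000, 124856, False)]

if __name__ == "__main__":
    for p in check_layout(OPTION_BYTES, IMAGES) or ["layout OK"]:
        print(p)
    for r in non_secure_regions({1: secure_watermark(1, 0, 0x2F), 2: secure_watermark(2, 0, 0x7F)}):
        print(f"non-secure flash: 0x{r.start:08X}-0x{r.end:08X} ({r.size // 1024} KB)")
```

With the values from the thread the check reports no problems and a single 640 KB non-secure window in bank 1 starting at 0x08060000, which is exactly the FLASH region size the Zephyr build printed, while bank 2 (sectors 0x0 to 0x7F) is left entirely secure. Moving the non-secure payload down into the watermarked sectors, or shrinking SECWM1_END below the end of wolfboot.bin, is flagged, which is the kind of mismatch that produces the silent "nothing on UART" symptom seen earlier in this thread rather than a readable error.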

@dgarske dgarske assigned wolfSSL-Bot and unassigned danielinux Jan 8, 2026
@mattia-moffa mattia-moffa removed their assignment Jan 8, 2026
@dgarske dgarske merged commit 4ff0e0a into wolfSSL:master Jan 8, 2026
302 checks passed