STM32H5: update for TF-PSA-Crypto 1.0.0

RGASTM · RGASTM · commit d4144fea4e51 · 2026-03-05T16:43:49.000+01:00
deactivate hardware crypto acceleration

Change-Id: I398f245445e746161196d5ab276db6ec4625f462
Signed-off-by: Ronan Gabou &lt;ronan.gabou@st.com&gt;
diff --git a/platform/ext/target/stm/common/stm32h5xx/CMakeLists.txt b/platform/ext/target/stm/common/stm32h5xx/CMakeLists.txt
@@ -154,6 +154,21 @@ if(BL2)
             ${STM_COMMON_DIR}/hal/Native_Driver/low_level_rng.c
     )
 
+    # Add sources TF-PSA-Crypto for BL2
+    target_sources(bl2
+        PRIVATE
+            ${TF_PSA_CRYPTO_PATH}/drivers/builtin/src/constant_time.c
+            ${TF_PSA_CRYPTO_PATH}/drivers/builtin/src/cipher.c
+            ${TF_PSA_CRYPTO_PATH}/drivers/builtin/src/cipher_wrap.c
+            ${TF_PSA_CRYPTO_PATH}/drivers/builtin/src/psa_crypto_cipher.c
+    )
+
+    # for BL2 Crypto: provide mbedtls_psa_external_get_random()
+    target_sources(bl2_crypto
+        PRIVATE
+            ${STM_COMMON_DIR}/hal/accelerator/rng.c
+    )
+
     target_compile_options(platform_bl2
         PUBLIC
             ${COMPILER_CMSE_FLAG}
diff --git a/platform/ext/target/stm/stm32h573i_dk/accelerator/CMakeLists.txt b/platform/ext/target/stm/stm32h573i_dk/accelerator/CMakeLists.txt
@@ -7,53 +7,27 @@
 #-------------------------------------------------------------------------------
 
 ############################ Crypto Service ####################################
-if(TFM_PARTITION_CRYPTO)
+
+if (TFM_PARTITION_CRYPTO)
     target_sources(crypto_service_crypto_hw
         PRIVATE
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/rsa_alt.c
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/ecdsa_alt.c
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/gcm_alt.c
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/aes_alt.c
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/ccm_alt.c
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/ecp_alt.c
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/ecp_curves_alt.c
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/sha1_alt.c
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/sha256_alt.c
             ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/stm.c
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/rng.c
     )
 
     target_include_directories(crypto_service_crypto_hw
-        PRIVATE
-            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/accelerator/
+		PUBLIC
+            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/accelerator/include
             ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/
+            ${PLATFORM_DIR}/ext/target/stm/common/hal/Native_Driver/
             ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/include/
             ${PLATFORM_DIR}/ext/target/stm/common/stm32h5xx/hal/Inc/
-            ${PLATFORM_DIR}/ext/target/stm/common/stm32h5xx/Device/Include/
-            ${PLATFORM_DIR}/include
-            ${CMAKE_BINARY_DIR}/generated
-            ${CMAKE_SOURCE_DIR}/interface/include
-    )
-    target_include_directories(crypto_service_tfpsacrypto
-        PUBLIC
-            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/accelerator/
-            ${PLATFORM_DIR}/ext/target/stm/common/hal/accelerator/
-            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/include/
-            ${PLATFORM_DIR}/ext/target/stm/common/stm32h5xx/hal/Inc/
-            ${PLATFORM_DIR}/ext/target/stm/common/stm32h5xx/Device/Include/
-            ${PLATFORM_DIR}/include
+            ${PLATFORM_DIR}/ext/target/stm/common/stm32h5xx/Device/Include/	
     )
 
-    target_include_directories(psa_crypto_config
-        INTERFACE
-            $<BUILD_INTERFACE:${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/accelerator/>
-    )
-
-    target_compile_definitions(crypto_service_crypto_hw
-        PRIVATE
-            ST_HW_CONTEXT_SAVING
-            $<$<AND:$<BOOL:${TFM_PARTITION_PROTECTED_STORAGE}>,$<STREQUAL:${PS_CRYPTO_AEAD_ALG},PSA_ALG_GCM>>:BUILD_CRYPTO_TFM>
-        INTERFACE
-            $<$<AND:$<BOOL:${TFM_PARTITION_PROTECTED_STORAGE}>,$<STREQUAL:${PS_CRYPTO_AEAD_ALG},PSA_ALG_GCM>>:PSA_WANT_ALG_GCM>
+    target_include_directories(platform_s
+        PUBLIC
+            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/accelerator/include
     )
 
     target_link_libraries(crypto_service_crypto_hw
@@ -63,18 +37,10 @@ if(TFM_PARTITION_CRYPTO)
             cmsis
     )
 
-    target_link_libraries(crypto_service_tfpsacrypto
-        PUBLIC
-            cmsis
-    )
-
-    target_link_libraries(platform_s
-        PRIVATE
-            crypto_service_crypto_hw
+    # The config files need to access crypto accelerator configurations.
+    target_include_directories(psa_crypto_library_config
+        INTERFACE
+            ${PLATFORM_DIR}/ext/target/${TFM_PLATFORM}/accelerator/include
     )
 
-    target_link_libraries(crypto_service_crypto_hw
-         INTERFACE
-            tfm_config
-    )
 endif()
diff --git a/platform/ext/target/stm/stm32h573i_dk/accelerator/crypto_accelerator_config.h b/platform/ext/target/stm/stm32h573i_dk/accelerator/crypto_accelerator_config.h
diff --git a/platform/ext/target/stm/stm32h573i_dk/accelerator/include/tf_psa_crypto_accelerator_config.h b/platform/ext/target/stm/stm32h573i_dk/accelerator/include/tf_psa_crypto_accelerator_config.h
@@ -0,0 +1,29 @@
+
+/*
+ * SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors
+ * Copyright (c) 2026 STMicroelectronics. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+#ifndef __TF_PSA_CRYPTO_ACCELERATOR_CONFIG_H__
+#define __TF_PSA_CRYPTO_ACCELERATOR_CONFIG_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/* RNG Config */
+#undef MBEDTLS_ENTROPY_NV_SEED
+#undef MBEDTLS_ENTROPY_NO_SOURCES_OK
+#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+
+/****************************************************************/
+/* Require built-in implementations based on PSA requirements */
+/****************************************************************/
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __TF_PSA_CRYPTO_ACCELERATOR_CONFIG_H__ */
diff --git a/platform/ext/target/stm/stm32h573i_dk/accelerator/mbedtls_accelerator_config.h b/platform/ext/target/stm/stm32h573i_dk/accelerator/mbedtls_accelerator_config.h
diff --git a/platform/ext/target/stm/stm32h573i_dk/config.cmake b/platform/ext/target/stm/stm32h573i_dk/config.cmake
@@ -12,17 +12,17 @@ set(BL2_HEADER_SIZE                        0x400       CACHE STRING    "Header s
 set(BL2_TRAILER_SIZE                       0x2000      CACHE STRING    "Trailer size")
 set(MCUBOOT_ALIGN_VAL                      16          CACHE STRING    "Align option to build image with imgtool")
 set(MCUBOOT_UPGRADE_STRATEGY        "SWAP_USING_SCRATCH"      CACHE STRING    "Upgrade strategy for images")
+set(MCUBOOT_USE_PSA_CRYPTO                 ON          CACHE BOOL      "Enable the cryptographic abstraction layer to use PSA Crypto APIs")
 set(TFM_PARTITION_PLATFORM                 ON          CACHE BOOL      "Enable platform partition")
 set(MCUBOOT_DATA_SHARING                   ON          CACHE BOOL      "Enable Data Sharing")
 set(MCUBOOT_BOOTSTRAP                      ON          CACHE BOOL      "Allow initial state with images in secondary slots(empty primary slots)")
-set(MCUBOOT_ENC_IMAGES                     ON          CACHE BOOL      "Enable encrypted image upgrade support")
-set(MCUBOOT_ENCRYPT_RSA                    ON          CACHE BOOL      "Use RSA for encrypted image upgrade support")
+set(MCUBOOT_ENC_IMAGES                     OFF          CACHE BOOL      "Enable encrypted image upgrade support")
+set(MCUBOOT_ENCRYPT_RSA                    OFF          CACHE BOOL      "Use RSA for encrypted image upgrade support")
 ################################## Dependencies ########################################
 set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE ON          CACHE BOOL      "Enable Internal Trusted Storage partition")
 set(TFM_PARTITION_CRYPTO                   ON          CACHE BOOL      "Enable Crypto partition")
 set(CRYPTO_HW_ACCELERATOR                  ON          CACHE BOOL      "Whether to enable the crypto hardware accelerator on supported platforms")
 set(TF_PSA_CRYPTO_BUILD_TYPE               minsizerel  CACHE STRING    "Build type of TF-PSA-Crypto library")
-set(PS_CRYPTO_AEAD_ALG                     PSA_ALG_GCM CACHE STRING    "The AEAD algorithm to use for authenticated encryption in Protected Storage")
 set(MCUBOOT_FIH_PROFILE                    LOW         CACHE STRING    "Fault injection hardening profile [OFF, LOW, MEDIUM, HIGH]")
 ################################## LOG LEVEL ###########################################
 set(TFM_SPM_LOG_LEVEL             LOG_LEVEL_INFO       CACHE STRING    "Set default SPM log level as INFO level")
diff --git a/platform/ext/target/stm/stm32h573i_dk/include/flash_layout.h b/platform/ext/target/stm/stm32h573i_dk/include/flash_layout.h
@@ -25,19 +25,20 @@
  */
  /* Flash layout for stm32h573i_dk with BL2 (multiple image boot):
  *
- * 0x0000_0000 SCRATCH (40KB)
- * 0x0001_0000 BL2 - counters(16 KB)
- * 0x0001_4000 BL2 - MCUBoot (48 KB)
+ * 0x0000_0000 SCRATCH (48 KB)
+ * 0x0000_C000 BL2 - counters(16 KB)
+ * 0x0001_0000 BL2 - MCUBoot (96 KB)
  * 0x0002_8000 OTP Write Protect (16 KB)
- * 0x0003_2000 NV counters area (16 KB)
- * 0x0003_6000 Secure Storage Area (16 KB)
- * 0x0003_A000 Internal Trusted Storage Area (16 KB)
- * 0x0003_E000 Secure image     primary slot (100 KB)
- * 0x0007_E000 Non-secure image primary slot (280 KB)
- * 0x000C_E000 Secure image     secondary slot (100 KB)
- * 0x0010_E000 Non-secure image secondary slot (280 KB)
+ * 0x0002_C000 NV counters area (16 KB)
+ * 0x0003_0000 Secure Storage Area (16 KB)
+ * 0x0003_4000 Internal Trusted Storage Area (16 KB)
+ * 0x0003_8000 Secure image     primary slot (320 KB)
+ * 0x0008_8000 Non-secure image primary slot (576 KB)
+ * 0x0011_8000 Secure image     secondary slot (320 KB)
+ * 0x0016_8000 Non-secure image secondary slot (576 KB)
+ * 0x001f_8000 Non-secure free data (32 KB)
  *
- * Bl2 binary is written at 0x1_2000:
+ * Bl2 binary is written at 0x1_0000:
  * it contains bl2_counter init value, OTP write protect, NV counters area init.
  */
 
@@ -58,7 +59,7 @@
 
 /* scratch area */
 #define FLASH_AREA_SCRATCH_OFFSET       (0x0)
-#define FLASH_AREA_SCRATCH_SIZE         (0xC000) /* 40 KB */
+#define FLASH_AREA_SCRATCH_SIZE         (0xC000) /* 48 KB */
 
 /* control scratch area */
 #if (FLASH_AREA_SCRATCH_OFFSET % FLASH_AREA_IMAGE_SECTOR_SIZE) != 0
@@ -153,8 +154,8 @@
 
 /* Secure image primary slot */
 #define FLASH_AREA_0_ID                 (1)
-#define FLASH_AREA_0_DEVICE_ID          (FLASH_DEVICE_ID-FLASH_DEVICE_ID)
-#define FLASH_AREA_0_OFFSET             (FLASH_ITS_AREA_OFFSET+FLASH_ITS_AREA_SIZE)
+#define FLASH_AREA_0_DEVICE_ID          (0)
+#define FLASH_AREA_0_OFFSET             (FLASH_AREA_BEGIN_OFFSET)
 /* Control  Secure image primary slot */
 #if (FLASH_AREA_0_OFFSET  % FLASH_AREA_IMAGE_SECTOR_SIZE) != 0
 #error "FLASH_AREA_0_OFFSET  not aligned on FLASH_AREA_IMAGE_SECTOR_SIZE"
