Cleanup initialization code for rp2350.

+ TZEN=1 in config
+ Changed SRAM settings (allocated 256KB to the secure supervisor)
+ Updated documentation
+ Added FLASH_NSC area for sg stubs

Author: danielinux

IDE/pico-sdk/rp2350/README.md

@@ -1,5 +1,27 @@
 ## wolfBoot port for rp2350 (Raspberry pi pico 2)
 
+### Support for TrustZone
+
+By default, TZEN=1 is enabled in the provided configuration. wolfBoot will run
+from the Secure domain, and will stage the application in the Non-Secure domain.
+
+The flash memory is divided as follows:
+
+- wolfBoot partition (0x10000000 - 0x1003FFFF), 224 KB
+- Non-secure callable partition (for secure gateway) (0x10038000 - 0x1003FFFF), 32 KB
+- Boot partition (0x10040000 - 0x1007FFFF), 768 KB
+- Update partition (0x10100000 - 0x1013FFFF), 768 KB
+- Unused flash space (0x101C1000 - 0x101FFFFF), 252 KB
+- Swap space (0x101C0000 - 0x101C0FFF), 4 KB
+
+The SRAM bank0 is assigned to the Secure domain, and enforced using both SAU and `ACCESS_CONTROL` registers.
+
+- Secure SRAM0-3: 0x20000000 - 0x2003FFFF, 256 KB
+- Non-secure SRAM4-7: 0x20040000 - 0x2007FFFF, 256 KB
+- Non-secure stack for application SRAM8-9: 0x20080000 - 0x20081FFF, 8 KB
+
+```
+
 ### Requirements 
 
 #### External debugger
@@ -31,18 +53,10 @@ From wolfBoot root directory, copy the example configuration:
 cp config/examples/rp2350.config .config
 ```
 
-By default, the config file indicates the following partition layout:
-
-```
-wolfBoot partition: 256 KB, at address 0x10000000 to 0x1003FFFF
-Boot partition:     768 KB, at address 0x10040000 to 0x1007FFFF
-Update partition:   768 KB, at address 0x10100000 to 0x1013FFFF
-Swap space:           4 KB, at address 0x101C0000 to 0x101C0FFF
-Unused flash space: 252 KB, at address 0x101C1000 to 0x101FFFFF
-```
-
 You can now edit the .config file to change partition sizes/offsets, algorithms,
-add/remove features, etc.
+disable trustzone, add/remove features, etc.
+
+When TZEN=0, the application will run in the Secure domain.
 
 When the configuration is complete, run `make`. This will:
 
@@ -61,6 +75,7 @@ return to this directory and run:
 
 ```
 cd wolfboot
+export PICO_SDK_PATH=...
 ./build-wolfboot.sh
 ```
 
@@ -69,7 +84,8 @@ This version of wolfboot incorporates the `.boot2` sequence needed to enable
 the QSPI device, provided by the pico-sdk and always embedded in all
 applications.
 
-wolfboot.bin contains the bootloader, configured as follows:
+wolfboot.bin contains the bootloader, and can be loaded into the RP2350, starting at address 0x10000000.
+The script will automatically upload the binary if a JLink debugger is connected.
 
 ### Building and uploading the application
 
@@ -85,6 +101,13 @@ The linker script included is modified to change the application entry point
 from 0x10000000 to 0x10040400, which is the start of the application code,
 taking into account the wolfBoot header size.
 
+The application is signed with the wolfBoot private key, and the signature is
+stored in the manifest header of the application binary.
+
+The output file `build/blink_v1_signed.bin` is automatically uploaded to the RP2350 if a JLink debugger is connected.
+The application image is stored in the boot partition, starting at address 0x10040000.
+The entry point of the application (0x10040400), set in the linker script `hal/rp2350-app.ld`, is the start of the application code, taking into account the wolfBoot header size.
+
 
 ### Testing the application
 
@@ -93,3 +116,5 @@ every 500ms.
 
 If the above steps are successful, the LED on the board should start blinking.
 
+The code has been tested on a Seeed studio XIAO RP2350 board.
+

IDE/pico-sdk/rp2350/test-app/runtime.c

@@ -1,13 +1,4 @@
 #include <stdint.h>
-void runtime_init_bootrom_reset(void)
-{
-}
-
-void runtime_init_clocks(void)
-{
-}
-
-
 typedef void (*preinit_fn_t)(void);
 
 void runtime_init_cpasr(void)

config/examples/rp2350.config

@@ -1,5 +1,5 @@
 ARCH?=ARM
-TZEN?=0
+TZEN?=1
 TARGET?=rp2350
 SIGN?=ECC256
 HASH?=SHA256

hal/rp2350-app.ld

@@ -25,9 +25,9 @@ MEMORY
 {
     BOOT(rx) : ORIGIN = 0x10000000, LENGTH = 0x40400
     FLASH(rx) : ORIGIN = 0x10040400, LENGTH = 0x1D0000
-    RAM(rwx) : ORIGIN =  0x20010000, LENGTH = 0x6E000
-    SCRATCH_X(rwx) : ORIGIN = 0x2007E000, LENGTH = 4k
-    SCRATCH_Y(rwx) : ORIGIN = 0x2007F000, LENGTH = 4k
+    RAM(rwx) : ORIGIN =  0x20040000, LENGTH = 0x40000
+    SCRATCH_X(rwx) : ORIGIN = 0x20080000, LENGTH = 4k
+    SCRATCH_Y(rwx) : ORIGIN = 0x20081000, LENGTH = 4k
 }
 
 ENTRY(_entry_point)

hal/rp2350.c

@@ -1,9 +1,9 @@
 /* rp2350.c
  *
- * Stubs for custom HAL implementation. Defines the 
- * functions used by wolfboot for a specific target.
+ * Custom HAL implementation. Defines the
+ * functions used by wolfboot for raspberry-pi pico2 (rp2350)
  *
- * Copyright (C) 2021 wolfSSL Inc.
+ * Copyright (C) 2025 wolfSSL Inc.
  *
  * This file is part of wolfBoot.
  *
@@ -110,9 +110,6 @@
 
 #endif
 
-
-
-
 #ifdef __WOLFBOOT
 void hal_init(void)
 {
@@ -121,7 +118,6 @@ void hal_init(void)
 #endif
 }
 
-
 #ifdef TZEN
 static void rp2350_configure_sau(void)
 {
@@ -130,8 +126,8 @@ static void rp2350_configure_sau(void)
     sau_init_region(0, 0x10000000, 0x1002FFFF, 1); /* Secure flash */
     sau_init_region(1, 0x10030000, 0x1003FFFF, 1); /* Non-secure-callable flash */
     sau_init_region(2, 0x10040000, 0x101FFFFF, 0); /* Non-secure flash */
-    sau_init_region(3, 0x20000000, 0x20007FFF, 1); /* Secure RAM */
-    sau_init_region(4, 0x20008000, 0x20081FFF, 0); /* Non-secure RAM */
+    sau_init_region(3, 0x20000000, 0x2003FFFF, 1); /* Secure RAM (Low 256K) */
+    sau_init_region(4, 0x20040000, 0x20081FFF, 0); /* Non-secure RAM (High 256 + 8K) */
     sau_init_region(6, 0x40000000, 0x5FFFFFFF, 0); /* Non-secure peripherals */
     sau_init_region(7, 0xD0000000, 0xDFFFFFFF, 0); /* Non-secure SIO region */
 
@@ -159,37 +155,32 @@ static void rp2350_configure_nvic(void)
 static void rp2350_configure_access_control(void)
 {
     int i;
-    /* Reset ACCESSCTRL */
-    const uint32_t secure_fl = (ACCESS_BITS_SU | ACCESS_BITS_SP | ACCESS_BITS_DMA | ACCESS_BITS_DBG | ACCESS_BITS_CORE0 | ACCESS_BITS_CORE1) | ACCESS_MAGIC;
+    const uint32_t secure_fl = (ACCESS_BITS_SU | ACCESS_BITS_SP | ACCESS_BITS_DMA | ACCESS_BITS_DBG | ACCESS_BITS_CORE0) | ACCESS_MAGIC;
     const uint32_t non_secure_fl = (ACCESS_BITS_NSU | ACCESS_BITS_NSP | ACCESS_BITS_DMA | ACCESS_BITS_DBG | ACCESS_BITS_CORE0 | ACCESS_BITS_CORE1) | ACCESS_MAGIC;
 
-    //ACCESS_CONTROL_CFGRESET = 1;
-    /* Corresponding regions for the secure flash and RAM */
-    /*
-    for(i = 0; i < 2; i++) {
+    /* Set access control to Secure for lower RAM (0x20000000 - 0x2003FFFF) */
+    for (i = 0; i < 4; i ++)
         ACCESS_CONTROL_SRAM(i) = secure_fl;
-    }
-    */
-    for (i = 0; i < 10; i++) {
+
+    /* Set access control to Non-secure for upper RAM (0x20040000 - 0x20081FFF) */
+    for (i = 4; i < 10; i++)
         ACCESS_CONTROL_SRAM(i) = non_secure_fl | secure_fl;
-    }
+
+    /* Set access control for peripherals */
     ACCESS_CONTROL_ROM = secure_fl | non_secure_fl;
     ACCESS_CONTROL_XIP_MAIN = non_secure_fl | secure_fl;
     ACCESS_CONTROL_DMA = non_secure_fl;
     ACCESS_CONTROL_TRNG = secure_fl;
-    ACCESS_CONTROL_SYSCFG = secure_fl | non_secure_fl;
+    ACCESS_CONTROL_SYSCFG = secure_fl;
     ACCESS_CONTROL_SHA256 = secure_fl;
-    ACCESS_CONTROL_GPIOMASK0 = 0xFFFFFFFF;
-    ACCESS_CONTROL_GPIOMASK1 = 0xFFFFFFFF;
     ACCESS_CONTROL_IO_BANK0 = non_secure_fl | secure_fl;
     ACCESS_CONTROL_IO_BANK1 = non_secure_fl | secure_fl;
     ACCESS_CONTROL_PADS_BANK0 = non_secure_fl | secure_fl;
-//    ACCESS_CONTROL_FORCE_CORE_NS = (1 << 1); /* Force core 1 to non-secure */
     ACCESS_CONTROL_PIO0 = non_secure_fl | secure_fl;
     ACCESS_CONTROL_PIO1 = non_secure_fl | secure_fl;
     ACCESS_CONTROL_PIO2 = non_secure_fl | secure_fl;
 
-    ACCESS_CONTROL_I2C0   = non_secure_fl|secure_fl;
+    ACCESS_CONTROL_I2C0   = non_secure_fl |secure_fl;
     ACCESS_CONTROL_I2C1   = non_secure_fl | secure_fl;
     ACCESS_CONTROL_PWM    = non_secure_fl | secure_fl;
     ACCESS_CONTROL_SPI0   = non_secure_fl | secure_fl;
@@ -201,10 +192,18 @@ static void rp2350_configure_access_control(void)
     ACCESS_CONTROL_ADC    = non_secure_fl | secure_fl;
     ACCESS_CONTROL_RESETS = non_secure_fl | secure_fl;
 
+    /* Force core 1 to non-secure */
+    ACCESS_CONTROL_FORCE_CORE_NS = (1 << 1) | ACCESS_MAGIC;
+
+    /* GPIO masks: Each bit represents "NS allowed" for a GPIO pin */
+    ACCESS_CONTROL_GPIOMASK0 = 0xFFFFFFFF;
+    ACCESS_CONTROL_GPIOMASK1 = 0xFFFFFFFF;
+
     CPACR |= 0x000000FF; /* Enable access to coprocessors CP0-CP7 */
     NSACR |= 0x000000FF; /* Enable non-secure access to coprocessors CP0-CP7 */
 
-//    ACCESS_CONTROL_LOCK = (1 << 0) | (1 << 1) | (1 << 3);
+    /* Lock access control */
+    ACCESS_CONTROL_LOCK = non_secure_fl | secure_fl;
 }
 #endif
 

hal/rp2350.ld

@@ -23,10 +23,12 @@
 
 MEMORY
 {
-    FLASH(rx) : ORIGIN = 0x10000000, LENGTH = 256k
-    RAM(rwx) : ORIGIN =  0x20000000, LENGTH = 24k
-    SCRATCH_X(rwx) : ORIGIN = 0x20006000, LENGTH = 4k 
-    SCRATCH_Y(rwx) : ORIGIN = 0x20007000, LENGTH = 4k
+    FLASH(rx)      : ORIGIN = 0x10000000, LENGTH = 0x38000
+    FLASH_NSC(rx)  : ORIGIN = 0x10038000, LENGTH = 0x8000
+
+    RAM(rwx)       : ORIGIN = 0x20000000, LENGTH = 0x3E000
+    SCRATCH_X(rwx) : ORIGIN = 0x2003E000, LENGTH = 4k
+    SCRATCH_Y(rwx) : ORIGIN = 0x2003F000, LENGTH = 4k
 }
 
 ENTRY(_entry_point)
@@ -100,6 +102,12 @@ SECTIONS
         . = ALIGN(4);
     } > FLASH
 
+    .gnu.sgstubs :
+    {
+        *(.gnu.sgstubs*)   /* Secure Gateway stubs */
+        . = ALIGN(4);
+    } >FLASH_NSC
+
     /* Note the boot2 section is optional, and should be discarded if there is
        no reference to it *inside* the binary, as it is not called by the
        bootrom. (The bootrom performs a simple best-effort XIP setup and