|
| 1 | +# Makefile - top-level wrapper for the wolfHSM TrustZone demo on STM32H5 |
| 2 | +# |
| 3 | +# Copyright (C) 2026 wolfSSL Inc. |
| 4 | +# |
| 5 | +# This file is part of wolfBoot. |
| 6 | +# |
| 7 | +# wolfBoot is free software; you can redistribute it and/or modify |
| 8 | +# it under the terms of the GNU General Public License as published by |
| 9 | +# the Free Software Foundation; either version 3 of the License, or |
| 10 | +# (at your option) any later version. |
| 11 | +# |
| 12 | +# wolfBoot is distributed in the hope that it will be useful, |
| 13 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 14 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 15 | +# GNU General Public License for more details. |
| 16 | + |
| 17 | +# This Makefile is a convenience wrapper around the top-level wolfBoot |
| 18 | +# build. It stages the stm32h5-tz-wolfhsm config, builds the secure |
| 19 | +# wolfBoot image (with the wolfHSM server linked in) and the non-secure |
| 20 | +# test application (which connects to the server via the ARMv8-M NSC |
| 21 | +# bridge and runs whTest_ClientConfig), and stages both binaries here |
| 22 | +# for flashing. |
| 23 | +# |
| 24 | +# Quick start: |
| 25 | +# make # build wolfboot.bin + test app, stage in ./out/ |
| 26 | +# ./load.sh # flash to a NUCLEO-H563ZI and open a serial console |
| 27 | +# make emu # run the m33mu emulator over the built binaries |
| 28 | +# make clean # drop staged artifacts (keeps the wolfBoot tree) |
| 29 | +# make distclean # also wipe wolfBoot build state |
| 30 | + |
| 31 | +PORT_DIR := $(abspath $(dir $(lastword $(MAKEFILE_LIST)))) |
| 32 | +WOLFBOOT_ROOT := $(abspath $(PORT_DIR)/../../..) |
| 33 | +CONFIG_EXAMPLE := $(WOLFBOOT_ROOT)/config/examples/stm32h5-tz-wolfhsm.config |
| 34 | +CONFIG_TARGET := $(WOLFBOOT_ROOT)/.config |
| 35 | +OUT_DIR := $(PORT_DIR)/out |
| 36 | + |
| 37 | +# Default to the lib/wolfHSM submodule (matches wolfBoot's own |
| 38 | +# Makefile). Override with `make WOLFBOOT_LIB_WOLFHSM=...` to point |
| 39 | +# at a different wolfHSM checkout. |
| 40 | +WOLFBOOT_LIB_WOLFHSM ?= $(WOLFBOOT_ROOT)/lib/wolfHSM |
| 41 | + |
| 42 | +WOLFBOOT_BIN := $(WOLFBOOT_ROOT)/wolfboot.bin |
| 43 | +TEST_APP_BIN := $(WOLFBOOT_ROOT)/test-app/image_v1_signed.bin |
| 44 | + |
| 45 | +# Address the test app must be flashed to. Read from the staged .config |
| 46 | +# so it stays in sync with what wolfBoot itself was built against. |
| 47 | +BOOT_ADDR := 0x08060000 |
| 48 | + |
| 49 | +# Forward extra options to the wolfBoot top-level make. Example: |
| 50 | +# make WOLFBOOT_MAKE_FLAGS='V=1' |
| 51 | +WOLFBOOT_MAKE_FLAGS ?= |
| 52 | + |
| 53 | +.PHONY: all build stage clean distclean emu flash help |
| 54 | + |
| 55 | +all: build stage |
| 56 | + |
| 57 | +# Stage the config and run the wolfBoot top-level build. wolfBoot itself |
| 58 | +# emits wolfboot.bin (secure image) and test-app/image_v1_signed.bin |
| 59 | +# (the non-secure test application). With WOLFCRYPT_TZ_WOLFHSM=1 in the |
| 60 | +# staged config, the non-secure app calls cmd_wolfhsm_test(), which |
| 61 | +# initialises the wolfHSM client over the NSC bridge and runs the |
| 62 | +# wolfHSM client test suite against the in-secure-world server. |
| 63 | +# |
| 64 | +# We `cd` into WOLFBOOT_ROOT rather than using `$(MAKE) -C ...` because |
| 65 | +# the wolfBoot sign step shells out with `./tools/keytools/sign`, which |
| 66 | +# resolves against the original process cwd. From a sub-directory the |
| 67 | +# relative path fails; cd-ing keeps the resolution correct. |
| 68 | +build: $(CONFIG_TARGET) |
| 69 | + @echo "==> wolfBoot build (stm32h5-tz-wolfhsm)" |
| 70 | + @echo "==> WOLFBOOT_LIB_WOLFHSM=$(WOLFBOOT_LIB_WOLFHSM)" |
| 71 | + cd $(WOLFBOOT_ROOT) && $(MAKE) wolfboot.bin WOLFBOOT_LIB_WOLFHSM=$(WOLFBOOT_LIB_WOLFHSM) $(WOLFBOOT_MAKE_FLAGS) |
| 72 | + cd $(WOLFBOOT_ROOT) && $(MAKE) test-app/image_v1_signed.bin WOLFBOOT_LIB_WOLFHSM=$(WOLFBOOT_LIB_WOLFHSM) $(WOLFBOOT_MAKE_FLAGS) |
| 73 | + |
| 74 | +$(CONFIG_TARGET): $(CONFIG_EXAMPLE) |
| 75 | + @echo "==> Staging config: $(CONFIG_EXAMPLE) -> $(CONFIG_TARGET)" |
| 76 | + cp $(CONFIG_EXAMPLE) $(CONFIG_TARGET) |
| 77 | + |
| 78 | +# Copy the produced binaries into ./out so this directory is the single |
| 79 | +# place the user has to look. Also drop the boot address into a small |
| 80 | +# manifest so load.sh and CI scripts do not have to re-parse .config. |
| 81 | +stage: build |
| 82 | + @mkdir -p $(OUT_DIR) |
| 83 | + cp $(WOLFBOOT_BIN) $(OUT_DIR)/wolfboot.bin |
| 84 | + cp $(TEST_APP_BIN) $(OUT_DIR)/image_v1_signed.bin |
| 85 | + @echo "BOOT_ADDR=$(BOOT_ADDR)" > $(OUT_DIR)/manifest.env |
| 86 | + @echo "WOLFBOOT_BIN=$(OUT_DIR)/wolfboot.bin" >> $(OUT_DIR)/manifest.env |
| 87 | + @echo "TEST_APP_BIN=$(OUT_DIR)/image_v1_signed.bin" >> $(OUT_DIR)/manifest.env |
| 88 | + @echo "==> Staged in $(OUT_DIR):" |
| 89 | + @ls -l $(OUT_DIR) |
| 90 | + |
| 91 | +# Convenience: invoke load.sh from anywhere. |
| 92 | +flash: stage |
| 93 | + $(PORT_DIR)/load.sh |
| 94 | + |
| 95 | +# Run the wolfBoot m33mu emulator harness over the produced binaries. |
| 96 | +# This uses wolfBoot's own emulator script so the test path is identical |
| 97 | +# to what runs in CI. |
| 98 | +emu: stage |
| 99 | + cd $(WOLFBOOT_ROOT)/test-app/emu-test-apps && \ |
| 100 | + TARGET=stm32h5 ./test.sh |
| 101 | + |
| 102 | +clean: |
| 103 | + rm -rf $(OUT_DIR) |
| 104 | + |
| 105 | +distclean: clean |
| 106 | + cd $(WOLFBOOT_ROOT) && $(MAKE) clean distclean |
| 107 | + rm -f $(CONFIG_TARGET) |
| 108 | + |
| 109 | +help: |
| 110 | + @echo "Targets:" |
| 111 | + @echo " make Build wolfboot.bin + signed test app, stage in ./out" |
| 112 | + @echo " make flash Build (if needed) and flash via load.sh" |
| 113 | + @echo " make emu Build (if needed) and run wolfBoot m33mu harness" |
| 114 | + @echo " make clean Drop ./out" |
| 115 | + @echo " make distclean Also clean the wolfBoot tree and drop .config" |
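Review bot: `BOOT_ADDR := 0x08060000` (new line 47) is hard-coded, although the comment directly above it says the value is read from the staged .config, so `manifest.env` can disagree with the partition address wolfBoot was actually built against. The drift is reachable as written: the `$(CONFIG_TARGET): $(CONFIG_EXAMPLE)` rule only copies when `.config` is missing or older than the example, so a newer pre-existing `.config` (possibly for another target, or without the TrustZone/wolfHSM options) is built as-is while the manifest still reports 0x08060000. According to the `stage` comment, load.sh and CI scripts take the address from that manifest, so the non-secure image could be written to an address the secure bootloader does not verify or boot from. Either reword the comment to say the constant must be kept in step with the config by hand, or make `stage` fail on mismatch with a guard such as `@grep -q 'WOLFBOOT_PARTITION_BOOT_ADDRESS.*$(BOOT_ADDR)' $(CONFIG_TARGET)`. That guard assumes the example config carries the address under that key, which should be confirmed.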