Support for PUF in LPC55S69

.github/workflows/test-configs.yml

@@ -151,6 +151,27 @@ jobs:
       config-file: ./config/examples/lpc55s69-tz.config
       board-name: lpcxpresso55s69
 
+  lpc55s69_tz_psa_test:
+    uses: ./.github/workflows/test-build-mcux-sdk-manifests.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/lpc55s69-tz-psa.config
+      board-name: lpcxpresso55s69
+
+  lpc55s69_hwpuf_test:
+    uses: ./.github/workflows/test-build-mcux-sdk-manifests.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/lpc55s69-hwpuf.config
+      board-name: lpcxpresso55s69
+
+  lpc55s69_benchmark_test:
+    uses: ./.github/workflows/test-build-mcux-sdk-manifests.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/lpc55s69-benchmark.config
+      board-name: lpcxpresso55s69
+
   nrf52840_test:
     uses: ./.github/workflows/test-build.yml
     with:

arch.mk

@@ -1361,6 +1361,7 @@ ifeq ($(TARGET),lpc55s69)
       -I$(MCUXPRESSO)/drivers/iap1 \
       -I$(MCUXPRESSO)/drivers/lpc_gpio \
       -I$(MCUXPRESSO)/drivers/lpc_iocon \
+      -I$(MCUXPRESSO)/drivers/puf \
       -I$(MCUXPRESSO)/drivers/rng_1 \
       -I$(MCUXPRESSO_CMSIS)/Include \
       -I$(MCUXPRESSO_CMSIS)/Core/Include
@@ -1392,6 +1393,14 @@ ifeq ($(TARGET),lpc55s69)
         $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/nxp/casper_port.o \
         $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/nxp/hashcrypt_port.o
   endif
+  ifeq ($(HWPUF),1)
+    CFLAGS+=-DWOLFSSL_HWPUF -DWOLFSSL_NXP_HWPUF
+    OBJS+=\
+        $(MCUXPRESSO)/drivers/puf/fsl_puf.o \
+        $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/cryptocb.o \
+        $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/hwpuf.o \
+        $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/nxp/hwpuf_port.o
+  endif
 endif
 
 ifeq ($(TARGET),psoc6)

config/examples/lpc55s69-benchmark.config

@@ -31,8 +31,6 @@ FLASH_MULTI_SECTOR_ERASE?=1
 # Turn on or off hw acceleration of crypto algs in the lpc55s69
 PKA?=0
 
-# use 1024-byte sector to accommodate RSA4096 signature
-# WOLFBOOT_SECTOR_SIZE?=0x400
 WOLFBOOT_SECTOR_SIZE?=0x200
 
 # use these for test/benchmark

config/examples/lpc55s69-hwpuf.config

@@ -0,0 +1,44 @@
+ARCH?=ARM
+TZEN?=0
+TARGET?=lpc55s69
+SIGN?=ECC384
+HASH?=SHA256
+MCUXSDK?=1
+MCUXPRESSO?=$(PWD)/../NXP/mcuxpresso-sdk/mcuxsdk
+MCUXPRESSO_CMSIS?=$(PWD)/../NXP/CMSIS_5/CMSIS
+MCUXPRESSO_CPU?=LPC55S69JBD100_cm33_core0
+MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/LPC/LPC5500/LPC55S69
+MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/lpcxpresso55s69/project_template
+DEBUG?=0
+DEBUG_UART?=1
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+NO_ARM_ASM=1
+WOLFBOOT_VERSION?=0
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+DUALBANK_SWAP?=0
+FLASH_MULTI_SECTOR_ERASE?=1
+
+# Turn on or off hw acceleration of crypto algs in the lpc55s69
+PKA?=0
+# Turn on or off hw puf
+HWPUF?=0
+
+WOLFBOOT_SECTOR_SIZE?=0x200
+
+# use these for test/benchmark
+WOLFBOOT_PARTITION_SIZE?=0x2b000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x10000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x3b000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x66000
+
+WOLFCRYPT_TEST?=1

config/examples/lpc55s69-tz-psa.config

@@ -0,0 +1,48 @@
+ARCH?=ARM
+TZEN?=1
+TARGET?=lpc55s69
+SIGN?=ECC384
+HASH?=SHA256
+MCUXSDK?=1
+MCUXPRESSO?=$(PWD)/../NXP/mcuxpresso-sdk/mcuxsdk
+MCUXPRESSO_CMSIS?=$(PWD)/../NXP/CMSIS_5/CMSIS
+MCUXPRESSO_CPU?=LPC55S69JBD100_cm33_core0
+MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/LPC/LPC5500/LPC55S69
+MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/lpcxpresso55s69/project_template
+DEBUG?=0
+DEBUG_UART?=1
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+NO_ARM_ASM=1
+WOLFBOOT_VERSION?=0
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+DUALBANK_SWAP?=0
+FLASH_MULTI_SECTOR_ERASE?=1
+WOLFCRYPT_TZ?=1
+WOLFCRYPT_TZ_PSA?=1
+WOLFBOOT_ATTESTATION_TEST?=1
+WOLFBOOT_UDS_UID_FALLBACK_FORTEST?=1
+PKA?=0
+HWPUF?=0
+WOLFBOOT_HWPUF_PROVISION?=0
+
+WOLFBOOT_SECTOR_SIZE?=0x200
+
+# 200KB boot, 80KB keyvault, 8KB NSC, 56KB partitions, 512 swap
+WOLFBOOT_KEYVAULT_ADDRESS?=0x10032000
+WOLFBOOT_KEYVAULT_SIZE?=0x14000
+WOLFBOOT_NSC_ADDRESS?=0x10046000
+WOLFBOOT_NSC_SIZE?=0x2000
+WOLFBOOT_PARTITION_SIZE?=0xE000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x00048000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x00056000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x00064000

config/examples/lpc55s69-tz.config

@@ -33,11 +33,9 @@ WOLFCRYPT_TZ_PKCS11?=1
 # Turn on or off hw acceleration of crypto algs in the lpc55s69
 PKA?=0
 
-# use 1024-byte sector to accommodate RSA4096 signature
-# WOLFBOOT_SECTOR_SIZE?=0x400
 WOLFBOOT_SECTOR_SIZE?=0x200
 
-# 200KB boot, 80KB keyvault, 8KB NSC, 56KB partitions, 512/1024 swap
+# 200KB boot, 80KB keyvault, 8KB NSC, 56KB partitions, 512 swap
 WOLFBOOT_KEYVAULT_ADDRESS?=0x10032000
 WOLFBOOT_KEYVAULT_SIZE?=0x14000
 WOLFBOOT_NSC_ADDRESS?=0x10046000

config/examples/lpc55s69.config

@@ -31,12 +31,10 @@ FLASH_MULTI_SECTOR_ERASE?=1
 # Turn on or off hw acceleration of crypto algs in the lpc55s69
 PKA?=0
 
-# use 1024-byte sector to accommodate RSA4096 signature
-# WOLFBOOT_SECTOR_SIZE?=0x400
 WOLFBOOT_SECTOR_SIZE?=0x200
 
 # Default configuration
-# 44KB boot, 52KB partitions, 512/1024 swap
+# 44KB boot, 52KB partitions, 512 swap
 WOLFBOOT_PARTITION_SIZE?=0xB000
 WOLFBOOT_PARTITION_BOOT_ADDRESS?=0xD000
 WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x18000

docs/Targets.md

@@ -2841,6 +2841,57 @@ Basic hardware acceleration supported:
 
 See [Test and Benchmark](#lpc55s69-test-and-benchmark) for a comparison with and without hardware acceleration.
 
+### LPC55S69: Hardware PUF (HWPUF)
+
+wolfBoot / wolfCrypt provide support for the LPC55S69's SRAM PUF (Physically
+Unclonable Function), which provides root of trust, identity, and key
+generation & storage, without the need to expose keys during manufacturing.
+Keys of size 128, 192, and 256 bits are supported.
+To turn on HWPUF, set HWPUF=1 in the config file (see below).
+
+### LPC55S69: Example Configurations
+
+#### The following example configurations are provided:
+
+- [lpc55s69.config](/config/examples/lpc55s69.config):
+  - Both wolfBoot and the test-app live in the non-secure realm
+  - Set PKA=1 in the config file to turn on hardware acceleration
+  (off by default)
+
+- [lpc55s69-benchmark.config](/config/examples/lpc55s69-benchmark.config):
+  - Same as `lpc55s69.config`, but turns on test and benchmark code
+  - Set PKA=1 in the config file to turn on hardware acceleration
+  (off by default)
+
+- [lpc55s69-hwpuf.config](/config/examples/lpc55s69-hwpuf.config):
+  - Same as `lpc55s69.config`, but turns on test code showing how to use the
+  hwpuf api
+  - Set HWPUF=1 in the config file to turn on HWPUF support (off by default)
+
+- [lpc55s69-tz.config](/config/examples/lpc55s69-tz.config):
+  - wolfBoot lives in the secure realm, test-app lives in the non-secure realm
+  - Provides a standard PKCS #11 api to interface with crypto algs in the secure
+  realm
+
+- [lpc55s69-tz-psa.config](/config/examples/lpc55s69-tz-psa.config):
+  - wolfBoot lives in the secure realm, test-app lives in the non-secure realm
+  - Provides a standard PSA api to interface with crypto algs in the secure
+  realm
+  - Provides an example of PSA Attestation
+  - To turn on HWPUF for use with attestation, set the following in the config
+  file:
+    - WOLFBOOT_UDS_UID_FALLBACK_FORTEST=0
+    - HWPUF=1
+    - WOLFBOOT_HWPUF_PROVISION=1
+
+#### Summary of configurables applicable to all lpc55s69 example configurations:
+- `PKA` : Turn on/off hardware acceleration of crypto algs
+- `HWPUF` : Turn on/off support for the hardware PUF
+- `WOLFBOOT_HWPUF_PROVISION` : Turn on/off auto-provisioning of the HWPUF on
+first boot.  Performs PUF enrollment and generates a UDS key for device
+attestation.  Stores PUF keycodes in a known flash location and uses them when
+necessary.
+
 ### LPC55S69: Configuring and compiling
 
 Copy the example configuration file and build with make:
@@ -2850,9 +2901,6 @@ cp config/examples/lpc55s69.config .config
 make
 ```
 
-We also provide a TrustZone configuration at `config/examples/lpc55s69-tz.config`
-and a benchmarking configuration at `config/examples/lpc55s69-benchmark.config`.
-
 ### LPC55S69: Loading the firmware
 
 Download and install the LinkServer tool: