Add hardware-based DICE on mcxn

Author: yosuke-wolfssl

arch.mk

@@ -865,6 +865,15 @@ ifeq ($(TARGET),mcxn)
       $(MCUXPRESSO)/drivers/lpuart/fsl_lpuart.o \
       $(MCUXPRESSO_DRIVERS)/drivers/fsl_reset.o
   endif
+
+  ifeq ($(WOLFCRYPT_TZ_PSA),1)
+    ELS_PKC=$(MCUXPRESSO)/components/els_pkc
+    CFLAGS+=\
+      -I$(ELS_PKC)/includes \
+      -I$(ELS_PKC)/src/comps/mcuxClEls/inc \
+      -I$(ELS_PKC)/src/platforms/mcxn
+    # mcuxClEls_* functions dispatch through the ROM API; verify if .o files are needed.
+  endif
 endif
 
 ifeq ($(TARGET),nrf5340)

config/examples/mcxn-tz-psa.config

@@ -0,0 +1,48 @@
+ARCH?=ARM
+TZEN?=1
+TARGET?=mcxn
+SIGN?=ECC384
+HASH?=SHA384
+MCUXSDK?=1
+MCUXPRESSO?=$(PWD)/../NXP/mcuxpresso-sdk/mcuxsdk
+MCUXPRESSO_CMSIS?=$(PWD)/../NXP/CMSIS_5/CMSIS
+MCUXPRESSO_CPU?=MCXN947VDF_cm33_core0
+MCUXPRESSO_DRIVERS?=$(MCUXPRESSO)/devices/MCX/MCXN/MCXN947
+MCUXPRESSO_PROJECT_TEMPLATE?=$(MCUXPRESSO)/examples/_boards/frdmmcxn947/project_template
+DEBUG?=0
+DEBUG_UART?=1
+VTOR?=1
+CORTEX_M0?=0
+CORTEX_M33?=1
+NO_ASM?=0
+NO_MPU=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+NO_ARM_ASM=1
+WOLFBOOT_VERSION?=0
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+DUALBANK_SWAP?=0
+PKA?=1
+WOLFCRYPT_TZ?=1
+WOLFCRYPT_TZ_PSA?=1
+WOLFCRYPT_SECURE_MODE?=1
+WOLFBOOT_DICE_HW?=1
+IMAGE_HEADER_SIZE?=1024
+
+# 8KB sectors
+WOLFBOOT_SECTOR_SIZE?=0x2000
+
+# Default configuration
+# 192KB boot, 96KB keyvault, 8KB NSC, 72KB partitions, 8KB swap
+WOLFBOOT_KEYVAULT_ADDRESS?=0x30000
+WOLFBOOT_KEYVAULT_SIZE?=0x18000
+WOLFBOOT_NSC_ADDRESS?=0x48000
+WOLFBOOT_NSC_SIZE?=0x2000
+WOLFBOOT_PARTITION_SIZE?=0x12000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x4A000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x5C000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x6E000

hal/hal.c

@@ -321,3 +321,27 @@ WEAKFUNCTION int hal_attestation_get_iak_private_key(uint8_t *buf, size_t *len)
     (void)len;
     return -1;
 }
+
+#ifdef WOLFBOOT_DICE_HW
+WEAKFUNCTION int hal_dice_update_cdi(const uint8_t *measurement, size_t meas_len)
+{
+    (void)measurement;
+    (void)meas_len;
+    return -1;
+}
+
+WEAKFUNCTION int hal_dice_create_attest_key(void)
+{
+    return -1;
+}
+
+WEAKFUNCTION int hal_dice_sign_hash(const uint8_t *hash, size_t hash_len,
+                                    uint8_t *sig, size_t *sig_len)
+{
+    (void)hash;
+    (void)hash_len;
+    (void)sig;
+    (void)sig_len;
+    return -1;
+}
+#endif /* WOLFBOOT_DICE_HW */

hal/mcxn.c

@@ -40,6 +40,13 @@
 #include "hal/armv8m_tz.h"
 #endif
 
+#if defined(WOLFCRYPT_TZ_PSA) && defined(WOLFBOOT_DICE_HW)
+#include "mcuxClEls.h"
+#include "mcuxClEls_Kdf.h"
+#include "mcuxClEls_Ecc.h"
+#include "mcuxClEls_KeyManagement.h"
+#endif
+
 #ifdef WOLFCRYPT_SECURE_MODE
 void hal_trng_init(void);
 int hal_trng_get_entropy(unsigned char *out, unsigned int len);
@@ -212,7 +219,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
     return 0;
 }
 
-#ifdef WOLFCRYPT_SECURE_MODE
+#if defined(WOLFCRYPT_SECURE_MODE) && !defined(NONSECURE_APP)
 #define ELS_CMD_RND_REQ 24U
 
 void hal_trng_init(void)
@@ -383,3 +390,172 @@ void uart_write(const char *buf, unsigned int sz)
         sz -= line_sz + 1U;
     }
 }
+
+#if defined(WOLFCRYPT_TZ_PSA) && defined(WOLFBOOT_DICE_HW)
+
+/* Key slot holding the UDS (pre-loaded by ROM before DICE).
+ * TODO: Verify slot number from MCXN947 RM / ROM source. */
+#define MCXN_ELS_DICE_UDS_KEYSLOT           0U   /* TODO: verify */
+
+/* Key slot pre-loaded by ROM DICE: HKDF(UDS, wolfBoot_hash) -> initial CDI.
+ * TODO: Verify slot number from MCXN947 RM / ROM source. */
+#define MCXN_ELS_DICE_CDI_INITIAL_KEYSLOT   0U   /* TODO: verify */
+
+/* wolfBoot stores the boot-measurement-derived CDI here.
+ * TODO: Confirm this slot is free at runtime (not reserved by ROM or PSA). */
+#define MCXN_ELS_DICE_CDI_DERIVED_KEYSLOT   20U  /* example — verify availability */
+
+/* wolfBoot stores the per-boot IAK (P-256) here.
+ * TODO: Confirm this slot is free at runtime (not reserved by ROM or PSA). */
+#define MCXN_ELS_DICE_IAK_KEYSLOT           21U  /* example — verify availability */
+
+int hal_attestation_get_ueid(uint8_t *buf, size_t *len)
+{
+    /*
+     * Derive 32-byte UEID from UDS via ELS HKDF SP800-56C.
+     * Using the UDS key slot matches the software path hash(UDS) -> UEID.
+     * Output goes to system memory (not a keystore slot).
+     *
+     * buf[0]     = WOLFBOOT_UEID_TYPE_RANDOM (0x01)
+     * buf[1..32] = 32 bytes from ELS HKDF SP800-56C
+     * *len = 33  (= WOLFBOOT_DICE_UEID_LEN)
+     *
+     * TODO: Implement using mcuxClEls_Hkdf_Sp80056c_Async:
+     *   MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...,
+     *       mcuxClEls_Hkdf_Sp80056c_Async(
+     *           MCXN_ELS_DICE_UDS_KEYSLOT,
+     *           &buf[1],
+     *           (uint8_t*)"WOLFBOOT-UEID", 13));
+     *   mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR);
+     *   buf[0] = 0x01;
+     *   *len = 33;
+     */
+    (void)buf;
+    (void)len;
+    return -1; /* placeholder */
+}
+
+int hal_attestation_get_lifecycle(uint32_t *lifecycle)
+{
+    if (lifecycle == NULL)
+        return -1;
+    *lifecycle = 0x3000u; /* PSA_LIFECYCLE_SECURED */
+    return 0;
+}
+
+int hal_dice_update_cdi(const uint8_t *measurement, size_t meas_len)
+{
+    static int cdi_step = 0;
+
+    if (cdi_step == 0) {
+        /*
+         * Component [0] is the wolfBoot hash. The ROM already incorporated
+         * it as: HKDF(UDS, wolfBoot_hash) -> initial_CDI.
+         * Skip re-applying it — doing so would produce the wrong CDI chain.
+         */
+        cdi_step++;
+        return 0;
+    }
+
+    /*
+     * Component [1+]: mix this measurement into the CDI chain via ELS HKDF RFC5869.
+     *
+     * The 32-byte derivation data buffer must be composed as:
+     *   deriv[0..30] = info/label  (31 bytes, zero-padded)
+     *   deriv[31]    = 0x01        (RFC5869 counter byte for single-block expansion)
+     * The SDK does NOT add this formatting automatically.
+     *
+     * NOTE: The exact label policy (truncate SHA-384 to 31 bytes, or pre-hash
+     * to SHA-256 then take first 31 bytes) and alignment with the ROM's approach
+     * for component[0] must be confirmed before finalizing this implementation.
+     * See also: whether a separate RFC5869 Extract step is needed before Expand.
+     *
+     * TODO: Implement using mcuxClEls_KeyDelete_Async + mcuxClEls_Hkdf_Rfc5869_Async:
+     *
+     *   // Step 1: Free target slot (KDELETE, cmd 0xB)
+     *   MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...,
+     *       mcuxClEls_KeyDelete_Async(MCXN_ELS_DICE_CDI_DERIVED_KEYSLOT));
+     *   mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR);
+     *
+     *   // Step 2: Compose derivation data {label[31 bytes], counter[1 byte]}
+     *   uint8_t deriv[MCUXCLELS_HKDF_RFC5869_DERIVATIONDATA_SIZE] = {0};
+     *   size_t label_len = (meas_len < 31u) ? meas_len : 31u;
+     *   memcpy(deriv, measurement, label_len);
+     *   deriv[31] = 0x01u;
+     *
+     *   // Step 3: Derive new CDI into freed slot
+     *   mcuxClEls_HkdfOption_t opts = {0};
+     *   opts.bits.rtfdrvdat = MCUXCLELS_HKDF_VALUE_RTF_DERIV_DISABLE;
+     *   mcuxClEls_KeyProp_t props = {.word.value =
+     *       MCUXCLELS_KEYPROPERTY_VALUE_HKDF | MCUXCLELS_KEYPROPERTY_VALUE_ACTIVE};
+     *   MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...,
+     *       mcuxClEls_Hkdf_Rfc5869_Async(opts,
+     *           MCXN_ELS_DICE_CDI_INITIAL_KEYSLOT,
+     *           MCXN_ELS_DICE_CDI_DERIVED_KEYSLOT,
+     *           props, deriv));
+     *   mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR);
+     */
+    cdi_step++;
+    (void)measurement;
+    (void)meas_len;
+    return -1; /* placeholder */
+}
+
+int hal_dice_create_attest_key(void)
+{
+    /*
+     * Generate P-256 IAK from derived CDI using ELS KEYGEN.
+     * Private key stays in ELS keystore. Public key written to system memory.
+     *
+     * TODO: Implement using mcuxClEls_KeyDelete_Async + mcuxClEls_EccKeyGen_Async:
+     *
+     *   // Step 1: Free target slot (KDELETE, cmd 0xB)
+     *   MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...,
+     *       mcuxClEls_KeyDelete_Async(MCXN_ELS_DICE_IAK_KEYSLOT));
+     *   mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR);
+     *
+     *   // Step 2: Generate IAK into freed slot from derived CDI
+     *   static uint8_t pub_key[64] __attribute__((aligned(4)));
+     *   mcuxClEls_EccKeyGenOption_t opts = {0};
+     *   opts.bits.kgsrc    = 0; // deterministic from CDI key material
+     *   opts.bits.kgtypedh = 0; // signing key (not DH)
+     *   mcuxClEls_KeyProp_t props = {.word.value =
+     *       MCUXCLELS_KEYPROPERTY_VALUE_ECSGN | MCUXCLELS_KEYPROPERTY_VALUE_ACTIVE};
+     *   MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...,
+     *       mcuxClEls_EccKeyGen_Async(opts,
+     *           MCXN_ELS_DICE_CDI_DERIVED_KEYSLOT,
+     *           MCXN_ELS_DICE_IAK_KEYSLOT,
+     *           props, NULL, pub_key));
+     *   mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR);
+     */
+    return -1; /* placeholder */
+}
+
+int hal_dice_sign_hash(const uint8_t *hash, size_t hash_len,
+                       uint8_t *sig, size_t *sig_len)
+{
+    /*
+     * Sign pre-hashed TBS using ELS ECSIGN with the IAK slot.
+     * Output MUST be 64-byte raw R||S (big-endian), NOT DER-encoded.
+     * This matches WOLFBOOT_DICE_SIG_LEN and is used directly in COSE_Sign1.
+     *
+     * TODO: Implement using mcuxClEls_EccSign_Async:
+     *   static uint8_t sig_buf[64] __attribute__((aligned(4)));
+     *   mcuxClEls_EccSignOption_t opts = {0};
+     *   opts.bits.echashchl = 0; // pre-hashed input (not plain message)
+     *   MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...,
+     *       mcuxClEls_EccSign_Async(opts,
+     *           MCXN_ELS_DICE_IAK_KEYSLOT,
+     *           hash, NULL, 0, sig_buf));
+     *   mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR);
+     *   memcpy(sig, sig_buf, 64);
+     *   *sig_len = 64;
+     */
+    (void)hash;
+    (void)hash_len;
+    (void)sig;
+    (void)sig_len;
+    return -1; /* placeholder */
+}
+
+#endif /* WOLFCRYPT_TZ_PSA && WOLFBOOT_DICE_HW */

include/hal.h

@@ -167,6 +167,27 @@ int hal_attestation_get_implementation_id(uint8_t *buf, size_t *len);
 int hal_attestation_get_ueid(uint8_t *buf, size_t *len);
 int hal_attestation_get_iak_private_key(uint8_t *buf, size_t *len);
 
+#ifdef WOLFBOOT_DICE_HW
+/* Hardware DICE hooks — implement these to delegate CDI derivation and
+ * attestation signing to a platform security boundary. */
+
+/* Mix one boot-component measurement into the platform CDI chain.
+ * Called once per component in order (wolfBoot hash first, then boot image hash).
+ * The platform updates its internal CDI state; no CDI material is returned. */
+int hal_dice_update_cdi(const uint8_t *measurement, size_t meas_len);
+
+/* Derive and store the attestation keypair from the current CDI state.
+ * The private key must not be exposed outside the platform security boundary.
+ * Returns 0 on success. */
+int hal_dice_create_attest_key(void);
+
+/* Sign a pre-computed SHA-256 hash with the platform attestation key.
+ * Output: 64-byte raw R||S (big-endian), same format as wolfCrypt ES256.
+ * Must be called after hal_dice_create_attest_key(). */
+int hal_dice_sign_hash(const uint8_t *hash, size_t hash_len,
+                       uint8_t *sig, size_t *sig_len);
+#endif /* WOLFBOOT_DICE_HW */
+
 #ifdef FLASH_OTP_KEYSTORE
 
 int hal_flash_otp_write(uint32_t flashAddress, const void* data, uint16_t length);

options.mk

@@ -876,6 +876,9 @@ endif
 ifeq ($(WOLFCRYPT_TZ_PSA),1)
   CFLAGS+=-DWOLFCRYPT_TZ_PSA
   CFLAGS+=-DWOLFCRYPT_SECURE_MODE
+  ifeq ($(WOLFBOOT_DICE_HW),1)
+    CFLAGS+=-DWOLFBOOT_DICE_HW
+  endif
   CFLAGS+=-DWOLFSSL_PSA_ENGINE
   CFLAGS+=-DWOLFPSA_CUSTOM_STORE
   CFLAGS+=-DNO_DES3 -DNO_DES3_TLS_SUITES