wolfSSL · dgarske · May 8, 2026 · May 8, 2026 · May 11, 2026 · May 29, 2026
diff --git a/hal/stm32_tz.c b/hal/stm32_tz.c
@@ -200,6 +200,12 @@ void hal_tz_release_nonsecure_area(void)
 
 #define SET_GTZC1_MPCBBx_SECCFGR_VCTR(bank,n,val) \
     (*((volatile uint32_t *)(GTZC1_MPCBB##bank##_SECCFGR) + n )) = val
+/* PRIVCFGR_VCTR sits 0x100 bytes (0x40 words) after SECCFGR_VCTR in each
+ * MPCBB block. */
+#define GTZC_MPCBB_PRIVCFGR_WORD_OFFSET (0x100u / sizeof(uint32_t))
+#define SET_GTZC1_MPCBBx_PRIVCFGR_VCTR(bank,n,val) \
+    (*((volatile uint32_t *)(GTZC1_MPCBB##bank##_SECCFGR) + \
+        GTZC_MPCBB_PRIVCFGR_WORD_OFFSET + n )) = val
 
 void hal_gtzc_init(void)
 {
@@ -209,17 +215,32 @@ void hal_gtzc_init(void)
      * 0: Non-secure access only to block
      */
 
-    /* Configure SRAM1 as secure (Low 256 KB) */
+    /* Configure SRAM1 as secure (Low 256 KB).
+     * wolfBoot links its own RAM/RAM_HEAP into the SRAM1 secure alias
+     * (0x30000000-0x3003FFFF, see hal/stm32h5.ld), so SRAM1 must stay
+     * secure for wolfBoot's .bss/stack/heap to remain accessible. */
     for (i = 0; i < 16; i++) {
         SET_GTZC1_MPCBBx_SECCFGR_VCTR(1, i, 0xFFFFFFFF);
     }
 
-    /* Configure SRAM2 as secure (64 KB) */
+    /* Configure SRAM2 as non-secure (64 KB) and unprivileged. SRAM2 is
+     * the ETH DMA arena: the NS wolfIP app pins its ETH descriptors and
+     * buffers (.eth_buffers) into SRAM2. wolfBoot does not use SRAM2.
+     * The PRIVCFGR clear is required because the H5 ETH DMA master is
+     * unprivileged; with the reset default (PRIVCFGR=0xFFFFFFFF) the
+     * DMA's descriptor/buffer reads from SRAM2 raise illegal-access
+     * (TZIC1_SR4 bit 26) and the channel suspends with TPS=6 (TBU). */
     for (i = 0; i < 4; i++) {
-        SET_GTZC1_MPCBBx_SECCFGR_VCTR(2, i, 0xFFFFFFFF);
+        SET_GTZC1_MPCBBx_SECCFGR_VCTR(2, i, 0x0);
+        SET_GTZC1_MPCBBx_PRIVCFGR_VCTR(2, i, 0x0);
     }
 
-    /* Configure SRAM3 as non-secure (320 KB) */
+    /* Configure SRAM3 as non-secure (320 KB) but PRIVILEGED. The NS CPU
+     * runs privileged (Thread mode) and can use SRAM3 freely; only the
+     * unprivileged ETH DMA master needs unprivileged RAM, and its
+     * descriptors/buffers are pinned to SRAM2 (.eth_buffers). Leaving
+     * SRAM3 privileged lets a future NS OS own the unprivileged
+     * boundary. */
     for (i = 0; i < 20; i++) {
         SET_GTZC1_MPCBBx_SECCFGR_VCTR(3, i, 0x0);
     }
@@ -310,8 +331,11 @@ void hal_tz_sau_init(void)
     sau_init_region(1, WOLFBOOT_PARTITION_BOOT_ADDRESS,
             WOLFBOOT_PARTITION_BOOT_ADDRESS + WOLFBOOT_PARTITION_SIZE - 1, 0);
 
-    /* Non-secure RAM region */
-    sau_init_region(2, 0x20050000, 0x2009FFFF, 0);
+    /* Non-secure RAM region: SRAM2 (64 KB) + SRAM3 (320 KB).
+     * Lower bound widened from 0x20050000 to 0x20040000 to cover SRAM2,
+     * which hal_gtzc_init also leaves non-secure. SRAM1 (0x20000000-
+     * 0x2003FFFF) stays secure for wolfBoot's own RAM/heap. */
+    sau_init_region(2, 0x20040000, 0x2009FFFF, 0);
 
     /* Non-secure: internal peripherals */
     sau_init_region(3, 0x40000000, 0x4FFFFFFF, 0);

diff --git a/hal/stm32h5.c b/hal/stm32h5.c
@@ -642,6 +642,23 @@ static void periph_unsecure(void)
     nvic_reg_off = NVIC_USART3_IRQ % 32;
     nvic_itns = ((volatile uint32_t *)(NVIC_ITNS_BASE + 4 * nvic_reg_pos));
     *nvic_itns |= (1 << nvic_reg_off);
+
+    /* H5 product state with TZEN=1 defaults every GPIO pin to secure
+     * via GPIOx_SECCFGR (offset 0x30 in each GPIO block, all 16 bits
+     * = 0xFFFF at reset). Until those bits are cleared, NS code can't
+     * read or write the pin's MODER/AFR/ODR, and the corresponding
+     * clock-enable bit in RCC_AHB2ENR is masked from the NS side.
+     *
+     * Clear SECCFGR for every pin on the ports the wolfIP NS app uses
+     * (RMII + USART3 + LED), then enable GPIOG's clock (the existing
+     * code only covered A/B/C/D). PD8 (USART3 TX) is already cleared
+     * above, but covering all of GPIOD is harmless. */
+    GPIO_SECCFGR(GPIOA_BASE) = 0u;
+    GPIO_SECCFGR(GPIOB_BASE) = 0u;
+    GPIO_SECCFGR(GPIOC_BASE) = 0u;
+    GPIO_SECCFGR(GPIOD_BASE) = 0u;
+    GPIO_SECCFGR(GPIOG_BASE) = 0u;
+    RCC_AHB2_CLOCK_ER |= GPIOG_AHB2_CLOCK_ER;
 }
 #endif /* TZ_SECURE() */