From 6681e54a6a8f4f58372edf9402d1660776163d50 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 27 Jan 2025 10:29:28 +0100 Subject: [PATCH] Working TZ supervisor --- IDE/pico-sdk/rp2350/test-app/CMakeLists.txt | 10 +++ IDE/pico-sdk/rp2350/test-app/runtime.c | 20 ++++++ IDE/pico-sdk/rp2350/wolfboot/CMakeLists.txt | 3 +- arch.mk | 1 + hal/rp2350-app.ld | 39 +++-------- hal/rp2350.c | 72 ++++++++++++++------- src/boot_arm.c | 3 +- 7 files changed, 95 insertions(+), 53 deletions(-) create mode 100644 IDE/pico-sdk/rp2350/test-app/runtime.c diff --git a/IDE/pico-sdk/rp2350/test-app/CMakeLists.txt b/IDE/pico-sdk/rp2350/test-app/CMakeLists.txt index 4de7c6938..789ded85c 100644 --- a/IDE/pico-sdk/rp2350/test-app/CMakeLists.txt +++ b/IDE/pico-sdk/rp2350/test-app/CMakeLists.txt @@ -1,11 +1,13 @@ cmake_minimum_required(VERSION 3.13) set(WOLFBOOT_PATH ../../../../) set(CMAKE_CXX_COMPILER arm-none-eabi-gcc) +set(LIB_PICO_RUNTIME_INIT=0) include(${PICO_SDK_PATH}/pico_sdk_init.cmake) set(PICOTOOL_FETCH_FROM_GIT_PATH ../wolfboot/build/picotool) set(BOOT_STAGE2_FILE ${CMAKE_CURRENT_LIST_DIR}/boot2_empty.S) +set(PICO_NO_RUNTIME 1) project(blink) @@ -15,8 +17,16 @@ pico_sdk_init() add_executable(blink blink.c + runtime.c ) +target_compile_options(blink PRIVATE + -DPICO_RUNTIME_NO_INIT_BOOTROM_RESET=1 + -DPICO_RUNTIME_NO_INIT_CLOCKS=1 + -DPICO_TIME_DEFAULT_ALARM_POOL_DISABLED=1 +) +target_compile_definitions(blink PRIVATE PICO_NO_RUNTIME=1) + pico_set_linker_script(blink ../../../../../hal/rp2350-app.ld) target_link_libraries(blink pico_stdlib) diff --git a/IDE/pico-sdk/rp2350/test-app/runtime.c b/IDE/pico-sdk/rp2350/test-app/runtime.c new file mode 100644 index 000000000..f22aa5e57 --- /dev/null +++ b/IDE/pico-sdk/rp2350/test-app/runtime.c 
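Review bot: `set(LIB_PICO_RUNTIME_INIT=0)` near the top of test-app/CMakeLists.txt does not set anything: with a single argument CMake takes the whole token `LIB_PICO_RUNTIME_INIT=0` as a variable name and gives it no value. If the intent is to switch off the SDK runtime init for the non-secure app, write `set(LIB_PICO_RUNTIME_INIT 0)` or pass it as a compile definition, and confirm that the SDK actually reads a variable of that name. The `set(PICO_NO_RUNTIME 1)` added a few lines below uses the two-argument form, so the two lines are inconsistent as written.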
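Review bot: The three `-DPICO_...` switches in the new `target_compile_options(blink PRIVATE ...)` call are preprocessor definitions and belong in the `target_compile_definitions` call added directly below it, e.g. `target_compile_definitions(blink PRIVATE PICO_NO_RUNTIME=1 PICO_RUNTIME_NO_INIT_BOOTROM_RESET=1 PICO_RUNTIME_NO_INIT_CLOCKS=1 PICO_TIME_DEFAULT_ALARM_POOL_DISABLED=1)`. A one-line comment saying why these init steps are skipped would help the next reader. Presumably it is because the secure bootloader has already set up clocks and the app runs non-secure, but that is inferred from the commit title and should be confirmed.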
@@ -0,0 +1,20 @@ +#include +void runtime_init_bootrom_reset(void) +{ +} + +void runtime_init_clocks(void) +{ +} + + +typedef void (*preinit_fn_t)(void); + +void runtime_init_cpasr(void) +{ + volatile uint32_t *cpasr_ns = (volatile uint32_t*) 0xE000ED88; + *cpasr_ns |= 0xFF; +} + +preinit_fn_t __attribute__((section(".nonsecure_preinit_array"))) *((*nonsecure_preinit)(void)) = + { &runtime_init_cpasr }; diff --git a/IDE/pico-sdk/rp2350/wolfboot/CMakeLists.txt b/IDE/pico-sdk/rp2350/wolfboot/CMakeLists.txt index 5cf1880ab..f661a78ab 100644 --- a/IDE/pico-sdk/rp2350/wolfboot/CMakeLists.txt +++ b/IDE/pico-sdk/rp2350/wolfboot/CMakeLists.txt @@ -35,10 +35,11 @@ add_executable(wolfboot # Add cflags target_compile_options(wolfboot PRIVATE -D__WOLFBOOT - -D__ARM_ARCH_6M__ -DWOLFSSL_USER_SETTINGS -mcpu=cortex-m33 -DCORTEX_M33 + -DTZEN + -mcmse -DWOLFSSL_SP_ASM -DWOLFSSL_SP_ARM_CORTEX_M_ASM -DWOLFSSL_ARM_ARCH=8 diff --git a/arch.mk b/arch.mk index 990cedf07..3d3e24ef9 100644 --- a/arch.mk +++ b/arch.mk @@ -228,6 +228,7 @@ ifeq ($(ARCH),ARM) WOLFBOOT_ORIGIN=0x10000000 ifeq ($(TZEN),1) LSCRIPT_IN=hal/$(TARGET).ld + CFLAGS+=-DTZEN else LSCRIPT_IN=hal/$(TARGET)-ns.ld endif diff --git a/hal/rp2350-app.ld b/hal/rp2350-app.ld index b39a3ce90..f2068ae92 100644 --- a/hal/rp2350-app.ld +++ b/hal/rp2350-app.ld @@ -23,8 +23,9 @@ MEMORY { + BOOT(rx) : ORIGIN = 0x10000000, LENGTH = 0x40400 FLASH(rx) : ORIGIN = 0x10040400, LENGTH = 0x1D0000 - RAM(rwx) : ORIGIN = 0x20008000, LENGTH = 472k + RAM(rwx) : ORIGIN = 0x20010000, LENGTH = 0x6E000 SCRATCH_X(rwx) : ORIGIN = 0x2007E000, LENGTH = 4k SCRATCH_Y(rwx) : ORIGIN = 0x2007F000, LENGTH = 4k } 
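Review bot: `*cpasr_ns |= 0xFF;` in `runtime_init_cpasr` sets only the low eight bits of the register at 0xE000ED88 (CPACR), and CPACR uses a two-bit field per coprocessor, so this grants access to CP0–CP3 only. The same mask in hal/rp2350.c (`CPACR |= 0x000000FF`) is commented as covering CP0–CP7, which would need `0x0000FFFF`; NSACR is one bit per coprocessor, so `0xFF` is correct there. The declaration of `nonsecure_preinit` is also harder to read than it needs to be: as written it declares a pointer to a function returning `preinit_fn_t *` and initialises it from a `void (*)(void)`, whereas `preinit_fn_t nonsecure_preinit[] __attribute__((section(".nonsecure_preinit_array"))) = { runtime_init_cpasr };` says what is meant. The bare `#include` at the top has lost its header name on this page; `uint32_t` needs `<stdint.h>`.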
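Review bot: The `RAM` region in the `MEMORY` block now starts at 0x20010000, but nothing in the script says why the app gives up 0x20008000–0x2000FFFF, and hal/rp2350.c in this same commit still opens non-secure RAM from 0x20008000 in the SAU. A comment such as `/* RAM starts above the range reserved for wolfBoot; keep in sync with rp2350_configure_sau() */` would tie the two together; the stated reason is a guess and needs confirming. The new `BOOT` region is declared, but no output section in the visible hunks is placed in it, so if it only documents the bootloader's flash range, say so in a comment.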
@@ -78,15 +79,16 @@ SECTIONS . = ALIGN(4); /* preinit data */ PROVIDE_HIDDEN (__preinit_array_start = .); - KEEP(*(SORT(.preinit_array.*))) - KEEP(*(.preinit_array)) + /* KEEP(*(SORT(.preinit_array.*))) */ + /* KEEP(*(.preinit_array)) */ + KEEP(*(.nonsecure_preinit_array)) PROVIDE_HIDDEN (__preinit_array_end = .); . = ALIGN(4); /* init data */ PROVIDE_HIDDEN (__init_array_start = .); - KEEP(*(SORT(.init_array.*))) - KEEP(*(.init_array)) + /* KEEP(*(SORT(.init_array.*))) */ + /* KEEP(*(.init_array)) */ PROVIDE_HIDDEN (__init_array_end = .); . = ALIGN(4); @@ -100,30 +102,8 @@ SECTIONS . = ALIGN(4); } > FLASH - /* Note the boot2 section is optional, and should be discarded if there is - no reference to it *inside* the binary, as it is not called by the - bootrom. (The bootrom performs a simple best-effort XIP setup and - leaves it to the binary to do anything more sophisticated.) However - there is still a size limit of 256 bytes, to ensure the boot2 can be - stored in boot RAM. - - Really this is a "XIP setup function" -- the name boot2 is historic and - refers to its dual-purpose on RP2040, where it also handled vectoring - from the bootrom into the user image. - */ - - .boot2 : { - __boot2_start__ = .; - *(.boot2) - __boot2_end__ = .; - } > FLASH - - ASSERT(__boot2_end__ - __boot2_start__ <= 256, - "ERROR: Pico second stage bootloader must be no more than 256 bytes in size") - .rodata : { *(EXCLUDE_FILE(*libgcc.a: *libc.a:*lib_a-mem*.o *libm.a:) .rodata*) - *(.srodata*) . = ALIGN(4); *(SORT_BY_ALIGNMENT(SORT_BY_NAME(.flashdata*))) . = ALIGN(4); @@ -174,7 +154,6 @@ SECTIONS . = ALIGN(4); *(.data*) - *(.sdata*) . = ALIGN(4); *(.after_data.*) @@ -185,6 +164,7 @@ SECTIONS KEEP(*(.mutex_array)) PROVIDE_HIDDEN (__mutex_array_end = .); + . = ALIGN(4); *(.jcr) . = ALIGN(4); } > RAM AT> FLASH 
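Review bot: Commenting out the `KEEP` lines for `.preinit_array` and `.init_array` leaves `__init_array_start` equal to `__init_array_end`, so any constructor or SDK init hook linked into the app is silently never run; only entries placed in `.nonsecure_preinit_array` are called. That looks intentional for the non-secure app, but it should be stated rather than left as dead script: delete the commented lines and add `/* Non-secure app: SDK preinit/init hooks are dropped on purpose; only .nonsecure_preinit_array runs */`. If those input sections are not matched anywhere else in the script, the linker may still emit them as orphan sections, so it is worth checking the map file to see where they end up.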
@@ -270,7 +250,8 @@ SECTIONS .flash_end : { KEEP(*(.embedded_end_block*)) PROVIDE(__flash_binary_end = .); - } > FLASH =0xaa + } > FLASH + /* stack limit is poorly named, but historically is maximum heap ptr */ __StackLimit = ORIGIN(RAM) + LENGTH(RAM); diff --git a/hal/rp2350.c b/hal/rp2350.c index 5bb745af9..77ce5cba6 100644 --- a/hal/rp2350.c +++ b/hal/rp2350.c @@ -36,6 +36,15 @@ #define SCB_VTOR_NS (*(volatile uint32_t *)(0xE002ED08)) +#define NSACR (*(volatile uint32_t *)(0xE000ED8C)) +#define CPACR (*(volatile uint32_t *)(0xE000ED88)) + +#define SHCSR (*(volatile uint32_t *)(0xE000ED24)) +#define SHCSR_MEMFAULTENA (1 << 16) +#define SHCSR_BUSFAULTENA (1 << 17) +#define SHCSR_USGFAULTENA (1 << 18) + + #define ACCESS_BITS_DBG (1 << 7) #define ACCESS_BITS_DMA (1 << 6) #define ACCESS_BITS_CORE1 (1 << 5) @@ -122,10 +131,19 @@ static void rp2350_configure_sau(void) sau_init_region(1, 0x10030000, 0x1003FFFF, 1); /* Non-secure-callable flash */ sau_init_region(2, 0x10040000, 0x101FFFFF, 0); /* Non-secure flash */ sau_init_region(3, 0x20000000, 0x20007FFF, 1); /* Secure RAM */ - sau_init_region(4, 0x20008000, 0x2007FFFF, 0); /* Non-secure RAM */ + sau_init_region(4, 0x20008000, 0x20081FFF, 0); /* Non-secure RAM */ + sau_init_region(6, 0x40000000, 0x5FFFFFFF, 0); /* Non-secure peripherals */ + sau_init_region(7, 0xD0000000, 0xDFFFFFFF, 0); /* Non-secure SIO region */ + /* Enable SAU */ SAU_CTRL = 1; + + /* Enable MemFault, BusFault and UsageFault */ + SHCSR |= SHCSR_MEMFAULTENA | SHCSR_BUSFAULTENA | SHCSR_USGFAULTENA; + + /* Add flag to trap misaligned accesses */ + *((volatile uint32_t *)0xE000ED14) |= 0x00000008; } static void rp2350_configure_nvic(void) 
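Review bot: The fault enables added after `SAU_CTRL = 1;` cover MemManage, BusFault and UsageFault but not SecureFault, so a non-secure access that violates the SAU layout configured just above escalates to HardFault and is harder to tell apart in a fault handler or log. Consider adding `#define SHCSR_SECUREFAULTENA (1 << 19)` next to the other SHCSR bits and OR-ing it in here. The write of `0x00000008` to `0xE000ED14` is a raw address and mask while the previous hunk names NSACR, CPACR and SHCSR; `CCR` and `CCR_UNALIGN_TRP` defines would match. Region 6 marks the whole 0x40000000–0x5FFFFFFF peripheral range non-secure at the SAU, which leaves ACCESSCTRL as the only barrier for the peripherals kept secure-only (TRNG, SHA256), and that deserves a comment. The body of `rp2350_configure_sau` starts above the hunk.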
@@ -142,39 +160,49 @@ static void rp2350_configure_access_control(void) { int i; /* Reset ACCESSCTRL */ - const uint32_t secure_fl = (ACCESS_BITS_SU | ACCESS_BITS_SP | ACCESS_BITS_DMA | ACCESS_BITS_DBG | ACCESS_BITS_CORE0 | ACCESS_BITS_CORE1 | ACCESS_MAGIC); - const uint32_t non_secure_fl = (ACCESS_BITS_NSU | ACCESS_BITS_NSP | ACCESS_BITS_DMA | ACCESS_BITS_DBG | ACCESS_BITS_CORE0 | ACCESS_BITS_CORE1 | ACCESS_MAGIC); + const uint32_t secure_fl = (ACCESS_BITS_SU | ACCESS_BITS_SP | ACCESS_BITS_DMA | ACCESS_BITS_DBG | ACCESS_BITS_CORE0 | ACCESS_BITS_CORE1) | ACCESS_MAGIC; + const uint32_t non_secure_fl = (ACCESS_BITS_NSU | ACCESS_BITS_NSP | ACCESS_BITS_DMA | ACCESS_BITS_DBG | ACCESS_BITS_CORE0 | ACCESS_BITS_CORE1) | ACCESS_MAGIC; + //ACCESS_CONTROL_CFGRESET = 1; /* Corresponding regions for the secure flash and RAM */ - //for(i = 0; i < 2; i++) { - // ACCESS_CONTROL_SRAM(i) = secure_fl; - //} + /* + for(i = 0; i < 2; i++) { + ACCESS_CONTROL_SRAM(i) = secure_fl; + } + */ for (i = 0; i < 10; i++) { ACCESS_CONTROL_SRAM(i) = non_secure_fl | secure_fl; } - ACCESS_CONTROL_ROM = secure_fl; + ACCESS_CONTROL_ROM = secure_fl | non_secure_fl; ACCESS_CONTROL_XIP_MAIN = non_secure_fl | secure_fl; ACCESS_CONTROL_DMA = non_secure_fl; ACCESS_CONTROL_TRNG = secure_fl; - ACCESS_CONTROL_SYSCFG = secure_fl; + ACCESS_CONTROL_SYSCFG = secure_fl | non_secure_fl; ACCESS_CONTROL_SHA256 = secure_fl; ACCESS_CONTROL_GPIOMASK0 = 0xFFFFFFFF; ACCESS_CONTROL_GPIOMASK1 = 0xFFFFFFFF; + ACCESS_CONTROL_IO_BANK0 = non_secure_fl | secure_fl; + ACCESS_CONTROL_IO_BANK1 = non_secure_fl | secure_fl; + ACCESS_CONTROL_PADS_BANK0 = non_secure_fl | secure_fl; // ACCESS_CONTROL_FORCE_CORE_NS = (1 << 1); /* Force core 1 to non-secure */ - ACCESS_CONTROL_PIO0 = non_secure_fl; - ACCESS_CONTROL_PIO1 = non_secure_fl; - ACCESS_CONTROL_PIO2 = non_secure_fl; - - ACCESS_CONTROL_I2C0 = non_secure_fl; - ACCESS_CONTROL_I2C1 = non_secure_fl; - ACCESS_CONTROL_PWM = non_secure_fl; - ACCESS_CONTROL_SPI0 = non_secure_fl; - 
ACCESS_CONTROL_SPI1 = non_secure_fl; - ACCESS_CONTROL_TIMER0 = non_secure_fl; - ACCESS_CONTROL_TIMER1 = non_secure_fl; - ACCESS_CONTROL_UART0 = non_secure_fl; - ACCESS_CONTROL_UART1 = non_secure_fl; - ACCESS_CONTROL_ADC = non_secure_fl; + ACCESS_CONTROL_PIO0 = non_secure_fl | secure_fl; + ACCESS_CONTROL_PIO1 = non_secure_fl | secure_fl; + ACCESS_CONTROL_PIO2 = non_secure_fl | secure_fl; + + ACCESS_CONTROL_I2C0 = non_secure_fl|secure_fl; + ACCESS_CONTROL_I2C1 = non_secure_fl | secure_fl; + ACCESS_CONTROL_PWM = non_secure_fl | secure_fl; + ACCESS_CONTROL_SPI0 = non_secure_fl | secure_fl; + ACCESS_CONTROL_SPI1 = non_secure_fl | secure_fl; + ACCESS_CONTROL_TIMER0 = non_secure_fl | secure_fl; + ACCESS_CONTROL_TIMER1 = non_secure_fl | secure_fl; + ACCESS_CONTROL_UART0 = non_secure_fl | secure_fl; + ACCESS_CONTROL_UART1 = non_secure_fl | secure_fl; + ACCESS_CONTROL_ADC = non_secure_fl | secure_fl; + ACCESS_CONTROL_RESETS = non_secure_fl | secure_fl; + + CPACR |= 0x000000FF; /* Enable access to coprocessors CP0-CP7 */ + NSACR |= 0x000000FF; /* Enable non-secure access to coprocessors CP0-CP7 */ // ACCESS_CONTROL_LOCK = (1 << 0) | (1 << 1) | (1 << 3); } diff --git a/src/boot_arm.c b/src/boot_arm.c index a1f2790e4..100f1e621 100644 --- a/src/boot_arm.c +++ b/src/boot_arm.c @@ -416,7 +416,8 @@ void isr_empty(void) #ifdef TZEN #include "hal.h" -#define VTOR (*(volatile uint32_t *)(0xE002ED08)) +//#define VTOR (*(volatile uint32_t *)(0xE002ED08)) +#define VTOR (*(volatile uint32_t *)(0xE000ED08)) #else #define VTOR (*(volatile uint32_t *)(0xE000ED08)) #endif
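Review bot: `ACCESS_CONTROL_SYSCFG`, `ACCESS_CONTROL_RESETS` and `ACCESS_CONTROL_ROM` now include `non_secure_fl`, and with the `ACCESS_CONTROL_LOCK` write still commented out at the end of `rp2350_configure_access_control`, the secure side's isolation depends on the non-secure image behaving. RESETS in particular looks like it would let non-secure code put blocks that stay secure-only here (TRNG, SHA256) into reset. If the test app only needs its own peripherals released, it is safer to do that from the secure side before the jump and keep RESETS and SYSCFG at `secure_fl`. At minimum add a comment marking the bring-up grants, e.g. `/* TODO: bring-up only, restrict SYSCFG/RESETS/ROM to secure_fl and enable ACCESS_CONTROL_LOCK */`. The repeated `non_secure_fl | secure_fl` would read better as one named constant, and the commented-out loop and `//ACCESS_CONTROL_CFGRESET = 1;` can be deleted.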
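Review bot: After this change both branches of the `#ifdef TZEN` in src/boot_arm.c define `VTOR` as `0xE000ED08`, so the conditional now only guards `#include "hal.h"`, and the old value survives as a commented-out line. Define `VTOR` once outside the `#ifdef` and drop the dead line, with a comment such as `/* VTOR of the current (secure) state; the non-secure alias 0xE002ED08 is handled in the HAL as SCB_VTOR_NS */`. That comment assumes hal/rp2350.c programs `SCB_VTOR_NS` before jumping to the non-secure image; only its `#define` is visible in this patch, so please confirm.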