wolfSSL · dgarske · May 8, 2026 · May 8, 2026
diff --git a/hal/stm32_tz.c b/hal/stm32_tz.c
@@ -200,6 +200,9 @@ void hal_tz_release_nonsecure_area(void)
 
 #define SET_GTZC1_MPCBBx_SECCFGR_VCTR(bank,n,val) \
     (*((volatile uint32_t *)(GTZC1_MPCBB##bank##_SECCFGR) + n )) = val
+/* PRIVCFGR_VCTR sits 0x100 after SECCFGR_VCTR in each MPCBB block. */
+#define SET_GTZC1_MPCBBx_PRIVCFGR_VCTR(bank,n,val) \
+    (*((volatile uint32_t *)(GTZC1_MPCBB##bank##_SECCFGR) + 64 + n )) = val
 
 void hal_gtzc_init(void)
 {
@@ -209,19 +212,31 @@ void hal_gtzc_init(void)
      * 0: Non-secure access only to block
      */
 
-    /* Configure SRAM1 as secure (Low 256 KB) */
+    /* Configure SRAM1 as secure (Low 256 KB).
+     * wolfBoot links its own RAM/RAM_HEAP into the SRAM1 secure alias
+     * (0x30000000-0x3003FFFF, see hal/stm32h5.ld), so SRAM1 must stay
+     * secure for wolfBoot's .bss/stack/heap to remain accessible. */
     for (i = 0; i < 16; i++) {
         SET_GTZC1_MPCBBx_SECCFGR_VCTR(1, i, 0xFFFFFFFF);
     }
 
-    /* Configure SRAM2 as secure (64 KB) */
+    /* Configure SRAM2 as non-secure (64 KB) and unprivileged.
+     * wolfBoot does not use SRAM2; ceding it to the NS application
+     * widens the NS RAM window from 320 KB (SRAM3 only) to 384 KB
+     * (SRAM2 + SRAM3). The PRIVCFGR clear is required because the
+     * H5 ETH DMA master is unprivileged; with the reset default
+     * (PRIVCFGR=0xFFFFFFFF) the DMA's descriptor/buffer reads from
+     * SRAM2 raise illegal-access (TZIC1_SR4 bit 26) and the channel
+     * suspends with TPS=6 (TBU). */
     for (i = 0; i < 4; i++) {
-        SET_GTZC1_MPCBBx_SECCFGR_VCTR(2, i, 0xFFFFFFFF);
+        SET_GTZC1_MPCBBx_SECCFGR_VCTR(2, i, 0x0);
+        SET_GTZC1_MPCBBx_PRIVCFGR_VCTR(2, i, 0x0);
     }
 
-    /* Configure SRAM3 as non-secure (320 KB) */
+    /* Configure SRAM3 as non-secure (320 KB) and unprivileged. */
     for (i = 0; i < 20; i++) {
         SET_GTZC1_MPCBBx_SECCFGR_VCTR(3, i, 0x0);
+        SET_GTZC1_MPCBBx_PRIVCFGR_VCTR(3, i, 0x0);
     }
 }
 
@@ -310,8 +325,11 @@ void hal_tz_sau_init(void)
     sau_init_region(1, WOLFBOOT_PARTITION_BOOT_ADDRESS,
             WOLFBOOT_PARTITION_BOOT_ADDRESS + WOLFBOOT_PARTITION_SIZE - 1, 0);
 
-    /* Non-secure RAM region */
-    sau_init_region(2, 0x20050000, 0x2009FFFF, 0);
+    /* Non-secure RAM region: SRAM2 (64 KB) + SRAM3 (320 KB).
+     * Lower bound widened from 0x20050000 to 0x20040000 to cover SRAM2,
+     * which hal_gtzc_init also leaves non-secure. SRAM1 (0x20000000-
+     * 0x2003FFFF) stays secure for wolfBoot's own RAM/heap. */
+    sau_init_region(2, 0x20040000, 0x2009FFFF, 0);
 
     /* Non-secure: internal peripherals */
     sau_init_region(3, 0x40000000, 0x4FFFFFFF, 0);

diff --git a/hal/stm32h5.c b/hal/stm32h5.c
@@ -642,6 +642,23 @@ static void periph_unsecure(void)
     nvic_reg_off = NVIC_USART3_IRQ % 32;
     nvic_itns = ((volatile uint32_t *)(NVIC_ITNS_BASE + 4 * nvic_reg_pos));
     *nvic_itns |= (1 << nvic_reg_off);
+
+    /* H5 product state with TZEN=1 defaults every GPIO pin to secure
+     * via GPIOx_SECCFGR (offset 0x30 in each GPIO block, all 16 bits
+     * = 0xFFFF at reset). Until those bits are cleared, NS code can't
+     * read or write the pin's MODER/AFR/ODR, and the corresponding
+     * clock-enable bit in RCC_AHB2ENR is masked from the NS side.
+     *
+     * Clear SECCFGR for every pin on the ports the wolfIP NS app uses
+     * (RMII + USART3 + LED), then enable GPIOG's clock (the existing
+     * code only covered A/B/C/D). PD8 (USART3 TX) is already cleared
+     * above, but covering all of GPIOD is harmless. */
+    GPIO_SECCFGR(GPIOA_BASE) = 0u;
+    GPIO_SECCFGR(GPIOB_BASE) = 0u;
+    GPIO_SECCFGR(GPIOC_BASE) = 0u;
+    GPIO_SECCFGR(GPIOD_BASE) = 0u;
+    GPIO_SECCFGR(GPIOG_BASE) = 0u;
+    RCC_AHB2_CLOCK_ER |= GPIOG_AHB2_CLOCK_ER;
 }
 #endif /* TZ_SECURE() */