Fixes to support botting image on QSPI NOR flash from boot ROM (existing code was only loading to SRAM)

dgarske · dgarske · commit 6585a0b2c8ba · 2026-03-18T16:57:46.000-07:00
diff --git a/arch.mk b/arch.mk
@@ -274,11 +274,10 @@ ifeq ($(ARCH),ARM)
     CORTEX_M55=1
     CFLAGS+=-Ihal
     ARCH_FLASH_OFFSET=0x70000000
-    ifeq ($(TZEN),1)
-      WOLFBOOT_ORIGIN=0x24000000
-    else
-      WOLFBOOT_ORIGIN=0x34000000
-    endif
+    # Boot ROM copies FSBL from NOR to AXISRAM2 at 0x34180400.
+    # Use the same address for both TZEN=0 and TZEN=1 since the Boot ROM
+    # always uses the non-secure alias. SAU is configured in hal_init().
+    WOLFBOOT_ORIGIN=0x34180400
     EXT_FLASH=1
     PART_UPDATE_EXT=1
     PART_SWAP_EXT=1
diff --git a/docs/Targets.md b/docs/Targets.md
@@ -1839,13 +1839,13 @@ XSPI2 NOR Flash (memory-mapped at 0x70000000):
   0x70020000  Boot partition (1MB, app runs from here via XIP)
   0x70120000  Update partition (1MB, device-relative: 0x00120000)
 
-AXISRAM — without TrustZone (non-secure alias):
-  0x34000000  wolfBoot (loaded to SRAM via SWD or Boot ROM FSBL copy)
-  0x34020000  Stack / work area
+AXISRAM2 — without TrustZone (non-secure alias):
+  0x34180400  wolfBoot FSBL (Boot ROM copies from NOR to here)
+  0x341A0400  Stack top (128KB above origin)
 
-AXISRAM — with TrustZone (TZEN=1, secure alias):
-  0x24000000  wolfBoot (secure SRAM — IDAU marks 0x24xxxxxx as secure)
-  0x24020000  Stack / work area (secure)
+AXISRAM2 — with TrustZone (TZEN=1, secure alias):
+  0x24180400  wolfBoot FSBL (secure — IDAU marks 0x24xxxxxx as secure)
+  0x241A0400  Stack top (secure)
   0x34000000  Application SRAM (SAU region: non-secure)
 ```
 
@@ -1866,14 +1866,65 @@ make flash
 ```
 
 `make flash` uses OpenOCD with the stmqspi driver to:
-1. Program the signed application to NOR flash at 0x70020000
-2. Load wolfBoot to SRAM (0x24000000 for TZEN=1, 0x34000000 otherwise)
-3. Start wolfBoot, which verifies and boots the application via XIP
+1. Generate a Boot ROM FSBL header using `STM32_SigningTool_CLI` and program
+   `wolfboot-trusted.bin` to NOR flash at 0x70000000 (for autonomous boot on reset)
+2. Load wolfBoot directly to SRAM for immediate execution
+3. Program the signed application to NOR flash at 0x70020000
+4. Start wolfBoot, which verifies and boots the application via XIP
+
+The Boot ROM copies the FSBL from NOR flash to AXISRAM2 at `0x34180400`.
+wolfBoot is linked at this address so it runs correctly after both
+OpenOCD-initiated and reset-initiated boots.
 
 Prerequisites:
-- OpenOCD 0.12+ with stm32n6x target support (build from source if needed)
+- OpenOCD 0.12+ with stm32n6x target support (build from
+  [openocd-org/openocd](https://github.com/openocd-org/openocd) if needed)
+- `STM32_SigningTool_CLI` (included with STM32CubeIDE) for Boot ROM FSBL header
+  generation. The flash script auto-detects the tool location. Without it,
+  wolfBoot is loaded to SRAM only (no autonomous boot on reset).
 - ST-Link connected to the Nucleo board
 - arm-none-eabi toolchain in PATH
+- OTP fuse VDDIO3_HSLV programmed (see [OTP Configuration](#otp-configuration)
+  below)
+
+### OTP Configuration (One-Time)
+
+The STM32N6 Boot ROM requires OTP fuse configuration to boot from external
+XSPI2 NOR flash. This is a **one-time permanent** operation.
+
+**OTP Word 124** (BSEC_HW_CONFIG) — set bit 15:
+
+| Bit | Name | Value | Description |
+|-----|------|-------|-------------|
+| 15 | VDDIO3_HSLV | 1 | Enable XSPI2 I/O high-speed low-voltage mode |
+
+**Using STM32CubeProgrammer (GUI):**
+
+1. Connect to the board via SWD (JP2/BOOT1 in position 2-3 for development mode)
+2. Select **OTP** in the left menu
+3. Find word 124 and set value to `0x00008000`
+4. Click **Program**
+
+**Using STM32_Programmer_CLI:**
+
+```sh
+STM32_Programmer_CLI -c port=SWD ap=1 \
+    -el <path>/OTP_FUSES_STM32N6xx.stldr \
+    -otp write word=124 value=0x00008000
+```
+
+### Boot Mode Switches (JP1/JP2)
+
+The NUCLEO-N657X0-Q has two boot mode jumpers:
+
+| Mode | JP1 (BOOT0) | JP2 (BOOT1) | Description |
+|------|-------------|-------------|-------------|
+| Development | don't care | 2-3 | Boot ROM waits for debugger (OpenOCD/SWD) |
+| External flash | 1-2 | 1-2 | Boot ROM loads FSBL from XSPI2 NOR flash |
+
+For development, use JP2=2-3 to flash via OpenOCD. After flashing, switch
+both JP1 and JP2 to position 1-2 and press reset for autonomous boot from
+NOR flash.
 
 ### Build Options
 
diff --git a/tools/scripts/stm32n6_flash.sh b/tools/scripts/stm32n6_flash.sh
@@ -44,15 +44,14 @@ OPENOCD_CFG="${WOLFBOOT_ROOT}/config/openocd/openocd_stm32n6.cfg"
 BOOT_ADDR=0x70020000
 UPDATE_ADDR=0x70120000
 
-# Determine SRAM load address from TZEN config
-TZEN_CHECK=$(grep -E '^TZEN\?*=' "${WOLFBOOT_ROOT}/.config" 2>/dev/null | head -1 | sed 's/.*=//;s/[[:space:]]//g')
-if [ "$TZEN_CHECK" = "1" ]; then
-    SRAM_ADDR=0x24000000
-    SRAM_WORK=0x24020000
-else
-    SRAM_ADDR=0x34000000
-    SRAM_WORK=0x34020000
-fi
+# Boot ROM always copies FSBL to AXISRAM2 at this address
+SRAM_ADDR=0x34180400
+
+# STM32_SigningTool_CLI for Boot ROM FSBL header (use latest version)
+SIGN_TOOL=""
+for d in $(ls -rd /opt/st/stm32cubeide_*/plugins/com.st.stm32cube.ide.mcu.externaltools.cubeprogrammer.*/tools/bin 2>/dev/null); do
+    [ -x "$d/STM32_SigningTool_CLI" ] && SIGN_TOOL="$d/STM32_SigningTool_CLI" && break
+done
 
 check_tool() {
     command -v "$1" &>/dev/null || { echo -e "${RED}Error: $1 not found${NC}"; exit 1; }
@@ -109,6 +108,20 @@ sleep 1
 OPENOCD_CMDS="reset init; "
 
 if [ $APP_ONLY -eq 0 ]; then
+    # Generate Boot ROM FSBL header using STM32_SigningTool_CLI
+    if [ -n "$SIGN_TOOL" ]; then
+        TRUSTED_BIN="${WOLFBOOT_ROOT}/wolfboot-trusted.bin"
+        chmod u+w "${TRUSTED_BIN}" 2>/dev/null; rm -f "${TRUSTED_BIN}"
+        echo -e "${CYAN}  Generating FSBL header (STM32_SigningTool_CLI)...${NC}"
+        "$SIGN_TOOL" -bin "${WOLFBOOT_ROOT}/wolfboot.bin" -nk -of 0x80000000 -t fsbl -hv 2.3 -align -la ${SRAM_ADDR} -ep ${SRAM_ADDR} -o "${TRUSTED_BIN}" || true
+        [ -f "${TRUSTED_BIN}" ] || { echo -e "${RED}Failed to generate trusted binary${NC}"; exit 1; }
+        echo -e "${CYAN}  wolfboot-trusted.bin -> NOR 0x70000000${NC}"
+        OPENOCD_CMDS+="flash write_image erase ${TRUSTED_BIN} 0x70000000; "
+    else
+        echo -e "${YELLOW}  STM32_SigningTool_CLI not found, loading wolfBoot to SRAM only${NC}"
+    fi
+
+    # Also load wolfBoot directly to SRAM for immediate execution
     echo -e "${CYAN}  wolfboot.bin -> SRAM ${SRAM_ADDR}${NC}"
     OPENOCD_CMDS+="load_image ${WOLFBOOT_ROOT}/wolfboot.bin ${SRAM_ADDR} bin; "
 fi
@@ -130,7 +143,7 @@ if [ $TEST_UPDATE -eq 1 ]; then
     OPENOCD_CMDS+="flash write_image /tmp/trigger_magic.bin ${TRIGGER_ADDR}; "
 fi
 
-# Boot wolfBoot from SRAM (reset would clear SRAM, so we jump directly)
+# Boot wolfBoot from SRAM (also loaded to NOR for reset persistence)
 if [ $APP_ONLY -eq 0 ]; then
     # Extract initial SP (word 0) and entry point (word 1) from vector table
     INIT_SP=$(od -A n -t x4 -N 4 "${WOLFBOOT_ROOT}/wolfboot.bin" | awk '{print "0x"$1}')
