Skip to content

Add Raspberry Pi Compute Module 4 (BCM2711) target#824

Open
dgarske wants to merge 2 commits into
wolfSSL:masterfrom
dgarske:cm4_bcm2711
Open

Add Raspberry Pi Compute Module 4 (BCM2711) target#824
dgarske wants to merge 2 commits into
wolfSSL:masterfrom
dgarske:cm4_bcm2711

Conversation

@dgarske

@dgarske dgarske commented Jul 10, 2026

Copy link
Copy Markdown
Member

Add Raspberry Pi Compute Module 4 (BCM2711) target + wolfCrypt FIPS 140-3

Summary

Adds a wolfBoot target for the Raspberry Pi Compute Module 4 (CM4) - Broadcom BCM2711, quad-core Cortex-A72 (AArch64). wolfBoot replaces the second-stage OS loader (e.g. U-Boot): the VideoCore firmware loads wolfBoot as kernel8.img, and wolfBoot verifies the signed application image before booting it, extending the platform root of trust into the OS. It can optionally perform that verification with the wolfCrypt FIPS 140-3 module.

CM4 target and authenticated boot

  • New cm4 HAL (hal/cm4.c/.h/.ld) for BCM2711: PL011 UART console at the BCM2711 MMIO base (0xFE000000), RAM-boot image handoff, and a fixed load map matching the firmware's 0x80000 entry.
  • Cortex-A72 build support in arch.mk (-mcpu=cortex-a72+crypto, -mstrict-align for MMU-off operation).
  • Example config config/examples/cm4.config (RAM boot, SIGN=ECC384 HASH=SHA384).

Root of trust:

BCM2711 boot ROM -> SPI EEPROM -> VideoCore firmware -> wolfBoot (kernel8.img)
   -> verify (ECDSA P-384 / SHA-384) -> application

eMMC / SD A/B updates

  • config/examples/cm4_sdcard.config drives the BCM2711 EMMC2 controller (0xFE340000) through the generic SDHCI driver for A/B image partitions on the boot medium. Bring-up scaffolding, not yet hardware-validated.

wolfCrypt FIPS 140-3

  • FIPS=1 build option (options.mk) that rebuilds the wolfcrypt object list as the validated module boundary in link order (wolfcrypt_first ... fips/fips_test ... wolfcrypt_last), pointing WOLFBOOT_LIB_WOLFSSL at a FIPS wolfSSL tree.
  • include/user_settings.h FIPS gate: enables the module's algorithm set, keeps the RNG/DRBG enabled, and provides a DRBG entropy seed (/dev/urandom on sim, BCM2711 RNG200 hardware TRNG on CM4).
  • src/loader.c runs the power-on self-test at boot (fipsEntry, since bare-metal has no .init_array) and refuses to boot unless the module is operational; on a self-test failure it prints the runtime in-core hash to seal into verifyCore[].
  • Configs config/examples/sim-fips.config and config/examples/cm4-fips.config.

Documentation

  • docs/Targets.md: CM4 section covering build, signing, config.txt, flashing (microSD / eMMC via rpiboot), and boot output.
  • docs/FIPS.md: building with FIPS, DRBG entropy, in-core hash sealing, and bare-metal notes.

Testing

  • Builds clean with both aarch64-none-elf- and aarch64-linux-gnu-.
  • Signing + verify/update state machine validated on the native sim target with SIGN=ECC384 HASH=SHA384.
  • Authenticated boot validated end-to-end on real CM4 hardware (BCM2711, eMMC, CM4-IO-BASE-B): the firmware loads wolfBoot, which verifies an ECDSA-P384/SHA-384 signed payload and boots it:
wolfBoot CM4 (BCM2711 Cortex-A72) hal_init, EL2
Trying partition 0 at 0x140000
Checking integrity...done
Verifying signature...done
Firmware Valid
Booting at 0x3080000
  • FIPS 140-3 on the simulator: fully validated - sim-fips.config builds, the module reaches operational state (in-core integrity + POST/CASTs pass), and wolfBoot performs FIPS-backed integrity + signature verification and A/B updates.
  • FIPS 140-3 on CM4 hardware: work in progress - the aarch64 FIPS build cross-compiles and flashes; on-target the module POST currently stalls during the in-core check. Does not affect the non-FIPS CM4 target or the sim FIPS path.

Notes

  • FIPS requires a licensed/validated (or FIPS-ready) wolfSSL tree; see docs/FIPS.md.

@dgarske dgarske self-assigned this Jul 10, 2026
Copilot AI review requested due to automatic review settings July 10, 2026 16:24

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new wolfBoot target for the Raspberry Pi Compute Module 4 (BCM2711 / Cortex-A72), including a dedicated HAL, linker script, build flags, example configs, and target documentation to support firmware-loading wolfBoot as kernel8.img and verifying a signed RAM-boot payload.

Changes:

  • Introduces a CM4 HAL (hal/cm4.c/.h/.ld) with PL011 UART console support, RAM-boot partition addresses, and optional SDHCI (eMMC/SD) glue.
  • Extends AArch64 build configuration for TARGET=cm4 with Cortex-A72+crypto flags and ensures the startup path includes the CM4 HAL header.
  • Adds CM4 example configs and a new documentation section describing build/sign/flash/boot flow.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
test-app/app_cm4.c Adds a CM4-specific minimal bare-metal test application entry point.
src/boot_aarch64_start.S Includes the CM4 HAL header when building for TARGET_cm4.
Makefile Declares wolfboot.bin as the primary build artifact for TARGET=cm4.
hal/cm4.ld Adds a CM4 linker script aligned to the firmware load address and fixed partition map.
hal/cm4.h Defines CM4 target startup macros and BCM2711 MMIO base.
hal/cm4.c Implements the CM4 HAL (UART + RAM boot addresses + optional SDHCI platform glue).
docs/Targets.md Documents CM4 build/sign/flash steps and expected boot output.
config/examples/cm4.config Provides a RAM-boot CM4 example configuration (ECC384/SHA384).
config/examples/cm4_sdcard.config Provides an (unvalidated) disk-updater CM4 configuration scaffold for eMMC/SD A/B.
arch.mk Adds Cortex-A72+crypto compiler flags for TARGET=cm4 and enables ARMv8 crypto ASM path.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docs/Targets.md Outdated
Comment thread hal/cm4.c Outdated
@dgarske dgarske marked this pull request as ready for review July 11, 2026 00:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants