From ed15e3aee6dad95e3b173c598471970b2a0dc3ab Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Thu, 19 Mar 2026 23:41:49 +0100 Subject: [PATCH 01/19] Fix embedded images built with the clang compiler --- arch.mk | 5 ++++- test-app/Makefile | 14 +++++++++++--- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/arch.mk b/arch.mk index 74663afa57..40e60258d8 100644 --- a/arch.mk +++ b/arch.mk @@ -1288,7 +1288,9 @@ ifeq ($(USE_CLANG),1) CLANG_NEWLIB_INCLUDE?=$(abspath $(dir $(CLANG_LIBC_A))/../include) CC=$(CLANG_DRIVER) - LD=$(CLANG_DRIVER) + # Keep clang for compilation, but use the GNU linker driver so linker-script + # LMAs for RAM sections are preserved and objcopy does not emit sparse images. + LD=$(CLANG_GCC_NAME) AS=$(CLANG_DRIVER) AR=$(CROSS_COMPILE)ar OBJCOPY?=$(CROSS_COMPILE)objcopy @@ -1296,6 +1298,7 @@ ifeq ($(USE_CLANG),1) CFLAGS+=-isystem $(CLANG_NEWLIB_INCLUDE) CFLAGS+=-DWOLFSSL_NO_ATOMIC -DWOLFSSL_NO_ATOMICS + CFLAGS+=-Wno-unknown-attributes -Wno-error=unknown-attributes LDFLAGS+=-nostdlib endif diff --git a/test-app/Makefile b/test-app/Makefile index 3a58795173..7697e90b97 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -102,6 +102,14 @@ LDFLAGS+=-T $(LSCRIPT) -Wl,-gc-sections -Wl,-Map=image.map -nostartfiles # Setup default objcopy flags OBJCOPY_FLAGS+=--gap-fill $(FILL_BYTE) +OBJCOPY_IMAGE_FLAGS:= + +ifeq ($(USE_CLANG),1) + # Clang-built ARM ELFs can keep RAM sections as loadable segments, and raw + # objcopy output then expands the flash-to-RAM gap into a huge sparse image. + # The app image only needs the flash-backed output sections. + OBJCOPY_IMAGE_FLAGS+=-j .text -j .edidx +endif ifeq ($(DEBUG_UART),1) CFLAGS+=-DDEBUG_UART @@ -913,15 +921,15 @@ delta-extra-data:LDFLAGS=-Wl,-Map=image.map image.bin: image.elf @echo "\t[BIN] $@" - $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) -O binary $^ $@ + $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_IMAGE_FLAGS) -O binary $^ $@ image.hex: image.elf @echo "\t[HEX] $@" - $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) -O ihex $^ $@ + $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_IMAGE_FLAGS) -O ihex $^ $@ image.srec: image.elf @echo "\t[SREC] $@" - $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) -O srec $^ $@ + $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_IMAGE_FLAGS) -O srec $^ $@ APP_OBJS := $(patsubst $(WOLFBOOT_LIB_WOLFSSL)/%, \ $(WOLFSSL_LOCAL_OBJDIR)/%, $(APP_OBJS)) From 6082543e5ebc09aaf9b69f44c7f65a36b8b3b747 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 23 Mar 2026 17:25:17 +0100 Subject: [PATCH 02/19] Added explicit discard list for clang compiler --- arch.mk | 2 ++ hal/clang-discard.ld | 14 ++++++++++++++ hal/stm32l4.ld | 1 + test-app/Makefile | 1 + 4 files changed, 18 insertions(+) create mode 100644 hal/clang-discard.ld diff --git a/arch.mk b/arch.mk index 40e60258d8..e90c06f91b 100644 --- a/arch.mk +++ b/arch.mk @@ -1299,7 +1299,9 @@ ifeq ($(USE_CLANG),1) CFLAGS+=-isystem $(CLANG_NEWLIB_INCLUDE) CFLAGS+=-DWOLFSSL_NO_ATOMIC -DWOLFSSL_NO_ATOMICS CFLAGS+=-Wno-unknown-attributes -Wno-error=unknown-attributes + CFLAGS+=-fno-unwind-tables -fno-asynchronous-unwind-tables LDFLAGS+=-nostdlib + LSCRIPT_FLAGS+=-T hal/clang-discard.ld endif ifeq ($(USE_GCC),1) diff --git a/hal/clang-discard.ld b/hal/clang-discard.ld new file mode 100644 index 0000000000..1217dddbc5 --- /dev/null +++ b/hal/clang-discard.ld @@ -0,0 +1,14 @@ +SECTIONS +{ + /DISCARD/ : + { + *(.ARM.extab* .gnu.linkonce.armextab.*) + *(.eh_frame* .gcc_except_table*) + *(.preinit_array*) + *(.init_array*) + *(.fini_array*) + *(.ctors*) + *(.dtors*) + *(.jcr*) + } +} diff --git a/hal/stm32l4.ld b/hal/stm32l4.ld index 822f01174d..933985c17e 100644 --- a/hal/stm32l4.ld +++ b/hal/stm32l4.ld @@ -15,6 +15,7 @@ SECTIONS . = ALIGN(4); _end_text = .; } > FLASH + .edidx : { . = ALIGN(4); diff --git a/test-app/Makefile b/test-app/Makefile index 7697e90b97..6d865e3fe3 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -109,6 +109,7 @@ ifeq ($(USE_CLANG),1) # objcopy output then expands the flash-to-RAM gap into a huge sparse image. # The app image only needs the flash-backed output sections. OBJCOPY_IMAGE_FLAGS+=-j .text -j .edidx + LDFLAGS+=-T ../hal/clang-discard.ld endif ifeq ($(DEBUG_UART),1) From cd556ce7e64fa307cfa366634ad1a75c349438e9 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 23 Mar 2026 17:33:56 +0100 Subject: [PATCH 03/19] Added clang pass for arm build tests --- .github/workflows/test-build.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index 1553e96c87..bc3b46150d 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -30,6 +30,11 @@ jobs: - name: Trust workspace run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Install Clang + if: inputs.arch == 'arm' || inputs.arch == 'ARM' + run: | + sudo apt-get install -y clang + - name: make clean run: | make distclean @@ -45,3 +50,11 @@ jobs: - name: Build wolfboot run: | make ${{inputs.make-args}} + + - name: Rebuild wolfboot with Clang + if: inputs.arch == 'arm' || inputs.arch == 'ARM' + run: | + make distclean + cp ${{inputs.config-file}} .config + make -C tools/keytools && make -C tools/bin-assemble + make USE_CLANG=1 USE_GCC=0 ${{inputs.make-args}} From f6ec4765c64bc3b3b1ed442d9c8ddda9cf2372a6 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 23 Mar 2026 18:33:46 +0100 Subject: [PATCH 04/19] Discard volatile sections during app objcopy when compiling with clang --- Makefile | 9 ++++++++- test-app/Makefile | 6 +++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index a5a81c18b5..09f5505728 100644 --- a/Makefile +++ b/Makefile @@ -25,6 +25,7 @@ DEBUG_UART?=0 LIBS= SIGN_ALG= OBJCOPY_FLAGS= +OBJCOPY_BIN_FLAGS= BIG_ENDIAN?=0 USE_CLANG?=0 ifeq ($(USE_CLANG),1) @@ -197,6 +198,12 @@ ifeq ($(USE_GCC_HEADLESS),1) LSCRIPT_FLAGS+=-T $(LSCRIPT) OBJCOPY_FLAGS+=--gap-fill $(FILL_BYTE) endif + +ifeq ($(USE_CLANG),1) + ifeq ($(ARCH),ARM) + OBJCOPY_BIN_FLAGS+=-j .text -j .ramcode -j .keystore -j .edidx -j .gnu.sgstubs + endif +endif ifeq ($(TARGET),ti_hercules) LSCRIPT_FLAGS+=--run_linker $(LSCRIPT) endif @@ -326,7 +333,7 @@ wolfboot.efi: wolfboot.elf wolfboot.bin: wolfboot.elf @echo "\t[BIN] $@" - $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) -O binary $^ $@ + $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_BIN_FLAGS) -O binary $^ $@ @echo @echo "\t[SIZE]" $(Q)$(SIZE) wolfboot.elf diff --git a/test-app/Makefile b/test-app/Makefile index 6d865e3fe3..11a8900da7 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -88,7 +88,7 @@ endif include ../arch.mk ifeq ($(USE_CLANG),1) - APP_OBJS+=../src/string.o + APP_NEEDS_STRING:=1 endif # Optional alias for clearer TZ PSA selection in app builds. @@ -114,6 +114,10 @@ endif ifeq ($(DEBUG_UART),1) CFLAGS+=-DDEBUG_UART + APP_NEEDS_STRING:=1 +endif + +ifeq ($(APP_NEEDS_STRING),1) APP_OBJS+=../src/string.o endif From f7b2e5a2794c4aea5b8df4144953dd12ab61d04a Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 23 Mar 2026 19:09:42 +0100 Subject: [PATCH 05/19] Fix stdlib in clang, limit test to a few targets --- .github/workflows/test-build.yml | 24 ++++++++++++++++++++++-- arch.mk | 1 - test-app/Makefile | 5 ++++- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index bc3b46150d..f7e9744390 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -31,7 +31,17 @@ jobs: run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Install Clang - if: inputs.arch == 'arm' || inputs.arch == 'ARM' + if: | + inputs.config-file == './config/examples/stm32c0.config' || + inputs.config-file == './config/examples/stm32c0-rsa2048.config' || + inputs.config-file == './config/examples/stm32h5.config' || + inputs.config-file == './config/examples/stm32h5-dualbank.config' || + inputs.config-file == './config/examples/stm32h7.config' || + inputs.config-file == './config/examples/stm32h7-octospi.config' || + inputs.config-file == './config/examples/stm32u5.config' || + inputs.config-file == './config/examples/stm32u5-wolfcrypt-tz.config' || + inputs.config-file == './config/examples/stm32u5-nonsecure-dualbank.config' || + inputs.config-file == 'config/examples/stm32n567.config' run: | sudo apt-get install -y clang @@ -52,7 +62,17 @@ jobs: make ${{inputs.make-args}} - name: Rebuild wolfboot with Clang - if: inputs.arch == 'arm' || inputs.arch == 'ARM' + if: | + inputs.config-file == './config/examples/stm32c0.config' || + inputs.config-file == './config/examples/stm32c0-rsa2048.config' || + inputs.config-file == './config/examples/stm32h5.config' || + inputs.config-file == './config/examples/stm32h5-dualbank.config' || + inputs.config-file == './config/examples/stm32h7.config' || + inputs.config-file == './config/examples/stm32h7-octospi.config' || + inputs.config-file == './config/examples/stm32u5.config' || + inputs.config-file == './config/examples/stm32u5-wolfcrypt-tz.config' || + inputs.config-file == './config/examples/stm32u5-nonsecure-dualbank.config' || + inputs.config-file == 'config/examples/stm32n567.config' run: | make distclean cp ${{inputs.config-file}} .config diff --git a/arch.mk b/arch.mk index e90c06f91b..75603949cb 100644 --- a/arch.mk +++ b/arch.mk @@ -1300,7 +1300,6 @@ ifeq ($(USE_CLANG),1) CFLAGS+=-DWOLFSSL_NO_ATOMIC -DWOLFSSL_NO_ATOMICS CFLAGS+=-Wno-unknown-attributes -Wno-error=unknown-attributes CFLAGS+=-fno-unwind-tables -fno-asynchronous-unwind-tables - LDFLAGS+=-nostdlib LSCRIPT_FLAGS+=-T hal/clang-discard.ld endif diff --git a/test-app/Makefile b/test-app/Makefile index 11a8900da7..bbefb6cee2 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -305,7 +305,10 @@ ifeq ($(TZEN),1) WOLFCRYPT_APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o endif endif - CFLAGS+=-DWOLFBOOT_SECURE_CALLS -Wstack-usage=19184 + CFLAGS+=-DWOLFBOOT_SECURE_CALLS + ifneq ($(USE_CLANG),1) + CFLAGS+=-Wstack-usage=19184 + endif LDFLAGS+=--specs=nosys.specs -u _printf_float endif ifeq ($(WOLFCRYPT_TZ_PSA),1) From 9982734c553f4be2ad59389578684f9079e5a377 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 23 Mar 2026 19:41:33 +0100 Subject: [PATCH 06/19] Exclude stm32c0 (too small for clang) and stm32h5 (no ARMORED support) --- .github/workflows/test-build.yml | 8 -------- arch.mk | 2 +- options.mk | 3 +++ test-app/Makefile | 5 ++--- 4 files changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index f7e9744390..b447cb30ab 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -32,10 +32,6 @@ jobs: - name: Install Clang if: | - inputs.config-file == './config/examples/stm32c0.config' || - inputs.config-file == './config/examples/stm32c0-rsa2048.config' || - inputs.config-file == './config/examples/stm32h5.config' || - inputs.config-file == './config/examples/stm32h5-dualbank.config' || inputs.config-file == './config/examples/stm32h7.config' || inputs.config-file == './config/examples/stm32h7-octospi.config' || inputs.config-file == './config/examples/stm32u5.config' || @@ -63,10 +59,6 @@ jobs: - name: Rebuild wolfboot with Clang if: | - inputs.config-file == './config/examples/stm32c0.config' || - inputs.config-file == './config/examples/stm32c0-rsa2048.config' || - inputs.config-file == './config/examples/stm32h5.config' || - inputs.config-file == './config/examples/stm32h5-dualbank.config' || inputs.config-file == './config/examples/stm32h7.config' || inputs.config-file == './config/examples/stm32h7-octospi.config' || inputs.config-file == './config/examples/stm32u5.config' || diff --git a/arch.mk b/arch.mk index 75603949cb..d884458fd8 100644 --- a/arch.mk +++ b/arch.mk @@ -1300,7 +1300,7 @@ ifeq ($(USE_CLANG),1) CFLAGS+=-DWOLFSSL_NO_ATOMIC -DWOLFSSL_NO_ATOMICS CFLAGS+=-Wno-unknown-attributes -Wno-error=unknown-attributes CFLAGS+=-fno-unwind-tables -fno-asynchronous-unwind-tables - LSCRIPT_FLAGS+=-T hal/clang-discard.ld + LSCRIPT_FLAGS+=-T $(abspath $(WOLFBOOT_ROOT)/hal/clang-discard.ld) endif ifeq ($(USE_GCC),1) diff --git a/options.mk b/options.mk index ff8df2c4ad..bf32d11863 100644 --- a/options.mk +++ b/options.mk @@ -12,6 +12,9 @@ ifeq ($(USE_CLANG),1) ifeq ($(USE_GCC),1) $(error USE_CLANG=1 is incompatible with USE_GCC=1; set USE_GCC=0) endif + ifeq ($(ARMORED),1) + $(error USE_CLANG=1 requires ARMORED=0) + endif endif # Support for Built-in ROT into OTP flash memory diff --git a/test-app/Makefile b/test-app/Makefile index bbefb6cee2..be2dc7bd96 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -109,7 +109,6 @@ ifeq ($(USE_CLANG),1) # objcopy output then expands the flash-to-RAM gap into a huge sparse image. # The app image only needs the flash-backed output sections. OBJCOPY_IMAGE_FLAGS+=-j .text -j .edidx - LDFLAGS+=-T ../hal/clang-discard.ld endif ifeq ($(DEBUG_UART),1) @@ -947,7 +946,7 @@ ifeq ($(ELF_FLASH_SCATTER),1) SQUASHELF_TOOL = ../tools/squashelf/squashelf image-orig.elf: $(APP_OBJS) $(LSCRIPT) @echo "\t[LD] $@" - $(Q)$(LD) $(LDFLAGS) $(APP_OBJS) $(LIBS) $(OUTPUT_FLAG) $@ + $(Q)$(LD) $(LDFLAGS) $(LSCRIPT_FLAGS) $(APP_OBJS) $(LIBS) $(OUTPUT_FLAG) $@ image.elf: image-orig.elf @echo "\t[SQUASHELF] $@" @@ -956,7 +955,7 @@ else # Default behavior when ELF_FLASH_SCATTER is not set image.elf: $(APP_OBJS) $(LSCRIPT) @echo "\t[LD] $@" - $(Q)$(LD) $(LDFLAGS) $(APP_OBJS) $(LIBS) $(OUTPUT_FLAG) $@ + $(Q)$(LD) $(LDFLAGS) $(LSCRIPT_FLAGS) $(APP_OBJS) $(LIBS) $(OUTPUT_FLAG) $@ endif standalone: image.bin From 8583a87c96c661b8d41c9a9942a50e78c2863a09 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 23 Mar 2026 19:44:43 +0100 Subject: [PATCH 07/19] Concentrate flags for clang in arch.mk --- Makefile | 2 +- arch.mk | 6 ++++++ test-app/Makefile | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 09f5505728..41b6876ef0 100644 --- a/Makefile +++ b/Makefile @@ -201,7 +201,7 @@ endif ifeq ($(USE_CLANG),1) ifeq ($(ARCH),ARM) - OBJCOPY_BIN_FLAGS+=-j .text -j .ramcode -j .keystore -j .edidx -j .gnu.sgstubs + OBJCOPY_BIN_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BOOT) endif endif ifeq ($(TARGET),ti_hercules) diff --git a/arch.mk b/arch.mk index d884458fd8..e8fbf8ec57 100644 --- a/arch.mk +++ b/arch.mk @@ -1301,6 +1301,12 @@ ifeq ($(USE_CLANG),1) CFLAGS+=-Wno-unknown-attributes -Wno-error=unknown-attributes CFLAGS+=-fno-unwind-tables -fno-asynchronous-unwind-tables LSCRIPT_FLAGS+=-T $(abspath $(WOLFBOOT_ROOT)/hal/clang-discard.ld) + # Keep Clang-specific raw-image section selection in one place. Both the + # bootloader and test-app need flash-backed sections only, but the bootloader + # has a few extra output sections that must be preserved. + CLANG_ARM_OBJCOPY_FLASH_FLAGS_BASE:=-j .text -j .edidx + CLANG_ARM_OBJCOPY_FLASH_FLAGS_BOOT:=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BASE) -j .ramcode -j .keystore -j .gnu.sgstubs + CLANG_ARM_OBJCOPY_FLASH_FLAGS_APP:=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BASE) endif ifeq ($(USE_GCC),1) diff --git a/test-app/Makefile b/test-app/Makefile index be2dc7bd96..a81069bc5c 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -108,7 +108,7 @@ ifeq ($(USE_CLANG),1) # Clang-built ARM ELFs can keep RAM sections as loadable segments, and raw # objcopy output then expands the flash-to-RAM gap into a huge sparse image. # The app image only needs the flash-backed output sections. - OBJCOPY_IMAGE_FLAGS+=-j .text -j .edidx + OBJCOPY_IMAGE_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_APP) endif ifeq ($(DEBUG_UART),1) From bcd4d8b9e61841387fc20d0924a06bfb555e4847 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 24 Mar 2026 10:24:51 +0100 Subject: [PATCH 08/19] Fixed Clang sections in TZEN images --- Makefile | 22 +++++++++++++++++++--- arch.mk | 6 +++--- test-app/Makefile | 4 +++- 3 files changed, 25 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 41b6876ef0..a287aa98b6 100644 --- a/Makefile +++ b/Makefile @@ -199,9 +199,11 @@ ifeq ($(USE_GCC_HEADLESS),1) OBJCOPY_FLAGS+=--gap-fill $(FILL_BYTE) endif -ifeq ($(USE_CLANG),1) - ifeq ($(ARCH),ARM) - OBJCOPY_BIN_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BOOT) +ifeq ($(ARCH),ARM) + ifeq ($(USE_CLANG),1) + ifneq ($(TZEN),1) + OBJCOPY_BIN_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BOOT) + endif endif endif ifeq ($(TARGET),ti_hercules) @@ -333,7 +335,21 @@ wolfboot.efi: wolfboot.elf wolfboot.bin: wolfboot.elf @echo "\t[BIN] $@" +ifeq ($(USE_CLANG),1) +ifeq ($(TZEN),1) + $(Q)last_load="$$($(CROSS_COMPILE)readelf -Wl $< | awk '/ LOAD / { line = $$0 } END { print line }')"; \ + set -- $$last_load; \ + last_phys=$$(printf '%d' $$4); \ + last_filesz=$$(printf '%d' $$5); \ + padded_filesz=$$((($$last_filesz + 0xff) & ~0xff)); \ + pad_to=$$((last_phys + padded_filesz)); \ + $(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_BIN_FLAGS) --pad-to=$$(printf '0x%x' $$pad_to) -O binary $< $@ +else $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_BIN_FLAGS) -O binary $^ $@ +endif +else + $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_BIN_FLAGS) -O binary $^ $@ +endif @echo @echo "\t[SIZE]" $(Q)$(SIZE) wolfboot.elf diff --git a/arch.mk b/arch.mk index e8fbf8ec57..bc58702040 100644 --- a/arch.mk +++ b/arch.mk @@ -1301,9 +1301,9 @@ ifeq ($(USE_CLANG),1) CFLAGS+=-Wno-unknown-attributes -Wno-error=unknown-attributes CFLAGS+=-fno-unwind-tables -fno-asynchronous-unwind-tables LSCRIPT_FLAGS+=-T $(abspath $(WOLFBOOT_ROOT)/hal/clang-discard.ld) - # Keep Clang-specific raw-image section selection in one place. Both the - # bootloader and test-app need flash-backed sections only, but the bootloader - # has a few extra output sections that must be preserved. + # Clang-built ARM raw images may otherwise expand ELF loadable gaps into + # oversized binaries on some targets. Keep the section selection scoped to + # the Clang workaround paths only. CLANG_ARM_OBJCOPY_FLASH_FLAGS_BASE:=-j .text -j .edidx CLANG_ARM_OBJCOPY_FLASH_FLAGS_BOOT:=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BASE) -j .ramcode -j .keystore -j .gnu.sgstubs CLANG_ARM_OBJCOPY_FLASH_FLAGS_APP:=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BASE) diff --git a/test-app/Makefile b/test-app/Makefile index a81069bc5c..c051d7abbe 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -108,7 +108,9 @@ ifeq ($(USE_CLANG),1) # Clang-built ARM ELFs can keep RAM sections as loadable segments, and raw # objcopy output then expands the flash-to-RAM gap into a huge sparse image. # The app image only needs the flash-backed output sections. - OBJCOPY_IMAGE_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_APP) + ifneq ($(TZEN),1) + OBJCOPY_IMAGE_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_APP) + endif endif ifeq ($(DEBUG_UART),1) From ce24cd2a068ddea6b9bde8f800104dbed5ebe428 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Wed, 25 Mar 2026 06:07:20 +0100 Subject: [PATCH 09/19] CLANG: fix sparse image for test-app in trustzone --- test-app/Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/test-app/Makefile b/test-app/Makefile index c051d7abbe..53b03f1c7e 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -107,8 +107,11 @@ OBJCOPY_IMAGE_FLAGS:= ifeq ($(USE_CLANG),1) # Clang-built ARM ELFs can keep RAM sections as loadable segments, and raw # objcopy output then expands the flash-to-RAM gap into a huge sparse image. - # The app image only needs the flash-backed output sections. - ifneq ($(TZEN),1) + # The app image only needs the flash-backed output sections. TrustZone + # non-secure apps also need the flash-backed .data load image. + ifeq ($(TZEN),1) + OBJCOPY_IMAGE_FLAGS+=-j .text -j .edidx -j .data + else OBJCOPY_IMAGE_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_APP) endif endif From 92ed25d1ef5464f6597f485de81e1a87adf66897 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Wed, 25 Mar 2026 06:51:13 +0100 Subject: [PATCH 10/19] Removed clang install + fix path in tests --- .github/workflows/test-build.yml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index b447cb30ab..278c923ab2 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -30,17 +30,6 @@ jobs: - name: Trust workspace run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - name: Install Clang - if: | - inputs.config-file == './config/examples/stm32h7.config' || - inputs.config-file == './config/examples/stm32h7-octospi.config' || - inputs.config-file == './config/examples/stm32u5.config' || - inputs.config-file == './config/examples/stm32u5-wolfcrypt-tz.config' || - inputs.config-file == './config/examples/stm32u5-nonsecure-dualbank.config' || - inputs.config-file == 'config/examples/stm32n567.config' - run: | - sudo apt-get install -y clang - - name: make clean run: | make distclean @@ -64,7 +53,7 @@ jobs: inputs.config-file == './config/examples/stm32u5.config' || inputs.config-file == './config/examples/stm32u5-wolfcrypt-tz.config' || inputs.config-file == './config/examples/stm32u5-nonsecure-dualbank.config' || - inputs.config-file == 'config/examples/stm32n567.config' + inputs.config-file == './config/examples/stm32n567.config' run: | make distclean cp ${{inputs.config-file}} .config From 7591d675ef6edae9803c71031e699c1ad287520b Mon Sep 17 00:00:00 2001 From: Mattia Moffa Date: Tue, 31 Mar 2026 22:56:47 +0200 Subject: [PATCH 11/19] test-app: add dummy .data and .bss sections when using clang --- test-app/Makefile | 4 ++++ test-app/clang_sections.S | 8 ++++++++ 2 files changed, 12 insertions(+) create mode 100644 test-app/clang_sections.S diff --git a/test-app/Makefile b/test-app/Makefile index 53b03f1c7e..50504ae180 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -114,6 +114,10 @@ ifeq ($(USE_CLANG),1) else OBJCOPY_IMAGE_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_APP) endif + # Clang doesn't emit empty .data/.bss sections in object files (GCC does). + # GNU ld mishandles AT() for output sections with no matching input sections, + # setting LMA=VMA instead of the specified flash address. + APP_OBJS+=clang_sections.o endif ifeq ($(DEBUG_UART),1) diff --git a/test-app/clang_sections.S b/test-app/clang_sections.S new file mode 100644 index 0000000000..df04ec8db7 --- /dev/null +++ b/test-app/clang_sections.S @@ -0,0 +1,8 @@ +/* Workaround for GNU ld mishandling AT() on output sections when no input + * object contributes a matching section. Clang does not emit empty .data/.bss + * sections in object files (GCC does), so GNU ld fails to assign the correct + * LMA for the .data output section, producing a huge sparse binary. + * Including this object ensures .data and .bss exist as inputs. + */ +.section .data +.section .bss From 82e814881fddf2344200e1e7fafbfc2d50e02b75 Mon Sep 17 00:00:00 2001 From: Mattia Moffa Date: Tue, 31 Mar 2026 23:10:24 +0200 Subject: [PATCH 12/19] Undo redundant workarounds --- Makefile | 24 +----------------------- arch.mk | 6 ------ test-app/Makefile | 9 --------- 3 files changed, 1 insertion(+), 38 deletions(-) diff --git a/Makefile b/Makefile index a287aa98b6..4fb0d5af59 100644 --- a/Makefile +++ b/Makefile @@ -25,7 +25,6 @@ DEBUG_UART?=0 LIBS= SIGN_ALG= OBJCOPY_FLAGS= -OBJCOPY_BIN_FLAGS= BIG_ENDIAN?=0 USE_CLANG?=0 ifeq ($(USE_CLANG),1) @@ -199,13 +198,6 @@ ifeq ($(USE_GCC_HEADLESS),1) OBJCOPY_FLAGS+=--gap-fill $(FILL_BYTE) endif -ifeq ($(ARCH),ARM) - ifeq ($(USE_CLANG),1) - ifneq ($(TZEN),1) - OBJCOPY_BIN_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BOOT) - endif - endif -endif ifeq ($(TARGET),ti_hercules) LSCRIPT_FLAGS+=--run_linker $(LSCRIPT) endif @@ -335,21 +327,7 @@ wolfboot.efi: wolfboot.elf wolfboot.bin: wolfboot.elf @echo "\t[BIN] $@" -ifeq ($(USE_CLANG),1) -ifeq ($(TZEN),1) - $(Q)last_load="$$($(CROSS_COMPILE)readelf -Wl $< | awk '/ LOAD / { line = $$0 } END { print line }')"; \ - set -- $$last_load; \ - last_phys=$$(printf '%d' $$4); \ - last_filesz=$$(printf '%d' $$5); \ - padded_filesz=$$((($$last_filesz + 0xff) & ~0xff)); \ - pad_to=$$((last_phys + padded_filesz)); \ - $(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_BIN_FLAGS) --pad-to=$$(printf '0x%x' $$pad_to) -O binary $< $@ -else - $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_BIN_FLAGS) -O binary $^ $@ -endif -else - $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_BIN_FLAGS) -O binary $^ $@ -endif + $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) -O binary $^ $@ @echo @echo "\t[SIZE]" $(Q)$(SIZE) wolfboot.elf diff --git a/arch.mk b/arch.mk index bc58702040..d884458fd8 100644 --- a/arch.mk +++ b/arch.mk @@ -1301,12 +1301,6 @@ ifeq ($(USE_CLANG),1) CFLAGS+=-Wno-unknown-attributes -Wno-error=unknown-attributes CFLAGS+=-fno-unwind-tables -fno-asynchronous-unwind-tables LSCRIPT_FLAGS+=-T $(abspath $(WOLFBOOT_ROOT)/hal/clang-discard.ld) - # Clang-built ARM raw images may otherwise expand ELF loadable gaps into - # oversized binaries on some targets. Keep the section selection scoped to - # the Clang workaround paths only. - CLANG_ARM_OBJCOPY_FLASH_FLAGS_BASE:=-j .text -j .edidx - CLANG_ARM_OBJCOPY_FLASH_FLAGS_BOOT:=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BASE) -j .ramcode -j .keystore -j .gnu.sgstubs - CLANG_ARM_OBJCOPY_FLASH_FLAGS_APP:=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_BASE) endif ifeq ($(USE_GCC),1) diff --git a/test-app/Makefile b/test-app/Makefile index 50504ae180..1e2e76e988 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -105,15 +105,6 @@ OBJCOPY_FLAGS+=--gap-fill $(FILL_BYTE) OBJCOPY_IMAGE_FLAGS:= ifeq ($(USE_CLANG),1) - # Clang-built ARM ELFs can keep RAM sections as loadable segments, and raw - # objcopy output then expands the flash-to-RAM gap into a huge sparse image. - # The app image only needs the flash-backed output sections. TrustZone - # non-secure apps also need the flash-backed .data load image. - ifeq ($(TZEN),1) - OBJCOPY_IMAGE_FLAGS+=-j .text -j .edidx -j .data - else - OBJCOPY_IMAGE_FLAGS+=$(CLANG_ARM_OBJCOPY_FLASH_FLAGS_APP) - endif # Clang doesn't emit empty .data/.bss sections in object files (GCC does). # GNU ld mishandles AT() for output sections with no matching input sections, # setting LMA=VMA instead of the specified flash address. From 1bcac2469fc2bb9dcda32a628bb8c989c94ba9e2 Mon Sep 17 00:00:00 2001 From: Mattia Moffa Date: Fri, 3 Apr 2026 15:55:26 +0200 Subject: [PATCH 13/19] Don't override OBJCOPY_IMAGE_FLAGS --- test-app/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-app/Makefile b/test-app/Makefile index 1e2e76e988..b649696924 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -102,7 +102,7 @@ LDFLAGS+=-T $(LSCRIPT) -Wl,-gc-sections -Wl,-Map=image.map -nostartfiles # Setup default objcopy flags OBJCOPY_FLAGS+=--gap-fill $(FILL_BYTE) -OBJCOPY_IMAGE_FLAGS:= +OBJCOPY_IMAGE_FLAGS?= ifeq ($(USE_CLANG),1) # Clang doesn't emit empty .data/.bss sections in object files (GCC does). From 9778552534a05f821f60751c7a5a6c83dd5272bc Mon Sep 17 00:00:00 2001 From: Mattia Moffa Date: Fri, 3 Apr 2026 16:00:49 +0200 Subject: [PATCH 14/19] Remove redundant comment --- test-app/Makefile | 3 --- 1 file changed, 3 deletions(-) diff --git a/test-app/Makefile b/test-app/Makefile index b649696924..10cf017eec 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -105,9 +105,6 @@ OBJCOPY_FLAGS+=--gap-fill $(FILL_BYTE) OBJCOPY_IMAGE_FLAGS?= ifeq ($(USE_CLANG),1) - # Clang doesn't emit empty .data/.bss sections in object files (GCC does). - # GNU ld mishandles AT() for output sections with no matching input sections, - # setting LMA=VMA instead of the specified flash address. APP_OBJS+=clang_sections.o endif From 8572e207f2585d7f4dbb33647f4fe297633061b6 Mon Sep 17 00:00:00 2001 From: Mattia Moffa Date: Fri, 3 Apr 2026 17:40:00 +0200 Subject: [PATCH 15/19] Use LLVM LDD with clang --- Makefile | 4 ++++ arch.mk | 6 ++---- hal/clang-discard.ld | 14 -------------- hal/lpc55s69.ld | 2 +- hal/mcxn.ld | 2 +- hal/mcxw.ld | 2 +- hal/nrf5340.ld | 2 +- hal/nrf54l.ld | 2 +- hal/rp2350.ld | 2 +- hal/stm32h5.ld | 2 +- hal/stm32l5.ld | 2 +- hal/stm32u5.ld | 2 +- {test-app => src}/clang_sections.S | 0 test-app/Makefile | 13 ++++++------- 14 files changed, 21 insertions(+), 34 deletions(-) delete mode 100644 hal/clang-discard.ld rename {test-app => src}/clang_sections.S (100%) diff --git a/Makefile b/Makefile index 4fb0d5af59..f3adcb3139 100644 --- a/Makefile +++ b/Makefile @@ -42,6 +42,10 @@ OBJS:= \ ./src/libwolfboot.o \ ./hal/hal.o +ifeq ($(USE_CLANG),1) +OBJS+=./src/clang_sections.o +endif + ifeq ($(WOLFCRYPT_TZ_PSA),1) OBJS+=./src/dice/dice.o endif diff --git a/arch.mk b/arch.mk index d884458fd8..6656374320 100644 --- a/arch.mk +++ b/arch.mk @@ -1288,9 +1288,7 @@ ifeq ($(USE_CLANG),1) CLANG_NEWLIB_INCLUDE?=$(abspath $(dir $(CLANG_LIBC_A))/../include) CC=$(CLANG_DRIVER) - # Keep clang for compilation, but use the GNU linker driver so linker-script - # LMAs for RAM sections are preserved and objcopy does not emit sparse images. - LD=$(CLANG_GCC_NAME) + LD=$(CLANG_DRIVER) -fuse-ld=lld AS=$(CLANG_DRIVER) AR=$(CROSS_COMPILE)ar OBJCOPY?=$(CROSS_COMPILE)objcopy @@ -1300,7 +1298,7 @@ ifeq ($(USE_CLANG),1) CFLAGS+=-DWOLFSSL_NO_ATOMIC -DWOLFSSL_NO_ATOMICS CFLAGS+=-Wno-unknown-attributes -Wno-error=unknown-attributes CFLAGS+=-fno-unwind-tables -fno-asynchronous-unwind-tables - LSCRIPT_FLAGS+=-T $(abspath $(WOLFBOOT_ROOT)/hal/clang-discard.ld) + LDFLAGS+=-nostdlib endif ifeq ($(USE_GCC),1) diff --git a/hal/clang-discard.ld b/hal/clang-discard.ld deleted file mode 100644 index 1217dddbc5..0000000000 --- a/hal/clang-discard.ld +++ /dev/null @@ -1,14 +0,0 @@ -SECTIONS -{ - /DISCARD/ : - { - *(.ARM.extab* .gnu.linkonce.armextab.*) - *(.eh_frame* .gcc_except_table*) - *(.preinit_array*) - *(.init_array*) - *(.fini_array*) - *(.ctors*) - *(.dtors*) - *(.jcr*) - } -} diff --git a/hal/lpc55s69.ld b/hal/lpc55s69.ld index 84d2b78b07..bb7a7fce14 100644 --- a/hal/lpc55s69.ld +++ b/hal/lpc55s69.ld @@ -30,7 +30,7 @@ SECTIONS *(.ARM.exidx*) } > FLASH - .gnu.sgstubs : + .gnu.sgstubs ORIGIN(FLASH_NSC) : { . += 0x400; . = ALIGN(4); diff --git a/hal/mcxn.ld b/hal/mcxn.ld index fe21f44ac4..9d9c9feb76 100644 --- a/hal/mcxn.ld +++ b/hal/mcxn.ld @@ -30,7 +30,7 @@ SECTIONS *(.ARM.exidx*) } > FLASH - .gnu.sgstubs : + .gnu.sgstubs ORIGIN(FLASH_NSC) : { . += 0x400; . = ALIGN(4); diff --git a/hal/mcxw.ld b/hal/mcxw.ld index 41f4496f2e..c6c8809a95 100644 --- a/hal/mcxw.ld +++ b/hal/mcxw.ld @@ -30,7 +30,7 @@ SECTIONS *(.ARM.exidx*) } > FLASH - .gnu.sgstubs : + .gnu.sgstubs ORIGIN(FLASH_NSC) : { . += 0x400; . = ALIGN(4); diff --git a/hal/nrf5340.ld b/hal/nrf5340.ld index 98663fa5ee..df216fbb96 100644 --- a/hal/nrf5340.ld +++ b/hal/nrf5340.ld @@ -29,7 +29,7 @@ SECTIONS *(.ARM.exidx*) } > FLASH - .gnu.sgstubs : + .gnu.sgstubs ORIGIN(FLASH_NSC) : { . += 0x400; . = ALIGN(4); diff --git a/hal/nrf54l.ld b/hal/nrf54l.ld index 3a4f2d3a5c..ae2ea18345 100644 --- a/hal/nrf54l.ld +++ b/hal/nrf54l.ld @@ -29,7 +29,7 @@ SECTIONS *(.ARM.exidx*) } > FLASH - .gnu.sgstubs : + .gnu.sgstubs ORIGIN(FLASH_NSC) : { . += 0x400; . = ALIGN(4); diff --git a/hal/rp2350.ld b/hal/rp2350.ld index 5ac320778c..3030d16f82 100644 --- a/hal/rp2350.ld +++ b/hal/rp2350.ld @@ -102,7 +102,7 @@ SECTIONS . = ALIGN(4); } > FLASH - .gnu.sgstubs : + .gnu.sgstubs ORIGIN(FLASH_NSC) : { *(.gnu.sgstubs*) /* Secure Gateway stubs */ . = ALIGN(4); diff --git a/hal/stm32h5.ld b/hal/stm32h5.ld index 046031198f..49684ee545 100644 --- a/hal/stm32h5.ld +++ b/hal/stm32h5.ld @@ -25,7 +25,7 @@ SECTIONS *(.ARM.exidx*) } > FLASH - .gnu.sgstubs : + .gnu.sgstubs ORIGIN(FLASH_NSC) : { . = ALIGN(32); *(.gnu.sgstubs*) /* Secure Gateway stubs */ diff --git a/hal/stm32l5.ld b/hal/stm32l5.ld index 6151b336d0..5f0da10385 100644 --- a/hal/stm32l5.ld +++ b/hal/stm32l5.ld @@ -25,7 +25,7 @@ SECTIONS *(.ARM.exidx*) } > FLASH - .gnu.sgstubs : + .gnu.sgstubs ORIGIN(FLASH_NSC) : { . += 0x400; . = ALIGN(4); diff --git a/hal/stm32u5.ld b/hal/stm32u5.ld index 6151b336d0..5f0da10385 100644 --- a/hal/stm32u5.ld +++ b/hal/stm32u5.ld @@ -25,7 +25,7 @@ SECTIONS *(.ARM.exidx*) } > FLASH - .gnu.sgstubs : + .gnu.sgstubs ORIGIN(FLASH_NSC) : { . += 0x400; . = ALIGN(4); diff --git a/test-app/clang_sections.S b/src/clang_sections.S similarity index 100% rename from test-app/clang_sections.S rename to src/clang_sections.S diff --git a/test-app/Makefile b/test-app/Makefile index 10cf017eec..9daa13afb6 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -102,10 +102,9 @@ LDFLAGS+=-T $(LSCRIPT) -Wl,-gc-sections -Wl,-Map=image.map -nostartfiles # Setup default objcopy flags OBJCOPY_FLAGS+=--gap-fill $(FILL_BYTE) -OBJCOPY_IMAGE_FLAGS?= ifeq ($(USE_CLANG),1) - APP_OBJS+=clang_sections.o + APP_OBJS+=../src/clang_sections.o endif ifeq ($(DEBUG_UART),1) @@ -925,15 +924,15 @@ delta-extra-data:LDFLAGS=-Wl,-Map=image.map image.bin: image.elf @echo "\t[BIN] $@" - $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_IMAGE_FLAGS) -O binary $^ $@ + $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) -O binary $^ $@ image.hex: image.elf @echo "\t[HEX] $@" - $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_IMAGE_FLAGS) -O ihex $^ $@ + $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) -O ihex $^ $@ image.srec: image.elf @echo "\t[SREC] $@" - $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) $(OBJCOPY_IMAGE_FLAGS) -O srec $^ $@ + $(Q)$(OBJCOPY) $(OBJCOPY_FLAGS) -O srec $^ $@ APP_OBJS := $(patsubst $(WOLFBOOT_LIB_WOLFSSL)/%, \ $(WOLFSSL_LOCAL_OBJDIR)/%, $(APP_OBJS)) @@ -943,7 +942,7 @@ ifeq ($(ELF_FLASH_SCATTER),1) SQUASHELF_TOOL = ../tools/squashelf/squashelf image-orig.elf: $(APP_OBJS) $(LSCRIPT) @echo "\t[LD] $@" - $(Q)$(LD) $(LDFLAGS) $(LSCRIPT_FLAGS) $(APP_OBJS) $(LIBS) $(OUTPUT_FLAG) $@ + $(Q)$(LD) $(LDFLAGS) $(APP_OBJS) $(LIBS) $(OUTPUT_FLAG) $@ image.elf: image-orig.elf @echo "\t[SQUASHELF] $@" @@ -952,7 +951,7 @@ else # Default behavior when ELF_FLASH_SCATTER is not set image.elf: $(APP_OBJS) $(LSCRIPT) @echo "\t[LD] $@" - $(Q)$(LD) $(LDFLAGS) $(LSCRIPT_FLAGS) $(APP_OBJS) $(LIBS) $(OUTPUT_FLAG) $@ + $(Q)$(LD) $(LDFLAGS) $(APP_OBJS) $(LIBS) $(OUTPUT_FLAG) $@ endif standalone: image.bin From a0a3daedb3dd032164748ab7f7735f83b121f917 Mon Sep 17 00:00:00 2001 From: Mattia Moffa Date: Fri, 3 Apr 2026 17:49:31 +0200 Subject: [PATCH 16/19] Use llvm-ar, llvm-objcopy, llvm-size when USE_CLANG=1 --- arch.mk | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch.mk b/arch.mk index 6656374320..f56e3444f7 100644 --- a/arch.mk +++ b/arch.mk @@ -1290,9 +1290,9 @@ ifeq ($(USE_CLANG),1) CC=$(CLANG_DRIVER) LD=$(CLANG_DRIVER) -fuse-ld=lld AS=$(CLANG_DRIVER) - AR=$(CROSS_COMPILE)ar - OBJCOPY?=$(CROSS_COMPILE)objcopy - SIZE=$(CROSS_COMPILE)size + AR=llvm-ar + OBJCOPY?=llvm-objcopy + SIZE=llvm-size CFLAGS+=-isystem $(CLANG_NEWLIB_INCLUDE) CFLAGS+=-DWOLFSSL_NO_ATOMIC -DWOLFSSL_NO_ATOMICS From 5cd5a19966c339d445206b2e684a8c926caa69de Mon Sep 17 00:00:00 2001 From: Mattia Moffa Date: Fri, 3 Apr 2026 18:51:41 +0200 Subject: [PATCH 17/19] Update test container to 1.3 --- .github/workflows/test-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index 278c923ab2..898613ad96 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -19,7 +19,7 @@ jobs: build: runs-on: ubuntu-latest container: - image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.0 + image: ghcr.io/wolfssl/wolfboot-ci-arm:v1.3 timeout-minutes: 30 steps: From 8bfdf5b5ad129a2fc4aba43370c97643d2be6d3c Mon Sep 17 00:00:00 2001 From: Mattia Moffa Date: Fri, 3 Apr 2026 19:19:13 +0200 Subject: [PATCH 18/19] Explicitly place .keystore --- hal/nrf5340-ns.ld | 6 ++++++ hal/nrf54l-ns.ld | 6 ++++++ hal/stm32h5-ns.ld | 6 ++++++ hal/stm32l5-ns.ld | 6 ++++++ hal/stm32u5-ns.ld | 6 ++++++ 5 files changed, 30 insertions(+) diff --git a/hal/nrf5340-ns.ld b/hal/nrf5340-ns.ld index c65e9c5748..512d57bc7f 100644 --- a/hal/nrf5340-ns.ld +++ b/hal/nrf5340-ns.ld @@ -26,6 +26,12 @@ SECTIONS *(.ARM.exidx*) } > FLASH + .keystore : + { + . = ALIGN(4); + KEEP(*(.keystore*)) + } > FLASH + _stored_data = .; .data : AT (_stored_data) diff --git a/hal/nrf54l-ns.ld b/hal/nrf54l-ns.ld index 0ba2ccd889..f0eb7eff00 100644 --- a/hal/nrf54l-ns.ld +++ b/hal/nrf54l-ns.ld @@ -25,6 +25,12 @@ SECTIONS *(.ARM.exidx*) } > FLASH + .keystore : + { + . = ALIGN(4); + KEEP(*(.keystore*)) + } > FLASH + _stored_data = .; .data : AT (_stored_data) diff --git a/hal/stm32h5-ns.ld b/hal/stm32h5-ns.ld index 0ee538bc73..ce7b51df7c 100644 --- a/hal/stm32h5-ns.ld +++ b/hal/stm32h5-ns.ld @@ -22,6 +22,12 @@ SECTIONS *(.ARM.exidx*) } > FLASH + .keystore : + { + . = ALIGN(4); + KEEP(*(.keystore*)) + } > FLASH + _stored_data = .; .data : AT (_stored_data) { diff --git a/hal/stm32l5-ns.ld b/hal/stm32l5-ns.ld index ee4634d273..29a401b62f 100644 --- a/hal/stm32l5-ns.ld +++ b/hal/stm32l5-ns.ld @@ -22,6 +22,12 @@ SECTIONS *(.ARM.exidx*) } > FLASH + .keystore : + { + . = ALIGN(4); + KEEP(*(.keystore*)) + } > FLASH + _stored_data = .; .data : AT (_stored_data) { diff --git a/hal/stm32u5-ns.ld b/hal/stm32u5-ns.ld index ee4634d273..29a401b62f 100644 --- a/hal/stm32u5-ns.ld +++ b/hal/stm32u5-ns.ld @@ -22,6 +22,12 @@ SECTIONS *(.ARM.exidx*) } > FLASH + .keystore : + { + . = ALIGN(4); + KEEP(*(.keystore*)) + } > FLASH + _stored_data = .; .data : AT (_stored_data) { From e01c613888c6e8cd47c25e1ad98fba5bcdf21d2b Mon Sep 17 00:00:00 2001 From: Mattia Moffa Date: Fri, 3 Apr 2026 20:29:03 +0200 Subject: [PATCH 19/19] Fix CI tests --- hal/stm32h7.ld | 6 ++++++ options.mk | 16 ++++++++++++++-- test-app/ARM-stm32h7.ld | 6 ++++++ test-app/Makefile | 3 ++- 4 files changed, 28 insertions(+), 3 deletions(-) diff --git a/hal/stm32h7.ld b/hal/stm32h7.ld index 29c73711b3..dfde5f78b4 100644 --- a/hal/stm32h7.ld +++ b/hal/stm32h7.ld @@ -22,6 +22,12 @@ SECTIONS *(.ARM.exidx*) } > FLASH + .keystore : + { + . = ALIGN(4); + KEEP(*(.keystore*)) + } > FLASH + _stored_data = .; .data : AT (_stored_data) { diff --git a/options.mk b/options.mk index bf32d11863..41bb6e0f20 100644 --- a/options.mk +++ b/options.mk @@ -803,7 +803,13 @@ ifeq ($(WOLFCRYPT_TZ_PKCS11),1) CFLAGS+=-DCK_CALLABLE="__attribute__((cmse_nonsecure_entry))" CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11) CFLAGS+=-DWP11_HASH_PIN_COST=3 - LDFLAGS+=--specs=nano.specs + ifeq ($(USE_CLANG),1) + CLANG_MULTILIB_FLAGS:=$(filter -mthumb -mlittle-endian,$(LDFLAGS)) $(filter -mcpu=%,$(CFLAGS)) + LIBS+=$(shell $(CLANG_GCC_NAME) $(CLANG_MULTILIB_FLAGS) -print-file-name=libc.a) + LIBS+=$(shell $(CLANG_GCC_NAME) $(CLANG_MULTILIB_FLAGS) -print-libgcc-file-name) + else + LDFLAGS+=--specs=nano.specs + endif WOLFCRYPT_OBJS+=src/store_sbrk.o WOLFCRYPT_OBJS+=src/pkcs11_store.o WOLFCRYPT_OBJS+=src/pkcs11_callable.o @@ -850,7 +856,13 @@ ifeq ($(WOLFCRYPT_TZ_PSA),1) CFLAGS+=-DNO_DES3 -DNO_DES3_TLS_SUITES WOLFPSA_CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPSA) WOLFPSA_CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPSA)/wolfpsa - LDFLAGS+=--specs=nano.specs + ifeq ($(USE_CLANG),1) + CLANG_MULTILIB_FLAGS:=$(filter -mthumb -mlittle-endian,$(LDFLAGS)) $(filter -mcpu=%,$(CFLAGS)) + LIBS+=$(shell $(CLANG_GCC_NAME) $(CLANG_MULTILIB_FLAGS) -print-file-name=libc.a) + LIBS+=$(shell $(CLANG_GCC_NAME) $(CLANG_MULTILIB_FLAGS) -print-libgcc-file-name) + else + LDFLAGS+=--specs=nano.specs + endif WOLFCRYPT_OBJS+=src/store_sbrk.o WOLFCRYPT_OBJS+=src/psa_store.o WOLFCRYPT_OBJS+=src/arm_tee_psa_veneer.o diff --git a/test-app/ARM-stm32h7.ld b/test-app/ARM-stm32h7.ld index 7c595fabb8..4b44d6bd81 100644 --- a/test-app/ARM-stm32h7.ld +++ b/test-app/ARM-stm32h7.ld @@ -18,6 +18,12 @@ SECTIONS _end_text = .; } > FLASH + .edidx : + { + . = ALIGN(4); + *(.ARM.exidx*) + } > FLASH + _stored_data = .; .data : AT (_stored_data) diff --git a/test-app/Makefile b/test-app/Makefile index 9daa13afb6..5ea762546f 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -303,8 +303,9 @@ ifeq ($(TZEN),1) CFLAGS+=-DWOLFBOOT_SECURE_CALLS ifneq ($(USE_CLANG),1) CFLAGS+=-Wstack-usage=19184 + LDFLAGS+=--specs=nosys.specs endif - LDFLAGS+=--specs=nosys.specs -u _printf_float + LDFLAGS+=-u _printf_float endif ifeq ($(WOLFCRYPT_TZ_PSA),1) CFLAGS+=-DWOLFCRYPT_TZ_PSA -DWOLFSSL_HAVE_PSA