Add hardware-based DICE on MCXN

[yosuke-wolfssl]

This PR adds the hardware-based DICE attestation feature on wolfBoot.
Also, this updates existing DICE feature to give users a derived public part of IAK for further verification.

Changes: hardware-based DICE

• New configuration flag WOLFBOOT_DICE_HW is added.
• wolfBoot exposes new HAL hooks and has new code path in src/dice/dice.c if WOLFBOOT_DICE_HW is enabled.
• New section is added in docs/DICE.md to explain this feature.

Changes: MCXN specific

• hal/mcxn.c and test-app/app_mcxn.c are updated for DICE functionality.
• MCXN947-DICE.md is added in docs to explain MCXN specific implementation and how to use.
• New build tests are added into .github/workflows/test-configs.yml

Changes: Public key distribution

• psa_initial_attest_get_iak_pubkey is added as public getter so that user app can get the public key and distribute it in further verification process.
• wolfBoot will cache the derived public key during IAK derivation. This cache is cleared after the read. (read once)
• New HAL hook is exposed for hardware-based scenario as well.

[Copilot]

Pull request overview

This PR adds DICE attestation support for MCXN, including a hardware-backed DICE path via MCXN EdgeLock Secure Subsystem and a new public API for retrieving the read-once IAK public key.

Changes:

• Adds WOLFBOOT_DICE_HW build path, HAL hooks, and MCXN ELS-backed DICE key/signing implementation.
• Adds PSA/TEE API support for psa_initial_attest_get_iak_pubkey().
• Adds MCXN PSA/DICE sample configs, tests, app verification flow, and documentation.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/dice/dice.c	Adds hardware DICE signing path and IAK public-key caching/getter.
hal/mcxn.c	Implements MCXN UUID/UEID handling and ELS-backed CDI/key/signature hooks.
hal/hal.c	Adds weak hardware DICE HAL hook stubs.
include/hal.h	Declares hardware DICE HAL hook API.
include/wolfboot/dice.h	Adds component name macros and public IAK public-key getter.
src/arm_tee_psa_ipc.c	Adds secure-side PSA IPC dispatch for IAK public-key retrieval.
zephyr/src/arm_tee_attest_api.c	Adds non-secure PSA wrapper for IAK public-key retrieval.
zephyr/include/psa/initial_attestation.h	Declares the new PSA attestation public-key getter.
zephyr/include/arm_tee_attest_defs.h	Adds attestation message ID for IAK public-key retrieval.
include/wolfboot/arm_tee_api.h	Narrows CMSE NS entry attribute condition.
test-app/app_mcxn.c	Adds PSA attestation token verification test using retrieved IAK public key.
options.mk	Adds WOLFBOOT_DICE_HW compiler define handling under PSA TrustZone builds.
arch.mk	Adds MCXN ELS PKC include paths and objects for PSA builds.
config/examples/mcxn-tz-psa.config	Adds MCXN TrustZone PSA software-DICE sample config.
config/examples/mcxn-tz-psa-hw.config	Adds MCXN TrustZone PSA hardware-DICE sample config.
.github/workflows/test-configs.yml	Adds MCXN PSA and hardware-DICE build jobs.
docs/DICE.md	Documents hardware DICE keying mode and public-key getter.
docs/Targets.md	Links MCXN DICE documentation from target docs.
docs/MCXN947-DICE.md	Adds MCXN947 DICE sample setup and expected output.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #780

Scan targets checked: wolfboot-bugs
Failed targets: wolfboot-src

⚠️ Review incomplete — one or more scan targets failed before findings could be produced. See the Fenrir PR review detail page for logs.

[yosuke-wolfssl]

Hello @danielinux ,

I finished the implementation.
Could you please review this ?