Add OTA demonstrator #20

Open
yosuke-wolfssl wants to merge 1 commit into wolfSSL:main from yosuke-wolfssl:ota

@yosuke-wolfssl


This PR adds an OTA demonstrator with wolfSSL products, Zephyr and TrustZone.
It's stored in the new dm-wolfssl-ota-client-with-zephyr folder and tested on MCXN947.
The OTA demo consists of the following things:

  • OTA client app based on Zephyr, wolfSSL and wolfMQTT
  • Simple OTA server app with wolfMQTT
  • Docker file of a simple MQTT broker for testing
  • Patch and configuration file for wolfBoot, which is the secure boot loader running in the secure world.

@yosuke-wolfssl yosuke-wolfssl self-assigned this Apr 23, 2026
Copilot AI review requested due to automatic review settings April 23, 2026 00:12

Copilot AI left a comment


Pull request overview

Adds a new OTA demonstrator project (dm-wolfssl-ota-client-with-zephyr) for FRDM-MCXN947 that combines Zephyr (Non-Secure), wolfSSL/wolfMQTT, and wolfBoot (Secure world) to download and apply firmware updates via MQTT.

Changes:

  • Introduces Zephyr-based OTA client app that downloads an update image into wolfBoot slot1 and triggers an update.
  • Adds a host-side “fwserver” tool to publish an erase command + firmware chunks over MQTT/TLS.
  • Adds a Dockerized Mosquitto broker setup plus wolfBoot patch/config and demo documentation/assets.

Reviewed changes

Copilot reviewed 39 out of 42 changed files in this pull request and generated 15 comments.

| File | Description |
| --- | --- |
| dm-wolfssl-ota-client-with-zephyr/wolfbootConfig/0001-Update-configs-and-memory-map.patch | wolfBoot patch adjusting SAU regions, ENET non-secure IRQs, flash origin, and RAM layout. |
| dm-wolfssl-ota-client-with-zephyr/wolfbootConfig/.config | wolfBoot build configuration for MCXN947 + TrustZone settings and partitions. |
| dm-wolfssl-ota-client-with-zephyr/src/user_settings.h | wolfSSL/wolfMQTT configuration header tuned for Zephyr + TLS + algorithms. |
| dm-wolfssl-ota-client-with-zephyr/src/system_init_ns.c | Early non-secure SoC init hook for MCXN947 (coprocessors/ECC/cache/glitch detect). |
| dm-wolfssl-ota-client-with-zephyr/src/mqttClient/mqttport.h | wolfMQTT portability layer additions for Zephyr sockets/filesystem wrappers. |
| dm-wolfssl-ota-client-with-zephyr/src/mqttClient/mqttport.c | Zephyr filesystem wrapper implementation for wolfMQTT examples. |
| dm-wolfssl-ota-client-with-zephyr/src/mqttClient/mqttnet.h | Network context definitions and init/deinit declarations for wolfMQTT client side. |
| dm-wolfssl-ota-client-with-zephyr/src/mqttClient/mqttexample.h | Shared example context/types and defaults used by the OTA client. |
| dm-wolfssl-ota-client-with-zephyr/src/mqttClient/mqttexample.c | Shared helpers including TLS setup/verify callback and file-loading helper. |
| dm-wolfssl-ota-client-with-zephyr/src/mqttClient/fwclient.h | Firmware client public API definitions. |
| dm-wolfssl-ota-client-with-zephyr/src/mqttClient/fwclient.c | OTA client implementation: erase/update-slot writing, chunking, and update trigger. |
| dm-wolfssl-ota-client-with-zephyr/src/mqttClient/firmware.h | Firmware transfer protocol definitions (topics, headers, QoS, sizes). |
| dm-wolfssl-ota-client-with-zephyr/src/main.c | Zephyr app entry: network bring-up + OTA client invocation + wolfBoot trigger. |
| dm-wolfssl-ota-client-with-zephyr/sample.yaml | Zephyr sample metadata and test tags. |
| dm-wolfssl-ota-client-with-zephyr/prj.conf | Zephyr Kconfig for networking, wolfSSL/wolfMQTT, and non-secure TrustZone build. |
| dm-wolfssl-ota-client-with-zephyr/mqttBroker/dockerfile | Container recipe for Mosquitto-based test broker. |
| dm-wolfssl-ota-client-with-zephyr/mqttBroker/certs/server.key | Broker TLS private key (currently committed). |
| dm-wolfssl-ota-client-with-zephyr/mqttBroker/certs/server.csr | Broker CSR used for generating the certificate. |
| dm-wolfssl-ota-client-with-zephyr/mqttBroker/certs/server.crt | Broker TLS server certificate. |
| dm-wolfssl-ota-client-with-zephyr/mqttBroker/certs/ca.srl | CA serial file for certificate issuance. |
| dm-wolfssl-ota-client-with-zephyr/mqttBroker/certs/ca.key | CA private key (currently committed). |
| dm-wolfssl-ota-client-with-zephyr/mqttBroker/certs/ca.crt | CA certificate for broker TLS chain. |
| dm-wolfssl-ota-client-with-zephyr/fwserver/mqttport.h | Host-side wolfMQTT port header for fwserver build. |
| dm-wolfssl-ota-client-with-zephyr/fwserver/mqttport.c | Host-side port implementation (filesystem wrappers). |
| dm-wolfssl-ota-client-with-zephyr/fwserver/mqttnet.h | Host-side network context/type definitions for fwserver. |
| dm-wolfssl-ota-client-with-zephyr/fwserver/mqttexample.h | Host-side example context/types and defaults. |
| dm-wolfssl-ota-client-with-zephyr/fwserver/mqttexample.c | Host-side TLS setup/verify callback and helpers. |
| dm-wolfssl-ota-client-with-zephyr/fwserver/fwserver.h | fwserver public API header (currently naming/guard mismatch). |
| dm-wolfssl-ota-client-with-zephyr/fwserver/fwserver.c | fwserver implementation: publish erase command + chunked firmware messages. |
| dm-wolfssl-ota-client-with-zephyr/fwserver/firmware.h | Host-side firmware protocol definitions and publish delay. |
| dm-wolfssl-ota-client-with-zephyr/fwserver/CMakeLists.txt | Standalone CMake build for fwserver linking against wolfMQTT/wolfSSL tree. |
| dm-wolfssl-ota-client-with-zephyr/dm-wolfssl-ota-client-with-zephyr.xml | Demo metadata descriptor for the Application Code Hub ecosystem. |
| dm-wolfssl-ota-client-with-zephyr/app.overlay | DT overlay overriding memory/partitions and ENET MAC behavior for wolfBoot map. |
| dm-wolfssl-ota-client-with-zephyr/README.md | End-to-end setup/run documentation for wolfBoot + Zephyr OTA demo. |
| dm-wolfssl-ota-client-with-zephyr/LICENSE.txt | License text for the demo’s distribution. |
| dm-wolfssl-ota-client-with-zephyr/Images/mcxn-OTA.svg | Sequence diagram asset for OTA flow. |
| dm-wolfssl-ota-client-with-zephyr/CMakeLists.txt | Zephyr app build configuration and wolfBoot NSC linkage wiring. |
| .gitignore | Adds **/svd to ignored outputs. |

Comment thread dm-wolfssl-ota-client-with-zephyr/app.overlay Outdated
Comment thread dm-wolfssl-ota-client-with-zephyr/src/mqttClient/mqttexample.c
Comment thread dm-wolfssl-ota-client-with-zephyr/mqttBroker/dockerfile
Comment thread dm-wolfssl-ota-client-with-zephyr/src/mqttClient/fwclient.c
Comment thread dm-wolfssl-ota-client-with-zephyr/src/user_settings.h Outdated
Comment thread dm-wolfssl-ota-client-with-zephyr/mqttBroker/certs/ca.key
Comment thread dm-wolfssl-ota-client-with-zephyr/sample.yaml Outdated
Comment thread dm-wolfssl-ota-client-with-zephyr/mqttBroker/certs/server.key
Comment thread dm-wolfssl-ota-client-with-zephyr/fwserver/mqttexample.c
Comment thread dm-wolfssl-ota-client-with-zephyr/fwserver/fwserver.h

@night1rider night1rider left a comment

Contributor

Apologies for not getting to this last week. I was at a tradeshow all week and did not have time to review this demo.

For the most part it looks like a good demo! I was able to get it to work; however, I want to suggest some changes to make it more streamlined.

Could the demo be tightened so there are fewer manual steps?
Specifically:

  • Add wolfBoot to west.yml so west update pulls it. Then you can reference it in CMakeLists.txt to do extra steps automatically. I found that mcux-sdk (e.g. revision: MCUX_2.16.000, path: bootloader/nxp/frdm_mcxn947/mcuxsdk) will also need to be pulled, since wolfBoot's MCXN HAL needs the boards/frdmmcxn947/project_template files that aren't in mcux-sdk-ng.
  • Can you fold the two LinkServer calls (wolfboot.bin at 0x10000000 plus signed app at 0x10010000) into a single Flash button step? Could sysbuild help here (https://docs.zephyrproject.org/latest/build/sysbuild/index.html)? You could try adding hooks to the project's CMakeLists.txt to produce a factory.hex file if sysbuild cannot be used.
  • Build both v1 and v2 at the same time (maybe with extra CMake hooks).
  • Add a sys_reboot(SYS_REBOOT_COLD) (with CONFIG_REBOOT=y in prj.conf) after wolfBoot_nsc_update_trigger() in src/main.c:374. Otherwise the swap waits for someone to press the reset button.

Also, has this been tested on Windows?

Thanks!

@yosuke-wolfssl

Author

Hello @night1rider,
I'm sorry for being late to respond.
I have now updated this to reduce the manual steps. Almost all procedures are automatically executed once users trigger the CMake build.
The only step left is to flash the image using LinkServer, but that is also getting easier because the factory.bin is now generated. Users need only one command to flash.
Can you review this again, please?

@night1rider night1rider left a comment

Contributor

Hello @yosuke-wolfssl, I worked on reviewing this Friday (06/05), but ran into some issues with the factory.bin produced from the build.

After flashing factory.bin at 0x0, a fresh build does not boot. Exact serial:

Partition 1 header magic 0xFFFFFFFF invalid at 0xD0000
Boot partition: 0x10000 (sz 313996, ver 0x1, type 0x601)
Booting version: 0x1
2�ɷ��&�z��u�BB����.�2B��c���te�M�����l������ ��m;���H7�#�h��̶�.�PYb~�Boot partition: 0x10000 (sz 313996, ver 0x1, type 0x601)
Partition 1 header magic 0xFFFFFFFF invalid at 0xD0000
Boot partition: 0x10000 (sz 313996, ver 0x1, type 0x601)
Booting version: 0x1
2�y���&�z�д�h8c�����F��BB��F��?�˾...

This keeps repeating and never reaches *** Booting Zephyr OS ***.

Any ideas what is causing this?

Also, the west.yml doesn't pull wolfBoot (or mcux-sdk). The west.yml at the repo root only lists Zephyr and the wolfSSL modules, so west update never fetches wolfBoot. Could you add wolfBoot and the mcux-sdk to west.yml so a fresh west update pulls everything?

@night1rider night1rider left a comment

Contributor

Small things, but otherwise good!

I was able to use Windows after installing some specific Windows tools to create the fwserver application and signing tools. I used WSL+Docker to run the broker container.

I will put up a follow-up PR to add the needed tools in the main readme for Windows; none of what I did required changes to the project/source.

Comment thread dm-wolfssl-ota-client-with-zephyr/CMakeLists.txt Outdated
Comment thread dm-wolfssl-ota-client-with-zephyr/README.md

@night1rider night1rider left a comment

Contributor

Nice!

@night1rider night1rider removed their assignment Jun 11, 2026