From 5f919c1b2e0f820bc8f29c2529f79bada4a067e2 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Thu, 19 Mar 2026 08:45:23 +0100 Subject: [PATCH 1/6] Updated submodules --- CMakeLists.txt | 1 + hal/sim.c | 15 ++++++++++++++- include/user_settings.h | 4 +++- lib/wolfPKCS11 | 2 +- lib/wolfPSA | 2 +- lib/wolfTPM | 2 +- lib/wolfssl | 2 +- options.mk | 3 ++- test-app/CMakeLists.txt | 2 +- tools/scripts/sim-sunnyday-update.sh | 2 -- tools/unit-tests/Makefile | 2 +- 11 files changed, 26 insertions(+), 11 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index e8c640ad40..65f0e6c70e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -717,6 +717,7 @@ if(ARCH STREQUAL "ARM") list(APPEND WOLFBOOT_DEFS SECURE_PKCS11 + WOLFPKCS11_USER_SETTINGS WOLFSSL_PKCS11_RW_TOKENS WP11_HASH_PIN_COST=3) list(APPEND WOLFBOOT_DEFS "CK_CALLABLE=__attribute__\\(\\(cmse_nonsecure_entry\\)\\)") diff --git a/hal/sim.c b/hal/sim.c index 58eb743f6f..74372e760f 100644 --- a/hal/sim.c +++ b/hal/sim.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -87,6 +88,18 @@ uint32_t hal_sim_get_dualbank_state(void); char **main_argv; int main_argc; +static int sim_memfd_create(const char *name, unsigned int flags) +{ +#if defined(__linux__) && defined(SYS_memfd_create) + return (int)syscall(SYS_memfd_create, name, flags); +#else + (void)name; + (void)flags; + errno = ENOSYS; + return -1; +#endif +} + #ifdef WOLFBOOT_ENABLE_WOLFHSM_CLIENT /* Client configuration/contexts */ @@ -558,7 +571,7 @@ void do_boot(const uint32_t *app_offset) exit(0); #else char *envp[1] = {NULL}; - int fd = memfd_create("test_app", 0); + int fd = sim_memfd_create("test_app", 0); size_t wret; if (fd == -1) { wolfBoot_printf( "memfd error\n"); diff --git a/include/user_settings.h b/include/user_settings.h index a513b9e93e..52cc16d487 100644 --- a/include/user_settings.h +++ b/include/user_settings.h 
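Review bot: `sim_memfd_create()` in hal/sim.c silently compiles to the `ENOSYS` stub whenever `SYS_memfd_create` is not visible at that point, and the caller in `do_boot()` only prints `"memfd error\n"`, so a build that lost the syscall number looks the same at run time as a kernel refusing the call. The text of the added `#include` is not visible here, so it is worth confirming that the headers supplying `SYS_memfd_create` and `errno` are both present on the Linux path. I would document the wrapper with a comment such as `/* memfd_create() through the raw syscall; returns -1 with errno = ENOSYS where it is unavailable */` and report the cause in the later `do_boot()` hunk, e.g. `wolfBoot_printf("memfd error: %d\n", errno);`. `do_boot()` starts and ends outside that hunk.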
@@ -367,7 +367,9 @@ extern int tolower(int c); # define HAVE_PBKDF2 # define WOLFPKCS11_CUSTOM_STORE # define WOLFBOOT_SECURE_PKCS11 -# define WOLFPKCS11_USER_SETTINGS +# ifndef WOLFPKCS11_USER_SETTINGS +# define WOLFPKCS11_USER_SETTINGS +# endif # define WOLFPKCS11_NO_TIME #ifndef WOLFSSL_AES_COUNTER # define WOLFSSL_AES_COUNTER diff --git a/lib/wolfPKCS11 b/lib/wolfPKCS11 index 52be35889a..a1c62599d2 160000 --- a/lib/wolfPKCS11 +++ b/lib/wolfPKCS11 @@ -1 +1 @@ -Subproject commit 52be35889a76ecf208ea6049c04ea8a0a3ce2ae6 +Subproject commit a1c62599d24f40cbdb3e90bf4ef00023be3b4fe9 diff --git a/lib/wolfPSA b/lib/wolfPSA index ac6a40411a..bb36f76632 160000 --- a/lib/wolfPSA +++ b/lib/wolfPSA @@ -1 +1 @@ -Subproject commit ac6a40411a2d2e47bb22ddc687df148d2d2f2192 +Subproject commit bb36f766321230c516af1b50e3264ed290fe5955 diff --git a/lib/wolfTPM b/lib/wolfTPM index 6d5df60e24..9613068816 160000 --- a/lib/wolfTPM +++ b/lib/wolfTPM @@ -1 +1 @@ -Subproject commit 6d5df60e2416a88cdd5dbad1967169aa2a9e6f7a +Subproject commit 9613068816f28ea28e6b974e636b88b9b06a5266 diff --git a/lib/wolfssl b/lib/wolfssl index 8741805e9d..63f6f0511b 160000 --- a/lib/wolfssl +++ b/lib/wolfssl @@ -1 +1 @@ -Subproject commit 8741805e9d1fd9c3014b5b774ad09a77ccb5b0dc +Subproject commit 63f6f0511b76c78f4266d5bee3114506d890cfcc diff --git a/options.mk b/options.mk index 814e1d9987..53ad4977d5 100644 --- a/options.mk +++ b/options.mk @@ -791,6 +791,7 @@ endif ifeq ($(WOLFCRYPT_TZ_PKCS11),1) CFLAGS+=-DSECURE_PKCS11 + CFLAGS+=-DWOLFPKCS11_USER_SETTINGS CFLAGS+=-DWOLFSSL_PKCS11_RW_TOKENS CFLAGS+=-DCK_CALLABLE="__attribute__((cmse_nonsecure_entry))" CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11) @@ -899,7 +900,6 @@ ifeq ($(WOLFTPM),1) CFLAGS+=-I$(WOLFBOOT_LIB_WOLFTPM) CFLAGS+=-D"WOLFBOOT_TPM" CFLAGS+=-D"WOLFTPM_SMALL_STACK" - CFLAGS+=-D"WOLFTPM_AUTODETECT" ifneq ($(SPI_FLASH),1) # don't use spi if we're using simulator ifeq ($(TARGET),sim) 
@@ -915,6 +915,7 @@ ifeq ($(WOLFTPM),1) OBJS+=$(WOLFBOOT_LIB_WOLFTPM)/hal/tpm_io_mmio.o # By default, on other architectures, provide SPI driver else + CFLAGS+=-D"WOLFTPM_AUTODETECT" WOLFCRYPT_OBJS+=hal/spi/spi_drv_$(SPI_TARGET).o endif endif diff --git a/test-app/CMakeLists.txt b/test-app/CMakeLists.txt index a24104365b..228e84d6a0 100644 --- a/test-app/CMakeLists.txt +++ b/test-app/CMakeLists.txt @@ -205,7 +205,7 @@ if(BUILD_TEST_APPS) endif() if(WOLFCRYPT_TZ_PKCS11) - list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11) + list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11 WOLFPKCS11_USER_SETTINGS) set(WOLFSSL_PKCS11_SOURCES wcs/pkcs11_stub.c wcs/pkcs11_test_ecc.c diff --git a/tools/scripts/sim-sunnyday-update.sh b/tools/scripts/sim-sunnyday-update.sh index 53036d01b4..40a96d9da0 100755 --- a/tools/scripts/sim-sunnyday-update.sh +++ b/tools/scripts/sim-sunnyday-update.sh @@ -14,5 +14,3 @@ fi echo Test successful. exit 0 - - diff --git a/tools/unit-tests/Makefile b/tools/unit-tests/Makefile index 8a889a8393..667820d9f1 100644 --- a/tools/unit-tests/Makefile +++ b/tools/unit-tests/Makefile 
@@ -87,7 +87,7 @@ unit-enc-nvm-flagshome:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS \ -DEXT_ENCRYPTED -DENCRYPT_WITH_CHACHA -DEXT_FLASH -DHAVE_CHACHA -DFLAGS_HOME unit-enc-nvm-flagshome:WOLFCRYPT_SRC+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/chacha.c unit-delta:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS -DDELTA_UPDATES -DDELTA_BLOCK_SIZE=512 -unit-pkcs11_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DSECURE_PKCS11 +unit-pkcs11_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DSECURE_PKCS11 -DWOLFPKCS11_USER_SETTINGS unit-psa_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPSA) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DWOLFCRYPT_TZ_PSA unit-update-flash:CFLAGS+=-DMOCK_PARTITIONS -DWOLFBOOT_NO_SIGN -DUNIT_TEST_AUTH \ -DWOLFBOOT_HASH_SHA256 -DPRINTF_ENABLED -DEXT_FLASH -DPART_UPDATE_EXT -DPART_SWAP_EXT From 9fbbdb657a91a5ae72dbef629888465e07a42727 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Thu, 19 Mar 2026 17:45:38 +0100 Subject: [PATCH 2/6] Update size checks --- tools/test.mk | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tools/test.mk b/tools/test.mk index 7ebf13e41f..f61941b742 100644 --- a/tools/test.mk +++ b/tools/test.mk @@ -1144,13 +1144,13 @@ test-all: clean test-size-all: - make test-size SIGN=NONE LIMIT=5060 NO_ARM_ASM=1 + make test-size SIGN=NONE LIMIT=5066 NO_ARM_ASM=1 make keysclean - make test-size SIGN=ED25519 LIMIT=11778 NO_ARM_ASM=1 + make test-size SIGN=ED25519 LIMIT=11818 NO_ARM_ASM=1 make keysclean make test-size SIGN=ECC256 LIMIT=18944 NO_ARM_ASM=1 make clean - make test-size SIGN=ECC256 NO_ASM=1 LIMIT=13894 NO_ARM_ASM=1 + make test-size SIGN=ECC256 NO_ASM=1 LIMIT=13914 NO_ARM_ASM=1 make keysclean make test-size SIGN=RSA2048 LIMIT=11916 NO_ARM_ASM=1 make clean 
@@ -1162,9 +1162,9 @@ test-size-all: make keysclean make test-size SIGN=ECC384 LIMIT=19888 NO_ARM_ASM=1 make clean - make test-size SIGN=ECC384 NO_ASM=1 LIMIT=15270 NO_ARM_ASM=1 + make test-size SIGN=ECC384 NO_ASM=1 LIMIT=15290 NO_ARM_ASM=1 make keysclean - make test-size SIGN=ED448 LIMIT=13846 NO_ARM_ASM=1 + make test-size SIGN=ED448 LIMIT=13862 NO_ARM_ASM=1 make keysclean make test-size SIGN=RSA3072 LIMIT=12056 NO_ARM_ASM=1 make clean @@ -1172,12 +1172,12 @@ test-size-all: make keysclean make test-size SIGN=LMS LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 \ WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2644 \ - IMAGE_HEADER_SIZE?=5288 LIMIT=7782 NO_ARM_ASM=1 + IMAGE_HEADER_SIZE?=5288 LIMIT=7798 NO_ARM_ASM=1 make keysclean make test-size SIGN=XMSS XMSS_PARAMS='XMSS-SHA2_10_256' \ IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE?=4096 \ - LIMIT=8638 NO_ARM_ASM=1 + LIMIT=8658 NO_ARM_ASM=1 make keysclean make clean - make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=19392 \ + make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=19400 \ IMAGE_SIGNATURE_SIZE=2420 IMAGE_HEADER_SIZE?=8192 From cd2ea0ff0826909418c98d447b5d5b8c011094c6 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Thu, 19 Mar 2026 18:10:29 +0100 Subject: [PATCH 3/6] Update wolfTPM with fix --- lib/wolfTPM | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/wolfTPM b/lib/wolfTPM index 9613068816..12d0521977 160000 --- a/lib/wolfTPM +++ b/lib/wolfTPM @@ -1 +1 @@ -Subproject commit 9613068816f28ea28e6b974e636b88b9b06a5266 +Subproject commit 12d0521977032412f6eec5dc91b4e12477d2d7af From d2e211066b784fc292853e683fcaf4c8d6fa3b8d Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Thu, 19 Mar 2026 18:23:05 +0100 Subject: [PATCH 4/6] Remove TPM AUTODETECT also from SPI builds --- options.mk | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/options.mk b/options.mk index 53ad4977d5..54bd364f84 100644 --- a/options.mk +++ b/options.mk 
@@ -910,12 +910,11 @@ ifeq ($(WOLFTPM),1) OBJS+=$(WOLFBOOT_LIB_WOLFTPM)/src/tpm2_swtpm.o else # Use memory-mapped WOLFTPM on x86-64 - ifeq ($(ARCH),x86_64) + ifeq ($(ARCH),x86_64) CFLAGS+=-DWOLFTPM_MMIO -DWOLFTPM_EXAMPLE_HAL -DWOLFTPM_INCLUDE_IO_FILE OBJS+=$(WOLFBOOT_LIB_WOLFTPM)/hal/tpm_io_mmio.o # By default, on other architectures, provide SPI driver else - CFLAGS+=-D"WOLFTPM_AUTODETECT" WOLFCRYPT_OBJS+=hal/spi/spi_drv_$(SPI_TARGET).o endif endif From c5dfe4c43b6c2f4b7b5ef80a472885640088ba0e Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Thu, 19 Mar 2026 18:57:27 +0100 Subject: [PATCH 5/6] Fix CI false positive Stack usage warnings with wolfTPM --- options.mk | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/options.mk b/options.mk index 54bd364f84..ff8df2c4ad 100644 --- a/options.mk +++ b/options.mk @@ -131,6 +131,10 @@ ifeq ($(WOLFBOOT_SMALL_STACK),1) OBJS+=./src/xmalloc.o endif +# GCC 13 overestimates some wolfTPM wrapper stack usage; keep TPM +# limits above 10 KB to avoid false -Wstack-usage failures. +STACK_USAGE_WOLFTPM=10680 + ECC_OBJS= \ $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/ecc.o @@ -192,7 +196,7 @@ ifeq ($(SIGN),ECC256) STACK_USAGE=4096 else ifeq ($(WOLFTPM),1) - STACK_USAGE=7616 + STACK_USAGE=$(STACK_USAGE_WOLFTPM) else ifneq ($(SPMATH),1) STACK_USAGE=5264 @@ -216,7 +220,7 @@ ifeq ($(SIGN),ECC384) STACK_USAGE=5880 else ifeq ($(WOLFTPM),1) - STACK_USAGE=6680 + STACK_USAGE=$(STACK_USAGE_WOLFTPM) else ifneq ($(SPMATH),1) STACK_USAGE=11248 @@ -240,7 +244,7 @@ ifeq ($(SIGN),ECC521) STACK_USAGE=4096 else ifeq ($(WOLFTPM),1) - STACK_USAGE=6680 + STACK_USAGE=$(STACK_USAGE_WOLFTPM) else ifneq ($(SPMATH),1) STACK_USAGE=11256 @@ -261,7 +265,7 @@ ifeq ($(SIGN),ED25519) WOLFCRYPT_OBJS+=$(ED25519_OBJS) CFLAGS+=-D"WOLFBOOT_SIGN_ED25519" ifeq ($(WOLFTPM),1) - STACK_USAGE=6680 + STACK_USAGE=$(STACK_USAGE_WOLFTPM) else STACK_USAGE?=5000 endif 
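Review bot: Dropping `WOLFTPM_AUTODETECT` from the SPI `else` branch in options.mk leaves no visible define that selects the TPM module for builds that are neither the simulator nor x86_64, and neither the hunk nor the commit message says what wolfTPM falls back to. If the updated submodule now assumes one fixed part, boards with a different TPM would presumably need an explicit module define. A comment on that branch would make the expectation visible, e.g. `# WOLFTPM_AUTODETECT intentionally not set: the TPM module must be selected explicitly in the target config`. The whitespace-only change on the `ifeq ($(ARCH),x86_64)` line is unrelated noise in this commit, and the enclosing `ifeq ($(WOLFTPM),1)` block starts outside the hunk.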
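Review bot: Pointing every TPM configuration at `STACK_USAGE_WOLFTPM=10680` also raises the `-Wstack-usage` ceiling for the smaller configurations: ECC256 goes up from 7616, ECC384/ECC521/ED25519/ED448 from 6680 and RSA2048/RSA3072 from 9096. Genuine stack growth of up to about 4 KB in those builds would therefore no longer fail the check. This applies to the first hunk of the commit, which introduces the variable, and to each later hunk that substitutes it in the ECC, ED and RSA blocks. If the overestimate is specific to GCC 13, as the added comment says, consider keeping the per-algorithm limits and applying the larger value only for that compiler. At minimum, make the default overridable with `STACK_USAGE_WOLFTPM?=10680` and name in the comment the wolfTPM wrappers that trigger the warning.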
@@ -275,7 +279,7 @@ ifeq ($(SIGN),ED448) SIGN_OPTIONS+=--ed448 WOLFCRYPT_OBJS+= $(ED448_OBJS) ifeq ($(WOLFTPM),1) - STACK_USAGE=6680 + STACK_USAGE=$(STACK_USAGE_WOLFTPM) else ifeq ($(WOLFBOOT_SMALL_STACK),1) STACK_USAGE?=1024 @@ -313,7 +317,7 @@ ifneq ($(findstring RSA2048,$(SIGN)),) endif else ifeq ($(WOLFTPM),1) - STACK_USAGE=9096 + STACK_USAGE=$(STACK_USAGE_WOLFTPM) else ifneq ($(SPMATH),1) STACK_USAGE=35952 @@ -346,7 +350,7 @@ ifneq ($(findstring RSA3072,$(SIGN)),) endif else ifeq ($(WOLFTPM),1) - STACK_USAGE=9096 + STACK_USAGE=$(STACK_USAGE_WOLFTPM) else ifneq ($(SPMATH),1) STACK_USAGE=52592 @@ -383,7 +387,7 @@ ifneq ($(findstring RSA4096,$(SIGN)),) endif else ifeq ($(WOLFTPM),1) - STACK_USAGE=10680 + STACK_USAGE=$(STACK_USAGE_WOLFTPM) else ifneq ($(SPMATH),1) STACK_USAGE=69232 From 16dadd6bc09f39ba914e08f18ccd337d44ba81f2 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Fri, 20 Mar 2026 14:57:15 +0100 Subject: [PATCH 6/6] Up to latest wolfTPM --- lib/wolfTPM | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/wolfTPM b/lib/wolfTPM index 12d0521977..d1756f96c2 160000 --- a/lib/wolfTPM +++ b/lib/wolfTPM @@ -1 +1 @@ -Subproject commit 12d0521977032412f6eec5dc91b4e12477d2d7af +Subproject commit d1756f96c2da425b56cbfac164c7226fb8d00e52