From 11b4d49e875bb7680b662ad55ce5adc020ff4c22 Mon Sep 17 00:00:00 2001 From: Paul Adelsbach Date: Sun, 22 Mar 2026 21:43:49 -0700 Subject: [PATCH] Update wolfHSM pointer, fix minor issues --- arch.mk | 15 ++++++++-- .../sim-wolfHSM-client-certchain-ecc.config | 6 ++-- ...im-wolfHSM-client-certchain-rsa4096.config | 6 ++-- config/examples/sim-wolfHSM-client-ecc.config | 6 ++-- .../examples/sim-wolfHSM-client-mldsa.config | 6 ++-- hal/sim.c | 4 +-- include/user_settings.h | 16 +++++++---- lib/wolfHSM | 2 +- src/image.c | 7 +++-- src/multiboot.c | 5 ++++ src/xmalloc.c | 28 +++++++++++++++++++ test-app/Makefile | 5 ++++ tools/keytools/sign.c | 5 ++-- 13 files changed, 82 insertions(+), 29 deletions(-) diff --git a/arch.mk b/arch.mk index 9f59e43e5e..74663afa57 100644 --- a/arch.mk +++ b/arch.mk @@ -49,6 +49,8 @@ ifeq ($(ARCH),x86_64) endif else MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_x86_64.o + MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_x86_64_asm.o + WOLFCRYPT_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/cpuid.o endif endif ifeq ($(TARGET),x86_64_efi) @@ -1474,8 +1476,17 @@ ifeq ($(ARCH),sim) LDFLAGS+=-m32 endif ifeq ($(SPMATH),1) - MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o - CFLAGS+=-DWOLFSSL_SP_DIV_WORD_HALF + ifeq ($(FORCE_32BIT),1) + MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o + CFLAGS+=-DWOLFSSL_SP_DIV_WORD_HALF + else ifeq ($(shell uname -m),aarch64) + CFLAGS += -DARCH_AARCH64 -DFAST_MEMCPY + MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o + MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_arm64.o + else + MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o + CFLAGS+=-DWOLFSSL_SP_DIV_WORD_HALF + endif endif ifeq ($(WOLFHSM_CLIENT),1) WOLFHSM_OBJS += $(WOLFBOOT_LIB_WOLFHSM)/port/posix/posix_transport_tcp.o diff --git a/config/examples/sim-wolfHSM-client-certchain-ecc.config b/config/examples/sim-wolfHSM-client-certchain-ecc.config index 818fb8136b..199a420987 100644 --- a/config/examples/sim-wolfHSM-client-certchain-ecc.config +++ b/config/examples/sim-wolfHSM-client-certchain-ecc.config @@ -19,14 +19,14 @@ WOLFHSM_CLIENT=1 # sizes should be multiple of system page size #WOLFBOOT_PARTITION_SIZE=0x40000 -WOLFBOOT_PARTITION_SIZE=0x100000 +WOLFBOOT_PARTITION_SIZE=0x200000 WOLFBOOT_SECTOR_SIZE=0x1000 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000 # if on external flash, it should be multiple of system page size #WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x100000 #WOLFBOOT_PARTITION_SWAP_ADDRESS=0x180000 -WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x180000 -WOLFBOOT_PARTITION_SWAP_ADDRESS=0x280000 +WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000 +WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000 # required for keytools WOLFBOOT_FIXED_PARTITIONS=1 diff --git a/config/examples/sim-wolfHSM-client-certchain-rsa4096.config b/config/examples/sim-wolfHSM-client-certchain-rsa4096.config index 9e837ce2de..774c795704 100644 --- a/config/examples/sim-wolfHSM-client-certchain-rsa4096.config +++ b/config/examples/sim-wolfHSM-client-certchain-rsa4096.config @@ -19,14 +19,14 @@ WOLFHSM_CLIENT=1 # sizes should be multiple of system page size #WOLFBOOT_PARTITION_SIZE=0x40000 -WOLFBOOT_PARTITION_SIZE=0x100000 +WOLFBOOT_PARTITION_SIZE=0x200000 WOLFBOOT_SECTOR_SIZE=0x1000 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000 # if on external flash, it should be multiple of system page size #WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x100000 #WOLFBOOT_PARTITION_SWAP_ADDRESS=0x180000 -WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x180000 -WOLFBOOT_PARTITION_SWAP_ADDRESS=0x280000 +WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000 +WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000 # required for keytools WOLFBOOT_FIXED_PARTITIONS=1 diff --git a/config/examples/sim-wolfHSM-client-ecc.config b/config/examples/sim-wolfHSM-client-ecc.config index a13f407966..ab92342ac5 100644 --- a/config/examples/sim-wolfHSM-client-ecc.config +++ b/config/examples/sim-wolfHSM-client-ecc.config @@ -8,12 +8,12 @@ DEBUG=0 SPMATH=1 # sizes should be multiple of system page size -WOLFBOOT_PARTITION_SIZE=0x100000 +WOLFBOOT_PARTITION_SIZE=0x200000 WOLFBOOT_SECTOR_SIZE=0x1000 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000 # if on external flash, it should be multiple of system page size -WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x180000 -WOLFBOOT_PARTITION_SWAP_ADDRESS=0x280000 +WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000 +WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000 # required for keytools WOLFBOOT_FIXED_PARTITIONS=1 diff --git a/config/examples/sim-wolfHSM-client-mldsa.config b/config/examples/sim-wolfHSM-client-mldsa.config index 581a067f7c..17627f3d05 100644 --- a/config/examples/sim-wolfHSM-client-mldsa.config +++ b/config/examples/sim-wolfHSM-client-mldsa.config @@ -29,12 +29,12 @@ IMAGE_HEADER_SIZE=8192 # # sizes should be multiple of system page size -WOLFBOOT_PARTITION_SIZE=0x100000 +WOLFBOOT_PARTITION_SIZE=0x200000 WOLFBOOT_SECTOR_SIZE=0x2000 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000 # if on external flash, it should be multiple of system page size -WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x180000 -WOLFBOOT_PARTITION_SWAP_ADDRESS=0x280000 +WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000 +WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000 # required for keytools WOLFBOOT_FIXED_PARTITIONS=1 diff --git a/hal/sim.c b/hal/sim.c index 74372e760f..18e7e827f9 100644 --- a/hal/sim.c +++ b/hal/sim.c @@ -183,9 +183,7 @@ whCommServerConfig cs_conf[1] = {{ }}; /* Crypto context */ -whServerCryptoContext crypto[1] = {{ - .devId = INVALID_DEVID, -}}; +whServerCryptoContext crypto[1] = {0}; #if defined(WOLFHSM_CFG_SHE_EXTENSION) whServerSheContext she[1] = {{0}}; diff --git a/include/user_settings.h b/include/user_settings.h index 52cc16d487..c681839c07 100644 --- a/include/user_settings.h +++ b/include/user_settings.h @@ -77,8 +77,10 @@ extern int tolower(int c); #if defined(WOLFBOOT_SIGN_ED25519) || defined(WOLFBOOT_SIGN_SECONDARY_ED25519) # define HAVE_ED25519 # define ED25519_SMALL -# define NO_ED25519_SIGN -# define NO_ED25519_EXPORT +# if !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) +# define NO_ED25519_SIGN +# define NO_ED25519_EXPORT +# endif # define USE_SLOW_SHA512 # define WOLFSSL_SHA512 #endif @@ -88,8 +90,10 @@ extern int tolower(int c); # define HAVE_ED448 # define HAVE_ED448_VERIFY # define ED448_SMALL -# define NO_ED448_SIGN -# define NO_ED448_EXPORT +# if !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) +# define NO_ED448_SIGN +# define NO_ED448_EXPORT +# endif # define WOLFSSL_SHA3 # define WOLFSSL_SHAKE256 # define WOLFSSL_SHA512 @@ -146,7 +150,6 @@ extern int tolower(int c); #endif # define WOLFSSL_SP_MATH # define WOLFSSL_SP_SMALL -# define SP_WORD_SIZE 32 # define WOLFSSL_HAVE_SP_ECC # define WOLFSSL_KEY_GEN # define HAVE_ECC_KEY_EXPORT @@ -343,8 +346,9 @@ extern int tolower(int c); # define HAVE___UINT128_T # define SP_WORD_SIZE 64 # elif defined(ARCH_x86_64) && !defined(FORCE_32BIT) +# define HAVE___UINT128_T # define SP_WORD_SIZE 64 -# ifndef NO_ASM +# if !defined(NO_ASM) # define WOLFSSL_SP_X86_64_ASM # endif # else diff --git a/lib/wolfHSM b/lib/wolfHSM index 1e47a7ead2..977bf187e7 160000 --- a/lib/wolfHSM +++ b/lib/wolfHSM @@ -1 +1 @@ -Subproject commit 1e47a7ead2758f4e5138fcc704a42b62b1c6b62a +Subproject commit 977bf187e7a57a184493dcd216eb9a328f381865 diff --git a/src/image.c b/src/image.c index 6d87db1616..d5ff5f3e1a 100644 --- a/src/image.c +++ b/src/image.c @@ -816,9 +816,10 @@ static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot, ML_DSA_LEVEL); /* Finally verify signature. */ - ret = wc_MlDsaKey_Verify(&ml_dsa, sig, ML_DSA_IMAGE_SIGNATURE_SIZE, - img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, - &verify_res); + ret = wc_MlDsaKey_VerifyCtx(&ml_dsa, sig, ML_DSA_IMAGE_SIGNATURE_SIZE, + NULL, 0, + img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE, + &verify_res); #ifdef WOLFBOOT_ARMORED if (ret == 0) { diff --git a/src/multiboot.c b/src/multiboot.c index d0b5894498..73d1b9c93d 100644 --- a/src/multiboot.c +++ b/src/multiboot.c @@ -379,6 +379,7 @@ uint8_t *mb2_find_header(uint8_t *image, int size) void mb2_jump(uintptr_t entry, uint32_t mb2_boot_info) { +#if defined(__x86_64__) || defined(__i386__) __asm__( "mov $0x36d76289, %%eax\r\n" "mov %0, %%ebx\r\n" @@ -386,6 +387,10 @@ void mb2_jump(uintptr_t entry, uint32_t mb2_boot_info) : : "g"(mb2_boot_info), "g"(entry) : "eax", "ebx"); +#else + (void)entry; + (void)mb2_boot_info; +#endif } #endif /* WOLFBOOT_MULTIBOOT2 */ diff --git a/src/xmalloc.c b/src/xmalloc.c index 95e53633a6..69962d6aec 100644 --- a/src/xmalloc.c +++ b/src/xmalloc.c @@ -75,6 +75,12 @@ struct xmalloc_slot { #define MP_POINT_SIZE (196) #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 8) #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 8 * 6) + #elif SP_WORD_SIZE == 64 + #define MP_POINT_SIZE (200) + #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 4) + #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (2 * 4 * 6)) + #define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 4 * 6)) + #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 2 * 8) #else #define MP_POINT_SIZE (220) #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 9) @@ -91,6 +97,12 @@ struct xmalloc_slot { #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 12) #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 12 * 6) #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 12) + #elif SP_WORD_SIZE == 64 + #define MP_POINT_SIZE (344) + #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 7) + #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (2 * 7 * 6)) + #define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 7 * 6)) + #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 2 * 12) #else #define MP_POINT_SIZE (364) #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 15) @@ -107,6 +119,12 @@ struct xmalloc_slot { #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 17) #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 17 * 6) #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 12) + #elif SP_WORD_SIZE == 64 + #define MP_POINT_SIZE (440) + #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 9) + #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (2 * 9 * 6)) + #define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 9 * 6)) + #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 2 * 12) #else #define MP_POINT_SIZE (508) #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 21) @@ -129,7 +147,13 @@ struct xmalloc_slot { #endif static uint8_t mp_points_0[MP_POINT_SIZE * 2]; static uint8_t mp_points_1[MP_POINT_SIZE * 3]; + /* x86_64 SP always uses win_add_sub with 33+2 precomputed points, + * even when WOLFSSL_SP_SMALL is defined */ + #if SP_WORD_SIZE == 64 + static uint8_t mp_points_2[MP_POINT_SIZE * (33 + 2)]; + #else static uint8_t mp_points_2[MP_POINT_SIZE * (16 + 1)]; + #endif static uint8_t mp_digits_buffer_0[MP_DIGITS_BUFFER_SIZE_0]; static uint8_t mp_digits_buffer_1[MP_DIGITS_BUFFER_SIZE_1]; #if !defined(WOLFSSL_SP_ARM_CORTEX_M_ASM) && (defined(WOLFBOOT_SIGN_ECC256) || defined(WOLFBOOT_SIGN_ECC384) || defined(WOLFBOOT_SIGN_ECC521)) @@ -234,7 +258,11 @@ static struct xmalloc_slot xmalloc_pool[] = { { (uint8_t *)mp_digits_buffer_2, MP_DIGITS_BUFFER_SIZE_2, 0 }, { (uint8_t *)mp_montgomery, MP_MONTGOMERY_SIZE, 0 }, #endif + #if SP_WORD_SIZE == 64 + { (uint8_t *)mp_points_2, MP_POINT_SIZE * (33 + 2), 0 }, + #else { (uint8_t *)mp_points_2, MP_POINT_SIZE * (16 + 1), 0 }, + #endif { (uint8_t *)mp_digits_buffer_0, MP_DIGITS_BUFFER_SIZE_0, 0}, { (uint8_t *)mp_digits_buffer_1, MP_DIGITS_BUFFER_SIZE_1, 0}, #ifndef WC_NO_CACHE_RESISTANT diff --git a/test-app/Makefile b/test-app/Makefile index 29fa30eb76..23fcb607ee 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -970,6 +970,11 @@ $(WOLFSSL_LOCAL_OBJDIR)/%.o: %.c $(Q)mkdir -p $(dir $@) $(Q)$(CC) $(WOLFSSL_CFLAGS) -c $(OUTPUT_FLAG) $@ $< +$(WOLFSSL_LOCAL_OBJDIR)/%.o: %.S + @echo "\t[AS-$(ARCH)] $@" + $(Q)mkdir -p $(dir $@) + $(Q)$(CC) $(WOLFSSL_CFLAGS) -c $(OUTPUT_FLAG) $@ $< + clean: $(Q)rm -f *.bin *.elf tags *.o $(LSCRIPT) $(APP_OBJS) wcs/*.o $(Q)rm -rf $(WOLFSSL_LOCAL_OBJDIR) diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index b0d4778a07..5109c9d9a2 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -1088,8 +1088,9 @@ static int sign_digest(int sign, int hash_algo, if (sign == SIGN_ML_DSA) { /* Nothing else to do, ready to sign. */ if (ret == 0) { - ret = wc_MlDsaKey_Sign(&key.ml_dsa, signature, signature_sz, - digest, digest_sz, &rng); + ret = wc_MlDsaKey_SignCtx(&key.ml_dsa, NULL, 0, + signature, signature_sz, + digest, digest_sz, &rng); } if (ret != 0) { fprintf(stderr, "error signing with ML-DSA: %d\n", ret);