From f57a42118292df3db425a1f3ebdae3188fad14a5 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Mon, 15 Jun 2026 12:16:51 -0600 Subject: [PATCH 1/9] remove erroneous keystore lookup for wolfHSM server --- src/image.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/image.c b/src/image.c index 3bedbef9ea..314b8c3826 100644 --- a/src/image.c +++ b/src/image.c @@ -2271,6 +2271,11 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img) defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) /* Don't care about the key slot, we are using a fixed wolfHSM keyId */ key_slot = 0; +#elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \ + defined(WOLFBOOT_CERT_CHAIN_VERIFY) + /* Don't care about the key slot, we are using the public key from the + * leaf cert */ + key_slot = 0; #else key_slot = keyslot_id_by_sha(pubkey_hint); if (key_slot < 0) { From e0e08a7dd2da2c01747628de55bec48f2f962c11 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Mon, 15 Jun 2026 13:48:28 -0600 Subject: [PATCH 2/9] add no keystore option --- Makefile | 15 ++++++++++++++- options.mk | 14 +++++++------- src/image.c | 21 ++++++++++++++++----- 3 files changed, 37 insertions(+), 13 deletions(-) diff --git a/Makefile b/Makefile index 7a7006b38e..3fe8cf02d2 100644 --- a/Makefile +++ b/Makefile @@ -119,6 +119,17 @@ ifneq ($(USER_NVM_INIT),) NVM_CONFIG:=$(USER_NVM_INIT) endif +# Eliminates compilation and linkage of the built-in wolfBoot keystore +WOLFHSM_NO_KEYSTORE := +ifeq ($(WOLFHSM_CLIENT),1) + WOLFHSM_NO_KEYSTORE := 1 +endif +ifeq ($(WOLFHSM_SERVER),1) + ifneq ($(CERT_CHAIN_VERIFY),) + WOLFHSM_NO_KEYSTORE := 1 + endif +endif + ifeq ($(SIGN),NONE) PRIVATE_KEY= else @@ -139,6 +150,8 @@ else endif ifeq ($(FLASH_OTP_KEYSTORE),1) OBJS+=./src/flash_otp_keystore.o + else ifeq ($(WOLFHSM_NO_KEYSTORE),1) + CFLAGS+=-DWOLFBOOT_NO_KEYSTORE else OBJS+=./src/keystore.o endif @@ -548,7 +561,7 @@ wolfboot_stage1.bin: wolfboot.elf stage1/loader_stage1.bin $(Q) cp stage1/loader_stage1.bin wolfboot_stage1.bin wolfboot.elf: include/target.h $(LSCRIPT) $(OBJS) $(BINASSEMBLE) FORCE - $(Q)(test $(SIGN) = NONE) || (test $(FLASH_OTP_KEYSTORE) = 1) || (grep -q $(SIGN_ALG) src/keystore.c) || \ + $(Q)(test $(SIGN) = NONE) || (test $(FLASH_OTP_KEYSTORE) = 1) || (test "$(WOLFHSM_NO_KEYSTORE)" = "1") || (grep -q $(SIGN_ALG) src/keystore.c) || \ (echo "Key mismatch: please run 'make keysclean' to remove all keys if you want to change algorithm" && false) @echo "\t[LD] $@" @echo $(OBJS) diff --git a/options.mk b/options.mk index 37f676d797..81ea8f0335 100644 --- a/options.mk +++ b/options.mk @@ -1390,13 +1390,13 @@ ifeq ($(WOLFHSM_CLIENT),1) # HSM out-of-band KEYGEN_OPTIONS += --exportpubkey --der - # Default to using public keys on the HSM - ifneq ($(WOLFHSM_CLIENT_LOCAL_KEYS),1) - KEYGEN_OPTIONS += --nolocalkeys - CFLAGS += -DWOLFBOOT_USE_WOLFHSM_PUBKEY_ID - # big enough for cert chain - CFLAGS += -DWOLFHSM_CFG_COMM_DATA_LEN=5000 - endif + # wolfHSM clients always use HSM-resident public keys, referenced by key ID or + # authenticated via a certificate chain. Public keys baked into a local + # keystore.c are not supported. + KEYGEN_OPTIONS += --nolocalkeys + CFLAGS += -DWOLFBOOT_USE_WOLFHSM_PUBKEY_ID + # big enough for cert chain + CFLAGS += -DWOLFHSM_CFG_COMM_DATA_LEN=5000 # Ensure wolfHSM is configured to use certificate manager if we are # doing cert chain verification diff --git a/src/image.c b/src/image.c index 314b8c3826..a200973883 100644 --- a/src/image.c +++ b/src/image.c @@ -1076,7 +1076,7 @@ static int image_sha256(struct wolfBoot_image *img, uint8_t *hash) return 0; } -#ifndef WOLFBOOT_NO_SIGN +#if !defined(WOLFBOOT_NO_SIGN) && !defined(WOLFBOOT_NO_KEYSTORE) /** * @brief Calculate the SHA256 hash of the key. @@ -1187,7 +1187,7 @@ static int image_sha384(struct wolfBoot_image *img, uint8_t *hash) return 0; } -#ifndef WOLFBOOT_NO_SIGN +#if !defined(WOLFBOOT_NO_SIGN) && !defined(WOLFBOOT_NO_KEYSTORE) /** * @brief Calculate SHA-384 hash of a public key in the keystore. @@ -1303,7 +1303,7 @@ static int image_sha3_384(struct wolfBoot_image *img, uint8_t *hash) wc_Sha3_384_Free(&sha3_ctx); return 0; } -#ifndef WOLFBOOT_NO_SIGN +#if !defined(WOLFBOOT_NO_SIGN) && !defined(WOLFBOOT_NO_KEYSTORE) /** * @brief Calculate SHA3-384 hash of a public key in the keystore. @@ -2303,8 +2303,17 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img) return -1; img->sha_hash = digest; } - key_mask = keystore_get_mask(key_slot); image_part = image_type & HDR_IMG_TYPE_PART_MASK; +#ifdef WOLFBOOT_NO_KEYSTORE + /* No local keystore is linked: there is no per-key partition permission + * mask to consult. Key authorization and usage are enforced by the HSM + * (cert-chain root-of-trust plus per-key usage flags), so the wolfBoot + * keystore mask check does not apply here. */ + (void)key_slot; + (void)key_mask; + (void)image_part; +#else + key_mask = keystore_get_mask(key_slot); /* Check if the key permission mask matches the current partition id */ if (((1U << image_part) & key_mask) != (1U << image_part)) { @@ -2312,6 +2321,7 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img) } CONFIRM_MASK_VALID(image_part, key_mask); +#endif #if defined(WOLFBOOT_CERT_CHAIN_VERIFY) && \ (defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) || \ @@ -2515,7 +2525,8 @@ uint8_t* wolfBoot_peek_image(struct wolfBoot_image *img, uint32_t offset, return p; } -#if !defined(WOLFBOOT_NO_SIGN) && !defined(WOLFBOOT_RENESAS_SCEPROTECT) +#if !defined(WOLFBOOT_NO_SIGN) && !defined(WOLFBOOT_RENESAS_SCEPROTECT) && \ + !defined(WOLFBOOT_NO_KEYSTORE) /* Compare fixed-size key hints without early exit to avoid leaking hash prefix * matches through lookup timing. */ From 7195bd80086d5c554fa2bdac08bda3480ca092cc Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Mon, 15 Jun 2026 14:25:39 -0600 Subject: [PATCH 3/9] remove unnecessary wolfHSM PUBKEY_ID macro --- docs/wolfHSM.md | 10 +++------- options.mk | 1 - src/image.c | 52 ++++++++++++++++--------------------------------- 3 files changed, 20 insertions(+), 43 deletions(-) diff --git a/docs/wolfHSM.md b/docs/wolfHSM.md index 6bdc040cac..ed6f2a3997 100644 --- a/docs/wolfHSM.md +++ b/docs/wolfHSM.md @@ -74,16 +74,12 @@ This section describes the configuration options available for wolfHSM integrati This option enables wolfHSM client support in wolfBoot. Without defining this option, support for wolfHSM client mode is not compiled in. +In client mode, wolfBoot always uses HSM-resident public keys for firmware authentication; public keys are never baked into a local `keystore.c`. The key to verify against is referenced either by the reserved key ID defined in the HAL (`hsmKeyIdPubKey`), or, when certificate-chain verification (`WOLFBOOT_CERT_CHAIN_VERIFY`) is enabled, by the leaf key ID resolved from the verified chain. + ### `WOLFBOOT_ENABLE_WOLFHSM_SERVER` This option enables wolfHSM server support in wolfBoot. When defined, wolfBoot includes an embedded wolfHSM server that provides HSM functionality locally within the bootloader. This is mutually exclusive with `WOLFBOOT_ENABLE_WOLFHSM_CLIENT`. -### `WOLFBOOT_USE_WOLFHSM_PUBKEY_ID` - -This option enables use of the reserved wolfHSM public key ID for firmware authentication, and is typically the desired behavior for using wolfHSM. When this option is defined, wolfBoot will use the reserved wolfHSM keyId defined by the HAL (`hsmKeyIdPubKey`). This option is meant to be used in conjunction with the `--nolocalkeys` keygen option, as the key material in the keystore will not be used. - -If this option is not defined, cryptographic operations are still performed on the wolfHSM server, but wolfBoot assumes the key material is present in the keystore and NOT stored on the HSM. This means that wolfBoot will first load keys from the keystore, send the key material to the wolfHSM server at the time of use (cached as ephemeral keys), and finally evict the key from the HSM after usage. This behavior is typically only useful for debugging or testing scenarios, where the keys may not be pre-loaded onto the HSM. The keystore for use in this mode should not be generated with the `--nolocalkeys` option. - ## HAL Implementations In addition to the standard wolfBoot HAL functions, wolfHSM-enabled platforms must also implement or instantiate the following wolfHSM-specific items in the platform HAL: @@ -126,7 +122,7 @@ The wolfBoot simulator supports using wolfHSM with all algorithms mentioned in [ #### wolfHSM Client Mode Build -To build the simulator configured to use wolfHSM client mode, ensure you build with the `WOLFHSM_CLIENT=1` makefile option. This will automatically define `WOLFBOOT_USE_WOLFHSM_PUBKEY_ID`, and requires the public key corresponding to the private key that signed the image to be pre-loaded into the HSM at the keyId specified by `hsmKeyIdPubKey` in the simulator HAL. +To build the simulator configured to use wolfHSM client mode, ensure you build with the `WOLFHSM_CLIENT=1` makefile option. This requires the public key corresponding to the private key that signed the image to be pre-loaded into the HSM at the keyId specified by `hsmKeyIdPubKey` in the simulator HAL. ```sh # Grab the HSM client simulator configuration diff --git a/options.mk b/options.mk index 81ea8f0335..be01ab0aef 100644 --- a/options.mk +++ b/options.mk @@ -1394,7 +1394,6 @@ ifeq ($(WOLFHSM_CLIENT),1) # authenticated via a certificate chain. Public keys baked into a local # keystore.c are not supported. KEYGEN_OPTIONS += --nolocalkeys - CFLAGS += -DWOLFBOOT_USE_WOLFHSM_PUBKEY_ID # big enough for cert chain CFLAGS += -DWOLFHSM_CFG_COMM_DATA_LEN=5000 diff --git a/src/image.c b/src/image.c index a200973883..9f53839f2f 100644 --- a/src/image.c +++ b/src/image.c @@ -214,10 +214,8 @@ static void wolfBoot_verify_signature_ecc(uint8_t key_slot, int ret, verify_res = 0; ecc_key ecc; mp_int r, s; -#if (!defined WOLFBOOT_ENABLE_WOLFHSM_CLIENT && \ - !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)) || \ - (defined WOLFBOOT_ENABLE_WOLFHSM_CLIENT && \ - !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID)) +#if !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ + !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) uint8_t* pubkey = keystore_get_buffer(key_slot); int pubkey_sz = keystore_get_size(key_slot); int point_sz = pubkey_sz / 2; @@ -251,7 +249,7 @@ static void wolfBoot_verify_signature_ecc(uint8_t key_slot, uint8_t tmpSigBuf[ECC_MAX_SIG_SIZE] = {0}; size_t tmpSigSz = sizeof(tmpSigBuf); - #if defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) || \ + #if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) || \ (defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \ defined(WOLFBOOT_CERT_CHAIN_VERIFY)) (void)key_slot; @@ -281,11 +279,11 @@ static void wolfBoot_verify_signature_ecc(uint8_t key_slot, ret = wh_Client_EccSetKeyId(&ecc, hsmKeyIdPubKey); #endif } - #else + #else /* WOLFBOOT_CERT_CHAIN_VERIFY */ #if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) ret = wh_Client_EccSetKeyId(&ecc, hsmKeyIdPubKey); #endif - #endif /* WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ + #endif /* !WOLFBOOT_CERT_CHAIN_VERIFY */ if (ret != 0) { return; } @@ -299,7 +297,7 @@ static void wolfBoot_verify_signature_ecc(uint8_t key_slot, return; } - #endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ + #endif /* WOLFBOOT_ENABLE_WOLFHSM_CLIENT || (SERVER && CERT_CHAIN) */ /* wc_ecc_verify_hash_ex() doesn't trigger a crypto callback, so we need to use wc_ecc_verify_hash instead. Unfortunately, that requires converting the signature to intermediate DER format first */ @@ -436,10 +434,8 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, #endif #endif /* WOLFBOOT_SIGN_RSAPSS_ANY */ -#if (!defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ - !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)) || \ - (defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ - !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID)) +#if !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ + !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) uint8_t *pubkey = keystore_get_buffer(key_slot); int pubkey_sz = keystore_get_size(key_slot); @@ -472,7 +468,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, if (ret != 0) { return; } -#if defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) || \ +#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) || \ (defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \ defined(WOLFBOOT_CERT_CHAIN_VERIFY)) (void)key_slot; @@ -519,7 +515,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, wc_FreeRsaKey(&rsa); return; } -#endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ +#endif /* WOLFBOOT_ENABLE_WOLFHSM_CLIENT || (SERVER && CERT_CHAIN) */ XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE); #ifdef WOLFBOOT_SIGN_RSAPSS_ANY if (is_pss) { @@ -532,14 +528,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, RSA_VERIFY_FN(ret, wc_RsaSSL_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE, &digest_out, &rsa); } -#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ - !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) - /* evict the key after use, since we aren't using the RSA import API */ - if (WH_ERROR_OK != wh_Client_KeyEvict(&hsmClientCtx, hsmKeyId)) { - wc_FreeRsaKey(&rsa); - return; - } -#elif defined(WOLFBOOT_CERT_CHAIN_VERIFY) +#if defined(WOLFBOOT_CERT_CHAIN_VERIFY) if (g_leafKeyIdValid) { #if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) (void)wh_Client_KeyEvict(&hsmClientCtx, g_certLeafKeyId); @@ -548,7 +537,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot, #endif g_leafKeyIdValid = 0; } -#endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */ +#endif /* WOLFBOOT_CERT_CHAIN_VERIFY */ #else /* wolfCrypt software RSA verify */ ret = wc_InitRsaKey_ex(&rsa, NULL, WOLFBOOT_DEVID_PUBKEY); @@ -735,9 +724,7 @@ static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot, { int ret = 0; wc_MlDsaKey ml_dsa; -#if !defined WOLFBOOT_ENABLE_WOLFHSM_CLIENT || \ - (defined WOLFBOOT_ENABLE_WOLFHSM_CLIENT && \ - !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID)) +#if !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) uint8_t * pubkey = NULL; int pub_len = 0; #endif @@ -747,9 +734,7 @@ static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot, wolfBoot_printf("info: ML-DSA %d verify_signature: pubkey %d, sig %d\n", ML_DSA_LEVEL, KEYSTORE_PUBKEY_SIZE, ML_DSA_IMAGE_SIGNATURE_SIZE); -#if !defined WOLFBOOT_ENABLE_WOLFHSM_CLIENT || \ - (defined WOLFBOOT_ENABLE_WOLFHSM_CLIENT && \ - !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID)) +#if !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) pubkey = keystore_get_buffer(key_slot); if (pubkey == NULL) { @@ -774,8 +759,7 @@ static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot, } } -#if defined WOLFBOOT_ENABLE_WOLFHSM_CLIENT && \ - defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) +#if defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) /* Use key slot ID directly with wolfHSM */ #if defined(WOLFBOOT_CERT_CHAIN_VERIFY) /* If using certificate chain verification and we have a verified leaf key @@ -820,8 +804,7 @@ static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot, ret); } } -#endif /* !defined WOLFBOOT_ENABLE_WOLFHSM_CLIENT && - !defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) */ +#endif /* WOLFBOOT_ENABLE_WOLFHSM_CLIENT */ /* Make sure sig len matches parameters. */ @@ -2267,8 +2250,7 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img) } key_slot = 0; -#elif defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \ - defined(WOLFBOOT_USE_WOLFHSM_PUBKEY_ID) +#elif defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) /* Don't care about the key slot, we are using a fixed wolfHSM keyId */ key_slot = 0; #elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \ From b52dd5a1d04b7caa3942b0f344a3a4eda9ec63de Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Mon, 15 Jun 2026 17:13:11 -0600 Subject: [PATCH 4/9] make wolfHSM client ID parameterizable and settable via Makefiles --- .github/workflows/test-wolfhsm-simulator.yml | 2 +- docs/wolfHSM.md | 6 ++++-- hal/aurix_tc3xx.c | 10 +++++++++- hal/sim.c | 10 +++++++++- options.mk | 9 +++++++++ tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit | 3 +++ 6 files changed, 35 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test-wolfhsm-simulator.yml b/.github/workflows/test-wolfhsm-simulator.yml index a5646d1ac1..35e40da06e 100644 --- a/.github/workflows/test-wolfhsm-simulator.yml +++ b/.github/workflows/test-wolfhsm-simulator.yml @@ -91,7 +91,7 @@ jobs: ./Build/wh_posix_server.elf --type tcp --nvminit $tmpfile & else # --flags=0x100 sets the WH_NVM_FLAGS_USAGE_VERIFY flag - ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --flags 0x100 --key ../../../../../wolfboot_signing_private_key_pub.der & + ./Build/wh_posix_server.elf --type tcp --client 1 --id 255 --flags 0x100 --key ../../../../../wolfboot_signing_private_key_pub.der & fi TCP_SERVER_PID=$! echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV diff --git a/docs/wolfHSM.md b/docs/wolfHSM.md index ed6f2a3997..77368d773b 100644 --- a/docs/wolfHSM.md +++ b/docs/wolfHSM.md @@ -170,8 +170,10 @@ Next, in a new terminal window, run the wolfHSM POSIX TCP server, loading the pu cd lib/wolfHSM/examples/posix/tcp/wh_server_tcp make WOLFSSL_DIR=../../../../../wolfssl -# Run the server, loading the wolfBoot public key and using the client ID and keyId matching the values declared in `hal/sim.c`) -./Build/wh_server_tcp.elf --client 12 --id 255 --key ../../../../../../wolfboot_signing_private_key_pub.der & +# Run the server, loading the wolfBoot public key. The client ID (--client) must +# match WOLFHSM_CLIENT_ID from the build config (default 1) and the keyId (--id) +# must match hsmKeyIdPubKey in `hal/sim.c` (255 / 0xFF). +./Build/wh_server_tcp.elf --client 1 --id 255 --key ../../../../../../wolfboot_signing_private_key_pub.der & # The server will now be waiting for connections ``` diff --git a/hal/aurix_tc3xx.c b/hal/aurix_tc3xx.c index 71cdc89f21..6d40c525e1 100644 --- a/hal/aurix_tc3xx.c +++ b/hal/aurix_tc3xx.c @@ -95,6 +95,14 @@ static int _connectCb(void* context, whCommConnected connect); static whTransportMemClientContext tmcCtx[1] = {0}; static whTransportClientCb tmcCb[1] = {WH_TRANSPORT_MEM_CLIENT_CB}; +/* wolfHSM client ID presented to the HSM server. Defined by the build system + * (WOLFHSM_CLIENT_ID in options.mk, default 1); must match the client ID the + * keys are provisioned under in the whnvmtool config + * (tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit). */ +#ifndef WOLFBOOT_WOLFHSM_CLIENT_ID +#error "WOLFBOOT_WOLFHSM_CLIENT_ID is not defined. Set WOLFHSM_CLIENT_ID in your .config or on the make command line." +#endif + /* Globally exported HAL symbols */ whClientContext hsmClientCtx = {0}; const int hsmDevIdHash = WH_DEV_ID_DMA; @@ -768,7 +776,7 @@ int hal_hsm_init_connect(void) .transport_cb = tmcCb, .transport_context = (void*)tmcCtx, .transport_config = (void*)tmcCfg, - .client_id = 1, + .client_id = WOLFBOOT_WOLFHSM_CLIENT_ID, .connect_cb = _connectCb, }}; diff --git a/hal/sim.c b/hal/sim.c index a5d234a311..63bf96d92f 100644 --- a/hal/sim.c +++ b/hal/sim.c @@ -170,11 +170,19 @@ static posixTransportTcpConfig mytcpconfig[1] = {{ .server_port = 23456, }}; +/* wolfHSM client ID presented to the HSM server. Defined by the build system + * (WOLFHSM_CLIENT_ID in options.mk, default 1); must match the client ID the + * server provisions the wolfBoot public key under (the example POSIX server's + * '--client' argument). */ +#ifndef WOLFBOOT_WOLFHSM_CLIENT_ID +#error "WOLFBOOT_WOLFHSM_CLIENT_ID is not defined. Set WOLFHSM_CLIENT_ID in your .config or on the make command line." +#endif + static whCommClientConfig cc_conf[1] = {{ .transport_cb = pttccb, .transport_context = (void*)tcc, .transport_config = (void*)mytcpconfig, - .client_id = 12, + .client_id = WOLFBOOT_WOLFHSM_CLIENT_ID, }}; static whClientConfig c_conf[1] = {{ .comm = cc_conf, diff --git a/options.mk b/options.mk index be01ab0aef..8232b7511d 100644 --- a/options.mk +++ b/options.mk @@ -1397,6 +1397,15 @@ ifeq ($(WOLFHSM_CLIENT),1) # big enough for cert chain CFLAGS += -DWOLFHSM_CFG_COMM_DATA_LEN=5000 + # wolfHSM client ID presented to the HSM server during the connection + # handshake. Single value shared by all targets; defaults to 1. Override in the + # .config or on the make command line. This MUST match the client/user ID the + # server provisions the wolfBoot public key under -- e.g. the whnvmtool + # 'key ...' field (tools/scripts/tc3xx/*.nvminit) or the example + # POSIX server's '--client ' argument. + WOLFHSM_CLIENT_ID ?= 1 + CFLAGS += -DWOLFBOOT_WOLFHSM_CLIENT_ID=$(WOLFHSM_CLIENT_ID) + # Ensure wolfHSM is configured to use certificate manager if we are # doing cert chain verification ifneq ($(CERT_CHAIN_VERIFY),) diff --git a/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit b/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit index 8966cb739e..c3f0291d78 100644 --- a/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit +++ b/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit @@ -3,4 +3,7 @@ # Key format is: # key