wolfSSL · dgarske · Jun 18, 2026 · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026
diff --git a/.github/workflows/test-wolfhsm-simulator.yml b/.github/workflows/test-wolfhsm-simulator.yml
@@ -91,7 +91,7 @@ jobs:
             ./Build/wh_posix_server.elf --type tcp --nvminit $tmpfile &
           else
             # --flags=0x100 sets the WH_NVM_FLAGS_USAGE_VERIFY flag
-            ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --flags 0x100 --key ../../../../../wolfboot_signing_private_key_pub.der &
+            ./Build/wh_posix_server.elf --type tcp --client 1 --id 255 --flags 0x100 --key ../../../../../wolfboot_signing_private_key_pub.der &
           fi
           TCP_SERVER_PID=$!
           echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV

diff --git a/Makefile b/Makefile
@@ -119,6 +119,17 @@ ifneq ($(USER_NVM_INIT),)
   NVM_CONFIG:=$(USER_NVM_INIT)
 endif
 
+# Eliminates compilation and linkage of the built-in wolfBoot keystore
+WOLFBOOT_NO_KEYSTORE :=
+ifeq ($(WOLFHSM_CLIENT),1)
+  WOLFBOOT_NO_KEYSTORE := 1
+endif
+ifeq ($(WOLFHSM_SERVER),1)
+  ifneq ($(CERT_CHAIN_VERIFY),)
+    WOLFBOOT_NO_KEYSTORE := 1
+  endif
+endif
+
 ifeq ($(SIGN),NONE)
   PRIVATE_KEY=
 else
@@ -139,6 +150,14 @@ else
   endif
   ifeq ($(FLASH_OTP_KEYSTORE),1)
     OBJS+=./src/flash_otp_keystore.o
+  else ifeq ($(WOLFBOOT_NO_KEYSTORE),1)
+    CFLAGS+=-DWOLFBOOT_NO_KEYSTORE
+    # No built-in keystore is compiled in, but firmware images must still be
+    # signed (for test/factory builds). src/keystore.o normally triggers
+    # generation of the signing key via 'src/keystore.c: $(PRIVATE_KEY)'.
+    # Without it, tie the key to the bootloader build so the signing key is
+    # still produced before any downstream signing step runs.
+    WOLFBOOT_SIGN_KEY_DEP=$(PRIVATE_KEY)
   else
     OBJS+=./src/keystore.o
   endif
@@ -547,8 +566,8 @@ factory_wstage1.bin: $(BINASSEMBLE) stage1/loader_stage1.bin wolfboot.bin $(BOOT
 wolfboot_stage1.bin: wolfboot.elf stage1/loader_stage1.bin
 	$(Q) cp stage1/loader_stage1.bin wolfboot_stage1.bin
 
-wolfboot.elf: include/target.h $(LSCRIPT) $(OBJS) $(BINASSEMBLE) FORCE
-	$(Q)(test $(SIGN) = NONE) || (test $(FLASH_OTP_KEYSTORE) = 1) || (grep -q $(SIGN_ALG) src/keystore.c) || \
+wolfboot.elf: include/target.h $(LSCRIPT) $(OBJS) $(BINASSEMBLE) $(WOLFBOOT_SIGN_KEY_DEP) FORCE
+	$(Q)(test $(SIGN) = NONE) || (test $(FLASH_OTP_KEYSTORE) = 1) || (test "$(WOLFBOOT_NO_KEYSTORE)" = "1") || (grep -q $(SIGN_ALG) src/keystore.c) || \
 		(echo "Key mismatch: please run 'make keysclean' to remove all keys if you want to change algorithm" && false)
 	@echo "\t[LD] $@"
 	@echo $(OBJS)

diff --git a/config/examples/sim-wolfHSM-client-ecc.config b/config/examples/sim-wolfHSM-client-ecc.config
@@ -23,9 +23,5 @@ WOLFBOOT_FIXED_PARTITIONS=1
 
 WOLFHSM_CLIENT=1
 
-# Uncomment the following to use wolfHSM ephemeral keys from the keystore
-# for image auth
-#WOLFHSM_CLIENT_LOCAL_KEYS=1
-
 # Uncomment for verbose wolfHSM printf statements
 #CFLAGS_EXTRA+=-DDEBUG_CRYPTOCB -DDEBUG_CRYPTOCB_VERBOSE
diff --git a/config/examples/sim-wolfHSM-client-mldsa.config b/config/examples/sim-wolfHSM-client-mldsa.config
@@ -44,9 +44,5 @@ WOLFBOOT_FIXED_PARTITIONS=1
 
 WOLFHSM_CLIENT=1
 
-# Uncomment the following to use public wolfHSM ephemeral keys from the keystore
-# for image auth
-#WOLFHSM_CLIENT_LOCAL_KEYS=1
-
 # Uncomment for verbose wolfHSM printf statements
 #CFLAGS_EXTRA+=-DDEBUG_CRYPTOCB -DDEBUG_CRYPTOCB_VERBOSE
diff --git a/docs/wolfHSM.md b/docs/wolfHSM.md
@@ -74,16 +74,12 @@ This section describes the configuration options available for wolfHSM integrati
 
 This option enables wolfHSM client support in wolfBoot. Without defining this option, support for wolfHSM client mode is not compiled in.
 
+In client mode, wolfBoot always uses HSM-resident public keys for firmware authentication; public keys are never baked into a local `keystore.c`. The key to verify against is referenced either by the reserved key ID defined in the HAL (`hsmKeyIdPubKey`), or, when certificate-chain verification (`WOLFBOOT_CERT_CHAIN_VERIFY`) is enabled, by the leaf key ID resolved from the verified chain.
+
 ### `WOLFBOOT_ENABLE_WOLFHSM_SERVER`
 
 This option enables wolfHSM server support in wolfBoot. When defined, wolfBoot includes an embedded wolfHSM server that provides HSM functionality locally within the bootloader. This is mutually exclusive with `WOLFBOOT_ENABLE_WOLFHSM_CLIENT`.
 
-### `WOLFBOOT_USE_WOLFHSM_PUBKEY_ID`
-
-This option enables use of the reserved wolfHSM public key ID for firmware authentication, and is typically the desired behavior for using wolfHSM. When this option is defined, wolfBoot will use the reserved wolfHSM keyId defined by the HAL (`hsmKeyIdPubKey`). This option is meant to be used in conjunction with the `--nolocalkeys` keygen option, as the key material in the keystore will not be used.
-
-If this option is not defined, cryptographic operations are still performed on the wolfHSM server, but wolfBoot assumes the key material is present in the keystore and NOT stored on the HSM. This means that wolfBoot will first load keys from the keystore, send the key material to the wolfHSM server at the time of use (cached as ephemeral keys), and finally evict the key from the HSM after usage. This behavior is typically only useful for debugging or testing scenarios, where the keys may not be pre-loaded onto the HSM. The keystore for use in this mode should not be generated with the `--nolocalkeys` option.
-
 ## HAL Implementations
 
 In addition to the standard wolfBoot HAL functions, wolfHSM-enabled platforms must also implement or instantiate the following wolfHSM-specific items in the platform HAL:
@@ -126,7 +122,7 @@ The wolfBoot simulator supports using wolfHSM with all algorithms mentioned in [
 
 #### wolfHSM Client Mode Build
 
-To build the simulator configured to use wolfHSM client mode, ensure you build with the `WOLFHSM_CLIENT=1` makefile option. This will automatically define `WOLFBOOT_USE_WOLFHSM_PUBKEY_ID`, and requires the public key corresponding to the private key that signed the image to be pre-loaded into the HSM at the keyId specified by `hsmKeyIdPubKey` in the simulator HAL.
+To build the simulator configured to use wolfHSM client mode, ensure you build with the `WOLFHSM_CLIENT=1` makefile option. This requires the public key corresponding to the private key that signed the image to be pre-loaded into the HSM at the keyId specified by `hsmKeyIdPubKey` in the simulator HAL.
 
 ```sh
 # Grab the HSM client simulator configuration
@@ -174,8 +170,10 @@ Next, in a new terminal window, run the wolfHSM POSIX TCP server, loading the pu
 cd lib/wolfHSM/examples/posix/tcp/wh_server_tcp
 make WOLFSSL_DIR=../../../../../wolfssl
 
-# Run the server, loading the wolfBoot public key and using the client ID and keyId matching the values declared in `hal/sim.c`)
-./Build/wh_server_tcp.elf --client 12 --id 255 --key ../../../../../../wolfboot_signing_private_key_pub.der &
+# Run the server, loading the wolfBoot public key. The client ID (--client) must
+# match WOLFHSM_CLIENT_ID from the build config (default 1) and the keyId (--id)
+# must match hsmKeyIdPubKey in `hal/sim.c` (255 / 0xFF).
+./Build/wh_server_tcp.elf --client 1 --id 255 --key ../../../../../../wolfboot_signing_private_key_pub.der &
 
 # The server will now be waiting for connections
 ```

diff --git a/hal/aurix_tc3xx.c b/hal/aurix_tc3xx.c
@@ -95,6 +95,14 @@ static int _connectCb(void* context, whCommConnected connect);
 static whTransportMemClientContext tmcCtx[1] = {0};
 static whTransportClientCb         tmcCb[1]  = {WH_TRANSPORT_MEM_CLIENT_CB};
 
+/* wolfHSM client ID presented to the HSM server. Defined by the build system
+ * (WOLFHSM_CLIENT_ID in options.mk, default 1); must match the client ID the
+ * keys are provisioned under in the whnvmtool config
+ * (tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit). */
+#ifndef WOLFBOOT_WOLFHSM_CLIENT_ID
+#error "WOLFBOOT_WOLFHSM_CLIENT_ID is not defined. Set WOLFHSM_CLIENT_ID in your .config or on the make command line."
+#endif
+
 /* Globally exported HAL symbols */
 whClientContext hsmClientCtx = {0};
 const int       hsmDevIdHash = WH_DEV_ID_DMA;
@@ -768,7 +776,7 @@ int hal_hsm_init_connect(void)
         .transport_cb      = tmcCb,
         .transport_context = (void*)tmcCtx,
         .transport_config  = (void*)tmcCfg,
-        .client_id         = 1,
+        .client_id         = WOLFBOOT_WOLFHSM_CLIENT_ID,
         .connect_cb        = _connectCb,
     }};
 

diff --git a/hal/sim.c b/hal/sim.c
@@ -170,11 +170,19 @@ static posixTransportTcpConfig        mytcpconfig[1] = {{
            .server_port      = 23456,
 }};
 
+/* wolfHSM client ID presented to the HSM server. Defined by the build system
+ * (WOLFHSM_CLIENT_ID in options.mk, default 1); must match the client ID the
+ * server provisions the wolfBoot public key under (the example POSIX server's
+ * '--client' argument). */
+#ifndef WOLFBOOT_WOLFHSM_CLIENT_ID
+#error "WOLFBOOT_WOLFHSM_CLIENT_ID is not defined. Set WOLFHSM_CLIENT_ID in your .config or on the make command line."
+#endif
+
 static whCommClientConfig cc_conf[1] = {{
     .transport_cb      = pttccb,
     .transport_context = (void*)tcc,
     .transport_config  = (void*)mytcpconfig,
-    .client_id         = 12,
+    .client_id         = WOLFBOOT_WOLFHSM_CLIENT_ID,
 }};
 static whClientConfig     c_conf[1]  = {{
          .comm = cc_conf,

diff --git a/options.mk b/options.mk
@@ -1390,13 +1390,21 @@ ifeq ($(WOLFHSM_CLIENT),1)
   # HSM out-of-band
   KEYGEN_OPTIONS += --exportpubkey --der
 
-  # Default to using public keys on the HSM
-  ifneq ($(WOLFHSM_CLIENT_LOCAL_KEYS),1)
-    KEYGEN_OPTIONS += --nolocalkeys
-    CFLAGS += -DWOLFBOOT_USE_WOLFHSM_PUBKEY_ID
-    # big enough for cert chain
-    CFLAGS += -DWOLFHSM_CFG_COMM_DATA_LEN=5000
-  endif
+  # wolfHSM clients always use HSM-resident public keys, referenced by key ID or
+  # authenticated via a certificate chain. Public keys baked into a local
+  # keystore.c are not supported.
+  KEYGEN_OPTIONS += --nolocalkeys
+  # big enough for cert chain
+  CFLAGS += -DWOLFHSM_CFG_COMM_DATA_LEN=5000
+
+  # wolfHSM client ID presented to the HSM server during the connection
+  # handshake. Single value shared by all targets; defaults to 1. Override in the
+  # .config or on the make command line. This MUST match the client/user ID the
+  # server provisions the wolfBoot public key under -- e.g. the whnvmtool
+  # 'key <clientId> ...' field (tools/scripts/tc3xx/*.nvminit) or the example
+  # POSIX server's '--client <id>' argument.
+  WOLFHSM_CLIENT_ID ?= 1
+  CFLAGS += -DWOLFBOOT_WOLFHSM_CLIENT_ID=$(WOLFHSM_CLIENT_ID)
 
   # Ensure wolfHSM is configured to use certificate manager if we are
   # doing cert chain verification
@@ -1410,6 +1418,13 @@ endif
 
 # wolfHSM server options
 ifeq ($(WOLFHSM_SERVER),1)
+  # Currently, cert chain auth is the only supported auth mechanism for wolfHSM
+  # server mode
+  ifeq ($(CERT_CHAIN_VERIFY),)
+    $(error WOLFHSM_SERVER=1 requires CERT_CHAIN_VERIFY=1: wolfHSM server mode \
+            only supports certificate-chain authentication)
+  endif
+
   WOLFCRYPT_OBJS += \
     $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/cryptocb.o \
     $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/coding.o \