wolfSSL
diff --git a/‎include/user_settings.h‎
Lines changed: 38 additions & 746 deletions b/‎include/user_settings.h‎
Lines changed: 38 additions & 746 deletions
diff --git a/‎include/user_settings/base.h‎
Lines changed: 65 additions & 0 deletions b/‎include/user_settings/base.h‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎include/user_settings/cascade.h‎
Lines changed: 61 additions & 0 deletions b/‎include/user_settings/cascade.h‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎include/user_settings/cert_chain.h‎
Lines changed: 44 additions & 0 deletions b/‎include/user_settings/cert_chain.h‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎include/user_settings/encrypt.h‎
Lines changed: 66 additions & 0 deletions b/‎include/user_settings/encrypt.h‎
Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,65 @@
+/* user_settings/base.h
+ *
+ * Foundation defines that every wolfBoot build needs regardless of which
+ * SIGN/HASH/feature flags are set: alignment, threading, stdlib types,
+ * basic sizing.
+ *
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef _WOLFBOOT_USER_SETTINGS_BASE_H_
+#define _WOLFBOOT_USER_SETTINGS_BASE_H_
+
+/* System */
+#define WOLFSSL_GENERAL_ALIGNMENT 4
+#define SINGLE_THREADED
+#define WOLFSSL_USER_MUTEX /* avoid wc_port.c wc_InitAndAllocMutex */
+/* WOLFCRYPT_ONLY: pure crypto, no TLS/SSL stack. The only configuration
+ * that needs the SSL layer (cert manager) is wolfHSM server + cert-chain
+ * verification, where the carve-out moves to user_settings/cert_chain.h
+ * in a later phase. */
+#if !(defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \
+        defined(WOLFBOOT_CERT_CHAIN_VERIFY))
+#  define WOLFCRYPT_ONLY
+#endif
+#define SIZEOF_LONG_LONG 8
+#define HAVE_EMPTY_AGGREGATES 0
+#define HAVE_ANONYMOUS_INLINE_AGGREGATES 0
+
+/* Stdlib Types */
+#define CTYPE_USER /* don't let wolfCrypt types.h include ctype.h */
+
+#ifndef WOLFSSL_ARMASM
+#  ifndef toupper
+extern int toupper(int c);
+#  endif
+#  ifndef tolower
+extern int tolower(int c);
+#  endif
+#  define XTOUPPER(c)     toupper((c))
+#  define XTOLOWER(c)     tolower((c))
+#endif
+
+#ifdef USE_FAST_MATH
+    /* wolfBoot only does public asymmetric operations,
+     * so timing resistance and hardening is not required */
+#   define WC_NO_HARDEN
+#endif
+
+#endif /* _WOLFBOOT_USER_SETTINGS_BASE_H_ */
@@ -0,0 +1,61 @@
+/* user_settings/cascade.h
+ *
+ * Lift Make-side feature implications into preprocessor cascades so an
+ * IDE/CMake-only build (which sets only the high-level WOLFBOOT_* flags)
+ * sees the same derived flags that options.mk would set.
+ *
+ * Idempotent: every #define is #ifndef-guarded, so it's a no-op when
+ * options.mk has already emitted the same -D flag.
+ *
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef _WOLFBOOT_USER_SETTINGS_CASCADE_H_
+#define _WOLFBOOT_USER_SETTINGS_CASCADE_H_
+
+/* Any feature that requires a hardware TPM 2.0 implies WOLFBOOT_TPM.
+ * Mirrors options.mk:34-92 where the same Make variables force WOLFTPM:=1. */
+#if defined(WOLFBOOT_TPM_VERIFY)   || \
+    defined(WOLFBOOT_MEASURED_BOOT) || \
+    defined(WOLFBOOT_TPM_KEYSTORE) || \
+    defined(WOLFBOOT_TPM_SEAL)
+#  ifndef WOLFBOOT_TPM
+#    define WOLFBOOT_TPM
+#  endif
+#endif
+
+/* WOLFBOOT_NEEDS_* declarations -- positive intent markers reconciled by
+ * user_settings/finalize.h. Fragments may also set these from their own
+ * headers; cascade.h handles the cases that today live as #undef blocks
+ * scattered through user_settings.h. */
+
+/* WOLFCRYPT_TZ_PSA and WOLFBOOT_TZ_FWTPM both keep CMAC and KDF enabled
+ * (today by `#undef NO_CMAC` / `#undef NO_KDF` after the always-on block).
+ * Lift those to positive intent so finalize.h can simply skip the
+ * `#define NO_CMAC` / `#define NO_KDF`. */
+#if defined(WOLFCRYPT_TZ_PSA) || defined(WOLFBOOT_TZ_FWTPM)
+#  ifndef WOLFBOOT_NEEDS_CMAC
+#    define WOLFBOOT_NEEDS_CMAC
+#  endif
+#  ifndef WOLFBOOT_NEEDS_KDF
+#    define WOLFBOOT_NEEDS_KDF
+#  endif
+#endif
+
+#endif /* _WOLFBOOT_USER_SETTINGS_CASCADE_H_ */
@@ -0,0 +1,44 @@
+/* user_settings/cert_chain.h
+ *
+ * wolfCrypt configuration for WOLFBOOT_CERT_CHAIN_VERIFY. This is the
+ * only build mode that links the wolfSSL TLS-layer cert manager (server
+ * side). Client side just uses wolfHSM's cert manager and needs no
+ * extra wolfCrypt config beyond what wolfhsm.h already supplies.
+ *
+ * The companion `WOLFCRYPT_ONLY` carve-out (when the server cert-chain
+ * mode is active) lives in user_settings/base.h.
+ *
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef _WOLFBOOT_USER_SETTINGS_CERT_CHAIN_H_
+#define _WOLFBOOT_USER_SETTINGS_CERT_CHAIN_H_
+
+#if defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \
+    defined(WOLFBOOT_CERT_CHAIN_VERIFY)
+#  define NO_TLS
+#  define NO_OLD_TLS
+#  define WOLFSSL_NO_TLS12
+#  define WOLFSSL_USER_IO
+#  define WOLFSSL_SP_MUL_D
+#  define WOLFSSL_PEM_TO_DER
+#  define WOLFSSL_ALLOW_NO_SUITES
+#endif
+
+#endif /* _WOLFBOOT_USER_SETTINGS_CERT_CHAIN_H_ */
@@ -0,0 +1,66 @@
+/* user_settings/encrypt.h
+ *
+ * wolfCrypt configuration for image encryption (EXT_ENCRYPTED) and the
+ * SECURE_PKCS11 store. The cipher selection (ChaCha20 vs AES-128 vs
+ * AES-256 vs PKCS#11-backed) lives in options.mk; this fragment owns the
+ * wolfCrypt-side gates that follow from those choices.
+ *
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef _WOLFBOOT_USER_SETTINGS_ENCRYPT_H_
+#define _WOLFBOOT_USER_SETTINGS_ENCRYPT_H_
+
+#if defined(EXT_ENCRYPTED)
+#  define HAVE_PWDBASED
+#endif
+
+#if defined(SECURE_PKCS11)
+#  include <time.h>
+#  define HAVE_PWDBASED
+#  define HAVE_PBKDF2
+#  define WOLFPKCS11_CUSTOM_STORE
+#  define WOLFBOOT_SECURE_PKCS11
+#  ifndef WOLFPKCS11_USER_SETTINGS
+#    define WOLFPKCS11_USER_SETTINGS
+#  endif
+#  define WOLFPKCS11_NO_TIME
+#  ifndef WOLFSSL_AES_COUNTER
+#    define WOLFSSL_AES_COUNTER
+#  endif
+#  define HAVE_AESCTR
+#  ifndef WOLFSSL_AES_DIRECT
+#    define WOLFSSL_AES_DIRECT
+#  endif
+#  define WOLFSSL_AES_GCM
+#  define GCM_TABLE_4BIT
+#  define WOLFSSL_AES_128
+#  define HAVE_SCRYPT
+#  define HAVE_AESGCM
+#  define HAVE_PKCS8
+#endif
+
+/* PKCS11 for wolfBoot is always static. */
+#define HAVE_PKCS11_STATIC
+
+/* The NO_PWDBASED fallback (when no fragment opted in) lives in
+ * user_settings/finalize.h so it runs after trustzone.h / tpm.h /
+ * test_bench.h have had a chance to set HAVE_PWDBASED. */
+
+#endif /* _WOLFBOOT_USER_SETTINGS_ENCRYPT_H_ */