wolfHSM server support + cert chain auth

.github/workflows/test-configs.yml

@@ -468,7 +468,7 @@ jobs:
     uses: ./.github/workflows/test-build.yml
     with:
       arch: host
-      config-file: ./config/examples/sim-wolfHSM.config
+      config-file: ./config/examples/sim-wolfHSM-client.config
 
   rp2350_test:
     uses: ./.github/workflows/test-build-pico-sdk.yml

.github/workflows/test-wolfhsm-simulator.yml

@@ -15,11 +15,14 @@ jobs:
       matrix:
         config:
           - name: "Standard wolfHSM"
-            file: "config/examples/sim-wolfHSM.config"
+            file: "config/examples/sim-wolfHSM-client.config"
           - name: "wolfHSM ML-DSA"
-            file: "config/examples/sim-wolfHSM-mldsa.config"
+            file: "config/examples/sim-wolfHSM-client-mldsa.config"
           - name: "wolfHSM cert chain verify"
-            file: "config/examples/sim-wolfHSM-certchain.config"
+            file: "config/examples/sim-wolfHSM-client-certchain.config"
+          - name: "wolfHSM server cert chain verify"
+            file: "config/examples/sim-wolfHSM-server-certchain.config"
+
       fail-fast: false
 
     runs-on: ubuntu-latest
@@ -50,39 +53,42 @@ jobs:
         run: |
           make clean && make test-sim-internal-flash-with-update
 
-      # checkout and build wolfHSM examples repo
-      - name: Checkout wolfHSM-examples
-        uses: actions/checkout@v4
-        with:
-          repository: wolfssl/wolfHSM-examples
-          # Make sure to update this when the wolfHSM submodule is updated!
-          ref: wolfHSM-examples-v1.2.0
-          path: wolfHSM-examples
-
       - name: Build example POSIX TCP server
-        run: cd wolfHSM-examples/posix/tcp/wh_server_tcp && make WOLFSSL_DIR=../../../../lib/wolfssl WOLFHSM_DIR=../../../../lib/wolfHSM
+        if: matrix.config.name != 'wolfHSM server cert chain verify'
+        run: cd lib/wolfHSM/examples/posix/tcp/wh_server_tcp && make WOLFSSL_DIR=../../../../../wolfssl
 
       # Start the server in the background
       - name: Run POSIX TCP server
+        if: matrix.config.name != 'wolfHSM server cert chain verify'
         run: |
-          cd wolfHSM-examples/posix/tcp/wh_server_tcp
+          cd lib/wolfHSM/examples/posix/tcp/wh_server_tcp
           if [ "${{ matrix.config.name }}" = "wolfHSM cert chain verify" ]; then
             tmpfile=$(mktemp)
-            echo "obj 1 0xFFFF 0x0000 \"cert CA\" ../../../../test-dummy-ca/root-cert.der" >> $tmpfile
+            echo "obj 1 0xFFFF 0x0000 \"cert CA\" ../../../../../../test-dummy-ca/root-cert.der" >> $tmpfile
             ./Build/wh_server_tcp.elf --nvminit $tmpfile &
           else
-            ./Build/wh_server_tcp.elf --client 12 --id 255 --key ../../../../wolfboot_signing_private_key_pub.der &
+            ./Build/wh_server_tcp.elf --client 12 --id 255 --key ../../../../../../wolfboot_signing_private_key_pub.der &
           fi
           TCP_SERVER_PID=$!
           echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV
 
+      # For testing the wolfHSM server cert chain verify feature, we need to create an NVM image containing our root CA that
+      # the internal wolfHSM server can load.
+      - name: Create NVM image for wolfHSM server cert chain verify
+        if: matrix.config.name == 'wolfHSM server cert chain verify'
+        run: |
+          make -C lib/wolfHSM/tools/whnvmtool
+          tmpfile=$(mktemp)
+          echo "obj 1 0xFFFF 0x0000 \"cert CA\" test-dummy-ca/root-cert.der" >> $tmpfile
+          ./lib/wolfHSM/tools/whnvmtool/whnvmtool --image=wolfBoot_wolfHSM_NVM.bin --size=16348 --invert-erased-byte $tmpfile
+
       # Run the sunny day update test against the server
       - name: Run sunny day update test
         run: |
           tools/scripts/sim-sunnyday-update.sh
 
       # Kill the server if it is still running
       - name: Kill POSIX TCP server
-        if: always()
+        if: always() && matrix.config.name != 'wolfHSM server cert chain verify'
         run: |
           kill $TCP_SERVER_PID || true

Makefile

@@ -54,7 +54,7 @@ endif
 WOLFCRYPT_OBJS:=
 SECURE_OBJS:=
 PUBLIC_KEY_OBJS:=
-WOLFHSM_CLIENT_OBJS:=
+WOLFHSM_OBJS:=
 ifneq ("$(NO_LOADER)","1")
   OBJS+=./src/loader.o
 endif
@@ -67,7 +67,7 @@ include options.mk
 
 OBJS+=$(WOLFCRYPT_OBJS)
 OBJS+=$(PUBLIC_KEY_OBJS)
-OBJS+=$(WOLFHSM_CLIENT_OBJS)
+OBJS+=$(WOLFHSM_OBJS)
 
 CFLAGS+= \
   -I"." -I"include/" -I"lib/wolfssl" \

arch.mk

@@ -1130,7 +1130,7 @@ ifeq ($(ARCH),sim)
     CFLAGS+=-DWOLFSSL_SP_DIV_WORD_HALF
   endif
   ifeq ($(WOLFHSM_CLIENT),1)
-    WOLFHSM_CLIENT_OBJS += $(LIBDIR)/wolfHSM/port/posix/posix_transport_tcp.o
+    WOLFHSM_OBJS += $(LIBDIR)/wolfHSM/port/posix/posix_transport_tcp.o
   endif
 endif
 

config/examples/sim-wolfHSM-certchain.config → config/examples/sim-wolfHSM-client-certchain.config

@@ -4,7 +4,8 @@ SIGN?=ECC256
 HASH?=SHA256
 WOLFBOOT_SMALL_STACK?=0
 SPI_FLASH=0
-DEBUG=1
+DEBUG=0
+SPMATH=1
 
 # Cert chain options
 CERT_CHAIN_VERIFY=1

config/examples/sim-wolfHSM-mldsa.config → config/examples/sim-wolfHSM-client-mldsa.config

@@ -4,7 +4,8 @@ SIGN?=ML_DSA
 HASH?=SHA256
 WOLFBOOT_SMALL_STACK?=0
 SPI_FLASH=0
-DEBUG=1
+DEBUG=0
+SPMATH=1
 
 #
 # ML-DSA config examples:

config/examples/sim-wolfHSM.config → config/examples/sim-wolfHSM-client.config

@@ -5,6 +5,7 @@ HASH?=SHA256
 WOLFBOOT_SMALL_STACK?=0
 SPI_FLASH=0
 DEBUG=0
+SPMATH=1
 
 # sizes should be multiple of system page size
 WOLFBOOT_PARTITION_SIZE=0x100000

config/examples/sim-wolfHSM-server-certchain.config

@@ -0,0 +1,37 @@
+ARCH=sim
+TARGET=sim
+SIGN?=ECC256
+HASH?=SHA256
+WOLFBOOT_SMALL_STACK?=0
+SPI_FLASH=0
+DEBUG=0
+SPMATH=1
+
+# Cert chain options
+CERT_CHAIN_VERIFY=1
+CERT_CHAIN_GEN=1
+
+# Ensure header is large enough to hold the cert chain (check sign tool output)
+# for actual length
+IMAGE_HEADER_SIZE=2048
+
+# If SIGN=RSA4096, use the below options
+#WOLFBOOT_HUGE_STACK=1
+#IMAGE_HEADER_SIZE=4096
+
+# wolfHSM options
+WOLFHSM_SERVER=1
+
+# sizes should be multiple of system page size
+WOLFBOOT_PARTITION_SIZE=0x200000
+WOLFBOOT_SECTOR_SIZE=0x1000
+WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
+# if on external flash, it should be multiple of system page size
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000
+
+# required for keytools
+WOLFBOOT_FIXED_PARTITIONS=1
+
+# For debugging XMALLOC/XFREE
+#CFLAGS_EXTRA+=-DWOLFBOOT_DEBUG_MALLOC

docs/HAL.md

@@ -145,3 +145,6 @@ implementation in new ports must return immediately without performing any actio
 if the content of the bootloader partition in the two banks already match.
 
 
+### wolfHSM HAL extensions
+
+Refer to [wolfHSM.md](wolfHSM.md) for the wolfHSM-specific HAL functions and an overview of wolfHSM compatibility.