build: include wally in the firmware directly when amalgamating

jgriffiths · jgriffiths · commit 496d0874a70d · 2025-06-19T10:06:53.000+12:00
In many cases we check/assert our arguments before calling wally
functions. By amalgamating wally directly, the compiler can remove
code that redundantly re-checks already asserted conditions.

In some cases further optimizations are possible. For example explicit
rangeproofs do not contain a side channel message and thus the secp code
to generate it (and the 4k stack buffer it uses) can be eliminated.

We perform the wally amalgamation by compiling the external library with
no code, and then including the wally sources in the main firmware
directly. This approach lets us avoid trying to selectively disable the
wally component during amalgamated builds, as this is not supported by
the idf.py build machinery.
diff --git a/components/libwally-core/CMakeLists.txt b/components/libwally-core/CMakeLists.txt
@@ -29,6 +29,10 @@ set_source_files_properties(
     "-Wno-nonnull-compare -Wno-unused-function -Wno-error=maybe-uninitialized -Wno-type-limits -Wno-error=array-parameter"
     )
 
+if(CONFIG_AMALGAMATED_BUILD)
+    target_compile_definitions(${COMPONENT_TARGET} PRIVATE "-DWALLY_NO_AMALGAMATION=1")
+endif()
+
 # fortify/performance flags
 target_compile_definitions(${COMPONENT_TARGET} PRIVATE NDEBUG=1)
 target_compile_options(${COMPONENT_TARGET} PRIVATE "-fstack-protector-strong")
diff --git a/main/CMakeLists.txt b/main/CMakeLists.txt
@@ -31,6 +31,13 @@ else()
     list(APPEND logo_files ${PROJECT_DIR}/logo/icon_qrguide_qvga_large.bin.gz ${PROJECT_DIR}/logo/icon_qrguide_qvga_small.bin.gz)
 endif()
 
+if(CONFIG_AMALGAMATED_BUILD)
+    set(wallydir "${PROJECT_DIR}/components/libwally-core")
+    list(APPEND wallydirs "${wallydir}" "${wallydir}/upstream" "${wallydir}/upstream/src" "${wallydir}/upstream/src/ccan")
+    set(secpdir "${wallydir}/upstream/src/secp256k1/include")
+endif()
+
+
 idf_component_register(SRC_DIRS "."
                                 "process"
                                 "utils"
@@ -45,6 +52,8 @@ idf_component_register(SRC_DIRS "."
                           "${qemudir}"
                           "${attestdir}"
                           "${usbdir}"
+                          "${wallydirs}"
+                          "${secpdir}"
         PRIV_REQUIRES assets libwally-core libsodium esp32-rotary-encoder esp32-quirc bootloader_support app_update nvs_flash bt autogenlang cbor esp_netif esp32_bsdiff esp32_deflate nghttp esp32_bc-ur driver mbedtls http_parser esp_hw_support efuse esp_eth esp_http_server esp_lcd usb vfs app_trace spi_flash
         EMBED_FILES ${PROJECT_DIR}/pinserver_public_key.pub ${logo_files} ${qemu_display_file})
 
diff --git a/main/amalgamated.c b/main/amalgamated.c
@@ -1,7 +1,27 @@
 #ifdef AMALGAMATED_BUILD
 #undef AMALGAMATED_BUILD
+
 #include <stdlib.h>
+void __wrap_abort(void);
 #define abort __wrap_abort
+
+#define BUILD_ELEMENTS 1
+#define BUILD_MINIMAL 1
+#define HAVE_MBEDTLS_SHA256_H
+#define HAVE_MBEDTLS_SHA512_H
+#define ECMULT_WINDOW_SIZE 8
+#define ENABLE_MODULE_ECDH 1
+#define ENABLE_MODULE_ECDSA_S2C 1
+#define ENABLE_MODULE_EXTRAKEYS 1
+#define ENABLE_MODULE_GENERATOR 1
+#define ENABLE_MODULE_RANGEPROOF 1
+#define ENABLE_MODULE_RECOVERY 1
+#define ENABLE_MODULE_SCHNORRSIG 1
+#define ENABLE_MODULE_SURJECTIONPROOF 1
+#define ENABLE_MODULE_WHITELIST 1
+#define HAVE_BUILTIN_POPCOUNT 1
+#include "../components/libwally-core/upstream/src/amalgamation/combined.c"
+
 #include "./aes.c"
 #include "./assets.c"
 #ifdef CONFIG_IDF_TARGET_ESP32S3
