add wolfHSM verify key usage flags

bigbrett · bigbrett · commit 547dbb0f5a01 · 2025-11-20T15:00:44.000-07:00
diff --git a/lib/wolfHSM b/lib/wolfHSM
@@ -1 +1 @@
-Subproject commit bfb5d90bb22719709171adbf72b3d67ca7787957
+Subproject commit a9f88c15a73771ff62dcb919573b0a862463e889
diff --git a/src/image.c b/src/image.c
@@ -486,8 +486,8 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot,
 #else
     whKeyId hsmKeyId = WH_KEYID_ERASED;
     /* Cache the public key on the server */
-    ret = wh_Client_KeyCache(&hsmClientCtx, 0, NULL, 0, pubkey, pubkey_sz,
-                             &hsmKeyId);
+    ret = wh_Client_KeyCache(&hsmClientCtx, WH_NVM_FLAGS_USAGE_VERIFY, NULL, 0,
+                             pubkey, pubkey_sz, &hsmKeyId);
     if (ret != WH_ERROR_OK) {
         return;
     }
@@ -2102,12 +2102,12 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img)
             "verifying cert chain and caching leaf pubkey (using DMA)\n");
         hsm_ret = wh_Client_CertVerifyDmaAndCacheLeafPubKey(
             &hsmClientCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
-            &g_certLeafKeyId, &cert_verify_result);
+            WH_NVM_FLAGS_USAGE_VERIFY, &g_certLeafKeyId, &cert_verify_result);
 #else
         wolfBoot_printf("verifying cert chain and caching leaf pubkey\n");
         hsm_ret = wh_Client_CertVerifyAndCacheLeafPubKey(
             &hsmClientCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
-            &g_certLeafKeyId, &cert_verify_result);
+            WH_NVM_FLAGS_USAGE_VERIFY, &g_certLeafKeyId, &cert_verify_result);
 #endif
 #elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
         wolfBoot_printf("verifying cert chain and caching leaf pubkey\n");
