-add wolfHSM RSA4096 configs for sim and AURIX

bigbrett · danielinux · commit 6a1120d0aba3 · 2025-12-10T07:43:32.000+01:00
-various fixes for RSA4096
-remove erroneous coupling between SMALL_STACK and WOLFHSM_SERVER
diff --git a/.github/workflows/test-configs.yml b/.github/workflows/test-configs.yml
@@ -534,7 +534,37 @@ jobs:
     uses: ./.github/workflows/test-build.yml
     with:
       arch: host
-      config-file: ./config/examples/sim-wolfHSM-client.config
+      config-file: ./config/examples/sim-wolfHSM-client-ecc.config
+
+  sim_wolfhsm_client_mldsa_test:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-wolfHSM-client-mldsa.config
+
+  sim_wolfhsm_client_certchain_ecc_test:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-wolfHSM-client-certchain-ecc.config
+
+  sim_wolfhsm_client_certchain_rsa4096_test:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-wolfHSM-client-certchain-rsa4096.config
+
+  sim_wolfhsm_server_certchain_ecc_test:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-wolfHSM-server-certchain-ecc.config
+
+  sim_wolfhsm_server_certchain_rsa4096_test:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: host
+      config-file: ./config/examples/sim-wolfHSM-server-certchain-rsa4096.config
 
   rp2350_test:
     uses: ./.github/workflows/test-build-pico-sdk.yml
diff --git a/.github/workflows/test-external-library-paths.yml b/.github/workflows/test-external-library-paths.yml
@@ -24,7 +24,7 @@ jobs:
             build-tpm-tools: true
 
           - name: "external wolfHSM"
-            config: "config/examples/sim-wolfHSM-client.config"
+            config: "config/examples/sim-wolfHSM-client-ecc.config"
 
           - name: "Unit tests"
             config: ""
diff --git a/.github/workflows/test-wolfhsm-simulator.yml b/.github/workflows/test-wolfhsm-simulator.yml
@@ -14,14 +14,36 @@ jobs:
     strategy:
       matrix:
         config:
-          - name: "Standard wolfHSM"
-            file: "config/examples/sim-wolfHSM-client.config"
-          - name: "wolfHSM ML-DSA"
+          - name: "wolfHSM client ECC"
+            file: "config/examples/sim-wolfHSM-client-ecc.config"
+            needs_posix_server: true
+            posix_server_nvminit: false
+            needs_nvm_image: false
+          - name: "wolfHSM client ML-DSA"
             file: "config/examples/sim-wolfHSM-client-mldsa.config"
-          - name: "wolfHSM cert chain verify"
-            file: "config/examples/sim-wolfHSM-client-certchain.config"
-          - name: "wolfHSM server cert chain verify"
-            file: "config/examples/sim-wolfHSM-server-certchain.config"
+            needs_posix_server: true
+            posix_server_nvminit: false
+            needs_nvm_image: false
+          - name: "wolfHSM client cert chain verify ECC"
+            file: "config/examples/sim-wolfHSM-client-certchain-ecc.config"
+            needs_posix_server: true
+            posix_server_nvminit: true
+            needs_nvm_image: false
+          - name: "wolfHSM client cert chain verify RSA4096"
+            file: "config/examples/sim-wolfHSM-client-certchain-rsa4096.config"
+            needs_posix_server: true
+            posix_server_nvminit: true
+            needs_nvm_image: false
+          - name: "wolfHSM server cert chain verify ECC"
+            file: "config/examples/sim-wolfHSM-server-certchain-ecc.config"
+            needs_posix_server: false
+            posix_server_nvminit: false
+            needs_nvm_image: true
+          - name: "wolfHSM server cert chain verify RSA4096"
+            file: "config/examples/sim-wolfHSM-server-certchain-rsa4096.config"
+            needs_posix_server: false
+            posix_server_nvminit: false
+            needs_nvm_image: true
 
       fail-fast: false
 
@@ -98,15 +120,15 @@ jobs:
           make clean && make test-sim-internal-flash-with-update
 
       - name: Build example POSIX TCP server
-        if: matrix.config.name != 'wolfHSM server cert chain verify'
+        if: matrix.config.needs_posix_server
         run: cd lib/wolfHSM/examples/posix/wh_posix_server && make WOLFSSL_DIR=../../../../wolfssl
 
       # Start the server in the background
       - name: Run POSIX TCP server
-        if: matrix.config.name != 'wolfHSM server cert chain verify'
+        if: matrix.config.needs_posix_server
         run: |
           cd lib/wolfHSM/examples/posix/wh_posix_server
-          if [ "${{ matrix.config.name }}" = "wolfHSM cert chain verify" ]; then
+          if [ "${{ matrix.config.posix_server_nvminit }}" = "true" ]; then
             tmpfile=$(mktemp)
             echo "obj 1 0xFFFF 0x0000 \"cert CA\" ../../../../../test-dummy-ca/root-cert.der" >> $tmpfile
             ./Build/wh_posix_server.elf --type tcp --nvminit $tmpfile &
@@ -120,7 +142,7 @@ jobs:
       # For testing the wolfHSM server cert chain verify feature, we need to create an NVM image containing our root CA that
       # the internal wolfHSM server can load.
       - name: Create NVM image for wolfHSM server cert chain verify
-        if: matrix.config.name == 'wolfHSM server cert chain verify'
+        if: matrix.config.needs_nvm_image
         run: |
           make -C lib/wolfHSM/tools/whnvmtool
           tmpfile=$(mktemp)
@@ -134,6 +156,6 @@ jobs:
 
       # Kill the server if it is still running
       - name: Kill POSIX TCP server
-        if: always() && matrix.config.name != 'wolfHSM server cert chain verify'
+        if: always() && matrix.config.needs_posix_server
         run: |
           kill $TCP_SERVER_PID || true
diff --git a/config/examples/aurix-tc375-ecc.config b/config/examples/aurix-tc375-ecc.config
diff --git a/config/examples/aurix-tc375-elf-ecc.config b/config/examples/aurix-tc375-elf-ecc.config
diff --git a/config/examples/aurix-tc375-elf-wolfHSM-certs-ecc.config b/config/examples/aurix-tc375-elf-wolfHSM-certs-ecc.config
@@ -31,11 +31,6 @@ CERT_CHAIN_VERIFY=1
 # for actual length
 IMAGE_HEADER_SIZE=2048
 
-# If SIGN=RSA4096, use the below options
-#WOLFBOOT_HUGE_STACK=1
-#IMAGE_HEADER_SIZE=4096
-
-
 ARCH_FLASH_OFFSET=0x800A0000
 WOLFBOOT_SECTOR_SIZE=0x4000
 
diff --git a/config/examples/aurix-tc375-elf-wolfHSM-certs-rsa4096.config b/config/examples/aurix-tc375-elf-wolfHSM-certs-rsa4096.config
@@ -0,0 +1,57 @@
+ARCH?=AURIX_TC3
+TARGET?=aurix_tc3xx
+SIGN?=RSA4096
+HASH?=SHA256
+DEBUG?=0
+NO_ASM?=1
+WOLFBOOT_VERSION?=1
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+EXT_FLASH?=1
+EXT_BOOT=1
+EXT_UPDATE=1
+EXT_SWAP=1
+FLAGS_INVERT=1
+FLASH_MULTI_SECTOR_ERASE=1
+DEBUG_UART=1
+PRINTF_ENABLED=1
+
+# wolfHSM options
+WOLFHSM_CLIENT=1
+
+# ELF loading specific configuration
+ELF=1
+ELF_FLASH_SCATTER=1
+
+# Cert chain options
+CERT_CHAIN_VERIFY=1
+
+# RSA4096 cert chains need the larger header and stack
+WOLFBOOT_HUGE_STACK=1
+IMAGE_HEADER_SIZE=4096
+
+ARCH_FLASH_OFFSET=0x800A0000
+WOLFBOOT_SECTOR_SIZE=0x4000
+
+# ELF memory partitioning (same PFLASH1 space as standard wolfBoot):
+# Standard wolfBoot uses 0x80300000-0x80600000 (3MB) for BOOT+UPDATE+SWAP
+# ELF mode splits this same space into EXEC+BOOT+UPDATE+SWAP:
+# - Execution space: 0x80300000 (~1.5MB) - where app runs after scatter loading
+# - BOOT partition:  0x8047C000 (~0.75MB) - where signed ELF file is stored
+# - UPDATE partition: 0x8053C000 (~0.75MB) - where update ELF file is stored
+# - SWAP sector:      0x805FC000 (16KB) - for atomic updates
+
+# ELF storage partitions (where signed ELF files are stored)
+WOLFBOOT_PARTITION_BOOT_ADDRESS=0x8047C000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x8053C000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x805FC000
+WOLFBOOT_PARTITION_SIZE=0xC0000
+
+# ELF execution space (where test app runs after scatter loading)
+# Uses the same space that would be the BOOT partition in standard mode
+# This is only needed to configure the memory regions in the test app linker file
+# (see test-app/tc3tc_app.ld). For custom user apps with a different memory layout
+# and linker file this is not necessary.
+WOLFBOOT_ELF_EXEC_ADDRESS=0x80300000
+WOLFBOOT_ELF_EXEC_SIZE=0x17C000
diff --git a/config/examples/aurix-tc375-elf-wolfHSM-ecc.config b/config/examples/aurix-tc375-elf-wolfHSM-ecc.config
diff --git a/config/examples/aurix-tc375-hsm-ecc.config b/config/examples/aurix-tc375-hsm-ecc.config
diff --git a/config/examples/aurix-tc375-hsm-wolfHSM-certs-ecc.config b/config/examples/aurix-tc375-hsm-wolfHSM-certs-ecc.config
@@ -28,11 +28,6 @@ CERT_CHAIN_VERIFY=1
 # for actual length
 IMAGE_HEADER_SIZE=2048
 
-# If SIGN=RSA4096, use the below options
-#WOLFBOOT_HUGE_STACK=1
-#IMAGE_HEADER_SIZE=4096
-
-
 ARCH_FLASH_OFFSET=0x80028000
 WOLFBOOT_SECTOR_SIZE=0x4000
 WOLFBOOT_PARTITION_SIZE=0x30000
diff --git a/config/examples/aurix-tc375-hsm-wolfHSM-certs-rsa4096.config b/config/examples/aurix-tc375-hsm-wolfHSM-certs-rsa4096.config
@@ -0,0 +1,36 @@
+ARCH?=AURIX_TC3
+TARGET?=aurix_tc3xx
+AURIX_TC3_HSM=1
+SIGN?=RSA4096
+HASH?=SHA256
+DEBUG?=0
+NO_ASM?=1
+WOLFBOOT_VERSION?=1
+V?=0
+SPMATH?=1
+RAM_CODE?=1
+EXT_FLASH?=1
+EXT_BOOT=1
+EXT_UPDATE=1
+EXT_SWAP=1
+FLAGS_INVERT=1
+FLASH_MULTI_SECTOR_ERASE=1
+DEBUG_UART=1
+PRINTF_ENABLED=1
+
+# wolfHSM options
+WOLFHSM_SERVER=1
+
+# Cert chain options
+CERT_CHAIN_VERIFY=1
+
+# RSA4096 cert chains need the larger header and stack
+WOLFBOOT_HUGE_STACK=1
+IMAGE_HEADER_SIZE=4096
+
+ARCH_FLASH_OFFSET=0x80028000
+WOLFBOOT_SECTOR_SIZE=0x4000
+WOLFBOOT_PARTITION_SIZE=0x30000
+WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80038000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x80068000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x80098000
diff --git a/config/examples/sim-wolfHSM-client-certchain-ecc.config b/config/examples/sim-wolfHSM-client-certchain-ecc.config
@@ -14,10 +14,6 @@ CERT_CHAIN_VERIFY=1
 # for actual length
 IMAGE_HEADER_SIZE=2048
 
-# If SIGN=RSA4096, use the below options
-#WOLFBOOT_HUGE_STACK=1
-#IMAGE_HEADER_SIZE=4096
-
 # wolfHSM options
 WOLFHSM_CLIENT=1
 
diff --git a/config/examples/sim-wolfHSM-client-certchain-rsa4096.config b/config/examples/sim-wolfHSM-client-certchain-rsa4096.config
@@ -0,0 +1,35 @@
+ARCH=sim
+TARGET=sim
+SIGN?=RSA4096
+HASH?=SHA256
+WOLFBOOT_SMALL_STACK?=0
+SPI_FLASH=0
+DEBUG=0
+SPMATH=1
+
+# Cert chain options
+CERT_CHAIN_VERIFY=1
+
+# RSA4096 cert chains need the larger header and stack
+WOLFBOOT_HUGE_STACK=1
+IMAGE_HEADER_SIZE=4096
+
+# wolfHSM options
+WOLFHSM_CLIENT=1
+
+# sizes should be multiple of system page size
+#WOLFBOOT_PARTITION_SIZE=0x40000
+WOLFBOOT_PARTITION_SIZE=0x100000
+WOLFBOOT_SECTOR_SIZE=0x1000
+WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
+# if on external flash, it should be multiple of system page size
+#WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x100000
+#WOLFBOOT_PARTITION_SWAP_ADDRESS=0x180000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x180000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x280000
+
+# required for keytools
+WOLFBOOT_FIXED_PARTITIONS=1
+
+# For debugging XMALLOC/XFREE
+#CFLAGS_EXTRA+=-DWOLFBOOT_DEBUG_MALLOC
diff --git a/config/examples/sim-wolfHSM-client-ecc.config b/config/examples/sim-wolfHSM-client-ecc.config
diff --git a/config/examples/sim-wolfHSM-server-certchain-ecc.config b/config/examples/sim-wolfHSM-server-certchain-ecc.config
@@ -14,10 +14,6 @@ CERT_CHAIN_VERIFY=1
 # for actual length
 IMAGE_HEADER_SIZE=2048
 
-# If SIGN=RSA4096, use the below options
-#WOLFBOOT_HUGE_STACK=1
-#IMAGE_HEADER_SIZE=4096
-
 # wolfHSM options
 WOLFHSM_SERVER=1
 
diff --git a/config/examples/sim-wolfHSM-server-certchain-rsa4096.config b/config/examples/sim-wolfHSM-server-certchain-rsa4096.config
@@ -0,0 +1,32 @@
+ARCH=sim
+TARGET=sim
+SIGN?=RSA4096
+HASH?=SHA256
+WOLFBOOT_SMALL_STACK?=0
+SPI_FLASH=0
+DEBUG=0
+SPMATH=1
+
+# Cert chain options
+CERT_CHAIN_VERIFY=1
+
+# RSA4096 cert chains need the larger header and stack
+WOLFBOOT_HUGE_STACK=1
+IMAGE_HEADER_SIZE=4096
+
+# wolfHSM options
+WOLFHSM_SERVER=1
+
+# sizes should be multiple of system page size
+WOLFBOOT_PARTITION_SIZE=0x200000
+WOLFBOOT_SECTOR_SIZE=0x1000
+WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
+# if on external flash, it should be multiple of system page size
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000
+
+# required for keytools
+WOLFBOOT_FIXED_PARTITIONS=1
+
+# For debugging XMALLOC/XFREE
+#CFLAGS_EXTRA+=-DWOLFBOOT_DEBUG_MALLOC
diff --git a/include/user_settings.h b/include/user_settings.h
@@ -505,20 +505,20 @@ extern int tolower(int c);
 #   define WOLFSSL_SP_NO_DYN_STACK
 #endif
 
-#if !defined(WOLFBOOT_SMALL_STACK) && !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
+#if defined(WOLFBOOT_SMALL_STACK)
+#   if defined(WOLFBOOT_HUGE_STACK)
+#       error "Cannot use SMALL_STACK=1 with HUGE_STACK=1"
+#   endif
+#   define WOLFSSL_SMALL_STACK
+#else
 #   if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
 #       define WOLFSSL_SP_NO_MALLOC
 #       define WOLFSSL_SP_NO_DYN_STACK
 #   endif
-#   if !defined(SECURE_PKCS11)
+#   if !defined(SECURE_PKCS11) && !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
 #       define NO_WOLFSSL_MEMORY
 #       define WOLFSSL_NO_MALLOC
 #   endif
-#else
-#   if defined(WOLFBOOT_HUGE_STACK)
-#       error "Cannot use SMALL_STACK=1 with HUGE_STACK=1"
-#   endif
-#   define WOLFSSL_SMALL_STACK
 #endif
 
 
diff --git a/options.mk b/options.mk
@@ -1009,6 +1009,8 @@ ifneq ($(CERT_CHAIN_VERIFY),)
     endif
     ifeq ($(SIGN),RSA4096)
       CERT_CHAIN_GEN_ALGO+=rsa4096
+      # Reasonably large default
+      CFLAGS += -DWOLFHSM_CFG_MAX_CERT_SIZE=4096
     endif
   endif
   SIGN_OPTIONS += --cert-chain $(CERT_CHAIN_FILE)
