ML-DSA default is level 2. The keytools must be able to support all ML-DSA levels at run-time using ML_DSA_LEVEL environment variable. wolfBoot needs to be built with the correct level specified in the .config.

dgarske · dgarske · commit 6bed80fbc2dc · 2024-12-05T14:25:43.000-08:00
diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile
@@ -17,7 +17,7 @@ LDFLAGS =
 OBJDIR = ./
 LIBS =
 
-ML_DSA_LEVEL?=5
+ML_DSA_LEVEL?=2
 CFLAGS+=-DML_DSA_LEVEL=$(ML_DSA_LEVEL)
 
 LMS_LEVELS?=1
diff --git a/tools/keytools/user_settings.h b/tools/keytools/user_settings.h
@@ -86,10 +86,13 @@
 #if 0
     #define WOLFSSL_DILITHIUM_FIPS204_DRAFT
 #endif
+
+/* Default the keygen/sign tool to use ML-DSA level 2 */
 #ifndef ML_DSA_LEVEL
-    #define ML_DSA_LEVEL 5
+    #define ML_DSA_LEVEL 2
 #endif
-/* dilithium needs these sha functions. */
+
+/* Dilithium needs SHAKE128 */
 #define WOLFSSL_SHAKE128
 
 /* LMS */
