ML-DSA default is level 2. The keytools must be able to support all ML-DSA levels at run-time using ML_DSA_LEVEL environment variable. wolfBoot needs to be built with the correct level specified in the .config.

dgarske · dgarske · commit cc17b31623f2 · 2024-12-05T14:07:15.000-08:00
diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile
@@ -17,9 +17,6 @@ LDFLAGS =
 OBJDIR = ./
 LIBS =
 
-ML_DSA_LEVEL?=5
-CFLAGS+=-DML_DSA_LEVEL=$(ML_DSA_LEVEL)
-
 LMS_LEVELS?=1
 LMS_HEIGHT?=10
 LMS_WINTERNITZ?=8
diff --git a/tools/keytools/user_settings.h b/tools/keytools/user_settings.h
@@ -86,10 +86,13 @@
 #if 0
     #define WOLFSSL_DILITHIUM_FIPS204_DRAFT
 #endif
+
+/* Default the keygen/sign tool to use ML-DSA level 2 */
 #ifndef ML_DSA_LEVEL
-    #define ML_DSA_LEVEL 5
+    #define ML_DSA_LEVEL 2
 #endif
-/* dilithium needs these sha functions. */
+
+/* Dilithium needs SHAKE128 */
 #define WOLFSSL_SHAKE128
 
 /* LMS */
