Skip to content

non-exportable NVM #147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
billphipps merged 2 commits into from
Aug 18, 2025
Merged

non-exportable NVM #147

billphipps merged 2 commits into from
Aug 18, 2025

Conversation

@bigbrett
Copy link
Contributor

@bigbrett bigbrett commented Aug 12, 2025

  • Add support for new "non-exportable" flag to NVM objects, keys, and certs
  • Fixes unrelated tests to accommodate new feature

@bigbrett bigbrett requested a review from Copilot August 12, 2025 15:47
Copilot AI reviewed Aug 12, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for a new "non-exportable" flag to NVM objects, keys, and certificates, preventing sensitive data from being read or exported. The implementation includes comprehensive access control checks across both regular and DMA operations.

  • Adds whNvmFlags parameter to certificate storage APIs to support non-exportable certificates
  • Implements access control enforcement in server-side handlers for NVM, keystore, and certificate operations
  • Updates test cases to use WH_NVM_FLAGS_NONE instead of deprecated WH_NVM_FLAGS_ANY

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
wolfhsm/wh_server_cert.h Adds flags parameter to certificate addition API
wolfhsm/wh_message_cert.h Updates message structures to include flags field
wolfhsm/wh_client.h Updates client certificate APIs with flags support
test/wh_test_crypto.c Adds comprehensive tests for non-exportable keystore functionality
test/wh_test_clientserver.c Adds tests for non-exportable NVM access protection
test/wh_test_cert.c Adds tests for non-exportable certificate functionality
src/wh_server_nvm.c Implements non-exportable flag enforcement for NVM operations
src/wh_server_keystore.c Implements non-exportable flag enforcement for key operations
src/wh_server_cert.c Implements non-exportable flag enforcement for certificate operations
src/wh_message_cert.c Updates message translation to handle flags field
src/wh_client_cert.c Updates client certificate APIs to support flags
examples/demo/client/wh_demo_client_secboot.c Updates to use proper flags value
examples/demo/client/wh_demo_client_nvm.c Updates to use proper flags value

@bigbrett bigbrett force-pushed the nvm-basic-access-control branch from bb0cb94 to c83d931 Compare August 12, 2025 15:58
@bigbrett bigbrett requested a review from billphipps August 12, 2025 16:17
billphipps
billphipps previously approved these changes Aug 12, 2025
View reviewed changes
@bigbrett bigbrett marked this pull request as draft August 12, 2025 20:56
@bigbrett bigbrett marked this pull request as ready for review August 13, 2025 14:22
@bigbrett bigbrett requested a review from billphipps August 14, 2025 15:15
@billphipps billphipps merged commit de53cde into wolfSSL:main Aug 18, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@billphipps billphipps billphipps approved these changes

Assignees

@billphipps billphipps

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bigbrett @billphipps