diff --git a/.github/workflows/baremetal.yml b/.github/workflows/baremetal.yml new file mode 100644 index 0000000000..65400d01f6 --- /dev/null +++ b/.github/workflows/baremetal.yml @@ -0,0 +1,65 @@ +name: Bare-Metal Configuration Tests + +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + baremetal_autotools: + name: Bare-metal build (autotools) + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-latest + timeout-minutes: 10 + strategy: + fail-fast: false + matrix: + config: [ + '--enable-baremetal --enable-cryptonly', + '--enable-baremetal' + ] + steps: + - uses: actions/checkout@v4 + + - name: Install dependencies + run: sudo apt-get update && sudo apt-get install -y autoconf automake libtool + + - name: autogen + run: ./autogen.sh + + - name: configure + run: CPPFLAGS="-DWOLFSSL_USER_IO -DWOLFSSL_GENSEED_FORTEST -DWOLFSSL_IGNORE_TESTSEED_WARN" ./configure ${{ matrix.config }} + + - name: build + run: make -j$(nproc) + + - name: Run tests + run: ./wolfcrypt/test/testwolfcrypt + + baremetal_cmake: + name: Bare-metal build (CMake) + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + + - name: Install dependencies + run: sudo apt-get update && sudo apt-get install -y cmake build-essential + + - name: Configure CMake + run: | + mkdir build && cd build + cmake -DWOLFSSL_BAREMETAL=yes -DCMAKE_C_FLAGS="-DWOLFSSL_USER_IO -DWOLFSSL_GENSEED_FORTEST -DWOLFSSL_IGNORE_TESTSEED_WARN" .. + + - name: Build + run: cd build && cmake --build . -j$(nproc) + + - name: Run tests + run: cd build && ./wolfcrypt/test/testwolfcrypt + diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 477c265b30..e801505c5d 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -736,6 +736,7 @@ WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY WOLFSSL_I2D_ECDSA_SIG_ALLOC WOLFSSL_IAR_ARM_TIME WOLFSSL_IGNORE_BAD_CERT_PATH +WOLFSSL_IGNORE_TESTSEED_WARN WOLFSSL_IMX6 WOLFSSL_IMX6_CAAM WOLFSSL_IMX6_CAAM_BLOB diff --git a/CMakeLists.txt b/CMakeLists.txt index d5c3d3d972..85caec6f46 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -328,6 +328,15 @@ else() list(APPEND WOLFSSL_DEFINITIONS "-DSINGLE_THREADED") endif() +# Bare metal +add_option("WOLFSSL_BAREMETAL" + "Enable wolfSSL bare metal build (default: disabled)" + "no" "yes;no") + +if(WOLFSSL_BAREMETAL) + list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_BAREMETAL") +endif() + # DTLS-SRTP add_option("WOLFSSL_SRTP" "Enables wolfSSL DTLS-SRTP (default: disabled)" diff --git a/INSTALL b/INSTALL index a0f649a563..81903447ac 100644 --- a/INSTALL +++ b/INSTALL @@ -319,3 +319,46 @@ We also have vcpkg ports for wolftpm, wolfmqtt and curl. Deprecated. wolfSSL now has its own XMMS/XMSS^MT implementation in wolfCrypt. + +21. Building for Bare-Metal Embedded Systems + + wolfSSL provides a simplified configuration for bare-metal embedded + systems through the --enable-baremetal option. This configuration + disables OS-dependent features and is suitable for microcontrollers + and RTOS environments without POSIX support. + + $ ./autogen.sh + $ ./configure --enable-baremetal + $ make + + The --enable-baremetal option defines the following macros: + + - SINGLE_THREADED: Disables multi-threading support + - NO_DEV_RANDOM: Removes /dev/random dependency + - NO_FILESYSTEM: Disables file system operations + - NO_WRITEV: Disables writev() system call + - NO_STDIO_FILESYSTEM: Removes stdio-based file I/O + - WOLFSSL_NO_SOCK: Disables socket support + - WOLFSSL_NO_GETPID: Removes getpid() dependency + - NO_ASN_TIME: Conditionally defined when WOLFCRYPT_ONLY is also set + (for systems without RTC to bypass certificate date checking) + + For crypto-only builds (no TLS/SSL protocol layer), combine with + --enable-cryptonly: + + $ ./configure --enable-baremetal --enable-cryptonly + + Important: Bare-metal systems must provide their own entropy source. + You will need to implement wc_GenerateSeed() with platform-specific + hardware RNG or define CUSTOM_RAND_GENERATE_BLOCK and implement + wc_GenerateRand(). + + For CMake builds: + + $ mkdir build && cd build + $ cmake -DWOLFSSL_BAREMETAL=yes .. + $ cmake --build . + + Or with crypto-only: + + $ cmake -DWOLFSSL_BAREMETAL=yes -DWOLFSSL_CRYPTONLY=yes .. diff --git a/README.md b/README.md index 2e22782295..bc6e6b9255 100644 --- a/README.md +++ b/README.md @@ -287,6 +287,27 @@ https://www.wolfssl.com/docs/security-vulnerabilities/ See INSTALL file for build instructions. More info can be found on-line at: https://wolfssl.com/wolfSSL/Docs.html +## Building + +### Bare-Metal Embedded Systems + +For bare-metal embedded systems (microcontrollers, RTOS without POSIX), use the `--enable-baremetal` configuration: + +```bash +./configure --enable-baremetal +make +``` + +This configuration disables OS-dependent features including file systems, sockets, threading, and process management. For crypto-only builds without the TLS protocol layer, add `--enable-cryptonly`: + +```bash +./configure --enable-baremetal --enable-cryptonly +``` + +**Important:** You must provide a platform-specific entropy source by implementing `wc_GenerateSeed()` or defining `CUSTOM_RAND_GENERATE_BLOCK`. + +See the INSTALL file for complete details. + # Resources [wolfSSL Website](https://www.wolfssl.com/) diff --git a/SCRIPTS-LIST b/SCRIPTS-LIST index f99b7ce1a8..dbb8cbf46d 100644 --- a/SCRIPTS-LIST +++ b/SCRIPTS-LIST @@ -21,7 +21,7 @@ pull_to_vagrant.sh - synchronize to a vm without using git certs/ renewcerts.sh - renews test certs and crls crl/ - gencrls.sh - generates crls, used by renewcerts.sh + gencrls.sh - generates CRL's, used by renewcerts.sh ocsp/ renewcerts.sh - renews ocsp certs ocspd0.sh - ocsp responder for root-ca-cert.pem @@ -33,7 +33,7 @@ certs/ scripts/ external.test - example client test against our website, part of tests google.test - example client test against google, part of tests - resume.test - example sessoin resume test, part of tests + resume.test - example session resume test, part of tests ocsp-stapling.test - example client test against globalsign, part of tests ocsp-stapling1_tls13multi.text - example client test against example server, part of tests ocsp-stapling2.test - example client test against example server, part of tests diff --git a/cmake/options.h.in b/cmake/options.h.in index 7446b1b836..36e2fd666e 100644 --- a/cmake/options.h.in +++ b/cmake/options.h.in @@ -276,6 +276,8 @@ extern "C" { #cmakedefine WOLFSSL_ASIO #undef WOLFSSL_BASE64_ENCODE #cmakedefine WOLFSSL_BASE64_ENCODE +#undef WOLFSSL_BAREMETAL +#cmakedefine WOLFSSL_BAREMETAL #undef WOLFSSL_CAAM #cmakedefine WOLFSSL_CAAM #undef WOLFSSL_CERT_EXT diff --git a/configure.ac b/configure.ac index 5b1f8368e1..5a24e32945 100644 --- a/configure.ac +++ b/configure.ac @@ -1990,6 +1990,17 @@ AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xno" ],[ AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xyes" ],[ AM_CFLAGS="$AM_CFLAGS -DSINGLE_THREADED" ]) +# BARE METAL +AC_ARG_ENABLE([baremetal], + [AS_HELP_STRING([--enable-baremetal],[Enable wolfSSL bare metal build (default: disabled)])], + [ ENABLED_BAREMETAL=$enableval ], + [ ENABLED_BAREMETAL=no ]) + +if test "$ENABLED_BAREMETAL" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BAREMETAL" +fi + # Enable rwlock AC_ARG_ENABLE([rwlock], [AS_HELP_STRING([--enable-rwlock],[Enable use of rwlock (default: disabled)])], @@ -11082,6 +11093,8 @@ AM_CONDITIONAL([BUILD_MAXQ10XX],[test "x$ENABLED_MAXQ10XX" = "xyes"]) AM_CONDITIONAL([BUILD_ARIA],[test "x$ENABLED_ARIA" = "xyes"]) AM_CONDITIONAL([BUILD_XILINX],[test "x$ENABLED_XILINX" = "xyes"]) AM_CONDITIONAL([BUILD_AUTOSAR],[test "x$ENABLED_AUTOSAR" = "xyes"]) +AM_CONDITIONAL([BUILD_BAREMETAL],[test "x$ENABLED_BAREMETAL" = "xyes"]) + if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" && (test "$ax_enable_debug" = "yes" || diff --git a/examples/server/server.c b/examples/server/server.c index 06e0aeb6a5..1e7350041e 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -925,8 +925,10 @@ static const char* server_usage_msg[][66] = { "-c Certificate file, default", /* 5 */ "-k Key file, default", /* 6 */ "-A Certificate Authority file, default", /* 7 */ +#ifndef NO_FILESYSTEM "-R Create Ready file for external monitor" " default none\n", /* 8 */ +#endif #ifndef NO_DH "-D Diffie-Hellman Params file, default", /* 9 */ "-Z Minimum DH key bits, default", /* 10 */ diff --git a/scripts/resume.test b/scripts/resume.test index 06f25be003..03924f4c88 100755 --- a/scripts/resume.test +++ b/scripts/resume.test @@ -26,6 +26,8 @@ resume_port=0 no_pid=-1 server_pid=$no_pid counter=0 +has_readyfile=no + # let's use absolute path to a local dir (make distcheck may be in sub dir) # also let's add some randomness by adding pid in case multiple 'make check's # per source tree @@ -33,6 +35,7 @@ ready_file=`pwd`/wolfssl_resume_ready$$ echo "ready file $ready_file" + remove_ready_file() { if test -e "$ready_file"; then echo -e "removing existing ready file" @@ -40,6 +43,18 @@ remove_ready_file() { fi } +check_ready_file_support() { + ./examples/server/server -? 2>&1 | grep -- 'Ready file ' + if [ $? -eq 0 ]; then + has_readyfile=yes + fi + + if [ $has_readyfile != "yes" ]; then + echo -e "\nReady file not supported with build" + exit 77 + fi +} + do_cleanup() { echo "in cleanup" @@ -73,6 +88,8 @@ do_test() { return;; esac + check_ready_file_support + remove_ready_file echo "./examples/server/server -r -R \"$ready_file\" -p $resume_port" ./examples/server/server -r -R "$ready_file" -p $resume_port & diff --git a/tests/api/test_tls.c b/tests/api/test_tls.c index 91cf524599..09710b5a09 100644 --- a/tests/api/test_tls.c +++ b/tests/api/test_tls.c @@ -346,7 +346,7 @@ int test_tls_certreq_order(void) } #if !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA) && defined(HAVE_ECC) && \ - !defined(NO_WOLFSSL_SERVER) + !defined(NO_WOLFSSL_SERVER) && !defined(NO_FILESYSTEM) /* Called when writing. */ static int CsSend(WOLFSSL* ssl, char* buf, int sz, void* ctx) { @@ -382,7 +382,7 @@ int test_tls12_bad_cv_sig_alg(void) { EXPECT_DECLS; #if !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA) && defined(HAVE_ECC) && \ - !defined(NO_WOLFSSL_SERVER) + !defined(NO_WOLFSSL_SERVER) && !defined(NO_FILESYSTEM) byte clientMsgs[] = { /* Client Hello */ 0x16, 0x03, 0x03, 0x00, 0xe7, diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 9a8a939fb8..5d9c48d4b4 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -4267,11 +4267,13 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) #endif #ifdef USE_TEST_GENSEED + #ifndef WOLFSSL_IGNORE_TESTSEED_WARN #ifndef _MSC_VER #warning "write a real random seed!!!!, just for testing now" #else #pragma message("Warning: write a real random seed!!!!, just for testing now") #endif + #endif int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) { word32 i; diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 4b2e4e42c7..66cffe7e5a 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -342,6 +342,26 @@ #endif #endif +/* Bare metal configuration */ +#ifdef WOLFSSL_BAREMETAL + #define SINGLE_THREADED + #define NO_DEV_RANDOM + #define NO_FILESYSTEM + #define NO_WRITEV + #define NO_STDIO_FILESYSTEM + #define WOLFSSL_NO_GETPID + #ifndef HAVE_SYS_SOCKET_H + #define WOLFSSL_NO_SOCK + #endif + + #ifdef WOLFCRYPT_ONLY + /* Only disable ASN time checking (by default) if building crypto-only. + * For systems without RTC this can be used to bypass certificate date + * checking. */ + #define NO_ASN_TIME + #endif +#endif + #if !defined(WOLFSSL_CUSTOM_CONFIG) && \ ((defined(BUILDING_WOLFSSL) && defined(WOLFSSL_USE_OPTIONS_H)) || \ (defined(BUILDING_WOLFSSL) && defined(WOLFSSL_OPTIONS_H) && \