diff --git a/.github/workflows/test-build-lms.yml b/.github/workflows/test-build-lms.yml index 608a1036e..ff5835473 100644 --- a/.github/workflows/test-build-lms.yml +++ b/.github/workflows/test-build-lms.yml @@ -34,17 +34,6 @@ jobs: run: | sudo apt-get install -y gcc-arm-none-eabi gcc-aarch64-linux-gnu gcc-powerpc-linux-gnu gnu-efi - - name: Create lib hash-sigs - run: | - mkdir -p lib/hash-sigs/lib - - - name: Clone hash-sigs repository - run: | - git clone https://github.com/cisco/hash-sigs.git lib/hash-sigs/src && \ - cd lib/hash-sigs/src && git checkout b0631b8891295bf2929e68761205337b7c031726 && \ - git apply ../../../tools/lms/0001-Patch-to-support-wolfBoot-LMS-build.patch && \ - cd ../../.. - - name: make clean run: | make distclean diff --git a/.github/workflows/test-renode-nrf52.yml b/.github/workflows/test-renode-nrf52.yml index 1759e2ad5..ddfede82a 100644 --- a/.github/workflows/test-renode-nrf52.yml +++ b/.github/workflows/test-renode-nrf52.yml 
@@ -58,14 +58,29 @@ jobs: - name: Renode Tests RSA4096 run: ./tools/renode/docker-test.sh "SIGN=RSA4096" +# +# LMS and ext_LMS tests +# # LMS TEST - name: Renode Tests LMS-8-5-5 run: ./tools/renode/docker-test.sh "SIGN=LMS LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2644 IMAGE_HEADER_SIZE=5288" +# ext_LMS TEST + - name: Renode Tests ext_LMS-8-5-5 + run: ./tools/renode/docker-test.sh "SIGN=ext_LMS LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2644 IMAGE_HEADER_SIZE=5288" + +# +# XMSS and ext_XMSS tests +# # XMSS TEST - name: Renode Tests XMSS-SHA2_10_256 run: ./tools/renode/docker-test.sh "SIGN=XMSS XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE=5000" +# ext_XMSS TEST + - name: Renode Tests ext_XMSS-SHA2_10_256 + run: ./tools/renode/docker-test.sh "SIGN=ext_XMSS XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE=5000" + + - name: Upload Output Dir uses: actions/upload-artifact@v2 with: diff --git a/config/examples/sim-xmss.config b/config/examples/sim-xmss.config index 57c77f435..461e88b6c 100644 --- a/config/examples/sim-xmss.config +++ b/config/examples/sim-xmss.config @@ -1,5 +1,10 @@ # XMSS/XMSS^MT/HSS signature example, based on sim.config example. # +# XMSS/XMSS^MT is a post-quantum, stateful, hash-based signature scheme. +# +# Use the helper script +# tools/xmss/xmss_siglen.sh +# to calculate your signature length given an xmss parameter string. # ARCH=sim diff --git a/docs/PQ.md b/docs/PQ.md index d2cbb465c..13b2eb950 100644 --- a/docs/PQ.md +++ b/docs/PQ.md 
@@ -19,42 +19,18 @@ See these links for more info on stateful HBS support and wolfSSL/wolfCrypt: - https://www.wolfssl.com/documentation/manuals/wolfssl/appendix07.html#post-quantum-stateful-hash-based-signatures - https://github.com/wolfSSL/wolfssl-examples/tree/master/pq/stateful_hash_sig +## Supported PQ Signature Methods -## LMS/HSS +These four PQ signature options are supported: +- LMS: uses wolfcrypt implementation from `wc_lms.c`, and `wc_lms_impl.c`. +- XMSS: uses wolfcrypt implementation from `wc_xmss.c`, and `wc_xmss_impl.c`. +- ext_LMS: uses external integration from `ext_lms.c`. +- ext_XMSS: uses external integration from `ext_xmss.c`. +The wolfcrypt implementations are more performant and are recommended. +The external integrations are experimental and for testing interoperability. -### Building with LMS Support - -LMS/HSS support in wolfCrypt requires the hash-sigs library ( https://github.com/cisco/hash-sigs ). -Use the following procedure to prepare hash-sigs for building with wolfBoot: - -``` -$ cd lib -$ mkdir hash-sigs -$ls - CMakeLists.txt hash-sigs wolfssl wolfTPM -$ cd hash-sigs -$ mkdir lib -$ git clone https://github.com/cisco/hash-sigs.git src -$ cd src -$ git checkout b0631b8891295bf2929e68761205337b7c031726 -$ git apply ../../../tools/lms/0001-Patch-to-support-wolfBoot-LMS-build.patch -``` - -Nothing more is needed, as wolfBoot will automatically produce the required -hash-sigs build artifacts. - -Note: the hash-sigs project only builds static libraries: -- hss_verify.a: a single-threaded verify-only static lib. -- hss_lib.a: a single-threaded static lib. -- hss_lib_thread.a: a multi-threaded static lib. - -The keytools utility links against `hss_lib.a`, as it needs full -keygen, signing, and verifying functionality. However wolfBoot -links directly with the subset of objects in the `hss_verify.a` -build rule, as it only requires verify functionality. - -### LMS Config +### LMS/HSS Config A new LMS sim example has been added here: ``` 
@@ -86,31 +62,8 @@ winternitz: 8 signature length: 2644 ``` -## XMSS/XMSS^MT +### XMSS/XMSS^MT Config -### Building with XMSS Support - -XMSS/XMSS^MT support in wolfCrypt requires a patched version of the -xmss-reference library ( https://github.com/XMSS/xmss-reference.git ). -Use the following procedure to prepare xmss-reference for building with -wolfBoot: - -``` -$ cd lib -$ git clone https://github.com/XMSS/xmss-reference.git xmss -$ ls -CMakeLists.txt wolfPKCS11 wolfTPM wolfssl xmss -$ cd xmss -$ git checkout 171ccbd26f098542a67eb5d2b128281c80bd71a6 -$ git apply ../../tools/xmss/0001-Patch-to-support-wolfSSL-xmss-reference-integration.patch -``` - -The patch creates an addendum readme, `patch_readme.md`, with further comments. - -Nothing more is needed beyond the patch step, as wolfBoot will handle building -the xmss build artifacts it requires. - -### XMSS Config A new XMSS sim example has been added here: ``` config/examples/sim-xmss.config 
@@ -142,3 +95,59 @@ $ ./tools/xmss/xmss_siglen.sh XMSSMT-SHA2_20/2_256 parameter set: XMSSMT-SHA2_20/2_256 signature length: 4963 ``` + +## Building the external PQ Integrations + +### ext_LMS Support + +The external LMS/HSS support in wolfCrypt requires the hash-sigs library ( https://github.com/cisco/hash-sigs ). +Use the following procedure to prepare hash-sigs for building with wolfBoot: + +``` +$ cd lib +$ mkdir hash-sigs +$ls + CMakeLists.txt hash-sigs wolfssl wolfTPM +$ cd hash-sigs +$ mkdir lib +$ git clone https://github.com/cisco/hash-sigs.git src +$ cd src +$ git checkout b0631b8891295bf2929e68761205337b7c031726 +$ git apply ../../../tools/lms/0001-Patch-to-support-wolfBoot-LMS-build.patch +``` + +Nothing more is needed, as wolfBoot will automatically produce the required +hash-sigs build artifacts. + +Note: the hash-sigs project only builds static libraries: +- hss_verify.a: a single-threaded verify-only static lib. +- hss_lib.a: a single-threaded static lib. +- hss_lib_thread.a: a multi-threaded static lib. + +The keytools utility links against `hss_lib.a`, as it needs full +keygen, signing, and verifying functionality. However wolfBoot +links directly with the subset of objects in the `hss_verify.a` +build rule, as it only requires verify functionality. + + +### ext_XMSS Support + +The external XMSS/XMSS^MT support in wolfCrypt requires a patched version of the +xmss-reference library ( https://github.com/XMSS/xmss-reference.git ). +Use the following procedure to prepare xmss-reference for building with +wolfBoot: + +``` +$ cd lib +$ git clone https://github.com/XMSS/xmss-reference.git xmss +$ ls +CMakeLists.txt wolfPKCS11 wolfTPM wolfssl xmss +$ cd xmss +$ git checkout 171ccbd26f098542a67eb5d2b128281c80bd71a6 +$ git apply ../../tools/xmss/0001-Patch-to-support-wolfSSL-xmss-reference-integration.patch +``` + +The patch creates an addendum readme, `patch_readme.md`, with further comments. 
+ +Nothing more is needed beyond the patch step, as wolfBoot will handle building +the xmss build artifacts it requires. diff --git a/docs/STM32-TZ.md b/docs/STM32-TZ.md index 4ed1b8306..109b04357 100644 --- a/docs/STM32-TZ.md +++ b/docs/STM32-TZ.md @@ -53,7 +53,7 @@ OPTION BYTES BANK: 0 nRST_STOP : 0x1 (No reset generated when entering Stop mode) nRST_STDBY : 0x1 (No reset generated when entering Standby mode) nRST_SHDW : 0x1 (No reset generated when entering the Shutdown mode) - IWDG_SW : 0x1 (Software independant watchdog) + IWDG_SW : 0x1 (Software independent watchdog) IWDG_STOP : 0x1 (IWDG counter active in stop mode) IWDG_STDBY : 0x1 (IWDG counter active in standby mode) WWDG_SW : 0x1 (Software window watchdog) diff --git a/docs/Signing.md b/docs/Signing.md index 8c58acc24..d95b9c705 100644 --- a/docs/Signing.md +++ b/docs/Signing.md @@ -104,6 +104,12 @@ file is in this format. * `--rsa4096` Use rsa4096 for signing the firmware. Assume that the given KEY.DER file is in this format. + * `--lms` Use LMS/HSS for signing the firmware. Assume that the given KEY.DER +file is in this format. + + * `--xmss` Use XMSS/XMSS^MT for signing the firmware. Assume that the given KEY.DER +file is in this format. + * `--no-sign` Disable secure boot signature verification. No signature verification is performed in the bootloader, and the KEY.DER argument should not be supplied. diff --git a/docs/Targets.md b/docs/Targets.md index bc84d8d6f..b1ebb393f 100644 --- a/docs/Targets.md +++ b/docs/Targets.md @@ -1766,7 +1766,7 @@ O.K. Reset or power cycle board. -Once wolfBoot has performaed validation of the partition and booted the D15 Green LED on P3_13 will illuminate. +Once wolfBoot has performed validation of the partition and booted the D15 Green LED on P3_13 will illuminate. ### MCX A: Testing firmware update 
@@ -1935,10 +1935,10 @@ Flash Allocation: Detailed steps can be found at [Readme.md](../IDE/Renesas/e2studio/RA6M4/Readme.md). ## Renesas RZN2L -This example demonstrates simple secure firmware boot from extarnal flash by wolfBoot. +This example demonstrates simple secure firmware boot from external flash by wolfBoot. A sample application v1 is securely loaded into internal RAM if there is not higher version in update region. A sample application v2 will be loaded when it is in update region.Both versions behave the same except blinking LED Red(v1) or Yellow(v2). They are compiled by e2Studio and running on the target board. -The exmaple uses SPI boot mode with external flash on the evaluation board. On this boot mode, the loader program, which is wolfBoot, is copied to the internal RAM(B-TCM). wolfBoot copies the application program from external flash memory to RAM(System RAM). As final step of wolfBoot the entry point of the copied applicatin program is called if its integrity and authenticity are OK. +The example uses SPI boot mode with external flash on the evaluation board. On this boot mode, the loader program, which is wolfBoot, is copied to the internal RAM(B-TCM). wolfBoot copies the application program from external flash memory to RAM(System RAM). As final step of wolfBoot the entry point of the copied application program is called if its integrity and authenticity are OK. ![Operation Overview](../IDE/Renesas/e2studio/RZN2L/doc/image1.png) diff --git a/lib/wolfssl b/lib/wolfssl index 8970ff4c3..33817747c 160000 --- a/lib/wolfssl +++ b/lib/wolfssl @@ -1 +1 @@ -Subproject commit 8970ff4c34034dbb3594943d11f8c9d4c5512bd5 +Subproject commit 33817747c4ac071da06bb4b473a0128e9a6812d6 diff --git a/options.mk b/options.mk index 1ceb5cab3..4f7bf12de 100644 --- a/options.mk +++ b/options.mk 
@@ -323,7 +323,7 @@ ifneq ($(findstring RSA4096,$(SIGN)),) endif endif -ifeq ($(SIGN),LMS) +ifneq (,$(filter $(SIGN), LMS ext_LMS)) # For LMS the signature size is a function of the LMS parameters. # All five of these parms must be set in the LMS .config file: # LMS_LEVELS, LMS_HEIGHT, LMS_WINTERNITZ, IMAGE_SIGNATURE_SIZE, @@ -348,7 +348,33 @@ ifeq ($(SIGN),LMS) ifndef IMAGE_HEADER_SIZE $(error IMAGE_HEADER_SIZE not set) endif +endif +ifeq ($(SIGN),LMS) + KEYGEN_OPTIONS+=--lms + SIGN_OPTIONS+=--lms + WOLFCRYPT_OBJS+= \ + ./lib/wolfssl/wolfcrypt/src/wc_lms.o \ + ./lib/wolfssl/wolfcrypt/src/wc_lms_impl.o \ + ./lib/wolfssl/wolfcrypt/src/memory.o \ + ./lib/wolfssl/wolfcrypt/src/wc_port.o \ + ./lib/wolfssl/wolfcrypt/src/hash.o + CFLAGS+=-D"WOLFBOOT_SIGN_LMS" -D"WOLFSSL_HAVE_LMS" \ + -D"WOLFSSL_WC_LMS" -D"WOLFSSL_WC_LMS_SMALL" \ + -D"WOLFSSL_LMS_MAX_LEVELS=$(LMS_LEVELS)" \ + -D"WOLFSSL_LMS_MAX_HEIGHT=$(LMS_HEIGHT)" \ + -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \ + -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)" \ + -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ + -D"WOLFSSL_LMS_VERIFY_ONLY" + ifeq ($(WOLFBOOT_SMALL_STACK),1) + $(error WOLFBOOT_SMALL_STACK with LMS not supported) + else + STACK_USAGE=1024 + endif +endif + +ifeq ($(SIGN),ext_LMS) LMSDIR = lib/hash-sigs KEYGEN_OPTIONS+=--lms SIGN_OPTIONS+=--lms @@ -377,11 +403,11 @@ ifeq ($(SIGN),LMS) ifeq ($(WOLFBOOT_SMALL_STACK),1) $(error WOLFBOOT_SMALL_STACK with LMS not supported) else - STACK_USAGE=18064 + STACK_USAGE=1024 endif endif -ifeq ($(SIGN),XMSS) +ifneq (,$(filter $(SIGN), XMSS ext_XMSS)) ifndef XMSS_PARAMS $(error XMSS_PARAMS not set) endif 
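Review bot: In the `ifeq ($(SIGN),ext_LMS)` block (third hunk), `STACK_USAGE` drops from 18064 to 1024, exactly the value the new wolfCrypt `LMS` block sets, although this block still builds against `lib/hash-sigs`. The XMSS pair later in the file gets two distinct figures (2688 for `XMSS`, 2712 for `ext_XMSS`), so the identical LMS number looks carried over rather than measured. If `STACK_USAGE` feeds a stack-limit check elsewhere in the build (not visible here), an under-declared budget for the external verifier would either fail the ext_LMS build or hide a real overrun on the target. Please confirm the figure and record its origin next to it, e.g. `# measured for hash-sigs verify-only, LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8`. The block itself starts outside the hunk.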
@@ -393,7 +419,32 @@ ifeq ($(SIGN),XMSS) ifndef IMAGE_HEADER_SIZE $(error IMAGE_HEADER_SIZE not set) endif +endif +ifeq ($(SIGN),XMSS) + # Use wc_xmss implementation. + KEYGEN_OPTIONS+=--xmss + SIGN_OPTIONS+=--xmss + WOLFCRYPT_OBJS+= \ + ./lib/wolfssl/wolfcrypt/src/wc_xmss.o \ + ./lib/wolfssl/wolfcrypt/src/wc_xmss_impl.o \ + ./lib/wolfssl/wolfcrypt/src/memory.o \ + ./lib/wolfssl/wolfcrypt/src/wc_port.o \ + ./lib/wolfssl/wolfcrypt/src/hash.o + CFLAGS+=-D"WOLFBOOT_SIGN_XMSS" -D"WOLFSSL_HAVE_XMSS" \ + -D"WOLFSSL_WC_XMSS" -D"WOLFSSL_WC_XMSS_SMALL" \ + -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\" \ + -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ + -D"WOLFSSL_XMSS_VERIFY_ONLY" -D"WOLFSSL_XMSS_MAX_HEIGHT=32" + ifeq ($(WOLFBOOT_SMALL_STACK),1) + $(error WOLFBOOT_SMALL_STACK with XMSS not supported) + else + STACK_USAGE=2688 + endif +endif + +ifeq ($(SIGN),ext_XMSS) + # Use ext_xmss implementation. XMSSDIR = lib/xmss KEYGEN_OPTIONS+=--xmss SIGN_OPTIONS+=--xmss @@ -411,19 +462,19 @@ ifeq ($(SIGN),XMSS) ./lib/wolfssl/wolfcrypt/src/wc_port.o \ ./lib/wolfssl/wolfcrypt/src/hash.o CFLAGS+=-D"WOLFBOOT_SIGN_XMSS" -D"WOLFSSL_HAVE_XMSS" -D"HAVE_LIBXMSS" \ - -DXMSS_PARAMS=\"$(XMSS_PARAMS)\" -I$(XMSSDIR) \ + -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\" -I$(XMSSDIR) \ -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ -D"WOLFSSL_XMSS_VERIFY_ONLY" -D"XMSS_VERIFY_ONLY" ifeq ($(WOLFBOOT_SMALL_STACK),1) $(error WOLFBOOT_SMALL_STACK with XMSS not supported) else - STACK_USAGE=18064 + STACK_USAGE=2712 endif endif # Only needed if using 3rd party integration. This can be -# removed when wc_lms and wc_xmss become default in wolfboot. -ifneq (,$(filter $(SIGN), LMS XMSS)) +# removed if ext_lms and ext_xmss are deprecated. +ifneq (,$(filter $(SIGN), ext_LMS ext_XMSS)) CFLAGS +=-DWOLFSSL_EXPERIMENTAL_SETTINGS endif @@ -748,3 +799,11 @@ endif ifeq ($(SIGN_ALG),) SIGN_ALG=$(SIGN) endif + +ifeq ($(SIGN_ALG),ext_XMSS) + SIGN_ALG=XMSS +endif + +ifeq ($(SIGN_ALG),ext_LMS) + SIGN_ALG=LMS +endif 
diff --git a/src/image.c b/src/image.c index d2c98762e..8e6a27414 100644 --- a/src/image.c +++ b/src/image.c @@ -320,6 +320,8 @@ static void wolfBoot_verify_signature(uint8_t key_slot, #include #ifdef HAVE_LIBLMS #include +#else + #include #endif static void wolfBoot_verify_signature(uint8_t key_slot, @@ -386,6 +388,8 @@ static void wolfBoot_verify_signature(uint8_t key_slot, #include #ifdef HAVE_LIBXMSS #include +#else + #include #endif static void wolfBoot_verify_signature(uint8_t key_slot, @@ -410,18 +414,16 @@ static void wolfBoot_verify_signature(uint8_t key_slot, return; } - wolfBoot_printf("info: using XMSS parameters: %s\n", XMSS_PARAMS); - /* Set the XMSS parameters. */ - ret = wc_XmssKey_SetParamStr(&xmss, XMSS_PARAMS); + ret = wc_XmssKey_SetParamStr(&xmss, WOLFBOOT_XMSS_PARAMS); if (ret != 0) { /* Something is wrong with the pub key or XMSS parameters. */ wolfBoot_printf("error: wc_XmssKey_SetParamStr(%s)" \ - " returned %d\n", XMSS_PARAMS, ret); + " returned %d\n", WOLFBOOT_XMSS_PARAMS, ret); return; } - wolfBoot_printf("info: using XMSS parameters: %s\n", XMSS_PARAMS); + wolfBoot_printf("info: using XMSS parameters: %s\n", WOLFBOOT_XMSS_PARAMS); /* Set the public key. */ ret = wc_XmssKey_ImportPubRaw(&xmss, pubkey, KEYSTORE_PUBKEY_SIZE); diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile index 37512e78a..5c6bd7aba 100644 --- a/tools/keytools/Makefile +++ b/tools/keytools/Makefile 
@@ -17,25 +17,47 @@ LDFLAGS = OBJDIR = ./ LIBS = -ifeq ($(SIGN),LMS) +# Common to wc_lms and ext_lms. +ifneq (,$(filter $(SIGN), LMS ext_LMS)) + CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \ + -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \ + -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)" +endif + +# Specific to ext_lms. +ifeq ($(SIGN),ext_LMS) LMSDIR = $(WOLFBOOTDIR)/lib/hash-sigs LIBS += $(LMSDIR)/lib/hss_lib.a - CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS -DHAVE_LIBLMS -I$(LMSDIR)/src \ - -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \ - -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)" + CFLAGS +=-DHAVE_LIBLMS -I$(LMSDIR)/src endif -ifeq ($(SIGN),XMSS) +# Specific to wc_lms. +ifeq ($(SIGN),LMS) + CFLAGS +=-DWOLFSSL_WC_LMS +endif + +# Common to wc_xmss and ext_xmss. +ifneq (,$(filter $(SIGN), XMSS ext_XMSS)) $(info xmss params: $(XMSS_PARAMS)) + CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \ + -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ + -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\" +endif + +# Specific to ext_xmss. +ifeq ($(SIGN),ext_XMSS) XMSSDIR = $(WOLFBOOTDIR)/lib/xmss - CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS -DHAVE_LIBXMSS -I$(XMSSDIR) \ - -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ - -DXMSS_PARAMS=\"$(XMSS_PARAMS)\" + CFLAGS +=-DHAVE_LIBXMSS -I$(XMSSDIR) +endif + +# Specific to wc_xmss. +ifeq ($(SIGN),XMSS) + CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32" endif # Only needed if using 3rd party integration. This can be -# removed when wc_lms and wc_xmss become default in wolfboot. -ifneq (,$(filter $(SIGN), LMS XMSS)) +# removed if ext_lms and ext_xmss are deprecated. +ifneq (,$(filter $(SIGN), ext_LMS ext_XMSS)) CFLAGS +=-DWOLFSSL_EXPERIMENTAL_SETTINGS endif 
@@ -88,15 +110,34 @@ OBJS_REAL=\ $(WOLFDIR)/wolfcrypt/src/sha512.o \ $(WOLFDIR)/wolfcrypt/src/tfm.o \ $(WOLFDIR)/wolfcrypt/src/wc_port.o \ - $(WOLFDIR)/wolfcrypt/src/wolfmath.o \ - $(WOLFDIR)/wolfcrypt/src/ext_lms.o \ - $(WOLFDIR)/wolfcrypt/src/ext_xmss.o + $(WOLFDIR)/wolfcrypt/src/wolfmath.o OBJS_REAL+=\ $(WOLFBOOTDIR)/src/delta.o +# Add wolfcrypt lms implementation. +ifeq ($(SIGN),LMS) +OBJS_REAL+=\ + $(WOLFDIR)/wolfcrypt/src/wc_lms.o \ + $(WOLFDIR)/wolfcrypt/src/wc_lms_impl.o +endif + +# Add external lms integration. +ifeq ($(SIGN),ext_LMS) +OBJS_REAL+= $(WOLFDIR)/wolfcrypt/src/ext_lms.o +endif + +# Add wolfcrypt xmss implementation. ifeq ($(SIGN),XMSS) OBJS_REAL+=\ + $(WOLFDIR)/wolfcrypt/src/wc_xmss.o \ + $(WOLFDIR)/wolfcrypt/src/wc_xmss_impl.o +endif + +# Add external xmss integration. +ifeq ($(SIGN),ext_XMSS) +OBJS_REAL+=\ + $(WOLFDIR)/wolfcrypt/src/ext_xmss.o \ $(XMSSDIR)/params.o \ $(XMSSDIR)/thash.o \ $(XMSSDIR)/hash_address.o \ @@ -112,7 +153,7 @@ vpath %.c $(WOLFDIR)/wolfcrypt/src/ vpath %.c $(WOLFBOOTDIR)/src/ vpath %.c ./ -ifeq ($(SIGN),XMSS) +ifeq ($(SIGN),ext_XMSS) vpath %.c $(XMSSDIR)/ endif diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index 58c1a38b3..750852d75 100644 --- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c @@ -65,6 +65,8 @@ #include #ifdef HAVE_LIBLMS #include + #else + #include #endif #endif @@ -72,6 +74,8 @@ #include #ifdef HAVE_LIBXMSS #include + #else + #include #endif #endif 
@@ -627,14 +631,14 @@ static void keygen_xmss(const char *priv_fname, uint32_t id_mask) exit(1); } - ret = wc_XmssKey_SetParamStr(&key, XMSS_PARAMS); + ret = wc_XmssKey_SetParamStr(&key, WOLFBOOT_XMSS_PARAMS); if (ret != 0) { fprintf(stderr, "error: wc_XmssKey_SetParamStr(%s)" \ - " returned %d\n", XMSS_PARAMS, ret); + " returned %d\n", WOLFBOOT_XMSS_PARAMS, ret); exit(1); } - printf("info: using XMSS parameters: %s\n", XMSS_PARAMS); + printf("info: using XMSS parameters: %s\n", WOLFBOOT_XMSS_PARAMS); ret = wc_XmssKey_SetWriteCb(&key, xmss_write_key); if (ret != 0) { diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index 72d2778e5..83def1a94 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -110,6 +110,8 @@ static inline int fp_truncate(FILE *f, size_t len) #include #ifdef HAVE_LIBLMS #include + #else + #include #endif #endif @@ -117,6 +119,8 @@ static inline int fp_truncate(FILE *f, size_t len) #include #ifdef HAVE_LIBXMSS #include + #else + #include #endif #endif @@ -781,7 +785,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, * * If both priv/pub are present: * - The first ?? bytes is the private key. - * - The next 60 bytes is the public key. */ + * - The next 68 bytes is the public key. */ word32 priv_sz = 0; int xmss_ret = 0; @@ -969,7 +973,7 @@ static int sign_digest(int sign, int hash_algo, ret = wc_XmssKey_SetContext(&key.xmss, (void*)CMD.key_file); } if (ret == 0) { - ret = wc_XmssKey_SetParamStr(&key.xmss, XMSS_PARAMS); + ret = wc_XmssKey_SetParamStr(&key.xmss, WOLFBOOT_XMSS_PARAMS); } if (ret == 0) { ret = wc_XmssKey_Reload(&key.xmss); 
@@ -2297,14 +2301,14 @@ int main(int argc, char** argv) exit(1); } - xmss_ret = wc_XmssKey_SetParamStr(&key.xmss, XMSS_PARAMS); + xmss_ret = wc_XmssKey_SetParamStr(&key.xmss, WOLFBOOT_XMSS_PARAMS); if (xmss_ret != 0) { fprintf(stderr, "error: wc_XmssKey_SetParamStr(%s)" \ - " returned %d\n", XMSS_PARAMS, ret); + " returned %d\n", WOLFBOOT_XMSS_PARAMS, ret); exit(1); } - printf("info: using XMSS parameters: %s\n", XMSS_PARAMS); + printf("info: using XMSS parameters: %s\n", WOLFBOOT_XMSS_PARAMS); xmss_ret = wc_XmssKey_GetSigLen(&key.xmss, &sig_sz); if (xmss_ret != 0) { @@ -2322,7 +2326,7 @@ int main(int argc, char** argv) if (((CMD.sign != NO_SIGN) && (CMD.signature_sz == 0)) || CMD.header_sz == 0) { - printf("Invalid hash or signature type!\n"); + printf("Invalid hash or signature type! %d\n", CMD.sign); exit(2); } diff --git a/tools/scripts/renode-test-update.sh b/tools/scripts/renode-test-update.sh index f2504ba56..983fa717a 100755 --- a/tools/scripts/renode-test-update.sh +++ b/tools/scripts/renode-test-update.sh @@ -20,15 +20,12 @@ quit_renode() { rm -f $RENODE_UART -if (echo $TEST_OPTIONS | grep "LMS" &>/dev/null); then +# external LMS test +if (echo $TEST_OPTIONS | grep "ext_LMS" &>/dev/null); then # Need git. apt install -y git - # wolfSSL needs to be on latest master for LMS support. Also, we need to - # add the wolfssl module as a safe directory so docker can use it. - git config --global --add safe.directory /workspace/lib/wolfssl || exit 2 - cd lib/wolfssl && git checkout master && git pull && cd ../.. || exit 2 - + # Extra steps needed for external LMS support. # Need to clone the hash-sigs repo, and patch it for wolfBoot build. mkdir -p lib/hash-sigs/lib || exit 2 git clone https://github.com/cisco/hash-sigs.git lib/hash-sigs/src || exit 2 
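Review bot: The rewritten error line in the first sign.c hunk still prints `ret`, while the call and the check use `xmss_ret`, so a failing `wc_XmssKey_SetParamStr` reports whatever `ret` happens to hold instead of the actual error code. The argument list should read `WOLFBOOT_XMSS_PARAMS, xmss_ret);`. In the following hunk, `printf("Invalid hash or signature type! %d\n", CMD.sign);` would be more consistent as `fprintf(stderr, ...)`, like the other error paths visible here. `main()` begins and ends outside both hunks.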
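Review bot: The new guard `echo $TEST_OPTIONS | grep "ext_LMS"` expands the options string unquoted and matches the substring anywhere in it, so word splitting and globbing apply before grep sees the text, and any option value containing `ext_LMS` triggers the clone-and-patch path. Tying it to the selected algorithm is tighter: `if printf '%s\n' "$TEST_OPTIONS" | grep -q 'SIGN=ext_LMS'; then`. The `ext_XMSS` guard in the next hunk has the same form and would take the same change. The checkout of the pinned commits that follows the clones should stay as it is, since it is what keeps the fetched third-party code reproducible.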
@@ -37,17 +34,13 @@ if (echo $TEST_OPTIONS | grep "LMS" &>/dev/null); then cd ../../.. || exit 2 fi -if (echo $TEST_OPTIONS | grep "XMSS" &>/dev/null); then +# external XMSS test +if (echo $TEST_OPTIONS | grep "ext_XMSS" &>/dev/null); then # Need git. apt install -y git - # wolfSSL needs to be on latest master for XMSS support. Also, we need to - # add the wolfssl module as a safe directory so docker can use it. - git config --global --add safe.directory /workspace/lib/wolfssl || exit 2 - cd lib/wolfssl && git checkout master && git pull && cd ../.. || exit 2 - - - # Need to clone the hash-sigs repo, and patch it for wolfBoot build. + # Extra steps needed for external XMSS support. + # Need to clone the xmss-reference repo, and patch it for wolfBoot build. cd lib || exit 2 git clone https://github.com/XMSS/xmss-reference.git xmss || exit 2 cd xmss && git checkout 171ccbd26f098542a67eb5d2b128281c80bd71a6 && \ diff --git a/tools/test-renode.mk b/tools/test-renode.mk index 76d31d911..171207e56 100644 --- a/tools/test-renode.mk +++ b/tools/test-renode.mk @@ -20,7 +20,7 @@ RENODE_BINASSEMBLE=tools/bin-assemble/bin-assemble LMS_OPTS=LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 \ IMAGE_SIGNATURE_SIZE=2644 IMAGE_HEADER_SIZE=5288 -XMSS_OPTS=XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 \ +XMSS_OPTS=WOLFBOOT_XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 \ IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE=5000 # python version only supported using diff --git a/tools/test.mk b/tools/test.mk index 223e492cf..29c7a2131 100644 --- a/tools/test.mk +++ b/tools/test.mk @@ -51,10 +51,10 @@ endif ifeq ($(SIGN),RSA4096) SIGN_ARGS+= --rsa4096 endif -ifeq ($(SIGN),LMS) +ifneq (,$(filter $(SIGN), LMS ext_LMS)) SIGN_ARGS+= --lms endif -ifeq ($(SIGN),XMSS) +ifneq (,$(filter $(SIGN), XMSS ext_XMSS)) SIGN_ARGS+= --xmss endif 
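Review bot: In tools/test-renode.mk, `XMSS_OPTS` now passes `WOLFBOOT_XMSS_PARAMS='XMSS-SHA2_10_256'`, but options.mk in this same commit still tests `ifndef XMSS_PARAMS` and expands `$(XMSS_PARAMS)` into `-DWOLFBOOT_XMSS_PARAMS=...`; only the C macro was renamed, not the make variable. A build driven by `XMSS_OPTS` would therefore presumably stop at `$(error XMSS_PARAMS not set)` unless the variable is supplied some other way. Keep the make-level name, as the workflow step in test-renode-nrf52.yml does: `XMSS_OPTS=XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 \`.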
@@ -970,7 +970,7 @@ test-all: clean
 test-size-all:
 make test-size SIGN=NONE LIMIT=4776
 make keysclean
- make test-size SIGN=ED25519 LIMIT=11380
+ make test-size SIGN=ED25519 LIMIT=11424
 make keysclean
 make test-size SIGN=ECC256 LIMIT=17824
 make keysclean
@@ -988,7 +988,7 @@ test-size-all:
 make keysclean
 make test-size SIGN=ECC384 NO_ASM=1 LIMIT=15024
 make keysclean
- make test-size SIGN=ED448 LIMIT=13464
+ make test-size SIGN=ED448 LIMIT=13536
 make keysclean
 make test-size SIGN=RSA3072 LIMIT=11240
 make keysclean