wolfPKCS11 support for using TPM 2.0 module as backend. Uses wolfTPM …

…and supports RSA and ECC. Requires wolfSSL/wolfTPM#311 Added CI testing for wolfPKCS11 with wolfTPM backend and single threaded. The keystore will use TPM NV if `WOLFPKCS11_TPM_STORE` is defined.
wolfSSL · Nov 28, 2023 · 9de6d53 · 9de6d53
1 parent d6f8c0c
commit 9de6d53
Show file tree

Hide file tree

Showing 7 changed files with 286 additions and 50 deletions.
diff --git a/.github/workflows/build-workflow.yml b/.github/workflows/build-workflow.yml
@@ -7,6 +7,10 @@ on:
         config:
           required: false
           type: string
+        check:
+          required: false
+          type: string
+          default: 'make check'
 
 jobs:
   build:
@@ -30,7 +34,7 @@ jobs:
     - name: wolfssl configure
       working-directory: ./wolfssl
       run: |
-        ./configure --enable-cryptonly --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt \
+        ./configure --enable-cryptocb --enable-aescfb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt \
             C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
     - name: wolfssl make install
       working-directory: ./wolfssl
@@ -41,6 +45,39 @@ jobs:
           sudo make install
           sudo ldconfig
 
+#setup ibmswtpm2
+    - uses: actions/checkout@v3
+      with:
+        repository: kgoldman/ibmswtpm2
+        path: ibmswtpm2
+    - name: ibmswtpm2 make
+      working-directory: ./ibmswtpm2/src
+      run: |
+          make
+          ./tpm_server &
+
+#setup wolftpm
+    - uses: actions/checkout@v3
+      with:
+        repository: dgarske/wolftpm
+        ref: tpm_cryptocb_keygen
+        path: wolftpm
+    - name: wolftpm autogen
+      working-directory: ./wolftpm
+      run: ./autogen.sh
+    - name: wolftpm configure
+      working-directory: ./wolftpm
+      run: |
+        ./configure --enable-swtpm
+    - name: wolftpm make install
+      working-directory: ./wolftpm
+      run: make
+    - name: wolftpm make install
+      working-directory: ./wolftpm
+      run: |
+          sudo make install
+          sudo ldconfig
+
 #setup wolfPKCS11
     - name: wolfpkcs11 autogen
       run: ./autogen.sh
@@ -49,7 +86,7 @@ jobs:
     - name: wolfpkcs11 make
       run: make
     - name: wolfpkcs11 make check
-      run: make check
+      run: ${{inputs.check}}
     - name: wolfpkcs11 make install
       run: sudo make install
     - name: wolfpkcs11 make dist

diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -2,7 +2,7 @@ name: wolfPKCS11 Build Tests
 
 on:
   push:
-    branches: [ '*' ]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
 
@@ -11,6 +11,17 @@ jobs:
   defaults_all:
     uses: ./.github/workflows/build-workflow.yml
 
+  single_theaded:
+    uses: ./.github/workflows/build-workflow.yml
+    with:
+      config: --enable-singlethreaded
+
+  tpm:
+    uses: ./.github/workflows/build-workflow.yml
+    with:
+      config: --enable-singlethreaded --enable-wolftpm --disable-dh CFLAGS="-DWOLFPKCS11_TPM_STORE"
+      check: ./tests/pkcs11test
+
   no_rsa:
     uses: ./.github/workflows/build-workflow.yml
     with:

diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@ Build wolfSSL:
 git clone https://github.com/wolfSSL/wolfssl.git
 cd wolfssl
 ./autogen.sh
-./configure --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
+./configure --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt C_EXTRA_FLAGS="-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT"
 make
 make check
 sudo make install
@@ -35,6 +35,18 @@ make check
 
 ### Build options and defines
 
+#### TPM support with wolfTPM
+
+Enables using a TPM for cryptography and keystore.
+Tested using `./configure --enable-singlethreaded --enable-wolftpm --disable-dh CFLAGS="-DWOLFPKCS11_TPM_STORE" && make`.
+
+Note: The TPM does not support DH, so only RSA and ECC are supported.
+
+##### Define WOLFPKCS11_TPM_STORE
+
+Use `WOLFPKCS11_TPM_STORE` storing objects in TPM NV.
+
+
 #### Define WOLFPKCS11_NO_STORE
 
 Disables storage of tokens.
@@ -48,6 +60,7 @@ See wolfpkcs11/store.h for prototypes of functions to implement.
 
 Sets the private key's label against the public key when generating key pairs.
 
+
 ## Environment variables
 
 ### WOLFPKCS11_TOKEN_PATH

diff --git a/configure.ac b/configure.ac
@@ -324,6 +324,20 @@ if test "$enable_shared" = "no"; then
     AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS11_STATIC"
 fi
 
+
+AC_ARG_ENABLE([wolftpm],
+    [AS_HELP_STRING([--enable-wolftpm],[Enable wolfTPM keystore support (default: disabled)])],
+    [ ENABLED_TPM=$enableval ],
+    [ ENABLED_TPM=no ]
+    )
+if test "$ENABLED_TPM" = "yes"
+then
+    LIBS="$LIBS -lwolftpm"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFPKCS11_TPM"
+fi
+
+
+
 AM_CONDITIONAL([BUILD_STATIC],[test "x$enable_shared" = "xno"])