Remove dependency from PQC parameters. Speed up tests.

2024-12-02 18:55:32 +01:00 · 2024-12-02 18:55:32 +01:00 · 04d2ecd246
parent b2bf2988d3
commit 04d2ecd246
12 changed files with 73 additions and 141 deletions
--- a/.github/workflows/footprint.yml
+++ b/.github/workflows/footprint.yml
@ -22,7 +22,7 @@ jobs:

      - name: make clean
        run: |
-          make keysclean && make -C tools/keytools clean && rm -f include/target.h
+          make keysclean && rm -f include/target.h

      - name: Install wolfSSL
        run: |
@ -34,7 +34,7 @@ jobs:

      - name: Build key tools
        run: |
-          make -C tools/keytools
+          make keytools

      - name: Build wolfboot and test footprint
        run: |
--- a/.github/workflows/test-build-sim-tpm.yml
+++ b/.github/workflows/test-build-sim-tpm.yml
@ -44,9 +44,9 @@ jobs:
        with:
          submodules: true

-      - name: make distclean
+      - name: make keysclean
        run: |
-          make distclean
+          make keysclean

      - name: Select config
        run: |
--- a/.github/workflows/test-sunnyday-simulator.yml
+++ b/.github/workflows/test-sunnyday-simulator.yml
@ -29,7 +29,7 @@ jobs:
      #
      - name: make clean
        run: |
-          make distclean
+          make keysclean

      - name: Select config (32 bit simulator)
        run: |
@ -57,7 +57,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (ECC384)
        run: |
@ -77,7 +77,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (ECC521)
        run: |
@ -97,7 +97,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA2048)
        run: |
@ -117,7 +117,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA3072)
        run: |
@ -137,7 +137,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA4096)
        run: |
@ -159,7 +159,7 @@ jobs:
      #
      - name: make clean
        run: |
-          make distclean
+          make keysclean

      - name: Select config (32 bit simulator)
        run: |
@ -187,7 +187,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (ECC384, FASTMATH)
        run: |
@ -207,7 +207,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (ECC521, FASTMATH)
        run: |
@ -227,7 +227,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA2048, FASTMATH)
        run: |
@ -247,7 +247,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA3072, FASTMATH)
        run: |
@ -267,7 +267,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA4096, FASTMATH)
        run: |
@ -290,7 +290,7 @@ jobs:
      #
      - name: make clean
        run: |
-          make distclean
+          make keysclean

      - name: Select config (64 bit simulator)
        run: |
@ -318,7 +318,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (ECC384)
        run: |
@ -338,7 +338,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (ECC521)
        run: |
@ -358,7 +358,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA2048)
        run: |
@ -378,7 +378,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA3072)
        run: |
@ -398,7 +398,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA4096)
        run: |
@ -420,7 +420,7 @@ jobs:
      #
      - name: make clean
        run: |
-          make distclean
+          make keysclean

      - name: Select config (64 bit simulator)
        run: |
@ -448,7 +448,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (ECC384, FASTMATH)
        run: |
@ -468,7 +468,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (ECC521, FASTMATH)
        run: |
@ -488,7 +488,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA2048, FASTMATH)
        run: |
@ -508,7 +508,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA3072, FASTMATH)
        run: |
@ -528,7 +528,7 @@ jobs:

      - name: Cleanup to change key type
        run: |
-          make -C tools/keytools clean && make keysclean && make -C tools/keytools
+          make keysclean

      - name: Build wolfboot.elf (RSA4096, FASTMATH)
        run: |
@ -562,7 +562,7 @@ jobs:
      #
      - name: make clean
        run: |
-          make distclean
+          make keysclean

      - name: Select config (64 bit simulator) Hybrid ML_DSA + ECC
        run: |
--- a/5
+++ b/5
@ -204,7 +204,7 @@ include tools/test-renode.mk

 hal/$(TARGET).o:

-keytools_check: keytools FORCE
+keytools_check: keytools

 $(PRIVATE_KEY):
 	$(Q)$(MAKE) keytools_check
@ -223,7 +223,6 @@ $(SECONDARY_PRIVATE_KEY): $(PRIVATE_KEY) keystore.der

 keytools:
 	@echo "Building key tools"
-	@$(MAKE) -C tools/keytools -s clean
 	@$(MAKE) -C tools/keytools -j

 tpmtools: include/target.h keys
@ -281,7 +280,7 @@ wolfboot_stage1.bin: wolfboot.elf stage1/loader_stage1.bin

 wolfboot.elf: include/target.h $(LSCRIPT) $(OBJS) $(BINASSEMBLE) FORCE
 	$(Q)(test $(SIGN) = NONE) || (test $(FLASH_OTP_KEYSTORE) = 1) || (grep -q $(SIGN_ALG) src/keystore.c) || \
-		(echo "Key mismatch: please run 'make distclean' to remove all keys if you want to change algorithm" && false)
+		(echo "Key mismatch: please run 'make keysclean' to remove all keys if you want to change algorithm" && false)
 	@echo "\t[LD] $@"
 	@echo $(OBJS)
 	$(Q)$(LD) $(LDFLAGS) $(LSCRIPT_FLAGS) $(SECURE_LDFLAGS) $(LD_START_GROUP) $(OBJS) $(LIBS) $(LD_END_GROUP) -o $@
--- a/include/wolfboot/wolfboot.h
+++ b/include/wolfboot/wolfboot.h
@ -145,10 +145,14 @@ extern "C" {
        #define KEYSTORE_PUBKEY_SIZE_ML_DSA  1952
    #elif ML_DSA_LEVEL == 5
        #define KEYSTORE_PUBKEY_SIZE_ML_DSA  2592
-    #else
-        #error "Invalid ML_DSA_LEVEL!"
    #endif
-#endif /* ML_DSA_LEVEL */
+#else
+    #ifdef SIGN_ML_DSA
+        #error "ML_DSA_LEVEL not defined"
+    #endif
+    /* Default to max size for keystore */
+    #define KEYSTORE_PUBKEY_SIZE_ML_DSA  2592
+#endif /* defined ML_DSA_LEVEL */

 /* Mask for key permissions */
 #define KEY_VERIFY_ALL         (0xFFFFFFFFU)
--- a/test-app/app_stm32f4.c
+++ b/test-app/app_stm32f4.c
@ -78,6 +78,8 @@ static const char UPDATE='U';
 static const char ACK='#';
 static uint8_t msg[MSGSIZE];

+extern void flash_set_waitstates(void);
+

 #ifdef WOLFBOOT_NO_SIGN

--- a/tools/keytools/Makefile
+++ b/tools/keytools/Makefile
@ -17,49 +17,27 @@ LDFLAGS =
 OBJDIR = ./
 LIBS =

+ML_DSA_LEVEL?=2
+
+LMS_LEVELS?=1
+LMS_HEIGHT?=10
+LMS_WINTERNITZ?=8
+XMSS_PARAMS?='XMSS-SHA2_10_256'
+
 # Common to wc_lms and ext_lms.
-ifneq (,$(filter $(SIGN), LMS ext_LMS))
-  CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \
-           -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \
-           -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)"
-endif
+CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \
+		 -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \
+		 -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)"

-# Specific to ext_lms.
-ifeq ($(SIGN),ext_LMS)
-  LMSDIR = $(WOLFBOOTDIR)/lib/hash-sigs
-  LIBS += $(LMSDIR)/lib/hss_lib.a
-  CFLAGS +=-DHAVE_LIBLMS -I$(LMSDIR)/src
-endif

-# Specific to wc_lms.
-ifeq ($(SIGN),LMS)
-  CFLAGS +=-DWOLFSSL_WC_LMS
-endif
+# LMS flags
+CFLAGS +=-DWOLFSSL_WC_LMS

-# Common to wc_xmss and ext_xmss.
-ifneq (,$(filter $(SIGN), XMSS ext_XMSS))
-  $(info xmss params: $(XMSS_PARAMS))
-  CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \
-           -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
-           -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\"
-endif
-
-# Specific to ext_xmss.
-ifeq ($(SIGN),ext_XMSS)
-  XMSSDIR = $(WOLFBOOTDIR)/lib/xmss
-  CFLAGS +=-DHAVE_LIBXMSS -I$(XMSSDIR)
-endif
-
-# Specific to wc_xmss.
-ifeq ($(SIGN),XMSS)
-  CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32"
-endif
-
-# Only needed if using 3rd party integration. This can be
-# removed if ext_lms and ext_xmss are deprecated.
-ifneq (,$(filter $(SIGN), ext_LMS ext_XMSS))
-  CFLAGS  +=-DWOLFSSL_EXPERIMENTAL_SETTINGS
-endif
+# XMSS flags
+CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \
+		 -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
+		 -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\"
+CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32"

 # When WOLFBOOT_UNIVERSAL_KEYSTORE is defined, pad store_sizes in keystore.der
 ifeq ($(WOLFBOOT_UNIVERSAL_KEYSTORE),1)
@ -124,56 +102,24 @@ OBJS_REAL=\
 OBJS_REAL+=\
 	$(WOLFBOOTDIR)/src/delta.o

-# Add wolfcrypt lms implementation.
-ifeq ($(SIGN),LMS)
 OBJS_REAL+=\
 	$(WOLFDIR)/wolfcrypt/src/wc_lms.o \
 	$(WOLFDIR)/wolfcrypt/src/wc_lms_impl.o
-endif

-# Add external lms integration.
-ifeq ($(SIGN),ext_LMS)
-OBJS_REAL+= $(WOLFDIR)/wolfcrypt/src/ext_lms.o
-endif
-
-# Add wolfcrypt xmss implementation.
-ifeq ($(SIGN),XMSS)
 OBJS_REAL+=\
 	$(WOLFDIR)/wolfcrypt/src/wc_xmss.o \
 	$(WOLFDIR)/wolfcrypt/src/wc_xmss_impl.o
-endif
+OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o

-# Add external xmss integration.
-ifeq ($(SIGN),ext_XMSS)
-OBJS_REAL+=\
-	$(WOLFDIR)/wolfcrypt/src/ext_xmss.o \
-	$(XMSSDIR)/params.o \
-	$(XMSSDIR)/thash.o \
-	$(XMSSDIR)/hash_address.o \
-	$(XMSSDIR)/wots.o \
-	$(XMSSDIR)/xmss.o \
-	$(XMSSDIR)/xmss_core_fast.o \
-	$(XMSSDIR)/xmss_commons.o \
-	$(XMSSDIR)/utils.o
-endif
-
-# Add wolfcrypt ML-DSA (dilithium) implementation.
-ifeq ($(SIGN),ML_DSA)
-  OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o
-
-  CFLAGS += -D"WOLFBOOT_SIGN_ML_DSA" \
+CFLAGS += -D"WOLFBOOT_SIGN_ML_DSA" \
            -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
            -D"ML_DSA_LEVEL"=$(ML_DSA_LEVEL)
-endif

 OBJS_VIRT=$(addprefix $(OBJDIR), $(notdir $(OBJS_REAL)))
 vpath %.c $(WOLFDIR)/wolfcrypt/src/
 vpath %.c $(WOLFBOOTDIR)/src/
 vpath %.c ./
-
-ifeq ($(SIGN),ext_XMSS)
-    vpath %.c $(XMSSDIR)/
-endif
+vpath %.c $(XMSSDIR)/

 .PHONY: clean all

@ -205,11 +151,3 @@ keygen: $(OBJS_VIRT) $(LIBS) keygen.o
 clean:
 	rm -f sign keygen *.o

-# The final make clean is to ensure a subsequent LMS wolfboot
-# hash-sigs build is separate from keytools.
-$(LMSDIR)/lib/hss_lib.a:
-	@echo "Building hss_lib.a"
-	$(Q)@$(MAKE) -C $(LMSDIR)/src/ -s clean
-	$(Q)@$(MAKE) -C $(LMSDIR)/src/ hss_lib.a
-	$(Q)cp $(LMSDIR)/src/hss_lib.a $(LMSDIR)/lib/
-	$(Q)@$(MAKE) -C $(LMSDIR)/src/ -s clean
--- a/tools/keytools/keygen.c
+++ b/tools/keytools/keygen.c
@ -123,14 +123,8 @@ static int exportPubKey = 0;
 static WC_RNG rng;
 static int noLocalKeys = 0;

-#ifndef KEYSLOT_MAX_PUBKEY_SIZE
-    #if defined(KEYSTORE_PUBKEY_SIZE_ML_DSA)
-        /* ML-DSA pub keys are big. */
-        #define KEYSLOT_MAX_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ML_DSA
-    #else
-        #define KEYSLOT_MAX_PUBKEY_SIZE 576
-    #endif
-#endif
+/* ML-DSA pub keys are big. */
+#define KEYSLOT_MAX_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ML_DSA

 struct keystore_slot {
     uint32_t slot_id;
--- a/tools/keytools/sign.c
+++ b/tools/keytools/sign.c
@ -541,13 +541,8 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
    uint32_t idx = 0;
    int io_sz;
    FILE *f;
-#if defined(WOLFSSL_HAVE_XMSS)
    word32 priv_sz = 0;
-#endif
-#if defined(WOLFSSL_WC_DILITHIUM)
-    int    priv_sz = 0;
-    int    pub_sz = 0;
-#endif
+    word32 pub_sz = 0;
    int sign = CMD.sign;
    const char *key_file = CMD.key_file;

@ -843,7 +838,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
 #ifdef WOLFSSL_WC_DILITHIUM
            FALL_THROUGH; /* we didn't solve the key, keep trying */
        case SIGN_ML_DSA:
-            ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, &pub_sz);
+            ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, (int *)&pub_sz);

            if (ret != 0 || pub_sz <= 0) {
                printf("error: wc_MlDsaKey_GetPubLen returned %d\n", ret);
@ -852,7 +847,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,

            /* Get the ML-DSA private key length. This API returns
             * the public + private length. */
-            ret = wc_MlDsaKey_GetPrivLen(&key.ml_dsa, &priv_sz);
+            ret = wc_MlDsaKey_GetPrivLen(&key.ml_dsa, (int*)&priv_sz);

            if (ret != 0 || priv_sz <= 0) {
                printf("error: wc_MlDsaKey_GetPrivLen returned %d\n", ret);
@ -871,7 +866,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
            DEBUG_PRINT("info: ml-dsa priv len: %d\n", priv_sz);
            DEBUG_PRINT("info: ml-dsa pub len: %d\n", pub_sz);

-            if ((int)*key_buffer_sz == (priv_sz + pub_sz)) {
+            if (*key_buffer_sz == (priv_sz + pub_sz)) {
                /* priv + pub */
                ret = wc_MlDsaKey_ImportPrivRaw(&key.ml_dsa, *key_buffer,
                                                priv_sz);
@ -881,7 +876,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
                printf("Found ml-dsa key\n");
                break;
            }
-            else if ((int)*key_buffer_sz == pub_sz) {
+            else if (*key_buffer_sz == pub_sz) {
                /* pub only */
                *pubkey = (*key_buffer);
                *pubkey_sz = pub_sz;
--- a/tools/scripts/renode-test-update.sh
+++ b/tools/scripts/renode-test-update.sh
@ -48,8 +48,8 @@ if (echo $TEST_OPTIONS | grep "ext_XMSS" &>/dev/null); then
        cd ../../ || exit 2
 fi

-make distclean
-make -C tools/keytools
+make keysclean
+make keytools
 make -C tools/test-expect-version
 make clean && make $TEST_OPTIONS || exit 2
 make /tmp/renode-test-update.bin $TEST_OPTIONS || exit 2
--- a/tools/scripts/sim-pq-sunnyday-update.sh
+++ b/tools/scripts/sim-pq-sunnyday-update.sh
@ -29,7 +29,7 @@ fi

 cp $sim_pq .config || err_and_die "cp $sim_pq"

-make distclean; make clean;
+make keysclean; make clean;

 make keytools || err_and_die "keytools build failed"

--- a/tools/test-delta.mk
+++ b/tools/test-delta.mk
@ -14,7 +14,7 @@ test-delta-enc-update-ext:EXPVER=tools/test-expect-version/test-expect-version /
 test-delta-enc-update-ext:PART_SIZE=131023
 test-delta-enc-update-ext:APP=test-app/image_v7_signed_diff_encrypted.bin

-test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
+test-delta-update: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
 	@killall ufserver || true
 	@st-flash reset
 	@sleep 2
@ -68,7 +68,7 @@ test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-ser
 	@(test `$(EXPVER)` -eq 2)
 	@echo "TEST SUCCESSFUL"

-test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
+test-delta-update-ext: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
 	@killall ufserver || true
 	@st-flash reset
 	@dd if=/dev/zero of=zero.bin bs=4096 count=1
@ -110,7 +110,7 @@ test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash
 	@rm boot.bin boot_full.bin
 	@echo "TEST SUCCESSFUL"

-test-delta-enc-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
+test-delta-enc-update-ext: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version
 	   @killall ufserver || true
 	   @st-flash reset
 	   @dd if=/dev/zero of=zero.bin bs=4096 count=1