From 04d2ecd24611cf061463c7572d1203bf6d2d9121 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 2 Dec 2024 18:55:32 +0100 Subject: [PATCH] Remove dependency from PQC parameters. Speed up tests. --- .github/workflows/footprint.yml | 4 +- .github/workflows/test-build-sim-tpm.yml | 4 +- .github/workflows/test-sunnyday-simulator.yml | 50 ++++----- Makefile | 5 +- include/wolfboot/wolfboot.h | 10 +- test-app/app_stm32f4.c | 2 + tools/keytools/Makefile | 102 ++++-------------- tools/keytools/keygen.c | 10 +- tools/keytools/sign.c | 15 +-- tools/scripts/renode-test-update.sh | 4 +- tools/scripts/sim-pq-sunnyday-update.sh | 2 +- tools/test-delta.mk | 6 +- 12 files changed, 73 insertions(+), 141 deletions(-) diff --git a/.github/workflows/footprint.yml b/.github/workflows/footprint.yml index 333377fc..096c2d1e 100644 --- a/.github/workflows/footprint.yml +++ b/.github/workflows/footprint.yml @@ -22,7 +22,7 @@ jobs: - name: make clean run: | - make keysclean && make -C tools/keytools clean && rm -f include/target.h + make keysclean && rm -f include/target.h - name: Install wolfSSL run: | @@ -34,7 +34,7 @@ jobs: - name: Build key tools run: | - make -C tools/keytools + make keytools - name: Build wolfboot and test footprint run: | diff --git a/.github/workflows/test-build-sim-tpm.yml b/.github/workflows/test-build-sim-tpm.yml index 786e2f0f..7a48dc33 100644 --- a/.github/workflows/test-build-sim-tpm.yml +++ b/.github/workflows/test-build-sim-tpm.yml @@ -44,9 +44,9 @@ jobs: with: submodules: true - - name: make distclean + - name: make keysclean run: | - make distclean + make keysclean - name: Select config run: | diff --git a/.github/workflows/test-sunnyday-simulator.yml b/.github/workflows/test-sunnyday-simulator.yml index 133999ae..a391f986 100644 --- a/.github/workflows/test-sunnyday-simulator.yml +++ b/.github/workflows/test-sunnyday-simulator.yml @@ -29,7 +29,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (32 bit simulator) run: | @@ -57,7 +57,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC384) run: | @@ -77,7 +77,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC521) run: | @@ -97,7 +97,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA2048) run: | @@ -117,7 +117,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA3072) run: | @@ -137,7 +137,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA4096) run: | @@ -159,7 +159,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (32 bit simulator) run: | @@ -187,7 +187,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC384, FASTMATH) run: | @@ -207,7 +207,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC521, FASTMATH) run: | @@ -227,7 +227,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA2048, FASTMATH) run: | @@ -247,7 +247,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA3072, FASTMATH) run: | @@ -267,7 +267,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA4096, FASTMATH) run: | @@ -290,7 +290,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (64 bit simulator) run: | @@ -318,7 +318,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC384) run: | @@ -338,7 +338,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC521) run: | @@ -358,7 +358,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA2048) run: | @@ -378,7 +378,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA3072) run: | @@ -398,7 +398,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA4096) run: | @@ -420,7 +420,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (64 bit simulator) run: | @@ -448,7 +448,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC384, FASTMATH) run: | @@ -468,7 +468,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC521, FASTMATH) run: | @@ -488,7 +488,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA2048, FASTMATH) run: | @@ -508,7 +508,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA3072, FASTMATH) run: | @@ -528,7 +528,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA4096, FASTMATH) run: | @@ -562,7 +562,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (64 bit simulator) Hybrid ML_DSA + ECC run: | diff --git a/Makefile b/Makefile index 14cb9d43..33ede26e 100644 --- a/Makefile +++ b/Makefile @@ -204,7 +204,7 @@ include tools/test-renode.mk hal/$(TARGET).o: -keytools_check: keytools FORCE +keytools_check: keytools $(PRIVATE_KEY): $(Q)$(MAKE) keytools_check @@ -223,7 +223,6 @@ $(SECONDARY_PRIVATE_KEY): $(PRIVATE_KEY) keystore.der keytools: @echo "Building key tools" - @$(MAKE) -C tools/keytools -s clean @$(MAKE) -C tools/keytools -j tpmtools: include/target.h keys @@ -281,7 +280,7 @@ wolfboot_stage1.bin: wolfboot.elf stage1/loader_stage1.bin wolfboot.elf: include/target.h $(LSCRIPT) $(OBJS) $(BINASSEMBLE) FORCE $(Q)(test $(SIGN) = NONE) || (test $(FLASH_OTP_KEYSTORE) = 1) || (grep -q $(SIGN_ALG) src/keystore.c) || \ - (echo "Key mismatch: please run 'make distclean' to remove all keys if you want to change algorithm" && false) + (echo "Key mismatch: please run 'make keysclean' to remove all keys if you want to change algorithm" && false) @echo "\t[LD] $@" @echo $(OBJS) $(Q)$(LD) $(LDFLAGS) $(LSCRIPT_FLAGS) $(SECURE_LDFLAGS) $(LD_START_GROUP) $(OBJS) $(LIBS) $(LD_END_GROUP) -o $@ diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 44c8bba9..6d44e9e9 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h @@ -145,10 +145,14 @@ extern "C" { #define KEYSTORE_PUBKEY_SIZE_ML_DSA 1952 #elif ML_DSA_LEVEL == 5 #define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 - #else - #error "Invalid ML_DSA_LEVEL!" #endif -#endif /* ML_DSA_LEVEL */ +#else + #ifdef SIGN_ML_DSA + #error "ML_DSA_LEVEL not defined" + #endif + /* Default to max size for keystore */ + #define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 +#endif /* defined ML_DSA_LEVEL */ /* Mask for key permissions */ #define KEY_VERIFY_ALL (0xFFFFFFFFU) diff --git a/test-app/app_stm32f4.c b/test-app/app_stm32f4.c index c8f1db89..7097f1cc 100644 --- a/test-app/app_stm32f4.c +++ b/test-app/app_stm32f4.c @@ -78,6 +78,8 @@ static const char UPDATE='U'; static const char ACK='#'; static uint8_t msg[MSGSIZE]; +extern void flash_set_waitstates(void); + #ifdef WOLFBOOT_NO_SIGN diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile index 00b0c5ee..d1c387b5 100644 --- a/tools/keytools/Makefile +++ b/tools/keytools/Makefile @@ -17,49 +17,27 @@ LDFLAGS = OBJDIR = ./ LIBS = +ML_DSA_LEVEL?=2 + +LMS_LEVELS?=1 +LMS_HEIGHT?=10 +LMS_WINTERNITZ?=8 +XMSS_PARAMS?='XMSS-SHA2_10_256' + # Common to wc_lms and ext_lms. -ifneq (,$(filter $(SIGN), LMS ext_LMS)) - CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \ - -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \ - -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)" -endif +CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \ + -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \ + -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)" -# Specific to ext_lms. -ifeq ($(SIGN),ext_LMS) - LMSDIR = $(WOLFBOOTDIR)/lib/hash-sigs - LIBS += $(LMSDIR)/lib/hss_lib.a - CFLAGS +=-DHAVE_LIBLMS -I$(LMSDIR)/src -endif -# Specific to wc_lms. -ifeq ($(SIGN),LMS) - CFLAGS +=-DWOLFSSL_WC_LMS -endif +# LMS flags +CFLAGS +=-DWOLFSSL_WC_LMS -# Common to wc_xmss and ext_xmss. -ifneq (,$(filter $(SIGN), XMSS ext_XMSS)) - $(info xmss params: $(XMSS_PARAMS)) - CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \ - -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ - -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\" -endif - -# Specific to ext_xmss. -ifeq ($(SIGN),ext_XMSS) - XMSSDIR = $(WOLFBOOTDIR)/lib/xmss - CFLAGS +=-DHAVE_LIBXMSS -I$(XMSSDIR) -endif - -# Specific to wc_xmss. -ifeq ($(SIGN),XMSS) - CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32" -endif - -# Only needed if using 3rd party integration. This can be -# removed if ext_lms and ext_xmss are deprecated. -ifneq (,$(filter $(SIGN), ext_LMS ext_XMSS)) - CFLAGS +=-DWOLFSSL_EXPERIMENTAL_SETTINGS -endif +# XMSS flags +CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \ + -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ + -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\" +CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32" # When WOLFBOOT_UNIVERSAL_KEYSTORE is defined, pad store_sizes in keystore.der ifeq ($(WOLFBOOT_UNIVERSAL_KEYSTORE),1) @@ -124,56 +102,24 @@ OBJS_REAL=\ OBJS_REAL+=\ $(WOLFBOOTDIR)/src/delta.o -# Add wolfcrypt lms implementation. -ifeq ($(SIGN),LMS) OBJS_REAL+=\ $(WOLFDIR)/wolfcrypt/src/wc_lms.o \ $(WOLFDIR)/wolfcrypt/src/wc_lms_impl.o -endif -# Add external lms integration. -ifeq ($(SIGN),ext_LMS) -OBJS_REAL+= $(WOLFDIR)/wolfcrypt/src/ext_lms.o -endif - -# Add wolfcrypt xmss implementation. -ifeq ($(SIGN),XMSS) OBJS_REAL+=\ $(WOLFDIR)/wolfcrypt/src/wc_xmss.o \ $(WOLFDIR)/wolfcrypt/src/wc_xmss_impl.o -endif +OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o -# Add external xmss integration. -ifeq ($(SIGN),ext_XMSS) -OBJS_REAL+=\ - $(WOLFDIR)/wolfcrypt/src/ext_xmss.o \ - $(XMSSDIR)/params.o \ - $(XMSSDIR)/thash.o \ - $(XMSSDIR)/hash_address.o \ - $(XMSSDIR)/wots.o \ - $(XMSSDIR)/xmss.o \ - $(XMSSDIR)/xmss_core_fast.o \ - $(XMSSDIR)/xmss_commons.o \ - $(XMSSDIR)/utils.o -endif - -# Add wolfcrypt ML-DSA (dilithium) implementation. -ifeq ($(SIGN),ML_DSA) - OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o - - CFLAGS += -D"WOLFBOOT_SIGN_ML_DSA" \ +CFLAGS += -D"WOLFBOOT_SIGN_ML_DSA" \ -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ -D"ML_DSA_LEVEL"=$(ML_DSA_LEVEL) -endif OBJS_VIRT=$(addprefix $(OBJDIR), $(notdir $(OBJS_REAL))) vpath %.c $(WOLFDIR)/wolfcrypt/src/ vpath %.c $(WOLFBOOTDIR)/src/ vpath %.c ./ - -ifeq ($(SIGN),ext_XMSS) - vpath %.c $(XMSSDIR)/ -endif +vpath %.c $(XMSSDIR)/ .PHONY: clean all @@ -205,11 +151,3 @@ keygen: $(OBJS_VIRT) $(LIBS) keygen.o clean: rm -f sign keygen *.o -# The final make clean is to ensure a subsequent LMS wolfboot -# hash-sigs build is separate from keytools. -$(LMSDIR)/lib/hss_lib.a: - @echo "Building hss_lib.a" - $(Q)@$(MAKE) -C $(LMSDIR)/src/ -s clean - $(Q)@$(MAKE) -C $(LMSDIR)/src/ hss_lib.a - $(Q)cp $(LMSDIR)/src/hss_lib.a $(LMSDIR)/lib/ - $(Q)@$(MAKE) -C $(LMSDIR)/src/ -s clean diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index 02564b1f..b517fdce 100644 --- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c @@ -123,14 +123,8 @@ static int exportPubKey = 0; static WC_RNG rng; static int noLocalKeys = 0; -#ifndef KEYSLOT_MAX_PUBKEY_SIZE - #if defined(KEYSTORE_PUBKEY_SIZE_ML_DSA) - /* ML-DSA pub keys are big. */ - #define KEYSLOT_MAX_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ML_DSA - #else - #define KEYSLOT_MAX_PUBKEY_SIZE 576 - #endif -#endif +/* ML-DSA pub keys are big. */ +#define KEYSLOT_MAX_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ML_DSA struct keystore_slot { uint32_t slot_id; diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index a8f2cd5d..770a7ff7 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -541,13 +541,8 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, uint32_t idx = 0; int io_sz; FILE *f; -#if defined(WOLFSSL_HAVE_XMSS) word32 priv_sz = 0; -#endif -#if defined(WOLFSSL_WC_DILITHIUM) - int priv_sz = 0; - int pub_sz = 0; -#endif + word32 pub_sz = 0; int sign = CMD.sign; const char *key_file = CMD.key_file; @@ -843,7 +838,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, #ifdef WOLFSSL_WC_DILITHIUM FALL_THROUGH; /* we didn't solve the key, keep trying */ case SIGN_ML_DSA: - ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, &pub_sz); + ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, (int *)&pub_sz); if (ret != 0 || pub_sz <= 0) { printf("error: wc_MlDsaKey_GetPubLen returned %d\n", ret); @@ -852,7 +847,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, /* Get the ML-DSA private key length. This API returns * the public + private length. */ - ret = wc_MlDsaKey_GetPrivLen(&key.ml_dsa, &priv_sz); + ret = wc_MlDsaKey_GetPrivLen(&key.ml_dsa, (int*)&priv_sz); if (ret != 0 || priv_sz <= 0) { printf("error: wc_MlDsaKey_GetPrivLen returned %d\n", ret); @@ -871,7 +866,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, DEBUG_PRINT("info: ml-dsa priv len: %d\n", priv_sz); DEBUG_PRINT("info: ml-dsa pub len: %d\n", pub_sz); - if ((int)*key_buffer_sz == (priv_sz + pub_sz)) { + if (*key_buffer_sz == (priv_sz + pub_sz)) { /* priv + pub */ ret = wc_MlDsaKey_ImportPrivRaw(&key.ml_dsa, *key_buffer, priv_sz); @@ -881,7 +876,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, printf("Found ml-dsa key\n"); break; } - else if ((int)*key_buffer_sz == pub_sz) { + else if (*key_buffer_sz == pub_sz) { /* pub only */ *pubkey = (*key_buffer); *pubkey_sz = pub_sz; diff --git a/tools/scripts/renode-test-update.sh b/tools/scripts/renode-test-update.sh index 983fa717..59c8d8aa 100755 --- a/tools/scripts/renode-test-update.sh +++ b/tools/scripts/renode-test-update.sh @@ -48,8 +48,8 @@ if (echo $TEST_OPTIONS | grep "ext_XMSS" &>/dev/null); then cd ../../ || exit 2 fi -make distclean -make -C tools/keytools +make keysclean +make keytools make -C tools/test-expect-version make clean && make $TEST_OPTIONS || exit 2 make /tmp/renode-test-update.bin $TEST_OPTIONS || exit 2 diff --git a/tools/scripts/sim-pq-sunnyday-update.sh b/tools/scripts/sim-pq-sunnyday-update.sh index 104b2a11..2e05b3cb 100755 --- a/tools/scripts/sim-pq-sunnyday-update.sh +++ b/tools/scripts/sim-pq-sunnyday-update.sh @@ -29,7 +29,7 @@ fi cp $sim_pq .config || err_and_die "cp $sim_pq" -make distclean; make clean; +make keysclean; make clean; make keytools || err_and_die "keytools build failed" diff --git a/tools/test-delta.mk b/tools/test-delta.mk index cd7967bd..54c7c119 100644 --- a/tools/test-delta.mk +++ b/tools/test-delta.mk @@ -14,7 +14,7 @@ test-delta-enc-update-ext:EXPVER=tools/test-expect-version/test-expect-version / test-delta-enc-update-ext:PART_SIZE=131023 test-delta-enc-update-ext:APP=test-app/image_v7_signed_diff_encrypted.bin -test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version +test-delta-update: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version @killall ufserver || true @st-flash reset @sleep 2 @@ -68,7 +68,7 @@ test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-ser @(test `$(EXPVER)` -eq 2) @echo "TEST SUCCESSFUL" -test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version +test-delta-update-ext: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version @killall ufserver || true @st-flash reset @dd if=/dev/zero of=zero.bin bs=4096 count=1 @@ -110,7 +110,7 @@ test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash @rm boot.bin boot_full.bin @echo "TEST SUCCESSFUL" -test-delta-enc-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version +test-delta-enc-update-ext: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version @killall ufserver || true @st-flash reset @dd if=/dev/zero of=zero.bin bs=4096 count=1