ML-DSA default is level 2. The keytools must be able to support all ML-DSA levels at run-time using `ML_DSA_LEVEL` environment variable. wolfBoot needs to be built with the correct level specified in the .config.

tools/keytools/Makefile

@@ -17,7 +17,7 @@ LDFLAGS =
 OBJDIR = ./
 LIBS =
 
-ML_DSA_LEVEL?=5
+ML_DSA_LEVEL?=2
 CFLAGS+=-DML_DSA_LEVEL=$(ML_DSA_LEVEL)
 
 LMS_LEVELS?=1

tools/keytools/user_settings.h

@@ -86,10 +86,13 @@
 #if 0
     #define WOLFSSL_DILITHIUM_FIPS204_DRAFT
 #endif
+
+/* Default the keygen/sign tool to use ML-DSA level 2 */
 #ifndef ML_DSA_LEVEL
-    #define ML_DSA_LEVEL 5
+    #define ML_DSA_LEVEL 2
 #endif
-/* dilithium needs these sha functions. */
+
+/* Dilithium needs SHAKE128 */
 #define WOLFSSL_SHAKE128
 
 /* LMS */