From 6bed80fbc2dc0c2435c7cc1e654fbd98d67a922e Mon Sep 17 00:00:00 2001
From: David Garske
Date: Thu, 5 Dec 2024 14:07:15 -0800
Subject: [PATCH] ML-DSA default is level 2. The keytools must be able to support all ML-DSA levels at run-time using `ML_DSA_LEVEL` environment variable. wolfBoot needs to be built with the correct level specified in the .config.
---
 tools/keytools/Makefile | 2 +-
 tools/keytools/user_settings.h | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile
index 0db21ecc..646327bc 100644
--- a/tools/keytools/Makefile
+++ b/tools/keytools/Makefile
@@ -17,7 +17,7 @@ LDFLAGS =
 OBJDIR = ./
 LIBS =
-ML_DSA_LEVEL?=5
+ML_DSA_LEVEL?=2
 CFLAGS+=-DML_DSA_LEVEL=$(ML_DSA_LEVEL)
 LMS_LEVELS?=1
diff --git a/tools/keytools/user_settings.h b/tools/keytools/user_settings.h
index 2e1e2d53..10e47823 100644
--- a/tools/keytools/user_settings.h
+++ b/tools/keytools/user_settings.h
@@ -86,10 +86,13 @@
 #if 0
 #define WOLFSSL_DILITHIUM_FIPS204_DRAFT
 #endif
+
+/* Default the keygen/sign tool to use ML-DSA level 2 */
 #ifndef ML_DSA_LEVEL
- #define ML_DSA_LEVEL 5
+ #define ML_DSA_LEVEL 2
 #endif
-/* dilithium needs these sha functions. */
+
+/* Dilithium needs SHAKE128 */
 #define WOLFSSL_SHAKE128
 /* LMS */
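Review bot: The new default `ML_DSA_LEVEL?=2` carries no comment saying that it selects the lowest ML-DSA parameter set and has to match the level wolfBoot is built with in `.config`; the same applies to the `#define ML_DSA_LEVEL 2` fallback in user_settings.h. Anyone who relied on the previous default of 5 without setting the variable will now get level-2 keys and signatures from this tool, which a bootloader built for level 5 would presumably reject. I would add above the assignment `# ML-DSA parameter set (2, 3 or 5); must match ML_DSA_LEVEL in the wolfBoot .config`. The commit message speaks of run-time selection through the environment, but the lines visible here only set a build-time default passed via `-DML_DSA_LEVEL`, so the run-time handling is presumably elsewhere and worth pointing to in that comment.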
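Review bot: The `#ifndef ML_DSA_LEVEL` fallback accepts whatever value the Makefile or environment passes in, and nothing visible in this hunk rejects an unsupported level such as 4. A guard right after the `#endif` would fail the build early: `#if ML_DSA_LEVEL != 2 && ML_DSA_LEVEL != 3 && ML_DSA_LEVEL != 5`, `#error "ML_DSA_LEVEL must be 2, 3 or 5"`, `#endif`. Separately, the reworded comment `/* Dilithium needs SHAKE128 */` is narrower than the one it replaces ("these sha functions"); if SHAKE256 is enabled elsewhere in this header the comment could say so, but that is outside the hunk.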