Removing compile-time parameters from keygen

pull/521/head
Daniele Lacamera 2024-12-03 14:50:54 +01:00
parent 7132a13545
commit d5e402ebde
6 changed files with 68 additions and 61 deletions


@ -86,7 +86,7 @@ ifeq ($(TARGET),ti_hercules)
endif endif
# Environment variables for sign tool # Environment variables for sign tool
SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) ML_DSA_LEVEL=$(ML_DSA_LEVEL) IMAGE_SIGNATURE_SIZE=$(IMAGE_SIGNATURE_SIZE)
MAIN_TARGET=factory.bin MAIN_TARGET=factory.bin
@ -208,7 +208,7 @@ keytools_check: keytools
$(PRIVATE_KEY): $(PRIVATE_KEY):
$(Q)$(MAKE) keytools_check $(Q)$(MAKE) keytools_check
$(Q)(test $(SIGN) = NONE) || ("$(KEYGEN_TOOL)" $(KEYGEN_OPTIONS) -g $(PRIVATE_KEY)) || true $(Q)(test $(SIGN) = NONE) || ($(SIGN_ENV) "$(KEYGEN_TOOL)" $(KEYGEN_OPTIONS) -g $(PRIVATE_KEY)) || true
$(Q)(test $(SIGN) = NONE) && (echo "// SIGN=NONE" > src/keystore.c) || true $(Q)(test $(SIGN) = NONE) && (echo "// SIGN=NONE" > src/keystore.c) || true
$(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true $(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true
@ -216,7 +216,7 @@ $(SECONDARY_PRIVATE_KEY): $(PRIVATE_KEY) keystore.der
$(Q)$(MAKE) keytools_check $(Q)$(MAKE) keytools_check
$(Q)rm -f src/keystore.c $(Q)rm -f src/keystore.c
$(Q)dd if=keystore.der of=pubkey_1.der bs=1 skip=16 $(Q)dd if=keystore.der of=pubkey_1.der bs=1 skip=16
$(Q)(test $(SIGN_SECONDARY) = NONE) || ("$(KEYGEN_TOOL)" \ $(Q)(test $(SIGN_SECONDARY) = NONE) || ($(SIGN_ENV) "$(KEYGEN_TOOL)" \
$(KEYGEN_OPTIONS) -i pubkey_1.der $(SECONDARY_KEYGEN_OPTIONS) \ $(KEYGEN_OPTIONS) -i pubkey_1.der $(SECONDARY_KEYGEN_OPTIONS) \
-g $(SECONDARY_PRIVATE_KEY)) || true -g $(SECONDARY_PRIVATE_KEY)) || true
$(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true $(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true
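Review bot: Both key-generation recipes (the `-g $(PRIVATE_KEY)` line and the `-g $(SECONDARY_PRIVATE_KEY)` one) still end in `|| true`, so a non-zero exit from keygen is discarded and the build carries on without a fresh key. The keygen changes in this same commit add an `exit(1)` for an invalid ML_DSA_LEVEL, and that error would be hidden here. Since `(test $(SIGN) = NONE) || (...)` already succeeds when SIGN is NONE, the trailing `|| true` seems to mask only real failures; consider ending the recipe line at `-g $(PRIVATE_KEY))`, unless the tolerance is deliberate, in which case a comment saying why would help. Separately, SIGN_ENV always passes `ML_DSA_LEVEL=$(ML_DSA_LEVEL)`, so an empty make variable presumably reaches the tool as an empty string rather than as unset, which `atoi` turns into 0.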


@ -138,21 +138,17 @@ extern "C" {
/* ML-DSA pub key size is a function of parameters. /* ML-DSA pub key size is a function of parameters.
* This needs to be configurable. Default to security * This needs to be configurable. Default to security
* category 2. */ * category 2. */
#ifdef ML_DSA_LEVEL
#if ML_DSA_LEVEL == 2 #define ML_DSA_L2_PUBKEY_SIZE 1312
#define KEYSTORE_PUBKEY_SIZE_ML_DSA 1312 #define ML_DSA_L3_PUBKEY_SIZE 1952
#elif ML_DSA_LEVEL == 3 #define ML_DSA_L5_PUBKEY_SIZE 2592
#define KEYSTORE_PUBKEY_SIZE_ML_DSA 1952
#elif ML_DSA_LEVEL == 5
#define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 #if defined(SIGN_ML_DSA) && !defined(ML_DSA_LEVEL)
#endif #define ML_DSA_LEVEL 5
#else
#ifdef SIGN_ML_DSA
#error "ML_DSA_LEVEL not defined"
#endif #endif
/* Default to max size for keystore */ /* Default to max size for keystore */
#define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 #define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592
#endif /* defined ML_DSA_LEVEL */
/* Mask for key permissions */ /* Mask for key permissions */
#define KEY_VERIFY_ALL (0xFFFFFFFFU) #define KEY_VERIFY_ALL (0xFFFFFFFFU)
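Review bot: The comment kept above these defines still says "Default to security category 2", but the fallback added here is `#define ML_DSA_LEVEL 5` and the keystore slot is fixed at 2592 bytes. The earlier `#error "ML_DSA_LEVEL not defined"` appears to be dropped, so a SIGN_ML_DSA build that omits the level now silently builds for level 5 instead of stopping. I would update the comment to something like `/* ML-DSA pub key size depends on the level (2, 3 or 5); keystore slots are sized for level 5, and ML_DSA_LEVEL defaults to 5 when SIGN_ML_DSA is set without it. */` so the default is stated where it is defined.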


@ -17,7 +17,8 @@ LDFLAGS =
OBJDIR = ./ OBJDIR = ./
LIBS = LIBS =
ML_DSA_LEVEL?=2 ML_DSA_LEVEL?=5
CFLAGS+=-DML_DSA_LEVEL=$(ML_DSA_LEVEL)
LMS_LEVELS?=1 LMS_LEVELS?=1
LMS_HEIGHT?=10 LMS_HEIGHT?=10
@ -33,6 +34,9 @@ CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \
# LMS flags # LMS flags
CFLAGS +=-DWOLFSSL_WC_LMS CFLAGS +=-DWOLFSSL_WC_LMS
# ML_DSA flags
CFLAGS +=-DWOLFSSL_HAVE_DILITHIUM
# XMSS flags # XMSS flags
CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \ CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \
-D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
@ -111,10 +115,6 @@ OBJS_REAL+=\
$(WOLFDIR)/wolfcrypt/src/wc_xmss_impl.o $(WOLFDIR)/wolfcrypt/src/wc_xmss_impl.o
OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o
CFLAGS += -D"WOLFBOOT_SIGN_ML_DSA" \
-D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
-D"ML_DSA_LEVEL"=$(ML_DSA_LEVEL)
OBJS_VIRT=$(addprefix $(OBJDIR), $(notdir $(OBJS_REAL))) OBJS_VIRT=$(addprefix $(OBJDIR), $(notdir $(OBJS_REAL)))
vpath %.c $(WOLFDIR)/wolfcrypt/src/ vpath %.c $(WOLFDIR)/wolfcrypt/src/
vpath %.c $(WOLFBOOTDIR)/src/ vpath %.c $(WOLFBOOTDIR)/src/


@ -451,15 +451,35 @@ static uint32_t get_pubkey_size(uint32_t keyType)
case KEYGEN_XMSS: case KEYGEN_XMSS:
size = KEYSTORE_PUBKEY_SIZE_XMSS; size = KEYSTORE_PUBKEY_SIZE_XMSS;
break; break;
#ifdef KEYSTORE_PUBKEY_SIZE_ML_DSA
case KEYGEN_ML_DSA: case KEYGEN_ML_DSA:
size = KEYSTORE_PUBKEY_SIZE_ML_DSA; {
char *env_ml_dsa_level = getenv("ML_DSA_LEVEL");
if (env_ml_dsa_level == NULL) {
fprintf(stderr, "warning: ML_DSA_LEVEL environment variable"
" not set, assuming level 2\n");
size = ML_DSA_L2_PUBKEY_SIZE;
} else {
int level = atoi(env_ml_dsa_level);
switch (level) {
case 2:
size = ML_DSA_L2_PUBKEY_SIZE;
break;
case 3:
size = ML_DSA_L3_PUBKEY_SIZE;
break;
case 5:
size = ML_DSA_L5_PUBKEY_SIZE;
break;
default:
fprintf(stderr, "error: invalid ML_DSA_LEVEL: %d\n", level);
exit(1);
}
}
break; break;
#endif
default: default:
size = 0; size = 0;
} }
}
return size; return size;
} }
@ -520,7 +540,6 @@ void keystore_add(uint32_t ktype, uint8_t *key, uint32_t sz, const char *keyfile
} }
#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN)
static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask) static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask)
{ {
RsaKey k; RsaKey k;
@ -570,9 +589,7 @@ static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask)
else if (kbits == 4096) else if (kbits == 4096)
keystore_add(KEYGEN_RSA4096, pub_der, publen, keyfile, id_mask); keystore_add(KEYGEN_RSA4096, pub_der, publen, keyfile, id_mask);
} }
#endif
#ifdef HAVE_ECC
#define MAX_ECC_KEY_SIZE 66 #define MAX_ECC_KEY_SIZE 66
static void keygen_ecc(const char *priv_fname, uint16_t ecc_key_size, static void keygen_ecc(const char *priv_fname, uint16_t ecc_key_size,
@ -676,10 +693,8 @@ static void keygen_ecc(const char *priv_fname, uint16_t ecc_key_size,
else if (ecc_key_size == 66) else if (ecc_key_size == 66)
keystore_add(KEYGEN_ECC521, k_buffer, 2 * ecc_key_size, priv_fname, id_mask); keystore_add(KEYGEN_ECC521, k_buffer, 2 * ecc_key_size, priv_fname, id_mask);
} }
#endif
#ifdef HAVE_ED25519
static void keygen_ed25519(const char *privkey, uint32_t id_mask) static void keygen_ed25519(const char *privkey, uint32_t id_mask)
{ {
ed25519_key k; ed25519_key k;
@ -716,9 +731,7 @@ static void keygen_ed25519(const char *privkey, uint32_t id_mask)
keystore_add(KEYGEN_ED25519, pub, ED25519_PUB_KEY_SIZE, privkey, id_mask); keystore_add(KEYGEN_ED25519, pub, ED25519_PUB_KEY_SIZE, privkey, id_mask);
} }
#endif
#ifdef HAVE_ED448
static void keygen_ed448(const char *privkey, uint32_t id_mask) static void keygen_ed448(const char *privkey, uint32_t id_mask)
{ {
ed448_key k; ed448_key k;
@ -755,9 +768,7 @@ static void keygen_ed448(const char *privkey, uint32_t id_mask)
keystore_add(KEYGEN_ED448, pub, ED448_PUB_KEY_SIZE, privkey, id_mask); keystore_add(KEYGEN_ED448, pub, ED448_PUB_KEY_SIZE, privkey, id_mask);
} }
#endif
#if defined(WOLFSSL_HAVE_LMS)
#include "../lms/lms_common.h" #include "../lms/lms_common.h"
static void keygen_lms(const char *priv_fname, uint32_t id_mask) static void keygen_lms(const char *priv_fname, uint32_t id_mask)
@ -844,9 +855,7 @@ static void keygen_lms(const char *priv_fname, uint32_t id_mask)
wc_LmsKey_Free(&key); wc_LmsKey_Free(&key);
} }
#endif /* if defined(WOLFSSL_HAVE_LMS) */
#if defined(WOLFSSL_HAVE_XMSS)
#include "../xmss/xmss_common.h" #include "../xmss/xmss_common.h"
static void keygen_xmss(const char *priv_fname, uint32_t id_mask) static void keygen_xmss(const char *priv_fname, uint32_t id_mask)
@ -942,9 +951,7 @@ static void keygen_xmss(const char *priv_fname, uint32_t id_mask)
wc_XmssKey_Free(&key); wc_XmssKey_Free(&key);
} }
#endif /* if defined(WOLFSSL_HAVE_XMSS) */
#if defined(WOLFSSL_WC_DILITHIUM)
static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask) static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
{ {
@ -957,6 +964,13 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
word32 pub_len = 0; word32 pub_len = 0;
int ml_dsa_priv_len = 0; int ml_dsa_priv_len = 0;
int ml_dsa_pub_len = 0; int ml_dsa_pub_len = 0;
int ml_dsa_level = ML_DSA_LEVEL;
char * env_ml_dsa_level = getenv("ML_DSA_LEVEL");
if (env_ml_dsa_level != NULL) {
ml_dsa_level = atoi(env_ml_dsa_level);
}
fprintf(stderr, "info: using DSA level %d\n", ml_dsa_level);
ret = wc_MlDsaKey_Init(&key, NULL, INVALID_DEVID); ret = wc_MlDsaKey_Init(&key, NULL, INVALID_DEVID);
if (ret != 0) { if (ret != 0) {
@ -964,10 +978,10 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
exit(1); exit(1);
} }
ret = wc_MlDsaKey_SetParams(&key, ML_DSA_LEVEL); ret = wc_MlDsaKey_SetParams(&key, ml_dsa_level);
if (ret != 0) { if (ret != 0) {
fprintf(stderr, "error: wc_MlDsaKey_SetParams(%d) returned %d\n", fprintf(stderr, "error: wc_MlDsaKey_SetParams(%d) returned %d\n",
ML_DSA_LEVEL, ret); ml_dsa_level, ret);
exit(1); exit(1);
} }
@ -985,6 +999,7 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
ret); ret);
exit(1); exit(1);
} }
printf("info: ml-dsa public key length: %d\n", ml_dsa_pub_len);
/* Get the ML-DSA private key length. This API returns /* Get the ML-DSA private key length. This API returns
* the public + private length. */ * the public + private length. */
@ -994,6 +1009,7 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
ret); ret);
exit(1); exit(1);
} }
printf("info: ml-dsa private key length: %d\n", ml_dsa_priv_len);
if (ml_dsa_priv_len <= ml_dsa_pub_len) { if (ml_dsa_priv_len <= ml_dsa_pub_len) {
printf("error: ml-dsa: unexpected key lengths: %d, %d", printf("error: ml-dsa: unexpected key lengths: %d, %d",
@ -1026,9 +1042,9 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
exit(1); exit(1);
} }
if (pub_len != sizeof(pub)) { if ((int)pub_len != ml_dsa_pub_len) {
fprintf(stderr, "error: wc_MlDsaKey_ExportPubRaw returned pub_len=%d, " \ fprintf(stderr, "error: wc_MlDsaKey_ExportPubRaw returned pub_len=%d, " \
"expected %zu\n", pub_len, sizeof(pub)); "expected %d\n", pub_len, ml_dsa_pub_len);
exit(1); exit(1);
} }
@ -1050,14 +1066,13 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask)
fwrite(pub, pub_len, 1, fpriv); fwrite(pub, pub_len, 1, fpriv);
fclose(fpriv); fclose(fpriv);
keystore_add(KEYGEN_ML_DSA, pub, KEYSTORE_PUBKEY_SIZE_ML_DSA, keystore_add(KEYGEN_ML_DSA, pub, pub_len,
priv_fname, id_mask); priv_fname, id_mask);
wc_MlDsaKey_Free(&key); wc_MlDsaKey_Free(&key);
free(priv); free(priv);
priv = NULL; priv = NULL;
} }
#endif /* if defined(WOLFSSL_WC_DILITHIUM) */
static void key_gen_check(const char *kfilename) static void key_gen_check(const char *kfilename)
{ {
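Review bot: The two new ML_DSA_LEVEL lookups disagree when the environment variable is unset: `get_pubkey_size()` warns and assumes level 2 (`size = ML_DSA_L2_PUBKEY_SIZE`), while `keygen_ml_dsa()` keeps the compile-time `ML_DSA_LEVEL`, which the keytools Makefile in this commit defaults to 5. A key generated at one level could then be sized for another wherever `get_pubkey_size()` is consulted. `keygen_ml_dsa()` also hands the `atoi()` result straight to `wc_MlDsaKey_SetParams`, so a non-numeric or empty value becomes 0 rather than being reported as bad input. Resolving the level in one helper that parses with `strtol` and accepts only 2, 3 or 5, then calling it from both places, keeps them in step; both function bodies extend beyond the hunks shown.

```c
/* Resolve the ML-DSA level once: environment first, else the compile-time default. */
static int ml_dsa_get_level(void)
{
    const char *env = getenv("ML_DSA_LEVEL");
    char *end = NULL;
    long level = ML_DSA_LEVEL;

    if (env != NULL) {
        level = strtol(env, &end, 10);
        if (end == env || *end != '\0') {
            fprintf(stderr, "error: invalid ML_DSA_LEVEL: %s\n", env);
            exit(1);
        }
    }
    if (level != 2 && level != 3 && level != 5) {
        fprintf(stderr, "error: invalid ML_DSA_LEVEL: %ld\n", level);
        exit(1);
    }
    return (int)level;
}

/* ... unchanged: get_pubkey_size() cases before KEYGEN_ML_DSA ... */
        case KEYGEN_ML_DSA:
            switch (ml_dsa_get_level()) {
                case 2:
                    size = ML_DSA_L2_PUBKEY_SIZE;
                    break;
                case 3:
                    size = ML_DSA_L3_PUBKEY_SIZE;
                    break;
                default: /* 5: the helper rejects anything else */
                    size = ML_DSA_L5_PUBKEY_SIZE;
                    break;
            }
            break;

/* ... unchanged: keygen_ml_dsa() declarations ... */
    int ml_dsa_level = ml_dsa_get_level();
    fprintf(stderr, "info: using DSA level %d\n", ml_dsa_level);
```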


@ -74,7 +74,6 @@
#undef NO_SHA256 #undef NO_SHA256
/* ML-DSA (dilithium) */ /* ML-DSA (dilithium) */
#if defined(WOLFBOOT_SIGN_ML_DSA)
#define HAVE_DILITHIUM #define HAVE_DILITHIUM
#define WOLFSSL_WC_DILITHIUM #define WOLFSSL_WC_DILITHIUM
#define WOLFSSL_EXPERIMENTAL_SETTINGS #define WOLFSSL_EXPERIMENTAL_SETTINGS
@ -86,7 +85,6 @@
#endif #endif
/* dilithium needs these sha functions. */ /* dilithium needs these sha functions. */
#define WOLFSSL_SHAKE128 #define WOLFSSL_SHAKE128
#endif /* WOLFBOOT_SIGN_ML_DSA */
/* ASN */ /* ASN */
#define WOLFSSL_ASN_TEMPLATE #define WOLFSSL_ASN_TEMPLATE


@ -36,8 +36,6 @@ else
SIGN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/sign SIGN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/sign
endif endif
SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE)
ifeq ($(TARGET),stm32f7) ifeq ($(TARGET),stm32f7)
RENODE_CONFIG=tools/renode/stm32f746_wolfboot.resc RENODE_CONFIG=tools/renode/stm32f746_wolfboot.resc
POFF=393211 POFF=393211