diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml new file mode 100644 index 0000000..9e81cef --- /dev/null +++ b/.github/workflows/zephyr.yml @@ -0,0 +1,102 @@ +name: Zephyr wolfTPM Tests + +on: + push: + branches: [ '*' ] + pull_request: + branches: [ '*' ] + +jobs: + run_test: + name: Build + strategy: + matrix: + config: + - zephyr-ref: v3.4.0 + zephyr-sdk: 0.16.1 + runs-on: ubuntu-22.04 + # This should be a safe limit for the tests to run. + timeout-minutes: 25 + steps: + - name: Install dependencies + run: | + # Don't prompt for anything + export DEBIAN_FRONTEND=noninteractive + sudo apt-get update + # most of the ci-base zephyr docker image packages + sudo apt-get install -y zip bridge-utils uml-utilities \ + git cmake ninja-build gperf ccache dfu-util device-tree-compiler wget \ + python3-dev python3-pip python3-setuptools python3-tk python3-wheel xz-utils file \ + make gcc gcc-multilib g++-multilib libsdl2-dev libmagic1 \ + autoconf automake bison build-essential ca-certificates cargo ccache chrpath cmake \ + cpio device-tree-compiler dfu-util diffstat dos2unix doxygen file flex g++ gawk gcc \ + gcovr git git-core gnupg gperf gtk-sharp2 help2man iproute2 lcov libcairo2-dev \ + libglib2.0-dev libgtk2.0-0 liblocale-gettext-perl libncurses5-dev libpcap-dev \ + libpopt0 libsdl1.2-dev libsdl2-dev libssl-dev libtool libtool-bin locales make \ + net-tools openssh-client parallel pkg-config python3-dev python3-pip \ + python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo \ + texinfo unzip wget ovmf xz-utils + + - name: Install west + run: sudo pip install west + + - name: Init west workspace + run: west init --mr ${{ matrix.config.zephyr-ref }} zephyr + + - name: Update west.yml + working-directory: zephyr/zephyr + run: | + REF=$(echo '${{ github.ref }}' | sed -e 's/\//\\\//g') + sed -e 's/remotes:/remotes:\n \- name: wolfssl\n url\-base: https:\/\/github.com\/wolfssl/' -i west.yml + sed -e "s/remotes:/remotes:\n \- name: wolftpm\n url\-base: https:\/\/github.com\/${{ github.repository_owner }}/" -i west.yml + sed -e "s/projects:/projects:\n \- name: wolftpm\n path: modules\/lib\/wolftpm\n remote: wolftpm\n revision: $REF/" -i west.yml + sed -e 's/projects:/projects:\n \- name: wolfssl\n path: modules\/crypto\/wolfssl\n remote: wolfssl\n revision: master/' -i west.yml + + - name: Update west workspace + working-directory: zephyr + run: west update -n -o=--depth=1 + + - name: Export zephyr + working-directory: zephyr + run: west zephyr-export + + - name: Install pip dependencies + working-directory: zephyr + run: sudo pip install -r zephyr/scripts/requirements.txt + + - name: Install zephyr SDK + run: | + wget -q https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v${{ matrix.config.zephyr-sdk }}/zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64_minimal.tar.xz + tar xf zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64_minimal.tar.xz + cd zephyr-sdk-${{ matrix.config.zephyr-sdk }} + ./setup.sh -h -c -t x86_64-zephyr-elf + + - name: Build wolftpm tests + id: wolftpm_build + working-directory: zephyr + run : | + west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_test + west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_caps + + # skipping tests, because no simulator TPM to run + #- name: Run wolftpm tests + # id: wolftpm_tests + # working-directory: zephyr + # run: | + # ./zephyr/scripts/twister --testsuite-root modules/lib/wolftpm --test zephyr/samples/wolftpm_wrap_caps/sample.lib.wolftpm_wrap_caps -vvv + # rm -rf zephyr/twister-out + # ./zephyr/scripts/twister --testsuite-root modules/lib/wolftpm --test zephyr/samples/wolftpm_wrap_test/sample.lib.wolftpm_wrap_test -vvv + # rm -rf zephyr/twister-out + + - name: Zip failure logs + if: ${{ failure() && steps.wolftpm_build.outcome == 'failure' }} + run: | + zip -9 -r logs.zip zephyr/twister-out + + - name: Upload failure logs + if: ${{ failure() && steps.wolftpm_build.outcome == 'failure' }} + uses: actions/upload-artifact@v4 + with: + name: zephyr-client-test-logs + path: logs.zip + retention-days: 5 diff --git a/Makefile.am b/Makefile.am index dc750f0..d5a1ded 100644 --- a/Makefile.am +++ b/Makefile.am @@ -42,6 +42,7 @@ include docs/include.am include wrapper/include.am include hal/include.am include cmake/include.am +include zephyr/include.am EXTRA_DIST+= .cyignore EXTRA_DIST+= README.md diff --git a/examples/csr/csr.c b/examples/csr/csr.c index b187920..aef5d53 100644 --- a/examples/csr/csr.c +++ b/examples/csr/csr.c @@ -38,12 +38,25 @@ #include #ifndef NO_RSA -static const char* gClientCsrRsaFile = "./certs/tpm-rsa-cert.csr"; -static const char* gClientCertRsaFile = "./certs/tpm-rsa-cert.pem"; +#ifndef RSA_CERT_CSR + #define RSA_CERT_CSR "./certs/tpm-rsa-cert.csr" #endif +#ifndef RSA_CERT_PEM + #define RSA_CERT_PEM "./certs/tpm-rsa-cert.pem" +#endif +static const char* gClientCsrRsaFile = RSA_CERT_CSR; +static const char* gClientCertRsaFile = RSA_CERT_PEM; +#endif + #ifdef HAVE_ECC -static const char* gClientCsrEccFile = "./certs/tpm-ecc-cert.csr"; -static const char* gClientCertEccFile = "./certs/tpm-ecc-cert.pem"; +#ifndef ECC_CERT_CSR + #define ECC_CERT_CSR "./certs/tpm-ecc-cert.csr" +#endif +#ifndef ECC_CERT_PEM + #define ECC_CERT_PEM "./certs/tpm-ecc-cert.pem" +#endif +static const char* gClientCsrEccFile = ECC_CERT_CSR; +static const char* gClientCertEccFile = ECC_CERT_PEM; #endif #ifndef MAX_PEM_SIZE diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c index 0e2cb0f..ae9f500 100644 --- a/examples/keygen/keygen.c +++ b/examples/keygen/keygen.c @@ -36,6 +36,28 @@ #include #include +/* Output file path defines with defaults */ +#ifndef OUTPUT_FILE + #define OUTPUT_FILE "keyblob.bin" +#endif +#ifndef EK_PUB_FILE + #define EK_PUB_FILE "ek.pub" +#endif +#ifndef SRK_PUB_FILE + #define SRK_PUB_FILE "srk.pub" +#endif + +#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) + #ifndef AK_NAME_FILE + #define AK_NAME_FILE "ak.name" + #endif + #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN) + /* PEM_FILE is NULL by default, but can be overridden */ + #ifndef PEM_FILE + #define PEM_FILE NULL + #endif + #endif +#endif /******************************************************************************/ /* --- BEGIN TPM Keygen Example -- */ @@ -121,14 +143,14 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) int keyBits = 256; const char* uniqueStr = NULL; const char* authStr = NULL; - const char *outputFile = "keyblob.bin"; - const char *ekPubFile = "ek.pub"; - const char *srkPubFile = "srk.pub"; + const char *outputFile = OUTPUT_FILE; + const char *ekPubFile = EK_PUB_FILE; + const char *srkPubFile = SRK_PUB_FILE; const char *pubFilename = NULL; #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - const char *nameFile = "ak.name"; /* Name Digest for attestation purposes */ + const char *nameFile = AK_NAME_FILE; /* Name Digest for attestation purposes */ #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN) - const char *pemFilename = NULL; + const char *pemFilename = PEM_FILE; #endif #endif const char* symMode = "aesctr"; diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c index 70dcaee..ba59d35 100644 --- a/examples/tls/tls_server.c +++ b/examples/tls/tls_server.c @@ -46,6 +46,34 @@ static int mStop = 0; double benchStart; #endif +/* CA Certificate path defines with defaults */ +#ifndef CA_RSA_CERT_PATH + #define CA_RSA_CERT_PATH "./certs/ca-rsa-cert.pem" +#endif +#ifndef WOLF_CA_RSA_CERT_PATH + #define WOLF_CA_RSA_CERT_PATH "./certs/wolf-ca-rsa-cert.pem" +#endif +#ifndef CA_ECC_CERT_PATH + #define CA_ECC_CERT_PATH "./certs/ca-ecc-cert.pem" +#endif +#ifndef WOLF_CA_ECC_CERT_PATH + #define WOLF_CA_ECC_CERT_PATH "./certs/wolf-ca-ecc-cert.pem" +#endif + +/* Server Certificate path defines with defaults */ +#ifndef SERVER_RSA_CERT_PATH + #define SERVER_RSA_CERT_PATH "./certs/server-rsa-cert.pem" +#endif +#ifndef TPM_RSA_CERT_PATH + #define TPM_RSA_CERT_PATH "./certs/tpm-rsa-cert.pem" +#endif +#ifndef SERVER_ECC_CERT_PATH + #define SERVER_ECC_CERT_PATH "./certs/server-ecc-cert.pem" +#endif +#ifndef TPM_ECC_CERT_PATH + #define TPM_ECC_CERT_PATH "./certs/tpm-ecc-cert.pem" +#endif + /* * Generating the Server Certificate * @@ -380,14 +408,14 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) /* Load CA Certificates */ if (!useECC) { #ifndef NO_RSA - if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-rsa-cert.pem", + if (wolfSSL_CTX_load_verify_locations(ctx, CA_RSA_CERT_PATH, 0) != WOLFSSL_SUCCESS) { - printf("Error loading ca-rsa-cert.pem cert\n"); + printf("Error loading %s cert\n", CA_RSA_CERT_PATH); goto exit; } - if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-rsa-cert.pem", + if (wolfSSL_CTX_load_verify_locations(ctx, WOLF_CA_RSA_CERT_PATH, 0) != WOLFSSL_SUCCESS) { - printf("Error loading wolf-ca-rsa-cert.pem cert\n"); + printf("Error loading %s cert\n", WOLF_CA_RSA_CERT_PATH); goto exit; } #else @@ -398,16 +426,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) } else { #ifdef HAVE_ECC - if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-ecc-cert.pem", + if (wolfSSL_CTX_load_verify_locations(ctx, CA_ECC_CERT_PATH, 0) != WOLFSSL_SUCCESS) { - printf("Error loading ca-ecc-cert.pem cert\n"); + printf("Error loading %s cert\n", CA_ECC_CERT_PATH); #ifndef WOLFTPM_MFG_IDENTITY /* not fatal if using mfg identity */ goto exit; #endif } - if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-ecc-cert.pem", + if (wolfSSL_CTX_load_verify_locations(ctx, WOLF_CA_ECC_CERT_PATH, 0) != WOLFSSL_SUCCESS) { - printf("Error loading wolf-ca-ecc-cert.pem cert\n"); + printf("Error loading %s cert\n", WOLF_CA_ECC_CERT_PATH); goto exit; } #else @@ -461,14 +489,18 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) WOLFSSL_FILETYPE_ASN1); #endif #else - const char* useCert = "./certs/server-rsa-cert.pem"; + const char* useCert = SERVER_RSA_CERT_PATH; if (useSelfSign) { - useCert = "./certs/tpm-rsa-cert.pem"; + useCert = TPM_RSA_CERT_PATH; } rc = wolfSSL_CTX_use_certificate_file(ctx, useCert, WOLFSSL_FILETYPE_PEM); #endif if (rc != WOLFSSL_SUCCESS) { + #ifndef NO_FILESYSTEM + printf("Error loading RSA client cert: %s\n", useCert); + #else printf("Error loading RSA client cert\n"); + #endif goto exit; } #else @@ -496,14 +528,18 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) WOLFSSL_FILETYPE_ASN1); #endif #else - const char* useCert = "./certs/server-ecc-cert.pem"; + const char* useCert = SERVER_ECC_CERT_PATH; if (useSelfSign) { - useCert = "./certs/tpm-ecc-cert.pem"; + useCert = TPM_ECC_CERT_PATH; } rc = wolfSSL_CTX_use_certificate_file(ctx, useCert, WOLFSSL_FILETYPE_PEM); #endif if (rc != WOLFSSL_SUCCESS) { + #ifndef NO_FILESYSTEM + printf("Error loading ECC client cert: %s\n", useCert); + #else printf("Error loading ECC client cert\n"); + #endif goto exit; } #else @@ -649,7 +685,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) } exit: - + mStop = 0; /* Reset the stop flag for if example is compiled into a demo */ if (rc != 0) { printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc)); } diff --git a/examples/tpm_test.h b/examples/tpm_test.h index ef47478..d54bbce 100644 --- a/examples/tpm_test.h +++ b/examples/tpm_test.h @@ -52,6 +52,19 @@ #define TPM2_DEMO_PCR_INDEX 16 +#ifndef PEM_FILE_AK + #define PEM_FILE_AK "ak.pem" +#endif +#ifndef PEM_FILE_EK + #define PEM_FILE_EK "ek.pem" +#endif +#ifndef PEM_FILE_SRK + #define PEM_FILE_SRK "srk.pem" +#endif +#ifndef PEM_FILE_KEY + #define PEM_FILE_KEY "key.pem" +#endif + static const char gStorageKeyAuth[] = "ThisIsMyStorageKeyAuth"; static const char gAiKeyAuth[] = "ThisIsMyAiKeyAuth"; static const char gKeyAuth[] = "ThisIsMyKeyAuth"; @@ -60,10 +73,10 @@ static const char gUsageAuth[] = "ThisIsASecretUsageAuth"; static const char gNvAuth[] = "ThisIsMyNvAuth"; static const char gXorAuth[] = "ThisIsMyXorAuth"; -static const char pemFileAk[] = "ak.pem"; -static const char pemFileEk[] = "ek.pem"; -static const char pemFileSrk[] = "srk.pem"; -static const char pemFileKey[] = "key.pem"; +static const char pemFileAk[] = PEM_FILE_AK; +static const char pemFileEk[] = PEM_FILE_EK; +static const char pemFileSrk[] = PEM_FILE_SRK; +static const char pemFileKey[] = PEM_FILE_KEY; /* Default Test PCR */ /* PCR16 is for DEBUG purposes, thus safe to use */ @@ -100,6 +113,8 @@ static const char pemFileKey[] = "key.pem"; #include #elif defined(WOLFTPM_MICROCHIP_HARMONY) #include "system/time/sys_time.h" +#elif defined(WOLFTPM_ZEPHYR) + #include #else #include #endif @@ -119,6 +134,9 @@ static const char pemFileKey[] = "key.pem"; SYS_TIME_CounterSet(0); return (double)(SYS_TIME_Counter64Get()) / (double)SYS_TIME_FrequencyGet(); + #elif defined(WOLFTPM_ZEPHYR) + (void)reset; + return (double)k_uptime_get() / 1000.0; #else struct timeval tv; gettimeofday(&tv, 0); diff --git a/examples/tpm_test_keys.c b/examples/tpm_test_keys.c index df044b8..338587e 100644 --- a/examples/tpm_test_keys.c +++ b/examples/tpm_test_keys.c @@ -40,8 +40,22 @@ #include -#define RSA_FILENAME "rsa_test_blob.raw" -#define ECC_FILENAME "ecc_test_blob.raw" +#ifdef WOLFTPM_ZEPHYR + #include + #define XFILE struct fs_file_t* + /* Note: Other filesystem macros (XFOPEN, XFCLOSE etc) are already defined + * in wolfSSL's wc_port.h for Zephyr */ +#else + #define XFILE FILE* +#endif + +#ifndef RSA_FILENAME + #define RSA_FILENAME "rsa_test_blob.raw" +#endif + +#ifndef ECC_FILENAME + #define ECC_FILENAME "ecc_test_blob.raw" +#endif #ifndef WOLFTPM2_NO_WRAPPER diff --git a/examples/wrap/caps.c b/examples/wrap/caps.c index 7c0965a..877234b 100644 --- a/examples/wrap/caps.c +++ b/examples/wrap/caps.c @@ -129,6 +129,8 @@ int TPM2_Wrapper_CapsArgs(void* userCtx, int argc, char *argv[]) /* Print the available PCR's */ TPM2_PCRs_Print(); + printf("wolfTPM caps read successfully\n"); + exit: /* Only doShutdown=1: Just shutdown the TPM */ wolfTPM2_Reset(&dev, 1, 0); diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c index 1d8dc29..9be359f 100644 --- a/examples/wrap/wrap_test.c +++ b/examples/wrap/wrap_test.c @@ -997,6 +997,8 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) if (rc != 0) goto exit; #endif + printf("wolfTPM wrapper test completed successfully\n"); + exit: if (rc != 0) { diff --git a/hal/tpm_io.c b/hal/tpm_io.c index b3297cb..c9c0033 100644 --- a/hal/tpm_io.c +++ b/hal/tpm_io.c @@ -73,6 +73,8 @@ #include "hal/tpm_io_microchip.c" #elif defined(WOLFSSL_ESPIDF) #include "hal/tpm_io_espressif.c" +#elif defined(WOLFSSL_ZEPHYR) +#include "hal/tpm_io_zephyr.c" #endif #if !defined(WOLFTPM_I2C) && !defined(WOLFTPM_MMIO) @@ -155,6 +157,8 @@ int TPM2_IoCb(TPM2_CTX* ctx, INT32 isRead, UINT32 addr, #elif defined(WOLFTPM_MICROCHIP_HARMONY) /* Use Microchip Harmony I2C */ ret = TPM2_IoCb_MicrochipHarmony_I2C(ctx, isRead, addr, buf, size, userCtx); + #elif defined(WOLFSSL_ZEPHYR) + ret = TPM2_IoCb_Zephyr_I2C(ctx, isRead, addr, buf, size, userCtx); #else /* TODO: Add your platform here for HW I2C interface */ printf("Add your platform here for HW I2C interface\n"); diff --git a/hal/tpm_io.h b/hal/tpm_io.h index 5c7df05..20f2865 100644 --- a/hal/tpm_io.h +++ b/hal/tpm_io.h @@ -92,6 +92,9 @@ WOLFTPM_LOCAL int TPM2_IoCb_Espressif_I2C(TPM2_CTX* ctx, int isRead, word32 addr #elif defined(WOLFTPM_MICROCHIP_HARMONY) WOLFTPM_LOCAL int TPM2_IoCb_MicrochipHarmony_I2C(TPM2_CTX* ctx, int isRead, word32 addr, byte* buf, word16 size, void* userCtx); +#elif defined(WOLFSSL_ZEPHYR) +WOLFTPM_LOCAL int TPM2_IoCb_Zephyr_I2C(TPM2_CTX* ctx, int isRead, word32 addr, + byte* buf, word16 size, void* userCtx); #endif /* __linux__ */ #else /* SPI */ diff --git a/hal/tpm_io_zephyr.c b/hal/tpm_io_zephyr.c new file mode 100644 index 0000000..7c0da80 --- /dev/null +++ b/hal/tpm_io_zephyr.c @@ -0,0 +1,186 @@ +/* tpm_io_zephyr.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfTPM. + * + * wolfTPM is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfTPM is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* This example shows IO interfaces for Zephyr-based micro-controllers + * using Zephyr's kernel and drivers + */ + +/*****************************************************************************/ +/* --- BEGIN IO Callback Logic -- */ +/*****************************************************************************/ + +/* Included via tpm_io.c if WOLFTPM_INCLUDE_IO_FILE is defined */ +#ifdef WOLFTPM_INCLUDE_IO_FILE + +#ifdef WOLFTPM_ZEPHYR + +/* Zephyr Includes Start */ +#include +#include +#include +/* Zephyr Includes End */ + +#ifdef WOLFTPM_I2C + +/* Zephyr Configurations */ + +/* I2C master clock frequency */ +/* Zephyr DTSI Defines this as I2C_BITRATE_STANDARD */ +/* This means we have a clock rate of 100 khz */ + + +/* Infineon 9673 I2C at 0x2e */ +#define TPM2_INFINEON_9673_ADDR 0x2e + +#if defined(WOLFTPM_I2C_CUST_ADDR) + #define TPM2_I2C_ADDR WOLFTPM_I2C_CUST_ADDR +#elif defined(WOLFTPM_SLB9673) + #define TPM2_I2C_ADDR TPM2_INFINEON_9673_ADDR +#else + #error Set WOLFTPM_I2C_CUST_ADDR to i2c device ID or use supported device +#endif + +/* Set to slowest speed supported in zephyr */ +#if !defined(WOLFTPM_ZEPHYR_I2C_SPEED) + #warning WOLFTPM_ZEPHYR_I2C_SPEED set to slowest Zephyr supports + #define WOLFTPM_ZEPHYR_I2C_SPEED I2C_SPEED_STANDARD +#endif + +#if !defined(WOLFTPM_ZEPHYR_I2C_BUS) + #error Set WOLFTPM_ZEPHYR_I2C_BUS to devicetree node label for i2c bus +#endif + +/* Init to False */ +static int _is_initialized_i2c = 0; + +/* Grab pointer from device tree label */ +const struct device *i2c_dev = \ + DEVICE_DT_GET(DT_NODELABEL(WOLFTPM_ZEPHYR_I2C_BUS)); + + +/* Setup the i2c tmp device */ +/* Pass in pointer to the target */ +int TPM2_I2C_Zephyr_Init(void) +{ + int ret = 0; + uint32_t config = 0; + + config = I2C_MODE_CONTROLLER | I2C_SPEED_SET(WOLFTPM_ZEPHYR_I2C_SPEED); + ret = i2c_configure(i2c_dev, config); + + return ret; +} + +int TPM2_IoCb_Zephyr_I2C(TPM2_CTX* ctx, int isRead, word32 addr, + byte* buf, word16 size, void* userCtx) +{ + int ret = 0; + byte* tempBuf = NULL; + + if (buf == NULL) { + printf("Buffer passed is NULL"); + return -1; + } + + if (i2c_dev == NULL) { + printf("I2C device not found in Device Tree!\n"); + return -1; + } + + /* Confirm i2c bus is ready */ + if (!device_is_ready(i2c_dev)) { + printf("Device is not ready"); + return -1; + } + + if (userCtx == NULL) { + //printf("UserCtx Cannot be NULL\n"); + } + + + /* Init Zephyr I2C Driver */ + if (_is_initialized_i2c == 0) { + if (TPM2_I2C_Zephyr_Init() != 0) { + printf("Could Not Init\n"); + return -1; + } + _is_initialized_i2c = 1; + } + + if (isRead) { + tempBuf = (byte*)XMALLOC(1, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (tempBuf == NULL) { + printf("Failed to allocate temp buffer\n"); + } + + tempBuf[0] = (byte)(addr & 0xFF); + + // Read operation: First send register address, then read data + ret = i2c_write_read(i2c_dev, TPM2_I2C_ADDR, tempBuf, 1, buf, size); + if (ret < 0) { + printf("Failed to read from TPM at register 0x%02X! Error: %d\n", addr, ret); + } + + XFREE(tempBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + else { + // Write operation: Register address + Data + + tempBuf = (byte*)XMALLOC(size + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (tempBuf == NULL) { + printf("Failed to allocate temp buffer\n"); + } + + tempBuf[0] = (byte)(addr & 0xFF); + XMEMCPY((tempBuf + 1), buf, size); + + ret = i2c_write(i2c_dev, tempBuf, size + 1, TPM2_I2C_ADDR); + if (ret < 0) { + printf("Failed to write to TPM at register 0x%02X! Error: %d\n", addr, ret); + } + + XFREE(tempBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + + if (ret != 0) { + printf("Could not perform operation: %d\n", ret); + if (ret == -EIO) { + printf("Input/Output Error\n"); + } + } + + + + (void)ctx; + return ret; +} + +#else /* If not I2C, it must be SPI */ + /* TODO implement SPI */ + #error TPM2 SPI support on zephyr yet +#endif + +#endif /* WOLFSSL_ZEPHYR */ +#endif /* WOLFTPM_INCLUDE_IO_FILE */ + +/******************************************************************************/ +/* --- END IO Callback Logic -- */ +/******************************************************************************/ diff --git a/src/tpm2_swtpm.c b/src/tpm2_swtpm.c index dbcc8b4..c037aca 100644 --- a/src/tpm2_swtpm.c +++ b/src/tpm2_swtpm.c @@ -43,7 +43,12 @@ #include #include +#ifdef WOLFTPM_ZEPHYR +#include +#include +#elif defined(HAVE_UNISTD_H) #include +#endif #include #include #include @@ -126,10 +131,54 @@ static TPM_RC SwTpmReceive(TPM2_CTX* ctx, void* buffer, size_t rxSz) static TPM_RC SwTpmConnect(TPM2_CTX* ctx, const char* host, const char* port) { TPM_RC rc = TPM_RC_FAILURE; + int s; + int fd = -1; + + /* Zephyr doesnt support getaddrinfo; + * so we need to use Zephyr's socket API + */ +#ifdef WOLFTPM_ZEPHYR + struct zsock_addrinfo hints; + struct zsock_addrinfo *result, *rp; + + if (ctx == NULL) { + return BAD_FUNC_ARG; + } + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + + s = zsock_getaddrinfo(host, port, &hints, &result); + if (s != 0) { + // Handle error + return rc; + } + + for (rp = result; rp != NULL; rp = rp->ai_next) { + fd = zsock_socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); + if (fd < 0) + continue; + if (zsock_connect(fd, rp->ai_addr, rp->ai_addrlen) < 0) { + zsock_close(fd); + } else { + break; + } + } + zsock_freeaddrinfo(result); + + if (rp != NULL) { + ctx->tcpCtx.fd = fd; + rc = TPM_RC_SUCCESS; + } + #ifdef DEBUG_WOLFTPM + else { + printf("Failed to connect to %s %s\n", host, port); + } + #endif +#else /* !WOLFTPM_ZEPHYR */ struct addrinfo hints; struct addrinfo *result, *rp; - int s; - int fd; if (ctx == NULL) { return BAD_FUNC_ARG; @@ -167,6 +216,7 @@ static TPM_RC SwTpmConnect(TPM2_CTX* ctx, const char* host, const char* port) printf("Failed to connect to %s %s\n", host, port); } #endif +#endif /* WOLFTPM_ZEPHYR */ return rc; } diff --git a/wolftpm/tpm2_socket.h b/wolftpm/tpm2_socket.h index 1972ca9..63fcecd 100644 --- a/wolftpm/tpm2_socket.h +++ b/wolftpm/tpm2_socket.h @@ -36,6 +36,10 @@ /* TODO: HACKY for win32 */ #undef SOCKET_INVALID #define SOCKET_INVALID 0xFFFFFFFF +#elif defined(WOLFTPM_ZEPHYR) + #include + + #define SOCKET_T int #else #include #include diff --git a/wolftpm/tpm2_types.h b/wolftpm/tpm2_types.h index ff0173b..6b9714e 100644 --- a/wolftpm/tpm2_types.h +++ b/wolftpm/tpm2_types.h @@ -263,7 +263,11 @@ typedef int64_t INT64; #define XFEOF feof #endif #ifndef XREWIND /* used in tpm_test_keys.c */ - #define XREWIND rewind + #ifdef XFREWIND + #define XREWIND XFREWIND + #else + #define XREWIND rewind + #endif #endif /* enable way for customer to override printf */ @@ -475,11 +479,10 @@ typedef int64_t INT64; /* sleep helper, used in firmware update */ #ifndef XSLEEP_MS - #ifdef WIN32 - #include - #define XSLEEP_MS(ms) Sleep(ms) - #elif defined(FREERTOS) - #define XSLEEP_MS(ms) vTaskDelay(ms) + #if defined(WOLFTPM_ZEPHYR) + /* For Zephyr, use k_sleep() instead of usleep() */ + #include + #define XSLEEP_MS(ms) k_msleep(ms) #elif defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 199309L #include #define XSLEEP_MS(ms) ({ \ @@ -488,6 +491,11 @@ typedef int64_t INT64; ts.tv_nsec = (ms % 1000) * 1000000; \ nanosleep(&ts, NULL); \ }) + #elif defined(WIN32) + #include + #define XSLEEP_MS(ms) Sleep(ms) + #elif defined(FREERTOS) + #define XSLEEP_MS(ms) vTaskDelay(ms) #else #include #define XSLEEP_MS(ms) ({ \ diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt new file mode 100644 index 0000000..4105991 --- /dev/null +++ b/zephyr/CMakeLists.txt @@ -0,0 +1,17 @@ +if(CONFIG_WOLFTPM) + zephyr_include_directories(${ZEPHYR_CURRENT_MODULE_DIR}) + zephyr_include_directories(${ZEPHYR_CURRENT_MODULE_DIR}/zephyr) + zephyr_library_include_directories(${ZEPHYR_CURRENT_MODULE_DIR}) + FILE(GLOB wolftpm_sources + ${ZEPHYR_CURRENT_MODULE_DIR}/src/*.c + ${ZEPHYR_CURRENT_MODULE_DIR}/hal/*.c + ) + target_sources(app PRIVATE ${wolftpm_sources}) + + if(CONFIG_WOLFTPM_DEBUG) + target_compile_definitions(app PUBLIC DEBUG_WOLFTPM) + endif() + + target_compile_definitions(app PUBLIC WOLFTPM_ZEPHYR) + +endif() diff --git a/zephyr/Kconfig b/zephyr/Kconfig new file mode 100644 index 0000000..dd48ded --- /dev/null +++ b/zephyr/Kconfig @@ -0,0 +1,27 @@ +menuconfig WOLFTPM + bool "wolfTPM module support" + select WOLFSSL + +if WOLFTPM +config WOLFTPM_DEBUG + bool "wolfTPM debug activation" + help + Enable debugging activation for wolfTPM. + +config WOLFTPM_I2C + bool "wolfTPM I2C support" + help + Enables the I2C HAL and Advanced IO + +config WOLFTPM_SPI + bool "wolfTPM SPI support" + help + Enables the SPI HAL (default) + +config ZEPHYR_WOLFTPM_MODULE + bool + depends on WOLFTPM +endif + +# Add relevant macros for tpm + diff --git a/zephyr/README.md b/zephyr/README.md new file mode 100644 index 0000000..da1de3f --- /dev/null +++ b/zephyr/README.md @@ -0,0 +1,82 @@ +Zephyr Project Port +=================== + +## Overview + +This port is for the Zephyr RTOS Project, available [here](https://www.zephyrproject.org/). + + +It provides the following zephyr code. + +- modules/lib/wolftpm + - wolfTPM library code +- modules/lib/wolftpm/zephyr/ + - Configuration and CMake files for wolfTPM as a Zephyr module +- modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_caps + - wolfTPM test application +- modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_test + - wolfTPM test application + +## How to setup as a Zephyr Module + +Follow the [instructions](https://docs.zephyrproject.org/latest/develop/getting_started/index.html) to setup a zephyr project. + +### Modify your project's west manifest + +Add wolfTPM as a project to your west.yml: + +``` +manifest: + remotes: + # + - name: wolftpm + url-base: https://github.com/wolfssl + + projects: + # + - name: wolftpm + path: modules/lib/wolftpm + revision: master + remote: wolftpm +``` + +Note: wolfTPM has dependencies with wolfSSL so you need to also need to add wolfSSL into the west.yml like shown above. + +Update west's modules: + +```bash +west update +``` + +Now west recognizes 'wolftpm' as a module, and will include it's Kconfig and +CMakeFiles.txt in the build system. + +## Build and Run Tests + +### Build and Run wolfTPM wrap Test Application + +If you want to run build apps without running `west zephyr-export` then it is +possible by setting the `CMAKE_PREFIX_PATH` variable to the location of the +zephyr sdk and building from the `zephyr` directory. For example: + +``` +CMAKE_PREFIX_PATH=/path/to/zephyr-sdk- west build -p always -b qemu_x86 ../modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_test/ +``` + +build and execute `wolftpm_wrap_test` + +``` +cd [zephyrproject] +west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_test +west build -t run +``` + +### Build and Run wolfTPM wrap Capabilities Application + +build and execute `wolftpm_wrap_caps` + +``` +cd [zephyrproject] +west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_caps +west build -t run +``` diff --git a/zephyr/include.am b/zephyr/include.am new file mode 100644 index 0000000..c68aaa1 --- /dev/null +++ b/zephyr/include.am @@ -0,0 +1,15 @@ +# vim:ft=automake +# included from Top Level Makefile.am +# All paths should be given relative to the root + +EXTRA_DIST+= zephyr/CMakeLists.txt +EXTRA_DIST+= zephyr/Kconfig +EXTRA_DIST+= zephyr/module.yml +EXTRA_DIST+= zephyr/README.md +EXTRA_DIST+= zephyr/user_settings.h +EXTRA_DIST+= zephyr/samples/wolftpm_wrap_caps/CMakeLists.txt +EXTRA_DIST+= zephyr/samples/wolftpm_wrap_caps/prj.conf +EXTRA_DIST+= zephyr/samples/wolftpm_wrap_caps/sample.yaml +EXTRA_DIST+= zephyr/samples/wolftpm_wrap_test/CMakeLists.txt +EXTRA_DIST+= zephyr/samples/wolftpm_wrap_test/prj.conf +EXTRA_DIST+= zephyr/samples/wolftpm_wrap_test/sample.yaml diff --git a/zephyr/module.yml b/zephyr/module.yml new file mode 100644 index 0000000..d05080e --- /dev/null +++ b/zephyr/module.yml @@ -0,0 +1,6 @@ +name: wolftpm +build: + cmake: zephyr + kconfig: zephyr/Kconfig + depends: + - wolfssl diff --git a/zephyr/samples/wolftpm_wrap_caps/CMakeLists.txt b/zephyr/samples/wolftpm_wrap_caps/CMakeLists.txt new file mode 100644 index 0000000..c8f5749 --- /dev/null +++ b/zephyr/samples/wolftpm_wrap_caps/CMakeLists.txt @@ -0,0 +1,24 @@ +cmake_minimum_required(VERSION 3.13.1) +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) +project(wolftpm_wrap_caps) + +# Include source code for wrap test +target_sources(app PRIVATE ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples/wrap/caps.c) +target_sources(app PRIVATE ${app_sources}) + +# Include header files +target_include_directories(app PRIVATE + ${ZEPHYR_BASE}/include + ${ZEPHYR_BASE}/include/zephyr + ${ZEPHYR_WOLFTPM_MODULE_DIR}/zephyr + ${ZEPHYR_WOLFTPM_MODULE_DIR}/hal + ${ZEPHYR_WOLFTPM_MODULE_DIR}/tests + ${ZEPHYR_WOLFTPM_MODULE_DIR}/wolftpm + ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples/wrap + ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples + ${ZEPHYR_WOLFTPM_MODULE_DIR} +) + +add_definitions(-DWOLFSSL_ZEPHYR) +add_definitions(-DWOLFSSL_USER_SETTINGS) +add_definitions(-DWOLFTPM_USER_SETTINGS) diff --git a/zephyr/samples/wolftpm_wrap_caps/prj.conf b/zephyr/samples/wolftpm_wrap_caps/prj.conf new file mode 100644 index 0000000..4118fd9 --- /dev/null +++ b/zephyr/samples/wolftpm_wrap_caps/prj.conf @@ -0,0 +1,45 @@ +# Configure stack and heap sizes +CONFIG_MAIN_STACK_SIZE=32768 +CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=8192 + +# Include wolfTPM config +CONFIG_WOLFTPM=y +CONFIG_WOLFTPM_I2C=n +CONFIG_WOLFTPM_SPI=n + +# POSIX file operations +CONFIG_POSIX_API=y +CONFIG_POSIX_FS=n + +# Pthreads +CONFIG_PTHREAD_IPC=y + +# Clock for time() +CONFIG_POSIX_CLOCK=y + +# TLS configuration +CONFIG_WOLFSSL=y +CONFIG_WOLFSSL_BUILTIN=y + +# Floating Point +CONFIG_FPU=y + +# Networking configuration +CONFIG_NETWORKING=y +CONFIG_NET_SOCKETS=y + +# Logging +CONFIG_PRINTK=y +CONFIG_CBPRINTF_LIBC_SUBSTS=y +CONFIG_CBPRINTF_FP_SUPPORT=y +CONFIG_CONSOLE=y +CONFIG_LOG=y +CONFIG_LOG_BACKEND_UART=y +CONFIG_LOG_BUFFER_SIZE=15360 +CONFIG_LOG_MODE_IMMEDIATE=y +#CONFIG_WOLFSSL_DEBUG=y + +# Entropy +CONFIG_TEST_RANDOM_GENERATOR=y +CONFIG_ENTROPY_GENERATOR=y +CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y diff --git a/zephyr/samples/wolftpm_wrap_caps/sample.yaml b/zephyr/samples/wolftpm_wrap_caps/sample.yaml new file mode 100644 index 0000000..b85e66d --- /dev/null +++ b/zephyr/samples/wolftpm_wrap_caps/sample.yaml @@ -0,0 +1,15 @@ +sample: + description: wolfTPM wrap caps + name: wolfTPM wrap caps +common: + harness: console + harness_config: + type: one_line + regex: + - "wolfTPM caps read successfully" +tests: + sample.lib.wolftpm_wrap_caps: + timeout: 200 + platform_allow: qemu_x86 + integration_platforms: + - qemu_x86 diff --git a/zephyr/samples/wolftpm_wrap_test/CMakeLists.txt b/zephyr/samples/wolftpm_wrap_test/CMakeLists.txt new file mode 100644 index 0000000..27ef27f --- /dev/null +++ b/zephyr/samples/wolftpm_wrap_test/CMakeLists.txt @@ -0,0 +1,24 @@ +cmake_minimum_required(VERSION 3.13.1) +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) +project(wolftpm_wrap_test) + +# Include source code for wrap test +target_sources(app PRIVATE ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples/wrap/wrap_test.c) +target_sources(app PRIVATE ${app_sources}) + +# Include header files +target_include_directories(app PRIVATE + ${ZEPHYR_BASE}/include + ${ZEPHYR_BASE}/include/zephyr + ${ZEPHYR_WOLFTPM_MODULE_DIR}/zephyr + ${ZEPHYR_WOLFTPM_MODULE_DIR}/hal + ${ZEPHYR_WOLFTPM_MODULE_DIR}/tests + ${ZEPHYR_WOLFTPM_MODULE_DIR}/wolftpm + ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples/wrap + ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples + ${ZEPHYR_WOLFTPM_MODULE_DIR} +) + +add_definitions(-DWOLFSSL_ZEPHYR) +add_definitions(-DWOLFSSL_USER_SETTINGS) +add_definitions(-DWOLFTPM_USER_SETTINGS) diff --git a/zephyr/samples/wolftpm_wrap_test/prj.conf b/zephyr/samples/wolftpm_wrap_test/prj.conf new file mode 100644 index 0000000..4118fd9 --- /dev/null +++ b/zephyr/samples/wolftpm_wrap_test/prj.conf @@ -0,0 +1,45 @@ +# Configure stack and heap sizes +CONFIG_MAIN_STACK_SIZE=32768 +CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=8192 + +# Include wolfTPM config +CONFIG_WOLFTPM=y +CONFIG_WOLFTPM_I2C=n +CONFIG_WOLFTPM_SPI=n + +# POSIX file operations +CONFIG_POSIX_API=y +CONFIG_POSIX_FS=n + +# Pthreads +CONFIG_PTHREAD_IPC=y + +# Clock for time() +CONFIG_POSIX_CLOCK=y + +# TLS configuration +CONFIG_WOLFSSL=y +CONFIG_WOLFSSL_BUILTIN=y + +# Floating Point +CONFIG_FPU=y + +# Networking configuration +CONFIG_NETWORKING=y +CONFIG_NET_SOCKETS=y + +# Logging +CONFIG_PRINTK=y +CONFIG_CBPRINTF_LIBC_SUBSTS=y +CONFIG_CBPRINTF_FP_SUPPORT=y +CONFIG_CONSOLE=y +CONFIG_LOG=y +CONFIG_LOG_BACKEND_UART=y +CONFIG_LOG_BUFFER_SIZE=15360 +CONFIG_LOG_MODE_IMMEDIATE=y +#CONFIG_WOLFSSL_DEBUG=y + +# Entropy +CONFIG_TEST_RANDOM_GENERATOR=y +CONFIG_ENTROPY_GENERATOR=y +CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y diff --git a/zephyr/samples/wolftpm_wrap_test/sample.yaml b/zephyr/samples/wolftpm_wrap_test/sample.yaml new file mode 100644 index 0000000..364e105 --- /dev/null +++ b/zephyr/samples/wolftpm_wrap_test/sample.yaml @@ -0,0 +1,15 @@ +sample: + description: wolfTPM wrap test + name: wolfTPM wrap test +common: + harness: console + harness_config: + type: one_line + regex: + - "wolfTPM wrapper test completed successfully" +tests: + sample.lib.wolftpm_wrap_test: + timeout: 200 + platform_allow: qemu_x86 + integration_platforms: + - qemu_x86 diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h new file mode 100644 index 0000000..bdf4191 --- /dev/null +++ b/zephyr/user_settings.h @@ -0,0 +1,218 @@ +/* user_settings.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfTPM. + * + * wolfTPM is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfTPM is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef _ZEPHYR_USER_SETTINGS_H_ +#define _ZEPHYR_USER_SETTINGS_H_ + +#ifdef __cplusplus +extern "C" { +#endif + +/* -- WOLFTPM ZEPHYR SETTINGS -- */ +#undef WOLFTPM_USER_SETTINGS +#define WOLFTPM_USER_SETTINGS + +#undef WOLFTPM_EXAMPLE_HAL +#define WOLFTPM_EXAMPLE_HAL + +#undef WOLFTPM_ZEPHYR +#define WOLFTPM_ZEPHYR + +/* -- WOLFSSL SETTINGS -- */ +#undef WOLFSSL_USER_SETTINGS +#define WOLFSSL_USER_SETTINGS + +#ifdef CONFIG_WOLFTPM_I2C + #define WOLFTPM_I2C + #define WOLFTPM_ADV_IO + + //#define WOLFTPM_ZEPHYR_I2C_BUS flexcomm3_lpi2c3 + //#define WOLFTPM_ZEPHYR_I2C_SPEED I2C_SPEED_STANDARD /* I2C_SPEED_FAST */ +#elif defined(CONFIG_WOLFTPM_SPI) + /* default */ +#else + #undef WOLFTPM_SWTPM + #define WOLFTPM_SWTPM +#endif + +#undef WOLF_CRYPTO_CB +#define WOLF_CRYPTO_CB + +#undef WOLFSSL_AES_CFB +#define WOLFSSL_AES_CFB + +/* -- WOLFTPM SETTINGS -- */ + +/* enable for low resource options */ +#if 0 + #define USE_LOW_RESOURCE +#endif + +#ifdef USE_LOW_RESOURCE + /* wolfCrypt only (no SSL/TLS) */ + #define WOLFCRYPT_ONLY +#else + /* wolfTPM with TLS example (v1.3 only) */ + #define WOLFSSL_TLS13 + #define WOLFSSL_NO_TLS12 + #define NO_OLD_TLS + + #define HAVE_TLS_EXTENSIONS + #define HAVE_SUPPORTED_CURVES + #define HAVE_SERVER_RENEGOTIATION_INFO + #define HAVE_ENCRYPT_THEN_MAC + + #define HAVE_HKDF + #define WC_RSA_PSS + #define WOLFSSL_PSS_LONG_SALT +#endif + +/* No threading or file system */ +#define SINGLE_THREADED + +#ifdef USE_LOW_RESOURCE + /* Single Precision math for RSA 2048 only (small) */ + #define WOLFSSL_HAVE_SP_RSA + #define WOLFSSL_SP_MATH + #define WOLFSSL_SP_SMALL + #define WOLFSSL_SP_NO_3072 /* 2048-only */ +#else + /* Enable SP math all (sp_int.c) with multi-precision support */ + #define WOLFSSL_SP_MATH_ALL +#endif + +/* Enable hardening (timing resistance) */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* Enable PRNG (SHA2-256) */ +#ifdef USE_LOW_RESOURCE + /* use TPM TRNG */ + #define WC_NO_HASHDRBG +#else + #define HAVE_HASHDRBG +#endif + +/* Asymmetric */ +#if 1 /* RSA - needed to encrypt salt */ + #undef NO_RSA + #ifdef USE_LOW_RESOURCE + #define WOLFSSL_RSA_PUBLIC_ONLY + #define WOLFSSL_RSA_VERIFY_INLINE + #define NO_CHECK_PRIVATE_KEY + #endif +#else + #define NO_RSA +#endif +#if 1 /* ECC - needed for encrypt ECC salt */ + #define HAVE_ECC + #define ECC_USER_CURVES /* default to only SECP256R1 */ +#endif +#ifndef USE_LOW_RESOURCE /* DH */ + #undef NO_DH + #define HAVE_FFDHE_2048 + #define HAVE_DH_DEFAULT_PARAMS +#else + #define NO_DH +#endif + +/* Symmetric Hash */ +#undef NO_SHA +#undef NO_SHA256 +#ifndef USE_LOW_RESOURCE + #define WOLFSSL_SHA512 + #define WOLFSSL_SHA384 +#endif + +/* Symmetric Cipher */ +#define WOLFSSL_AES_CFB +#define HAVE_AES_DECRYPT +#ifndef USE_LOW_RESOURCE + #define HAVE_AES_KEYWRAP + #define WOLFSSL_AES_DIRECT + #define HAVE_AESGCM + #define GCM_TABLE_4BIT +#else + #define NO_AES_CBC +#endif + +#if 0 /* ChaCha20 / Poly1305 */ + #define HAVE_POLY1305 + #define HAVE_CHACHA +#endif + +/* Features */ +#define WOLFSSL_ASN_TEMPLATE +#define WOLFSSL_USER_IO /* user recv/send callbacks for network IO */ +#ifndef USE_LOW_RESOURCE + #define WOLFSSL_CERT_GEN + #define WOLFSSL_CERT_REQ + #define WOLFSSL_CERT_EXT + + #define HAVE_PKCS7 + #define HAVE_X963_KDF + #define WOLFSSL_BASE64_ENCODE +#endif + +/* Disables */ +#define NO_PKCS8 +#define NO_PKCS12 +#define NO_PWDBASED +#define NO_DSA +#define NO_DES3 +#define NO_RC4 +#define NO_PSK +#define NO_MD4 +#define NO_MD5 +#define WOLFSSL_NO_SHAKE128 +#define WOLFSSL_NO_SHAKE256 +#define NO_WRITEV + +/* Low Resource Options */ +#ifdef USE_LOW_RESOURCE + #define NO_FILESYSTEM /* File system disable */ + #define NO_ERROR_STRINGS + #define WOLFSSL_NO_ASM + #define TFM_NO_ASM + #define NO_WOLFSSL_MEMORY + #define NO_SESSION_CACHE + #define RSA_LOW_MEM + #define WOLFSSL_AES_SMALL_TABLES + #define WOLFSSL_AES_NO_UNROLL + #define GCM_SMALL + #undef GCM_TABLE_4BIT + #define NO_AES_192 + #define NO_AES_256 + #define USE_SLOW_SHA + #define USE_SLOW_SHA256 + #define USE_SLOW_SHA512 + #define NO_SIG_WRAPPER + #define NO_ASN_TIME + #define NO_CODING + #define NO_BIG_INT +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* _ZEPHYR_USER_SETTINGS_H_ */