From ec7a029b0f651717139baf3636ca0e5e94eb1a97 Mon Sep 17 00:00:00 2001 From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com> Date: Fri, 6 Dec 2024 12:35:32 -0700 Subject: [PATCH] Additional fixes for new keytool features introduced in #521 --- IDE/AURIX/README.md | 10 ++--- IDE/AURIX/test-app-wolfHSM/Cpu0_Main.c | 2 + IDE/AURIX/test-app/Cpu0_Main.c | 2 + config/examples/sim-wolfHSM-mldsa.config | 6 +-- tools/scripts/tc3xx/wbaurixtool.sh | 52 ++++++++++++++++++++---- 5 files changed, 55 insertions(+), 17 deletions(-) diff --git a/IDE/AURIX/README.md b/IDE/AURIX/README.md index a767879a7..75d26ca17 100644 --- a/IDE/AURIX/README.md +++ b/IDE/AURIX/README.md @@ -292,7 +292,7 @@ cd $WOLFBOOT_DIR # Start with a clean build make clean && make keysclean && cd $WOLFBOOT_DIR/tools/keytools && make clean -cd $SCRIPTS_DIR && ./aurixtool.sh clean +cd $SCRIPTS_DIR && ./wbaurixtool.sh clean # Delete any build artifacts in wolfBoot-tc3xx (or wolfBoot-tc3xx-wolfHSM) and test-app (or test-app-wolfHSM) AURIX Studio projects # ... @@ -303,13 +303,13 @@ make keytools # Generate target.h cd $SCRIPTS_DIR -./aurixtool.sh target +./wbaurixtool.sh target # Generate keys, as well as configuration macros and linker script based on the selected signature algorithm -./aurixtool.sh [--hsm] keygen --sign-algo ecc256 --hash-algo sha256 macros lcf +./wbaurixtool.sh [--hsm] keygen --sign-algo ecc256 --hash-algo sha256 macros lcf # If using wolfHSM, generate key NVM image -./aurixtool.sh nvm +./wbaurixtool.sh nvm # Load NVM image hexfile to the device # ... @@ -320,7 +320,7 @@ cd $SCRIPTS_DIR # .... # Sign test app -./aurixtool.sh [--hsm] sign --sign-algo ecc256 --hash-algo sha256 [--debug] +./wbaurixtool.sh [--hsm] sign --sign-algo ecc256 --hash-algo sha256 [--debug] # Load wolfBoot + app in Lauterbach using tools/scripts/tc3xx/wolfBoot-loadAll-XXX.cmm # ... diff --git a/IDE/AURIX/test-app-wolfHSM/Cpu0_Main.c b/IDE/AURIX/test-app-wolfHSM/Cpu0_Main.c index 9ea976bb0..6f80c3ab3 100644 --- a/IDE/AURIX/test-app-wolfHSM/Cpu0_Main.c +++ b/IDE/AURIX/test-app-wolfHSM/Cpu0_Main.c @@ -22,6 +22,8 @@ #include "IfxPort.h" #include "IfxScuWdt.h" #include "Ifx_Types.h" + +#include "target.h" #include "wolfboot/wolfboot.h" IFX_ALIGN(4) IfxCpu_syncEvent g_cpuSyncEvent = 0; diff --git a/IDE/AURIX/test-app/Cpu0_Main.c b/IDE/AURIX/test-app/Cpu0_Main.c index 9ea976bb0..6f80c3ab3 100644 --- a/IDE/AURIX/test-app/Cpu0_Main.c +++ b/IDE/AURIX/test-app/Cpu0_Main.c @@ -22,6 +22,8 @@ #include "IfxPort.h" #include "IfxScuWdt.h" #include "Ifx_Types.h" + +#include "target.h" #include "wolfboot/wolfboot.h" IFX_ALIGN(4) IfxCpu_syncEvent g_cpuSyncEvent = 0; diff --git a/config/examples/sim-wolfHSM-mldsa.config b/config/examples/sim-wolfHSM-mldsa.config index 60778d9ae..3e8c97007 100644 --- a/config/examples/sim-wolfHSM-mldsa.config +++ b/config/examples/sim-wolfHSM-mldsa.config @@ -12,17 +12,17 @@ DEBUG=1 # Category 2: ML_DSA_LEVEL=2 IMAGE_SIGNATURE_SIZE=2420 -IMAGE_HEADER_SIZE?=8192 +IMAGE_HEADER_SIZE=8192 # # Category 3: # ML_DSA_LEVEL=3 # IMAGE_SIGNATURE_SIZE=3309 -# IMAGE_HEADER_SIZE?=8192 +# IMAGE_HEADER_SIZE=8192 # # Category 5: # ML_DSA_LEVEL=5 # IMAGE_SIGNATURE_SIZE=4627 -# IMAGE_HEADER_SIZE?=12288 +# IMAGE_HEADER_SIZE=12288 # This example needs a larger sector size. # WOLFBOOT_SECTOR_SIZE=0x3000 # diff --git a/tools/scripts/tc3xx/wbaurixtool.sh b/tools/scripts/tc3xx/wbaurixtool.sh index 06dd66b92..90c6553d8 100644 --- a/tools/scripts/tc3xx/wbaurixtool.sh +++ b/tools/scripts/tc3xx/wbaurixtool.sh @@ -100,7 +100,7 @@ get_header_size() { "rsa4096") echo "1024" ;; "ed25519") echo "256" ;; "ed448") echo "512" ;; - "lms"|"xmss") echo "0" ;; + "lms"|"xmss") echo "0" ;; # currently not supported "none") echo "256" ;; *) echo "256" ;; # Default esac @@ -164,10 +164,22 @@ usage() { # Function to generate keys do_keygen() { - local base_dir="../../../" + local sign_algo="${KEYGEN_OPTS[sign_algo]:-$DEFAULT_SIGN_ALGO}" + local pq_params="${COMMON_OPTS[sign_pq_params]}" + local header_size + + # Get header size for current algorithm + header_size=$(get_header_size "$sign_algo" "$pq_params") + + echo "Generating keys with algorithm: $sign_algo" + + # Set environment variables for keygen tool + export IMAGE_HEADER_SIZE="$header_size" + if [ "$sign_algo" = "ml_dsa" ]; then + export ML_DSA_LEVEL="${pq_params:-2}" # Default to level 2 if not specified + fi - echo "Generating keys with algorithm: ${KEYGEN_OPTS[sign_algo]}" - (cd $base_dir && tools/keytools/keygen --"${KEYGEN_OPTS[sign_algo]}" -g $(basename $PRVKEY_DER) --exportpubkey \ + (cd $WOLFBOOT_DIR && tools/keytools/keygen --"$sign_algo" -g $(basename $PRVKEY_DER) --exportpubkey \ ${KEYGEN_OPTS[nolocalkeys]:+--nolocalkeys} --der) } @@ -176,9 +188,18 @@ do_sign() { local base_path="../../../IDE/AURIX" local app_name="test-app${HSM:+-wolfHSM}" local sign_algo="${SIGN_OPTS[sign_algo]:-${KEYGEN_OPTS[sign_algo]}}" + local pq_params="${COMMON_OPTS[sign_pq_params]}" + local header_size + local bin_path="$base_path/$app_name/TriCore ${SIGN_OPTS[build_type]} (GCC)/$app_name.bin" + + # Get header size for current algorithm + header_size=$(get_header_size "$sign_algo" "$pq_params") + + # Set IMAGE_HEADER_SIZE environment variable for sign tool + export IMAGE_HEADER_SIZE="$header_size" echo "Signing binaries with $sign_algo and ${SIGN_OPTS[hash_algo]}" - local bin_path="$base_path/$app_name/TriCore ${SIGN_OPTS[build_type]} (GCC)/$app_name.bin" + echo "Using header size: $header_size" # Sign for both partition 1 and 2 ../../keytools/sign --"$sign_algo" --"${SIGN_OPTS[hash_algo]}" "$bin_path" "$PRVKEY_DER" 1 @@ -264,11 +285,24 @@ do_gen_macros() { use_wolfhsm_pubkey_id="-DWOLFBOOT_USE_WOLFHSM_PUBKEY_ID" fi - # Set image signature size and ML-DSA level only for ML-DSA + # Quirk: set additional (redundant) macros for ML DSA based on pq_params if [[ "${sign_algo,,}" == ml_dsa* ]]; then - image_signature_size="-DIMAGE_SIGNATURE_SIZE=2420" - ml_dsa_image_signature_size="-DML_DSA_IMAGE_SIGNATURE_SIZE=2420" - ml_dsa_level="-DML_DSA_LEVEL=2" + local level="${pq_params:-2}" # Default to level 2 if not specified + case "$level" in + 2) + image_signature_size="-DIMAGE_SIGNATURE_SIZE=2420" + ml_dsa_image_signature_size="-DML_DSA_IMAGE_SIGNATURE_SIZE=2420" + ;; + 3) + image_signature_size="-DIMAGE_SIGNATURE_SIZE=3300" + ml_dsa_image_signature_size="-DML_DSA_IMAGE_SIGNATURE_SIZE=3300" + ;; + 5) + image_signature_size="-DIMAGE_SIGNATURE_SIZE=5200" + ml_dsa_image_signature_size="-DML_DSA_IMAGE_SIGNATURE_SIZE=5200" + ;; + esac + ml_dsa_level="-DML_DSA_LEVEL=$level" fi echo "Generating macros file with sign_algo=$sign_algo, hash_algo=$hash_algo"