From bf4c8017ddaca7db6e10d9f009abfe84b0d2f5cf Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 25 Nov 2024 14:38:29 -0800 Subject: [PATCH 01/29] Test: adding action to build keytools on windows. * Update key tools VS project to 2022. * Fix a few warnings in sign.c * Fix issues with windows already having min/max. * Fix (workaround) issue with key tools needing WOLFBOOT_SECTOR_SIZE. --- .github/workflows/build-keytools-windows.yml | 38 ++++++++++++++++++++ include/delta.h | 5 ++- src/delta.c | 1 + src/libwolfboot.c | 4 ++- tools/keytools/sign.c | 9 ++--- tools/keytools/wolfBootKeygenTool.vcxproj | 23 ++++++------ tools/keytools/wolfBootSignTool.vcxproj | 33 +++++++++-------- 7 files changed, 82 insertions(+), 31 deletions(-) create mode 100644 .github/workflows/build-keytools-windows.yml diff --git a/.github/workflows/build-keytools-windows.yml b/.github/workflows/build-keytools-windows.yml new file mode 100644 index 000000000..718da2a4f --- /dev/null +++ b/.github/workflows/build-keytools-windows.yml @@ -0,0 +1,38 @@ +name: Build Windows Keytools executables + +on: + push: + branches: + - master + pull_request: + branches: [ '*' ] + +jobs: + build-windows: + runs-on: windows-latest + + steps: + # Step 1: Checkout the repository + - name: Checkout Code + uses: actions/checkout@v3 + with: + submodules: true + + # Step 2: Setup MSBuild + - name: Setup MSBuild + uses: microsoft/setup-msbuild@v1 + + # Step 3: Build the solution + - name: Build Solution + shell: cmd + run: | + echo #define WOLFBOOT_SECTOR_SIZE 1024 > include\target.h + MSBuild.exe tools\keytools\wolfBootKeyTools.sln /m /p:Configuration=Release /p:Platform="x64" + + # Step 4: Upload executables as artifacts + - name: Upload EXE Artifacts + uses: actions/upload-artifact@v3 + with: + name: windows-keytools + path: | + tools\keytools\*.exe diff --git a/include/delta.h b/include/delta.h index c60b85d01..6a16068c6 100644 --- a/include/delta.h +++ b/include/delta.h 
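Review bot: The three `uses:` steps in `build-keytools-windows.yml` reference mutable tags (`actions/checkout@v3`, `microsoft/setup-msbuild@v1`, `actions/upload-artifact@v3`) and the workflow has no `permissions:` block, so the job that builds and uploads `sign.exe`/`keygen.exe` runs third-party code that can change under the tag, with whatever token scope the repository defaults to. Because the uploaded artifacts are the signing tools themselves, pin each action to a full commit SHA and add a top-level `permissions:` with `contents: read`. The `echo #define WOLFBOOT_SECTOR_SIZE 1024 > include\target.h` step also bakes a fixed sector size into the uploaded binaries. A comment such as `# placeholder sector size, CI smoke build only` would stop the artifact being mistaken for a release build.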
@@ -34,9 +34,12 @@ */ #ifndef WOLFBOOT_DELTA_H #define WOLFBOOT_DELTA_H -#include "target.h" +#include + +#ifndef DELTA_PATCH_BLOCK_SIZE #define DELTA_PATCH_BLOCK_SIZE 1024 +#endif struct wb_patch_ctx { uint8_t *src_base; diff --git a/src/delta.c b/src/delta.c index 503a0a8af..201360495 100644 --- a/src/delta.c +++ b/src/delta.c @@ -22,6 +22,7 @@ #include #include #include +#include /* WOLFBOOT_SECTOR_SIZE */ #define ESC 0x7f diff --git a/src/libwolfboot.c b/src/libwolfboot.c index 93e27b19f..b22c9d6cf 100644 --- a/src/libwolfboot.c +++ b/src/libwolfboot.c @@ -117,8 +117,10 @@ static uint32_t ext_cache; #endif -#if defined(__WOLFBOOT) || defined (UNIT_TEST) +#if defined(__WOLFBOOT) || defined(UNIT_TEST) #define WOLFSSL_MISC_INCLUDED /* allow misc.c code to be inlined */ +#include +#include #include /* for ByteReverseWord32 */ #if defined(EXT_ENCRYPTED) || defined(UNIT_TEST) static uint32_t wb_reverse_word32(uint32_t x) diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index 77a3d4f4a..c13ad6136 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -1809,7 +1809,7 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in struct stat st; void *base = NULL; void *buffer = NULL; - uint8_t dest[WOLFBOOT_SECTOR_SIZE]; + static uint8_t dest[WOLFBOOT_SECTOR_SIZE]; uint8_t ff = 0xff; int r; uint32_t blksz = WOLFBOOT_SECTOR_SIZE; 
@@ -1887,11 +1887,11 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in /* Retrieve the hash digest of the base image */ if (CMD.hash_algo == HASH_SHA256) - base_hash_sz = sign_tool_find_header(base + 8, HDR_SHA256, &base_hash); + base_hash_sz = sign_tool_find_header((uint8_t*)base + 8, HDR_SHA256, &base_hash); else if (CMD.hash_algo == HASH_SHA384) - base_hash_sz = sign_tool_find_header(base + 8, HDR_SHA384, &base_hash); + base_hash_sz = sign_tool_find_header((uint8_t*)base + 8, HDR_SHA384, &base_hash); else if (CMD.hash_algo == HASH_SHA3) - base_hash_sz = sign_tool_find_header(base + 8, HDR_SHA3_384, &base_hash); + base_hash_sz = sign_tool_find_header((uint8_t*)base + 8, HDR_SHA3_384, &base_hash); #if HAVE_MMAP /* Open second image file */ @@ -2656,6 +2656,7 @@ int main(int argc, char** argv) CMD.fw_version = argv[i+2]; } + memset(buf, 0, sizeof(buf)); strncpy((char*)buf, CMD.image_file, sizeof(buf)-1); tmpstr = strrchr((char*)buf, '.'); if (tmpstr) { diff --git a/tools/keytools/wolfBootKeygenTool.vcxproj b/tools/keytools/wolfBootKeygenTool.vcxproj index a0215ae92..8d729e005 100644 --- a/tools/keytools/wolfBootKeygenTool.vcxproj +++ b/tools/keytools/wolfBootKeygenTool.vcxproj @@ -22,32 +22,32 @@ {599F7765-B224-41D4-AA56-597FFA9763BC} Win32Proj wolfBootKeygenTool - 10.0.16299.0 + 10.0 Application true - v141 + v143 Unicode Application false - v141 + v143 true Unicode Application true - v141 + v143 Unicode Application false - v141 + v143 true Unicode @@ -72,6 +72,7 @@ true keygen + $(Platform)\$(Configuration)\$(ProjectName)\ true @@ -81,10 +82,12 @@ false keygen + $(Platform)\$(Configuration)\$(ProjectName)\ false keygen + $(Platform)\$(Configuration)\$(ProjectName)\ @@ -93,7 +96,7 @@ Level3 Disabled .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) - WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions) + WOLFSSL_USER_SETTINGS;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions) Console 
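Review bot: In the `main` hunk of `tools/keytools/sign.c`, `strncpy((char*)buf, CMD.image_file, sizeof(buf)-1)` still truncates an over-long image path silently; the added `memset` only guarantees termination. The `strrchr((char*)buf, '.')` that follows then works on the shortened name, so the derived file name can differ from the path the user passed, presumably without any diagnostic. Rejecting the input up front is safer for a signing tool, e.g. `if (strlen(CMD.image_file) >= sizeof(buf)) { fprintf(stderr, "Image path too long\n"); exit(1); }`. The declaration of `buf` and the rest of `main` are outside the hunk.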
@@ -107,7 +110,7 @@ Level3 Disabled .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) - WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions) + WOLFSSL_USER_SETTINGS;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions) Console @@ -123,7 +126,7 @@ true true .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) - WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions) + WOLFSSL_USER_SETTINGS;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions) Console @@ -141,7 +144,7 @@ true true .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) - WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions) + WOLFSSL_USER_SETTINGS;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions) Console @@ -180,4 +183,4 @@ - \ No newline at end of file + diff --git a/tools/keytools/wolfBootSignTool.vcxproj b/tools/keytools/wolfBootSignTool.vcxproj index 12d8ed03a..18db45bf1 100755 --- a/tools/keytools/wolfBootSignTool.vcxproj +++ b/tools/keytools/wolfBootSignTool.vcxproj @@ -22,32 +22,32 @@ {0E5B9C81-CA2B-47CA-BA83-074078CF3393} Win32Proj wolfBootSignTool - 10.0.16299.0 + 10.0 Application true - v141 + v143 Unicode Application false - v141 + v143 true Unicode Application true - v141 + v143 Unicode Application false - v141 + v143 true Unicode @@ -72,6 +72,7 @@ true sign + $(Platform)\$(Configuration)\$(ProjectName)\ true @@ -81,10 +82,12 @@ false sign + $(Platform)\$(Configuration)\$(ProjectName)\ false sign + $(Platform)\$(Configuration)\$(ProjectName)\ @@ -92,8 +95,8 @@ Level3 Disabled - WOLFSSL_USER_SETTINGS;DELTA_UPDATES;%(PreprocessorDefinitions) - .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) + WOLFSSL_USER_SETTINGS;DELTA_UPDATES;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions) + .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) Console 
@@ -106,8 +109,8 @@ Level3 Disabled - WOLFSSL_USER_SETTINGS;DELTA_UPDATES;%(PreprocessorDefinitions) - .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) + WOLFSSL_USER_SETTINGS;DELTA_UPDATES;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions) + .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) Console @@ -122,8 +125,8 @@ MaxSpeed true true - WOLFSSL_USER_SETTINGS;DELTA_UPDATES;%(PreprocessorDefinitions) - .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) + WOLFSSL_USER_SETTINGS;DELTA_UPDATES;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions) + .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) Console @@ -140,8 +143,8 @@ MaxSpeed true true - WOLFSSL_USER_SETTINGS;DELTA_UPDATES;%(PreprocessorDefinitions) - .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) + WOLFSSL_USER_SETTINGS;DELTA_UPDATES;WOLFSSL_HAVE_MIN;WOLFSSL_HAVE_MAX;%(PreprocessorDefinitions) + .;../../lib/wolfssl;../../include;%(AdditionalIncludeDirectories) Console @@ -151,7 +154,7 @@ - + @@ -187,4 +190,4 @@ - \ No newline at end of file + From 6c8aafe09d1a39dbeb5ef2f7ae14b87e3c84cb53 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 26 Nov 2024 10:57:06 +0100 Subject: [PATCH 02/29] Remove keytools dependency on IMAGE_HEADER_SIZE. - Added getenv() to override the value at runtime - Removed doc on old python tools --- docs/Signing.md | 36 ++++++++++++++---------------------- tools/keytools/Makefile | 5 ----- tools/keytools/sign.c | 34 ++++++++++++++++++++-------------- 3 files changed, 34 insertions(+), 41 deletions(-) diff --git a/docs/Signing.md b/docs/Signing.md index 1f9f81822..e0fa7af76 100644 --- a/docs/Signing.md +++ b/docs/Signing.md 
@@ -4,39 +4,18 @@ server) environment to manage wolfBoot private keys and sign the initial firmware and all the updates for the target. -## C or Python - -The tools are distributed in two versions, using the same command line syntax, -for portability reasons. - -By default, C keytools are compiled. The makefiles and scripts in this -repository will use the C tools. - -### C Key Tools +## C Key Tools A standalone C version of the key tools is available in: `./tools/keytools`. These can be built in `tools/keytools` using `make` or from the wolfBoot root using `make keytools`. -If the C version of the key tools exists they will be used by wolfBoot's makefile and scripts. - #### Windows Visual Studio Use the `wolfBootSignTool.vcxproj` Visual Studio project to build the `sign.exe` and `keygen.exe` tools for use on Windows. If you see any error about missing `target.h` this is a generated file based on your .config using the make process. It is needed for `WOLFBOOT_SECTOR_SIZE` used in delta updates. -### Python key tools - -**Please note that the Python tools are deprecated and will be removed in future versions.** - -In order to use the python key tools, ensure that the `wolfcrypt` package is -installed in your python environment. In most systems it's sufficient to run a -command similar to: - -`pip install wolfcrypt` - -to ensure that the dependencies are met. ## Command Line Usage 
@@ -78,6 +57,19 @@ Usage: `sign [OPTIONS] IMAGE.BIN KEY.DER VERSION` `VERSION`: The version associated with this signed software `OPTIONS`: Zero or more options, described below +#### Image header size + +By default, the manifest header size used by SIGN tool depends on the ideal +value for the configuration chosen. In some cases however, it is necessary to use +a different value than the default. To override the `IMAGE_HEADER_SIZE` value, +set an environment variable with the same name and the desired value, via `setenv`, +`export`, or simply inlining it with the sign command: + +``` +IMAGE_HEADER_SIZE=2048 sign [OPTIONS] IMAGE.BIN KEY.DER VERSION +``` + + #### Public key signature options If none of the following arguments is given, the tool will try to guess the key diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile index 65bf71b85..eeae52fc2 100644 --- a/tools/keytools/Makefile +++ b/tools/keytools/Makefile @@ -79,11 +79,6 @@ else CFLAGS+=$(OPTIMIZE) endif -ifeq ($(IMAGE_HEADER_SIZE),) - IMAGE_HEADER_SIZE=256 -endif - -CFLAGS+=-DIMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) CFLAGS+=-DDELTA_UPDATES ifneq ($(RENESAS_KEY),) diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index c13ad6136..b8e0d7cff 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -147,9 +147,6 @@ static inline int fp_truncate(FILE *f, size_t len) #define PATH_MAX 256 #endif -#ifndef IMAGE_HEADER_SIZE - #define IMAGE_HEADER_SIZE 256 -#endif #define WOLFBOOT_MAGIC 0x464C4F57 /* WOLF */ @@ -314,7 +311,6 @@ static struct cmd_options CMD = { .sign = SIGN_AUTO, .encrypt = ENC_OFF, .hash_algo = HASH_SHA256, - .header_sz = IMAGE_HEADER_SIZE, .partition_id = HDR_IMG_TYPE_APP, .hybrid = 0 }; 
@@ -324,7 +320,7 @@ static uint16_t sign_tool_find_header(uint8_t *haystack, uint16_t type, uint8_t uint8_t *p = haystack; uint16_t len, htype; const volatile uint8_t *max_p = (haystack - IMAGE_HEADER_OFFSET) + - IMAGE_HEADER_SIZE; + CMD.header_sz; *ptr = NULL; if (p > max_p) { fprintf(stderr, "Illegal address (too high)\n"); @@ -344,10 +340,10 @@ static uint16_t sign_tool_find_header(uint8_t *haystack, uint16_t type, uint8_t len = p[2] | (p[3] << 8); /* check len */ - if ((4 + len) > (uint16_t)(IMAGE_HEADER_SIZE - IMAGE_HEADER_OFFSET)) { + if ((4 + len) > (uint16_t)(CMD.header_sz - IMAGE_HEADER_OFFSET)) { fprintf(stderr, "This field is too large (bigger than the space available " "in the current header)\n"); - //fprintf(stderr, "%d %d %d\n", len, IMAGE_HEADER_SIZE, IMAGE_HEADER_OFFSET); + //fprintf(stderr, "%d %d %d\n", len, CMD.header_sz, IMAGE_HEADER_OFFSET); break; } /* check max pointer */ @@ -923,13 +919,6 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, goto failure; } - if (CMD.header_sz < IMAGE_HEADER_SIZE) { - printf("image header size overridden by config value (%u bytes)\n", IMAGE_HEADER_SIZE); - CMD.header_sz = IMAGE_HEADER_SIZE; - } else { - printf("image header size calculated at runtime (%u bytes)\n", CMD.header_sz); - } - DEBUG_PRINT("Pubkey %d\n", *pubkey_sz); DEBUG_BUFFER(*pubkey, *pubkey_sz); return *key_buffer; @@ -2112,6 +2101,8 @@ static void set_signature_sizes(int secondary) { uint32_t *sz = &CMD.signature_sz; int *sign = &CMD.sign; + uint32_t suggested_sz = 0; + char *env_image_header_size; if (secondary) { sz = &CMD.secondary_signature_sz; sign = &CMD.secondary_sign; 
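Review bot: In `sign_tool_find_header`, the check `(4 + len) > (uint16_t)(CMD.header_sz - IMAGE_HEADER_OFFSET)` now narrows a runtime value to 16 bits, so once the difference no longer fits in `uint16_t` the bound wraps while `max_p`, computed just above from the full `CMD.header_sz`, does not, and the two limits disagree. With the compile-time constant the value was fixed at build time; now it can come from the `IMAGE_HEADER_SIZE` environment variable. Compare in the wider type instead: `if ((uint32_t)len + 4 > CMD.header_sz - IMAGE_HEADER_OFFSET) {`. The same function is called on the base image in `base_diff`, so it is worth confirming that `CMD.header_sz` can never exceed the size of the buffer being walked; that cannot be seen from this hunk. The commented-out `//fprintf` debug line would be better deleted than kept up to date.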
@@ -2261,6 +2252,18 @@ static void set_signature_sizes(int secondary) *sz = sig_sz; } #endif /* WOLFSSL_WC_DILITHIUM */ + + env_image_header_size = getenv("IMAGE_HEADER_SIZE"); + if (env_image_header_size) { + suggested_sz = atoi(env_image_header_size); + } + if (suggested_sz != 0) { + if (CMD.header_sz <= suggested_sz) + CMD.header_sz = suggested_sz; + else + printf("Environment variable IMAGE_HEADER_SIZE=%u overridden.\n", suggested_sz); + } + printf("Manifest header size: %u\n", CMD.header_sz); } int main(int argc, char** argv) @@ -2291,6 +2294,9 @@ int main(int argc, char** argv) exit(1); } + /* Set initial manifest header size to a minimum default value */ + CMD.header_sz = 256; + /* Parse Arguments */ for (i=1; i Date: Tue, 26 Nov 2024 11:04:09 +0100 Subject: [PATCH 03/29] Use minimum 512B of header with delta updates --- tools/keytools/sign.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index b8e0d7cff..06bee96c0 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -2263,6 +2263,10 @@ static void set_signature_sizes(int secondary) else printf("Environment variable IMAGE_HEADER_SIZE=%u overridden.\n", suggested_sz); } + if ((CMD.header_sz == 256) && (CMD.delta)) { + printf("Adjusting header size to fit base image of delta update \n"); + CMD.header_sz <<= 1; + } printf("Manifest header size: %u\n", CMD.header_sz); } From bc5e2ce2b8c6766225c390ac930fe8e140719127 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 26 Nov 2024 11:07:05 +0100 Subject: [PATCH 04/29] Makefile passes IMAGE_HEADER_SIZE to sign tool. --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index babdb552a..b34c11129 100644 --- a/Makefile +++ b/Makefile 
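Review bot: `atoi(env_image_header_size)` in `set_signature_sizes` accepts anything: a negative string becomes a very large `uint32_t` once assigned to `suggested_sz`, trailing garbage is ignored, and an out-of-range value is undefined behaviour for `atoi`. Because the result is adopted whenever it is at least `CMD.header_sz`, there is also no upper bound on the manifest header size taken from the environment. Parse with `strtoul`, require the whole string to be consumed, and reject values above a documented maximum before assigning; the limit in the sketch below is a placeholder for whatever the image format really allows. `set_signature_sizes` starts and ends outside this hunk.

```c
    env_image_header_size = getenv("IMAGE_HEADER_SIZE");
    if (env_image_header_size && *env_image_header_size != '\0') {
        char *end = NULL;
        unsigned long v = strtoul(env_image_header_size, &end, 10);
        /* MAX_MANIFEST_HEADER_SZ: placeholder name, set to the format's real limit */
        if (end == env_image_header_size || *end != '\0' ||
                v > MAX_MANIFEST_HEADER_SZ) {
            fprintf(stderr, "Invalid IMAGE_HEADER_SIZE '%s'\n",
                    env_image_header_size);
            exit(1);
        }
        suggested_sz = (uint32_t)v;
    }
    /* … unchanged: comparison with CMD.header_sz and "Manifest header size" printf … */
```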
@@ -238,10 +238,10 @@ test-app/image_v1_signed.bin: $(BOOT_IMG) @echo "\tSECONDARY_SIGN_OPTIONS=$(SECONDARY_SIGN_OPTIONS)" @echo "\tSECONDARY_PRIVATE_KEY=$(SECONDARY_PRIVATE_KEY)" - $(Q)(test $(SIGN) = NONE) || "$(SIGN_TOOL)" $(SIGN_OPTIONS) \ + $(Q)(test $(SIGN) = NONE) || IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) "$(SIGN_TOOL)" $(SIGN_OPTIONS) \ $(SECONDARY_SIGN_OPTIONS) $(BOOT_IMG) $(PRIVATE_KEY) \ $(SECONDARY_PRIVATE_KEY) 1 || true - $(Q)(test $(SIGN) = NONE) && "$(SIGN_TOOL)" $(SIGN_OPTIONS) $(BOOT_IMG) 1 || true + $(Q)(test $(SIGN) = NONE) && IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) "$(SIGN_TOOL)" $(SIGN_OPTIONS) $(BOOT_IMG) 1 || true test-app/image.elf: wolfboot.elf $(Q)$(MAKE) -C test-app WOLFBOOT_ROOT="$(WOLFBOOT_ROOT)" image.elf From 97fb3b68af47f0a42116b5a8100e7c98a04b155b Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 26 Nov 2024 11:17:35 +0100 Subject: [PATCH 05/29] Test: add IMAGE_HEADER_SIZE to sign command --- tools/test.mk | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/tools/test.mk b/tools/test.mk index 7ff4b3e9f..8e88c93ce 100644 --- a/tools/test.mk +++ b/tools/test.mk 
@@ -9,24 +9,16 @@ SIGN_ARGS= SIGN_ENC_ARGS= DELTA_DATA_SIZE?=2000 -# python version only supported using -# KEYGEN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/keygen.py" -ifeq ("$(KEYGEN_TOOL)","") - ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/keygen.exe)","") - KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen.exe - else - KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen - endif +ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/keygen.exe)","") + KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen.exe +else + KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen endif -# python version only supported using -# SIGN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/sign.py" -ifeq ("$(SIGN_TOOL)","") - ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/sign.exe)","") - SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign.exe - else - SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign - endif +ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/sign.exe)","") + SIGN_TOOL=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) $(WOLFBOOT_ROOT)/tools/keytools/sign.exe +else + SIGN_TOOL=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) $(WOLFBOOT_ROOT)/tools/keytools/sign endif # Make sign algorithm argument From 75efbd9cfb9ad62d91ca2550d638d7dfcb34e523 Mon Sep 17 00:00:00 2001 
From: Daniele Lacamera Date: Tue, 26 Nov 2024 12:56:25 +0100 Subject: [PATCH 06/29] Removed all compile-time dependency from keytools --- Makefile | 9 ++-- include/delta.h | 1 + include/wolfboot/wolfboot.h | 2 + src/delta.c | 49 ++++++++++++++++--- test-app/app_hifive1.c | 1 + test-app/app_imx_rt.c | 1 + test-app/app_kinetis.c | 1 + test-app/app_mcxa.c | 1 + test-app/app_nrf52.c | 1 + test-app/app_nrf5340.c | 1 + test-app/app_nrf5340_net.c | 1 + test-app/app_renesas_rx.c | 1 + test-app/app_sim.c | 1 + test-app/app_stm32f4.c | 1 + test-app/app_stm32f7.c | 1 + test-app/app_stm32h5.c | 3 +- test-app/app_stm32h7.c | 1 + test-app/app_stm32l0.c | 1 + test-app/app_stm32l4.c | 1 + test-app/app_stm32l5.c | 1 + test-app/app_stm32u5.c | 1 + test-app/app_stm32wb.c | 1 + tools/efi/compile_efi_linux.sh | 6 +-- tools/keytools/Makefile | 16 +----- tools/keytools/sign.c | 23 ++++++--- tools/scripts/nrf5340/build_flash.sh | 13 +++-- .../scripts/prepare_encrypted_delta_update.sh | 22 --------- tools/scripts/prepare_encrypted_update.sh | 26 ---------- tools/scripts/prepare_update.sh | 6 +-- tools/scripts/prepare_update_l5.sh | 6 +-- tools/scripts/prepare_update_l5_dualbank.sh | 8 +-- tools/scripts/prepare_update_u5.sh | 7 +-- tools/scripts/prepare_update_u5_dualbank.sh | 6 +-- tools/test-delta.mk | 8 +-- tools/test-enc.mk | 12 ++--- tools/test-renode.mk | 41 +++++++--------- tools/test.mk | 34 ++++++------- 37 files changed, 154 insertions(+), 161 deletions(-) delete mode 100755 tools/scripts/prepare_encrypted_delta_update.sh delete mode 100755 tools/scripts/prepare_encrypted_update.sh diff --git a/Makefile b/Makefile index b34c11129..dd7b3694c 100644 --- a/Makefile +++ b/Makefile @@ -85,6 +85,9 @@ ifeq ($(TARGET),ti_hercules) LSCRIPT_FLAGS+=--run_linker $(LSCRIPT) endif +# Environment variables for sign tool +SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) + MAIN_TARGET=factory.bin TARGET_H_TEMPLATE:=include/target.h.in 
@@ -218,7 +221,7 @@ $(SECONDARY_PRIVATE_KEY): $(PRIVATE_KEY) keystore.der -g $(SECONDARY_PRIVATE_KEY)) || true $(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true -keytools: include/target.h +keytools: @echo "Building key tools" @$(MAKE) -C tools/keytools -s clean @$(MAKE) -C tools/keytools -j @@ -238,10 +241,10 @@ test-app/image_v1_signed.bin: $(BOOT_IMG) @echo "\tSECONDARY_SIGN_OPTIONS=$(SECONDARY_SIGN_OPTIONS)" @echo "\tSECONDARY_PRIVATE_KEY=$(SECONDARY_PRIVATE_KEY)" - $(Q)(test $(SIGN) = NONE) || IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) "$(SIGN_TOOL)" $(SIGN_OPTIONS) \ + $(Q)(test $(SIGN) = NONE) || $(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) \ $(SECONDARY_SIGN_OPTIONS) $(BOOT_IMG) $(PRIVATE_KEY) \ $(SECONDARY_PRIVATE_KEY) 1 || true - $(Q)(test $(SIGN) = NONE) && IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) "$(SIGN_TOOL)" $(SIGN_OPTIONS) $(BOOT_IMG) 1 || true + $(Q)(test $(SIGN) = NONE) && $(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) $(BOOT_IMG) 1 || true test-app/image.elf: wolfboot.elf $(Q)$(MAKE) -C test-app WOLFBOOT_ROOT="$(WOLFBOOT_ROOT)" image.elf diff --git a/include/delta.h b/include/delta.h index 6a16068c6..10ba26caa 100644 --- a/include/delta.h +++ b/include/delta.h @@ -72,6 +72,7 @@ int wb_patch_init(WB_PATCH_CTX *bm, uint8_t *src, uint32_t ssz, uint8_t *patch, int wb_patch(WB_PATCH_CTX *ctx, uint8_t *dst, uint32_t len); int wolfBoot_get_delta_info(uint8_t part, int inverse, uint32_t **img_offset, uint32_t **img_size, uint8_t **base_hash, uint16_t *base_hash_size); +int wb_diff_get_sector_size(void); #endif diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 8a9f99e82..44c8bba98 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h @@ -30,7 +30,9 @@ extern "C" { #endif #include +#ifdef __WOLFBOOT #include "target.h" +#endif #include "wolfboot/version.h" #ifdef WOLFCRYPT_SECURE_MODE diff --git a/src/delta.c b/src/delta.c index 201360495..83e5ef6db 100644 --- a/src/delta.c +++ b/src/delta.c 
@@ -22,11 +22,11 @@ #include #include #include -#include /* WOLFBOOT_SECTOR_SIZE */ #define ESC 0x7f + #if (defined(__IAR_SYSTEMS_ICC__) && (__IAR_SYSTEMS_ICC__ > 8)) || \ defined(__GNUC__) #define BLOCK_HDR_PACKED __attribute__ ((packed)) @@ -46,7 +46,7 @@ struct BLOCK_HDR_PACKED block_hdr { #include "encrypt.h" #define ext_flash_check_write ext_flash_encrypt_write #define ext_flash_check_read ext_flash_decrypt_read -#else +#elif defined(__WOLFBOOT) #include "hal.h" #define ext_flash_check_write ext_flash_write #define ext_flash_check_read ext_flash_read @@ -169,6 +169,36 @@ int wb_patch(WB_PATCH_CTX *ctx, uint8_t *dst, uint32_t len) return dst_off; } +#ifndef __WOLFBOOT + +#include +#include +#include + +static uint32_t wolfboot_sector_size = 0; + +int wb_diff_get_sector_size(void) +{ + uint32_t sec_sz = 0; + char *env_sector_size = NULL; + env_sector_size = getenv("WOLFBOOT_SECTOR_SIZE"); + if (!env_sector_size) { + fprintf(stderr, "Please set the WOLFBOOT_SECTOR_SIZE environment variable in\n" + "order to sign a delta update.\n"); + exit(6); + } else { + sec_sz = atoi(env_sector_size); + if (sec_sz == 0) { + errno = 0; + sec_sz = strtol(env_sector_size, NULL, 16); + if (errno != 0) { + fprintf(stderr, "Invalid WOLFBOOT_SECTOR_SIZE value\n"); + exit(6); + } + } + } + return sec_sz; +} int wb_diff_init(WB_DIFF_CTX *ctx, uint8_t *src_a, uint32_t len_a, uint8_t *src_b, uint32_t len_b) { @@ -179,6 +209,8 @@ int wb_diff_init(WB_DIFF_CTX *ctx, uint8_t *src_a, uint32_t len_a, uint8_t *src_ ctx->src_b = src_b; ctx->size_a = len_a; ctx->size_b = len_b; + wolfboot_sector_size = wb_diff_get_sector_size(); + printf("WOLFBOOT_SECTOR_SIZE: %u\n", wolfboot_sector_size); return 0; } 
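Review bot: `wb_diff_get_sector_size` can return 0: for an empty or unparseable `WOLFBOOT_SECTOR_SIZE`, `atoi` yields 0, `strtol(..., NULL, 16)` also yields 0, and `errno` is not required to be set when no conversion happens, so the `exit(6)` branch is skipped. An empty value is easy to hit, since the top-level Makefile's `SIGN_ENV` expands to `WOLFBOOT_SECTOR_SIZE=` when the make variable is unset. `wb_diff` then divides by `wolfboot_sector_size` (`ctx->off_b / wolfboot_sector_size`), and `base_diff` in `sign.c` passes the same value to `malloc` and uses it as `blksz`. Validate with an end pointer and reject zero and values that do not fit the return type, as sketched below. Returning `uint32_t` instead of `int` would also match how every visible caller stores the result.

```c
int wb_diff_get_sector_size(void)
{
    const char *env_sector_size = getenv("WOLFBOOT_SECTOR_SIZE");
    char *end = NULL;
    unsigned long sec_sz;

    if (!env_sector_size) {
        /* … unchanged: "Please set the WOLFBOOT_SECTOR_SIZE…" message and exit(6) … */
    }
    /* Decimal first, then hex, as before, but only if fully consumed. */
    sec_sz = strtoul(env_sector_size, &end, 10);
    if (end == env_sector_size || *end != '\0')
        sec_sz = strtoul(env_sector_size, &end, 16);
    /* 0x7fffffff: the value must fit the int return type */
    if (end == env_sector_size || *end != '\0' ||
            sec_sz == 0 || sec_sz > 0x7fffffffUL) {
        fprintf(stderr, "Invalid WOLFBOOT_SECTOR_SIZE value\n");
        exit(6);
    }
    return (int)sec_sz;
}
```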
@@ -196,7 +228,7 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len) return -1; while ((ctx->off_b + BLOCK_HDR_SIZE < ctx->size_b) && (len > p_off + BLOCK_HDR_SIZE)) { - uintptr_t page_start = ctx->off_b / WOLFBOOT_SECTOR_SIZE; + uintptr_t page_start = ctx->off_b / wolfboot_sector_size; uintptr_t pa_start; found = 0; if (p_off + BLOCK_HDR_SIZE > len) @@ -210,14 +242,14 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len) * base for the sectors that have already been updated. */ - pa_start = WOLFBOOT_SECTOR_SIZE * page_start; + pa_start = wolfboot_sector_size * page_start; pa = ctx->src_a + pa_start; while (((uintptr_t)(pa - ctx->src_a) < (uintptr_t)ctx->size_a) && (p_off < len)) { if ((uintptr_t)(ctx->size_a - (pa - ctx->src_a)) < BLOCK_HDR_SIZE) break; if ((ctx->size_b - ctx->off_b) < BLOCK_HDR_SIZE) break; - if ((WOLFBOOT_SECTOR_SIZE - (ctx->off_b % WOLFBOOT_SECTOR_SIZE)) < BLOCK_HDR_SIZE) + if ((wolfboot_sector_size - (ctx->off_b % wolfboot_sector_size)) < BLOCK_HDR_SIZE) break; if ((memcmp(pa, (ctx->src_b + ctx->off_b), BLOCK_HDR_SIZE) == 0)) { uintptr_t b_start; @@ -238,7 +270,7 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len) /* Stop matching if the source image size limit is hit. */ break; } - if ((b_start / WOLFBOOT_SECTOR_SIZE) < ((ctx->off_b + 1) / WOLFBOOT_SECTOR_SIZE)) { + if ((b_start / wolfboot_sector_size) < ((ctx->off_b + 1) / wolfboot_sector_size)) { /* Stop matching when the sector bound is hit. */ break; } @@ -262,7 +294,7 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len) } if (!found) { /* Try matching an earlier section in the resulting image */ - uintptr_t pb_end = page_start * WOLFBOOT_SECTOR_SIZE; + uintptr_t pb_end = page_start * wolfboot_sector_size; pb = ctx->src_b; while (((uintptr_t)(pb - ctx->src_b) < pb_end) && (p_off < len)) { /* Check image boundary */ 
@@ -274,7 +306,7 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len) /* Don't try matching backwards if the distance between the two * blocks is smaller than one sector. */ - if (WOLFBOOT_SECTOR_SIZE > (page_start * WOLFBOOT_SECTOR_SIZE) + if (wolfboot_sector_size > (page_start * wolfboot_sector_size) - (pb - ctx->src_b)) break; @@ -338,5 +370,6 @@ int wb_diff(WB_DIFF_CTX *ctx, uint8_t *patch, uint32_t len) } return (int)p_off; } +#endif /* __WOLFBOOT */ #endif /* DELTA_UPDATES */ diff --git a/test-app/app_hifive1.c b/test-app/app_hifive1.c index d224b075f..608c451e0 100644 --- a/test-app/app_hifive1.c +++ b/test-app/app_hifive1.c @@ -24,6 +24,7 @@ #include #include "hal.h" #include "wolfboot/wolfboot.h" +#include "target.h" /* Change to '1' to enable uart update */ #define UART_UPDATE 0 diff --git a/test-app/app_imx_rt.c b/test-app/app_imx_rt.c index 94c49c0c1..317826d43 100644 --- a/test-app/app_imx_rt.c +++ b/test-app/app_imx_rt.c @@ -24,6 +24,7 @@ #include "fsl_debug_console.h" #include "fsl_gpio.h" #include "fsl_iomuxc.h" +#include "target.h" static int g_pinSet = false; extern void imx_rt_init_boot_clock(void); diff --git a/test-app/app_kinetis.c b/test-app/app_kinetis.c index b603fdc23..50df518dc 100644 --- a/test-app/app_kinetis.c +++ b/test-app/app_kinetis.c @@ -27,6 +27,7 @@ #include "fsl_gpio.h" #include "fsl_clock.h" #include "wolfboot/wolfboot.h" +#include "target.h" /* FRDM-K64 board */ #if defined(CPU_MK64FN1M0VLL12) diff --git a/test-app/app_mcxa.c b/test-app/app_mcxa.c index ac77c0111..087ed4334 100644 --- a/test-app/app_mcxa.c +++ b/test-app/app_mcxa.c @@ -31,6 +31,7 @@ #include "fsl_clock.h" #include "wolfboot/wolfboot.h" +#include "target.h" extern void hal_init(void); diff --git a/test-app/app_nrf52.c b/test-app/app_nrf52.c index ad7c60b8e..593a7e9ee 100644 --- a/test-app/app_nrf52.c +++ b/test-app/app_nrf52.c 
@@ -25,6 +25,7 @@ #include "wolfboot/wolfboot.h" #include "hal/nrf52.h" #include "printf.h" +#include "target.h" static const char extradata[1024 * 16] = "hi!"; diff --git a/test-app/app_nrf5340.c b/test-app/app_nrf5340.c index 1042f70c4..f4459c4a3 100644 --- a/test-app/app_nrf5340.c +++ b/test-app/app_nrf5340.c @@ -25,6 +25,7 @@ #include "wolfboot/wolfboot.h" #include "hal/nrf5340.h" #include "printf.h" +#include "target.h" void gpiotoggle(uint32_t port, uint32_t pin) { diff --git a/test-app/app_nrf5340_net.c b/test-app/app_nrf5340_net.c index 8325d754a..f79ef83a3 100644 --- a/test-app/app_nrf5340_net.c +++ b/test-app/app_nrf5340_net.c @@ -25,6 +25,7 @@ #include "wolfboot/wolfboot.h" #include "hal/nrf5340.h" #include "printf.h" +#include "target.h" void gpiotoggle(uint32_t port, uint32_t pin) { diff --git a/test-app/app_renesas_rx.c b/test-app/app_renesas_rx.c index e0116926f..ffb26dfa7 100644 --- a/test-app/app_renesas_rx.c +++ b/test-app/app_renesas_rx.c @@ -28,6 +28,7 @@ #include "hal.h" #include "printf.h" #include "wolfboot/wolfboot.h" +#include "target.h" /* route stdout to UART */ int write(int fileno, char *buf, int count) diff --git a/test-app/app_sim.c b/test-app/app_sim.c index 7221a114c..e118e5a99 100644 --- a/test-app/app_sim.c +++ b/test-app/app_sim.c @@ -26,6 +26,7 @@ #include #include #include +#include "target.h" #include "wolfboot/wolfboot.h" diff --git a/test-app/app_stm32f4.c b/test-app/app_stm32f4.c index 99d54341a..c8f1db89a 100644 --- a/test-app/app_stm32f4.c +++ b/test-app/app_stm32f4.c @@ -30,6 +30,7 @@ #include "hal.h" #include "wolfboot/wolfboot.h" #include "spi_flash.h" +#include "target.h" #ifdef TARGET_stm32f4 diff --git a/test-app/app_stm32f7.c b/test-app/app_stm32f7.c index ad19d1478..842629738 100644 --- a/test-app/app_stm32f7.c +++ b/test-app/app_stm32f7.c @@ -27,6 +27,7 @@ #include "system.h" #include "wolfboot/wolfboot.h" #include "hal.h" +#include "target.h" /* UART module */ 
diff --git a/test-app/app_stm32h5.c b/test-app/app_stm32h5.c index 91e431260..b0250c771 100644 --- a/test-app/app_stm32h5.c +++ b/test-app/app_stm32h5.c @@ -32,6 +32,7 @@ #include "uart_drv.h" #include "wolfboot/wolfboot.h" #include "keystore.h" +#include "target.h" #ifdef SECURE_PKCS11 #include "wcs/user_settings.h" @@ -867,4 +868,4 @@ void * _sbrk(unsigned int incr) } return old_heap; } -#endif \ No newline at end of file +#endif diff --git a/test-app/app_stm32h7.c b/test-app/app_stm32h7.c index c0a029a77..bba25cc17 100644 --- a/test-app/app_stm32h7.c +++ b/test-app/app_stm32h7.c @@ -38,6 +38,7 @@ #include "system.h" #include "hal.h" #include "wolfboot/wolfboot.h" +#include "target.h" #define SET_BIT(REG, BIT) ((REG) |= (BIT)) #define CLEAR_BIT(REG, BIT) ((REG) &= ~(BIT)) diff --git a/test-app/app_stm32l0.c b/test-app/app_stm32l0.c index 8b5e2748f..b4cfe8d71 100644 --- a/test-app/app_stm32l0.c +++ b/test-app/app_stm32l0.c @@ -29,6 +29,7 @@ #ifdef SPI_FLASH #include "spi_flash.h" #endif +#include "target.h" #ifdef TARGET_stm32l0 diff --git a/test-app/app_stm32l4.c b/test-app/app_stm32l4.c index d8b85dcd9..e3073901c 100644 --- a/test-app/app_stm32l4.c +++ b/test-app/app_stm32l4.c @@ -25,6 +25,7 @@ #include "led.h" #include "hal.h" #include "wolfboot/wolfboot.h" +#include "target.h" #ifdef TARGET_stm32l4 diff --git a/test-app/app_stm32l5.c b/test-app/app_stm32l5.c index a62c1f1c4..919a060d7 100644 --- a/test-app/app_stm32l5.c +++ b/test-app/app_stm32l5.c @@ -30,6 +30,7 @@ #include "uart_drv.h" #include "wolfboot/wolfboot.h" #include "wolfboot/wc_secure.h" +#include "target.h" #ifdef SECURE_PKCS11 #include "wcs/user_settings.h" diff --git a/test-app/app_stm32u5.c b/test-app/app_stm32u5.c index ea8f56dfa..d55f3d4ea 100644 --- a/test-app/app_stm32u5.c +++ b/test-app/app_stm32u5.c 
@@ -28,6 +28,7 @@ #include "system.h" #include "hal.h" #include "wolfboot/wolfboot.h" +#include "target.h" #define LED_BOOT_PIN (7) /* PH7 - Discovery - Green Led */ #define LED_USR_PIN (6) /* PH6 - Discovery - Red Led */ diff --git a/test-app/app_stm32wb.c b/test-app/app_stm32wb.c index b1d051aaa..f0a4395f9 100644 --- a/test-app/app_stm32wb.c +++ b/test-app/app_stm32wb.c @@ -28,6 +28,7 @@ #include "hal.h" #include "wolfboot/wolfboot.h" #include "uart_drv.h" +#include "target.h" #ifdef TARGET_stm32wb diff --git a/tools/efi/compile_efi_linux.sh b/tools/efi/compile_efi_linux.sh index a8bbabc16..c42c0d081 100755 --- a/tools/efi/compile_efi_linux.sh +++ b/tools/efi/compile_efi_linux.sh @@ -4,6 +4,7 @@ WORK_DIR=/tmp/wolfBoot_efi BR_VER=2022.08.3 BR_DIR=buildroot-$BR_VER IMAGE_DIR=$WORK_DIR/output +. .config if (test ! -d $WORK_DIR);then mkdir -p $WORK_DIR @@ -17,10 +18,7 @@ fi BR2_EXTERNAL=$(pwd)/tools/efi/br_ext_dir make -C $WORK_DIR/$BR_DIR tiny_defconfig O=$IMAGE_DIR make -C $WORK_DIR/$BR_DIR O=$IMAGE_DIR -SIGN_TOOL="python3 ./tools/keytools/sign.py" -if [ -f "./tools/keytools/sign" ]; then - SIGN_TOOL="./tools/keytools/sign" -fi +SIGN_TOOL="./tools/keytools/sign" $SIGN_TOOL --ed25519 $IMAGE_DIR/images/bzImage wolfboot_signing_private_key.der 1 $SIGN_TOOL --ed25519 $IMAGE_DIR/images/bzImage wolfboot_signing_private_key.der 2 diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile index eeae52fc2..00b0c5ee7 100644 --- a/tools/keytools/Makefile +++ b/tools/keytools/Makefile 
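Review bot: `. .config` in `tools/efi/compile_efi_linux.sh` sets shell variables without exporting them, and the two `$SIGN_TOOL --ed25519 …` calls are not prefixed with `IMAGE_HEADER_SIZE=`, so the sign tool's `getenv()` lookup would presumably see nothing from the sourced file and fall back to the 256-byte default. If the images should be signed with the configured header size, pass it explicitly, e.g. `IMAGE_HEADER_SIZE="$IMAGE_HEADER_SIZE" $SIGN_TOOL --ed25519 $IMAGE_DIR/images/bzImage wolfboot_signing_private_key.der 1`. Sourcing also runs the file as shell code, so confirm that `.config` only ever holds plain `NAME=value` lines; Makefile-style `?=` assignments are not valid shell.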
@@ -177,25 +177,11 @@ endif .PHONY: clean all -all: $(WOLFBOOTDIR)/include/target.h sign keygen +all: sign keygen debug: CFLAGS+=$(DEBUG_FLAGS) debug: all -# Target.h is required for key tools -$(WOLFBOOTDIR)/include/target.h: $(WOLFBOOTDIR)/include/target.h.in - @cat $(WOLFBOOTDIR)/include/target.h.in | \ - sed -e "s/@WOLFBOOT_PARTITION_SIZE@/$(WOLFBOOT_PARTITION_SIZE)/g" | \ - sed -e "s/@WOLFBOOT_SECTOR_SIZE@/$(WOLFBOOT_SECTOR_SIZE)/g" | \ - sed -e "s/@WOLFBOOT_PARTITION_BOOT_ADDRESS@/$(WOLFBOOT_PARTITION_BOOT_ADDRESS)/g" | \ - sed -e "s/@WOLFBOOT_PARTITION_UPDATE_ADDRESS@/$(WOLFBOOT_PARTITION_UPDATE_ADDRESS)/g" | \ - sed -e "s/@WOLFBOOT_PARTITION_SWAP_ADDRESS@/$(WOLFBOOT_PARTITION_SWAP_ADDRESS)/g" | \ - sed -e "s/@WOLFBOOT_DTS_BOOT_ADDRESS@/$(WOLFBOOT_DTS_BOOT_ADDRESS)/g" | \ - sed -e "s/@WOLFBOOT_DTS_UPDATE_ADDRESS@/$(WOLFBOOT_DTS_UPDATE_ADDRESS)/g" | \ - sed -e "s/@WOLFBOOT_LOAD_ADDRESS@/$(WOLFBOOT_LOAD_ADDRESS)/g" | \ - sed -e "s/@WOLFBOOT_LOAD_DTS_ADDRESS@/$(WOLFBOOT_LOAD_DTS_ADDRESS)/g" \ - > $@ - # build objects $(OBJDIR)/%.o: %.c $(Q)$(CC) $(CFLAGS) -c -o $@ $< diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index 06bee96c0..2d6a29814 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -42,13 +42,10 @@ #include #include #include -/* target.h is a generated file based on .config (see target.h.in) - * Provides: WOLFBOOT_SECTOR_SIZE */ -#include #include #include "wolfboot/version.h" -#include "wolfboot/wolfboot.h" +//#include "wolfboot/wolfboot.h" #ifdef DEBUG_SIGNTOOL #define DEBUG_PRINT(...) fprintf(stderr, __VA_ARGS__) @@ -1798,10 +1795,9 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in struct stat st; void *base = NULL; void *buffer = NULL; - static uint8_t dest[WOLFBOOT_SECTOR_SIZE]; + uint8_t *dest = NULL; uint8_t ff = 0xff; int r; - uint32_t blksz = WOLFBOOT_SECTOR_SIZE; uint32_t patch_sz, patch_inv_sz; uint32_t patch_inv_off; uint32_t delta_base_version = 0; 
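Review bot: The include block of sign.c now carries `//#include "wolfboot/wolfboot.h"`, which disables the header by commenting it out and leaves no record of why. Either delete the line or replace it with a short explanation, for example `/* wolfboot/wolfboot.h is not included here: the sign tool must build without the generated target.h */`. The reason is inferred from the removal of the target.h include in the same hunk, so adjust the wording if the motivation differs.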
@@ -1811,6 +1807,17 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in int io_sz; uint8_t *base_hash = NULL; uint32_t base_hash_sz = 0; + uint32_t wolfboot_sector_size = 0; + uint32_t blksz; + + wolfboot_sector_size = wb_diff_get_sector_size(); + printf("delta update: WOLFBOOT_SECTOR_SIZE: %u\n", wolfboot_sector_size); + blksz = wolfboot_sector_size; + dest = malloc(wolfboot_sector_size); + if (!dest) { + printf("Error allocating memory to prepare patch sectors\n"); + goto cleanup; + } /* Get source file size */ if (stat(f_base, &st) < 0) { @@ -2039,6 +2046,10 @@ static int base_diff(const char *f_base, uint8_t *pubkey, uint32_t pubkey_sz, in delta_base_version, patch_sz, patch_inv_off, patch_inv_sz, base_hash, base_hash_sz); cleanup: + if (dest) { + free(dest); + dest = NULL; + } /* Unlink output file */ unlink(wolfboot_delta_file); #if HAVE_MMAP diff --git a/tools/scripts/nrf5340/build_flash.sh b/tools/scripts/nrf5340/build_flash.sh index f339b004b..26bc98574 100755 --- a/tools/scripts/nrf5340/build_flash.sh +++ b/tools/scripts/nrf5340/build_flash.sh @@ -15,6 +15,9 @@ # Build dela update version 3 and flash to external (also reprograms internal flash) # ./tools/scripts/nrf5340/build_flash.sh --delta +#import config for IMAGE_HEADER_SIZE and WOLFBOOT_SECTOR_SIZE +. config/examples/nrf5340.config + # Defaults MAKE_ARGS=" DEBUG_SYMBOLS=1" DO_CLEAN=0 @@ -28,6 +31,8 @@ DO_PROGRAM_EXT=0 DO_DELTA=0 UPDATE_VERSION=1 +SIGN_ENV=IMAGE_HEADER_SIZE=$IMAGE_HEADER_SIZE WOLFBOOT_SECTOR_SIZE=$WOLFBOOT_SECTOR_SIZE +SIGN_TOOL=tools/keytools/sign SIGN_ARGS="--ecc384 --sha384" #SIGN_ARGS="--ecc256 --sha256" 
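Review bot: The value returned by wb_diff_get_sector_size() in base_diff is passed to malloc() and copied into `blksz` without a range check, so a zero result (for example from an unset setting) would give a zero-length `dest` buffer and a zero block size for the rest of the function. wb_diff_get_sector_size() is not defined in this part of the patch and may already reject bad values; if it does not, a guard before the allocation such as `if (wolfboot_sector_size == 0) { fprintf(stderr, "Error: invalid WOLFBOOT_SECTOR_SIZE\n"); goto cleanup; }` would fail early. The two new messages also go to stdout through printf(), whereas other error paths in this file use `fprintf(stderr, ...)`. base_diff begins and ends outside this hunk, so how `blksz` and `dest` are consumed is not visible here.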
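Review bot: The `SIGN_ENV=IMAGE_HEADER_SIZE=$IMAGE_HEADER_SIZE WOLFBOOT_SECTOR_SIZE=$WOLFBOOT_SECTOR_SIZE` line in build_flash.sh is unquoted, so the shell parses it as two separate assignments and SIGN_ENV ends up holding only the IMAGE_HEADER_SIZE part. The `$SIGN_ENV $SIGN_TOOL ...` calls in the DO_UPDATE and DO_DELTA hunks also cannot act as an environment prefix, because assignment words are recognised before expansion and the expanded `IMAGE_HEADER_SIZE=...` text is then run as a command name. Exporting once after the config is sourced, `export IMAGE_HEADER_SIZE WOLFBOOT_SECTOR_SIZE`, and calling `$SIGN_TOOL $SIGN_ARGS ...` directly avoids both problems. If the variables should not be visible to other commands, `env "IMAGE_HEADER_SIZE=$IMAGE_HEADER_SIZE" "WOLFBOOT_SECTOR_SIZE=$WOLFBOOT_SECTOR_SIZE" $SIGN_TOOL ...` is the alternative.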
@@ -161,8 +166,8 @@ fi if [[ $DO_UPDATE == 1 ]]; then # Sign flash update for testing (for network partition using --id 2) - tools/keytools/sign $SIGN_ARGS --id 2 tools/scripts/nrf5340/image_net.bin wolfboot_signing_private_key.der $UPDATE_VERSION - tools/keytools/sign $SIGN_ARGS tools/scripts/nrf5340/image_app.bin wolfboot_signing_private_key.der $UPDATE_VERSION + $SIGN_ENV $SIGN_TOOL $SIGN_ARGS --id 2 tools/scripts/nrf5340/image_net.bin wolfboot_signing_private_key.der $UPDATE_VERSION + $SIGN_ENV $SIGN_TOOL $SIGN_ARGS tools/scripts/nrf5340/image_app.bin wolfboot_signing_private_key.der $UPDATE_VERSION # Create a bin footer with wolfBoot trailer "BOOT" and "p" (ASCII for 0x70 == IMG_STATE_UPDATING): echo -n "pBOOT" > tools/scripts/nrf5340/trigger_magic.bin @@ -177,8 +182,8 @@ fi if [[ $DO_DELTA == 1 ]]; then # Sign flash update for testing (for network partition using --id 2) delta between v1 and v3 - tools/keytools/sign $SIGN_ARGS --id 2 --delta tools/scripts/nrf5340/image_net_v1_signed.bin tools/scripts/nrf5340/image_net.bin wolfboot_signing_private_key.der $UPDATE_VERSION - tools/keytools/sign $SIGN_ARGS --delta tools/scripts/nrf5340/image_app_v1_signed.bin tools/scripts/nrf5340/image_app.bin wolfboot_signing_private_key.der $UPDATE_VERSION + $SIGN_ENV $SIGN_TOOL $SIGN_ARGS --id 2 --delta tools/scripts/nrf5340/image_net_v1_signed.bin tools/scripts/nrf5340/image_net.bin wolfboot_signing_private_key.der $UPDATE_VERSION + $SIGN_ENV $SIGN_TOOL $SIGN_ARGS --delta tools/scripts/nrf5340/image_app_v1_signed.bin tools/scripts/nrf5340/image_app.bin wolfboot_signing_private_key.der $UPDATE_VERSION # Create a bin footer with wolfBoot trailer "BOOT" and "p" (ASCII for 0x70 == IMG_STATE_UPDATING): echo -n "pBOOT" > tools/scripts/nrf5340/trigger_magic.bin diff --git a/tools/scripts/prepare_encrypted_delta_update.sh b/tools/scripts/prepare_encrypted_delta_update.sh deleted file mode 100755 index 655aaa22d..000000000 
--- a/tools/scripts/prepare_encrypted_delta_update.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -SIGN_TOOL="python3 ./tools/keytools/sign.py" -if [ -f "./tools/keytools/sign" ]; then - SIGN_TOOL="./tools/keytools/sign" -fi - -# SIZE is WOLFBOOT_PARTITION_SIZE - 49 (44B: key + nonce, 5B: "pBOOT") -SIZE=131023 -VERSION=7 -APP=test-app/image_v"$VERSION"_signed_diff_encrypted.bin - -# Create test key -echo -n "0123456789abcdef0123456789abcdef0123456789ab" > enc_key.der - -$SIGN_TOOL --ecc256 \ - --encrypt enc_key.der \ - --delta test-app/image_v1_signed.bin \ - test-app/image.bin wolfboot_signing_private_key.der $VERSION -dd if=/dev/zero bs=$SIZE count=1 2>/dev/null | tr "\000" "\377" > update.bin -dd if=$APP of=update.bin bs=1 conv=notrunc -printf "pBOOT" >> update.bin diff --git a/tools/scripts/prepare_encrypted_update.sh b/tools/scripts/prepare_encrypted_update.sh deleted file mode 100755 index 1b3661ecf..000000000 --- a/tools/scripts/prepare_encrypted_update.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash - -SIGN_TOOL="python3 ./tools/keytools/sign.py" -if [ -f "./tools/keytools/sign" ]; then - SIGN_TOOL="./tools/keytools/sign" -fi - -# SIZE is WOLFBOOT_PARTITION_SIZE - 49 (44B: key + nonce, 5B: "pBOOT") -SIZE=131023 -#SIZE=65487 -VERSION=8 -APP=test-app/image_v"$VERSION"_signed_and_encrypted.bin - -# Create test key -echo -n "0123456789abcdef0123456789abcdef0123456789ab" > enc_key.der - -$SIGN_TOOL --ecc256 --encrypt enc_key.der test-app/image.bin wolfboot_signing_private_key.der $VERSION -dd if=/dev/zero bs=$SIZE count=1 2>/dev/null | tr "\000" "\377" > update.bin -dd if=$APP of=update.bin bs=1 conv=notrunc - -printf "pBOOT" >> update.bin - -#Make a 1MB rom image for SPI -rm -f update.rom -dd if=/dev/zero bs=1M count=1 2>/dev/null | tr "\000" "\377" > update.rom -dd if=update.bin of=update.rom bs=1 conv=notrunc diff --git a/tools/scripts/prepare_update.sh b/tools/scripts/prepare_update.sh index 576690f9c..251fe93f4 100755 --- a/tools/scripts/prepare_update.sh 
+++ b/tools/scripts/prepare_update.sh @@ -1,9 +1,7 @@ #!/bin/bash -SIGN_TOOL="python3 ./tools/keytools/sign.py" -if [ -f "./tools/keytools/sign" ]; then - SIGN_TOOL="./tools/keytools/sign" -fi +. .config +SIGN_TOOL="./tools/keytools/sign" # SIZE is WOLFBOOT_PARTITION_SIZE - 5 SIZE=131067 diff --git a/tools/scripts/prepare_update_l5.sh b/tools/scripts/prepare_update_l5.sh index 2ab7c39b7..9a85d8d1f 100755 --- a/tools/scripts/prepare_update_l5.sh +++ b/tools/scripts/prepare_update_l5.sh @@ -1,9 +1,7 @@ #!/bin/bash -SIGN_TOOL="python3 ./tools/keytools/sign.py" -if [ -f "./tools/keytools/sign" ]; then - SIGN_TOOL="./tools/keytools/sign" -fi +. ./.config +SIGN_TOOL="./tools/keytools/sign" # SIZE is WOLFBOOT_PARTITION_SIZE - 5 SIZE=129019 diff --git a/tools/scripts/prepare_update_l5_dualbank.sh b/tools/scripts/prepare_update_l5_dualbank.sh index e7a3ef2e5..f4a1b3e1e 100755 --- a/tools/scripts/prepare_update_l5_dualbank.sh +++ b/tools/scripts/prepare_update_l5_dualbank.sh @@ -1,9 +1,9 @@ #!/bin/bash -SIGN_TOOL="python3 ./tools/keytools/sign.py" -if [ -f "./tools/keytools/sign" ]; then - SIGN_TOOL="./tools/keytools/sign" -fi +. .config +echo IMAGE_HEADER_SIZE= $IMAGE_HEADER_SIZE +echo WOLFBOOT_SECTOR_SIZE= $WOLFBOOT_SECTOR_SIZE +SIGN_TOOL="./tools/keytools/sign" # SIZE is WOLFBOOT_PARTITION_SIZE - 5 SIZE=229371 diff --git a/tools/scripts/prepare_update_u5.sh b/tools/scripts/prepare_update_u5.sh index 55090de35..29f826aea 100755 --- a/tools/scripts/prepare_update_u5.sh +++ b/tools/scripts/prepare_update_u5.sh @@ -1,9 +1,6 @@ #!/bin/bash - -SIGN_TOOL="python3 ./tools/keytools/sign.py" -if [ -f "./tools/keytools/sign" ]; then - SIGN_TOOL="./tools/keytools/sign" -fi +. .config +SIGN_TOOL="./tools/keytools/sign" # SIZE is WOLFBOOT_PARTITION_SIZE - 5 SIZE=131067 diff --git a/tools/scripts/prepare_update_u5_dualbank.sh b/tools/scripts/prepare_update_u5_dualbank.sh index e7a3ef2e5..124bc5623 100755 --- a/tools/scripts/prepare_update_u5_dualbank.sh 
+++ b/tools/scripts/prepare_update_u5_dualbank.sh @@ -1,9 +1,7 @@ #!/bin/bash -SIGN_TOOL="python3 ./tools/keytools/sign.py" -if [ -f "./tools/keytools/sign" ]; then - SIGN_TOOL="./tools/keytools/sign" -fi +. .config +SIGN_TOOL="./tools/keytools/sign" # SIZE is WOLFBOOT_PARTITION_SIZE - 5 SIZE=229371 diff --git a/tools/test-delta.mk b/tools/test-delta.mk index 729feb6a3..cd7967bd3 100644 --- a/tools/test-delta.mk +++ b/tools/test-delta.mk @@ -26,9 +26,9 @@ test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-ser @st-flash erase || st-flash erase @rm -f zero.bin @diff .config config/examples/stm32wb-delta.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-delta.config to .config to run this test\n\n" && exit 1) - $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \ + $(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \ $(PRIVATE_KEY) 7 - $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \ + $(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \ $(PRIVATE_KEY) 2 @st-flash write factory.bin 0x08000000 @echo Expecting version '1' @@ -79,7 +79,7 @@ test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash @st-flash erase || st-flash erase @rm -f zero.bin @diff .config config/examples/stm32wb-delta-ext.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-delta-ext.config to .config to run this test\n\n" && exit 1) - $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \ + $(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin test-app/image.bin \ $(PRIVATE_KEY) 7 @(tools/uart-flash-server/ufserver test-app/image_v7_signed_diff.bin $(USBTTY))& @st-flash reset 
@@ -121,7 +121,7 @@ test-delta-enc-update-ext: distclean factory.bin test-app/image.bin tools/uart-f @st-flash erase || st-flash erase @rm -f zero.bin @diff .config config/examples/stm32wb-delta-enc-ext.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-delta-enc-ext.config to .config to run this test\n\n" && exit 1) - $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin \ + $(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --delta test-app/image_v1_signed.bin \ $(ENCRYPT_STRING) --encrypt /tmp/enc_key.der \ test-app/image.bin \ $(PRIVATE_KEY) 7 diff --git a/tools/test-enc.mk b/tools/test-enc.mk index 0214417a5..7e7faff7a 100644 --- a/tools/test-enc.mk +++ b/tools/test-enc.mk @@ -24,8 +24,8 @@ tools/uart-flash-server/ufserver: FORCE test-enc-update: factory.bin test-app/image.bin tools/uart-flash-server/ufserver @diff .config config/examples/stm32wb-uart-flash-encryption.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-uart-flash-encryption.config to .config to run this test\n\n" && exit 1) @printf "0123456789abcdef0123456789abcdef0123456789ab" > /tmp/enc_key.der - @$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) - @$(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) @(tools/uart-flash-server/ufserver test-app/image_v$(ENC_TEST_UPDATE_VERSION)_signed_and_encrypted.bin $(USBTTY))& @st-flash erase @st-flash write factory.bin 0x08000000 
@@ -47,8 +47,8 @@ test-enc-update: factory.bin test-app/image.bin tools/uart-flash-server/ufserver test-enc-aes128-update: factory.bin test-app/image.bin tools/uart-flash-server/ufserver @diff .config config/examples/stm32wb-uart-flash-encryption-aes128.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-uart-flash-encryption-aes128.config to .config to run this test\n\n" && exit 1) @printf "0123456789abcdef0123456789abcdef" > /tmp/enc_key.der - @$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) - @$(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) @(tools/uart-flash-server/ufserver test-app/image_v$(ENC_TEST_UPDATE_VERSION)_signed_and_encrypted.bin $(USBTTY))& @st-flash erase @st-flash write factory.bin 0x08000000 
@@ -70,8 +70,8 @@ test-enc-aes128-update: factory.bin test-app/image.bin tools/uart-flash-server/u test-enc-aes256-update: factory.bin test-app/image.bin tools/uart-flash-server/ufserver @diff .config config/examples/stm32wb-uart-flash-encryption-aes256.config || (echo "\n\n*** Error: please copy config/examples/stm32wb-uart-flash-encryption-aes256.config to .config to run this test\n\n" && exit 1) @printf "0123456789abcdef0123456789abcdef0123456789abcdef" > /tmp/enc_key.der - @$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) - @$(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ENC_ARGS) test-app/image.bin $(PRIVATE_KEY) $(ENC_TEST_UPDATE_VERSION) @(tools/uart-flash-server/ufserver test-app/image_v$(ENC_TEST_UPDATE_VERSION)_signed_and_encrypted.bin $(USBTTY))& @st-flash erase @st-flash write factory.bin 0x08000000 diff --git a/tools/test-renode.mk b/tools/test-renode.mk index bec829698..a3b00e294 100644 --- a/tools/test-renode.mk +++ b/tools/test-renode.mk 
@@ -24,26 +24,19 @@ LMS_OPTS=LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 \ XMSS_OPTS=WOLFBOOT_XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 \ IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE=5000 -# python version only supported using -# KEYGEN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/keygen.py" -ifeq ("$(KEYGEN_TOOL)","") - ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/keygen.exe)","") - KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen.exe - else - KEYGEN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/keygen - endif +ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/keygen.exe)","") + KEYGEN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/keygen.exe +else + KEYGEN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/keygen endif -# python version only supported using -# SIGN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/sign.py" -ifeq ("$(SIGN_TOOL)","") - ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/sign.exe)","") - SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign.exe - else - SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign - endif +ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/sign.exe)","") + SIGN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/sign.exe +else + SIGN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/sign endif +SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) ifeq ($(TARGET),stm32f7) RENODE_CONFIG=tools/renode/stm32f746_wolfboot.resc @@ -140,7 +133,7 @@ renode-off: FORCE $(RENODE_UPDATE_FILE): test-app/image.bin FORCE - ${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \ + ${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \ $(TEST_UPDATE_VERSION) ${Q}dd if=/dev/zero bs=$(POFF) count=1 2>/dev/null | tr "\000" "\377" \ > $@ 
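Review bot: Within the hunks shown, `SIGN_ENV` is defined only here in test-renode.mk, yet the recipes in test.mk, test-enc.mk and test-delta.mk now depend on it, and test.mk drops the `IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE)` prefix it used to carry inside SIGN_TOOL. If any of those files is used without test-renode.mk, `$(SIGN_ENV)` expands to nothing and the sign tool silently runs without either value; defining it next to SIGN_TOOL in test.mk (or in a shared config fragment) with a comment such as `# environment passed to the sign tool; must match the target build` would make the dependency explicit. When IMAGE_HEADER_SIZE or WOLFBOOT_SECTOR_SIZE is unset in make, the prefix exports an empty string rather than leaving the variable absent, which the tool has to tolerate. The switch from the `ifeq ("$(SIGN_TOOL)","")` guard to `?=` also changes behaviour for a variable that is defined but empty, which now stays empty.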
@@ -150,7 +143,7 @@ $(RENODE_UPDATE_FILE): test-app/image.bin FORCE renode-factory: factory.bin test-app/image.bin $(RENODE_UPDATE_FILE) $(EXPVER) FORCE ${Q}rm -f $(RENODE_UART) - ${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1 + ${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1 ${Q}cp test-app/image_v1_signed.bin $(TMP)/renode-test-v1.bin ${Q}cp wolfboot.elf $(TMP)/renode-wolfboot.elf ${Q}make renode-on @@ -175,8 +168,8 @@ renode-update: factory.bin test-app/image.bin $(EXPVER) FORCE ${Q}rm -f $(RENODE_UART) ${Q}dd if=/dev/zero bs=$(POFF) count=1 2>/dev/null | tr "\000" "\377" \ > $(RENODE_UPDATE_FILE) - ${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1 - ${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \ + ${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1 + ${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \ $(TEST_UPDATE_VERSION) ${Q}dd if=test-app/image_v$(TEST_UPDATE_VERSION)_signed.bin \ of=$(RENODE_UPDATE_FILE) bs=1 conv=notrunc @@ -201,8 +194,8 @@ renode-no-downgrade: factory.bin test-app/image.bin $(EXPVER) FORCE ${Q}rm -f $(RENODE_UART) ${Q}dd if=/dev/zero bs=$(POFF) count=1 2>/dev/null | tr "\000" "\377" \ > $(RENODE_UPDATE_FILE) - ${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 7 - ${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 5 + ${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 7 + ${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 5 ${Q}dd if=test-app/image_v5_signed.bin \ of=$(RENODE_UPDATE_FILE) bs=1 conv=notrunc ${Q}printf "pBOOT" >> $(RENODE_UPDATE_FILE) 
@@ -225,8 +218,8 @@ renode-corrupted: factory.bin test-app/image.bin $(EXPVER) FORCE ${Q}rm -f $(RENODE_UART) ${Q}dd if=/dev/zero bs=$(POFF) count=1 2>/dev/null | tr "\000" "\377" \ > $(RENODE_UPDATE_FILE) - ${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1 - ${Q}$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \ + ${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) 1 + ${Q}$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) \ $(TEST_UPDATE_VERSION) ${Q}dd if=test-app/image_v$(TEST_UPDATE_VERSION)_signed.bin \ of=$(RENODE_UPDATE_FILE) bs=1 conv=notrunc diff --git a/tools/test.mk b/tools/test.mk index 8e88c93ce..1c96e1ebb 100644 --- a/tools/test.mk +++ b/tools/test.mk @@ -16,9 +16,9 @@ else endif ifneq ("$(wildcard $(WOLFBOOT_ROOT)/tools/keytools/sign.exe)","") - SIGN_TOOL=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) $(WOLFBOOT_ROOT)/tools/keytools/sign.exe + SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign.exe else - SIGN_TOOL=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) $(WOLFBOOT_ROOT)/tools/keytools/sign + SIGN_TOOL=$(WOLFBOOT_ROOT)/tools/keytools/sign endif # Make sign algorithm argument @@ -138,7 +138,7 @@ test-spi-off: FORCE test-update: test-app/image.bin FORCE @dd if=/dev/zero bs=131067 count=1 2>/dev/null $(INVERSION) > test-update.bin - @$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) @dd if=test-app/image_v$(TEST_UPDATE_VERSION)_signed.bin of=test-update.bin bs=1 conv=notrunc @printf "pBOOT" >> test-update.bin @make test-reset 
@@ -150,10 +150,10 @@ test-update: test-app/image.bin FORCE test-sim-external-flash-with-update: wolfboot.bin test-app/image.elf FORCE $(Q)cp test-app/image.elf test-app/image.bak.elf $(Q)dd if=/dev/urandom of=test-app/image.elf bs=1K count=16 oflag=append conv=notrunc - $(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1 + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1 $(Q)cp test-app/image.bak.elf test-app/image.elf $(Q)dd if=/dev/urandom of=test-app/image.elf bs=1K count=16 oflag=append conv=notrunc - $(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) # Assembling internal flash image # $(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_PARTITION_SIZE))) count=1 2>/dev/null $(INVERSION) > v1_part.dd 
@@ -168,13 +168,13 @@ test-sim-external-flash-with-enc-delta-update-extradata:DELTA_UPDATE_OPTIONS=--d test-sim-external-flash-with-enc-delta-update-extradata:SIGN_ENC_ARGS=--encrypt /tmp/enc_key.der --aes128 test-sim-external-flash-with-enc-delta-update-extradata: wolfboot.bin test-app/image.elf FORCE @printf "0123456789abcdef0123456789abcdef0123456789abcdef" > /tmp/enc_key.der - $(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1 + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1 $(Q)cp test-app/image_v1_signed.bin test-app/image_v1_signed.bak $(Q)rm -f test-app/image.elf test-app/app_sim.o $(Q)make -C test-app delta-extra-data DELTA_DATA_SIZE=$(DELTA_DATA_SIZE) $(Q)cp test-app/image_v1_signed.bak test-app/image_v1_signed.bin - $(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) - $(Q)$(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) $(SIGN_ENC_ARGS) \ + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) $(SIGN_ENC_ARGS) \ test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) $(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_PARTITION_SIZE))) count=1 2>/dev/null $(INVERSION) > v1_part.dd $(Q)dd if=test-app/image_v1_signed.bin bs=256 of=v1_part.dd conv=notrunc 
@@ -192,11 +192,11 @@ test-sim-external-flash-with-enc-update: wolfboot.bin test-app/image.elf FORCE $(Q)cp test-app/image.elf test-app/image.bak.elf $(Q)dd if=/dev/urandom of=test-app/image.elf bs=1k count=16 oflag=append conv=notrunc @printf "0123456789abcdef0123456789abcdef0123456789abcdef" > /tmp/enc_key.der - $(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) 1 + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) 1 $(Q)cp test-app/image.bak.elf test-app/image.elf $(Q)dd if=/dev/urandom of=test-app/image.elf bs=1k count=16 oflag=append conv=notrunc - $(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) - $(Q)$(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) $(SIGN_ENC_ARGS) \ + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) $(SIGN_ENC_ARGS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) $(SIGN_ENC_ARGS) \ test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) # Assembling internal flash image # 
@@ -217,12 +217,12 @@ test-sim-external-flash-with-enc-delta-update: test-sim-internal-flash-with-update: wolfboot.bin test-app/image.elf FORCE $(Q)cp test-app/image.elf test-app/image.bak.elf $(Q)dd if=/dev/urandom of=test-app/image.elf bs=1k count=16 oflag=append conv=notrunc - $(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1 + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) 1 $(Q)cp test-app/image.bak.elf test-app/image.elf $(Q)dd if=/dev/urandom of=test-app/image.elf bs=1k count=16 oflag=append conv=notrunc - $(Q)$(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_OPTIONS) test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) $(Q)dd if=/dev/zero bs=$$(($(WOLFBOOT_SECTOR_SIZE))) count=1 2>/dev/null $(INVERSION) > erased_sec.dd - $(Q)$(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) \ + $(Q)$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) $(DELTA_UPDATE_OPTIONS) \ test-app/image.elf $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) $(Q)$(BINASSEMBLE) internal_flash.dd \ 0 wolfboot.bin \ 
@@ -268,12 +268,12 @@ test-sim-rollback-flash: wolfboot.elf test-sim-internal-flash-with-update FORCE test-self-update: FORCE @mv $(PRIVATE_KEY) private_key.old @make clean factory.bin RAM_CODE=1 WOLFBOOT_VERSION=1 SIGN=$(SIGN) - @$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) @st-flash --reset write test-app/image_v2_signed.bin 0x08020000 || \ (make test-reset && sleep 1 && st-flash --reset write test-app/image_v2_signed.bin 0x08020000) || \ (make test-reset && sleep 1 && st-flash --reset write test-app/image_v2_signed.bin 0x08020000) @dd if=/dev/zero bs=131067 count=1 2>/dev/null $(INVERSION) > test-self-update.bin - @$(SIGN_TOOL) $(SIGN_ARGS) --wolfboot-update wolfboot.bin private_key.old $(WOLFBOOT_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) --wolfboot-update wolfboot.bin private_key.old $(WOLFBOOT_VERSION) @dd if=wolfboot_v$(WOLFBOOT_VERSION)_signed.bin of=test-self-update.bin bs=1 conv=notrunc @printf "pBOOT" >> test-self-update.bin @st-flash --reset write test-self-update.bin 0x08040000 || \ @@ -281,7 +281,7 @@ test-self-update: FORCE (make test-reset && sleep 1 && st-flash --reset write test-self-update.bin 0x08040000) test-update-ext: test-app/image.bin FORCE - @$(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) + @$(SIGN_ENV) $(SIGN_TOOL) $(SIGN_ARGS) test-app/image.bin $(PRIVATE_KEY) $(TEST_UPDATE_VERSION) @(dd if=/dev/zero bs=1M count=1 | tr '\000' '\377' > test-update.rom) @dd if=test-app/image_v$(TEST_UPDATE_VERSION)_signed.bin of=test-update.rom bs=1 count=524283 conv=notrunc @printf "pBOOT" | dd of=test-update.rom obs=1 seek=524283 count=5 conv=notrunc From 4007d14ef068cf068a16fbca061abae34808b707 Mon Sep 17 00:00:00 2001 
From: Daniele Lacamera Date: Tue, 26 Nov 2024 13:19:35 +0100 Subject: [PATCH 07/29] Added dep to target.h on tpmtools --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index dd7b3694c..14cb9d431 100644 --- a/Makefile +++ b/Makefile @@ -226,12 +226,12 @@ keytools: @$(MAKE) -C tools/keytools -s clean @$(MAKE) -C tools/keytools -j -tpmtools: keys +tpmtools: include/target.h keys @echo "Building TPM tools" @$(MAKE) -C tools/tpm -s clean @$(MAKE) -C tools/tpm -j -swtpmtools: +swtpmtools: include/target.h @echo "Building TPM tools" @$(MAKE) -C tools/tpm -s clean @$(MAKE) -C tools/tpm -j swtpm From 10cdc5408a1294f3a78af5c2253dc6ef693e6dc3 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Thu, 28 Nov 2024 11:06:16 +0100 Subject: [PATCH 08/29] Add env variable to unit test --- tools/unit-tests/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/unit-tests/Makefile b/tools/unit-tests/Makefile index 681e2f1e6..498088828 100644 --- a/tools/unit-tests/Makefile +++ b/tools/unit-tests/Makefile @@ -35,7 +35,7 @@ cov: run: $(TESTS) for unit in $(TESTS); do \ - ./$$unit || exit 1; \ + WOLFBOOT_SECTOR_SIZE=0x400 ./$$unit || exit 1; \ done From b6d3d4a66624fd2a451b0624ea5e3c0fcacbf778 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Thu, 28 Nov 2024 11:18:19 +0100 Subject: [PATCH 09/29] Renode test: add V=1 --- .github/workflows/test-renode-nrf52.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-renode-nrf52.yml b/.github/workflows/test-renode-nrf52.yml index c3c88086c..8207fc480 100644 --- a/.github/workflows/test-renode-nrf52.yml +++ b/.github/workflows/test-renode-nrf52.yml 
@@ -23,12 +23,12 @@ jobs: # SIGN=NONE TEST - name: Renode Tests SIGN=NONE - run: ./tools/renode/docker-test.sh "SIGN=NONE" + run: ./tools/renode/docker-test.sh "SIGN=NONE V=1" # ECC256 TEST - name: Renode Tests ECC256 - run: ./tools/renode/docker-test.sh "SIGN=ECC256" + run: ./tools/renode/docker-test.sh "SIGN=ECC256 V=1" # ECC384 TEST - name: Renode Tests ECC384 From a31ddfc5533658eed5763ddf43e45aa27c044831 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Thu, 28 Nov 2024 11:28:31 +0100 Subject: [PATCH 10/29] Fixed include order --- test-app/app_imx_rt.c | 2 +- test-app/app_nrf52.c | 2 +- test-app/app_stm32f7.c | 2 +- test-app/app_stm32l0.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test-app/app_imx_rt.c b/test-app/app_imx_rt.c index 317826d43..120aa16cc 100644 --- a/test-app/app_imx_rt.c +++ b/test-app/app_imx_rt.c @@ -17,6 +17,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#include "target.h" #include "wolfboot/wolfboot.h" #include #include "fsl_common.h" @@ -24,7 +25,6 @@ #include "fsl_debug_console.h" #include "fsl_gpio.h" #include "fsl_iomuxc.h" -#include "target.h" static int g_pinSet = false; extern void imx_rt_init_boot_clock(void); diff --git a/test-app/app_nrf52.c b/test-app/app_nrf52.c index 593a7e9ee..d910cf3f7 100644 --- a/test-app/app_nrf52.c +++ b/test-app/app_nrf52.c @@ -22,10 +22,10 @@ #include #include #include +#include "target.h" #include "wolfboot/wolfboot.h" #include "hal/nrf52.h" #include "printf.h" -#include "target.h" static const char extradata[1024 * 16] = "hi!"; diff --git a/test-app/app_stm32f7.c b/test-app/app_stm32f7.c index 842629738..44ae204b9 100644 --- a/test-app/app_stm32f7.c +++ b/test-app/app_stm32f7.c @@ -25,9 +25,9 @@ #include #include #include "system.h" +#include "target.h" #include "wolfboot/wolfboot.h" #include "hal.h" -#include "target.h" /* UART module */ 
diff --git a/test-app/app_stm32l0.c b/test-app/app_stm32l0.c index b4cfe8d71..1697eb614 100644 --- a/test-app/app_stm32l0.c +++ b/test-app/app_stm32l0.c @@ -25,11 +25,11 @@ #include #include #include "led.h" +#include "target.h" #include "wolfboot/wolfboot.h" #ifdef SPI_FLASH #include "spi_flash.h" #endif -#include "target.h" #ifdef TARGET_stm32l0 From d3935774d9f32110d2b36bc4a26fbf61e5b6a866 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 2 Dec 2024 12:03:32 +0100 Subject: [PATCH 11/29] Fix header size in hybrid mode --- tools/keytools/sign.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index 2d6a29814..32ffc7e88 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -364,7 +364,7 @@ static uint16_t sign_tool_find_header(uint8_t *haystack, uint16_t type, uint8_t } static int load_key_ecc(int sign_type, uint32_t curve_sz, int curve_id, - int header_sz, + uint32_t header_sz, uint8_t **key_buffer, uint32_t *key_buffer_sz, uint8_t **pubkey, uint32_t *pubkey_sz, int secondary) { @@ -449,7 +449,8 @@ static int load_key_ecc(int sign_type, uint32_t curve_sz, int curve_id, free(*pubkey); if (ret == 0 || CMD.sign != SIGN_AUTO) { - CMD.header_sz = header_sz; + if (CMD.header_sz < header_sz) + CMD.header_sz = header_sz; if (secondary) { CMD.secondary_sign = sign_type; CMD.secondary_signature_sz = (curve_sz * 2); @@ -464,7 +465,7 @@ static int load_key_ecc(int sign_type, uint32_t curve_sz, int curve_id, } static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz, - int header_sz, + uint32_t header_sz, uint8_t **key_buffer, uint32_t *key_buffer_sz, uint8_t **pubkey, uint32_t *pubkey_sz, int secondary) { 
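Review bot: The new `if (CMD.header_sz < header_sz)` in load_key_ecc has no comment explaining why the header size may now only grow, and it is written without braces although other new code in this file braces single statements (`if (!dest) {` in base_diff). A one-line comment above it, such as `/* hybrid mode: keep the larger of the primary and secondary header sizes */`, would record the intent stated in the commit subject. The same pattern is repeated in the load_key_rsa and set_signature_sizes hunks that follow, and would benefit from the same comment and braces. load_key_ecc starts and ends outside these hunks, so the initial value of `CMD.header_sz` is not visible here.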
@@ -523,7 +524,8 @@ static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz } if (ret == 0 || CMD.sign != SIGN_AUTO) { - CMD.header_sz = header_sz; + if (CMD.header_sz < header_sz) + CMD.header_sz = header_sz; if (CMD.policy_sign) { CMD.header_sz += 512; } @@ -2193,7 +2195,8 @@ static void set_signature_sizes(int secondary) DEBUG_PRINT("info: LMS signature size: %d\n", sig_sz); - CMD.header_sz = 2 * sig_sz; + if (CMD.header_sz < 2 * sig_sz) + CMD.header_sz = 2 * sig_sz; *sz = sig_sz; } #endif /* WOLFSSL_HAVE_LMS */ @@ -2226,14 +2229,15 @@ static void set_signature_sizes(int secondary) DEBUG_PRINT("info: XMSS signature size: %d\n", sig_sz); - CMD.header_sz = 2 * sig_sz; + if (CMD.header_sz < 2 * sig_sz) + CMD.header_sz = 2 * sig_sz; *sz = sig_sz; } #endif /* WOLFSSL_HAVE_XMSS */ #ifdef WOLFSSL_WC_DILITHIUM else if (*sign == SIGN_ML_DSA) { int ml_dsa_ret = 0; - int sig_sz = 0; + uint32_t sig_sz = 0; ml_dsa_ret = wc_MlDsaKey_Init(&key.ml_dsa, NULL, INVALID_DEVID); if (ml_dsa_ret != 0) { @@ -2250,7 +2254,7 @@ static void set_signature_sizes(int secondary) printf("info: using ML-DSA parameters: %d\n", ML_DSA_LEVEL); - ml_dsa_ret = wc_MlDsaKey_GetSigLen(&key.ml_dsa, &sig_sz); + ml_dsa_ret = wc_MlDsaKey_GetSigLen(&key.ml_dsa, (int *)&sig_sz); if (ml_dsa_ret != 0) { fprintf(stderr, "error: wc_MlDsaKey_GetSigLen returned %d\n", ml_dsa_ret); @@ -2259,7 +2263,8 @@ static void set_signature_sizes(int secondary) DEBUG_PRINT("info: ML-DSA signature size: %d\n", sig_sz); - CMD.header_sz = 2 * sig_sz; + if (CMD.header_sz < 2 * sig_sz) + CMD.header_sz = 2 * sig_sz; *sz = sig_sz; } #endif /* WOLFSSL_WC_DILITHIUM */ From b0e3000d88fbc800e90115c6a8a427f7c73664ac Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 2 Dec 2024 12:19:10 +0100 Subject: [PATCH 12/29] Added libwolfboot to nrf53 app build --- test-app/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/test-app/Makefile b/test-app/Makefile index 234566bc7..064625c43 100644 
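Review bot: In the ML-DSA branch of set_signature_sizes, `sig_sz` becomes `uint32_t` and is then handed to `wc_MlDsaKey_GetSigLen` through an `(int *)` cast, which silences the type mismatch instead of resolving it. Only the return code is checked, so a negative length would be read as a very large unsigned value and wrap in `2 * sig_sz`; the `%d` in the DEBUG_PRINT also no longer matches the argument type. Keeping an `int` for the call and converting after validation avoids the cast: `int len = 0;`, `ml_dsa_ret = wc_MlDsaKey_GetSigLen(&key.ml_dsa, &len);`, then `if (ml_dsa_ret == 0 && len > 0) sig_sz = (uint32_t)len;` with the existing error path for every other case. The declaration and the call sit in two separate hunks, and the function body continues outside both.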
--- a/test-app/Makefile +++ b/test-app/Makefile @@ -215,6 +215,7 @@ ifeq ($(TARGET),stm32u5) endif ifeq ($(TARGET),nrf5340_net) + APP_OBJS:=app_$(TARGET).o ../test-app/libwolfboot.o LSCRIPT_TEMPLATE=ARM-nrf5340_net.ld endif From 137a97fbae8c2763f2f8c5ad0bfa89a24db97ffe Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 2 Dec 2024 12:27:27 +0100 Subject: [PATCH 13/29] Correct include order in nrf53 test app --- test-app/app_nrf5340.c | 2 +- test-app/app_nrf5340_net.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test-app/app_nrf5340.c b/test-app/app_nrf5340.c index f4459c4a3..8eadf9151 100644 --- a/test-app/app_nrf5340.c +++ b/test-app/app_nrf5340.c @@ -22,10 +22,10 @@ #include #include #include +#include "target.h" #include "wolfboot/wolfboot.h" #include "hal/nrf5340.h" #include "printf.h" -#include "target.h" void gpiotoggle(uint32_t port, uint32_t pin) { diff --git a/test-app/app_nrf5340_net.c b/test-app/app_nrf5340_net.c index f79ef83a3..8cf30b533 100644 --- a/test-app/app_nrf5340_net.c +++ b/test-app/app_nrf5340_net.c @@ -22,10 +22,10 @@ #include #include #include +#include "target.h" #include "wolfboot/wolfboot.h" #include "hal/nrf5340.h" #include "printf.h" -#include "target.h" void gpiotoggle(uint32_t port, uint32_t pin) { From 05d0e92ecf5715f406fd05865e44564635f9dfea Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 2 Dec 2024 14:07:43 +0100 Subject: [PATCH 14/29] Removed forced inflation of header size in `sign` --- tools/keytools/sign.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index 32ffc7e88..a8f2cd5d6 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c 
@@ -481,12 +481,6 @@ static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz if (*pubkey_sz <= rsa_pubkeysz) { CMD.header_sz = header_sz; - if (CMD.policy_sign) { - CMD.header_sz += 512; - } - else if (sign_type == SIGN_RSA3072 && CMD.hash_algo != HASH_SHA256) { - CMD.header_sz += 512; - } if (secondary) { CMD.secondary_signature_sz = rsa_keysz; CMD.secondary_sign = sign_type; @@ -526,12 +520,6 @@ static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz if (ret == 0 || CMD.sign != SIGN_AUTO) { if (CMD.header_sz < header_sz) CMD.header_sz = header_sz; - if (CMD.policy_sign) { - CMD.header_sz += 512; - } - else if (sign_type == SIGN_RSA3072 && CMD.hash_algo != HASH_SHA256) { - CMD.header_sz += 512; - } if (secondary) { CMD.secondary_sign = sign_type; CMD.secondary_signature_sz = keySzOut; From b2bf2988d35477e13e1607b114df17669d748d5b Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 2 Dec 2024 14:19:01 +0100 Subject: [PATCH 15/29] Shorten tests by not re-building keytools --- .../workflows/test-powerfail-simulator.yml | 74 ++++--------------- 1 file changed, 13 insertions(+), 61 deletions(-) diff --git a/.github/workflows/test-powerfail-simulator.yml b/.github/workflows/test-powerfail-simulator.yml index 3892dc19f..1d99a3ba7 100644 --- a/.github/workflows/test-powerfail-simulator.yml +++ b/.github/workflows/test-powerfail-simulator.yml @@ -17,7 +17,7 @@ jobs: - name: make clean run: | - make distclean + make keysclean - name: Select config run: | @@ -63,16 +63,12 @@ jobs: # TEST with NVM_FLASH_WRITEONCE enabled - name: make clean run: | - make distclean + make keysclean - name: Select config with NVM_FLASH_WRITEONCE run: | cp config/examples/sim-nvm-writeonce.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-internal-flash-with-update 
@@ -109,16 +105,12 @@ jobs: # TEST with NVM_FLASH_WRITEONCE AND FLAGS_HOME enabled - name: make clean run: | - make distclean + make keysclean - name: Select config with NVM_FLASH_WRITEONCE and FLAGS_HOME run: | cp config/examples/sim-nvm-writeonce-flags-home.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-internal-flash-with-update @@ -155,16 +147,12 @@ jobs: # TEST with NVM_FLASH_WRITEONCE AND FLAGS_HOME AND FLAGS_INVERT enabled - name: make clean run: | - make distclean + make keysclean - name: Select config with NVM_FLASH_WRITEONCE and FLAGS_HOME and FLAGS_INVERT run: | cp config/examples/sim-nvm-writeonce-flags-home-invert.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-external-flash-with-update @@ -201,16 +189,12 @@ jobs: # TEST with DELTA updates - name: make clean run: | - make distclean + make keysclean - name: Select config with DELTA updates run: | cp config/examples/sim-delta-update.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-internal-flash-with-delta-update @@ -254,16 +238,12 @@ jobs: # TEST with encryption (aes128) - name: make clean run: | - make distclean + make keysclean - name: Select config with encrypted updates run: | cp config/examples/sim-encrypt-update.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-external-flash-with-enc-update 
@@ -299,15 +279,11 @@ jobs: # TEST with encryption (aes128) and delta updates - name: make clean run: | - make distclean + make keysclean - name: Select config with encrypted updates run: | cp config/examples/sim-encrypt-delta-update.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-external-flash-with-enc-delta-update @@ -336,16 +312,12 @@ jobs: # TEST with encryption (aes128) and NVM_FLASH_WRITEONCE - name: make clean run: | - make distclean + make keysclean - name: Select config with encrypted updates run: | cp config/examples/sim-encrypt-nvm-writeonce-update.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-external-flash-with-enc-update @@ -463,15 +435,11 @@ jobs: # TEST with encryption (aes128) and NVM_FLASH_WRITEONCE and DELTA updates - name: make clean run: | - make distclean + make keysclean - name: Select config with encrypted updates run: | cp config/examples/sim-encrypt-delta-nvm-writeonce-update.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-external-flash-with-enc-delta-update @@ -499,15 +467,11 @@ jobs: # TEST with backup disabled - name: make clean run: | - make distclean + make keysclean - name: Select config with backup disabled run: | cp config/examples/sim-nobackup.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-internal-flash-with-update 
@@ -527,15 +491,11 @@ jobs: # TEST with backup disabled + NVM_FLASH_WRITEONCE - name: make clean run: | - make distclean + make keysclean - name: Select config with backup disabled + NVM WRITEONCE run: | cp config/examples/sim-nobackup-nvm-writeonce.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-internal-flash-with-update @@ -555,15 +515,11 @@ jobs: # TEST with backup disabled + FLAGS_HOME - name: make clean run: | - make distclean + make keysclean - name: Select config with backup disabled + FLAGS_HOME run: | cp config/examples/sim-nobackup-flags-home.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf run: | make clean && make test-sim-internal-flash-with-update @@ -584,16 +540,12 @@ jobs: # TEST with FLASH_MULTI_SECTOR_ERASE - name: make clean run: | - make distclean + make keysclean - name: Select config run: | cp config/examples/sim.config .config - - name: Build tools - run: | - make -C tools/keytools && make -C tools/bin-assemble - - name: Build wolfboot.elf (FLASH_MULTI_SECTOR_ERASE=1) run: | make clean && make test-sim-internal-flash-with-update FLASH_MULTI_SECTOR_ERASE=1 From 04d2ecd24611cf061463c7572d1203bf6d2d9121 Mon Sep 17 00:00:00 2001 
From: Daniele Lacamera Date: Mon, 2 Dec 2024 18:55:32 +0100 Subject: [PATCH 16/29] Remove dependency from PQC parameters. Speed up tests. --- .github/workflows/footprint.yml | 4 +- .github/workflows/test-build-sim-tpm.yml | 4 +- .github/workflows/test-sunnyday-simulator.yml | 50 ++++----- Makefile | 5 +- include/wolfboot/wolfboot.h | 10 +- test-app/app_stm32f4.c | 2 + tools/keytools/Makefile | 100 ++++-------------- tools/keytools/keygen.c | 10 +- tools/keytools/sign.c | 15 +-- tools/scripts/renode-test-update.sh | 4 +- tools/scripts/sim-pq-sunnyday-update.sh | 2 +- tools/test-delta.mk | 6 +- 12 files changed, 72 insertions(+), 140 deletions(-) diff --git a/.github/workflows/footprint.yml b/.github/workflows/footprint.yml index 333377fc8..096c2d1e9 100644 --- a/.github/workflows/footprint.yml +++ b/.github/workflows/footprint.yml @@ -22,7 +22,7 @@ jobs: - name: make clean run: | - make keysclean && make -C tools/keytools clean && rm -f include/target.h + make keysclean && rm -f include/target.h - name: Install wolfSSL run: | @@ -34,7 +34,7 @@ jobs: - name: Build key tools run: | - make -C tools/keytools + make keytools - name: Build wolfboot and test footprint run: | diff --git a/.github/workflows/test-build-sim-tpm.yml b/.github/workflows/test-build-sim-tpm.yml index 786e2f0f0..7a48dc33f 100644 --- a/.github/workflows/test-build-sim-tpm.yml +++ b/.github/workflows/test-build-sim-tpm.yml @@ -44,9 +44,9 @@ jobs: with: submodules: true - - name: make distclean + - name: make keysclean run: | - make distclean + make keysclean - name: Select config run: | diff --git a/.github/workflows/test-sunnyday-simulator.yml b/.github/workflows/test-sunnyday-simulator.yml index 133999ae7..a391f9864 100644 --- a/.github/workflows/test-sunnyday-simulator.yml +++ b/.github/workflows/test-sunnyday-simulator.yml @@ -29,7 +29,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (32 bit simulator) run: | 
@@ -57,7 +57,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC384) run: | @@ -77,7 +77,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC521) run: | @@ -97,7 +97,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA2048) run: | @@ -117,7 +117,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA3072) run: | @@ -137,7 +137,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA4096) run: | @@ -159,7 +159,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (32 bit simulator) run: | @@ -187,7 +187,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC384, FASTMATH) run: | @@ -207,7 +207,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC521, FASTMATH) run: | @@ -227,7 +227,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA2048, FASTMATH) run: | 
@@ -247,7 +247,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA3072, FASTMATH) run: | @@ -267,7 +267,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA4096, FASTMATH) run: | @@ -290,7 +290,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (64 bit simulator) run: | @@ -318,7 +318,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC384) run: | @@ -338,7 +338,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC521) run: | @@ -358,7 +358,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA2048) run: | @@ -378,7 +378,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA3072) run: | @@ -398,7 +398,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA4096) run: | @@ -420,7 +420,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (64 bit simulator) run: | @@ -448,7 +448,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC384, FASTMATH) run: | 
@@ -468,7 +468,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (ECC521, FASTMATH) run: | @@ -488,7 +488,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA2048, FASTMATH) run: | @@ -508,7 +508,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA3072, FASTMATH) run: | @@ -528,7 +528,7 @@ jobs: - name: Cleanup to change key type run: | - make -C tools/keytools clean && make keysclean && make -C tools/keytools + make keysclean - name: Build wolfboot.elf (RSA4096, FASTMATH) run: | @@ -562,7 +562,7 @@ jobs: # - name: make clean run: | - make distclean + make keysclean - name: Select config (64 bit simulator) Hybrid ML_DSA + ECC run: | diff --git a/Makefile b/Makefile index 14cb9d431..33ede26e5 100644 --- a/Makefile +++ b/Makefile @@ -204,7 +204,7 @@ include tools/test-renode.mk hal/$(TARGET).o: -keytools_check: keytools FORCE +keytools_check: keytools $(PRIVATE_KEY): $(Q)$(MAKE) keytools_check @@ -223,7 +223,6 @@ $(SECONDARY_PRIVATE_KEY): $(PRIVATE_KEY) keystore.der keytools: @echo "Building key tools" - @$(MAKE) -C tools/keytools -s clean @$(MAKE) -C tools/keytools -j tpmtools: include/target.h keys 
@@ -281,7 +280,7 @@ wolfboot_stage1.bin: wolfboot.elf stage1/loader_stage1.bin wolfboot.elf: include/target.h $(LSCRIPT) $(OBJS) $(BINASSEMBLE) FORCE $(Q)(test $(SIGN) = NONE) || (test $(FLASH_OTP_KEYSTORE) = 1) || (grep -q $(SIGN_ALG) src/keystore.c) || \ - (echo "Key mismatch: please run 'make distclean' to remove all keys if you want to change algorithm" && false) + (echo "Key mismatch: please run 'make keysclean' to remove all keys if you want to change algorithm" && false) @echo "\t[LD] $@" @echo $(OBJS) $(Q)$(LD) $(LDFLAGS) $(LSCRIPT_FLAGS) $(SECURE_LDFLAGS) $(LD_START_GROUP) $(OBJS) $(LIBS) $(LD_END_GROUP) -o $@ diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 44c8bba98..6d44e9e94 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h @@ -145,10 +145,14 @@ extern "C" { #define KEYSTORE_PUBKEY_SIZE_ML_DSA 1952 #elif ML_DSA_LEVEL == 5 #define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 - #else - #error "Invalid ML_DSA_LEVEL!" #endif -#endif /* ML_DSA_LEVEL */ +#else + #ifdef SIGN_ML_DSA + #error "ML_DSA_LEVEL not defined" + #endif + /* Default to max size for keystore */ + #define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 +#endif /* defined ML_DSA_LEVEL */ /* Mask for key permissions */ #define KEY_VERIFY_ALL (0xFFFFFFFFU) diff --git a/test-app/app_stm32f4.c b/test-app/app_stm32f4.c index c8f1db89a..7097f1ccb 100644 --- a/test-app/app_stm32f4.c +++ b/test-app/app_stm32f4.c @@ -78,6 +78,8 @@ static const char UPDATE='U'; static const char ACK='#'; static uint8_t msg[MSGSIZE]; +extern void flash_set_waitstates(void); + #ifdef WOLFBOOT_NO_SIGN diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile index 00b0c5ee7..d1c387b5a 100644 --- a/tools/keytools/Makefile +++ b/tools/keytools/Makefile 
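Review bot: Dropping the `#else` / `#error "Invalid ML_DSA_LEVEL!"` arm in include/wolfboot/wolfboot.h leaves KEYSTORE_PUBKEY_SIZE_ML_DSA undefined when ML_DSA_LEVEL is defined but is not one of the handled values. The mistake then surfaces later as an undeclared identifier at the point of use rather than at this check. Restoring `#else` / `#error "Invalid ML_DSA_LEVEL!"` before the inner `#endif` is compatible with the new default-to-max behaviour for the undefined case. The new guard tests `SIGN_ML_DSA`, while the keytools Makefile on this page defines `WOLFBOOT_SIGN_ML_DSA`; it is worth confirming which macro the bootloader build sets, otherwise the "ML_DSA_LEVEL not defined" error may never fire. The `#if` chain starts above the hunk.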
@@ -17,49 +17,27 @@ LDFLAGS = OBJDIR = ./ LIBS = -# Common to wc_lms and ext_lms. -ifneq (,$(filter $(SIGN), LMS ext_LMS)) - CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \ - -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \ - -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)" -endif - -# Specific to ext_lms. -ifeq ($(SIGN),ext_LMS) - LMSDIR = $(WOLFBOOTDIR)/lib/hash-sigs - LIBS += $(LMSDIR)/lib/hss_lib.a - CFLAGS +=-DHAVE_LIBLMS -I$(LMSDIR)/src -endif +ML_DSA_LEVEL?=2 -# Specific to wc_lms. -ifeq ($(SIGN),LMS) - CFLAGS +=-DWOLFSSL_WC_LMS -endif +LMS_LEVELS?=1 +LMS_HEIGHT?=10 +LMS_WINTERNITZ?=8 +XMSS_PARAMS?='XMSS-SHA2_10_256' -# Common to wc_xmss and ext_xmss. -ifneq (,$(filter $(SIGN), XMSS ext_XMSS)) - $(info xmss params: $(XMSS_PARAMS)) - CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \ - -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ - -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\" -endif +# Common to wc_lms and ext_lms. +CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \ + -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \ + -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)" -# Specific to ext_xmss. -ifeq ($(SIGN),ext_XMSS) - XMSSDIR = $(WOLFBOOTDIR)/lib/xmss - CFLAGS +=-DHAVE_LIBXMSS -I$(XMSSDIR) -endif -# Specific to wc_xmss. -ifeq ($(SIGN),XMSS) - CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32" -endif +# LMS flags +CFLAGS +=-DWOLFSSL_WC_LMS -# Only needed if using 3rd party integration. This can be -# removed if ext_lms and ext_xmss are deprecated. -ifneq (,$(filter $(SIGN), ext_LMS ext_XMSS)) - CFLAGS +=-DWOLFSSL_EXPERIMENTAL_SETTINGS -endif +# XMSS flags +CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \ + -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ + -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\" +CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32" # When WOLFBOOT_UNIVERSAL_KEYSTORE is defined, pad store_sizes in keystore.der ifeq ($(WOLFBOOT_UNIVERSAL_KEYSTORE),1) 
@@ -124,56 +102,24 @@ OBJS_REAL=\ OBJS_REAL+=\ $(WOLFBOOTDIR)/src/delta.o -# Add wolfcrypt lms implementation. -ifeq ($(SIGN),LMS) OBJS_REAL+=\ $(WOLFDIR)/wolfcrypt/src/wc_lms.o \ $(WOLFDIR)/wolfcrypt/src/wc_lms_impl.o -endif -# Add external lms integration. -ifeq ($(SIGN),ext_LMS) -OBJS_REAL+= $(WOLFDIR)/wolfcrypt/src/ext_lms.o -endif - -# Add wolfcrypt xmss implementation. -ifeq ($(SIGN),XMSS) OBJS_REAL+=\ $(WOLFDIR)/wolfcrypt/src/wc_xmss.o \ $(WOLFDIR)/wolfcrypt/src/wc_xmss_impl.o -endif - -# Add external xmss integration. -ifeq ($(SIGN),ext_XMSS) -OBJS_REAL+=\ - $(WOLFDIR)/wolfcrypt/src/ext_xmss.o \ - $(XMSSDIR)/params.o \ - $(XMSSDIR)/thash.o \ - $(XMSSDIR)/hash_address.o \ - $(XMSSDIR)/wots.o \ - $(XMSSDIR)/xmss.o \ - $(XMSSDIR)/xmss_core_fast.o \ - $(XMSSDIR)/xmss_commons.o \ - $(XMSSDIR)/utils.o -endif - -# Add wolfcrypt ML-DSA (dilithium) implementation. -ifeq ($(SIGN),ML_DSA) - OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o +OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o - CFLAGS += -D"WOLFBOOT_SIGN_ML_DSA" \ +CFLAGS += -D"WOLFBOOT_SIGN_ML_DSA" \ -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ -D"ML_DSA_LEVEL"=$(ML_DSA_LEVEL) -endif OBJS_VIRT=$(addprefix $(OBJDIR), $(notdir $(OBJS_REAL))) vpath %.c $(WOLFDIR)/wolfcrypt/src/ vpath %.c $(WOLFBOOTDIR)/src/ vpath %.c ./ - -ifeq ($(SIGN),ext_XMSS) - vpath %.c $(XMSSDIR)/ -endif +vpath %.c $(XMSSDIR)/ .PHONY: clean all @@ -205,11 +151,3 @@ keygen: $(OBJS_VIRT) $(LIBS) keygen.o clean: rm -f sign keygen *.o -# The final make clean is to ensure a subsequent LMS wolfboot -# hash-sigs build is separate from keytools. -$(LMSDIR)/lib/hss_lib.a: - @echo "Building hss_lib.a" - $(Q)@$(MAKE) -C $(LMSDIR)/src/ -s clean - $(Q)@$(MAKE) -C $(LMSDIR)/src/ hss_lib.a - $(Q)cp $(LMSDIR)/src/hss_lib.a $(LMSDIR)/lib/ - $(Q)@$(MAKE) -C $(LMSDIR)/src/ -s clean diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index 02564b1fc..b517fdcef 100644 --- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c 
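Review bot: `vpath %.c $(XMSSDIR)/` is now unconditional, but the only assignment of XMSSDIR visible in this commit (`XMSSDIR = $(WOLFBOOTDIR)/lib/xmss` under `ifeq ($(SIGN),ext_XMSS)`) is removed in the previous hunk. Unless the variable is set elsewhere, the line expands to `vpath %.c /` and make will search the filesystem root for sources. Since the ext_XMSS objects are no longer built, the line can simply be deleted.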
@@ -123,14 +123,8 @@ static int exportPubKey = 0; static WC_RNG rng; static int noLocalKeys = 0; -#ifndef KEYSLOT_MAX_PUBKEY_SIZE - #if defined(KEYSTORE_PUBKEY_SIZE_ML_DSA) - /* ML-DSA pub keys are big. */ - #define KEYSLOT_MAX_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ML_DSA - #else - #define KEYSLOT_MAX_PUBKEY_SIZE 576 - #endif -#endif +/* ML-DSA pub keys are big. */ +#define KEYSLOT_MAX_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ML_DSA struct keystore_slot { uint32_t slot_id; diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index a8f2cd5d6..770a7ff74 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -541,13 +541,8 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, uint32_t idx = 0; int io_sz; FILE *f; -#if defined(WOLFSSL_HAVE_XMSS) word32 priv_sz = 0; -#endif -#if defined(WOLFSSL_WC_DILITHIUM) - int priv_sz = 0; - int pub_sz = 0; -#endif + word32 pub_sz = 0; int sign = CMD.sign; const char *key_file = CMD.key_file; @@ -843,7 +838,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, #ifdef WOLFSSL_WC_DILITHIUM FALL_THROUGH; /* we didn't solve the key, keep trying */ case SIGN_ML_DSA: - ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, &pub_sz); + ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, (int *)&pub_sz); if (ret != 0 || pub_sz <= 0) { printf("error: wc_MlDsaKey_GetPubLen returned %d\n", ret); @@ -852,7 +847,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, /* Get the ML-DSA private key length. This API returns * the public + private length. */ - ret = wc_MlDsaKey_GetPrivLen(&key.ml_dsa, &priv_sz); + ret = wc_MlDsaKey_GetPrivLen(&key.ml_dsa, (int*)&priv_sz); if (ret != 0 || priv_sz <= 0) { printf("error: wc_MlDsaKey_GetPrivLen returned %d\n", ret); 
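Review bot: KEYSLOT_MAX_PUBKEY_SIZE in keygen.c is now always KEYSTORE_PUBKEY_SIZE_ML_DSA, and with the `#ifndef KEYSLOT_MAX_PUBKEY_SIZE` guard removed, a value supplied with `-D` would collide with this definition instead of overriding it. The keytools Makefile in this commit passes `-D"ML_DSA_LEVEL"=$(ML_DSA_LEVEL)` with a default of 2, so the slot is sized for that level rather than for the 2592-byte maximum that wolfboot.h uses when the level is undefined. If keygen is meant to handle any ML-DSA level at run time, size the slot for the largest one and keep the guard: `#ifndef KEYSLOT_MAX_PUBKEY_SIZE`, `#define KEYSLOT_MAX_PUBKEY_SIZE 2592`, `#endif`, with a comment naming ML-DSA level 5 as the source of the number.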
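Review bot: With `pub_sz` and `priv_sz` now `word32` in load_key, the checks `pub_sz <= 0` and `priv_sz <= 0` after wc_MlDsaKey_GetPubLen and wc_MlDsaKey_GetPrivLen can only catch zero; a negative length written through the `(int *)` cast would pass as a large unsigned value. The later comparison `*key_buffer_sz == (priv_sz + pub_sz)` then adds two values that were never range-checked. Reading into a local `int`, rejecting `<= 0`, and assigning to the `word32` afterwards keeps the original check meaningful, e.g. `int len = 0; ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, &len); if (ret != 0 || len <= 0) { ... } pub_sz = (word32)len;`. The two DEBUG_PRINT calls still use `%d` for these values. The body of load_key starts and ends outside these hunks.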
@@ -871,7 +866,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, DEBUG_PRINT("info: ml-dsa priv len: %d\n", priv_sz); DEBUG_PRINT("info: ml-dsa pub len: %d\n", pub_sz); - if ((int)*key_buffer_sz == (priv_sz + pub_sz)) { + if (*key_buffer_sz == (priv_sz + pub_sz)) { /* priv + pub */ ret = wc_MlDsaKey_ImportPrivRaw(&key.ml_dsa, *key_buffer, priv_sz); @@ -881,7 +876,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, printf("Found ml-dsa key\n"); break; } - else if ((int)*key_buffer_sz == pub_sz) { + else if (*key_buffer_sz == pub_sz) { /* pub only */ *pubkey = (*key_buffer); *pubkey_sz = pub_sz; diff --git a/tools/scripts/renode-test-update.sh b/tools/scripts/renode-test-update.sh index 983fa717a..59c8d8aad 100755 --- a/tools/scripts/renode-test-update.sh +++ b/tools/scripts/renode-test-update.sh @@ -48,8 +48,8 @@ if (echo $TEST_OPTIONS | grep "ext_XMSS" &>/dev/null); then cd ../../ || exit 2 fi -make distclean -make -C tools/keytools +make keysclean +make keytools make -C tools/test-expect-version make clean && make $TEST_OPTIONS || exit 2 make /tmp/renode-test-update.bin $TEST_OPTIONS || exit 2 diff --git a/tools/scripts/sim-pq-sunnyday-update.sh b/tools/scripts/sim-pq-sunnyday-update.sh index 104b2a11d..2e05b3cb8 100755 --- a/tools/scripts/sim-pq-sunnyday-update.sh +++ b/tools/scripts/sim-pq-sunnyday-update.sh @@ -29,7 +29,7 @@ fi cp $sim_pq .config || err_and_die "cp $sim_pq" -make distclean; make clean; +make keysclean; make clean; make keytools || err_and_die "keytools build failed" diff --git a/tools/test-delta.mk b/tools/test-delta.mk index cd7967bd3..54c7c1191 100644 --- a/tools/test-delta.mk +++ b/tools/test-delta.mk 
@@ -14,7 +14,7 @@ test-delta-enc-update-ext:EXPVER=tools/test-expect-version/test-expect-version / test-delta-enc-update-ext:PART_SIZE=131023 test-delta-enc-update-ext:APP=test-app/image_v7_signed_diff_encrypted.bin -test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version +test-delta-update: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version @killall ufserver || true @st-flash reset @sleep 2 @@ -68,7 +68,7 @@ test-delta-update: distclean factory.bin test-app/image.bin tools/uart-flash-ser @(test `$(EXPVER)` -eq 2) @echo "TEST SUCCESSFUL" -test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version +test-delta-update-ext: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version @killall ufserver || true @st-flash reset @dd if=/dev/zero of=zero.bin bs=4096 count=1 @@ -110,7 +110,7 @@ test-delta-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash @rm boot.bin boot_full.bin @echo "TEST SUCCESSFUL" -test-delta-enc-update-ext: distclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version +test-delta-enc-update-ext: keysclean factory.bin test-app/image.bin tools/uart-flash-server/ufserver tools/delta/bmdiff tools/test-expect-version/test-expect-version @killall ufserver || true @st-flash reset @dd if=/dev/zero of=zero.bin bs=4096 count=1 From 7132a13545f7001a5acc35fb3bf0b949e9fedd90 Mon Sep 17 00:00:00 2001 
From: Daniele Lacamera Date: Tue, 3 Dec 2024 11:10:16 +0100 Subject: [PATCH 17/29] Complete generic sign --- tools/keytools/sign.c | 121 ++++++++++++++---------------------------- tools/test.mk | 3 ++ 2 files changed, 44 insertions(+), 80 deletions(-) diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index 770a7ff74..548bc1f2f 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -229,39 +229,20 @@ static void header_append_tag(uint8_t* header, uint32_t* idx, uint16_t tag, *idx += len; } -#ifdef WOLFSSL_HAVE_LMS #include "../lms/lms_common.h" -#endif - -#ifdef WOLFSSL_HAVE_XMSS #include "../xmss/xmss_common.h" -#endif /* Globals */ static const char wolfboot_delta_file[] = "/tmp/wolfboot-delta.bin"; static struct { -#ifdef HAVE_ED25519 ed25519_key ed; -#endif -#ifdef HAVE_ED448 ed448_key ed4; -#endif -#ifdef HAVE_ECC ecc_key ecc; -#endif -#ifndef NO_RSA RsaKey rsa; -#endif -#ifdef WOLFSSL_HAVE_LMS LmsKey lms; -#endif -#ifdef WOLFSSL_HAVE_XMSS XmssKey xmss; -#endif -#ifdef WOLFSSL_WC_DILITHIUM MlDsaKey ml_dsa; -#endif } key; struct cmd_options { @@ -743,7 +724,6 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, if (ret == 0) break; -#ifdef WOLFSSL_HAVE_LMS FALL_THROUGH; /* we didn't solve the key, keep trying */ case SIGN_LMS: ret = -1; @@ -783,9 +763,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, printf("error: unrecognized LMS key size: %d\n", *key_buffer_sz); } -#endif /* WOLFSSL_HAVE_LMS */ -#ifdef WOLFSSL_HAVE_XMSS FALL_THROUGH; /* we didn't solve the key, keep trying */ case SIGN_XMSS: ret = -1; @@ -833,9 +811,6 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, printf("error: unrecognized XMSS key size: %d\n", *key_buffer_sz); } -#endif /* WOLFSSL_HAVE_XMSS */ - -#ifdef WOLFSSL_WC_DILITHIUM FALL_THROUGH; /* we didn't solve the key, keep trying */ case SIGN_ML_DSA: ret = wc_MlDsaKey_GetPubLen(&key.ml_dsa, (int *)&pub_sz); 
@@ -890,8 +865,6 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz, *key_buffer_sz); ret = -1; } -#endif /* WOLFSSL_WC_DILITHIUM */ - break; } /* end switch (sign) */ @@ -927,21 +900,16 @@ static int sign_digest(int sign, int hash_algo, return ret; } -#ifdef HAVE_ED25519 if (sign == SIGN_ED25519) { ret = wc_ed25519_sign_msg(digest, digest_sz, signature, signature_sz, &key.ed); } else -#endif -#ifdef HAVE_ED448 if (sign == SIGN_ED448) { ret = wc_ed448_sign_msg(digest, digest_sz, signature, signature_sz, &key.ed4, NULL, 0); } else -#endif -#ifdef HAVE_ECC if (sign == SIGN_ECC256 || sign == SIGN_ECC384 || sign == SIGN_ECC521) @@ -969,8 +937,6 @@ static int sign_digest(int sign, int hash_algo, mp_clear(&r); mp_clear(&s); } else -#endif -#ifndef NO_RSA if (sign == SIGN_RSA2048 || sign == SIGN_RSA3072 || sign == SIGN_RSA4096) @@ -1001,8 +967,6 @@ static int sign_digest(int sign, int hash_algo, } } else -#endif -#ifdef WOLFSSL_HAVE_LMS if (sign == SIGN_LMS) { const char *key_file = CMD.key_file; if (secondary) { @@ -1028,8 +992,6 @@ static int sign_digest(int sign, int hash_algo, } } else -#endif /* WOLFSSL_HAVE_LMS */ -#ifdef WOLFSSL_HAVE_XMSS if (sign == SIGN_XMSS) { const char *key_file = CMD.key_file; if (secondary) { @@ -1061,8 +1023,6 @@ static int sign_digest(int sign, int hash_algo, } } else -#endif /* WOLFSSL_HAVE_XMSS */ -#ifdef WOLFSSL_WC_DILITHIUM if (sign == SIGN_ML_DSA) { /* Nothing else to do, ready to sign. */ if (ret == 0) { @@ -1074,7 +1034,6 @@ static int sign_digest(int sign, int hash_algo, } } else -#endif /* WOLFSSL_WC_DILITHIUM */ { ret = NOT_COMPILED_IN; } 
@@ -2146,28 +2105,44 @@ static void set_signature_sizes(int secondary) CMD.header_sz = 1024; *sz = 512; } -#ifdef WOLFSSL_HAVE_LMS else if (*sign == SIGN_LMS) { int lms_ret = 0; word32 sig_sz = 0; + char *lms_levels_str, *lms_height_str, *lms_winternitz_str; + int lms_levels, lms_height, lms_winternitz; + lms_levels_str = getenv("LMS_LEVELS"); + lms_height_str = getenv("LMS_HEIGHT"); + lms_winternitz_str = getenv("LMS_WINTERNITZ"); + + if (!lms_levels_str) + lms_levels = LMS_LEVELS; + else + lms_levels = atoi(lms_levels_str); + if (!lms_height_str) + lms_height = LMS_HEIGHT; + else + lms_height = atoi(lms_height_str); + if (!lms_winternitz_str) + lms_winternitz = LMS_WINTERNITZ; + else + lms_winternitz = atoi(lms_winternitz_str); lms_ret = wc_LmsKey_Init(&key.lms, NULL, INVALID_DEVID); if (lms_ret != 0) { fprintf(stderr, "error: wc_LmsKey_Init returned %d\n", lms_ret); exit(1); } - - lms_ret = wc_LmsKey_SetParameters(&key.lms, LMS_LEVELS, - LMS_HEIGHT, LMS_WINTERNITZ); + lms_ret = wc_LmsKey_SetParameters(&key.lms, lms_levels, lms_height, + lms_winternitz); if (lms_ret != 0) { fprintf(stderr, "error: wc_LmsKey_SetParameters(%d, %d, %d)" \ - " returned %d\n", LMS_LEVELS, LMS_HEIGHT, - LMS_WINTERNITZ, lms_ret); + " returned %d\n", lms_levels, lms_height, + lms_winternitz, lms_ret); exit(1); } - printf("info: using LMS parameters: L%d-H%d-W%d\n", LMS_LEVELS, - LMS_HEIGHT, LMS_WINTERNITZ); + printf("info: using LMS parameters: L%d-H%d-W%d\n", lms_levels, + lms_height, lms_winternitz); lms_ret = wc_LmsKey_GetSigLen(&key.lms, &sig_sz); if (lms_ret != 0) { 
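Review bot: The `LMS_LEVELS`, `LMS_HEIGHT` and `LMS_WINTERNITZ` overrides added to the SIGN_LMS branch are parsed with atoi(), which cannot report failure. An empty or non-numeric value becomes 0 and a value with trailing garbage is silently accepted. The signing parameters then depend on whatever happens to be in the environment, and the later `wc_LmsKey_SetParameters(%d, %d, %d)` error prints the converted number rather than the offending string. A small strtol-based helper that falls back to the compile-time default for an unset or empty variable and aborts on malformed input would close this; it needs `<limits.h>` if sign.c does not already include it. The same pattern appears in the ML-DSA branch of this function (`ML_DSA_LEVEL`) and in keygen.c's get_pubkey_size, keygen_ml_dsa and keygen_lms. set_signature_sizes starts and ends outside the hunk.

```c
/* Integer override from the environment: unset or empty yields dflt,
 * anything that is not a complete non-negative decimal number aborts. */
static int env_int(const char *name, int dflt)
{
    const char *s = getenv(name);
    char *end = NULL;
    long v;

    if (s == NULL || *s == '\0')
        return dflt;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || v < 0 || v > INT_MAX) {
        fprintf(stderr, "error: invalid value for %s: '%s'\n", name, s);
        exit(1);
    }
    return (int)v;
}

/* ... unchanged: start of set_signature_sizes() up to the SIGN_LMS branch ... */
        lms_levels = env_int("LMS_LEVELS", LMS_LEVELS);
        lms_height = env_int("LMS_HEIGHT", LMS_HEIGHT);
        lms_winternitz = env_int("LMS_WINTERNITZ", LMS_WINTERNITZ);
/* ... unchanged: wc_LmsKey_Init / wc_LmsKey_SetParameters calls ... */
```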
@@ -2182,11 +2157,16 @@ static void set_signature_sizes(int secondary) CMD.header_sz = 2 * sig_sz; *sz = sig_sz; } -#endif /* WOLFSSL_HAVE_LMS */ -#ifdef WOLFSSL_HAVE_XMSS else if (*sign == SIGN_XMSS) { int xmss_ret = 0; word32 sig_sz = 0; + char *xmss_params = NULL; + + xmss_params = getenv("XMSS_PARAMS"); + if (!xmss_params) + xmss_params = WOLFBOOT_XMSS_PARAMS; + + printf("info: using XMSS parameters: %s\n", xmss_params); xmss_ret = wc_XmssKey_Init(&key.xmss, NULL, INVALID_DEVID); if (xmss_ret != 0) { @@ -2194,14 +2174,13 @@ static void set_signature_sizes(int secondary) exit(1); } - xmss_ret = wc_XmssKey_SetParamStr(&key.xmss, WOLFBOOT_XMSS_PARAMS); + xmss_ret = wc_XmssKey_SetParamStr(&key.xmss, xmss_params); if (xmss_ret != 0) { fprintf(stderr, "error: wc_XmssKey_SetParamStr(%s)" \ - " returned %d\n", WOLFBOOT_XMSS_PARAMS, xmss_ret); + " returned %d\n", xmss_params, xmss_ret); exit(1); } - printf("info: using XMSS parameters: %s\n", WOLFBOOT_XMSS_PARAMS); xmss_ret = wc_XmssKey_GetSigLen(&key.xmss, &sig_sz); if (xmss_ret != 0) { @@ -2216,11 +2195,14 @@ static void set_signature_sizes(int secondary) CMD.header_sz = 2 * sig_sz; *sz = sig_sz; } -#endif /* WOLFSSL_HAVE_XMSS */ -#ifdef WOLFSSL_WC_DILITHIUM else if (*sign == SIGN_ML_DSA) { int ml_dsa_ret = 0; uint32_t sig_sz = 0; + char *env_ml_dsa_level = NULL; + int ml_dsa_level = ML_DSA_LEVEL; + env_ml_dsa_level = getenv("ML_DSA_LEVEL"); + if (env_ml_dsa_level) + ml_dsa_level = atoi(env_ml_dsa_level); ml_dsa_ret = wc_MlDsaKey_Init(&key.ml_dsa, NULL, INVALID_DEVID); if (ml_dsa_ret != 0) { 
@@ -2228,14 +2210,14 @@ static void set_signature_sizes(int secondary) exit(1); } - ml_dsa_ret = wc_MlDsaKey_SetParams(&key.ml_dsa, ML_DSA_LEVEL); + ml_dsa_ret = wc_MlDsaKey_SetParams(&key.ml_dsa, ml_dsa_level); if (ml_dsa_ret != 0) { fprintf(stderr, "error: wc_MlDsaKey_SetParamStr(%d)" \ - " returned %d\n", ML_DSA_LEVEL, ml_dsa_ret); + " returned %d\n", ml_dsa_level, ml_dsa_ret); exit(1); } - printf("info: using ML-DSA parameters: %d\n", ML_DSA_LEVEL); + printf("info: using ML-DSA parameters: %d\n", ml_dsa_level); ml_dsa_ret = wc_MlDsaKey_GetSigLen(&key.ml_dsa, (int *)&sig_sz); if (ml_dsa_ret != 0) { @@ -2250,7 +2232,6 @@ static void set_signature_sizes(int secondary) CMD.header_sz = 2 * sig_sz; *sz = sig_sz; } -#endif /* WOLFSSL_WC_DILITHIUM */ env_image_header_size = getenv("IMAGE_HEADER_SIZE"); if (env_image_header_size) { @@ -2417,7 +2398,6 @@ int main(int argc, char** argv) sign_str = "RSA4096"; } } -#ifdef WOLFSSL_HAVE_LMS else if (strcmp(argv[i], "--lms") == 0) { if (CMD.sign != SIGN_AUTO) { CMD.hybrid = 1; @@ -2428,8 +2408,6 @@ int main(int argc, char** argv) sign_str = "LMS"; } } -#endif -#ifdef WOLFSSL_HAVE_XMSS else if (strcmp(argv[i], "--xmss") == 0) { if (CMD.sign != SIGN_AUTO) { CMD.hybrid = 1; @@ -2440,8 +2418,6 @@ int main(int argc, char** argv) sign_str = "XMSS"; } } -#endif -#ifdef HAVE_DILITHIUM else if (strcmp(argv[i], "--ml_dsa") == 0) { if (CMD.sign != SIGN_AUTO) { CMD.hybrid = 1; @@ -2452,7 +2428,6 @@ int main(int argc, char** argv) sign_str = "ML-DSA"; } } -#endif else if (strcmp(argv[i], "--sha256") == 0) { CMD.hash_algo = HASH_SHA256; hash_str = "SHA256"; 
@@ -2800,43 +2775,29 @@ int main(int argc, char** argv) if (kbuf) free(kbuf); if (CMD.sign == SIGN_ED25519) { -#ifdef HAVE_ED25519 wc_ed25519_free(&key.ed); -#endif } else if (CMD.sign == SIGN_ED448) { -#ifdef HAVE_ED448 wc_ed448_free(&key.ed4); -#endif } else if (CMD.sign == SIGN_ECC256 || CMD.sign == SIGN_ECC384 || CMD.sign == SIGN_ECC521) { -#ifdef HAVE_ECC wc_ecc_free(&key.ecc); -#endif } else if (CMD.sign == SIGN_RSA2048 || CMD.sign == SIGN_RSA3072 || CMD.sign == SIGN_RSA4096) { -#ifndef NO_RSA wc_FreeRsaKey(&key.rsa); -#endif } else if (CMD.sign == SIGN_LMS) { -#ifdef WOLFSSL_HAVE_LMS wc_LmsKey_Free(&key.lms); -#endif } else if (CMD.sign == SIGN_XMSS) { -#ifdef WOLFSSL_HAVE_XMSS wc_XmssKey_Free(&key.xmss); -#endif } else if (CMD.sign == SIGN_ML_DSA) { -#ifdef WOLFSSL_WC_DILITHIUM wc_MlDsaKey_Free(&key.ml_dsa); -#endif } return ret; } diff --git a/tools/test.mk b/tools/test.mk index 1c96e1ebb..a3b049242 100644 --- a/tools/test.mk +++ b/tools/test.mk @@ -1020,3 +1020,6 @@ test-size-all: IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE?=4096 \ LIMIT=8232 NO_ARM_ASM=1 make keysclean + make clean + make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=18868 \ + IMAGE_SIGNATURE_SIZE=2420 IMAGE_HEADER_SIZE?=8192 From d5e402ebde72ee3bb5fdb2333e393b61614bdd99 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 3 Dec 2024 14:50:54 +0100 Subject: [PATCH 18/29] Removing compile-time parameters from keygen --- Makefile | 6 ++-- include/wolfboot/wolfboot.h | 26 ++++++--------- tools/keytools/Makefile | 10 +++--- tools/keytools/keygen.c | 61 +++++++++++++++++++++------------- tools/keytools/user_settings.h | 24 ++++++------- tools/test-renode.mk | 2 -- 6 files changed, 68 insertions(+), 61 deletions(-) diff --git a/Makefile b/Makefile index 33ede26e5..ba3d5535f 100644 --- a/Makefile +++ b/Makefile 
@@ -86,7 +86,7 @@ ifeq ($(TARGET),ti_hercules) endif # Environment variables for sign tool -SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) +SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) ML_DSA_LEVEL=$(ML_DSA_LEVEL) IMAGE_SIGNATURE_SIZE=$(IMAGE_SIGNATURE_SIZE) MAIN_TARGET=factory.bin @@ -208,7 +208,7 @@ keytools_check: keytools $(PRIVATE_KEY): $(Q)$(MAKE) keytools_check - $(Q)(test $(SIGN) = NONE) || ("$(KEYGEN_TOOL)" $(KEYGEN_OPTIONS) -g $(PRIVATE_KEY)) || true + $(Q)(test $(SIGN) = NONE) || ($(SIGN_ENV) "$(KEYGEN_TOOL)" $(KEYGEN_OPTIONS) -g $(PRIVATE_KEY)) || true $(Q)(test $(SIGN) = NONE) && (echo "// SIGN=NONE" > src/keystore.c) || true $(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true @@ -216,7 +216,7 @@ $(SECONDARY_PRIVATE_KEY): $(PRIVATE_KEY) keystore.der $(Q)$(MAKE) keytools_check $(Q)rm -f src/keystore.c $(Q)dd if=keystore.der of=pubkey_1.der bs=1 skip=16 - $(Q)(test $(SIGN_SECONDARY) = NONE) || ("$(KEYGEN_TOOL)" \ + $(Q)(test $(SIGN_SECONDARY) = NONE) || ($(SIGN_ENV) "$(KEYGEN_TOOL)" \ $(KEYGEN_OPTIONS) -i pubkey_1.der $(SECONDARY_KEYGEN_OPTIONS) \ -g $(SECONDARY_PRIVATE_KEY)) || true $(Q)(test "$(FLASH_OTP_KEYSTORE)" = "1") && (make -C tools/keytools/otp) || true diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 6d44e9e94..e697c38bf 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h 
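Review bot: `ML_DSA_LEVEL=$(ML_DSA_LEVEL)` in `SIGN_ENV` exports an empty string whenever the make variable is unset, and the tools in this series treat any non-NULL getenv() result as an override and pass it to atoi(), which yields 0. In keygen that reaches the `invalid ML_DSA_LEVEL` exit path, and the `|| true` that ends the keygen command in the `$(PRIVATE_KEY)` and `$(SECONDARY_PRIVATE_KEY)` rules hides the non-zero exit, so the failure only surfaces later as a missing key. Whether a default is assigned elsewhere in the build is not visible from this hunk; if it is not, either assign one before `SIGN_ENV` or have the tools skip empty values with `if (env == NULL || *env == '\0')`. The later `SIGN_ENV` hunk that adds `LMS_LEVELS`, `LMS_HEIGHT`, `LMS_WINTERNITZ` and `XMSS_PARAMS` has the same exposure.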
@@ -138,21 +138,17 @@ extern "C" { /* ML-DSA pub key size is a function of parameters. * This needs to be configurable. Default to security * category 2. */ -#ifdef ML_DSA_LEVEL - #if ML_DSA_LEVEL == 2 - #define KEYSTORE_PUBKEY_SIZE_ML_DSA 1312 - #elif ML_DSA_LEVEL == 3 - #define KEYSTORE_PUBKEY_SIZE_ML_DSA 1952 - #elif ML_DSA_LEVEL == 5 - #define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 - #endif -#else - #ifdef SIGN_ML_DSA - #error "ML_DSA_LEVEL not defined" - #endif - /* Default to max size for keystore */ - #define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 -#endif /* defined ML_DSA_LEVEL */ + +#define ML_DSA_L2_PUBKEY_SIZE 1312 +#define ML_DSA_L3_PUBKEY_SIZE 1952 +#define ML_DSA_L5_PUBKEY_SIZE 2592 + + +#if defined(SIGN_ML_DSA) && !defined(ML_DSA_LEVEL) + #define ML_DSA_LEVEL 5 +#endif +/* Default to max size for keystore */ +#define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 /* Mask for key permissions */ #define KEY_VERIFY_ALL (0xFFFFFFFFU) diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile index d1c387b5a..e1e3be552 100644 --- a/tools/keytools/Makefile +++ b/tools/keytools/Makefile @@ -17,7 +17,8 @@ LDFLAGS = OBJDIR = ./ LIBS = -ML_DSA_LEVEL?=2 +ML_DSA_LEVEL?=5 +CFLAGS+=-DML_DSA_LEVEL=$(ML_DSA_LEVEL) LMS_LEVELS?=1 LMS_HEIGHT?=10 @@ -33,6 +34,9 @@ CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \ # LMS flags CFLAGS +=-DWOLFSSL_WC_LMS +# ML_DSA flags +CFLAGS +=-DWOLFSSL_HAVE_DILITHIUM + # XMSS flags CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \ -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ @@ -111,10 +115,6 @@ OBJS_REAL+=\ $(WOLFDIR)/wolfcrypt/src/wc_xmss_impl.o OBJS_REAL+=$(WOLFDIR)/wolfcrypt/src/dilithium.o -CFLAGS += -D"WOLFBOOT_SIGN_ML_DSA" \ - -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ - -D"ML_DSA_LEVEL"=$(ML_DSA_LEVEL) - OBJS_VIRT=$(addprefix $(OBJDIR), $(notdir $(OBJS_REAL))) vpath %.c $(WOLFDIR)/wolfcrypt/src/ vpath %.c $(WOLFBOOTDIR)/src/ diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index b517fdcef..60c253aef 100644 
--- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c @@ -451,15 +451,35 @@ static uint32_t get_pubkey_size(uint32_t keyType) case KEYGEN_XMSS: size = KEYSTORE_PUBKEY_SIZE_XMSS; break; -#ifdef KEYSTORE_PUBKEY_SIZE_ML_DSA case KEYGEN_ML_DSA: - size = KEYSTORE_PUBKEY_SIZE_ML_DSA; + { + char *env_ml_dsa_level = getenv("ML_DSA_LEVEL"); + if (env_ml_dsa_level == NULL) { + fprintf(stderr, "warning: ML_DSA_LEVEL environment variable" + " not set, assuming level 2\n"); + size = ML_DSA_L2_PUBKEY_SIZE; + } else { + int level = atoi(env_ml_dsa_level); + switch (level) { + case 2: + size = ML_DSA_L2_PUBKEY_SIZE; + break; + case 3: + size = ML_DSA_L3_PUBKEY_SIZE; + break; + case 5: + size = ML_DSA_L5_PUBKEY_SIZE; + break; + default: + fprintf(stderr, "error: invalid ML_DSA_LEVEL: %d\n", level); + exit(1); + } + } break; -#endif default: size = 0; + } } - return size; } @@ -520,7 +540,6 @@ void keystore_add(uint32_t ktype, uint8_t *key, uint32_t sz, const char *keyfile } -#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask) { RsaKey k; @@ -570,9 +589,7 @@ static void keygen_rsa(const char *keyfile, int kbits, uint32_t id_mask) else if (kbits == 4096) keystore_add(KEYGEN_RSA4096, pub_der, publen, keyfile, id_mask); } -#endif -#ifdef HAVE_ECC #define MAX_ECC_KEY_SIZE 66 static void keygen_ecc(const char *priv_fname, uint16_t ecc_key_size, @@ -676,10 +693,8 @@ static void keygen_ecc(const char *priv_fname, uint16_t ecc_key_size, else if (ecc_key_size == 66) keystore_add(KEYGEN_ECC521, k_buffer, 2 * ecc_key_size, priv_fname, id_mask); } -#endif -#ifdef HAVE_ED25519 static void keygen_ed25519(const char *privkey, uint32_t id_mask) { ed25519_key k; 
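Review bot: get_pubkey_size falls back to level 2 when `ML_DSA_LEVEL` is not in the environment, but keygen_ml_dsa in the same patch falls back to the compile-time `ML_DSA_LEVEL` macro, which tools/keytools/Makefile now defaults to 5. With the variable unset, the tool therefore generates a 2592-byte level-5 public key while this function reports 1312 bytes for the same key type. Both paths should share one fallback, for example `int level = env_ml_dsa_level ? atoi(env_ml_dsa_level) : ML_DSA_LEVEL;` feeding the existing switch, which also makes the "assuming level 2" warning unnecessary. Separately, the block opened after `case KEYGEN_ML_DSA:` is closed only after `default: size = 0;`, so the `default` label sits inside the ML-DSA block; that compiles but reads as a misplaced brace, and closing the block before `break;` would be clearer.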
@@ -716,9 +731,7 @@ static void keygen_ed25519(const char *privkey, uint32_t id_mask) keystore_add(KEYGEN_ED25519, pub, ED25519_PUB_KEY_SIZE, privkey, id_mask); } -#endif -#ifdef HAVE_ED448 static void keygen_ed448(const char *privkey, uint32_t id_mask) { ed448_key k; @@ -755,9 +768,7 @@ static void keygen_ed448(const char *privkey, uint32_t id_mask) keystore_add(KEYGEN_ED448, pub, ED448_PUB_KEY_SIZE, privkey, id_mask); } -#endif -#if defined(WOLFSSL_HAVE_LMS) #include "../lms/lms_common.h" static void keygen_lms(const char *priv_fname, uint32_t id_mask) @@ -844,9 +855,7 @@ static void keygen_lms(const char *priv_fname, uint32_t id_mask) wc_LmsKey_Free(&key); } -#endif /* if defined(WOLFSSL_HAVE_LMS) */ -#if defined(WOLFSSL_HAVE_XMSS) #include "../xmss/xmss_common.h" static void keygen_xmss(const char *priv_fname, uint32_t id_mask) @@ -942,9 +951,7 @@ static void keygen_xmss(const char *priv_fname, uint32_t id_mask) wc_XmssKey_Free(&key); } -#endif /* if defined(WOLFSSL_HAVE_XMSS) */ -#if defined(WOLFSSL_WC_DILITHIUM) static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask) { @@ -957,6 +964,13 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask) word32 pub_len = 0; int ml_dsa_priv_len = 0; int ml_dsa_pub_len = 0; + int ml_dsa_level = ML_DSA_LEVEL; + char * env_ml_dsa_level = getenv("ML_DSA_LEVEL"); + if (env_ml_dsa_level != NULL) { + ml_dsa_level = atoi(env_ml_dsa_level); + } + + fprintf(stderr, "info: using DSA level %d\n", ml_dsa_level); ret = wc_MlDsaKey_Init(&key, NULL, INVALID_DEVID); if (ret != 0) { @@ -964,10 +978,10 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask) exit(1); } - ret = wc_MlDsaKey_SetParams(&key, ML_DSA_LEVEL); + ret = wc_MlDsaKey_SetParams(&key, ml_dsa_level); if (ret != 0) { fprintf(stderr, "error: wc_MlDsaKey_SetParams(%d) returned %d\n", - ML_DSA_LEVEL, ret); + ml_dsa_level, ret); exit(1); } 
@@ -985,6 +999,7 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask) ret); exit(1); } + printf("info: ml-dsa public key length: %d\n", ml_dsa_pub_len); /* Get the ML-DSA private key length. This API returns * the public + private length. */ @@ -994,6 +1009,7 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask) ret); exit(1); } + printf("info: ml-dsa private key length: %d\n", ml_dsa_priv_len); if (ml_dsa_priv_len <= ml_dsa_pub_len) { printf("error: ml-dsa: unexpected key lengths: %d, %d", @@ -1026,9 +1042,9 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask) exit(1); } - if (pub_len != sizeof(pub)) { + if ((int)pub_len != ml_dsa_pub_len) { fprintf(stderr, "error: wc_MlDsaKey_ExportPubRaw returned pub_len=%d, " \ - "expected %zu\n", pub_len, sizeof(pub)); + "expected %d\n", pub_len, ml_dsa_pub_len); exit(1); } @@ -1050,14 +1066,13 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask) fwrite(pub, pub_len, 1, fpriv); fclose(fpriv); - keystore_add(KEYGEN_ML_DSA, pub, KEYSTORE_PUBKEY_SIZE_ML_DSA, + keystore_add(KEYGEN_ML_DSA, pub, pub_len, priv_fname, id_mask); wc_MlDsaKey_Free(&key); free(priv); priv = NULL; } -#endif /* if defined(WOLFSSL_WC_DILITHIUM) */ static void key_gen_check(const char *kfilename) { diff --git a/tools/keytools/user_settings.h b/tools/keytools/user_settings.h index ca66ac942..0759d1a3f 100644 --- a/tools/keytools/user_settings.h +++ b/tools/keytools/user_settings.h 
@@ -74,19 +74,17 @@ #undef NO_SHA256 /* ML-DSA (dilithium) */ -#if defined(WOLFBOOT_SIGN_ML_DSA) -# define HAVE_DILITHIUM -# define WOLFSSL_WC_DILITHIUM -# define WOLFSSL_EXPERIMENTAL_SETTINGS - /* Wolfcrypt builds ML-DSA (dilithium) to the FIPS 204 final - * standard by default. Uncomment this if you want the draft - * version instead. */ - #if 0 - #define WOLFSSL_DILITHIUM_FIPS204_DRAFT - #endif - /* dilithium needs these sha functions. */ -# define WOLFSSL_SHAKE128 -#endif /* WOLFBOOT_SIGN_ML_DSA */ +#define HAVE_DILITHIUM +#define WOLFSSL_WC_DILITHIUM +#define WOLFSSL_EXPERIMENTAL_SETTINGS +/* Wolfcrypt builds ML-DSA (dilithium) to the FIPS 204 final +* standard by default. Uncomment this if you want the draft +* version instead. */ +#if 0 + #define WOLFSSL_DILITHIUM_FIPS204_DRAFT +#endif +/* dilithium needs these sha functions. */ +#define WOLFSSL_SHAKE128 /* ASN */ #define WOLFSSL_ASN_TEMPLATE diff --git a/tools/test-renode.mk b/tools/test-renode.mk index a3b00e294..de40b3a66 100644 --- a/tools/test-renode.mk +++ b/tools/test-renode.mk @@ -36,8 +36,6 @@ else SIGN_TOOL?=$(WOLFBOOT_ROOT)/tools/keytools/sign endif -SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) - ifeq ($(TARGET),stm32f7) RENODE_CONFIG=tools/renode/stm32f746_wolfboot.resc POFF=393211 From 5ab661677f5719121b9119ae15486ee0f7ec160b Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 3 Dec 2024 14:58:49 +0100 Subject: [PATCH 19/29] keygen: removed compile-time parameters (lms, xmss) --- Makefile | 9 ++++++++- tools/keytools/keygen.c | 36 ++++++++++++++++++++++++++++-------- 2 files changed, 36 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index ba3d5535f..cf9fdec2d 100644 --- a/Makefile +++ b/Makefile 
@@ -86,7 +86,14 @@ ifeq ($(TARGET),ti_hercules) endif # Environment variables for sign tool -SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) ML_DSA_LEVEL=$(ML_DSA_LEVEL) IMAGE_SIGNATURE_SIZE=$(IMAGE_SIGNATURE_SIZE) +SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) \ + WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) \ + ML_DSA_LEVEL=$(ML_DSA_LEVEL) \ + IMAGE_SIGNATURE_SIZE=$(IMAGE_SIGNATURE_SIZE) \ + LMS_LEVELS=$(LMS_LEVELS) \ + LMS_HEIGHT=$(LMS_HEIGHT) \ + LMS_WINTERNITZ=$(LMS_WINTERNITZ) \ + XMSS_PARAMS=$(XMSS_PARAMS) MAIN_TARGET=factory.bin diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index 60c253aef..ca1d58927 100644 --- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c @@ -778,6 +778,22 @@ static void keygen_lms(const char *priv_fname, uint32_t id_mask) int ret; byte lms_pub[HSS_MAX_PUBLIC_KEY_LEN]; word32 pub_len = sizeof(lms_pub); + int lms_levels, lms_height, lms_winternitz; + char *env_lms_levels, *env_lms_height, *env_lms_winternitz; + + lms_levels = LMS_LEVELS; + lms_height = LMS_HEIGHT; + lms_winternitz = LMS_WINTERNITZ; + + env_lms_levels = getenv("LMS_LEVELS"); + env_lms_height = getenv("LMS_HEIGHT"); + env_lms_winternitz = getenv("LMS_WINTERNITZ"); + if (env_lms_levels != NULL) + lms_levels = atoi(env_lms_levels); + if (env_lms_height != NULL) + lms_height = atoi(env_lms_height); + if (env_lms_winternitz != NULL) + lms_winternitz = atoi(env_lms_winternitz); ret = wc_LmsKey_Init(&key, NULL, INVALID_DEVID); if (ret != 0) { 
@@ -785,16 +801,16 @@ static void keygen_lms(const char *priv_fname, uint32_t id_mask) exit(1); } - ret = wc_LmsKey_SetParameters(&key, LMS_LEVELS, LMS_HEIGHT, LMS_WINTERNITZ); + ret = wc_LmsKey_SetParameters(&key, lms_levels, lms_height, lms_winternitz); if (ret != 0) { fprintf(stderr, "error: wc_LmsKey_SetParameters(%d, %d, %d)" \ - " returned %d\n", LMS_LEVELS, LMS_HEIGHT, - LMS_WINTERNITZ, ret); + " returned %d\n", lms_levels, lms_height, + lms_winternitz, ret); exit(1); } - printf("info: using LMS parameters: L%d-H%d-W%d\n", LMS_LEVELS, - LMS_HEIGHT, LMS_WINTERNITZ); + printf("info: using LMS parameters: L%d-H%d-W%d\n", lms_levels, + lms_height, lms_winternitz); ret = wc_LmsKey_SetWriteCb(&key, lms_write_key); if (ret != 0) { @@ -865,6 +881,7 @@ static void keygen_xmss(const char *priv_fname, uint32_t id_mask) int ret; word32 priv_sz = 0; byte xmss_pub[XMSS_SHA256_PUBLEN]; + char *xmss_params = getenv("XMSS_PARAMS"); word32 pub_len = sizeof(xmss_pub); ret = wc_XmssKey_Init(&key, NULL, INVALID_DEVID); @@ -873,14 +890,17 @@ static void keygen_xmss(const char *priv_fname, uint32_t id_mask) exit(1); } - ret = wc_XmssKey_SetParamStr(&key, WOLFBOOT_XMSS_PARAMS); + if (xmss_params != NULL) + xmss_params = WOLFBOOT_XMSS_PARAMS; + + ret = wc_XmssKey_SetParamStr(&key, xmss_params); if (ret != 0) { fprintf(stderr, "error: wc_XmssKey_SetParamStr(%s)" \ - " returned %d\n", WOLFBOOT_XMSS_PARAMS, ret); + " returned %d\n", xmss_params, ret); exit(1); } - printf("info: using XMSS parameters: %s\n", WOLFBOOT_XMSS_PARAMS); + printf("info: using XMSS parameters: %s\n", xmss_params); ret = wc_XmssKey_SetWriteCb(&key, xmss_write_key); if (ret != 0) { From 51eff3e71d5b9837bcc5113b8b3d6c4eb28a3305 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 3 Dec 2024 15:03:45 +0100 Subject: [PATCH 20/29] Adjusted size for ML_DSA build --- tools/test.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/test.mk b/tools/test.mk index a3b049242..2a02afbfc 100644 
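Review bot: The fallback test in keygen_xmss is inverted: `if (xmss_params != NULL) xmss_params = WOLFBOOT_XMSS_PARAMS;` discards a value supplied through `XMSS_PARAMS` and leaves the pointer NULL when the variable is unset. In that second case NULL is passed to `wc_XmssKey_SetParamStr` and to the `%s` conversions in the following fprintf/printf calls. The condition should be `if (xmss_params == NULL)`, matching the `if (!xmss_params)` used for the same fallback in sign.c's set_signature_sizes. As written, keygen and sign can also end up using different XMSS parameter sets for the same environment. keygen_xmss begins and continues outside these hunks.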
--- a/tools/test.mk +++ b/tools/test.mk @@ -1021,5 +1021,5 @@ test-size-all: LIMIT=8232 NO_ARM_ASM=1 make keysclean make clean - make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=18868 \ + make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=20148 \ IMAGE_SIGNATURE_SIZE=2420 IMAGE_HEADER_SIZE?=8192 From c3fe5055f679bbdc7d37187057544659a3f17738 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 3 Dec 2024 15:23:40 +0100 Subject: [PATCH 21/29] Fix check on ML_DSA pubkey size at runtime --- config/examples/sim-ml-dsa.config | 10 +++++----- src/image.c | 5 +++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/config/examples/sim-ml-dsa.config b/config/examples/sim-ml-dsa.config index cc209b7cf..c6e1e3147 100644 --- a/config/examples/sim-ml-dsa.config +++ b/config/examples/sim-ml-dsa.config @@ -25,8 +25,8 @@ ARCH=sim TARGET=sim -SIGN?=ML_DSA -HASH?=SHA256 +SIGN=ML_DSA +HASH=SHA256 WOLFBOOT_SMALL_STACK=0 SPI_FLASH=0 DEBUG=0 @@ -38,17 +38,17 @@ DELTA_UPDATES=0 # Category 2: ML_DSA_LEVEL=2 IMAGE_SIGNATURE_SIZE=2420 -IMAGE_HEADER_SIZE?=8192 +IMAGE_HEADER_SIZE=8192 # # Category 3: # ML_DSA_LEVEL=3 # IMAGE_SIGNATURE_SIZE=3309 -# IMAGE_HEADER_SIZE?=8192 +# IMAGE_HEADER_SIZE=8192 # # Category 5: # ML_DSA_LEVEL=5 # IMAGE_SIGNATURE_SIZE=4627 -# IMAGE_HEADER_SIZE?=12288 +# IMAGE_HEADER_SIZE=12288 # This example needsd larger sector size. # WOLFBOOT_SECTOR_SIZE=0x3000 # diff --git a/src/image.c b/src/image.c index 00271ba0e..f1cbc3865 100644 --- a/src/image.c +++ b/src/image.c @@ -593,6 +593,7 @@ static void wolfBoot_verify_signature_xmss(uint8_t key_slot, #ifdef WOLFBOOT_SIGN_ML_DSA #include + static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot, struct wolfBoot_image *img, uint8_t *sig) { 
@@ -636,9 +637,9 @@ static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot, wolfBoot_printf("error: wc_MlDsaKey_GetPubLen returned %d\n", ret); ret = -1; } - else if (pub_len != KEYSTORE_PUBKEY_SIZE_ML_DSA) { + else if (pub_len > KEYSTORE_PUBKEY_SIZE) { wolfBoot_printf("error: ML-DSA pub key mismatch: got %d bytes " \ - "expected %d\n", pub_len, KEYSTORE_PUBKEY_SIZE_ML_DSA); + "max %d\n", pub_len, KEYSTORE_PUBKEY_SIZE); ret = -1; } } From eddf0bd2340bb8c70d62eb12562ff0dd909c1851 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 5 Dec 2024 08:36:02 -0800 Subject: [PATCH 22/29] Progress getting the Windows tools to build. --- lib/wolfssl | 2 +- tools/keytools/Makefile | 19 ++++-------- tools/keytools/user_settings.h | 35 +++++++++++++++++++++-- tools/keytools/wolfBootKeygenTool.vcxproj | 5 ++++ tools/keytools/wolfBootSignTool.vcxproj | 5 ++++ 5 files changed, 49 insertions(+), 17 deletions(-) diff --git a/lib/wolfssl b/lib/wolfssl index bdd62314f..1e9607b65 160000 --- a/lib/wolfssl +++ b/lib/wolfssl @@ -1 +1 @@ -Subproject commit bdd62314f00fca0e216bf8c963c8eeff6327e0cb +Subproject commit 1e9607b65ea4cc8f3e71c03a79e59a2d3f37e268 diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile index e1e3be552..31b10cd1d 100644 --- a/tools/keytools/Makefile +++ b/tools/keytools/Makefile @@ -12,7 +12,7 @@ LD = gcc WOLFBOOTDIR = ../.. WOLFDIR = $(WOLFBOOTDIR)/lib/wolfssl CFLAGS = -Wall -Wextra -Werror -CFLAGS += -I. -DWOLFSSL_USER_SETTINGS -I$(WOLFDIR) -I$(WOLFBOOTDIR)/include -DWOLFBOOT_KEYTOOLS +CFLAGS += -I. -DWOLFSSL_USER_SETTINGS -I$(WOLFDIR) -I$(WOLFBOOTDIR)/include LDFLAGS = OBJDIR = ./ LIBS = 
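Review bot: The length check in wolfBoot_verify_signature_ml_dsa is now only an upper bound: `pub_len > KEYSTORE_PUBKEY_SIZE` accepts any length up to the slot maximum, where the previous code required an exact match. `pub_len` comes from `wc_MlDsaKey_GetPubLen` for the configured level, so the boot path no longer confirms that the key stored in `key_slot` has that length. The import that follows is outside the hunk, so whether it validates the stored size cannot be confirmed from here. If it does not, the stored size should be compared too, for example by adding `|| pub_len != keystore_get_size(key_slot)` to the condition, assuming that accessor reports the length recorded for the slot. The message would then need to name both values.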
@@ -23,25 +23,16 @@ CFLAGS+=-DML_DSA_LEVEL=$(ML_DSA_LEVEL) LMS_LEVELS?=1 LMS_HEIGHT?=10 LMS_WINTERNITZ?=8 -XMSS_PARAMS?='XMSS-SHA2_10_256' # Common to wc_lms and ext_lms. -CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \ - -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \ +CFLAGS +=-D"LMS_LEVELS=$(LMS_LEVELS)" \ + -D"LMS_HEIGHT=$(LMS_HEIGHT)" \ -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)" - -# LMS flags -CFLAGS +=-DWOLFSSL_WC_LMS - -# ML_DSA flags -CFLAGS +=-DWOLFSSL_HAVE_DILITHIUM - # XMSS flags -CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \ - -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ +XMSS_PARAMS?='XMSS-SHA2_10_256' +CFLAGS +=-D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \ -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\" -CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32" # When WOLFBOOT_UNIVERSAL_KEYSTORE is defined, pad store_sizes in keystore.der ifeq ($(WOLFBOOT_UNIVERSAL_KEYSTORE),1) diff --git a/tools/keytools/user_settings.h b/tools/keytools/user_settings.h index 0759d1a3f..2e1e2d533 100644 --- a/tools/keytools/user_settings.h +++ b/tools/keytools/user_settings.h @@ -29,6 +29,7 @@ #include /* System */ +#define WOLFBOOT_KEYTOOLS #define SINGLE_THREADED #define WOLFCRYPT_ONLY 
@@ -73,19 +74,49 @@ #define WOLFSSL_SHA3 #undef NO_SHA256 +/* Enable experimental PQ algos */ +#define WOLFSSL_EXPERIMENTAL_SETTINGS + /* ML-DSA (dilithium) */ #define HAVE_DILITHIUM #define WOLFSSL_WC_DILITHIUM -#define WOLFSSL_EXPERIMENTAL_SETTINGS /* Wolfcrypt builds ML-DSA (dilithium) to the FIPS 204 final * standard by default. Uncomment this if you want the draft * version instead. */ #if 0 - #define WOLFSSL_DILITHIUM_FIPS204_DRAFT + #define WOLFSSL_DILITHIUM_FIPS204_DRAFT +#endif +#ifndef ML_DSA_LEVEL + #define ML_DSA_LEVEL 5 #endif /* dilithium needs these sha functions. */ #define WOLFSSL_SHAKE128 +/* LMS */ +#define WOLFBOOT_SIGN_LMS +#define WOLFSSL_HAVE_LMS +#define WOLFSSL_WC_LMS +#ifndef LMS_LEVELS + #define LMS_LEVELS 1 +#endif +#ifndef LMS_HEIGHT + #define LMS_HEIGHT 10 +#endif +#ifndef LMS_WINTERNITZ + #define LMS_WINTERNITZ 8 +#endif + +/* XMSS */ +#define WOLFBOOT_SIGN_XMSS +#define WOLFSSL_HAVE_XMSS +#define WOLFSSL_WC_XMSS +#ifndef WOLFBOOT_XMSS_PARAMS + #define WOLFBOOT_XMSS_PARAMS "XMSS-SHA2_10_256" +#endif +#ifndef WOLFSSL_XMSS_MAX_HEIGHT + #define WOLFSSL_XMSS_MAX_HEIGHT 32 +#endif + /* ASN */ #define WOLFSSL_ASN_TEMPLATE diff --git a/tools/keytools/wolfBootKeygenTool.vcxproj b/tools/keytools/wolfBootKeygenTool.vcxproj index 8d729e005..b9fd05a5f 100644 --- a/tools/keytools/wolfBootKeygenTool.vcxproj +++ b/tools/keytools/wolfBootKeygenTool.vcxproj @@ -157,6 +157,7 @@ + @@ -177,6 +178,10 @@ + + + + diff --git a/tools/keytools/wolfBootSignTool.vcxproj b/tools/keytools/wolfBootSignTool.vcxproj index 18db45bf1..4c50d21f6 100755 --- a/tools/keytools/wolfBootSignTool.vcxproj +++ b/tools/keytools/wolfBootSignTool.vcxproj @@ -158,6 +158,7 @@ + @@ -178,6 +179,10 @@ + + + + From 4ac4de51acf747c79f507d7802b51a76441ea8c2 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 5 Dec 2024 10:29:00 -0800 Subject: [PATCH 23/29] Fix ML-DSA level comment. --- include/wolfboot/wolfboot.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index e697c38bf..4ca85d6ca 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h @@ -137,7 +137,7 @@ extern "C" { /* ML-DSA pub key size is a function of parameters. * This needs to be configurable. Default to security - * category 2. */ + * category 5. */ #define ML_DSA_L2_PUBKEY_SIZE 1312 #define ML_DSA_L3_PUBKEY_SIZE 1952 From 8cdefaae20d23683243eb10fb7cc696567d1d83f Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 5 Dec 2024 10:45:52 -0800 Subject: [PATCH 24/29] Fix to remove ext_XMS artifact from keytools Makefile. Caused mingw readdir error. --- tools/keytools/Makefile | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile index 31b10cd1d..0db21eccd 100644 --- a/tools/keytools/Makefile +++ b/tools/keytools/Makefile @@ -110,7 +110,6 @@ OBJS_VIRT=$(addprefix $(OBJDIR), $(notdir $(OBJS_REAL))) vpath %.c $(WOLFDIR)/wolfcrypt/src/ vpath %.c $(WOLFBOOTDIR)/src/ vpath %.c ./ -vpath %.c $(XMSSDIR)/ .PHONY: clean all @@ -127,9 +126,6 @@ $(OBJDIR)/%.o: $(WOLFBOOTDIR)/src/%.c $(OBJDIR)/%.o: $(WOLFDIR)/wolfcrypt/src/%.c $(Q)$(CC) $(CFLAGS) -c -o $@ $< -$(XMSSDIR)/src/%.o: $(XMSSDIR)/src/%.c - $(Q)$(CC) $(CFLAGS) -c -o $@ $< - # build templates sign: $(OBJS_VIRT) $(LIBS) sign.o @echo "Building signing tool" From 29794f2ad8b5b27aeaa5878cb98f68b9138fbeb7 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 5 Dec 2024 10:50:25 -0800 Subject: [PATCH 25/29] Update wolfssl submodule to latest master that includes https://github.com/wolfSSL/wolfssl/pull/8257 --- lib/wolfssl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/wolfssl b/lib/wolfssl index 1e9607b65..1bfbdb6c7 160000 --- a/lib/wolfssl +++ b/lib/wolfssl @@ -1 +1 @@ -Subproject commit 1e9607b65ea4cc8f3e71c03a79e59a2d3f37e268 +Subproject commit 1bfbdb6c7f5976d4242279c3cd166f1a8e0f965f From 35b98e723bad73efc5a76e7ddc6b93deebeff7d3 Mon Sep 17 00:00:00 2001 
From: David Garske Date: Thu, 5 Dec 2024 11:32:22 -0800 Subject: [PATCH 26/29] Fix the Windows keytools artifact upload. --- .github/workflows/build-keytools-windows.yml | 2 +- include/wolfboot/wolfboot.h | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-keytools-windows.yml b/.github/workflows/build-keytools-windows.yml index 718da2a4f..1a5903565 100644 --- a/.github/workflows/build-keytools-windows.yml +++ b/.github/workflows/build-keytools-windows.yml @@ -35,4 +35,4 @@ jobs: with: name: windows-keytools path: | - tools\keytools\*.exe + tools\keytools\x64\Release\*.exe diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 4ca85d6ca..4bbaeda7a 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h @@ -135,16 +135,13 @@ extern "C" { #define KEYSTORE_PUBKEY_SIZE_LMS 60 #define KEYSTORE_PUBKEY_SIZE_XMSS 68 -/* ML-DSA pub key size is a function of parameters. - * This needs to be configurable. Default to security - * category 5. */ - +/* ML-DSA pub key size is a function of parameters. */ #define ML_DSA_L2_PUBKEY_SIZE 1312 #define ML_DSA_L3_PUBKEY_SIZE 1952 #define ML_DSA_L5_PUBKEY_SIZE 2592 - -#if defined(SIGN_ML_DSA) && !defined(ML_DSA_LEVEL) +/* Configure using ML_DSA_LEVEL: Default is security category 5. */ +#if defined(WOLFBOOT_SIGN_ML_DSA) && !defined(ML_DSA_LEVEL) #define ML_DSA_LEVEL 5 #endif /* Default to max size for keystore */ From 4991eabb18dfb967277d4b3e4ed5c98153c39dbf Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 5 Dec 2024 13:39:11 -0800 Subject: [PATCH 27/29] Peer review fixes. Default to ML-DSA level 2. --- include/wolfboot/wolfboot.h | 16 +++++++++++----- tools/keytools/keygen.c | 2 +- tools/keytools/sign.c | 13 ++++++------- 3 files changed, 18 insertions(+), 13 deletions(-) diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 4bbaeda7a..faa7bb3a1 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h 
@@ -140,12 +140,18 @@ extern "C" { #define ML_DSA_L3_PUBKEY_SIZE 1952 #define ML_DSA_L5_PUBKEY_SIZE 2592 -/* Configure using ML_DSA_LEVEL: Default is security category 5. */ -#if defined(WOLFBOOT_SIGN_ML_DSA) && !defined(ML_DSA_LEVEL) - #define ML_DSA_LEVEL 5 +/* Configure using ML_DSA_LEVEL: Default is security category 2. */ +#ifndef ML_DSA_LEVEL +#define ML_DSA_LEVEL 2 +#endif + +#if ML_DSA_LEVEL == 2 + #define KEYSTORE_PUBKEY_SIZE_ML_DSA ML_DSA_L2_PUBKEY_SIZE +#elif ML_DSA_LEVEL == 3 + #define KEYSTORE_PUBKEY_SIZE_ML_DSA ML_DSA_L3_PUBKEY_SIZE +#elif ML_DSA_LEVEL == 5 + #define KEYSTORE_PUBKEY_SIZE_ML_DSA ML_DSA_L5_PUBKEY_SIZE #endif -/* Default to max size for keystore */ -#define KEYSTORE_PUBKEY_SIZE_ML_DSA 2592 /* Mask for key permissions */ #define KEY_VERIFY_ALL (0xFFFFFFFFU) diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index ca1d58927..3e3151afe 100644 --- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c @@ -124,7 +124,7 @@ static WC_RNG rng; static int noLocalKeys = 0; /* ML-DSA pub keys are big. */ -#define KEYSLOT_MAX_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ML_DSA +#define KEYSLOT_MAX_PUBKEY_SIZE ML_DSA_L5_PUBKEY_SIZE struct keystore_slot { uint32_t slot_id; diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c index 548bc1f2f..2be7cb0d1 100644 --- a/tools/keytools/sign.c +++ b/tools/keytools/sign.c @@ -45,7 +45,6 @@ #include #include "wolfboot/version.h" -//#include "wolfboot/wolfboot.h" #ifdef DEBUG_SIGNTOOL #define DEBUG_PRINT(...) fprintf(stderr, __VA_ARGS__) 
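Review bot: The new `#if ML_DSA_LEVEL == 2 / #elif ... == 3 / #elif ... == 5` chain in wolfboot.h has no `#else`, so any other value of `ML_DSA_LEVEL` leaves `KEYSTORE_PUBKEY_SIZE_ML_DSA` undefined without a diagnostic. The error then appears wherever the macro is first used, or not at all in code that guards on `#ifdef KEYSTORE_PUBKEY_SIZE_ML_DSA`. Ending the chain with `#else` and `#error "ML_DSA_LEVEL must be 2, 3 or 5"` rejects a misconfigured bootloader build at the point of the mistake.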
@@ -319,15 +318,15 @@ static uint16_t sign_tool_find_header(uint8_t *haystack, uint16_t type, uint8_t len = p[2] | (p[3] << 8); /* check len */ if ((4 + len) > (uint16_t)(CMD.header_sz - IMAGE_HEADER_OFFSET)) { - fprintf(stderr, "This field is too large (bigger than the space available " - "in the current header)\n"); - //fprintf(stderr, "%d %d %d\n", len, CMD.header_sz, IMAGE_HEADER_OFFSET); + fprintf(stderr, "This field too large to fit into header " + "(%d > %d)\n", + (int)(4 + len), (int)(CMD.header_sz - IMAGE_HEADER_OFFSET)); break; } /* check max pointer */ if (p + 4 + len > max_p) { - fprintf(stderr, "This field is too large and would overflow the image " - "header\n"); + fprintf(stderr, "This field is too large and would overflow the " + "image header pointer\n"); break; } @@ -2116,7 +2115,7 @@ static void set_signature_sizes(int secondary) if (!lms_levels_str) lms_levels = LMS_LEVELS; - else + else lms_levels = atoi(lms_levels_str); if (!lms_height_str) lms_height = LMS_HEIGHT; From 6bed80fbc2dc0c2435c7cc1e654fbd98d67a922e Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 5 Dec 2024 14:07:15 -0800 Subject: [PATCH 28/29] ML-DSA default is level 2. The keytools must be able to support all ML-DSA levels at run-time using `ML_DSA_LEVEL` environment variable. wolfBoot needs to be built with the correct level specified in the .config. --- tools/keytools/Makefile | 2 +- tools/keytools/user_settings.h | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/tools/keytools/Makefile b/tools/keytools/Makefile index 0db21eccd..646327bc6 100644 --- a/tools/keytools/Makefile +++ b/tools/keytools/Makefile @@ -17,7 +17,7 @@ LDFLAGS = OBJDIR = ./ LIBS = -ML_DSA_LEVEL?=5 +ML_DSA_LEVEL?=2 CFLAGS+=-DML_DSA_LEVEL=$(ML_DSA_LEVEL) LMS_LEVELS?=1 diff --git a/tools/keytools/user_settings.h b/tools/keytools/user_settings.h index 2e1e2d533..10e478236 100644 --- a/tools/keytools/user_settings.h +++ b/tools/keytools/user_settings.h 
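Review bot: In the `sign_tool_find_header` hunk of tools/keytools/sign.c, the new diagnostic prints `(int)(CMD.header_sz - IMAGE_HEADER_OFFSET)` while the comparison above it still uses that difference cast to `uint16_t`. If the difference does not fit in 16 bits or is negative, the message reports a limit that is not the one actually enforced. The type of `CMD.header_sz` is not visible in the hunk, so this may not be reachable today. Computing the space once, e.g. `int avail = (int)CMD.header_sz - IMAGE_HEADER_OFFSET;` and testing `if (avail < 0 || 4 + (int)len > avail)`, keeps the check and the message in agreement. The new text also reads "This field too large", where "This field is too large" would match the message below it; the function starts and ends outside the hunk.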
@@ -86,10 +86,13 @@ #if 0 #define WOLFSSL_DILITHIUM_FIPS204_DRAFT #endif + +/* Default the keygen/sign tool to use ML-DSA level 2 */ #ifndef ML_DSA_LEVEL - #define ML_DSA_LEVEL 5 + #define ML_DSA_LEVEL 2 #endif -/* dilithium needs these sha functions. */ + +/* Dilithium needs SHAKE128 */ #define WOLFSSL_SHAKE128 /* LMS */ From fae36f2adf35c7b3bf3c98b8b47f8c794388c6bd Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 5 Dec 2024 14:44:30 -0800 Subject: [PATCH 29/29] Reserve enough size for the ML-DSA public key in gen. --- tools/keytools/keygen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c index 3e3151afe..ea486979f 100644 --- a/tools/keytools/keygen.c +++ b/tools/keytools/keygen.c @@ -979,7 +979,7 @@ static void keygen_ml_dsa(const char *priv_fname, uint32_t id_mask) MlDsaKey key; int ret; byte * priv = NULL; - byte pub[KEYSTORE_PUBKEY_SIZE_ML_DSA]; + byte pub[ML_DSA_L5_PUBKEY_SIZE]; /* max size */ word32 priv_len = 0; word32 pub_len = 0; int ml_dsa_priv_len = 0;
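Review bot: The fallback `#define ML_DSA_LEVEL 2` in tools/keytools/user_settings.h is a third copy of the default that this series also sets in include/wolfboot/wolfboot.h and tools/keytools/Makefile, and nothing ties the three together. The Makefile always passes `-DML_DSA_LEVEL`, so this fallback presumably only takes effect in builds that bypass it, such as the Visual Studio projects. There, a drifted value would produce keys and signatures at a different level than the bootloader was built to verify. A comment on the define, e.g. `/* Must match the default in include/wolfboot/wolfboot.h */`, would make the dependency visible.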
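Review bot: `pub` in `keygen_ml_dsa` (tools/keytools/keygen.c) is now a fixed `ML_DSA_L5_PUBKEY_SIZE` stack buffer while the parameter set is chosen at run time, and the hunk does not show what bounds the write into it; `pub_len` starts at 0 in the context lines. It is worth confirming that the code below compares the key's reported public-key length with `sizeof(pub)` before exporting, e.g. `if (pub_len > sizeof(pub)) { /* report and exit */ }`. That way a future, larger parameter set fails cleanly instead of overrunning the stack. A comment such as `/* largest ML-DSA public key (level 5); all levels fit */` would say more than `/* max size */`. The function body continues outside the hunk.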