Simplified auxiliary algorithms for cert chain verification, TPM, etc#822
Draft
bigbrett wants to merge 1 commit into
Draft
Simplified auxiliary algorithms for cert chain verification, TPM, etc#822bigbrett wants to merge 1 commit into
bigbrett wants to merge 1 commit into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces a build-time mechanism to compile auxiliary crypto algorithms (algorithms needed by optional features like cert-chain verification, wolfHSM, and wolfTPM, but not used for primary image signature verification). It wires this through the Make-based configuration, updates wolfCrypt user_settings.h to treat primary/secondary/aux algorithms as a union, and adds docs + CI coverage.
Changes:
- Add
AUX_PK_ALGOS/AUX_HASH_ALGOSmake options to compile additional wolfCrypt objects/macros beyondSIGN/HASH. - Allow dummy cert-chain generation to choose CA key algorithm + cert signature hash independently from the leaf key algorithm; bridge CA algos into auxiliary lists automatically for the auto-generated chain path.
- Update
include/user_settings.hgating so auxiliary algorithms also enable the correct wolfCrypt feature macros, plus add CI matrix builds for aux algos and a mixed-algorithm chain scenario.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tools/scripts/sim-gen-dummy-chain.sh | Extends dummy chain generator to support independent CA/leaf algos and CA hash selection. |
| tools/config.mk | Adds new config variables (aux algos + cert chain CA settings) to the supported config var list. |
| options.mk | Implements AUX algorithm parsing/validation and links extra wolfCrypt objects; integrates cert-chain CA algo/hash bridging. |
| Makefile | Updates dummy-chain generation invocation to pass separate CA/leaf algorithm + CA hash parameters. |
| include/user_settings.h | Unifies primary/secondary/aux algorithm inclusion and adjusts wolfCrypt feature gating accordingly. |
| docs/wolfHSM.md | Documents mixed-algorithm chain support and how to use auxiliary algorithm lists. |
| docs/TPM.md | Documents TPM’s ECC/RSA requirement and AUX fallback behavior. |
| docs/compile.md | Adds “Auxiliary crypto algorithms” section documenting AUX_* usage and constraints. |
| config/examples/sim-wolfHSM-server-certchain-rsa2048-ca.config | New example config for mixed-algorithm cert chain verification. |
| .github/workflows/test-wolfhsm-simulator.yml | Adds a mixed-algorithm cert-chain verification job to the wolfHSM simulator workflow. |
| .github/workflows/test-configs.yml | Adds new config job and AUX algo compile-only matrix coverage. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
189
to
194
| else | ||
| echo "Using provided leaf private key: $LEAF_KEY_FILE" | ||
| cp "$LEAF_KEY_FILE" ${OUTPUT_DIR}/temp/leaf.key.pem | ||
| # Ensure the key file is in the right format | ||
| validate_key_format "${OUTPUT_DIR}/temp/leaf.key.pem" | ||
| validate_key_format "$LEAF_ALGO" "${OUTPUT_DIR}/temp/leaf.key.pem" | ||
| fi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds the ability to enable "auxiliary algorithms" for a given wolfBoot configuration (auxiliary algos are those that must be compiled into the image but are NOT used for primary image signature/integrity verification).
Two notable consumers of this feature are wolfHSM cert chain verification and wolfTPM integration, both of which have been tweaked to leverage the new feature in this PR.
Other wolfBoot features that do this can opt-in via the new macros or build system variables as needed.
Meant as a simpler stopgap alternative to #766 with a much smaller blast radius.