From de067b6320cb9c8894568d87a9db6791a32ddbb3 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 12 Sep 2023 15:30:43 +0200 Subject: [PATCH] Reworked sections of user_settings.h Enabling all wolfcrypt settings for PKCS11 build. --- include/user_settings.h | 197 ++++++++++++++++++---------------------- options.mk | 14 ++- 2 files changed, 101 insertions(+), 110 deletions(-) diff --git a/include/user_settings.h b/include/user_settings.h index 3ba861bcc..82da987b1 100644 --- a/include/user_settings.h +++ b/include/user_settings.h @@ -51,9 +51,11 @@ extern int tolower(int c); #if defined(WOLFBOOT_TPM_KEYSTORE) || defined(WOLFBOOT_TPM_SEAL) # define WOLFBOOT_TPM_PARMENC /* used in this file to gate features */ -# if defined(SIGN_ECC256) || defined(SIGN_ECC384) || defined(SIGN_ECC521) -# define HAVE_ECC_KEY_EXPORT -# endif +#endif + +#ifdef WOLFCRYPT_SECURE_MODE + int hal_trng_get_entropy(unsigned char *out, unsigned len); + #define CUSTOM_RAND_GENERATE_SEED hal_trng_get_entropy #endif /* ED25519 and SHA512 */ @@ -64,7 +66,6 @@ extern int tolower(int c); # define NO_ED25519_EXPORT # define WOLFSSL_SHA512 # define USE_SLOW_SHA512 -# define NO_RSA #endif /* ED448 */ @@ -74,15 +75,15 @@ extern int tolower(int c); # define ED448_SMALL # define NO_ED448_SIGN # define NO_ED448_EXPORT -# define NO_RSA # define WOLFSSL_SHA3 # define WOLFSSL_SHAKE256 #endif -/* ECC and SHA256 */ -#if defined(WOLFBOOT_SIGN_ECC256) ||\ - defined(WOLFBOOT_SIGN_ECC384) ||\ - defined(WOLFBOOT_SIGN_ECC521) +/* ECC */ +#if defined(WOLFBOOT_SIGN_ECC256) || \ + defined(WOLFBOOT_SIGN_ECC384) || \ + defined(WOLFBOOT_SIGN_ECC521) || \ + defined(WOLFCRYPT_SECURE_MODE) # define HAVE_ECC # define ECC_TIMING_RESISTANT @@ -96,136 +97,122 @@ extern int tolower(int c); # define FREESCALE_LTC_TFM # endif -/* SP MATH */ -# if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) + +/* Some ECC options are disabled to reduce size */ +# if !defined(WOLFCRYPT_SECURE_MODE) +# ifndef WOLFBOOT_TPM +# define NO_ECC_SIGN +# define NO_ECC_EXPORT +# define NO_ECC_KEY_EXPORT +# else +# define HAVE_ECC_KEY_EXPORT +# endif +# else +# define HAVE_ECC_SIGN +# define HAVE_ECC_CDH # define WOLFSSL_SP # define WOLFSSL_SP_MATH # define WOLFSSL_SP_SMALL +# define SP_WORD_SIZE 32 # define WOLFSSL_HAVE_SP_ECC +# define WOLFSSL_KEY_GEN +# define HAVE_ECC_KEY_EXPORT # endif - -/* ECC options disabled to reduce size */ -#if !defined(WOLFCRYPT_SECURE_MODE) -# define HAVE_ECC -# if !defined(WOLFBOOT_TPM_PARMENC) -# define NO_ECC_SIGN -# define NO_ECC_EXPORT -# define NO_ECC_KEY_EXPORT + /* SP MATH */ +# if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) +# define WOLFSSL_SP +# define WOLFSSL_SP_MATH +# define WOLFSSL_SP_SMALL +# define WOLFSSL_HAVE_SP_ECC # endif -#else -# define HAVE_ECC_SIGN -# define HAVE_ECC_CDH -# define WOLFSSL_SP -# define WOLFSSL_SP_MATH -# define WOLFSSL_SP_SMALL -# define SP_WORD_SIZE 32 -# define WOLFSSL_HAVE_SP_ECC -# define WOLFSSL_SP_MATH_ALL -# define WOLFSSL_KEY_GEN -# define HAVE_ECC_KEY_EXPORT - -int hal_trng_get_entropy(unsigned char *out, unsigned len); -# define CUSTOM_RAND_GENERATE_SEED hal_trng_get_entropy -#endif + /* Curve */ -#ifdef WOLFBOOT_SIGN_ECC256 -# define HAVE_ECC256 -# define FP_MAX_BITS (256 + 32) -#elif defined(WOLFBOOT_SIGN_ECC384) -# define HAVE_ECC384 -# define FP_MAX_BITS (384 * 2) -# if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) -# define WOLFSSL_SP_384 -# define WOLFSSL_SP_NO_256 -# endif -# if !defined(WOLFBOOT_TPM_PARMENC) -# define NO_ECC256 -# endif -#elif defined(WOLFBOOT_SIGN_ECC521) -# define HAVE_ECC521 -# define FP_MAX_BITS (528 * 2) -# if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) -# define WOLFSSL_SP_521 -# define WOLFSSL_SP_NO_256 -# endif -# if !defined(WOLFBOOT_TPM_PARMENC) -# define NO_ECC256 +# ifdef WOLFBOOT_SIGN_ECC256 +# define HAVE_ECC256 +# define FP_MAX_BITS (256 + 32) +# elif defined(WOLFBOOT_SIGN_ECC384) +# define HAVE_ECC384 +# define FP_MAX_BITS (384 * 2) +# if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) +# define WOLFSSL_SP_384 +# define WOLFSSL_SP_NO_256 +# endif +# if !defined(WOLFBOOT_TPM_PARMENC) +# define NO_ECC256 +# endif +# elif defined(WOLFBOOT_SIGN_ECC521) +# define HAVE_ECC521 +# define FP_MAX_BITS (528 * 2) +# if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) +# define WOLFSSL_SP_521 +# define WOLFSSL_SP_NO_256 +# endif +# if !defined(WOLFBOOT_TPM_PARMENC) +# define NO_ECC256 +# endif # endif -#endif -# define NO_RSA #endif /* WOLFBOOT_SIGN_ECC521 || WOLFBOOT_SIGN_ECC384 || WOLFBOOT_SIGN_ECC256 */ -#ifdef WOLFBOOT_SIGN_RSA2048 + +#if defined(WOLFBOOT_SIGN_RSA2048) || \ + defined(WOLFBOOT_SIGN_RSA3072) || \ + defined(WOLFBOOT_SIGN_RSA4096) || \ + defined(WOLFCRYPT_SECURE_MODE) + +# define WC_RSA_BLINDING +# define WC_RSA_DIRECT # define RSA_LOW_MEM -# ifndef WOLFBOOT_TPM +# define WC_ASN_HASH_SHA256 + +# if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE) # define WOLFSSL_RSA_VERIFY_INLINE # define WOLFSSL_RSA_VERIFY_ONLY -# endif -# if !defined(WOLFBOOT_TPM_PARMENC) # define WC_NO_RSA_OAEP # endif -# define FP_MAX_BITS (2048 * 2) - /* sp math */ # if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) # define WOLFSSL_HAVE_SP_RSA # define WOLFSSL_SP # define WOLFSSL_SP_SMALL # define WOLFSSL_SP_MATH +# endif + + +# ifdef WOLFBOOT_SIGN_RSA2048 +# define FP_MAX_BITS (2048 * 2) # define WOLFSSL_SP_NO_3072 # define WOLFSSL_SP_NO_4096 +# define WC_ASN_HASH_SHA256 # endif -# define WC_ASN_HASH_SHA256 -#endif -#ifdef WOLFBOOT_SIGN_RSA3072 -# define RSA_LOW_MEM -# define WOLFSSL_RSA_VERIFY_INLINE -# define WOLFSSL_RSA_VERIFY_ONLY -# define WC_NO_RSA_OAEP -# define FP_MAX_BITS (3072 * 2) - /* sp math */ -# if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) -# define WOLFSSL_HAVE_SP_RSA -# define WOLFSSL_SP -# define WOLFSSL_SP_SMALL -# define WOLFSSL_SP_MATH +# ifdef WOLFBOOT_SIGN_RSA3072 +# define FP_MAX_BITS (3072 * 2) # define WOLFSSL_SP_NO_2048 # define WOLFSSL_SP_NO_4096 # endif -# define WC_ASN_HASH_SHA256 -#endif -#ifdef WOLFBOOT_SIGN_RSA4096 -# define RSA_LOW_MEM -# define WOLFSSL_RSA_VERIFY_INLINE -# define WOLFSSL_RSA_VERIFY_ONLY -# define WC_NO_RSA_OAEP -# define FP_MAX_BITS (4096 * 2) - /* sp math */ -# if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) -# define WOLFSSL_HAVE_SP_RSA -# define WOLFSSL_SP -# define WOLFSSL_SP_SMALL -# define WOLFSSL_SP_MATH -# define WOLFSSL_SP_4096 +# ifdef WOLFBOOT_SIGN_RSA4096 +# define FP_MAX_BITS (4096 * 2) # define WOLFSSL_SP_NO_2048 # define WOLFSSL_SP_NO_3072 # endif -# define WC_ASN_HASH_SHA256 -#endif +#else +# define NO_RSA +#endif /* RSA */ #ifdef WOLFBOOT_HASH_SHA3_384 # define WOLFSSL_SHA3 -# if defined(NO_RSA) && !defined(WOLFBOOT_TPM_PARMENC) +# if defined(NO_RSA) && !defined(WOLFBOOT_TPM_PARMENC) && \ + !defined(WOLFCRYPT_SECURE_MODE) # define NO_SHA256 # endif #endif #ifdef WOLFBOOT_HASH_SHA384 # define WOLFSSL_SHA384 -# if defined(NO_RSA) && !defined(WOLFBOOT_TPM_PARMENC) +# if defined(NO_RSA) && !defined(WOLFBOOT_TPM_PARMENC) && \ + !defined(WOLFCRYPT_SECURE_MODE) # define NO_SHA256 # endif #endif @@ -270,8 +257,6 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len); # define HAVE_SCRYPT # define HAVE_AESGCM typedef unsigned long time_t; -#else -# define NO_HMAC #endif #ifndef HAVE_PWDBASED @@ -300,7 +285,6 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len); /* Configure RNG seed */ #define CUSTOM_RAND_GENERATE_SEED(buf, sz) ({(void)buf; (void)sz; 0;}) /* stub, not used */ #define WC_RNG_SEED_CB - #define HAVE_HASHDRBG #endif #ifdef WOLFTPM_MMIO @@ -329,9 +313,8 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len); #define WC_NO_HASHDRBG #define NO_AES_CBC #else - #ifndef HAVE_HASHDRBG - #define HAVE_HASHDRBG - #endif + #define HAVE_HASHDRBG + #define WOLFSSL_AES_CFB #endif @@ -340,7 +323,7 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len); #define NO_AES #endif -#if !defined(WOLFBOOT_TPM_PARMENC) && !defined(WOLFCRYPT_SECURE_MODE) +#if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE) #define NO_HMAC #define WC_NO_RNG #define WC_NO_HASHDRBG @@ -350,12 +333,12 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len); #endif #define NO_CMAC +#define NO_DH #define NO_CODING #define WOLFSSL_NO_PEM #define NO_ASN_TIME #define NO_RC4 #define NO_SHA -#define NO_DH #define NO_DSA #define NO_MD4 #define NO_RABBIT @@ -396,7 +379,7 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len); # define WOLFSSL_SP_NO_MALLOC # define WOLFSSL_SP_NO_DYN_STACK # endif -# if !defined(ARCH_SIM) && !defined(SECURE_PKCS11) +# if !defined(ARCH_SIM) && !defined(WOLFCRYPT_SECURE_MODE) # define WOLFSSL_NO_MALLOC # endif #else @@ -415,7 +398,7 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len); #define XPRINTF uart_printf #endif -#ifdef SECURE_PKCS11 +#ifdef WOLFCRYPT_SECURE_MODE typedef unsigned long time_t; #endif diff --git a/options.mk b/options.mk index ebda29bf2..7eff5b3d3 100644 --- a/options.mk +++ b/options.mk @@ -187,6 +187,9 @@ ifeq ($(SIGN),ED448) endif endif +ifeq ($(SECURE_PKCS11),1) +endif + ifneq ($(HASH),SHA3) WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/sha3.o @@ -380,9 +383,6 @@ ifeq ($(SIGN),LMS) endif -ifeq ($(USE_GCC_HEADLESS),1) - CFLAGS+="-Wstack-usage=$(STACK_USAGE)" -endif ifeq ($(RAM_CODE),1) CFLAGS+= -D"RAM_CODE" @@ -544,12 +544,15 @@ ifeq ($(SECURE_PKCS11),1) OBJS+=src/pkcs11_store.o OBJS+=src/pkcs11_callable.o WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/aes.o + WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/rsa.o WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/pwdbased.o WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/hmac.o + WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/dh.o WOLFCRYPT_OBJS+=./lib/wolfPKCS11/src/crypto.o \ ./lib/wolfPKCS11/src/internal.o \ ./lib/wolfPKCS11/src/slot.o \ ./lib/wolfPKCS11/src/wolfpkcs11.o + STACK_USAGE=12596 endif OBJS+=$(PUBLIC_KEY_OBJS) @@ -589,6 +592,7 @@ ifeq ($(WOLFTPM),1) WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/aes.o WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/hmac.o WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/random.o + WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/asn.o ifeq ($(DEBUG),1) CFLAGS+=-DWOLFBOOT_DEBUG_TPM=1 endif @@ -677,6 +681,10 @@ endif CFLAGS+=$(CFLAGS_EXTRA) +ifeq ($(USE_GCC_HEADLESS),1) + CFLAGS+="-Wstack-usage=$(STACK_USAGE)" +endif + ifeq ($(SIGN_ALG),) SIGN_ALG=$(SIGN) endif