Add wc_lms support.

.github/workflows/test-renode-nrf52.yml

@@ -60,7 +60,7 @@ jobs:
 
 # LMS TEST
       - name: Renode Tests LMS-8-5-5
-        run: ./tools/renode/docker-test.sh "SIGN=LMS LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2644 IMAGE_HEADER_SIZE=5288"
+        run: ./tools/renode/docker-test.sh "SIGN=ext_LMS LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2644 IMAGE_HEADER_SIZE=5288"
 
 # XMSS TEST
       - name: Renode Tests XMSS-SHA2_10_256

options.mk

@@ -323,7 +323,7 @@ ifneq ($(findstring RSA4096,$(SIGN)),)
   endif
 endif
 
-ifeq ($(SIGN),LMS)
+ifneq (,$(filter $(SIGN), LMS ext_LMS))
   # For LMS the signature size is a function of the LMS parameters.
   # All five of these parms must be set in the LMS .config file:
   #   LMS_LEVELS, LMS_HEIGHT, LMS_WINTERNITZ, IMAGE_SIGNATURE_SIZE,
@@ -348,7 +348,30 @@ ifeq ($(SIGN),LMS)
   ifndef IMAGE_HEADER_SIZE
     $(error IMAGE_HEADER_SIZE not set)
   endif
+endif
 
+ifeq ($(SIGN),LMS)
+  KEYGEN_OPTIONS+=--lms
+  SIGN_OPTIONS+=--lms
+  WOLFCRYPT_OBJS+= \
+    ./lib/wolfssl/wolfcrypt/src/wc_lms.o \
+    ./lib/wolfssl/wolfcrypt/src/wc_lms_impl.o \
+    ./lib/wolfssl/wolfcrypt/src/memory.o \
+    ./lib/wolfssl/wolfcrypt/src/wc_port.o \
+    ./lib/wolfssl/wolfcrypt/src/hash.o
+  CFLAGS+=-D"WOLFBOOT_SIGN_LMS" -D"WOLFSSL_HAVE_LMS" -D"WOLFSSL_WC_LMS" \
+    -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \
+    -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)" -I$(LMSDIR)/src \
+    -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
+    -D"WOLFSSL_LMS_VERIFY_ONLY"
+  ifeq ($(WOLFBOOT_SMALL_STACK),1)
+    $(error WOLFBOOT_SMALL_STACK with LMS not supported)
+  else
+    STACK_USAGE=1024
+  endif
+endif
+
+ifeq ($(SIGN),ext_LMS)
   LMSDIR = lib/hash-sigs
   KEYGEN_OPTIONS+=--lms
   SIGN_OPTIONS+=--lms
@@ -377,7 +400,7 @@ ifeq ($(SIGN),LMS)
   ifeq ($(WOLFBOOT_SMALL_STACK),1)
     $(error WOLFBOOT_SMALL_STACK with LMS not supported)
   else
-    STACK_USAGE=18064
+    STACK_USAGE=1024
   endif
 endif
 
@@ -447,8 +470,8 @@ ifeq ($(SIGN),ext_XMSS)
 endif
 
 # Only needed if using 3rd party integration. This can be
-# removed when wc_lms and wc_xmss become default in wolfboot.
-ifneq (,$(filter $(SIGN), LMS ext_XMSS))
+# removed if ext_lms and ext_xmss are deprecated.
+ifneq (,$(filter $(SIGN), ext_LMS ext_XMSS))
   CFLAGS  +=-DWOLFSSL_EXPERIMENTAL_SETTINGS
 endif
 
@@ -777,3 +800,7 @@ endif
 ifeq ($(SIGN_ALG),ext_XMSS)
   SIGN_ALG=XMSS
 endif
+
+ifeq ($(SIGN_ALG),ext_LMS)
+  SIGN_ALG=LMS
+endif

src/image.c

@@ -320,6 +320,8 @@ static void wolfBoot_verify_signature(uint8_t key_slot,
 #include <wolfssl/wolfcrypt/lms.h>
 #ifdef HAVE_LIBLMS
     #include <wolfssl/wolfcrypt/ext_lms.h>
+#else
+    #include <wolfssl/wolfcrypt/wc_lms.h>
 #endif
 
 static void wolfBoot_verify_signature(uint8_t key_slot,

tools/keytools/Makefile

@@ -17,33 +17,47 @@ LDFLAGS =
 OBJDIR = ./
 LIBS =
 
-ifeq ($(SIGN),LMS)
+# Common to wc_lms and ext_lms.
+ifneq (,$(filter $(SIGN), LMS ext_LMS))
+  CFLAGS +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS \
+           -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \
+           -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)"
+endif
+
+# Specific to ext_lms.
+ifeq ($(SIGN),ext_LMS)
   LMSDIR = $(WOLFBOOTDIR)/lib/hash-sigs
   LIBS += $(LMSDIR)/lib/hss_lib.a
-  CFLAGS  +=-DWOLFBOOT_SIGN_LMS -DWOLFSSL_HAVE_LMS -DHAVE_LIBLMS -I$(LMSDIR)/src \
-            -D"LMS_LEVELS=$(LMS_LEVELS)" -D"LMS_HEIGHT=$(LMS_HEIGHT)" \
-            -D"LMS_WINTERNITZ=$(LMS_WINTERNITZ)"
+  CFLAGS +=-DHAVE_LIBLMS -I$(LMSDIR)/src
 endif
 
-ifeq ($(SIGN),ext_XMSS)
+# Specific to wc_lms.
+ifeq ($(SIGN),LMS)
+  CFLAGS +=-DWOLFSSL_WC_LMS
+endif
+
+# Common to wc_xmss and ext_xmss.
+ifneq (,$(filter $(SIGN), XMSS ext_XMSS))
   $(info xmss params: $(XMSS_PARAMS))
+  CFLAGS +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS \
+           -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
+           -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\"
+endif
+
+# Specific to ext_xmss.
+ifeq ($(SIGN),ext_XMSS)
   XMSSDIR = $(WOLFBOOTDIR)/lib/xmss
-  CFLAGS  +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS -DHAVE_LIBXMSS -I$(XMSSDIR) \
-            -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
-            -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\"
+  CFLAGS +=-DHAVE_LIBXMSS -I$(XMSSDIR)
 endif
 
+# Specific to wc_xmss.
 ifeq ($(SIGN),XMSS)
-  $(info xmss params: $(XMSS_PARAMS))
-  CFLAGS  +=-DWOLFBOOT_SIGN_XMSS -DWOLFSSL_HAVE_XMSS -D"WOLFSSL_WC_XMSS" \
-            -D"WOLFSSL_XMSS_MAX_HEIGHT=32" \
-            -D"IMAGE_SIGNATURE_SIZE"=$(IMAGE_SIGNATURE_SIZE) \
-            -DWOLFBOOT_XMSS_PARAMS=\"$(XMSS_PARAMS)\"
+  CFLAGS +=-D"WOLFSSL_WC_XMSS" -D"WOLFSSL_XMSS_MAX_HEIGHT=32"
 endif
 
 # Only needed if using 3rd party integration. This can be
-# removed when wc_lms and wc_xmss become default in wolfboot.
-ifneq (,$(filter $(SIGN), LMS ext_XMSS))
+# removed if ext_lms and ext_xmss are deprecated.
+ifneq (,$(filter $(SIGN), ext_LMS ext_XMSS))
   CFLAGS  +=-DWOLFSSL_EXPERIMENTAL_SETTINGS
 endif
 
@@ -96,18 +110,31 @@ OBJS_REAL=\
 	$(WOLFDIR)/wolfcrypt/src/sha512.o \
 	$(WOLFDIR)/wolfcrypt/src/tfm.o \
 	$(WOLFDIR)/wolfcrypt/src/wc_port.o \
-	$(WOLFDIR)/wolfcrypt/src/wolfmath.o \
-	$(WOLFDIR)/wolfcrypt/src/ext_lms.o
+	$(WOLFDIR)/wolfcrypt/src/wolfmath.o
 
 OBJS_REAL+=\
 	$(WOLFBOOTDIR)/src/delta.o
 
+# Add wolfcrypt lms implementation.
+ifeq ($(SIGN),LMS)
+OBJS_REAL+=\
+	$(WOLFDIR)/wolfcrypt/src/wc_lms.o \
+	$(WOLFDIR)/wolfcrypt/src/wc_lms_impl.o
+endif
+
+# Add external lms integration.
+ifeq ($(SIGN),ext_LMS)
+OBJS_REAL+= $(WOLFDIR)/wolfcrypt/src/ext_lms.o
+endif
+
+# Add wolfcrypt xmss implementation.
 ifeq ($(SIGN),XMSS)
 OBJS_REAL+=\
 	$(WOLFDIR)/wolfcrypt/src/wc_xmss.o \
 	$(WOLFDIR)/wolfcrypt/src/wc_xmss_impl.o
 endif
 
+# Add external xmss integration.
 ifeq ($(SIGN),ext_XMSS)
 OBJS_REAL+=\
 	$(WOLFDIR)/wolfcrypt/src/ext_xmss.o \

tools/keytools/keygen.c

@@ -65,6 +65,8 @@
     #include <wolfssl/wolfcrypt/lms.h>
     #ifdef HAVE_LIBLMS
         #include <wolfssl/wolfcrypt/ext_lms.h>
+    #else
+        #include <wolfssl/wolfcrypt/wc_lms.h>
     #endif
 #endif
 

tools/keytools/sign.c

@@ -110,6 +110,8 @@ static inline int fp_truncate(FILE *f, size_t len)
     #include <wolfssl/wolfcrypt/lms.h>
     #ifdef HAVE_LIBLMS
         #include <wolfssl/wolfcrypt/ext_lms.h>
+    #else
+        #include <wolfssl/wolfcrypt/wc_lms.h>
     #endif
 #endif
 

tools/test.mk

@@ -51,7 +51,7 @@ endif
 ifeq ($(SIGN),RSA4096)
 	SIGN_ARGS+= --rsa4096
 endif
-ifeq ($(SIGN),LMS)
+ifneq (,$(filter $(SIGN), LMS ext_LMS))
 	SIGN_ARGS+= --lms
 endif
 ifneq (,$(filter $(SIGN), XMSS ext_XMSS))