Skip to content

Commit

Permalink
Update PQ docs, and fix spelling errors.
Browse files Browse the repository at this point in the history
  • Loading branch information
philljj committed Apr 23, 2024
1 parent 6149ef4 commit 6739f6d
Show file tree
Hide file tree
Showing 5 changed files with 81 additions and 61 deletions.
5 changes: 5 additions & 0 deletions config/examples/sim-xmss.config
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# XMSS/XMSS^MT/HSS signature example, based on sim.config example.
#
# XMSS/XMSS^MT is a post-quantum, stateful, hash-based signature scheme.
#
# Use the helper script
# tools/xmss/xmss_siglen.sh
# to calculate your signature length given an xmss parameter string.
#

ARCH=sim
Expand Down
123 changes: 66 additions & 57 deletions docs/PQ.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,42 +19,18 @@ See these links for more info on stateful HBS support and wolfSSL/wolfCrypt:
- https://www.wolfssl.com/documentation/manuals/wolfssl/appendix07.html#post-quantum-stateful-hash-based-signatures
- https://github.com/wolfSSL/wolfssl-examples/tree/master/pq/stateful_hash_sig

## Supported PQ Signature Methods

## LMS/HSS
These four PQ signature options are supported:
- LMS: uses wolfcrypt implementation from `wc_lms.c`, and `wc_lms_impl.c`.
- XMSS: uses wolfcrypt implementation from `wc_xmss.c`, and `wc_xmss_impl.c`.
- ext_LMS: uses external integration from `ext_lms.c`.
- ext_XMSS: uses external integration from `ext_xmss.c`.

The wolfcrypt implementations are more performant and are recommended.
The external integrations are experimental and for testing interoperability.

### Building with LMS Support

LMS/HSS support in wolfCrypt requires the hash-sigs library ( https://github.com/cisco/hash-sigs ).
Use the following procedure to prepare hash-sigs for building with wolfBoot:

```
$ cd lib
$ mkdir hash-sigs
$ls
CMakeLists.txt hash-sigs wolfssl wolfTPM
$ cd hash-sigs
$ mkdir lib
$ git clone https://github.com/cisco/hash-sigs.git src
$ cd src
$ git checkout b0631b8891295bf2929e68761205337b7c031726
$ git apply ../../../tools/lms/0001-Patch-to-support-wolfBoot-LMS-build.patch
```

Nothing more is needed, as wolfBoot will automatically produce the required
hash-sigs build artifacts.

Note: the hash-sigs project only builds static libraries:
- hss_verify.a: a single-threaded verify-only static lib.
- hss_lib.a: a single-threaded static lib.
- hss_lib_thread.a: a multi-threaded static lib.

The keytools utility links against `hss_lib.a`, as it needs full
keygen, signing, and verifying functionality. However wolfBoot
links directly with the subset of objects in the `hss_verify.a`
build rule, as it only requires verify functionality.

### LMS Config
### LMS/HSS Config

A new LMS sim example has been added here:
```
Expand Down Expand Up @@ -86,31 +62,8 @@ winternitz: 8
signature length: 2644
```

## XMSS/XMSS^MT
### XMSS/XMSS^MT Config

### Building with XMSS Support

XMSS/XMSS^MT support in wolfCrypt requires a patched version of the
xmss-reference library ( https://github.com/XMSS/xmss-reference.git ).
Use the following procedure to prepare xmss-reference for building with
wolfBoot:

```
$ cd lib
$ git clone https://github.com/XMSS/xmss-reference.git xmss
$ ls
CMakeLists.txt wolfPKCS11 wolfTPM wolfssl xmss
$ cd xmss
$ git checkout 171ccbd26f098542a67eb5d2b128281c80bd71a6
$ git apply ../../tools/xmss/0001-Patch-to-support-wolfSSL-xmss-reference-integration.patch
```

The patch creates an addendum readme, `patch_readme.md`, with further comments.

Nothing more is needed beyond the patch step, as wolfBoot will handle building
the xmss build artifacts it requires.

### XMSS Config
A new XMSS sim example has been added here:
```
config/examples/sim-xmss.config
Expand Down Expand Up @@ -142,3 +95,59 @@ $ ./tools/xmss/xmss_siglen.sh XMSSMT-SHA2_20/2_256
parameter set: XMSSMT-SHA2_20/2_256
signature length: 4963
```

## Building the external PQ Integrations

### ext_LMS Support

The external LMS/HSS support in wolfCrypt requires the hash-sigs library ( https://github.com/cisco/hash-sigs ).
Use the following procedure to prepare hash-sigs for building with wolfBoot:

```
$ cd lib
$ mkdir hash-sigs
$ls
CMakeLists.txt hash-sigs wolfssl wolfTPM
$ cd hash-sigs
$ mkdir lib
$ git clone https://github.com/cisco/hash-sigs.git src
$ cd src
$ git checkout b0631b8891295bf2929e68761205337b7c031726
$ git apply ../../../tools/lms/0001-Patch-to-support-wolfBoot-LMS-build.patch
```

Nothing more is needed, as wolfBoot will automatically produce the required
hash-sigs build artifacts.

Note: the hash-sigs project only builds static libraries:
- hss_verify.a: a single-threaded verify-only static lib.
- hss_lib.a: a single-threaded static lib.
- hss_lib_thread.a: a multi-threaded static lib.

The keytools utility links against `hss_lib.a`, as it needs full
keygen, signing, and verifying functionality. However wolfBoot
links directly with the subset of objects in the `hss_verify.a`
build rule, as it only requires verify functionality.


### ext_XMSS Support

The external XMSS/XMSS^MT support in wolfCrypt requires a patched version of the
xmss-reference library ( https://github.com/XMSS/xmss-reference.git ).
Use the following procedure to prepare xmss-reference for building with
wolfBoot:

```
$ cd lib
$ git clone https://github.com/XMSS/xmss-reference.git xmss
$ ls
CMakeLists.txt wolfPKCS11 wolfTPM wolfssl xmss
$ cd xmss
$ git checkout 171ccbd26f098542a67eb5d2b128281c80bd71a6
$ git apply ../../tools/xmss/0001-Patch-to-support-wolfSSL-xmss-reference-integration.patch
```

The patch creates an addendum readme, `patch_readme.md`, with further comments.

Nothing more is needed beyond the patch step, as wolfBoot will handle building
the xmss build artifacts it requires.
2 changes: 1 addition & 1 deletion docs/STM32-TZ.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ OPTION BYTES BANK: 0
nRST_STOP : 0x1 (No reset generated when entering Stop mode)
nRST_STDBY : 0x1 (No reset generated when entering Standby mode)
nRST_SHDW : 0x1 (No reset generated when entering the Shutdown mode)
IWDG_SW : 0x1 (Software independant watchdog)
IWDG_SW : 0x1 (Software independent watchdog)
IWDG_STOP : 0x1 (IWDG counter active in stop mode)
IWDG_STDBY : 0x1 (IWDG counter active in standby mode)
WWDG_SW : 0x1 (Software window watchdog)
Expand Down
6 changes: 6 additions & 0 deletions docs/Signing.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,12 @@ file is in this format.
* `--rsa4096` Use rsa4096 for signing the firmware. Assume that the given KEY.DER
file is in this format.

* `--lms` Use LMS/HSS for signing the firmware. Assume that the given KEY.DER
file is in this format.

* `--xmss` Use XMSS/XMSS^MT for signing the firmware. Assume that the given KEY.DER
file is in this format.

* `--no-sign` Disable secure boot signature verification. No signature
verification is performed in the bootloader, and the KEY.DER argument should
not be supplied.
Expand Down
6 changes: 3 additions & 3 deletions docs/Targets.md
Original file line number Diff line number Diff line change
Expand Up @@ -1766,7 +1766,7 @@ O.K.
Reset or power cycle board.
Once wolfBoot has performaed validation of the partition and booted the D15 Green LED on P3_13 will illuminate.
Once wolfBoot has performed validation of the partition and booted the D15 Green LED on P3_13 will illuminate.
### MCX A: Testing firmware update
Expand Down Expand Up @@ -1935,10 +1935,10 @@ Flash Allocation:
Detailed steps can be found at [Readme.md](../IDE/Renesas/e2studio/RA6M4/Readme.md).

## Renesas RZN2L
This example demonstrates simple secure firmware boot from extarnal flash by wolfBoot.
This example demonstrates simple secure firmware boot from external flash by wolfBoot.
A sample application v1 is securely loaded into internal RAM if there is not higher version in update region. A sample application v2 will be loaded when it is in update region.Both versions behave the same except blinking LED Red(v1) or Yellow(v2). They are compiled by e2Studio and running on the target board.

The exmaple uses SPI boot mode with external flash on the evaluation board. On this boot mode, the loader program, which is wolfBoot, is copied to the internal RAM(B-TCM). wolfBoot copies the application program from external flash memory to RAM(System RAM). As final step of wolfBoot the entry point of the copied applicatin program is called if its integrity and authenticity are OK.
The example uses SPI boot mode with external flash on the evaluation board. On this boot mode, the loader program, which is wolfBoot, is copied to the internal RAM(B-TCM). wolfBoot copies the application program from external flash memory to RAM(System RAM). As final step of wolfBoot the entry point of the copied application program is called if its integrity and authenticity are OK.

![Operation Overview](../IDE/Renesas/e2studio/RZN2L/doc/image1.png)

Expand Down

0 comments on commit 6739f6d

Please sign in to comment.