Skip to content

Commit

Permalink
Additional fixes for new keytool features introduced in #521
Browse files Browse the repository at this point in the history
  • Loading branch information
bigbrett committed Dec 6, 2024
1 parent ace953a commit ec7a029
Show file tree
Hide file tree
Showing 5 changed files with 55 additions and 17 deletions.
10 changes: 5 additions & 5 deletions IDE/AURIX/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -292,7 +292,7 @@ cd $WOLFBOOT_DIR

# Start with a clean build
make clean && make keysclean && cd $WOLFBOOT_DIR/tools/keytools && make clean
cd $SCRIPTS_DIR && ./aurixtool.sh clean
cd $SCRIPTS_DIR && ./wbaurixtool.sh clean
# Delete any build artifacts in wolfBoot-tc3xx (or wolfBoot-tc3xx-wolfHSM) and test-app (or test-app-wolfHSM) AURIX Studio projects
# ...

Expand All @@ -303,13 +303,13 @@ make keytools

# Generate target.h
cd $SCRIPTS_DIR
./aurixtool.sh target
./wbaurixtool.sh target

# Generate keys, as well as configuration macros and linker script based on the selected signature algorithm
./aurixtool.sh [--hsm] keygen --sign-algo ecc256 --hash-algo sha256 macros lcf
./wbaurixtool.sh [--hsm] keygen --sign-algo ecc256 --hash-algo sha256 macros lcf

# If using wolfHSM, generate key NVM image
./aurixtool.sh nvm
./wbaurixtool.sh nvm
# Load NVM image hexfile to the device
# ...

Expand All @@ -320,7 +320,7 @@ cd $SCRIPTS_DIR
# ....

# Sign test app
./aurixtool.sh [--hsm] sign --sign-algo ecc256 --hash-algo sha256 [--debug]
./wbaurixtool.sh [--hsm] sign --sign-algo ecc256 --hash-algo sha256 [--debug]

# Load wolfBoot + app in Lauterbach using tools/scripts/tc3xx/wolfBoot-loadAll-XXX.cmm
# ...
Expand Down
2 changes: 2 additions & 0 deletions IDE/AURIX/test-app-wolfHSM/Cpu0_Main.c
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
#include "IfxPort.h"
#include "IfxScuWdt.h"
#include "Ifx_Types.h"

#include "target.h"
#include "wolfboot/wolfboot.h"

IFX_ALIGN(4) IfxCpu_syncEvent g_cpuSyncEvent = 0;
Expand Down
2 changes: 2 additions & 0 deletions IDE/AURIX/test-app/Cpu0_Main.c
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
#include "IfxPort.h"
#include "IfxScuWdt.h"
#include "Ifx_Types.h"

#include "target.h"
#include "wolfboot/wolfboot.h"

IFX_ALIGN(4) IfxCpu_syncEvent g_cpuSyncEvent = 0;
Expand Down
6 changes: 3 additions & 3 deletions config/examples/sim-wolfHSM-mldsa.config
Original file line number Diff line number Diff line change
Expand Up @@ -12,17 +12,17 @@ DEBUG=1
# Category 2:
ML_DSA_LEVEL=2
IMAGE_SIGNATURE_SIZE=2420
IMAGE_HEADER_SIZE?=8192
IMAGE_HEADER_SIZE=8192
#
# Category 3:
# ML_DSA_LEVEL=3
# IMAGE_SIGNATURE_SIZE=3309
# IMAGE_HEADER_SIZE?=8192
# IMAGE_HEADER_SIZE=8192
#
# Category 5:
# ML_DSA_LEVEL=5
# IMAGE_SIGNATURE_SIZE=4627
# IMAGE_HEADER_SIZE?=12288
# IMAGE_HEADER_SIZE=12288
# This example needs a larger sector size.
# WOLFBOOT_SECTOR_SIZE=0x3000
#
Expand Down
52 changes: 43 additions & 9 deletions tools/scripts/tc3xx/wbaurixtool.sh
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ get_header_size() {
"rsa4096") echo "1024" ;;
"ed25519") echo "256" ;;
"ed448") echo "512" ;;
"lms"|"xmss") echo "0" ;;
"lms"|"xmss") echo "0" ;; # currently not supported
"none") echo "256" ;;
*) echo "256" ;; # Default
esac
Expand Down Expand Up @@ -164,10 +164,22 @@ usage() {

# Function to generate keys
do_keygen() {
local base_dir="../../../"
local sign_algo="${KEYGEN_OPTS[sign_algo]:-$DEFAULT_SIGN_ALGO}"
local pq_params="${COMMON_OPTS[sign_pq_params]}"
local header_size

# Get header size for current algorithm
header_size=$(get_header_size "$sign_algo" "$pq_params")

echo "Generating keys with algorithm: $sign_algo"

# Set environment variables for keygen tool
export IMAGE_HEADER_SIZE="$header_size"
if [ "$sign_algo" = "ml_dsa" ]; then
export ML_DSA_LEVEL="${pq_params:-2}" # Default to level 2 if not specified
fi

echo "Generating keys with algorithm: ${KEYGEN_OPTS[sign_algo]}"
(cd $base_dir && tools/keytools/keygen --"${KEYGEN_OPTS[sign_algo]}" -g $(basename $PRVKEY_DER) --exportpubkey \
(cd $WOLFBOOT_DIR && tools/keytools/keygen --"$sign_algo" -g $(basename $PRVKEY_DER) --exportpubkey \
${KEYGEN_OPTS[nolocalkeys]:+--nolocalkeys} --der)
}

Expand All @@ -176,9 +188,18 @@ do_sign() {
local base_path="../../../IDE/AURIX"
local app_name="test-app${HSM:+-wolfHSM}"
local sign_algo="${SIGN_OPTS[sign_algo]:-${KEYGEN_OPTS[sign_algo]}}"
local pq_params="${COMMON_OPTS[sign_pq_params]}"
local header_size
local bin_path="$base_path/$app_name/TriCore ${SIGN_OPTS[build_type]} (GCC)/$app_name.bin"

# Get header size for current algorithm
header_size=$(get_header_size "$sign_algo" "$pq_params")

# Set IMAGE_HEADER_SIZE environment variable for sign tool
export IMAGE_HEADER_SIZE="$header_size"

echo "Signing binaries with $sign_algo and ${SIGN_OPTS[hash_algo]}"
local bin_path="$base_path/$app_name/TriCore ${SIGN_OPTS[build_type]} (GCC)/$app_name.bin"
echo "Using header size: $header_size"

# Sign for both partition 1 and 2
../../keytools/sign --"$sign_algo" --"${SIGN_OPTS[hash_algo]}" "$bin_path" "$PRVKEY_DER" 1
Expand Down Expand Up @@ -264,11 +285,24 @@ do_gen_macros() {
use_wolfhsm_pubkey_id="-DWOLFBOOT_USE_WOLFHSM_PUBKEY_ID"
fi

# Set image signature size and ML-DSA level only for ML-DSA
# Quirk: set additional (redundant) macros for ML DSA based on pq_params
if [[ "${sign_algo,,}" == ml_dsa* ]]; then
image_signature_size="-DIMAGE_SIGNATURE_SIZE=2420"
ml_dsa_image_signature_size="-DML_DSA_IMAGE_SIGNATURE_SIZE=2420"
ml_dsa_level="-DML_DSA_LEVEL=2"
local level="${pq_params:-2}" # Default to level 2 if not specified
case "$level" in
2)
image_signature_size="-DIMAGE_SIGNATURE_SIZE=2420"
ml_dsa_image_signature_size="-DML_DSA_IMAGE_SIGNATURE_SIZE=2420"
;;
3)
image_signature_size="-DIMAGE_SIGNATURE_SIZE=3300"
ml_dsa_image_signature_size="-DML_DSA_IMAGE_SIGNATURE_SIZE=3300"
;;
5)
image_signature_size="-DIMAGE_SIGNATURE_SIZE=5200"
ml_dsa_image_signature_size="-DML_DSA_IMAGE_SIGNATURE_SIZE=5200"
;;
esac
ml_dsa_level="-DML_DSA_LEVEL=$level"
fi

echo "Generating macros file with sign_algo=$sign_algo, hash_algo=$hash_algo"
Expand Down

0 comments on commit ec7a029

Please sign in to comment.