WOLFCRYPT_TZ_WOLFHSM: review fixes and unit-test coverage

- options.mk: drop duplicate WOLFHSM_CLIENT_OBJS / WOLFHSM_SERVER_OBJS
  block; top-of-file definitions are reached before all consumers.
- wolfhsm_callable.c: idempotency guard in wcs_wolfhsm_init; defensive
  memset of g_srv_tx_ctx; move g_flash_cfg to a stack local; clamp
  rsp_size to rsp_capacity before publishing *rspSz; set *rspSz = 0
  on every early-validation error path; use { 0 } initializer; switch
  to #ifdef WOLF_CRYPTO_CB.
- wolfhsm_flash_hal.c: rename _Foo callbacks to whFlashH5_Foo to avoid
  C-reserved leading-underscore-uppercase identifiers; constant-time
  compare in Verify since data may be key material; defensive
  wc_ForceZero(cached_sector) on entry to Program; Erase short-circuits
  size == 0 before the alignment check for consistency.
- test-app/wcs/wolfhsm_test.c: split AesSetIV vs AesCbcEncrypt error
  diagnostics; KeyEvict the cached key when KeyCommit fails; use { 0 }
  initializer for nsc_cfg.
- tools/unit-tests/Makefile: add WOLFBOOT_LIB_WOLFHSM default and
  external-libs fallback so unit-wolfhsm_flash_hal finds wolfhsm
  headers in CI.
- .github/workflows/test-external-library-paths.yml: pass
  WOLFBOOT_LIB_WOLFHSM to the unit-test matrix entry.
- unit-wolfhsm_flash_hal.c: cover Cleanup, erase-failure propagation,
  Read happy path, multi-sector Program, NULL context for
  Read/PartitionSize/Program/Erase/Verify/BlankCheck, NULL data, and
  WriteLock/WriteUnlock; use MAP_FIXED_NOREPLACE when available.

Author: aidangarske

.github/workflows/test-external-library-paths.yml

@@ -86,4 +86,5 @@ jobs:
           echo "=== Building unit tests with external paths ==="
           make -C tools/unit-tests \
             WOLFBOOT_LIB_WOLFSSL="$(realpath ../external-libs/wolfssl)" \
-            WOLFBOOT_LIB_WOLFPKCS11="$(realpath ../external-libs/wolfPKCS11)"
+            WOLFBOOT_LIB_WOLFPKCS11="$(realpath ../external-libs/wolfPKCS11)" \
+            WOLFBOOT_LIB_WOLFHSM="$(realpath ../external-libs/wolfHSM)"

options.mk

@@ -1393,44 +1393,6 @@ ifeq ($(WOLFBOOT_TEST_SIM_CRYPTOCB),1)
 endif
 endif
 
-# Shared wolfHSM client/server object lists. Both the legacy WOLFHSM_CLIENT=1 /
-# WOLFHSM_SERVER=1 flags and the WOLFCRYPT_TZ_WOLFHSM=1 TZ engine reference
-# these to avoid object-list duplication.
-WOLFHSM_CLIENT_OBJS := \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_nvm.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_cryptocb.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_crypto.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_client_dma.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_crypto.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_dma.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_utils.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_comm.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_comm.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_nvm.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_customcb.o
-
-WOLFHSM_SERVER_OBJS := \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_utils.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_comm.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm_flash.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_keyid.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_flash_unit.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_crypto.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_nvm.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_crypto.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_counter.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_keystore.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server_customcb.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_customcb.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_keystore.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_crypto.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_counter.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_nvm.o \
-  $(WOLFBOOT_LIB_WOLFHSM)/src/wh_message_comm.o
-
 # wolfHSM client options
 ifeq ($(WOLFHSM_CLIENT),1)
   WOLFCRYPT_OBJS += \

src/wolfhsm_callable.c

@@ -50,15 +50,12 @@ extern uint32_t _flash_keyvault;
 extern uint32_t _flash_keyvault_size;
 
 static whFlashH5Ctx              g_flash_ctx;
-/* Fields filled at runtime in wcs_wolfhsm_init: pointer-to-integer casts of
- * linker symbols are not strictly conforming static initializers. */
-static whFlashH5Ctx              g_flash_cfg;
 
 static whNvmFlashContext         g_nvm_flash_ctx;
 static whNvmFlashConfig          g_nvm_flash_cfg = {
     .cb      = &whFlashH5_Cb,
     .context = &g_flash_ctx,
-    .config  = &g_flash_cfg,
+    /* .config is set at runtime in wcs_wolfhsm_init */
 };
 static whNvmCb                   g_nvm_flash_cb = WH_NVM_FLASH_CB;
 static whNvmContext              g_nvm_ctx;
@@ -70,7 +67,7 @@ static whNvmConfig               g_nvm_cfg = {
 
 static whServerCryptoContext     g_crypto_ctx;
 static whTransportNscServerContext g_srv_tx_ctx;
-static whTransportNscServerConfig g_srv_tx_cfg = { { 0 } };
+static whTransportNscServerConfig g_srv_tx_cfg = { 0 };
 static whCommServerConfig        g_comm_cfg = {
     .transport_context = &g_srv_tx_ctx,
     .transport_cb      = &whTransportNscServer_Cb,
@@ -81,7 +78,7 @@ static whServerConfig            g_server_cfg = {
     .comm_config = &g_comm_cfg,
     .nvm         = &g_nvm_ctx,
     .crypto      = &g_crypto_ctx,
-#if defined WOLF_CRYPTO_CB
+#ifdef WOLF_CRYPTO_CB
     .devId       = INVALID_DEVID,
 #endif
 };
@@ -91,13 +88,22 @@ static int                       g_wolfhsm_ready;
 
 void wcs_wolfhsm_init(void)
 {
-    int rc;
+    whFlashH5Ctx flash_cfg;
+    int          rc;
+
+    if (g_wolfhsm_ready) {
+        return;
+    }
+
+    memset(&g_srv_tx_ctx, 0, sizeof(g_srv_tx_ctx));
 
-    g_flash_cfg.base           = (uint32_t)&_flash_keyvault;
-    g_flash_cfg.size           = (uint32_t)&_flash_keyvault_size;
-    g_flash_cfg.partition_size = WCS_WOLFHSM_PARTITION_SIZE;
+    flash_cfg.base           = (uint32_t)&_flash_keyvault;
+    flash_cfg.size           = (uint32_t)&_flash_keyvault_size;
+    flash_cfg.partition_size = WCS_WOLFHSM_PARTITION_SIZE;
+    g_nvm_flash_cfg.config   = &flash_cfg;
 
-    rc = wc_InitRng(g_crypto_ctx.rng);
+    /* g_crypto_ctx.rng is an embedded WC_RNG[1] (see wh_server.h) */
+    rc = wc_InitRng(&g_crypto_ctx.rng[0]);
     if (rc != 0) {
         wolfBoot_panic();
     }
@@ -125,16 +131,19 @@ int CSME_NSE_API wcs_wolfhsm_transmit(const uint8_t *cmd, uint32_t cmdSz,
     if (cmd == NULL || rsp == NULL || rspSz == NULL) {
         return WH_ERROR_BADARGS;
     }
-    /* volatile read forbids the compiler from re-fetching *rspSz later. */
+    /* single-fetch *rspSz so it cannot be re-read after validation */
     rsp_capacity = *(volatile const uint32_t *)rspSz;
 
     if (cmdSz == 0U || cmdSz > WH_COMM_MTU) {
+        *rspSz = 0;
         return WH_ERROR_BADARGS;
     }
     if (rsp_capacity == 0U || rsp_capacity > WH_COMM_MTU) {
+        *rspSz = 0;
         return WH_ERROR_BADARGS;
     }
     if (!g_wolfhsm_ready) {
+        *rspSz = 0;
         return WH_ERROR_NOTREADY;
     }
 
@@ -148,8 +157,16 @@ int CSME_NSE_API wcs_wolfhsm_transmit(const uint8_t *cmd, uint32_t cmdSz,
     rc = wh_Server_HandleRequestMessage(&g_server);
 
     if (rc == WH_ERROR_OK) {
-        *rspSz = (uint32_t)g_srv_tx_ctx.rsp_size;
-    } else {
+        /* clamp: dispatcher must honor rsp_capacity; defend against regression */
+        if ((uint32_t)g_srv_tx_ctx.rsp_size > rsp_capacity) {
+            *rspSz = 0;
+            rc     = WH_ERROR_ABORTED;
+        }
+        else {
+            *rspSz = (uint32_t)g_srv_tx_ctx.rsp_size;
+        }
+    }
+    else {
         *rspSz = 0;
     }
 

src/wolfhsm_flash_hal.c

@@ -21,15 +21,17 @@
 
 #define WHFH5_SECTOR_SIZE (8U * 1024U)
 
-/* Sector-cached read-modify-erase-write, mirroring psa_store.c. STM32H5
- * flash programs in 16-byte quad-words with ECC; each quad-word can be
- * programmed exactly once between erases. wolfHSM issues 8-byte unit
- * writes which would otherwise re-program neighbouring qwords, so every
- * Program call here loads the affected sector into RAM, modifies it, and
- * rewrites the whole 8 KiB sector after an erase. */
+/* Sector-cached RMW, mirrors psa_store.c. H5 flash programs as 16-byte
+ * qwords ECC; one program per erase. wolfHSM 8-byte writes would clobber
+ * neighbours, so Program loads the sector, modifies, erases, rewrites.
+ *
+ * Single static cache: non-reentrant by design (one secure-side server,
+ * synchronous per-NSC dispatch, no threads or interrupts on this path).
+ * Residual plaintext may remain in cache for one programming cycle if a
+ * synchronous fault aborts hal_flash_write; disable debug in production. */
 static uint8_t cached_sector[WHFH5_SECTOR_SIZE];
 
-static int _Init(void *context, const void *config)
+static int whFlashH5_Init(void *context, const void *config)
 {
     const whFlashH5Ctx *cfg = (const whFlashH5Ctx *)config;
     whFlashH5Ctx       *ctx = (whFlashH5Ctx *)context;
@@ -50,37 +52,38 @@ static int _Init(void *context, const void *config)
     return WH_ERROR_OK;
 }
 
-static int _Cleanup(void *context)
+static int whFlashH5_Cleanup(void *context)
 {
     if (context == NULL) {
         return WH_ERROR_BADARGS;
     }
     return WH_ERROR_OK;
 }
 
-static uint32_t _PartitionSize(void *context)
+static uint32_t whFlashH5_PartitionSize(void *context)
 {
     whFlashH5Ctx *ctx = (whFlashH5Ctx *)context;
     return (ctx == NULL) ? 0U : ctx->partition_size;
 }
 
-static int _WriteLock(void *context, uint32_t offset, uint32_t size)
+static int whFlashH5_WriteLock(void *context, uint32_t offset, uint32_t size)
 {
     (void)context;
     (void)offset;
     (void)size;
     return WH_ERROR_OK;
 }
 
-static int _WriteUnlock(void *context, uint32_t offset, uint32_t size)
+static int whFlashH5_WriteUnlock(void *context, uint32_t offset, uint32_t size)
 {
     (void)context;
     (void)offset;
     (void)size;
     return WH_ERROR_OK;
 }
 
-static int _Read(void *context, uint32_t offset, uint32_t size, uint8_t *data)
+static int whFlashH5_Read(void *context, uint32_t offset, uint32_t size,
+                          uint8_t *data)
 {
     whFlashH5Ctx *ctx = (whFlashH5Ctx *)context;
 
@@ -96,8 +99,8 @@ static int _Read(void *context, uint32_t offset, uint32_t size, uint8_t *data)
     return WH_ERROR_OK;
 }
 
-static int _Program(void *context, uint32_t offset, uint32_t size,
-                    const uint8_t *data)
+static int whFlashH5_Program(void *context, uint32_t offset, uint32_t size,
+                             const uint8_t *data)
 {
     whFlashH5Ctx *ctx = (whFlashH5Ctx *)context;
     uint32_t      written = 0U;
@@ -113,6 +116,9 @@ static int _Program(void *context, uint32_t offset, uint32_t size,
         return WH_ERROR_OK;
     }
 
+    /* defensive wipe in case a prior call faulted before the per-iter wipe */
+    wc_ForceZero(cached_sector, sizeof(cached_sector));
+
     hal_flash_unlock();
     while (written < size) {
         uint32_t in_sector_off = (offset + written) % WHFH5_SECTOR_SIZE;
@@ -147,7 +153,7 @@ static int _Program(void *context, uint32_t offset, uint32_t size,
     return (hrc == 0) ? WH_ERROR_OK : WH_ERROR_ABORTED;
 }
 
-static int _Erase(void *context, uint32_t offset, uint32_t size)
+static int whFlashH5_Erase(void *context, uint32_t offset, uint32_t size)
 {
     whFlashH5Ctx *ctx = (whFlashH5Ctx *)context;
     int rc;
@@ -158,39 +164,56 @@ static int _Erase(void *context, uint32_t offset, uint32_t size)
     if (offset > ctx->size || size > ctx->size - offset) {
         return WH_ERROR_BADARGS;
     }
+    if (size == 0U) {
+        return WH_ERROR_OK;
+    }
     if ((offset % WHFH5_SECTOR_SIZE) != 0U ||
         (size % WHFH5_SECTOR_SIZE) != 0U) {
         return WH_ERROR_BADARGS;
     }
-    if (size == 0U) {
-        return WH_ERROR_OK;
-    }
 
+    /* hal_flash_erase takes int; loop over sector-sized chunks so the cast
+     * stays well-defined regardless of how large size grows. */
     hal_flash_unlock();
-    rc = hal_flash_erase(ctx->base + offset, (int)size);
+    {
+        uint32_t erased = 0U;
+        rc = 0;
+        while (erased < size) {
+            rc = hal_flash_erase(ctx->base + offset + erased,
+                                 (int)WHFH5_SECTOR_SIZE);
+            if (rc != 0) {
+                break;
+            }
+            erased += WHFH5_SECTOR_SIZE;
+        }
+    }
     hal_flash_lock();
     return (rc == 0) ? WH_ERROR_OK : WH_ERROR_ABORTED;
 }
 
-static int _Verify(void *context, uint32_t offset, uint32_t size,
-                   const uint8_t *data)
+static int whFlashH5_Verify(void *context, uint32_t offset, uint32_t size,
+                            const uint8_t *data)
 {
-    whFlashH5Ctx *ctx = (whFlashH5Ctx *)context;
+    whFlashH5Ctx  *ctx = (whFlashH5Ctx *)context;
+    const uint8_t *p;
+    uint8_t        acc = 0;
+    uint32_t       i;
 
     if (ctx == NULL || (size != 0U && data == NULL)) {
         return WH_ERROR_BADARGS;
     }
     if (offset > ctx->size || size > ctx->size - offset) {
         return WH_ERROR_BADARGS;
     }
-    if (size > 0U &&
-        memcmp((const uint8_t *)(ctx->base + offset), data, size) != 0) {
-        return WH_ERROR_NOTVERIFIED;
+    /* constant-time compare; verified data may be key material */
+    p = (const uint8_t *)(ctx->base + offset);
+    for (i = 0U; i < size; i++) {
+        acc |= (uint8_t)(p[i] ^ data[i]);
     }
-    return WH_ERROR_OK;
+    return (acc == 0U) ? WH_ERROR_OK : WH_ERROR_NOTVERIFIED;
 }
 
-static int _BlankCheck(void *context, uint32_t offset, uint32_t size)
+static int whFlashH5_BlankCheck(void *context, uint32_t offset, uint32_t size)
 {
     whFlashH5Ctx  *ctx = (whFlashH5Ctx *)context;
     const uint8_t *p;
@@ -212,16 +235,16 @@ static int _BlankCheck(void *context, uint32_t offset, uint32_t size)
 }
 
 const whFlashCb whFlashH5_Cb = {
-    .Init          = _Init,
-    .Cleanup       = _Cleanup,
-    .PartitionSize = _PartitionSize,
-    .WriteLock     = _WriteLock,
-    .WriteUnlock   = _WriteUnlock,
-    .Read          = _Read,
-    .Program       = _Program,
-    .Erase         = _Erase,
-    .Verify        = _Verify,
-    .BlankCheck    = _BlankCheck,
+    .Init          = whFlashH5_Init,
+    .Cleanup       = whFlashH5_Cleanup,
+    .PartitionSize = whFlashH5_PartitionSize,
+    .WriteLock     = whFlashH5_WriteLock,
+    .WriteUnlock   = whFlashH5_WriteUnlock,
+    .Read          = whFlashH5_Read,
+    .Program       = whFlashH5_Program,
+    .Erase         = whFlashH5_Erase,
+    .Verify        = whFlashH5_Verify,
+    .BlankCheck    = whFlashH5_BlankCheck,
 };
 
 #endif /* WOLFCRYPT_TZ_WOLFHSM */

test-app/wcs/wolfhsm_test.c

@@ -153,9 +153,11 @@ static int wolfhsm_test_aes_cached(whClientContext *client)
     }
 
     rc = wc_AesSetIV(&aes, iv);
-    if (rc == 0) {
-        rc = wc_AesCbcEncrypt(&aes, ct, pt, (word32)sizeof(pt));
+    if (rc != 0) {
+        printf("wolfHSM AesSetIV failed: %d\r\n", rc);
+        goto out;
     }
+    rc = wc_AesCbcEncrypt(&aes, ct, pt, (word32)sizeof(pt));
     if (rc != 0) {
         printf("wolfHSM AES encrypt failed: %d\r\n", rc);
         goto out;
@@ -209,6 +211,7 @@ static int wolfhsm_test_persist(whClientContext *client, int *boot_state)
     rc = wh_Client_KeyCommit(client, keyId);
     if (rc != WH_ERROR_OK) {
         printf("wolfHSM persist KeyCommit failed: %d\r\n", rc);
+        (void)wh_Client_KeyEvict(client, keyId);
         return rc;
     }
     (void)wh_Client_KeyEvict(client, keyId);
@@ -218,7 +221,7 @@ static int wolfhsm_test_persist(whClientContext *client, int *boot_state)
 
 int cmd_wolfhsm_test(const char *args)
 {
-    static const whTransportNscClientConfig nsc_cfg = { { 0 } };
+    static const whTransportNscClientConfig nsc_cfg = { 0 };
     whCommClientConfig comm_cfg;
     whClientConfig     cfg;
     whClientContext    client;