docs/TPM.md
+36 lines changed: 36 additions & 0 deletions
@@ -17,6 +17,42 @@ In wolfBoot we support TPM based root of trust, sealing/unsealing, cryptographic
17
17
|`WOLFBOOT_TPM_SEAL=1`|`WOLFBOOT_TPM_SEAL`| Enables support for sealing/unsealing based on PCR policy signed externally. |
18
18
|`WOLFBOOT_TPM_SEAL_NV_BASE=0x01400300`|`WOLFBOOT_TPM_SEAL_NV_BASE`| To override the default sealed blob storage location in the platform hierarchy. |
19
19
|`WOLFBOOT_TPM_SEAL_AUTH=secret`|`WOLFBOOT_TPM_SEAL_AUTH`| Password for sealing/unsealing secrets, if omitted the PCR policy will be used |
20
+
|`WOLFBOOT_TPM_MFG_AUTH_DERIVE=1`|`WOLFBOOT_TPM_MFG_AUTH_DERIVE`| MFG identity: opt into on-device derive-from-master. The default is a precomputed per-device authValue (no master secret on device). Requires `WOLFTPM_MFG_IDENTITY`. |
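Review bot: The new `WOLFBOOT_TPM_MFG_AUTH_DERIVE` row names a dependency on `WOLFTPM_MFG_IDENTITY` without saying where that macro is set. It carries a `WOLFTPM_` prefix, unlike the other options in this table, so a reader cannot tell whether it is a wolfTPM build option or a wolfBoot one; say which build defines it and how to enable it. The row also implies, by contrast with the default ("no master secret on device"), that opting in places the master secret on the device. State that explicitly and say where the secret is stored, since that is the security trade-off an integrator has to weigh before setting this flag.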
docs/wolfHSM.md
+7 -9 lines changed: 7 additions & 9 deletions
@@ -75,16 +75,12 @@ This section describes the configuration options available for wolfHSM integrati
75
75
76
76
This option enables wolfHSM client support in wolfBoot. Without defining this option, support for wolfHSM client mode is not compiled in.
77
77
78
+
In client mode, wolfBoot always uses HSM-resident public keys for firmware authentication; public keys are never baked into a local `keystore.c`. The key to verify against is referenced either by the reserved key ID defined in the HAL (`hsmKeyIdPubKey`), or, when certificate-chain verification (`WOLFBOOT_CERT_CHAIN_VERIFY`) is enabled, by the leaf key ID resolved from the verified chain.
79
+
78
80
### `WOLFBOOT_ENABLE_WOLFHSM_SERVER`
79
81
80
82
This option enables wolfHSM server support in wolfBoot. When defined, wolfBoot includes an embedded wolfHSM server that provides HSM functionality locally within the bootloader. This is mutually exclusive with `WOLFBOOT_ENABLE_WOLFHSM_CLIENT`.
81
83
82
-
### `WOLFBOOT_USE_WOLFHSM_PUBKEY_ID`
83
-
84
-
This option enables use of the reserved wolfHSM public key ID for firmware authentication, and is typically the desired behavior for using wolfHSM. When this option is defined, wolfBoot will use the reserved wolfHSM keyId defined by the HAL (`hsmKeyIdPubKey`). This option is meant to be used in conjunction with the `--nolocalkeys` keygen option, as the key material in the keystore will not be used.
85
-
86
-
If this option is not defined, cryptographic operations are still performed on the wolfHSM server, but wolfBoot assumes the key material is present in the keystore and NOT stored on the HSM. This means that wolfBoot will first load keys from the keystore, send the key material to the wolfHSM server at the time of use (cached as ephemeral keys), and finally evict the key from the HSM after usage. This behavior is typically only useful for debugging or testing scenarios, where the keys may not be pre-loaded onto the HSM. The keystore for use in this mode should not be generated with the `--nolocalkeys` option.
87
-
88
84
## HAL Implementations
89
85
90
86
In addition to the standard wolfBoot HAL functions, wolfHSM-enabled platforms must also implement or instantiate the following wolfHSM-specific items in the platform HAL:
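Review bot: Removing the `WOLFBOOT_USE_WOLFHSM_PUBKEY_ID` section also drops this section's guidance on the `--nolocalkeys` keygen option, while the new client-mode paragraph says public keys are never baked into a local `keystore.c`. Say whether `--nolocalkeys` is still needed when generating keys for client mode. A short migration note would also help: the macro and the keystore-backed ephemeral-key mode described in the removed text are gone, and configurations that defined the macro or relied on that debug/testing path need to know what to do now.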
@@ -127,7 +123,7 @@ The wolfBoot simulator supports using wolfHSM with all algorithms mentioned in [
127
123
128
124
#### wolfHSM Client Mode Build
129
125
130
-
To build the simulator configured to use wolfHSM client mode, ensure you build with the `WOLFHSM_CLIENT=1` makefile option. This will automatically define `WOLFBOOT_USE_WOLFHSM_PUBKEY_ID`, and requires the public key corresponding to the private key that signed the image to be pre-loaded into the HSM at the keyId specified by `hsmKeyIdPubKey` in the simulator HAL.
126
+
To build the simulator configured to use wolfHSM client mode, ensure you build with the `WOLFHSM_CLIENT=1` makefile option. This requires the public key corresponding to the private key that signed the image to be pre-loaded into the HSM at the keyId specified by `hsmKeyIdPubKey` in the simulator HAL.
131
127
132
128
```sh
133
129
# Grab the HSM client simulator configuration
@@ -175,8 +171,10 @@ Next, in a new terminal window, run the wolfHSM POSIX TCP server, loading the pu
175
171
cd lib/wolfHSM/examples/posix/tcp/wh_server_tcp
176
172
make WOLFSSL_DIR=../../../../../wolfssl
177
173
178
-
# Run the server, loading the wolfBoot public key and using the client ID and keyId matching the values declared in `hal/sim.c`)