Update wolfHSM pointer, fix minor issues

padelsbach · padelsbach · commit 71bd2dfa9e93 · 2026-03-20T18:07:09.000-07:00
diff --git a/arch.mk b/arch.mk
@@ -49,6 +49,8 @@ ifeq ($(ARCH),x86_64)
       endif
     else
       MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_x86_64.o
+      MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_x86_64_asm.o
+      WOLFCRYPT_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/cpuid.o
     endif
   endif
   ifeq ($(TARGET),x86_64_efi)
@@ -1474,8 +1476,17 @@ ifeq ($(ARCH),sim)
     LDFLAGS+=-m32
   endif
   ifeq ($(SPMATH),1)
-    MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o
-    CFLAGS+=-DWOLFSSL_SP_DIV_WORD_HALF
+    ifeq ($(FORCE_32BIT),1)
+      MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o
+      CFLAGS+=-DWOLFSSL_SP_DIV_WORD_HALF
+    else ifeq ($(shell uname -m),aarch64)
+      CFLAGS += -DARCH_AARCH64 -DFAST_MEMCPY
+      MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o
+      MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_arm64.o
+    else
+      MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o
+      CFLAGS+=-DWOLFSSL_SP_DIV_WORD_HALF
+    endif
   endif
   ifeq ($(WOLFHSM_CLIENT),1)
     WOLFHSM_OBJS += $(WOLFBOOT_LIB_WOLFHSM)/port/posix/posix_transport_tcp.o
diff --git a/config/examples/sim-wolfHSM-client-certchain-ecc.config b/config/examples/sim-wolfHSM-client-certchain-ecc.config
@@ -19,14 +19,14 @@ WOLFHSM_CLIENT=1
 
 # sizes should be multiple of system page size
 #WOLFBOOT_PARTITION_SIZE=0x40000
-WOLFBOOT_PARTITION_SIZE=0x100000
+WOLFBOOT_PARTITION_SIZE=0x200000
 WOLFBOOT_SECTOR_SIZE=0x1000
 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
 # if on external flash, it should be multiple of system page size
 #WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x100000
 #WOLFBOOT_PARTITION_SWAP_ADDRESS=0x180000
-WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x180000
-WOLFBOOT_PARTITION_SWAP_ADDRESS=0x280000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000
 
 # required for keytools
 WOLFBOOT_FIXED_PARTITIONS=1
diff --git a/config/examples/sim-wolfHSM-client-certchain-rsa4096.config b/config/examples/sim-wolfHSM-client-certchain-rsa4096.config
@@ -19,14 +19,14 @@ WOLFHSM_CLIENT=1
 
 # sizes should be multiple of system page size
 #WOLFBOOT_PARTITION_SIZE=0x40000
-WOLFBOOT_PARTITION_SIZE=0x100000
+WOLFBOOT_PARTITION_SIZE=0x200000
 WOLFBOOT_SECTOR_SIZE=0x1000
 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
 # if on external flash, it should be multiple of system page size
 #WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x100000
 #WOLFBOOT_PARTITION_SWAP_ADDRESS=0x180000
-WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x180000
-WOLFBOOT_PARTITION_SWAP_ADDRESS=0x280000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000
 
 # required for keytools
 WOLFBOOT_FIXED_PARTITIONS=1
diff --git a/config/examples/sim-wolfHSM-client-ecc.config b/config/examples/sim-wolfHSM-client-ecc.config
@@ -8,12 +8,12 @@ DEBUG=0
 SPMATH=1
 
 # sizes should be multiple of system page size
-WOLFBOOT_PARTITION_SIZE=0x100000
+WOLFBOOT_PARTITION_SIZE=0x200000
 WOLFBOOT_SECTOR_SIZE=0x1000
 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
 # if on external flash, it should be multiple of system page size
-WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x180000
-WOLFBOOT_PARTITION_SWAP_ADDRESS=0x280000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000
 
 # required for keytools
 WOLFBOOT_FIXED_PARTITIONS=1
diff --git a/config/examples/sim-wolfHSM-client-mldsa.config b/config/examples/sim-wolfHSM-client-mldsa.config
@@ -29,12 +29,12 @@ IMAGE_HEADER_SIZE=8192
 #
 
 # sizes should be multiple of system page size
-WOLFBOOT_PARTITION_SIZE=0x100000
+WOLFBOOT_PARTITION_SIZE=0x200000
 WOLFBOOT_SECTOR_SIZE=0x2000
 WOLFBOOT_PARTITION_BOOT_ADDRESS=0x80000
 # if on external flash, it should be multiple of system page size
-WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x180000
-WOLFBOOT_PARTITION_SWAP_ADDRESS=0x280000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS=0x280000
+WOLFBOOT_PARTITION_SWAP_ADDRESS=0x480000
 
 # required for keytools
 WOLFBOOT_FIXED_PARTITIONS=1
diff --git a/hal/sim.c b/hal/sim.c
@@ -183,9 +183,7 @@ whCommServerConfig cs_conf[1] = {{
 }};
 
 /* Crypto context */
-whServerCryptoContext crypto[1] = {{
-    .devId = INVALID_DEVID,
-}};
+whServerCryptoContext crypto[1] = {0};
 
 #if defined(WOLFHSM_CFG_SHE_EXTENSION)
 whServerSheContext    she[1]    = {{0}};
diff --git a/include/target.h.in b/include/target.h.in
@@ -37,11 +37,13 @@
 #ifdef WOLFBOOT_FIXED_PARTITIONS
 
 #if defined(ARCH_SIM) && !defined(WOLFBOOT_PARTITION_FILENAME)
+#ifndef __ASSEMBLER__
     #include <stdint.h>
     /* use runtime ram base for simulator */
     extern uint8_t *sim_ram_base;
     #undef  ARCH_FLASH_OFFSET
     #define ARCH_FLASH_OFFSET ((size_t)sim_ram_base)
+#endif /* !__ASSEMBLER__ */
     #define WOLFBOOT_PART_USE_ARCH_OFFSET
 #endif
 
diff --git a/include/user_settings.h b/include/user_settings.h
@@ -46,7 +46,7 @@
 /* Stdlib Types */
 #define CTYPE_USER /* don't let wolfCrypt types.h include ctype.h */
 
-#ifndef WOLFSSL_ARMASM
+#if !defined(WOLFSSL_ARMASM) && !defined(__ASSEMBLER__)
 #ifndef toupper
 extern int toupper(int c);
 #endif
@@ -77,8 +77,10 @@ extern int tolower(int c);
 #if defined(WOLFBOOT_SIGN_ED25519) || defined(WOLFBOOT_SIGN_SECONDARY_ED25519)
 #   define HAVE_ED25519
 #   define ED25519_SMALL
-#   define NO_ED25519_SIGN
-#   define NO_ED25519_EXPORT
+#   if !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
+#       define NO_ED25519_SIGN
+#       define NO_ED25519_EXPORT
+#   endif
 #   define USE_SLOW_SHA512
 #   define WOLFSSL_SHA512
 #endif
@@ -88,8 +90,10 @@ extern int tolower(int c);
 #   define HAVE_ED448
 #   define HAVE_ED448_VERIFY
 #   define ED448_SMALL
-#   define NO_ED448_SIGN
-#   define NO_ED448_EXPORT
+#   if !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
+#       define NO_ED448_SIGN
+#       define NO_ED448_EXPORT
+#   endif
 #   define WOLFSSL_SHA3
 #   define WOLFSSL_SHAKE256
 #   define WOLFSSL_SHA512
@@ -146,7 +150,6 @@ extern int tolower(int c);
 #endif
 #       define WOLFSSL_SP_MATH
 #       define WOLFSSL_SP_SMALL
-#       define SP_WORD_SIZE 32
 #       define WOLFSSL_HAVE_SP_ECC
 #       define WOLFSSL_KEY_GEN
 #       define HAVE_ECC_KEY_EXPORT
@@ -343,12 +346,20 @@ extern int tolower(int c);
 #       define HAVE___UINT128_T
 #       define SP_WORD_SIZE 64
 #   elif defined(ARCH_x86_64) && !defined(FORCE_32BIT)
+#       define HAVE___UINT128_T
 #       define SP_WORD_SIZE 64
-#       ifndef NO_ASM
+#       if !defined(NO_ASM)
 #           define WOLFSSL_SP_X86_64_ASM
 #       endif
 #   else
 #       define SP_WORD_SIZE 32
+#   endif
+
+    /* x86_64 ASM 4096-bit routines use 2048-bit helpers internally,
+     * so ensure 2048-bit asm is not excluded when 4096-bit is needed */
+#   if defined(WOLFSSL_SP_X86_64_ASM) && defined(WOLFSSL_SP_4096) && \
+       defined(WOLFSSL_SP_NO_2048)
+#       undef WOLFSSL_SP_NO_2048
 #   endif
 
     /* SP Math needs to understand long long */
diff --git a/lib/wolfHSM b/lib/wolfHSM
@@ -1 +1 @@
-Subproject commit 1e47a7ead2758f4e5138fcc704a42b62b1c6b62a
+Subproject commit 977bf187e7a57a184493dcd216eb9a328f381865
diff --git a/src/image.c b/src/image.c
@@ -816,9 +816,10 @@ static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot,
                         ML_DSA_LEVEL);
 
         /* Finally verify signature. */
-        ret = wc_MlDsaKey_Verify(&ml_dsa, sig, ML_DSA_IMAGE_SIGNATURE_SIZE,
-                                 img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE,
-                                 &verify_res);
+        ret = wc_MlDsaKey_VerifyCtx(&ml_dsa, sig, ML_DSA_IMAGE_SIGNATURE_SIZE,
+                                    NULL, 0,
+                                    img->sha_hash, WOLFBOOT_SHA_DIGEST_SIZE,
+                                    &verify_res);
 
     #ifdef WOLFBOOT_ARMORED
         if (ret == 0) {
diff --git a/src/multiboot.c b/src/multiboot.c
@@ -379,13 +379,18 @@ uint8_t *mb2_find_header(uint8_t *image, int size)
 
 void mb2_jump(uintptr_t entry, uint32_t mb2_boot_info)
 {
+#if defined(__x86_64__) || defined(__i386__)
     __asm__(
             "mov $0x36d76289, %%eax\r\n"
             "mov %0, %%ebx\r\n"
             "jmp *%1\r\n"
             :
             : "g"(mb2_boot_info), "g"(entry)
             : "eax", "ebx");
+#else
+    (void)entry;
+    (void)mb2_boot_info;
+#endif
 }
 
 #endif /* WOLFBOOT_MULTIBOOT2 */
diff --git a/src/xmalloc.c b/src/xmalloc.c
@@ -75,6 +75,12 @@ struct xmalloc_slot {
             #define MP_POINT_SIZE (196)
             #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 8)
             #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 8 * 6)
+        #elif SP_WORD_SIZE == 64
+            #define MP_POINT_SIZE (200)
+            #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 4)
+            #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (2 * 4 * 6))
+            #define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 4 * 6))
+            #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 2 * 8)
         #else
             #define MP_POINT_SIZE (220)
             #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 9)
@@ -91,6 +97,12 @@ struct xmalloc_slot {
             #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 12)
             #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 12 * 6)
             #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 12)
+        #elif SP_WORD_SIZE == 64
+            #define MP_POINT_SIZE (344)
+            #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 7)
+            #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (2 * 7 * 6))
+            #define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 7 * 6))
+            #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 2 * 12)
         #else
             #define MP_POINT_SIZE (364)
             #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 15)
@@ -107,6 +119,12 @@ struct xmalloc_slot {
             #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 17)
             #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * 2 * 17 * 6)
             #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 12)
+        #elif SP_WORD_SIZE == 64
+            #define MP_POINT_SIZE (440)
+            #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 9)
+            #define MP_DIGITS_BUFFER_SIZE_1 (MP_DIGIT_SIZE * (2 * 9 * 6))
+            #define MP_DIGITS_BUFFER_SIZE_2 (MP_DIGIT_SIZE * (2 * 9 * 6))
+            #define MP_MONTGOMERY_SIZE (sizeof(int64_t) * 2 * 12)
         #else
             #define MP_POINT_SIZE (508)
             #define MP_DIGITS_BUFFER_SIZE_0 (MP_DIGIT_SIZE * 18 * 21)
@@ -129,7 +147,13 @@ struct xmalloc_slot {
     #endif
     static uint8_t mp_points_0[MP_POINT_SIZE * 2];
     static uint8_t mp_points_1[MP_POINT_SIZE * 3];
+    /* x86_64 SP always uses win_add_sub with 33+2 precomputed points,
+     * even when WOLFSSL_SP_SMALL is defined */
+    #if SP_WORD_SIZE == 64
+    static uint8_t mp_points_2[MP_POINT_SIZE * (33 + 2)];
+    #else
     static uint8_t mp_points_2[MP_POINT_SIZE * (16 + 1)];
+    #endif
     static uint8_t mp_digits_buffer_0[MP_DIGITS_BUFFER_SIZE_0];
     static uint8_t mp_digits_buffer_1[MP_DIGITS_BUFFER_SIZE_1];
     #if !defined(WOLFSSL_SP_ARM_CORTEX_M_ASM) && (defined(WOLFBOOT_SIGN_ECC256) || defined(WOLFBOOT_SIGN_ECC384) || defined(WOLFBOOT_SIGN_ECC521))
@@ -234,7 +258,11 @@ static struct xmalloc_slot xmalloc_pool[] = {
     { (uint8_t *)mp_digits_buffer_2, MP_DIGITS_BUFFER_SIZE_2, 0 },
     { (uint8_t *)mp_montgomery, MP_MONTGOMERY_SIZE, 0 },
     #endif
+    #if SP_WORD_SIZE == 64
+    { (uint8_t *)mp_points_2, MP_POINT_SIZE * (33 + 2), 0 },
+    #else
     { (uint8_t *)mp_points_2, MP_POINT_SIZE * (16 + 1), 0 },
+    #endif
     { (uint8_t *)mp_digits_buffer_0, MP_DIGITS_BUFFER_SIZE_0, 0},
     { (uint8_t *)mp_digits_buffer_1, MP_DIGITS_BUFFER_SIZE_1, 0},
     #ifndef WC_NO_CACHE_RESISTANT
diff --git a/test-app/Makefile b/test-app/Makefile
@@ -970,6 +970,11 @@ $(WOLFSSL_LOCAL_OBJDIR)/%.o: %.c
 	$(Q)mkdir -p $(dir $@)
 	$(Q)$(CC) $(WOLFSSL_CFLAGS) -c $(OUTPUT_FLAG) $@ $<
 
+$(WOLFSSL_LOCAL_OBJDIR)/%.o: %.S
+	@echo "\t[AS-$(ARCH)] $@"
+	$(Q)mkdir -p $(dir $@)
+	$(Q)$(CC) $(WOLFSSL_CFLAGS) -c $(OUTPUT_FLAG) $@ $<
+
 clean:
 	$(Q)rm -f *.bin *.elf tags *.o $(LSCRIPT) $(APP_OBJS) wcs/*.o
 	$(Q)rm -rf $(WOLFSSL_LOCAL_OBJDIR)
diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c
@@ -1088,8 +1088,9 @@ static int sign_digest(int sign, int hash_algo,
     if (sign == SIGN_ML_DSA) {
         /* Nothing else to do, ready to sign. */
         if (ret == 0) {
-            ret = wc_MlDsaKey_Sign(&key.ml_dsa, signature, signature_sz,
-                                   digest, digest_sz, &rng);
+            ret = wc_MlDsaKey_SignCtx(&key.ml_dsa, NULL, 0,
+                                      signature, signature_sz,
+                                      digest, digest_sz, &rng);
         }
         if (ret != 0) {
             fprintf(stderr, "error signing with ML-DSA: %d\n", ret);
