Fix for tools/scripts/va416x0/build_test.sh portability (MacOS)

Added option to support wolfCrypt test/benchmark in test-app
Add some checking if partition size is too large

Author: dgarske

Makefile

@@ -202,6 +202,7 @@ endif
 
 # Environment variables for sign tool
 SIGN_ENV=IMAGE_HEADER_SIZE=$(IMAGE_HEADER_SIZE) \
+		 WOLFBOOT_PARTITION_SIZE=$(WOLFBOOT_PARTITION_SIZE) \
 		 WOLFBOOT_SECTOR_SIZE=$(WOLFBOOT_SECTOR_SIZE) \
 		 ML_DSA_LEVEL=$(ML_DSA_LEVEL) \
 		 IMAGE_SIGNATURE_SIZE=$(IMAGE_SIGNATURE_SIZE) \

config/examples/vorago_va416x0.config

@@ -33,7 +33,7 @@ DUALBANK_SWAP?=0
 PKA?=0
 ENCRYPT=0
 WOLFTPM?=0
-OPTIMIZATION_LEVEL=1
+OPTIMIZATION_LEVEL=s
 
 # Optionally allow downgrade to older valid version in update partition
 ALLOW_DOWNGRADE?=0
@@ -45,11 +45,11 @@ NO_ARM_ASM?=0
 # Optional: Use smaller SHA512
 #CFLAGS_EXTRA+=-DUSE_SLOW_SHA512
 
-# 38KB boot, 108KB partitions, 2KB swap
+# Optimized: 46KB wolfboot, 104KB partitions, 2KB swap
 WOLFBOOT_SECTOR_SIZE?=0x800
-WOLFBOOT_PARTITION_SIZE?=0x1B000
-WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x9800
-WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x24800
+WOLFBOOT_PARTITION_SIZE?=0x1A000
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0xB800
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x25800
 WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x3F800
 
 # ML-DSA 5: 36KB boot, 96KB partitions, 12KB swap
@@ -81,3 +81,9 @@ WOLFBOOT_RESTORE_CLOCK?=1
 # Optional debugging
 #CFLAGS_EXTRA+=-DDEBUG_EXT_FLASH
 #CFLAGS_EXTRA+=-DTEST_EXT_FLASH
+
+# Optional: Enable wolfCrypt test and benchmark in test-app
+# Uncomment to enable
+# Note: Requires ~80-160KB additional flash and ~10-20KB RAM
+#WOLFCRYPT_TEST?=1
+#WOLFCRYPT_BENCHMARK?=1

include/user_settings.h

@@ -92,6 +92,7 @@ extern int tolower(int c);
 #   define NO_ED448_EXPORT
 #   define WOLFSSL_SHA3
 #   define WOLFSSL_SHAKE256
+#   define WOLFSSL_SHA512
 #endif
 
 /* ECC */
@@ -101,8 +102,8 @@ extern int tolower(int c);
     defined(WOLFBOOT_SIGN_SECONDARY_ECC256) || \
     defined(WOLFBOOT_SIGN_SECONDARY_ECC384) || \
     defined(WOLFBOOT_SIGN_SECONDARY_ECC521) || \
-    defined(WOLFCRYPT_SECURE_MODE)
-
+    defined(WOLFCRYPT_SECURE_MODE) || \
+    defined(WOLFCRYPT_TEST) || defined(WOLFCRYPT_BENCHMARK)
 
 #   define HAVE_ECC
 #   define ECC_TIMING_RESISTANT
@@ -118,6 +119,7 @@ extern int tolower(int c);
 
     /* Some ECC options are disabled to reduce size */
 #   if !defined(WOLFCRYPT_SECURE_MODE) && \
+       !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK) && \
        !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
        !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
 #       if !defined(WOLFBOOT_TPM)
@@ -138,6 +140,7 @@ extern int tolower(int c);
 #       endif
 #   else
 #       define HAVE_ECC_SIGN
+#       define HAVE_ECC_VERIFY
 #ifndef PKCS11_SMALL
 #       define HAVE_ECC_CDH
 #endif
@@ -147,6 +150,7 @@ extern int tolower(int c);
 #       define WOLFSSL_HAVE_SP_ECC
 #       define WOLFSSL_KEY_GEN
 #       define HAVE_ECC_KEY_EXPORT
+#       define HAVE_ECC_KEY_IMPORT
 #   endif
 
     /* SP MATH */
@@ -160,15 +164,18 @@ extern int tolower(int c);
 
     /* Curve */
 #   if defined(WOLFBOOT_SIGN_ECC256) || defined(WOLFCRYPT_SECURE_MODE) || \
-        defined(WOLFBOOT_SIGN_SECONDARY_ECC256)
+        defined(WOLFBOOT_SIGN_SECONDARY_ECC256) || \
+        defined(WOLFCRYPT_TEST) || defined(WOLFCRYPT_BENCHMARK)
 #       define HAVE_ECC256
 #   endif
 #   if defined(WOLFBOOT_SIGN_ECC384) || \
         defined(WOLFBOOT_SIGN_SECONDARY_ECC384) || \
-        defined(WOLFCRYPT_SECURE_MODE)
+        defined(WOLFCRYPT_SECURE_MODE) || \
+        defined(WOLFCRYPT_TEST) || defined(WOLFCRYPT_BENCHMARK)
 #       define HAVE_ECC384
 #       define WOLFSSL_SP_384
 #   endif
+    /* ECC521 only enabled if specifically requested (not for tests - too large) */
 #   if defined(WOLFBOOT_SIGN_ECC521) || \
         defined(WOLFBOOT_SIGN_SECONDARY_ECC521) || \
         defined(WOLFCRYPT_SECURE_MODE)
@@ -219,6 +226,7 @@ extern int tolower(int c);
 #   define RSA_LOW_MEM
 #   define WC_ASN_HASH_SHA256
 #   if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE) && \
+       !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK) && \
        !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
        !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
 #       define WOLFSSL_RSA_VERIFY_INLINE
@@ -305,15 +313,17 @@ extern int tolower(int c);
 #ifdef WOLFBOOT_HASH_SHA3_384
 #   define WOLFSSL_SHA3
 #   if defined(NO_RSA) && !defined(WOLFBOOT_TPM) && \
-    !defined(WOLFCRYPT_SECURE_MODE)
+        !defined(WOLFCRYPT_SECURE_MODE) && \
+        !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK)
 #       define NO_SHA256
 #   endif
 #endif
 
 #ifdef WOLFBOOT_HASH_SHA384
 #   define WOLFSSL_SHA384
 #   if defined(NO_RSA) && !defined(WOLFBOOT_TPM) && \
-    !defined(WOLFCRYPT_SECURE_MODE)
+    !defined(WOLFCRYPT_SECURE_MODE) && \
+    !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK)
 #       define NO_SHA256
 #   endif
 #ifndef WOLFSSL_SHA512
@@ -410,7 +420,8 @@ extern int tolower(int c);
 
 #if (defined(WOLFBOOT_TPM_SEAL) && defined(WOLFBOOT_ATA_DISK_LOCK)) || \
     defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) || \
-    defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
+    defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) || \
+    defined(WOLFCRYPT_TEST) || defined(WOLFCRYPT_BENCHMARK)
 #   define WOLFSSL_BASE64_ENCODE
 #else
 #   define NO_CODING
@@ -464,7 +475,8 @@ extern int tolower(int c);
     #endif
 #endif
 
-#if !defined(WOLFCRYPT_SECURE_MODE) && !defined(WOLFBOOT_TPM_PARMENC)
+#if !defined(WOLFCRYPT_SECURE_MODE) && !defined(WOLFBOOT_TPM_PARMENC) && \
+    !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK)
 #if !(defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
       defined(WOLFBOOT_SIGN_ML_DSA)) && \
     !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
@@ -473,23 +485,40 @@ extern int tolower(int c);
     #define WC_NO_HASHDRBG
     #define NO_AES_CBC
 #else
-    #define HAVE_HASHDRBG
-    #define WOLFSSL_AES_CFB
+    #if defined(WOLFCRYPT_TEST) || defined(WOLFCRYPT_BENCHMARK)
+        /* Use custom RNG for tests/benchmarks (saves ~7KB vs HASHDRBG).
+         * WARNING: my_rng_seed_gen is NOT cryptographically secure.
+         * Only used in test-app builds, not in production wolfBoot. */
+        #define WC_NO_HASHDRBG
+        #define CUSTOM_RAND_GENERATE_SEED my_rng_seed_gen
+        #define CUSTOM_RAND_GENERATE_BLOCK my_rng_seed_gen
+        extern int my_rng_seed_gen(unsigned char* output, unsigned int sz);
+    #else
+        #define HAVE_HASHDRBG
+        #define WOLFSSL_AES_CFB
+    #endif
 #endif
 
 
 #if !defined(ENCRYPT_WITH_AES128) && !defined(ENCRYPT_WITH_AES256) && \
-    !defined(WOLFBOOT_TPM_PARMENC) && !defined(WOLFCRYPT_SECURE_MODE)
+    !defined(WOLFBOOT_TPM_PARMENC) && !defined(WOLFCRYPT_SECURE_MODE) && \
+    !defined(SECURE_PKCS11) && !defined(WOLFCRYPT_TZ_PSA) && \
+    !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK)
     #define NO_AES
 #endif
 
-#if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE)
+#if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE) && \
+    !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK)
 #   define NO_HMAC
-#if !(defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
-      defined(WOLFBOOT_SIGN_ML_DSA)) &&          \
-    !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
-#define WC_NO_RNG
 #endif
+
+#if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE) && \
+    !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK)
+#   if !(defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
+       defined(WOLFBOOT_SIGN_ML_DSA)) &&          \
+      !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
+#   define WC_NO_RNG
+#   endif
 #   define WC_NO_HASHDRBG
 #   define NO_DEV_RANDOM
 #   if !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
@@ -534,9 +563,55 @@ extern int tolower(int c);
 #define NO_CHECK_PRIVATE_KEY
 #define NO_KDF
 
-#define BENCH_EMBEDDED
-#define NO_CRYPT_TEST
-#define NO_CRYPT_BENCHMARK
+/* wolfCrypt Test/Benchmark Configuration */
+#ifdef WOLFCRYPT_TEST
+    /* Skip extended tests to save memory */
+    #define NO_CRYPT_TEST_EXTENDED
+    /* Use smaller certificate buffers */
+    #define USE_CERT_BUFFERS_256
+    /* Override default NO_CRYPT_TEST */
+    #undef NO_CRYPT_TEST
+#else
+    #define NO_CRYPT_TEST
+#endif
+
+#ifdef WOLFCRYPT_BENCHMARK
+    /* Embedded benchmark mode */
+    #ifndef BENCH_EMBEDDED
+        #define BENCH_EMBEDDED
+    #endif
+    /* Override default NO_CRYPT_BENCHMARK */
+    #undef NO_CRYPT_BENCHMARK
+#else
+    #define NO_CRYPT_BENCHMARK
+#endif
+
+/* Common optimizations when test/benchmark enabled */
+#if defined(WOLFCRYPT_TEST) || defined(WOLFCRYPT_BENCHMARK)
+    #define NO_WRITE_TEMP_FILES
+
+    /* Use static memory pool to avoid system malloc dependency.
+     * benchmark.c provides gBenchMemory static buffer.
+     * Default is 50KB with BENCH_EMBEDDED, override for smaller targets */
+    #ifndef WOLFSSL_STATIC_MEMORY
+        #define WOLFSSL_STATIC_MEMORY
+    #endif
+    #ifndef WOLFSSL_STATIC_MEMORY_TEST_SZ
+        #define WOLFSSL_STATIC_MEMORY_TEST_SZ (10 * 1024)
+    #endif
+
+    /* Enable SP math digit operations */
+    #define WOLFSSL_SP_MUL_D
+
+    /* User time functions provided */
+    #define WOLFSSL_USER_CURRTIME
+    #define XTIME my_time
+    extern unsigned long my_time(unsigned long* timer);
+#endif
+
+#if !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK)
+    #define BENCH_EMBEDDED
+#endif
 
 #if defined(WOLFCRYPT_TZ_PSA)
 #undef NO_CMAC
@@ -566,7 +641,8 @@ extern int tolower(int c);
 #       define WOLFSSL_SP_NO_DYN_STACK
 #   endif
 #   if !defined(SECURE_PKCS11) && !defined(WOLFCRYPT_TZ_PSA) && \
-       !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
+       !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \
+       !defined(WOLFCRYPT_TEST) && !defined(WOLFCRYPT_BENCHMARK)
 #       define NO_WOLFSSL_MEMORY
 #       define WOLFSSL_NO_MALLOC
 #   endif

lib/wolfssl

@@ -720,11 +720,13 @@ static int wolfBoot_delta_update(struct wolfBoot_image *boot,
 #    endif
 #endif
 
-/* Reserve space for two sectors in case of NVM_FLASH_WRITEONCE, for redundancy */
+/* Max firmware size: partition must hold header + fw + trailer sector(s) */
 #ifndef NVM_FLASH_WRITEONCE
-    #define MAX_UPDATE_SIZE (size_t)((WOLFBOOT_PARTITION_SIZE - WOLFBOOT_SECTOR_SIZE))
+    #define MAX_UPDATE_SIZE (size_t)((WOLFBOOT_PARTITION_SIZE - \
+        IMAGE_HEADER_SIZE - WOLFBOOT_SECTOR_SIZE))
 #else
-    #define MAX_UPDATE_SIZE (size_t)((WOLFBOOT_PARTITION_SIZE - (2 *WOLFBOOT_SECTOR_SIZE)))
+    #define MAX_UPDATE_SIZE (size_t)((WOLFBOOT_PARTITION_SIZE - \
+        IMAGE_HEADER_SIZE - (2 * WOLFBOOT_SECTOR_SIZE)))
 #endif
 
 static int wolfBoot_get_total_size(struct wolfBoot_image* boot,

src/update_flash.c

@@ -1,5 +1,5 @@
-_Min_Heap_Size  = 0x00002000; /* required amount of heap  */
-_Min_Stack_Size = 0x00002000; /* required amount of stack */
+_Min_Heap_Size  = 0x00000100; /* minimal heap (not using malloc) */
+_Min_Stack_Size = 0x00003000; /* required amount of stack */
 
 /* Memory areas */
 MEMORY

test-app/ARM-va416x0.ld

@@ -95,6 +95,71 @@ ifeq ($(DEBUG_UART),1)
     APP_OBJS+=../src/string.o
 endif
 
+# wolfCrypt Test and Benchmark Support
+WOLFCRYPT_SUPPORT=0
+
+ifeq ($(WOLFCRYPT_TEST),1)
+  CFLAGS+=-DWOLFCRYPT_TEST
+  WOLFCRYPT_SUPPORT=1
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/test/test.o
+endif
+
+ifeq ($(WOLFCRYPT_BENCHMARK),1)
+  CFLAGS+=-DWOLFCRYPT_BENCHMARK
+  WOLFCRYPT_SUPPORT=1
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/benchmark/benchmark.o
+endif
+
+ifeq ($(WOLFCRYPT_SUPPORT),1)
+  # Add support infrastructure
+  APP_OBJS+=wolfcrypt_support.o
+  APP_OBJS+=syscalls.o
+
+  # Add wolfCrypt core implementation files
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/hash.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/wc_port.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/logging.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/misc.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/wolfmath.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/memory.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/asn.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/coding.o
+
+  # Add SHA implementations (needed for test/benchmark)
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sha256.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sha512.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/hmac.o
+
+  # Add RNG support (needed for ECC signing and tests)
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o
+
+  # Add AES support (needed by benchmark for AES-CBC etc.)
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/aes.o
+
+  # Add ECC support (needed by test suite)
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/ecc.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_int.o
+
+  # Add SP math implementations for ARM Cortex-M
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_cortexm.o
+  APP_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o
+
+  ifneq ($(NO_ARM_ASM),1)
+    APP_OBJS+= \
+          $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/arm/thumb2-aes-asm_c.o \
+          $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/arm/thumb2-sha256-asm_c.o \
+          $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/arm/thumb2-sha512-asm_c.o \
+          $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/arm/thumb2-sha3-asm_c.o \
+          $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/arm/thumb2-chacha-asm_c.o
+
+    CFLAGS+=-DWOLFSSL_ARMASM -DWOLFSSL_ARMASM_NO_HW_CRYPTO -DWOLFSSL_ARMASM_INLINE \
+                              -DWOLFSSL_ARMASM_NO_NEON -DWOLFSSL_ARMASM_THUMB2
+  endif
+
+  CFLAGS+=-DWOLFSSL_USER_SETTINGS
+  CFLAGS+=-I"$(WOLFBOOT_LIB_WOLFSSL)"
+endif
+
 ifeq ($(TZEN),1)
     CFLAGS+=-DNONSECURE_APP
     CFLAGS+=-I./
@@ -335,6 +400,17 @@ ifeq ($(TARGET),va416x0)
   ifneq ($(SIGN),NONE)
     APP_OBJS+=../src/keystore.o
   endif
+  # Reduce size: newlib-nano and section GC
+  LDFLAGS+=--specs=nano.specs
+  ifneq ($(WOLFCRYPT_SUPPORT),1)
+    # Only use nosys stubs when not providing our own syscalls
+    LDFLAGS+=--specs=nosys.specs
+  endif
+  ifeq ($(WOLFCRYPT_BENCHMARK),1)
+    # Benchmark needs float printf for results
+    LDFLAGS+=-u _printf_float
+  endif
+  CFLAGS+=-ffunction-sections -fdata-sections
 endif
 
 ifeq ($(TARGET),sim)