Add cert chain verification via wolfHSM on sim and TC3xx #574

dgarske merged 7 commits into wolfSSL:master from
Conversation
Not sure why footprint test is failing since AFAICT, all the code is guarded by the appropriate feature flags...investigating
Pull Request Overview
This PR adds end-to-end support for embedding and verifying certificate chains in firmware images using wolfHSM, including tooling, simulator configuration, and documentation updates.
- Implements TLV support for a certificate chain in the sign tool and adjusts header sizing
- Extends the bootloader to extract, verify, and cache the leaf public key via wolfHSM
- Introduces a helper script to generate dummy chains for simulator tests and updates docs/configs
Reviewed Changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| tools/keytools/sign.c | Add HDR_CERT_CHAIN TLV, CLI flag, header sizing, and loading |
| src/image.c | Extract and verify chain, cache leaf key ID, use in verify |
| include/wolfboot/wolfboot.h | Define new HDR_CERT_CHAIN constant |
| include/hal.h | Declare new root-CA NVM ID extern |
| hal/sim.c | Define hsmClientNvmIdCertRootCA for simulator |
| tools/scripts/sim-gen-dummy-chain.sh | New script to generate dummy cert chains for tests |
| options.mk | Add CERT_CHAIN_VERIFY build flags and SIGN_OPTIONS injection |
| tools/test.mk, Makefile | Switch SIGN_ARGS → SIGN_OPTIONS for signing invocations |
| docs/*.md | Document certificate chain verification setup and usage |
| config/examples/sim-*.config | Add sim example for cert-chain verification |
| .github/workflows/test-*.yml | Add CI matrix entry for cert-chain simulator test |
Comments suppressed due to low confidence (1)
docs/firmware_update.md:227
- Capitalization error: "in this mode of operation" should start with an uppercase 'In'.
wolfBoot supports authenticating images using certificate chains instead of raw public keys. in this mode of operation, a certificate chain is included in the image manifest header, and the image is signed with the private key corresponding to the leaf certificate identity (signer cert). On boot, wolfBoot verifies the trust of the certificate chain (and therefore the signer cert) against a trusted root CA stored in the wolfHSM server, and if the chain is trusted, verifies the authenticity of the firmware image using the public key from the leaf certificate.
Looks like the footprint test failing is just a consequence of updating wolfSSL (which is unfortunately required for this PR due to usage of new ASN APIs). I can try and diagnose but might be helpful to have someone else look at this too. In addition to code size increases, updating to wolfSSL after wolfSSL/wolfssl#8725 also breaks our build. A fix for that is pending in wolfSSL/wolfssl#8806
1947ab8 to be9b21d
@dgarske @danielinux Got it to work on TC3xx with some small tweaks, so went ahead and just pushed those to get it all in one PR. David there is only one small change to wolfBoot code you already reviewed (now defaulting to DMA signature verification if enabled in wolfHSM) otherwise all the changes are isolated to TC3xx. Ready for (re)review
@dgarske this was approved by @danielinux (dismissed by my last formatting fix) and is ready for your final review and merge |
Adds certificate chain verification for firmware image authenticity to wolfBoot using the wolfHSM cert chain verification API.
At a high level, wolfBoot verifies a chain in the image manifest header consisting of multiple intermediates and a leaf (signing) cert against a trusted root CA stored in the HSM NVM. If the chain verifies as trusted, then the public key in the leaf/signing cert is cached on the server and used to verify the firmware.
Right now wolfHSM compatibility is the only way to use this feature, however an additional native mechanism using the wolfBoot keystore or other providers could be added in the future.
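As an added illustration of the bootloader-side handling the PR summary and the description above talk about (locating the certificate-chain TLV in the manifest header and splitting it into individual certificates before handing it to the HSM), here is a small Python model. It is example code written for this page, not wolfBoot's or wolfHSM's own code: the header layout (magic, size, then 16-bit type / 16-bit length TLVs), the tag values, the `HDR_CERT_CHAIN` number and the certificates are all constructed assumptions. The actual trust decision against the root CA in HSM NVM, the caching of the leaf key and the firmware signature check happen inside wolfHSM and are deliberately not modelled; what the example shows is the bounds checking a bootloader must do on attacker-controlled length fields before any of that happens.

```python
"""Model of walking a manifest header to pull out an embedded certificate chain.

Header layout, tag numbers and sample certificates below are constructed for
illustration and are NOT wolfBoot's real format or constants.
"""
import struct

HDR_MAGIC = 0x464C4F57        # constructed magic value
HDR_VERSION = 0x0001          # constructed tag for a version TLV
HDR_CERT_CHAIN = 0x0040       # constructed tag; the real value lives in wolfboot.h
HDR_END = 0x0000              # constructed end-of-header marker


def iter_tlvs(header: bytes):
    """Yield (type, value) pairs, rejecting any length that leaves the header.

    Every length field comes from the image, i.e. from untrusted input, so it is
    checked against the buffer before being used to slice.
    """
    if len(header) < 8 or struct.unpack_from("<I", header, 0)[0] != HDR_MAGIC:
        raise ValueError("bad magic or header too short")
    off = 8  # skip magic and image-size fields
    while off < len(header):
        if off + 4 > len(header):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack_from("<HH", header, off)
        if tlv_type == HDR_END:
            return
        off += 4
        if off + tlv_len > len(header):
            raise ValueError("TLV length exceeds header")
        yield tlv_type, header[off:off + tlv_len]
        off += tlv_len


def der_item_length(buf: bytes, off: int) -> int:
    """Total encoded size (tag + length bytes + body) of the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER element")
    first = buf[off + 1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        raise ValueError("bad DER length encoding")
    body = int.from_bytes(buf[off + 2:off + 2 + n], "big")
    return 2 + n + body


def split_der_chain(blob: bytes) -> list:
    """Split concatenated DER certificates (each a SEQUENCE) into a list."""
    certs, off = [], 0
    while off < len(blob):
        if blob[off] != 0x30:
            raise ValueError("expected SEQUENCE tag")
        size = der_item_length(blob, off)
        if off + size > len(blob):
            raise ValueError("certificate runs past end of chain")
        certs.append(blob[off:off + size])
        off += size
    return certs


def parse_cert_chain(header: bytes):
    """Return ("ok", [certs]) or ("reject", reason) for a manifest header."""
    try:
        for tlv_type, value in iter_tlvs(header):
            if tlv_type == HDR_CERT_CHAIN:
                return "ok", split_der_chain(value)
        return "reject", "no certificate chain in header"
    except ValueError as err:
        return "reject", str(err)


def build_header(tlvs, image_size: int = 0) -> bytes:
    """Assemble a header in the constructed layout (sign-tool side)."""
    body = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in tlvs)
    body += struct.pack("<HH", HDR_END, 0)
    return struct.pack("<II", HDR_MAGIC, image_size) + body


# Constructed stand-ins for DER certificates: one with a long-form length
# (intermediate) and one with a short-form length (leaf). Not real X.509.
FAKE_INTERMEDIATE = b"\x30\x81\xc8" + b"\xaa" * 200
FAKE_LEAF = b"\x30\x03\x02\x01\x05"
CONSTRUCTED_CHAIN = FAKE_INTERMEDIATE + FAKE_LEAF
SAMPLE_HEADER = build_header([(HDR_VERSION, b"\x01\x00\x00\x00"),
                              (HDR_CERT_CHAIN, CONSTRUCTED_CHAIN)], 4096)

if __name__ == "__main__":
    print(parse_cert_chain(SAMPLE_HEADER)[0], "- certs:",
          [len(c) for c in parse_cert_chain(SAMPLE_HEADER)[1]])
    print(parse_cert_chain(SAMPLE_HEADER[:-20]))   # truncated header is rejected
```

The split list is what would be handed to the HSM for chain verification; the order in which the signing tool lays out intermediates and leaf inside the TLV is a convention of the tooling and is not assumed here.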