feat: add riscv-bare-metal feature for Caliptra firmware targets

MarkAtwood · claude · MarkAtwood · commit ff51620af5d5 · 2026-03-25T14:01:24.000-07:00
Adds support for building wolfCrypt targeting riscv32imc-unknown-none-elf
(Caliptra firmware). New files in wolfssl-src:

  user_settings_riscv.h         — minimal wolfSSL config: single-threaded,
    no filesystem, custom RNG seeded from caliptra_generate_seed(),
    STRING_USER with __builtin_mem* instead of libc
  riscv_bare_metal_helpers.c    — bare-metal strncat/strnstr/strcasecmp
    implemented with __builtin_memcpy/memcmp only, no libc

The riscv-bare-metal feature is wired through the full dependency chain:
wolfssl-src → wolfcrypt-sys → wolfcrypt-rs → wolfcrypt → wolfcrypt-dpe.

wolfssl-src selects user_settings_riscv.h over user_settings.h when the
feature is active, copies it to OUT_DIR as user_settings.h so it shadows
the default, and compiles only ssl.c (which includes the remaining
translation units as a unity build on this target).

wolfcrypt-sys/build.rs threads the RISC-V settings dir into bindgen and
drops the ../../wolfssl adjacent-repo fallback that was only useful in
a specific local checkout layout.

wolfcrypt-rs now parses LIBWOLFSSL_VERSION_STRING from wolfssl/version.h
at build time and exposes it as pub const WOLFSSL_VERSION: &amp;str for
runtime diagnostics.

wolfcrypt-dpe is now unconditionally #![no_std] (the std feature gate
was the only thing keeping it conditional) and bumps caliptra-dpe to
fw-2.1.0 (rev cfc9a713), which renamed its workspace packages from
caliptra-dpe-crypto/caliptra-dpe/caliptra-dpe-platform to
crypto/dpe/platform.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/wolfcrypt-dpe-conformance/Cargo.toml b/wolfcrypt-dpe-conformance/Cargo.toml
@@ -1,19 +1,22 @@
 [package]
 name = "wolfcrypt-dpe-conformance"
+authors = ["WolfSSL Inc"]
 version = "0.1.0"
 edition = "2021"
 license = "MIT"
-publish = false
 description = "Cross-validation and conformance tests for wolfcrypt-dpe against caliptra-dpe reference"
-keywords = ["wolfcrypt", "wolfssl", "fips"]
+homepage = "http://wolfssl.com"
+repository = "https://github.com/wolfSSL/wolfssl-rs"
+keywords = ["wolfcrypt", "wolfssl", "fips", "caliptra", "dpe"]
+categories = ["cryptography"]
 
 [lib]
 path = "src/lib.rs"
 
 [dev-dependencies]
 # === Wolf backend ===
-wolfcrypt-dpe = { path = "../wolfcrypt-dpe" }
-wolfcrypt-ring-compat = { path = "../wolfcrypt-ring-compat", default-features = false, features = ["wolfcrypt-rs", "alloc"] }
+wolfcrypt-dpe = { version = "0.1.0", path = "../wolfcrypt-dpe" }
+wolfcrypt-ring-compat = { version = "1.0", path = "../wolfcrypt-ring-compat", default-features = false, features = ["wolfcrypt-rs", "alloc"] }
 
 # === Reference backend (RustCrypto) — same crypto crate with rustcrypto feature ===
 caliptra-dpe-crypto = { git = "https://github.com/chipsalliance/caliptra-dpe", rev = "6dfc502a30d443e5e054db1344a97eeb823ea5b9", package = "caliptra-dpe-crypto", default-features = false, features = ["rustcrypto"] }
diff --git a/wolfcrypt-dpe/Cargo.toml b/wolfcrypt-dpe/Cargo.toml
@@ -1,41 +1,43 @@
 [package]
 name = "wolfcrypt-dpe"
+authors = ["WolfSSL Inc"]
 version = "0.1.0"
 edition = "2021"
 license = "MIT"
-keywords = ["wolfcrypt", "wolfssl", "fips"]
+description = "Caliptra DPE Crypto trait implementation backed by wolfCrypt"
+homepage = "http://wolfssl.com"
+repository = "https://github.com/wolfSSL/wolfssl-rs"
+keywords = ["wolfcrypt", "wolfssl", "fips", "caliptra", "dpe"]
+categories = ["cryptography"]
 
 [lib]
 name = "wolfcrypt_dpe"
 
-# For no_std targets (e.g. Caliptra), depend with:
-#   wolfcrypt-dpe = { ..., default-features = false }
 [features]
-default = ["std"]
-std = ["wolfcrypt/digest", "wolfcrypt/rand"]
+riscv-bare-metal = ["wolfcrypt/riscv-bare-metal"]
 
 [dependencies]
 # wolfcrypt from the local workspace -- the ONLY crypto dependency
-wolfcrypt = { path = "../wolfcrypt", default-features = false, features = [
+wolfcrypt = { version = "0.1.0", path = "../wolfcrypt", default-features = false, features = [
     "digest", "hkdf", "ecdsa", "rand",
 ] }
 
 # RustCrypto traits used in the public/internal API
-digest_trait = { package = "digest", version = "0.10" }
-signature_trait = { package = "signature", version = "2.2" }
-rand_core = "0.10"
+digest_trait = { package = "digest", version = "0.10", default-features = false }
+signature_trait = { package = "signature", version = "2.2", default-features = false }
+rand_core = { version = "0.10", default-features = false }
 
 # Constant-time comparison
-subtle = "2"
-zeroize = "1"
+subtle = { version = "2", default-features = false }
+zeroize = { version = "1", default-features = false }
 
-# caliptra-dpe crypto trait -- pinned to exact commit
-caliptra-dpe-crypto = { git = "https://github.com/chipsalliance/caliptra-dpe", rev = "6dfc502a30d443e5e054db1344a97eeb823ea5b9", package = "caliptra-dpe-crypto", default-features = false }
+# caliptra-dpe crypto trait -- pinned to exact commit (fw-2.1.0)
+caliptra-dpe-crypto = { git = "https://github.com/chipsalliance/caliptra-dpe", rev = "cfc9a713882ca562a0ae6565198129e6da121a42", package = "crypto", default-features = false }
 
 [dev-dependencies]
 hex = "0.4"
 
 # DPE engine + platform for integration tests (same pinned commit as crypto trait)
-caliptra-dpe = { git = "https://github.com/chipsalliance/caliptra-dpe", rev = "6dfc502a30d443e5e054db1344a97eeb823ea5b9", package = "caliptra-dpe", default-features = false, features = ["p384"] }
-caliptra-dpe-platform = { git = "https://github.com/chipsalliance/caliptra-dpe", rev = "6dfc502a30d443e5e054db1344a97eeb823ea5b9", package = "caliptra-dpe-platform", default-features = false, features = ["rustcrypto"] }
+caliptra-dpe = { git = "https://github.com/chipsalliance/caliptra-dpe", rev = "cfc9a713882ca562a0ae6565198129e6da121a42", package = "dpe", default-features = false, features = ["p384"] }
+caliptra-dpe-platform = { git = "https://github.com/chipsalliance/caliptra-dpe", rev = "cfc9a713882ca562a0ae6565198129e6da121a42", package = "platform", default-features = false, features = ["rustcrypto"] }
 caliptra-cfi-lib = { git = "https://github.com/chipsalliance/caliptra-cfi.git", package = "caliptra-cfi-lib", rev = "767d4ef59a106aea683b883c07bd65456fb3ba6b", default-features = false, features = ["cfi-test"] }
diff --git a/wolfcrypt-dpe/src/lib.rs b/wolfcrypt-dpe/src/lib.rs
@@ -3,13 +3,9 @@
 //! This crate does NOT contain any FFI code. All cryptographic operations
 //! are performed through the safe Rust API of the `wolfcrypt` crate.
 
-#![cfg_attr(not(feature = "std"), no_std)]
+#![no_std]
 
 extern crate alloc;
-/// Prelude for no_std compatibility.
-///
-/// When `std` is disabled, re-exports core alloc types so that consumer
-/// modules can `use crate::prelude::*` without caring about the feature.
 pub(crate) mod prelude {
     pub use alloc::vec;
     pub use alloc::vec::Vec;
diff --git a/wolfcrypt-rs/Cargo.toml b/wolfcrypt-rs/Cargo.toml
@@ -2,10 +2,13 @@
 name = "wolfcrypt-rs"
 description = "Low-level FFI bindings for wolfSSL/wolfCrypt cryptographic library."
 version = "0.1.0"
-authors = ["wolfSSL"]
+authors = ["WolfSSL Inc"]
 edition = "2021"
 license = "MIT"
-keywords = ["wolfcrypt", "wolfssl", "fips"]
+homepage = "http://wolfssl.com"
+repository = "https://github.com/wolfSSL/wolfssl-rs"
+keywords = ["wolfcrypt", "wolfssl", "fips", "cryptography"]
+categories = ["cryptography"]
 rust-version = "1.71.0"
 build = "build.rs"
 links = "wolfssl"
@@ -16,6 +19,7 @@ wolfcrypt-sys = { version = "0.1.0", path = "../wolfcrypt-sys", default-features
 [features]
 default = []
 fips = ["wolfcrypt-sys/fips"]
+riscv-bare-metal = ["wolfcrypt-sys/riscv-bare-metal"]
 
 [build-dependencies]
 cc = { workspace = true, features = ["parallel"] }
diff --git a/wolfcrypt-rs/build.rs b/wolfcrypt-rs/build.rs
@@ -43,6 +43,21 @@ fn main() {
 
     let mut shim_build = cc::Build::new();
     shim_build.include(&wolfssl_include);
+    // For riscv-bare-metal, put OUT_DIR first so the RISC-V user_settings.h
+    // shadows the default one, and add bare-metal stub headers.
+    if cfg!(feature = "riscv-bare-metal") {
+        let out_dir = env::var("OUT_DIR").unwrap();
+        shim_build.include(&out_dir);
+        if let Ok(stubs) = env::var("WOLFSSL_BARE_METAL_STUBS") {
+            shim_build.include(&stubs);
+        }
+        // Copy RISC-V settings to our OUT_DIR too
+        let src_settings = std::path::Path::new(&settings_include).join("user_settings_riscv.h");
+        let dst = std::path::Path::new(&out_dir).join("user_settings.h");
+        if src_settings.exists() && !dst.exists() {
+            std::fs::copy(&src_settings, &dst).ok();
+        }
+    }
     shim_build.include(&settings_include);
     if vendored {
         shim_build.define("WOLFSSL_USER_SETTINGS", None);
@@ -75,6 +90,9 @@ fn main() {
         .unwrap_or_else(|_| panic!("DEP_WOLFCRYPT_SYS_LIBCRYPTO not set — is wolfcrypt-sys a dependency?")));
     println!("cargo:VENDORED={}", env::var("DEP_WOLFCRYPT_SYS_VENDORED")
         .unwrap_or_else(|_| panic!("DEP_WOLFCRYPT_SYS_VENDORED not set — is wolfcrypt-sys a dependency?")));
+    let version = env::var("DEP_WOLFCRYPT_SYS_VERSION").unwrap_or_else(|_| "unknown".to_string());
+    println!("cargo:VERSION={version}");
+    println!("cargo:rustc-env=WOLFSSL_VERSION={version}");
 
     // --- rerun-if-changed ---
     println!("cargo:rerun-if-changed=build.rs");
diff --git a/wolfcrypt-rs/src/lib.rs b/wolfcrypt-rs/src/lib.rs
@@ -48,6 +48,12 @@ pub const CHACHA_ALLOC_SIZE: usize = 128;
 #[cfg(wolfssl_chacha20_poly1305)]
 pub const CHACHA_POLY_AEAD_ALLOC_SIZE: usize = 192;
 
+/// Version string of the linked wolfSSL C library (e.g. `"5.7.4"`).
+///
+/// Set at compile time from `LIBWOLFSSL_VERSION_STRING` in `wolfssl/version.h`.
+/// Returns `"unknown"` if the header was not found during the build.
+pub const WOLFSSL_VERSION: &str = env!("WOLFSSL_VERSION");
+
 // ================================================================
 // Opaque types (used behind pointers)
 // ================================================================
diff --git a/wolfcrypt-sys/Cargo.toml b/wolfcrypt-sys/Cargo.toml
@@ -1,16 +1,21 @@
 [package]
 name = "wolfcrypt-sys"
+authors = ["WolfSSL Inc"]
 version = "0.1.0"
 edition = "2021"
 description = "Auto-generated Rust FFI bindings to wolfSSL via bindgen"
 license = "MIT"
-keywords = ["wolfcrypt", "wolfssl", "fips"]
+homepage = "http://wolfssl.com"
+repository = "https://github.com/wolfSSL/wolfssl-rs"
+keywords = ["wolfcrypt", "wolfssl", "fips", "ffi", "cryptography"]
+categories = ["cryptography"]
 links = "wolfcrypt_sys"
 
 [features]
 default = []
 fips = []
 vendored = []
+riscv-bare-metal = ["wolfssl-src/riscv-bare-metal"]
 
 [build-dependencies]
 bindgen = "0.72.0"
diff --git a/wolfcrypt-sys/build.rs b/wolfcrypt-sys/build.rs
@@ -7,8 +7,7 @@
 //   2. WOLFSSL_DIR                            → install prefix (lib/ + include/)
 //   3. `vendored` feature / WOLFSSL_SRC       → compile via wolfssl-src
 //   4. pkg-config                             → system library
-//   5. ../../wolfssl exists                   → compile via wolfssl-src
-//   6. panic with instructions
+//   5. panic with instructions
 
 use std::collections::HashSet;
 use std::env;
@@ -208,6 +207,12 @@ fn generate_bindings(
             builder = builder.clang_arg(format!("-I{}", settings_dir.display()));
         }
         builder = builder.clang_arg("-DWOLFSSL_USER_SETTINGS");
+        // For riscv-bare-metal, add stub headers (stdio.h, etc.)
+        if cfg!(feature = "riscv-bare-metal") {
+            if let Ok(stubs) = env::var("WOLFSSL_BARE_METAL_STUBS") {
+                builder = builder.clang_arg(format!("-I{}", stubs));
+            }
+        }
     } else {
         // For system/pkg-config builds, tell settings.h to pull in options.h
         // so that all feature flags (TLS 1.3, SNI, etc.) are visible to bindgen.
@@ -269,8 +274,7 @@ fn main() {
     //   2. WOLFSSL_DIR                           → install prefix
     //   3. vendored feature / WOLFSSL_SRC        → wolfssl-src
     //   4. pkg-config                            → system
-    //   5. ../../wolfssl fallback                → wolfssl-src
-    //   6. panic
+    //   5. panic
 
     if let (Ok(lib_dir), Ok(include_dir)) = (
         env::var("WOLFSSL_LIB_DIR"),
@@ -295,21 +299,15 @@ fn main() {
     } else if let Some((include_dir, lib_dirs, defines)) = try_pkg_config() {
         do_system(&include_dir, &lib_dirs, &manifest_dir, &defines, is_fips);
     } else {
-        // Last resort: try vendored build if source exists
-        let candidate = manifest_dir.join("..").join("..").join("wolfssl");
-        if candidate.exists() {
-            do_vendored(&manifest_dir, is_fips);
-        } else {
-            panic!(
-                "wolfSSL not found. Either:\n  \
-                 - Install wolfssl and ensure pkg-config can find it\n  \
-                 - Set WOLFSSL_DIR to a wolfssl install prefix\n  \
-                 - Set WOLFSSL_LIB_DIR and WOLFSSL_INCLUDE_DIR\n  \
-                 - Enable the `vendored` feature and set WOLFSSL_SRC\n  \
-                 - Clone wolfssl adjacent to this workspace:\n    \
-                   git clone https://github.com/wolfSSL/wolfssl.git"
-            );
-        }
+        panic!(
+            "wolfSSL not found. Either:\n  \
+             - Install wolfssl and ensure pkg-config can find it\n  \
+             - Set WOLFSSL_DIR to a wolfssl install prefix\n  \
+             - Set WOLFSSL_LIB_DIR and WOLFSSL_INCLUDE_DIR\n  \
+             - Enable the `vendored` feature and set WOLFSSL_SRC\n  \
+             - Clone wolfssl: git clone https://github.com/wolfSSL/wolfssl.git\n    \
+               then set WOLFSSL_SRC to the cloned path"
+        );
     }
 
     println!("cargo:rerun-if-changed=build.rs");
@@ -370,12 +368,19 @@ fn do_vendored(manifest_dir: &Path, is_fips: bool) {
     let artifacts = builder.build();
     let active_cfgs = emit_cfg_flags(&artifacts.defines);
 
+    // For riscv-bare-metal, bindgen must see the RISC-V user_settings.h
+    // (copied to OUT_DIR by wolfssl-src) rather than the default.
+    let settings_dir = if cfg!(feature = "riscv-bare-metal") {
+        PathBuf::from(env::var("OUT_DIR").unwrap())
+    } else {
+        artifacts.settings_include_dir.clone()
+    };
     generate_bindings(
         &artifacts.include_dir,
         manifest_dir,
         is_fips,
         true,
-        Some(&artifacts.settings_include_dir),
+        Some(&settings_dir),
     );
 
     emit_metadata(
@@ -412,6 +417,25 @@ fn do_system(
     emit_metadata(&active_cfgs, include_dir, include_dir, "", lib_dirs, false);
 }
 
+/// Parse `LIBWOLFSSL_VERSION_STRING` from `<include_dir>/wolfssl/version.h`.
+fn parse_wolfssl_version(include_dir: &Path) -> String {
+    let version_h = include_dir.join("wolfssl").join("version.h");
+    let content = match std::fs::read_to_string(&version_h) {
+        Ok(s) => s,
+        Err(_) => return "unknown".to_string(),
+    };
+    for line in content.lines() {
+        let trimmed = line.trim();
+        if let Some(rest) = trimmed.strip_prefix("#define LIBWOLFSSL_VERSION_STRING") {
+            let rest = rest.trim();
+            if let Some(ver) = rest.strip_prefix('"').and_then(|s| s.strip_suffix('"')) {
+                return ver.to_string();
+            }
+        }
+    }
+    "unknown".to_string()
+}
+
 /// Emit cargo metadata for downstream crates.
 fn emit_metadata(
     active_cfgs: &[String],
@@ -421,6 +445,8 @@ fn emit_metadata(
     lib_dirs: &[PathBuf],
     vendored: bool,
 ) {
+    let version = parse_wolfssl_version(include_dir);
+    println!("cargo:VERSION={version}");
     println!("cargo:CFGS={}", active_cfgs.join(","));
     println!("cargo:ALL_CFGS={}", ALL_WOLFSSL_CFGS.join(","));
     println!("cargo:INCLUDE={}", include_dir.display());
diff --git a/wolfcrypt/Cargo.toml b/wolfcrypt/Cargo.toml
@@ -4,11 +4,16 @@
 
 [package]
 name = "wolfcrypt"
+authors = ["WolfSSL Inc"]
 version = "0.1.0"
 edition = "2021"
 rust-version = "1.71.0"
 license = "MIT"
-keywords = ["wolfcrypt", "wolfssl", "fips"]
+description = "RustCrypto trait implementations backed by wolfCrypt"
+homepage = "http://wolfssl.com"
+repository = "https://github.com/wolfSSL/wolfssl-rs"
+keywords = ["wolfcrypt", "wolfssl", "fips", "rustcrypto", "cryptography"]
+categories = ["cryptography"]
 
 [features]
 default = ["digest", "rand"]
@@ -41,9 +46,10 @@ rsa-direct = ["rsa", "rand"]
 cryptocb = []
 hpke     = ["rand"]
 fips     = ["wolfcrypt-rs/fips"]
+riscv-bare-metal = ["wolfcrypt-rs/riscv-bare-metal"]
 
 [dependencies]
-wolfcrypt-rs = { path = "../wolfcrypt-rs" }
+wolfcrypt-rs = { version = "0.1.0", path = "../wolfcrypt-rs" }
 
 # RustCrypto trait crates (renamed to avoid module name collision).
 #
diff --git a/wolfssl-src/Cargo.toml b/wolfssl-src/Cargo.toml
@@ -1,10 +1,20 @@
 [package]
 name = "wolfssl-src"
+authors = ["WolfSSL Inc"]
 version = "0.1.0"
 edition = "2021"
 description = "Compile wolfSSL from source for use by wolfcrypt-sys"
 license = "MIT"
-keywords = ["wolfcrypt", "wolfssl", "fips"]
+homepage = "http://wolfssl.com"
+repository = "https://github.com/wolfSSL/wolfssl-rs"
+keywords = ["wolfcrypt", "wolfssl", "fips", "cryptography"]
+categories = ["cryptography"]
+
+[features]
+default = []
+# Use the minimal bare-metal user_settings_riscv.h instead of the full
+# user_settings.h.  Intended for riscv32imc-unknown-none-elf targets.
+riscv-bare-metal = []
 
 [dependencies]
 cc = { version = "1.2.26", features = ["parallel"] }
diff --git a/wolfssl-src/riscv_bare_metal_helpers.c b/wolfssl-src/riscv_bare_metal_helpers.c
diff --git a/wolfssl-src/src/lib.rs b/wolfssl-src/src/lib.rs
diff --git a/wolfssl-src/user_settings_riscv.h b/wolfssl-src/user_settings_riscv.h
