wolfCrypt on TI C2000 C28x (LAUNCHXL-F28P55X) #10724
Draft
dgarske wants to merge 6 commits into
Pull request overview
This PR adds and CI-guards a bare-metal wolfCrypt port for TI C2000 C28x targets where CHAR_BIT == 16, introducing gated fixes so hashing, DRBG, ML-DSA verify, and SP-math ECC work correctly when a C “byte” is wider than 8 bits.
Changes:
- Introduces `WOLFSSL_NO_OCTET_BYTE` detection and uses octet-wise load/store paths to avoid invalid byte/word aliasing on `CHAR_BIT != 8` targets (SHA-256/512 family, SHA-3/SHAKE, Base64 CT decode, DRBG helpers, rotate helpers).
- Adds “smallest memory” ML-DSA verify mode that streams `z` per polynomial to reduce pinned RAM in `wc_MlDsaKey`.
- Adds TI C2000 compile-only guard scripts plus a GitHub Actions workflow that downloads the TI CGT and compiles a scoped subset.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/wc_port.h | Makes atomic arg type selection robust for 16-bit int by also checking UINT_MAX. |
| wolfssl/wolfcrypt/wc_mldsa.h | Adds WOLFSSL_MLDSA_VERIFY_SMALLEST_MEM struct layout variant for reduced verify RAM. |
| wolfssl/wolfcrypt/types.h | Adds WOLFSSL_NO_OCTET_BYTE auto-detection; adjusts WC_16BIT_CPU 64-bit availability behavior. |
| wolfssl/wolfcrypt/sp_int.h | Adds support for unsigned char being 16-bit (no native 8-bit type). |
| wolfssl/wolfcrypt/settings.h | Requires explicit opt-in for SP math on 16-bit-int CPUs via WOLFSSL_SP_ALLOW_16BIT_CPU. |
| wolfssl/wolfcrypt/dilithium.h | Adds smallest-mem verify gating and defaults slow Montgomery reduction macros on WC_16BIT_CPU. |
| wolfcrypt/test/test.c | Switches large-digest constants from C strings to byte[] to avoid CHAR_BIT!=8 pitfalls. |
| wolfcrypt/src/wc_port.c | Fixes init-state static assert to use CHAR_BIT instead of hardcoded 8. |
| wolfcrypt/src/wc_mldsa.c | Adds octet-masking for packed bytes and fixes integer-promotion/sign issues on 16-bit int; adds streaming z verify path. |
| wolfcrypt/src/sha512.c | Adds octet-wise word load/store and corrects length carry/length placement for CHAR_BIT!=8. |
| wolfcrypt/src/sha3.c | Forces bytewise Keccak absorb/squeeze for WOLFSSL_NO_OCTET_BYTE and adds squeeze helper. |
| wolfcrypt/src/sha256.c | Adds octet-wise word load/store and corrects length carry/length placement for CHAR_BIT!=8. |
| wolfcrypt/src/random.c | Fixes DRBG serialization/addition helpers for non-8-bit “byte” targets. |
| wolfcrypt/src/misc.c | Fixes rotate helpers to use CHAR_BIT-based bit width when needed. |
| wolfcrypt/src/coding.c | Ensures Base64 CT decode returns 0xFF for invalid chars even when byte is wider than 8 bits. |
| wolfcrypt/benchmark/benchmark.c | Adds static buffers for WOLFSSL_NO_MALLOC benchmarking and adjusts frees/allocations accordingly. |
| scripts/ti-c2000/user_settings.h | Adds minimal CI-only config for cl2000 compile-guard. |
| scripts/ti-c2000/compile.sh | Adds compile-only script to build a scoped source set with TI cl2000. |
| .github/workflows/ti-c2000-compile.yml | Adds CI workflow to download/cache TI CGT and run the compile-only guard. |
20e4053 to 39c343a
…I C2000 C28x) - core types, misc octet helpers, base64, DRBG
… for CHAR_BIT != 8
…MLDSA_VERIFY_SMALLEST_MEM
…n for CHAR_BIT != 8
…I C2000 compile CI and docs
Comment on lines +429 to 432
| #if !defined(MICROCHIP_PIC24) && \ | ||
| !(defined(SIZEOF_LONG_LONG) && (SIZEOF_LONG_LONG == 8)) | ||
| #undef WORD64_AVAILABLE | ||
| #endif |
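Review bot: The `SIZEOF_LONG_LONG == 8` test in this `#if` reads as an octet count, but on a `CHAR_BIT == 16` target a 64-bit `long long` has `sizeof` 4, so a build that derives `SIZEOF_LONG_LONG` from `sizeof` would lose `WORD64_AVAILABLE` even though a 64-bit type exists. Add a comment stating which unit the macro is expected to carry here, or test the type's range through `ULLONG_MAX` from `<limits.h>`, in the same spirit as the `UINT_MAX` check described for wc_port.h.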
Comment on lines +691 to +714
| void BlockSha3(word64* s) | ||
| { | ||
| word32* sp = (word32*)s; | ||
| const word32* rc = (const word32*)hash_keccak_r; | ||
| word32 sl[25], sh[25], nl[25], nh[25], bl[5], bh[5]; | ||
| word32 i, k; | ||
|
|
||
| for (k = 0; k < 25; k++) { | ||
| sl[k] = sp[2 * k]; | ||
| sh[k] = sp[2 * k + 1]; | ||
| } | ||
| for (i = 0; i < 24; i += 2) { | ||
| WC_SHA3_THETA(sl, sh); | ||
| WC_SHA3_ROWMIX(nl, nh, sl, sh); | ||
| nl[0] ^= rc[2 * i]; nh[0] ^= rc[2 * i + 1]; | ||
| WC_SHA3_THETA(nl, nh); | ||
| WC_SHA3_ROWMIX(sl, sh, nl, nh); | ||
| sl[0] ^= rc[2 * (i + 1)]; sh[0] ^= rc[2 * (i + 1) + 1]; | ||
| } | ||
| for (k = 0; k < 25; k++) { | ||
| sp[2 * k] = sl[k]; | ||
| sp[2 * k + 1] = sh[k]; | ||
| } | ||
| } |
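Review bot: `word32* sp = (word32*)s;` and the matching cast of `hash_keccak_r` treat each 64-bit lane as two `word32` halves with the low half at index `2 * k`, which only holds when the low 32 bits of a `word64` are stored first. Nothing in the function enforces that layout, so guard it (for example an `#error` under `BIG_ENDIAN_ORDER`) or state the requirement in a comment above `BlockSha3`. The casts also read and write `word64` storage through a `word32` lvalue, which deserves a note on why that is acceptable for the toolchains this path is built with.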
Summary

Adds `WOLFSSL_WIDE_BYTE` support so wolfCrypt builds and runs correctly on word-addressed targets where `CHAR_BIT != 8` - specifically the TI C2000 C28x DSP family, where a C `char`/`unsigned char` (wolfSSL's `byte`) is 16 bits and is the smallest addressable unit. All changes are gated and are a no-op on normal 8-bit-byte targets.

The work was validated end-to-end on a TI LAUNCHXL-F28P55X (TMS320F28P550SJ, C28x, 150 MHz) using the bare-metal example added in the companion wolfssl-examples PR. Every algorithm below passes known-answer tests on hardware, and the standard host `wolfcrypt_test` continues to pass (no 8-bit regression).

Validated algorithms (on C28x hardware)

`WC_16BIT_CPU` that emits native instructions instead of compiler 64-bit helper calls - ~53% faster SHAKE/SHA3 on this target)

What the `CHAR_BIT != 8` fixes address

All behind `WOLFSSL_WIDE_BYTE` (auto-enabled for `CHAR_BIT != 8` and known 16-bit-char TI toolchain macros), each a no-op on 8-bit targets:

- `word32`/`word64` by casting to `byte*` moves addressable cells, not octets. Replaced with explicit shift-based octet I/O via shared helpers in `misc.c` (`WordsFromBytesBE32`/`BytesFromWordsBE32`, `BytesFromWordsLE32`, the 64-bit variants, octet-correct `readUnalignedWord32`/`readUnalignedWord64`). `sp_int.c` `sp_read_unsigned_bin` uses an endian-/CHAR_BIT-agnostic shift loop for its leftover bytes (a 3-byte RSA exponent previously loaded as 1 instead of 65537).
- `(byte)x` not truncating to an octet (it keeps 16 bits). Masked with `WC_OCTET(x)` = `(byte)((x) & 0xFF)`. Used across the ML-KEM/ML-DSA encoders, the SP `*_to_bin` serializers, AES `GETBYTE`, base64, and the DRBG.
- `1U << n` is 16-bit on C28x (use `1UL`); a bit width written `sizeof(t) * 8` is wrong when `CHAR_BIT != 8` (use `CHAR_BIT * sizeof(t)`); `byte` operands promote to a 16-bit `int`.
- `sizeof` counting cells, not octets. e.g. `CHACHA_CHUNK_BYTES` must be `16 * 4`, not `16 * sizeof(word32)` (= 32 on C28x, which halves the ChaCha block and desyncs the counter).
- `xorbuf` word stride. `WOLFSSL_WORD_SIZE_LOG2` vs `sizeof(word)` mismatch left half of each buffer un-XORed on a 16-bit-cell target; corrected for the `WC_16BIT_CPU` `word16` path.

It also adds `WOLFSSL_MLDSA_VERIFY_SMALLEST_MEM` (streams the signature `z` vector per-row), which combined with `WOLFSSL_MLDSA_ASSIGN_KEY` brings ML-DSA-87 verify to ~10.7 KB RAM with zero heap.

Commit layout

- `wolfcrypt: add WOLFSSL_WIDE_BYTE support for CHAR_BIT != 8 targets (TI C2000 C28x) - core types, misc octet helpers, base64, DRBG`
- `sha: octet-correct SHA-2 byte I/O and 32-bit split Keccak permutation for CHAR_BIT != 8`
- `aes/chacha: octet-correct block, key and keystream I/O for CHAR_BIT != 8`
- `mldsa/mlkem: correct ML-DSA and ML-KEM on CHAR_BIT != 8; add WOLFSSL_MLDSA_VERIFY_SMALLEST_MEM`
- `ecc/25519/sp: octet-correct X25519/Ed25519 and SP byte<->mp conversion for CHAR_BIT != 8`
- `test/benchmark/ci: CHAR_BIT != 8 test vectors, NO_MALLOC benchmark, TI C2000 compile CI and docs`

Testing

- `./configure --enable-dilithium --enable-experimental --enable-shake256 --enable-shake128 && make && ./wolfcrypt/test/testwolfcrypt` - passes (RSA, ECC, ML-DSA, ML-KEM, SHA-2/3, all crypto). No behavior change on 8-bit-byte targets.
- `wolfcrypt_test` crypto passes.
- `IDE/C2000/compile.sh` runs `cl2000 --compile_only` over the `CHAR_BIT != 8` wolfCrypt subset; `.github/workflows/ti-c2000-compile.yml` runs it on PRs (fetches/caches the TI C2000 code generation tools).

Benchmarks (F28P55X @ 150 MHz)

ML-DSA-87: verify ~225 ms/op (~10.7 KB RAM, zero heap); keygen and signing also run (SIGN=1).

Notes

- `wolfcrypt/src/sp_c32.c` is generated. The `& 0xFF` octet masks added to its `sp_*_to_bin_*` serializers should be folded into the SP generator templates for a permanent fix; the in-tree edit is included here so the C28x build is correct today.
- `IDE/C2000/README.md` describes the support, the build options, and the benchmark results; the full bare-metal example (with KATs, benchmark, linker scripts, and per-algorithm `make` toggles) is in wolfssl-examples at `embedded/ti-c2000-f28p55x/`.

Companion PR
wolfssl-examples: "Add TI LAUNCHXL-F28P55X (C2000 C28x, CHAR_BIT==16) bare-metal wolfCrypt example".
wolfSSL/wolfssl-examples#576
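
The `(byte)x` truncation and byte/word aliasing items from the PR description, reproduced on an ordinary 8-bit-byte host as an added example (not code from the PR or from wolfSSL). `cell_t`, `OCTET` and all function names are hypothetical, and `load_aliased` is a constructed model of the failure, chosen so that it reproduces the 1-instead-of-65537 result the description reports.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the C28x byte: a 16-bit cell carrying one octet
 * in its low 8 bits. On the real target this is unsigned char. */
typedef uint16_t cell_t;
#define OCTET(x) ((cell_t)((x) & 0xFFu))   /* same idea as WC_OCTET(x) */

/* Cast only: each cell keeps 16 bits, so neighbouring octets leak in. */
static void store_be32_naive(cell_t out[4], uint32_t w)
{
    out[0] = (cell_t)(w >> 24); out[1] = (cell_t)(w >> 16);
    out[2] = (cell_t)(w >> 8);  out[3] = (cell_t)w;
}

/* Shift, then mask: every cell holds exactly one octet. */
static void store_be32(cell_t out[4], uint32_t w)
{
    out[0] = OCTET(w >> 24); out[1] = OCTET(w >> 16);
    out[2] = OCTET(w >> 8);  out[3] = OCTET(w);
}

/* Shift-loop read of n <= 4 octets; no dependence on endianness or cell width. */
static uint32_t load_be(const cell_t *in, size_t n)
{
    uint32_t w = 0;
    for (size_t i = 0; i < n; i++)
        w = (w << 8) | (uint32_t)(in[i] & 0xFFu);
    return w;
}

/* Constructed model of the aliasing failure: a 32-bit digit spans only two
 * 16-bit cells, so a cell-wise copy moves whole cells into its halves. */
static uint32_t load_aliased(const cell_t *in, size_t n)
{
    cell_t half[2] = { 0, 0 };            /* half[0] = low 16 bits */
    for (size_t i = 0; i < n && i < 2; i++)
        half[i] = in[n - 1 - i];
    return ((uint32_t)half[1] << 16) | half[0];
}

int main(void)
{
    const cell_t e[3] = { 0x01, 0x00, 0x01 };   /* constructed: RSA e = 65537 */
    cell_t good[4], bad[4];
    store_be32(good, 0x12345678u);
    store_be32_naive(bad, 0x12345678u);
    return !(load_be(e, 3) == 65537u && load_aliased(e, 3) == 1u && good[1] == 0x34 && bad[1] == 0x1234);
}
```

On a host the two store functions differ only because `cell_t` is forced to 16 bits; with a true 8-bit `unsigned char` the cast and the mask give the same cells, which is why the gated changes are a no-op there.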