Simplifications for user-supplied keys and certs; wolfHSM RSA4096 fixes #645
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bigbrett
force-pushed
the
simplify-external-certs
branch
2 times, most recently
from
73f87af to
91baf13
Compare
bigbrett
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR simplifies the external certificate chain handling in wolfBoot by removing the CERT_CHAIN_GEN variable and introducing user-provided key/certificate variables (USER_PRIVATE_KEY, USER_PUBLIC_KEY, USER_CERT_CHAIN). The changes streamline the build system to auto-generate dummy certificate chains when needed, while allowing users to supply their own keys and certificates for production use.
Key Changes
- Removed
CERT_CHAIN_GENflag; certificate chains are now auto-generated whenCERT_CHAIN_VERIFY=1is set withoutUSER_CERT_CHAIN - Added
USER_PRIVATE_KEY,USER_PUBLIC_KEY, andUSER_CERT_CHAINvariables for user-provided cryptographic materials - Updated documentation to reflect the simplified workflow and new configuration options
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
Makefile |
Added validation and logic for user-provided keys/certificates; simplified key selection flow |
options.mk |
Replaced CERT_CHAIN_GEN with auto-generation logic based on USER_CERT_CHAIN presence |
test-app/Makefile |
Removed unused RSA-specific IMAGE_HEADER_SIZE configuration |
src/image.c |
Added conditional compilation guard for wolfHSM client key eviction |
include/user_settings.h |
Extended conditional check to exclude RSA inline verification for wolfHSM modes |
arch.mk |
Added NVM image generation support for simulator; made NVM config files overridable |
docs/compile.md |
Added comprehensive documentation for key generation and user-provided key workflow |
docs/Signing.md |
Added Makefile usage examples for certificate chain signing |
docs/keystore.md |
Added reference to new key generation documentation |
config/examples/*.config |
Removed CERT_CHAIN_GEN=1 from example configurations |
lib/wolfHSM |
Updated submodule reference |
tools/scripts/tc3xx/*.nvminit |
Updated NVM object ID for certificate chain |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
new `USER_ variables`
bigbrett
force-pushed
the
simplify-external-certs
branch
from
91baf13 to
33a0dd0
Compare
-various fixes for RSA4096 -remove erroneous coupling between SMALL_STACK and WOLFHSM_SERVER
bigbrett
changed the title
bigbrett
force-pushed
the
simplify-external-certs
branch
from
3764dd2 to
b56d119
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
.configfiles for wolfHSM with RSA4096, and makes associated CI and build system changes