
Commit a1f86fa

bigbrettdanielinux
authored andcommitted
expose root CA list as makefile var
1 parent b8bc0a7 commit a1f86fa

5 files changed

Lines changed: 19 additions & 5 deletions


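--- a/docs/wolfHSM.md
+++ b/docs/wolfHSM.md
@@ -96,7 +96,7 @@ In addition to the standard wolfBoot HAL functions, wolfHSM-enabled platforms mu
 - `hsmDevIdHash`: The HSM device ID for hash operations. This is used to identify the HSM device to wolfBoot.
 - `hsmDevIdPubKey`: The HSM device ID for public key operations. This is used to identify the HSM device to wolfBoot.
 - `hsmKeyIdPubKey`: The HSM key ID for public key operations. This is used to identify the key to use for public key operations.
-- `hsmNvmIdCertRootCAList` / `hsmNvmIdCertRootCACount`: Array of NVM IDs identifying the trusted root CA certificate(s) and its element count. Only used when building with `WOLFBOOT_CERT_CHAIN_VERIFY`. The chain in the firmware header may anchor to any of the listed roots; the count is bounded by `WOLFHSM_CFG_CERT_MAX_VERIFY_ROOTS` (default 8). Each in-tree HAL provides a default of `{ 1 }`; override at build time by passing a comma-separated initializer in `WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST`, e.g. `make CFLAGS_EXTRA='-DWOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST="1, 2, 3"'`.
+- `hsmNvmIdCertRootCAList` / `hsmNvmIdCertRootCACount`: Array of NVM IDs identifying the trusted root CA certificate(s) and its element count. Only used when building with `WOLFBOOT_CERT_CHAIN_VERIFY`. The chain in the firmware header may anchor to any of the listed roots; the count is bounded by `WOLFHSM_CFG_CERT_MAX_VERIFY_ROOTS` (default 8). Each in-tree HAL provides a default of `{ 1 }`; override the list via the `WOLFHSM_NVM_ROOT_CA_LIST` build option, which takes a comma-separated initializer (no quotes, no spaces) and is propagated to the HAL as `-DWOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST=...`. Set it in `.config` (e.g. `WOLFHSM_NVM_ROOT_CA_LIST=1,2,3`) or on the make command line (`make WOLFHSM_NVM_ROOT_CA_LIST=1,2,3 ...`).
 
 ### Client HAL Functions
 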
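--- a/hal/aurix_tc3xx.c
+++ b/hal/aurix_tc3xx.c
@@ -111,7 +111,8 @@ const int hsmDevIdCrypt = WH_DEV_ID;
 const int hsmKeyIdCrypt = 0xFF;
 #endif
 #ifdef WOLFBOOT_CERT_CHAIN_VERIFY
-/* Override at build time, e.g. -DWOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST="1, 2, 3" */
+/* Set WOLFHSM_NVM_ROOT_CA_LIST=1,2,3 in .config (or pass on the make command
+* line) to override the default single-root list. */
 #ifndef WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST
 #define WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST 1
 #endif
@@ -125,7 +126,8 @@ const uint16_t hsmNvmIdCertRootCACount =
 /* map wolfBoot HAL layer wofHSM exports to their tchsm config vals */
 const int hsmDevIdHash = HSM_DEVID;
 const int hsmDevIdPubKey = HSM_DEVID;
-/* Override at build time, e.g. -DWOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST="1, 2, 3" */
+/* Set WOLFHSM_NVM_ROOT_CA_LIST=1,2,3 in .config (or pass on the make command
+* line) to override the default single-root list. */
 #ifndef WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST
 #define WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST 1
 #endif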
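Review bot: The rewritten comment above `WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST` (both hunks here, and the two matching hunks in hal/sim.c) says how to set the list but not what constrains it. Since these IDs are the trusted roots for firmware chain verification, I would state the limits next to the macro, e.g. `/* Entries are NVM IDs of trusted root CAs; at most WOLFHSM_CFG_CERT_MAX_VERIFY_ROOTS, value must contain no quotes or spaces. */`. The definition of `hsmNvmIdCertRootCACount` sits between the hunks and is not shown, so I cannot tell whether the count is checked against that bound at compile time; if it is not, a static assertion beside it would be worth adding.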

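--- a/hal/sim.c
+++ b/hal/sim.c
@@ -191,7 +191,8 @@ const int hsmDevIdCrypt = WH_DEV_ID;
 const int hsmKeyIdCrypt = 0xFF;
 #endif
 #ifdef WOLFBOOT_CERT_CHAIN_VERIFY
-/* Override at build time, e.g. -DWOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST="1, 2, 3" */
+/* Set WOLFHSM_NVM_ROOT_CA_LIST=1,2,3 in .config (or pass on the make command
+* line) to override the default single-root list. */
 #ifndef WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST
 #define WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST 1
 #endif
@@ -265,7 +266,8 @@ whServerContext hsmServerCtx = {0};
 
 const int hsmDevIdHash = INVALID_DEVID;
 const int hsmDevIdPubKey = INVALID_DEVID;
-/* Override at build time, e.g. -DWOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST="1, 2, 3" */
+/* Set WOLFHSM_NVM_ROOT_CA_LIST=1,2,3 in .config (or pass on the make command
+* line) to override the default single-root list. */
 #ifndef WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST
 #define WOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST 1
 #endif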

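--- a/options.mk
+++ b/options.mk
@@ -1465,6 +1465,15 @@ ifneq ($(CERT_CHAIN_VERIFY),)
 # export the private key in DER format so it can be used with certificates
 KEYGEN_OPTIONS += --der
 
+# Optional override for the wolfHSM trusted-root NVM ID list used during
+# cert-chain verification. Expects a comma-separated initializer (no quotes,
+# no spaces), e.g. WOLFHSM_NVM_ROOT_CA_LIST=1,2,3. Bounded by
+# WOLFHSM_CFG_CERT_MAX_VERIFY_ROOTS. When unset, falls back to a HAL-specified
+# default
+ifneq ($(strip $(WOLFHSM_NVM_ROOT_CA_LIST)),)
+CFLAGS += '-DWOLFBOOT_WOLFHSM_NVM_ROOT_CA_LIST=$(WOLFHSM_NVM_ROOT_CA_LIST)'
+endif
+
 # User-provided cert chain takes precedence
 ifneq ($(USER_CERT_CHAIN),)
 CERT_CHAIN_FILE = $(USER_CERT_CHAIN)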
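Review bot: The added `CFLAGS +=` line pastes `$(WOLFHSM_NVM_ROOT_CA_LIST)` into the define without checking its shape, so the "no quotes, no spaces" rule in the comment is documented but not enforced. A value written the way the docs previously showed it (quoted, with spaces) would not be rejected here and would presumably reach the compiler as something other than an integer list, and a stray quote character would end the single-quoted shell word early. Because this list selects the trust anchors for chain verification, a malformed value should stop the build: inside the new `ifneq`, add `ifneq ($(words $(WOLFHSM_NVM_ROOT_CA_LIST)),1)` / `$(error WOLFHSM_NVM_ROOT_CA_LIST must be a comma-separated list with no spaces)` / `endif`, with a matching `$(findstring ...)` test for quote characters. The bound `WOLFHSM_CFG_CERT_MAX_VERIFY_ROOTS` is likewise not checked in this hunk, and whether it is enforced elsewhere is not visible. The enclosing `ifneq ($(CERT_CHAIN_VERIFY),)` block starts and ends outside the hunk.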

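--- a/tools/config.mk
+++ b/tools/config.mk
@@ -134,4 +134,5 @@ CONFIG_VARS:= ARCH TARGET SIGN HASH MCUXSDK MCUXPRESSO MCUXPRESSO_CPU MCUXPRESSO
 SIGN_SECONDARY \
 WOLFHSM_CLIENT \
 WOLFHSM_CLIENT_LOCAL_KEYS \
+WOLFHSM_NVM_ROOT_CA_LIST \
 ENCRYPT_CACHE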
