Allow setting devId at runtime through every wolfPSA wc_*Init() call#17
Merged
wolfPSA always passed INVALID_DEVID as the devId argument to the
underlying wolfCrypt init functions, which meant a wolfCrypt crypto_cb
registered against any non-default dev id was completely bypassed: every
PSA operation ran wolfCrypt locally, even when an offload backend
(wolfHSM, hardware accelerator, ...) had been registered.
Introduce a runtime API mirroring wc_CryptoCb_SetDefaultDevID():

```c
int wolfPSA_SetDefaultDevID(int devId);
int wolfPSA_GetDefaultDevID(void);
```
The default stays INVALID_DEVID, so behaviour is unchanged for existing
consumers. Applications that have registered a crypto_cb call
wolfPSA_SetDefaultDevID() once (before or after psa_crypto_init()), and
wolfPSA from then on threads that devId through every wc_AesInit /
wc_Des3Init / wc_InitSha3_* / wc_LmsKey_Init / wc_XmssKey_Init /
wc_MlDsaKey_Init / wc_MlKemKey_Init / wc_NewRsaKey / wc_PRF_TLS callsite
inside src/, so wolfCrypt's crypto_cb dispatch fires for every primitive
PSA exercises.
Export the two new symbols from libwolfpsa.so via wolfpsa.map.
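The dispatch the description relies on, as an added illustration that is not wolfPSA's or wolfCrypt's own code: a self-contained C mock in which a callback is registered on a non-default devId and an init-time operation either reaches it (runtime default threaded through, as after this PR) or silently takes the software path (the old hard-coded INVALID_DEVID). The process-global default is set once during single-threaded initialisation, matching the threading contract documented in the follow-up commit. The mock_* names, the callback signature and DEVID_MOCK_HSM are assumptions.

```c
/* Added illustration, not wolfPSA/wolfCrypt code: a self-contained mock of the
 * crypto_cb dispatch that the runtime devId hook is meant to reach. All mock_*
 * names, the callback signature and DEVID_MOCK_HSM are assumptions. */
#include <string.h>
#define INVALID_DEVID  (-2)  /* wolfCrypt's "no callback, run locally" id */
#define DEVID_MOCK_HSM 1     /* constructed non-default device id */
#define MOCK_MAX_DEVS  4

static struct { int devId; int (*cb)(int, void *); void *ctx; } mock_devs[MOCK_MAX_DEVS];
static int mock_default_devid = INVALID_DEVID; /* process-global, like wolfPSA's */

/* Mirrors wolfPSA_SetDefaultDevID()/GetDefaultDevID(): set once during
 * single-threaded init, then read by every internal init call (no locking). */
int mock_SetDefaultDevID(int devId) { mock_default_devid = devId; return 0; }
int mock_GetDefaultDevID(void)      { return mock_default_devid; }

/* Mirrors wc_CryptoCb_RegisterDevice(): bind a callback to a non-default id. */
int mock_RegisterDevice(int devId, int (*cb)(int, void *), void *ctx) {
    if (devId == INVALID_DEVID || cb == NULL) return -1;
    for (int i = 0; i < MOCK_MAX_DEVS; i++) {
        if (mock_devs[i].cb != NULL) continue;
        mock_devs[i].devId = devId; mock_devs[i].cb = cb; mock_devs[i].ctx = ctx;
        return 0;
    }
    return -1; /* table full */
}

/* Stand-in for an operation reached through wc_*Init(): dispatch to the callback
 * only when devId names a registered device; INVALID_DEVID (the value wolfPSA
 * used to hard-code) always takes the local software path. */
int mock_AesOp(int devId) {
    for (int i = 0; devId != INVALID_DEVID && i < MOCK_MAX_DEVS; i++)
        if (mock_devs[i].cb != NULL && mock_devs[i].devId == devId)
            return mock_devs[i].cb(devId, mock_devs[i].ctx);
    return 0; /* software path */
}

static int hsm_cb(int devId, void *ctx) { (void)devId; (*(int *)ctx)++; return 0; }

/* Issues three operations the way wolfPSA does and returns how many reached the
 * callback; use_runtime_default=0 reproduces the pre-fix hard-coded INVALID_DEVID. */
int mock_offloaded_ops(int use_runtime_default) {
    int hits = 0;
    memset(mock_devs, 0, sizeof(mock_devs));
    mock_RegisterDevice(DEVID_MOCK_HSM, hsm_cb, &hits);
    mock_SetDefaultDevID(DEVID_MOCK_HSM);
    for (int i = 0; i < 3; i++)
        mock_AesOp(use_runtime_default ? mock_GetDefaultDevID() : INVALID_DEVID);
    return hits;
}
```

Registering the device is not enough on its own: with the hard-coded INVALID_DEVID every operation still runs in software, which is the silent bypass the PR closes.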
Pull request overview
This PR adds a runtime-configurable “default devId” for wolfPSA so that wolfPSA’s internal wolfCrypt primitive initialization/PRF calls can be routed through a non-default wolfCrypt crypto_cb device (enabling offload backends like wolfHSM / hardware accelerators), while keeping existing behavior unchanged by default (INVALID_DEVID).
Changes:
- Introduces `wolfPSA_SetDefaultDevID()`/`wolfPSA_GetDefaultDevID()` and exports them from `libwolfpsa.so`.
- Threads `wolfPSA_GetDefaultDevID()` through multiple wolfCrypt init/creation call sites (AES/3DES/SHA3/LMS/XMSS/ML-DSA/ML-KEM/RSA/TLS PRF).
- Adds the new symbols to `wolfpsa.map`.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| wolfpsa/psa_engine.h | Declares the new public default-devId setter/getter API. |
| wolfpsa.map | Exports the new API symbols from the shared library. |
| src/psa_engine.c | Implements the runtime default-devId storage and accessor functions. |
| src/psa_cipher.c | Passes the runtime devId into wc_AesInit / wc_Des3Init. |
| src/psa_aead.c | Passes the runtime devId into wc_AesInit for GCM/CCM finalization paths. |
| src/psa_hash_engine.c | Passes the runtime devId into SHA3 init calls. |
| src/psa_key_derivation.c | Passes the runtime devId into TLS12 PRF call sites. |
| src/psa_key_storage.c | Passes the runtime devId into wc_NewRsaKey and includes the engine header. |
| src/psa_lms_xmss.c | Passes the runtime devId into LMS/XMSS key init calls. |
| src/psa_mldsa.c | Passes the runtime devId into ML-DSA key init calls. |
| src/psa_mlkem.c | Passes the runtime devId into ML-KEM key init calls. |
Address the two actionable Copilot comments raised against the runtime-devid hook patch on PR wolfSSL#17.

C++ ABI guard
-------------

Wrap the wolfpsa/psa_engine.h declarations of wc_error_to_psa_status, wolfPSA_SetDefaultDevID, and wolfPSA_GetDefaultDevID in an `extern "C"` / `__cplusplus` block. Without it the new exported symbols would be name-mangled when the header is pulled in from C++ TUs, breaking the linkage against libwolfpsa. Matches the pattern already used by wolfpsa/psa_key_storage.h and the psa/* headers shipped from this tree.

Threading semantics documented
------------------------------

Extend the wolfPSA_SetDefaultDevID() doc comment to spell out the threading contract: the default devId lives in a process-global static and is read by every wolfPSA-internal wc_*Init() call, so callers must set it during single-threaded initialisation (or otherwise serialise) before issuing PSA operations. wolfPSA already assumes single-threaded operation per crypto_struct.h, so no synchronisation primitive is introduced — documenting the contract is sufficient and avoids dragging atomics / mutexes into the PSA engine for a hook that is, by design, set once at boot.

Not addressed
-------------

Copilot also requested an automated test that registers a crypto_cb on a non-default devId and asserts dispatch through it for one representative operation. That is a worthwhile follow-up but is outside the scope of this PR (which is the runtime hook itself), requires a mock-callback test fixture that does not yet exist in test/, and would meaningfully expand the diff. Leaving it for a dedicated follow-up so this change stays minimal and reviewable.
bigbrett approved these changes on May 27, 2026.