Wolfhsm no keystore#798
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR removes support for “local keystore public keys” in wolfHSM client mode and introduces a WOLFBOOT_NO_KEYSTORE build path to avoid compiling/linking the built-in keystore when wolfHSM is the source of trust.
Changes:
- Make wolfHSM client builds always use HSM-resident public keys and drop
WOLFBOOT_USE_WOLFHSM_PUBKEY_IDconfiguration. - Add
WOLFBOOT_NO_KEYSTOREbuild logic and guard keystore-dependent code paths accordingly. - Update wolfHSM documentation to reflect the new configuration behavior.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/image.c | Adjusts signature verification and authenticity checks to support HSM-only keying and optional “no keystore” builds. |
| options.mk | Forces --nolocalkeys and removes conditional WOLFBOOT_USE_WOLFHSM_PUBKEY_ID behavior for wolfHSM client builds. |
| docs/wolfHSM.md | Removes WOLFBOOT_USE_WOLFHSM_PUBKEY_ID docs and clarifies key sourcing in client mode. |
| Makefile | Adds WOLFHSM_NO_KEYSTORE logic and defines WOLFBOOT_NO_KEYSTORE to omit keystore linkage when applicable. |
Comments suppressed due to low confidence (1)
src/image.c:1
- When
WOLFBOOT_NO_KEYSTOREis defined, the per-partition key authorization check is entirely bypassed. If the HSM policy is guaranteed to enforce equivalent constraints, that should be made explicit in code via a compile-time constraint (e.g., requireWOLFBOOT_CERT_CHAIN_VERIFYand/or a specific HSM policy flag whenWOLFBOOT_NO_KEYSTOREis set). Otherwise, consider introducing an HSM-backed partition/key-usage check so you don’t lose this authorization control in no-keystore builds.
/* image.c
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #798
Scan targets checked: wolfboot-bugs, wolfboot-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
bigbrett
force-pushed
the
wolfhsm-no-keystore
branch
from
5766936 to
9582aee
Compare
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #798
Scan targets checked: wolfboot-bugs, wolfboot-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #798
Scan targets checked: wolfboot-bugs, wolfboot-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
bigbrett
force-pushed
the
wolfhsm-no-keystore
branch
from
a4435a2 to
11394b3
Compare
dgarske
left a comment
dgarske
left a comment
There was a problem hiding this comment.
Skoll Code Review
Scan type: reviewOverall recommendation: COMMENT
Findings: 4 total — 4 posted, 0 skipped
2 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [Low] Removed make option WOLFHSM_CLIENT_LOCAL_KEYS left dangling; new WOLFHSM_CLIENT_ID not registered —
tools/config.mk:95,137 (and config/examples/sim-wolfHSM-client-ecc.config:28, sim-wolfHSM-client-mldsa.config:49) - [Low] Potential hybrid-signing build break in wolfHSM no-keystore mode —
src/image.c:2455-2459 - [Info] $(error) continuation line embeds leading whitespace into the message —
options.mk:1423-1426 - [Info] WOLFHSM_SERVER misconfiguration $(error) also aborts clean targets —
options.mk:1420-1426
Review generated by Skoll
…configs, add no keystore option default to config.mk
wolfHSM was not intended to be useable with hybrid signatures, since that would require a secondary public key ID to be registered for all woflHSM HALs. It is definitely something we can do and support, but was not within the scope of this PR.
This is the one thing my local skolling didn't seem to find (though innocuous). Fixed in my latest commit. I will re-request review when CI clears. Also pushed an unrelated commit as I forgot to rename the Makefile variable to match the macro name |
Main Change
wolfHSM client mode (and server mode with cert-chain verify) now builds without a local wolfBoot keystore. Public keys live on the HSM, referenced by key ID or resolved from a verified certificate chain. The old hybrid path that loaded keys from
keystore.cand pushed them to the HSM as ephemeral keys is removed.WOLFHSM_CLIENT=1(orWOLFHSM_SERVER=1withCERT_CHAIN_VERIFY=1) no longer compiles/linkssrc/keystore.o. DefinesWOLFBOOT_NO_KEYSTORE, which skips the keystore permission-mask check and pubkey-hash lookups since key authorization is enforced by the HSM.Other changes
Removed
WOLFBOOT_USE_WOLFHSM_PUBKEY_IDand theWOLFHSM_CLIENT_LOCAL_KEYSmake option. Clients now always use HSM-resident keys. This simplifies the#ifspaghetti insrc/image.c.Parameterizable client ID: new
WOLFHSM_CLIENT_IDmake variable (default 1) replaces hardcoded IDs all of the various HALs.Server mode requires cert chain:
WOLFHSM_SERVER=1withoutCERT_CHAIN_VERIFY=1now fails the build with a clear error (was always disallowed, now just added explicit error)ML-DSA wolfHSM fixes: added missing server-side ML-DSA key export and post-verify key eviction for client and server cert-chain modes.
Doc updates