From c31a2138ee16b820a10d12e23c7b74a70ebf2a86 Mon Sep 17 00:00:00 2001 From: jordan Date: Sun, 5 Nov 2023 10:09:52 -0600 Subject: [PATCH] XMSS wolfBoot support: add renode-nrf52 test case. --- .github/workflows/test-renode-nrf52.yml | 4 ++++ tools/config.mk | 2 +- tools/scripts/renode-test-update.sh | 18 ++++++++++++++++++ tools/test-renode.mk | 24 ++++++++++++++++++++++++ 4 files changed, 47 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-renode-nrf52.yml b/.github/workflows/test-renode-nrf52.yml index 460aaea83..7e562f7f1 100644 --- a/.github/workflows/test-renode-nrf52.yml +++ b/.github/workflows/test-renode-nrf52.yml @@ -58,6 +58,10 @@ jobs: - name: Renode Tests LMS-8-5-5 run: ./tools/renode/docker-test.sh "SIGN=LMS LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2644 IMAGE_HEADER_SIZE=5288" +# XMSS TEST + - name: Renode Tests XMSS-SHA2_10_256 + run: ./tools/renode/docker-test.sh "SIGN=XMSS XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE=5000" + - name: Upload Output Dir uses: actions/upload-artifact@v2 with: diff --git a/tools/config.mk b/tools/config.mk index f6757017b..e7706fb30 100644 --- a/tools/config.mk +++ b/tools/config.mk @@ -34,7 +34,7 @@ ifeq ($(ARCH),) LMS_LEVELS?=0 LMS_HEIGHT?=0 LMS_WINTERNITZ?=0 - XMSS_PARAMS?=XMSS-SHA2_10_256 + XMSS_PARAMS?='XMSS-SHA2_10_256' NO_MPU?=0 ENCRYPT?=0 ENCRYPT_WITH_CHACHA?=0 diff --git a/tools/scripts/renode-test-update.sh b/tools/scripts/renode-test-update.sh index a7736509f..f2504ba56 100755 --- a/tools/scripts/renode-test-update.sh +++ b/tools/scripts/renode-test-update.sh 
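Review bot: The single quotes around `XMSS-SHA2_10_256` are treated differently in each place this commit puts them, and nothing visible says which form the build expects. In this workflow step they sit inside a double-quoted argument, so whether they survive depends on how docker-test.sh expands the string. In the tools/config.mk hunk they are literal characters of the make value, because make does no quote removal, while in the `XMSS_OPTS` hunk of tools/test-renode.mk the recipe shell strips them before the sub-make sees the value. If any `ifeq` or other string comparison reads `XMSS_PARAMS`, the quoted and unquoted forms will not match, so it is worth confirming that every consumer passes the value through a shell. I would add a comment next to the config.mk default, for example `# quotes are literal in make; they are removed only when the value reaches a shell`.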
@@ -37,6 +37,24 @@ if (echo $TEST_OPTIONS | grep "LMS" &>/dev/null); then cd ../../.. || exit 2 fi +if (echo $TEST_OPTIONS | grep "XMSS" &>/dev/null); then + # Need git. + apt install -y git + + # wolfSSL needs to be on latest master for XMSS support. Also, we need to + # add the wolfssl module as a safe directory so docker can use it. + git config --global --add safe.directory /workspace/lib/wolfssl || exit 2 + cd lib/wolfssl && git checkout master && git pull && cd ../.. || exit 2 + + + # Need to clone the hash-sigs repo, and patch it for wolfBoot build. + cd lib || exit 2 + git clone https://github.com/XMSS/xmss-reference.git xmss || exit 2 + cd xmss && git checkout 171ccbd26f098542a67eb5d2b128281c80bd71a6 && \ + git apply ../../tools/xmss/0001-Patch-to-support-wolfSSL-xmss-reference-integration.patch &&\ + cd ../../ || exit 2 +fi + make distclean make -C tools/keytools make -C tools/test-expect-version diff --git a/tools/test-renode.mk b/tools/test-renode.mk index 6484c03e2..bdba179fd 100644 --- a/tools/test-renode.mk +++ b/tools/test-renode.mk @@ -20,6 +20,9 @@ RENODE_BINASSEMBLE=tools/bin-assemble/bin-assemble LMS_OPTS=LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 \ IMAGE_SIGNATURE_SIZE=2644 IMAGE_HEADER_SIZE=5288 +XMSS_OPTS=XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 \ + IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE=5000 + # python version only supported using # KEYGEN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/keygen.py" ifeq ("$(KEYGEN_TOOL)","") @@ -97,6 +100,10 @@ ifeq ($(SIGN),LMS) SIGN_ARGS+= --lms endif +ifeq ($(SIGN),XMSS) + SIGN_ARGS+= --xmss +endif + ifeq ($(HASH),SHA256) SIGN_ARGS+= --sha256 endif @@ -260,6 +267,9 @@ renode-factory-rsa4096: FORCE renode-factory-lms: FORCE make renode-factory SIGN=LMS $(LMS_OPTS) +renode-factory-xmss: FORCE + make renode-factory SIGN=XMSS $(XMSS_OPTS) + renode-factory-all: FORCE ${Q}make keysclean ${Q}make renode-factory-ed25519 
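Review bot: The `git checkout master && git pull` line makes the XMSS test build against whatever wolfSSL master is at run time, while the xmss-reference clone a few lines below is pinned to a commit. For a secure-boot test this makes results non-reproducible and lets an upstream change alter the code under test without any change in this repository. Once a wolfSSL commit or tag with XMSS support is known, pin it the same way, e.g. `cd lib/wolfssl && git fetch origin && git checkout <PINNED_WOLFSSL_COMMIT> && cd ../.. || exit 2` (placeholder; the page names no such commit). The comment `# Need to clone the hash-sigs repo` looks copied from the LMS block and should name xmss-reference instead. `git clone ... xmss || exit 2` also aborts when lib/xmss already exists from an earlier run, so a `[ -d xmss ] ||` guard in front of the clone would make the script re-runnable.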
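Review bot: `XMSS_OPTS` hard-codes `IMAGE_SIGNATURE_SIZE=2500` and `IMAGE_HEADER_SIZE=5000` with no comment tying them to the parameter set, so a later change of `XMSS_PARAMS` could leave the sizes stale without anything pointing at them. I would add a comment above the assignment such as `# XMSS-SHA2_10_256: 2500-byte signature; header is 2x that, same pattern as LMS_OPTS`. The same values are repeated verbatim in the workflow step in .github/workflows/test-renode-nrf52.yml, so the comment should also say that the two places must change together.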
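Review bot: `renode-factory-xmss` calls a literal `make` in its recipe, as do the new `renode-update-xmss`, `renode-no-downgrade-xmss` and `renode-corrupted-xmss` targets in the later hunks. `$(MAKE) renode-factory SIGN=XMSS $(XMSS_OPTS)` would let `-n` and the jobserver reach the sub-make. The new targets copy the existing LMS ones here, so this may be better fixed file-wide. The commit also adds nothing to `renode-factory-all`, whose recipe continues outside the hunk; if that target runs `renode-factory-lms`, the XMSS variant probably belongs there as well.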
@@ -303,6 +313,9 @@ renode-update-rsa4096: FORCE renode-update-lms: FORCE make renode-update SIGN=LMS $(LMS_OPTS) +renode-update-xmss: FORCE + make renode-update SIGN=XMSS $(XMSS_OPTS) + renode-no-downgrade-ed25519: FORCE make renode-no-downgrade SIGN=ED448 @@ -324,6 +337,9 @@ renode-no-downgrade-rsa4096: FORCE renode-no-downgrade-lms: FORCE make renode-no-downgrade SIGN=LMS $(LMS_OPTS) +renode-no-downgrade-xmss: FORCE + make renode-no-downgrade SIGN=XMSS $(XMSS_OPTS) + renode-corrupted-ed25519: FORCE make renode-corrupted SIGN=ED448 @@ -345,6 +361,9 @@ renode-corrupted-rsa4096: FORCE renode-corrupted-lms: FORCE make renode-corrupted SIGN=LMS $(LMS_OPTS) +renode-corrupted-xmss: FORCE + make renode-corrupted SIGN=XMSS $(XMSS_OPTS) + renode-boot-time-all: FORCE tools/scripts/renode-test-all.sh 2>/dev/null |grep "BOOT TIME" @@ -368,6 +387,7 @@ renode-update-all: FORCE ${Q}make keysclean ${Q}make renode-update-lms RENODE_PORT=55164 ${Q}make keysclean + ${Q}make renode-update-xmss RENODE_PORT=55165 ${Q}echo All tests in $@ OK! renode-no-downgrade-all: FORCE @@ -389,6 +409,8 @@ renode-no-downgrade-all: FORCE ${Q}make renode-no-downgrade SIGN=NONE RENODE_PORT=55163 ${Q}make keysclean ${Q}make renode-no-downgrade-lms RENODE_PORT=55164 + ${Q}make keysclean + ${Q}make renode-no-downgrade-xmss RENODE_PORT=55165 ${Q}echo All tests in $@ OK! renode-corrupted-all: FORCE @@ -410,6 +432,8 @@ renode-corrupted-all: FORCE ${Q}make renode-corrupted SIGN=NONE RENODE_PORT=55163 ${Q}make keysclean ${Q}make renode-corrupted-lms RENODE_PORT=55164 + ${Q}make keysclean + ${Q}make renode-corrupted-xmss RENODE_PORT=55165 ${Q}echo All tests in $@ OK! renode-update-all-armored: FORCE
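Review bot: In the `renode-update-all` hunk the new `${Q}make renode-update-xmss RENODE_PORT=55165` line comes after what used to be the recipe's final `${Q}make keysclean`, so the target now ends without a cleanup where it previously ended with one. Presumably `keysclean` removes the generated signing keys; if so, the XMSS private key and its state are left behind for whatever target runs next, which matters more for a stateful scheme than for the earlier ones. Adding `${Q}make keysclean` after the new line would restore the previous end state. The `renode-no-downgrade-all` and `renode-corrupted-all` hunks add `keysclean` before the XMSS run only, which matches how those recipes already ended. All three recipes start outside their hunks, so I could not check how each begins.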