From 6b83732ab0862337ff23d6b288cbc818f3a38fe8 Mon Sep 17 00:00:00 2001 From: Thomas Cook Date: Wed, 3 Jun 2026 10:30:46 -0400 Subject: [PATCH 1/8] Initial implementation --- .wolfssl_known_macro_extras | 2 + doc/dox_comments/header_files/hwpuf.h | 264 +++++++++++++++++ wolfcrypt/src/cryptocb.c | 229 ++++++++++++++- wolfcrypt/src/error.c | 24 ++ wolfcrypt/src/hwpuf.c | 208 ++++++++++++++ wolfcrypt/src/include.am | 2 + wolfcrypt/src/port/nxp/hwpuf_port.c | 360 ++++++++++++++++++++++++ wolfcrypt/src/wc_port.c | 3 + wolfcrypt/test/test.c | 177 ++++++++++++ wolfssl/wolfcrypt/cryptocb.h | 49 +++- wolfssl/wolfcrypt/error-crypt.h | 13 +- wolfssl/wolfcrypt/hwpuf.h | 88 ++++++ wolfssl/wolfcrypt/include.am | 2 + wolfssl/wolfcrypt/port/nxp/hwpuf_port.h | 39 +++ wolfssl/wolfcrypt/settings.h | 3 + wolfssl/wolfcrypt/types.h | 3 +- 16 files changed, 1461 insertions(+), 5 deletions(-) create mode 100644 doc/dox_comments/header_files/hwpuf.h create mode 100644 wolfcrypt/src/hwpuf.c create mode 100644 wolfcrypt/src/port/nxp/hwpuf_port.c create mode 100644 wolfssl/wolfcrypt/hwpuf.h create mode 100644 wolfssl/wolfcrypt/port/nxp/hwpuf_port.h diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 42d31cf0dd4..5268b4d80d1 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -777,6 +777,7 @@ WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK WOLFSSL_HARDEN_TLS_NO_SCR_CHECK WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY +WOLFSSL_HWPUF WOLFSSL_I2D_ECDSA_SIG_ALLOC WOLFSSL_IAR_ARM_TIME WOLFSSL_IGNORE_BAD_CERT_PATH @@ -860,6 +861,7 @@ WOLFSSL_NO_XOR_OPS WOLFSSL_NRF51_AES WOLFSSL_NXP_CASPER_ECC_MUL2ADD WOLFSSL_NXP_CASPER_ECC_MULMOD +WOLFSSL_NXP_HWPUF WOLFSSL_NXP_LPC55S6X WOLFSSL_OLDTLS_AEAD_CIPHERSUITES WOLFSSL_OLD_SET_CURVES_LIST diff --git a/doc/dox_comments/header_files/hwpuf.h b/doc/dox_comments/header_files/hwpuf.h new file mode 100644 index 00000000000..d38a9dbe216 --- /dev/null +++ b/doc/dox_comments/header_files/hwpuf.h @@ -0,0 +1,264 @@ +/*! + \ingroup HWPUF + + For a complete bare-metal example (tested on NUCLEO-H563ZI), see + https://github.com/wolfSSL/wolfssl-examples/tree/master/puf +*/ + +/*! + \ingroup HWPUF + + \brief Initialize a wc_HWPUF structure, zeroing all fields. + Must be called before any other HWPUF operations. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf is NULL + + \param hwpuf pointer to wc_HWPUF structure to initialize + + _Example_ + \code + wc_HWPUF s_hwpuf; + ret = wc_HWPUF_Init(&s_hwpuf); + \endcode + + \sa wc_HWPUF_Init + \sa wc_HWPUF_Deinit + \sa wc_HWPUF_Unregister +*/ +int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId); + +/*! + \ingroup HWPUF + + \brief Initialize a wc_HWPUF structure, zeroing all fields. + Must be called before any other HWPUF operations. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf is NULL + + \param hwpuf pointer to wc_HWPUF structure to initialize + + _Example_ + \code + wc_HWPUF s_hwpuf; + ret = wc_HWPUF_Init(&s_hwpuf); + \endcode + + \sa wc_HWPUF_Register + \sa wc_HWPUF_Init + \sa wc_HWPUF_Deinit + \sa wc_HWPUF_Zeroize +*/ +int wc_HWPUF_Unregister(wc_HWPUF* hwpuf); + +/*! + \ingroup HWPUF + + \brief Initialize a wc_HWPUF structure, zeroing all fields. + Must be called before any other HWPUF operations. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf is NULL + + \param hwpuf pointer to wc_HWPUF structure to initialize + + _Example_ + \code + wc_HWPUF s_hwpuf; + ret = wc_HWPUF_Init(&s_hwpuf); + \endcode + + \sa wc_HWPUF_Deinit + \sa wc_HWPUF_Enroll + \sa wc_HWPUF_Start + \sa wc_HWPUF_Zeroize +*/ +int wc_HWPUF_Init(wc_HWPUF* hwpuf); + +/*! + \ingroup HWPUF + + \brief Initialize a wc_HWPUF structure, zeroing all fields. + Must be called before any other HWPUF operations. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf is NULL + + \param hwpuf pointer to wc_HWPUF structure to initialize + + _Example_ + \code + wc_HWPUF s_hwpuf; + ret = wc_HWPUF_Deinit(&s_hwpuf); + \endcode + + \sa wc_HWPUF_Init + \sa wc_HWPUF_Zeroize +*/ +int wc_HWPUF_Deinit(wc_HWPUF* hwpuf); + +/*! + \ingroup HWPUF + + \brief Perform HWPUF enrollment. Encodes raw SRAM using BCH(127,64,t=10) + and generates public helper data. After enrollment the context is ready + for key derivation and identity retrieval. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf is NULL + \return HWPUF_ENROLL_E if enrollment fails + + \param hwpuf pointer to wc_HWPUF (must have SRAM data loaded) + + _Example_ + \code + wc_HWPUF_Enroll(&s_hwpuf); + XMEMCPY(helperData, hwpuf.helperData, WC_HWPUF_HELPER_BYTES); + \endcode + + \sa wc_HWPUF_Start + \sa wc_HWPUF_GetKey +*/ +int wc_HWPUF_Enroll(wc_HWPUF* hwpuf); + +/*! + \ingroup HWPUF + + \brief Reconstruct stable HWPUF bits from noisy SRAM using stored helper + data. BCH error correction (t=10) corrects up to 10 bit flips per + 127-bit codeword. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf or helperData is NULL + \return HWPUF_RECONSTRUCT_E on failure (too many bit errors or helperSz + too small) + + \param hwpuf pointer to wc_HWPUF + + _Example_ + \code + wc_HWPUF_Start(&s_hwpuf); + \endcode + + \sa wc_HWPUF_Enroll + \sa wc_HWPUF_GetKey +*/ +int wc_HWPUF_Start(wc_HWPUF* hwpuf); + +/*! + \ingroup HWPUF + + \brief Derive a cryptographic key from HWPUF stable bits using HKDF. + Uses SHA-256 by default, or SHA3-256 when WC_HWPUF_SHA3 is defined. + The info parameter provides domain separation for multiple keys. + Requires HAVE_HKDF. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf or key is NULL, or keySz is 0 + \return HWPUF_DERIVE_KEY_E if HWPUF not ready or HKDF fails + + \param hwpuf pointer to wc_HWPUF (must be enrolled or reconstructed) + \param info optional context info for domain separation (may be NULL; + when NULL, infoSz is treated as 0) + \param infoSz size of info in bytes + \param key output buffer for derived key + \param keySz desired key size in bytes + + _Example_ + \code + byte key[32]; + const byte info[] = "my-app-key"; + wc_HWPUF_GetKey(&s_hwpuf, info, sizeof(info), key, sizeof(key)); + \endcode + + \sa wc_HWPUF_Start +*/ +int wc_HWPUF_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, + byte* keycode, word32 keycodeSz); + +/*! + \ingroup HWPUF + + \brief Derive a cryptographic key from HWPUF stable bits using HKDF. + Uses SHA-256 by default, or SHA3-256 when WC_HWPUF_SHA3 is defined. + The info parameter provides domain separation for multiple keys. + Requires HAVE_HKDF. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf or key is NULL, or keySz is 0 + \return HWPUF_DERIVE_KEY_E if HWPUF not ready or HKDF fails + + \param hwpuf pointer to wc_HWPUF (must be enrolled or reconstructed) + \param info optional context info for domain separation (may be NULL; + when NULL, infoSz is treated as 0) + \param infoSz size of info in bytes + \param key output buffer for derived key + \param keySz desired key size in bytes + + _Example_ + \code + byte key[32]; + const byte info[] = "my-app-key"; + wc_HWPUF_GetKey(&s_hwpuf, info, sizeof(info), key, sizeof(key)); + \endcode + + \sa wc_HWPUF_Enroll + \sa wc_HWPUF_Start +*/ +int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, + byte* key, word32 keySz, + byte* keycode, word32 keycodeSz); + +/*! + \ingroup HWPUF + + \brief Derive a cryptographic key from HWPUF stable bits using HKDF. + Uses SHA-256 by default, or SHA3-256 when WC_HWPUF_SHA3 is defined. + The info parameter provides domain separation for multiple keys. + Requires HAVE_HKDF. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf or key is NULL, or keySz is 0 + \return HWPUF_DERIVE_KEY_E if HWPUF not ready or HKDF fails + + \param hwpuf pointer to wc_HWPUF (must be enrolled or reconstructed) + \param info optional context info for domain separation (may be NULL; + when NULL, infoSz is treated as 0) + \param infoSz size of info in bytes + \param key output buffer for derived key + \param keySz desired key size in bytes + + _Example_ + \code + byte key[32]; + const byte info[] = "my-app-key"; + wc_HWPUF_GetKey(&s_hwpuf, info, sizeof(info), key, sizeof(key)); + \endcode + + \sa wc_HWPUF_Enroll + \sa wc_HWPUF_Start +*/ +int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, byte* keycode, word32 keycodeSz, + byte* key, word32 keySz); + +/*! + \ingroup HWPUF + + \brief Securely zeroize all sensitive data in the HWPUF context using + ForceZero. Call when HWPUF is no longer needed. + + \return 0 on success + \return BAD_FUNC_ARG if hwpuf is NULL + + \param hwpuf pointer to wc_HWPUF to zeroize + + _Example_ + \code + wc_HWPUF_Zeroize(&s_hwpuf); + \endcode + + \sa wc_HWPUF_Init + \sa wc_HWPUF_Deinit +*/ +int wc_HWPUF_Zeroize(wc_HWPUF* hwpuf); diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c index 3218e6efb27..07cf32a8a2c 100644 --- a/wolfcrypt/src/cryptocb.c +++ b/wolfcrypt/src/cryptocb.c @@ -111,6 +111,7 @@ static const char* GetAlgoTypeStr(int algo) case WC_ALGO_TYPE_CMAC: return "CMAC"; case WC_ALGO_TYPE_CERT: return "Cert"; case WC_ALGO_TYPE_KDF: return "KDF"; + case WC_ALGO_TYPE_HWPUF: return "HWPUF"; #ifdef WOLF_CRYPTO_CB_COPY case WC_ALGO_TYPE_COPY: return "Copy"; #endif /* WOLF_CRYPTO_CB_COPY */ @@ -233,7 +234,6 @@ static const char* GetCryptoCbCmdTypeStr(int type) } #endif - #if (defined(HAVE_HKDF) && !defined(NO_HMAC)) || defined(HAVE_CMAC_KDF) static const char* GetKdfTypeStr(int type) { @@ -247,6 +247,31 @@ static const char* GetKdfTypeStr(int type) } #endif +#ifdef WOLFSSL_HWPUF +static const char* GetHwpufTypeStr(int type) +{ + switch (type) { + case WC_HWPUF_TYPE_INIT: + return "INIT"; + case WC_HWPUF_TYPE_DEINIT: + return "DEINIT"; + case WC_HWPUF_TYPE_ENROLL: + return "ENROLL"; + case WC_HWPUF_TYPE_START: + return "START"; + case WC_HWPUF_TYPE_GENERATE_KEY: + return "GENERATE_KEY"; + case WC_HWPUF_TYPE_SET_KEY: + return "SET_KEY"; + case WC_HWPUF_TYPE_GET_KEY: + return "GET_KEY"; + case WC_HWPUF_TYPE_ZEROIZE: + return "ZEROIZE"; + } + return NULL; +} +#endif + void wc_CryptoCb_InfoString(wc_CryptoInfo* info) { if (info == NULL) @@ -346,6 +371,12 @@ void wc_CryptoCb_InfoString(wc_CryptoInfo* info) printf("Crypto CB: %s %s (%d)\n", GetAlgoTypeStr(info->algo_type), GetKdfTypeStr(info->kdf.type), info->kdf.type); } +#endif +#ifdef WOLFSSL_HWPUF + else if (info->algo_type == WC_ALGO_TYPE_HWPUF) { + printf("Crypto CB: %s %s (%d)\n", GetAlgoTypeStr(info->algo_type), + GetHwpufTypeStr(info->hwpuf.type), info->hwpuf.type); + } #endif else { printf("CryptoCb: %s \n", GetAlgoTypeStr(info->algo_type)); @@ -2551,6 +2582,202 @@ int wc_CryptoCb_SheExportKey(wc_SHE* she, } #endif /* WOLFSSL_SHE */ +#ifdef WOLFSSL_HWPUF +int wc_CryptoCb_HwpufInit(wc_HWPUF* hwpuf) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + dev = wc_CryptoCb_FindDevice(hwpuf->devId, WC_ALGO_TYPE_HWPUF); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; + cryptoInfo.hwpuf.hwpuf = hwpuf; + cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_INIT; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} + +int wc_CryptoCb_HwpufDeinit(wc_HWPUF* hwpuf) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + dev = wc_CryptoCb_FindDevice(hwpuf->devId, WC_ALGO_TYPE_HWPUF); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; + cryptoInfo.hwpuf.hwpuf = hwpuf; + cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_DEINIT; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} + +int wc_CryptoCb_HwpufEnroll(wc_HWPUF* hwpuf) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + dev = wc_CryptoCb_FindDevice(hwpuf->devId, WC_ALGO_TYPE_HWPUF); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; + cryptoInfo.hwpuf.hwpuf = hwpuf; + cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_ENROLL; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} + +int wc_CryptoCb_HwpufStart(wc_HWPUF* hwpuf) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + dev = wc_CryptoCb_FindDevice(hwpuf->devId, WC_ALGO_TYPE_HWPUF); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; + cryptoInfo.hwpuf.hwpuf = hwpuf; + cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_START; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} + +int wc_CryptoCb_HwpufGenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, + byte* keycode, word32 keycodeSz) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + dev = wc_CryptoCb_FindDevice(hwpuf->devId, WC_ALGO_TYPE_HWPUF); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; + cryptoInfo.hwpuf.hwpuf = hwpuf; + cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_GENERATE_KEY; + cryptoInfo.hwpuf.op.generateKey.keyIdx = keyIdx; + cryptoInfo.hwpuf.op.generateKey.keySz = keySz; + cryptoInfo.hwpuf.op.generateKey.keycode = keycode; + cryptoInfo.hwpuf.op.generateKey.keycodeSz = keycodeSz; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} + +int wc_CryptoCb_HwpufSetKey(wc_HWPUF* hwpuf, byte keyIdx, + byte* key, word32 keySz, + byte* keycode, word32 keycodeSz) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + dev = wc_CryptoCb_FindDevice(hwpuf->devId, WC_ALGO_TYPE_HWPUF); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; + cryptoInfo.hwpuf.hwpuf = hwpuf; + cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_SET_KEY; + cryptoInfo.hwpuf.op.setKey.keyIdx = keyIdx; + cryptoInfo.hwpuf.op.setKey.key = key; + cryptoInfo.hwpuf.op.setKey.keySz = keySz; + cryptoInfo.hwpuf.op.setKey.keycode = keycode; + cryptoInfo.hwpuf.op.setKey.keycodeSz = keycodeSz; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} + +int wc_CryptoCb_HwpufGetKey(wc_HWPUF* hwpuf, + byte* keycode, word32 keycodeSz, + byte* key, word32 keySz) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + dev = wc_CryptoCb_FindDevice(hwpuf->devId, WC_ALGO_TYPE_HWPUF); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; + cryptoInfo.hwpuf.hwpuf = hwpuf; + cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_GET_KEY; + cryptoInfo.hwpuf.op.getKey.keycode = keycode; + cryptoInfo.hwpuf.op.getKey.keycodeSz = keycodeSz; + cryptoInfo.hwpuf.op.getKey.key = key; + cryptoInfo.hwpuf.op.getKey.keySz = keySz; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} + +int wc_CryptoCb_HwpufZeroize(wc_HWPUF* hwpuf) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + dev = wc_CryptoCb_FindDevice(hwpuf->devId, WC_ALGO_TYPE_HWPUF); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; + cryptoInfo.hwpuf.hwpuf = hwpuf; + cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_ZEROIZE; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} +#endif /* WOLFSSL_HWPUF */ + /* returns the default dev id for the current build */ int wc_CryptoCb_DefaultDevID(void) { diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 8826d9b1988..1687736e577 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -713,6 +713,30 @@ const char* wc_GetErrorString(int error) case PUF_IDENTITY_E: return "PUF identity retrieval failed"; + case HWPUF_INIT_E: + return "HWPUF initialization failed"; + + case HWPUF_DEINIT_E: + return "HWPUF deinitialization failed"; + + case HWPUF_ENROLL_E: + return "HWPUF enrollment failed"; + + case HWPUF_START_E: + return "HWPUF start failed"; + + case HWPUF_GENERATE_KEY_E: + return "HWPUF generate key failed"; + + case HWPUF_SET_KEY_E: + return "HWPUF set key failed"; + + case HWPUF_GET_KEY_E: + return "HWPUF get key failed"; + + case HWPUF_ZEROIZE_E: + return "HWPUF zeroize failed"; + case MAX_CODE_E: case WC_SPAN1_MIN_CODE_E: case MIN_CODE_E: diff --git a/wolfcrypt/src/hwpuf.c b/wolfcrypt/src/hwpuf.c new file mode 100644 index 00000000000..f27f3c7bf83 --- /dev/null +++ b/wolfcrypt/src/hwpuf.c @@ -0,0 +1,208 @@ +/* hwpuf.c + * + * Copyright (C) 2006-2026 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifdef WOLFSSL_HWPUF + +#include +#include +#include +#include +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +#ifdef WOLFSSL_NXP_HWPUF + #include +#endif + + +WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) +{ + int ret = 0; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + if (devId == INVALID_DEVID) + return BAD_FUNC_ARG; + + ForceZero(hwpuf, sizeof(wc_HWPUF)); + hwpuf->heap = heap; + hwpuf->devId = devId; + +#ifdef WOLFSSL_NXP_HWPUF + if (devId == WOLFSSL_NXP_HWPUF_DEVID) { + ret = nxp_hwpuf_RegisterDevice(hwpuf); + } +#else + #error No hwpuf device defined +#endif + + return ret; +} + +WOLFSSL_API int wc_HWPUF_Unregister(wc_HWPUF* hwpuf) +{ + int ret = 0; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + +#ifdef WOLFSSL_NXP_HWPUF + if (hwpuf->devId == WOLFSSL_NXP_HWPUF_DEVID) { + ret = nxp_hwpuf_UnregisterDevice(hwpuf); + } +#else + #error No hwpuf device defined +#endif + + ForceZero(hwpuf, sizeof(wc_HWPUF)); + + return ret; +} + +WOLFSSL_API int wc_HWPUF_Init(wc_HWPUF* hwpuf) +{ + int ret; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + if ((hwpuf->flags & WC_HWPUF_FLAG_INITED) != 0) + return HWPUF_INIT_E; + + ret = wc_CryptoCb_HwpufInit(hwpuf); + if (ret == 0) + hwpuf->flags |= WC_HWPUF_FLAG_INITED; + + return ret; +} + +WOLFSSL_API int wc_HWPUF_Deinit(wc_HWPUF* hwpuf) +{ + int ret; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + ret = wc_CryptoCb_HwpufDeinit(hwpuf); + hwpuf->flags = 0; + + return ret; +} + +WOLFSSL_API int wc_HWPUF_Enroll(wc_HWPUF* hwpuf) +{ + int ret; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + if ((hwpuf->flags & WC_HWPUF_FLAG_ENROLLED) != 0) + return HWPUF_ENROLL_E; + if ((hwpuf->flags & WC_HWPUF_FLAG_READY) != 0) + return HWPUF_ENROLL_E; + + ret = wc_CryptoCb_HwpufEnroll(hwpuf); + if (ret == 0) + hwpuf->flags |= WC_HWPUF_FLAG_ENROLLED; + + return ret; +} + +WOLFSSL_API int wc_HWPUF_Start(wc_HWPUF* hwpuf) +{ + int ret; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + if ((hwpuf->flags & WC_HWPUF_FLAG_ENROLLED) != 0) + return HWPUF_START_E; + if ((hwpuf->flags & WC_HWPUF_FLAG_READY) != 0) + return HWPUF_START_E; + + ret = wc_CryptoCb_HwpufStart(hwpuf); + if (ret == 0) + hwpuf->flags |= WC_HWPUF_FLAG_READY; + + return ret; +} + +WOLFSSL_API int wc_HWPUF_GenerateKey(wc_HWPUF* hwpuf, + byte keyIdx, word32 keySz, + byte* keycode, word32 keycodeSz) +{ + int ret; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + if ((hwpuf->flags & WC_HWPUF_FLAG_READY) == 0) + return HWPUF_GENERATE_KEY_E; + + ret = wc_CryptoCb_HwpufGenerateKey(hwpuf, keyIdx, keySz, + keycode, keycodeSz); + return ret; +} + +WOLFSSL_API int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, + byte* key, word32 keySz, + byte* keycode, word32 keycodeSz) +{ + int ret; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + if ((hwpuf->flags & WC_HWPUF_FLAG_READY) == 0) + return HWPUF_SET_KEY_E; + + ret = wc_CryptoCb_HwpufSetKey(hwpuf, keyIdx, key, keySz, + keycode, keycodeSz); + return ret; +} + +WOLFSSL_API int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, + byte* keycode, word32 keycodeSz, + byte* key, word32 keySz) +{ + int ret; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + if ((hwpuf->flags & WC_HWPUF_FLAG_READY) == 0) + return HWPUF_GET_KEY_E; + + ret = wc_CryptoCb_HwpufGetKey(hwpuf, keycode, keycodeSz, key, keySz); + return ret; +} + +WOLFSSL_API int wc_HWPUF_Zeroize(wc_HWPUF* hwpuf) +{ + int ret; + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + ret = wc_CryptoCb_HwpufZeroize(hwpuf); + hwpuf->flags = 0; + + return ret; +} +#endif /* WOLFSSL_HWPUF */ diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index 18d7a339cd5..c649f80f19a 100644 --- a/wolfcrypt/src/include.am +++ b/wolfcrypt/src/include.am @@ -23,6 +23,7 @@ EXTRA_DIST += wolfcrypt/src/poly1305_asm.asm EXTRA_DIST += wolfcrypt/src/wc_dsp.c EXTRA_DIST += wolfcrypt/src/sp_dsp32.c EXTRA_DIST += wolfcrypt/src/sp_x86_64_asm.asm +EXTRA_DIST += wolfcrypt/src/hwpuf.c EXTRA_DIST += \ wolfcrypt/src/ecc_fp.c \ @@ -73,6 +74,7 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \ wolfcrypt/src/port/nxp/README.md \ wolfcrypt/src/port/nxp/casper_port.c \ wolfcrypt/src/port/nxp/hashcrypt_port.c \ + wolfcrypt/src/port/nxp/hwpuf_port.c \ wolfcrypt/src/port/atmel/README.md \ wolfcrypt/src/port/xilinx/xil-sha3.c \ wolfcrypt/src/port/xilinx/xil-aesgcm.c \ diff --git a/wolfcrypt/src/port/nxp/hwpuf_port.c b/wolfcrypt/src/port/nxp/hwpuf_port.c new file mode 100644 index 00000000000..ff034efd234 --- /dev/null +++ b/wolfcrypt/src/port/nxp/hwpuf_port.c @@ -0,0 +1,360 @@ +/* hwpuf_port.c + * + * Copyright (C) 2006-2026 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + +#include + +#if defined(WOLFSSL_HWPUF) && defined(WOLFSSL_NXP_HWPUF) + +#ifndef WOLF_CRYPTO_CB + #error WOLFSSL_HWPUF support requires ./configure --enable-cryptocb or WOLF_CRYPTO_CB to be defined +#endif + +#include +#include +#include +#include +#include "fsl_iap_ffr.h" +#include "fsl_puf.h" +#include "fsl_rng.h" + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +typedef struct nxp_hwpuf_ctx { + byte activationCode[PUF_ACTIVATION_CODE_SIZE]; + byte ac_set; + word32 keyMask; /* unique per reset */ +} nxp_hwpuf_ctx; + +static nxp_hwpuf_ctx ctx; +static puf_config_t conf; + + +static int getACFromPFR(byte *ac) +{ + int ret; + flash_config_t flashInstance; + + memset(&flashInstance, 0, sizeof(flash_config_t)); + FLASH_Init(&flashInstance); + FFR_Init(&flashInstance); + + ret = FFR_KeystoreGetAC(&flashInstance, ac); + return ret != kStatus_Success; +} + +static int keyCodeCheck(byte* keycode, word32* keytype, + word32* keyidx, word32* keysize) +{ + *keytype = keycode[0]; + *keyidx = keycode[1]; + *keysize = keycode[3] == 0 ? 512 : 8 * keycode[3] ; + + if (*keytype >= 2) + return 1; + if (*keyidx >= 16) + return 2; + if ( !HWPUF_KEY_SIZE_IS_VALID(*keysize) ) + return 3; + + return 0; +} + +static int nxp_hwpuf_Init(wc_HWPUF* hwpuf) +{ + WOLFSSL_ENTER("nxp_hwpuf_Init"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + PUF_GetDefaultConfig(&conf); + if (PUF_Init(PUF, &conf) != kStatus_Success) { + PUF_Deinit(PUF, &conf); + return HWPUF_INIT_E; + } + ctx.keyMask = RNG->RANDOM_NUMBER; + return 0; +} + +static int nxp_hwpuf_Deinit(wc_HWPUF* hwpuf) +{ + WOLFSSL_ENTER("nxp_hwpuf_Deinit"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + PUF_Deinit(PUF, &conf); + + return 0; +} + +static int nxp_hwpuf_Enroll(wc_HWPUF* hwpuf) +{ + int ret; + byte activationCode[PUF_ACTIVATION_CODE_SIZE]; + + WOLFSSL_ENTER("nxp_hwpuf_Enroll"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + ret = PUF_Enroll(PUF, activationCode, sizeof(activationCode)); + if (ret == kStatus_EnrollNotAllowed) { + /* power cycle and try again */ + (void)PUF_PowerCycle(PUF, &conf); + ret = PUF_Enroll(PUF, activationCode, sizeof(activationCode)); + } + if (ret != kStatus_Success) { + PUF_Deinit(PUF, &conf); + return HWPUF_ENROLL_E; + } + + /* wipe ctx if enroll succeeded (re-enroll will render ctx moot) */ + XMEMSET(&ctx, 0, sizeof(ctx)); + /* store activation code */ + XMEMCPY(ctx.activationCode, activationCode, PUF_ACTIVATION_CODE_SIZE); + ctx.ac_set = 1; + + return 0; +} + +static int nxp_hwpuf_Start(wc_HWPUF* hwpuf) +{ + int ret; + + WOLFSSL_ENTER("nxp_hwpuf_Start"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + if (ctx.ac_set == 0) { + byte activationCode[PUF_ACTIVATION_CODE_SIZE]; + /* try pulling from mfg flash area (what rom code uses) */ + if (getACFromPFR(activationCode) != 0) + return HWPUF_START_E; + + XMEMCPY(ctx.activationCode, activationCode, + PUF_ACTIVATION_CODE_SIZE); + ctx.ac_set = 1; + } + + ret = PUF_Start(PUF, ctx.activationCode, PUF_ACTIVATION_CODE_SIZE); + if (ret == kStatus_StartNotAllowed) { + /* power cycle and try again */ + (void)PUF_PowerCycle(PUF, &conf); + ret = PUF_Start(PUF, ctx.activationCode, PUF_ACTIVATION_CODE_SIZE); + } + if (ret != kStatus_Success) { + PUF_Deinit(PUF, &conf); + return HWPUF_START_E; + } + + return 0; +} + +static int nxp_hwpuf_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, + byte* keycode, word32 keycodeSz) +{ + int ret; + word32 kcSz; + + WOLFSSL_ENTER("nxp_hwpuf_GenerateKey"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + if (keyIdx > kPUF_KeyIndexMax) + return BAD_FUNC_ARG; + if ( !HWPUF_KEY_SIZE_IS_VALID(keySz) ) + return BAD_FUNC_ARG; + kcSz = PUF_GET_KEY_CODE_SIZE_FOR_KEY_SIZE(keySz); + if (keycode == NULL || kcSz != keycodeSz) + return BAD_FUNC_ARG; + + ret = PUF_SetIntrinsicKey(PUF, (puf_key_index_register_t)keyIdx, keySz, + keycode, keycodeSz); + if (ret != kStatus_Success) + return HWPUF_GENERATE_KEY_E; + + return 0; +} + +static int nxp_hwpuf_SetKey(wc_HWPUF* hwpuf, byte keyIdx, + byte* key, word32 keySz, + byte* keycode, word32 keycodeSz) +{ + WOLFSSL_ENTER("nxp_hwpuf_SetKey"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + return 0; +} + +static int nxp_hwpuf_GetKey(wc_HWPUF* hwpuf, byte* keycode, word32 keycodeSz, + byte* key, word32 keySz) +{ + int ret; + word32 keytype, keyidx, keysize; + word32 kcSz; + + WOLFSSL_ENTER("nxp_hwpuf_GetKey"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + if (keycode == NULL || keycodeSz < PUF_MIN_KEY_CODE_SIZE) + return BAD_FUNC_ARG; + + ret = keyCodeCheck(keycode, &keytype, &keyidx, &keysize); + if (ret != kStatus_Success) + return BAD_FUNC_ARG; + + kcSz = PUF_GET_KEY_CODE_SIZE_FOR_KEY_SIZE(keysize); + if (kcSz != keycodeSz) + return BAD_FUNC_ARG; + if (keyidx != kPUF_KeyIndex_00 && (key == NULL || keysize != keySz)) + return BAD_FUNC_ARG; + + /* keyidx 0 means key is sent directly on hw bus, never exposed */ + if (keyidx == kPUF_KeyIndex_00) { + /* keyslot 0 means send to aes engine */ + ret = PUF_GetHwKey(PUF, keycode, keycodeSz, kPUF_KeySlot0, + ctx.keyMask); + if (ret != kStatus_Success) + return HWPUF_GET_KEY_E; + if (key) + XMEMSET(key, 0, keySz); /* no key to return, zero out */ + } + else { + ret = PUF_GetKey(PUF, keycode, keycodeSz, key, keySz); + if (ret != kStatus_Success) + return HWPUF_GET_KEY_E; + } + return 0; +} + +static int nxp_hwpuf_Zeroize(wc_HWPUF* hwpuf) +{ + WOLFSSL_ENTER("nxp_hwpuf_Zeroize"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + ForceZero(&ctx, sizeof(ctx)); + + if (PUF_Zeroize(PUF) != kStatus_Success) { + PUF_Deinit(PUF, &conf); + return HWPUF_ZEROIZE_E; + } + return 0; +} + +static int nxp_hwpuf_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) +{ + int ret = CRYPTOCB_UNAVAILABLE; + + WOLFSSL_ENTER("nxp_hwpuf_CryptoDevCb"); + + if (info == NULL) + return BAD_FUNC_ARG; + if (devId == INVALID_DEVID) + return CRYPTOCB_UNAVAILABLE; + if (info->algo_type != WC_ALGO_TYPE_HWPUF) + return CRYPTOCB_UNAVAILABLE; + +#ifdef DEBUG_CRYPTOCB + wc_CryptoCb_InfoString(info); +#endif + + if (info->hwpuf.type == WC_HWPUF_TYPE_INIT) { + ret = nxp_hwpuf_Init(info->hwpuf.hwpuf); + } + else if (info->hwpuf.type == WC_HWPUF_TYPE_DEINIT) { + ret = nxp_hwpuf_Deinit(info->hwpuf.hwpuf); + } + else if (info->hwpuf.type == WC_HWPUF_TYPE_ENROLL) { + ret = nxp_hwpuf_Enroll(info->hwpuf.hwpuf); + } + else if (info->hwpuf.type == WC_HWPUF_TYPE_START) { + ret = nxp_hwpuf_Start(info->hwpuf.hwpuf); + } + else if (info->hwpuf.type == WC_HWPUF_TYPE_GENERATE_KEY) { + ret = nxp_hwpuf_GenerateKey(info->hwpuf.hwpuf, + info->hwpuf.op.generateKey.keyIdx, + info->hwpuf.op.generateKey.keySz, + info->hwpuf.op.generateKey.keycode, + info->hwpuf.op.generateKey.keycodeSz); + } + else if (info->hwpuf.type == WC_HWPUF_TYPE_SET_KEY) { + ret = nxp_hwpuf_SetKey(info->hwpuf.hwpuf, + info->hwpuf.op.setKey.keyIdx, + info->hwpuf.op.setKey.key, + info->hwpuf.op.setKey.keySz, + info->hwpuf.op.setKey.keycode, + info->hwpuf.op.setKey.keycodeSz); + } + else if (info->hwpuf.type == WC_HWPUF_TYPE_GET_KEY) { + ret = nxp_hwpuf_GetKey(info->hwpuf.hwpuf, + info->hwpuf.op.getKey.keycode, + info->hwpuf.op.getKey.keycodeSz, + info->hwpuf.op.getKey.key, + info->hwpuf.op.getKey.keySz); + } + else if (info->hwpuf.type == WC_HWPUF_TYPE_ZEROIZE) { + ret = nxp_hwpuf_Zeroize(info->hwpuf.hwpuf); + } + return ret; +} + +WOLFSSL_API int nxp_hwpuf_RegisterDevice(wc_HWPUF* hwpuf) +{ + int ret; + + WOLFSSL_ENTER("nxp_hwpuf_RegisterDevice"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + ret = wc_CryptoCb_RegisterDevice(hwpuf->devId, nxp_hwpuf_CryptoDevCb, NULL); + if (ret != 0) { + WOLFSSL_ERROR_MSG("NXP_HWPUF: nxp_hwpuf_CryptoDevCb, " + "wc_CryptoCb_RegisterDevice() failed"); + } + return ret; +} + +WOLFSSL_API int nxp_hwpuf_UnregisterDevice(wc_HWPUF* hwpuf) +{ + WOLFSSL_ENTER("nxp_hwpuf_UnregisterDevice"); + + if (hwpuf == NULL) + return BAD_FUNC_ARG; + + wc_CryptoCb_UnRegisterDevice(hwpuf->devId); + + return 0; +} + +#endif /* WOLFSSL_HWPUF && WOLFSSL_NXP_HWPUF */ diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 63c1bb57f54..41b511f342e 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -189,6 +189,9 @@ Threading/Mutex options: #ifdef WOLFSSL_NXP_HASHCRYPT #include #endif +#ifdef WOLFSSL_NXP_HWPUF + #include +#endif #ifdef WOLF_CRYPTO_CB #include diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index d76dd112c99..7ab224e7ef3 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -428,6 +428,12 @@ static const byte const_byte_array[] = "A+Gd\0\0\0"; #ifdef WOLFSSL_PUF #include #endif +#ifdef WOLFSSL_HWPUF + #include +#endif +#ifdef WOLFSSL_NXP_HWPUF + #include +#endif #ifdef HAVE_LIBZ #include #endif @@ -887,6 +893,9 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t sm4_test(void); #ifdef WOLFSSL_PUF WOLFSSL_TEST_SUBROUTINE wc_test_ret_t puf_test(void); #endif +#ifdef WOLFSSL_HWPUF +WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void); +#endif #ifdef WC_RSA_NO_PADDING WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_no_pad_test(void); #endif @@ -2946,6 +2955,13 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\ TEST_PASS("PUF test passed!\n"); #endif +#ifdef WOLFSSL_HWPUF + if ( (ret = hwpuf_test()) != 0) + return err_sys("HWPUF test failed!\n", ret); + else + TEST_PASS("HWPUF test passed!\n"); +#endif + #if !defined(NO_RSA) && !defined(HAVE_RENESAS_SYNC) #ifdef WC_RSA_NO_PADDING if ( (ret = rsa_no_pad_test()) != 0) @@ -23324,6 +23340,167 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t puf_test(void) } #endif /* WOLFSSL_PUF */ +#ifdef WOLFSSL_HWPUF +WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) +{ + wc_test_ret_t ret = 0; + wc_HWPUF hwpuf; + byte keycode16[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(16)]; + byte key16_1[16]; + byte key16_2[16]; + byte keycode24[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(24)]; + byte key24_1[24]; + byte key24_2[24]; + byte keycode32[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(32)]; + byte key32_1[32]; + byte key32_2[32]; + + WOLFSSL_ENTER("hwpuf_test"); + + ret = wc_HWPUF_Register(&hwpuf, NULL, WOLFSSL_NXP_HWPUF_DEVID); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + + /* ---- Test 1: Init ---- */ + ret = wc_HWPUF_Init(&hwpuf); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + + /* ---- Test 2: Enroll ---- */ + ret = wc_HWPUF_Enroll(&hwpuf); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + + /* hw puf requires a deinit/init cycle after enroll */ + (void)wc_HWPUF_Deinit(&hwpuf); + (void)wc_HWPUF_Init(&hwpuf); + + /* ---- Test 3: Start ---- */ + ret = wc_HWPUF_Start(&hwpuf); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + + /* ---- Test 4: Generate keys of size 16, 24, 32 bytes ---- */ + /* generate a 16-byte key and get a keycode */ + ret = wc_HWPUF_GenerateKey(&hwpuf, 1, 16, keycode16, sizeof(keycode16)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + /* get key from keycode */ + ret = wc_HWPUF_GetKey(&hwpuf, keycode16, sizeof(keycode16), key16_1, sizeof(key16_1)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + /* generate a 24-byte key and get a keycode */ + ret = wc_HWPUF_GenerateKey(&hwpuf, 1, 24, keycode24, sizeof(keycode24)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + /* get key from keycode */ + ret = wc_HWPUF_GetKey(&hwpuf, keycode24, sizeof(keycode24), key24_1, sizeof(key24_1)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + /* generate a 32-byte key and get a keycode */ + ret = wc_HWPUF_GenerateKey(&hwpuf, 1, 32, keycode32, sizeof(keycode32)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + /* get key from keycode */ + ret = wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), key32_1, sizeof(key32_1)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + + /* ---- Test 5: restart and derive the same 3 keys ---- */ + (void)wc_HWPUF_Deinit(&hwpuf); + (void)wc_HWPUF_Init(&hwpuf); + ret = wc_HWPUF_Start(&hwpuf); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + /* 16-byte */ + ret = wc_HWPUF_GetKey(&hwpuf, keycode16, sizeof(keycode16), key16_2, sizeof(key16_2)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + /* 24-byte */ + ret = wc_HWPUF_GetKey(&hwpuf, keycode24, sizeof(keycode24), key24_2, sizeof(key24_2)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + /* 32-byte */ + ret = wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), key32_2, sizeof(key32_2)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + + /* all keys match? */ + if (XMEMCMP(key16_1, key16_2, 16) != 0) + return WC_TEST_RET_ENC_NC; + if (XMEMCMP(key24_1, key24_2, 24) != 0) + return WC_TEST_RET_ENC_NC; + if (XMEMCMP(key32_1, key32_2, 32) != 0) + return WC_TEST_RET_ENC_NC; + + /* ---- Test 7: generate a key and send directly to hw bus ---- */ + ret = wc_HWPUF_GenerateKey(&hwpuf, 0, 32, keycode32, sizeof(keycode32)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + /* get key from keycode */ + ret = wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), key32_2, sizeof(key32_2)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + { /* key1 should be zeroed */ + int idx; + for (idx = 0; idx < sizeof(key32_2); ++idx) { + if (key32_2[idx]) + return WC_TEST_RET_ENC_NC; + } + } + + /* ---- Test 8: Bad argument checks ---- */ + /* null hwpuf */ + if (wc_HWPUF_Init(NULL) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + return WC_TEST_RET_ENC_NC; + if (wc_HWPUF_Deinit(NULL) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + return WC_TEST_RET_ENC_NC; + if (wc_HWPUF_Enroll(NULL) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + return WC_TEST_RET_ENC_NC; + if (wc_HWPUF_Zeroize(NULL) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + return WC_TEST_RET_ENC_NC; + /* out of bounds key index */ + if (wc_HWPUF_GenerateKey(&hwpuf, 16, 32, keycode32, sizeof(keycode32)) + != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + return WC_TEST_RET_ENC_NC; + /* invalid key code storage size */ + if (wc_HWPUF_GenerateKey(&hwpuf, 1, 32, keycode32, 99) + != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + return WC_TEST_RET_ENC_NC; + /* null key code storage */ + if (wc_HWPUF_GenerateKey(&hwpuf, 1, 32, NULL, sizeof(keycode32)) + != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + return WC_TEST_RET_ENC_NC; + /* invalid key storage size */ + ret = wc_HWPUF_GenerateKey(&hwpuf, 7, 32, keycode32, sizeof(keycode32)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + if (wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), key32_1, sizeof(key16_1)) + != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + return WC_TEST_RET_ENC_NC; + /* null key storage */ + if (wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), NULL, sizeof(key32_1)) + != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + return WC_TEST_RET_ENC_NC; + + /* ---- Test 9: Zeroize ---- */ + ret = wc_HWPUF_Zeroize(&hwpuf); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + if (wc_HWPUF_GetKey(&hwpuf, keycode24, sizeof(keycode32), key24_1, sizeof(key24_1)) + != WC_NO_ERR_TRACE(HWPUF_GET_KEY_E)) + return WC_TEST_RET_ENC_NC; + + /* ---- clean up ---- */ + (void)wc_HWPUF_Deinit(&hwpuf); + ret = wc_HWPUF_Unregister(&hwpuf); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); + + return 0; +} +#endif /* WOLFSSL_HWPUF */ + #ifdef HAVE_XCHACHA WOLFSSL_TEST_SUBROUTINE wc_test_ret_t XChaCha_test(void) { diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index b0aaad2f374..90854283ff2 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -68,6 +68,9 @@ #ifdef WOLFSSL_SHE #include #endif +#ifdef WOLFSSL_HWPUF + #include +#endif #ifdef HAVE_ED25519 #include #endif @@ -575,6 +578,34 @@ typedef struct wc_CryptoInfo { } op; } she; #endif +#ifdef WOLFSSL_HWPUF + struct { + void* hwpuf; /* wc_HWPUF* context */ + int type; /* enum wc_HwpufType - discriminator */ + const void* ctx; /* read-only caller context */ + union { + struct { + byte keyIdx; + word32 keySz; + byte* keycode; + word32 keycodeSz; + } generateKey; + struct { + byte keyIdx; + byte* key; + word32 keySz; + byte* keycode; + word32 keycodeSz; + } setKey; + struct { + byte* keycode; + word32 keycodeSz; + byte* key; + word32 keySz; + } getKey; + } op; + } hwpuf; +#endif #ifndef NO_CERTS struct { const byte *id; @@ -943,7 +974,23 @@ WOLFSSL_LOCAL int wc_CryptoCb_SheExportKey(wc_SHE* she, byte* m4, word32 m4Sz, byte* m5, word32 m5Sz, const void* ctx); -#endif +#endif /* WOLFSSL_SHE */ + +#ifdef WOLFSSL_HWPUF +WOLFSSL_LOCAL int wc_CryptoCb_HwpufInit(wc_HWPUF* hwpuf); +WOLFSSL_LOCAL int wc_CryptoCb_HwpufDeinit(wc_HWPUF* hwpuf); +WOLFSSL_LOCAL int wc_CryptoCb_HwpufEnroll(wc_HWPUF* hwpuf); +WOLFSSL_LOCAL int wc_CryptoCb_HwpufStart(wc_HWPUF* hwpuf); +WOLFSSL_LOCAL int wc_CryptoCb_HwpufGenerateKey(wc_HWPUF* hwpuf, byte keyIdx, + word32 keySz, byte* keycode, word32 keycodeSz); +WOLFSSL_LOCAL int wc_CryptoCb_HwpufSetKey(wc_HWPUF* hwpuf, byte keyIdx, + byte* key, word32 keySz, + byte* keycode, word32 keycodeSz); +WOLFSSL_LOCAL int wc_CryptoCb_HwpufGetKey(wc_HWPUF* hwpuf, + byte* keycode, word32 keycodeSz, + byte* key, word32 keySz); +WOLFSSL_LOCAL int wc_CryptoCb_HwpufZeroize(wc_HWPUF* hwpuf); +#endif /* WOLFSSL_HWPUF */ #ifndef NO_CERTS WOLFSSL_LOCAL int wc_CryptoCb_GetCert(int devId, const char *label, diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 736954a0a76..6eefce0544e 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -328,8 +328,17 @@ enum wolfCrypt_ErrorCodes { DRBG_SHA512_KAT_FIPS_E = -1017, /* SHA-512 DRBG KAT failure */ SLH_DSA_KAT_FIPS_E = -1018, /* SLH-DSA CAST KAT failure */ - WC_SPAN2_LAST_E = -1018, /* Update to indicate last used error code */ - WC_LAST_E = -1018, /* the last code used either here or in + HWPUF_INIT_E = -1019, /* HWPUF initialization failed */ + HWPUF_DEINIT_E = -1020, /* HWPUF deinitialization failed */ + HWPUF_ENROLL_E = -1021, /* HWPUF enrollment failed */ + HWPUF_START_E = -1022, /* HWPUF start failed */ + HWPUF_GENERATE_KEY_E= -1023, /* HWPUF generate key failed */ + HWPUF_SET_KEY_E = -1024, /* HWPUF set key failed */ + HWPUF_GET_KEY_E = -1025, /* HWPUF get key failed */ + HWPUF_ZEROIZE_E = -1026, /* HWPUF zeroize failed */ + + WC_SPAN2_LAST_E = -1026, /* Update to indicate last used error code */ + WC_LAST_E = -1026, /* the last code used either here or in * error-ssl.h */ WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */ diff --git a/wolfssl/wolfcrypt/hwpuf.h b/wolfssl/wolfcrypt/hwpuf.h new file mode 100644 index 00000000000..2e30345d957 --- /dev/null +++ b/wolfssl/wolfcrypt/hwpuf.h @@ -0,0 +1,88 @@ +/* hwpuf.h + * + * Copyright (C) 2006-2026 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + +#ifndef WOLF_CRYPT_HWPUF_H +#define WOLF_CRYPT_HWPUF_H + +#include + +#ifdef WOLFSSL_HWPUF + +#include + +#ifdef __cplusplus + extern "C" { +#endif + +/* flags stored in wc_HWPUF.flags */ +enum wc_HwpufFlags { + WC_HWPUF_FLAG_NONE = 0, /* Deinit() clears all flags */ + WC_HWPUF_FLAG_INITED = 0x01, /* Init() called successfully */ + WC_HWPUF_FLAG_ENROLLED = 0x02, /* Enroll() called successfully */ + WC_HWPUF_FLAG_READY = 0x04, /* Start() called successfully */ + WOLF_ENUM_DUMMY_LAST_ELEMENT(WC_HWPUF_FLAG) +}; + +/* operation type passed to CryptoCb via wc_CryptoInfo.hwpuf.type */ +enum wc_HwpufType { + WC_HWPUF_TYPE_NONE = 0, + WC_HWPUF_TYPE_INIT = 1, + WC_HWPUF_TYPE_DEINIT = 2, + WC_HWPUF_TYPE_ENROLL = 3, + WC_HWPUF_TYPE_START = 4, + WC_HWPUF_TYPE_GENERATE_KEY = 5, + WC_HWPUF_TYPE_SET_KEY = 6, + WC_HWPUF_TYPE_GET_KEY = 7, + WC_HWPUF_TYPE_ZEROIZE = 8, + WOLF_ENUM_DUMMY_LAST_ELEMENT(WC_HWPUF_TYPE) +}; + +typedef struct wc_HWPUF { + word32 flags; + int devId; + void* heap; +} wc_HWPUF; + +WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId); +WOLFSSL_API int wc_HWPUF_Unregister(wc_HWPUF* hwpuf); + +WOLFSSL_API int wc_HWPUF_Init(wc_HWPUF* hwpuf); +WOLFSSL_API int wc_HWPUF_Deinit(wc_HWPUF* hwpuf); +WOLFSSL_API int wc_HWPUF_Enroll(wc_HWPUF* hwpuf); +WOLFSSL_API int wc_HWPUF_Start(wc_HWPUF* hwpuf); +WOLFSSL_API int wc_HWPUF_GenerateKey(wc_HWPUF* hwpuf, + byte keyIdx, word32 keySz, + byte* keycode, word32 keycodeSz); +WOLFSSL_API int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, + byte* key, word32 keySz, + byte* keycode, word32 keycodeSz); +WOLFSSL_API int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, + byte* keycode, word32 keycodeSz, + byte* key, word32 keySz); +WOLFSSL_API int wc_HWPUF_Zeroize(wc_HWPUF* hwpuf); + +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* WOLFSSL_HWPUF */ +#endif /* WOLF_CRYPT_HWPUF_H */ diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index 9635e1a6cfd..1a775e2c896 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -85,6 +85,7 @@ nobase_include_HEADERS+= \ wolfssl/wolfcrypt/wc_xmss.h \ wolfssl/wolfcrypt/wc_slhdsa.h \ wolfssl/wolfcrypt/puf.h \ + wolfssl/wolfcrypt/hwpuf.h \ wolfssl/wolfcrypt/oid_sum.h noinst_HEADERS+= \ @@ -98,6 +99,7 @@ noinst_HEADERS+= \ wolfssl/wolfcrypt/port/nxp/dcp_port.h \ wolfssl/wolfcrypt/port/nxp/casper_port.h \ wolfssl/wolfcrypt/port/nxp/hashcrypt_port.h \ + wolfssl/wolfcrypt/port/nxp/hwpuf_port.h \ wolfssl/wolfcrypt/port/xilinx/xil-sha3.h \ wolfssl/wolfcrypt/port/xilinx/xil-versal-glue.h \ wolfssl/wolfcrypt/port/xilinx/xil-versal-trng.h \ diff --git a/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h b/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h new file mode 100644 index 00000000000..6a27884220e --- /dev/null +++ b/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h @@ -0,0 +1,39 @@ +/* hwpuf_port.h + * + * Copyright (C) 2006-2026 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ +#ifndef _NXP_HWPUF_PORT_H_ +#define _NXP_HWPUF_PORT_H_ + +#include +#include +#include "fsl_puf.h" + +#define WOLFSSL_NXP_HWPUF_DEVID 5569 + +#define HWPUF_KEY_SIZE_IS_VALID(keysz) \ + (keysz == 16 || keysz == 24 || keysz == 32) + +#define HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(keysz) \ + PUF_GET_KEY_CODE_SIZE_FOR_KEY_SIZE(keysz) + +WOLFSSL_API int nxp_hwpuf_RegisterDevice(wc_HWPUF* hwpuf); +WOLFSSL_API int nxp_hwpuf_UnregisterDevice(wc_HWPUF* hwpuf); + +#endif /* _NXP_HWPUF_PORT_H_ */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index e574273d746..8913c3498cc 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2204,6 +2204,9 @@ #define WOLFSSL_NXP_CASPER_RSA_PUB_EXPTMOD #define NO_WOLFSSL_SHA256_INTERLEAVE #endif +#if defined(WOLFSSL_NXP_HWPUF) && !defined(WOLF_CRYPTO_CB) + #define WOLF_CRYPTO_CB +#endif #ifdef FREESCALE_LTC_TFM_RSA_4096_ENABLE #undef USE_CERT_BUFFERS_4096 diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index cf8900f6ee0..68e3bccb5d0 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1433,7 +1433,8 @@ enum wc_AlgoType { WC_ALGO_TYPE_SETKEY = 12, WC_ALGO_TYPE_EXPORT_KEY = 13, WC_ALGO_TYPE_SHE = 14, - WC_ALGO_TYPE_MAX = WC_ALGO_TYPE_SHE + WC_ALGO_TYPE_HWPUF = 15, + WC_ALGO_TYPE_MAX = WC_ALGO_TYPE_HWPUF }; /* KDF types */ From 7473bf587952b64e6c3ac3c23bf32bb954c9673d Mon Sep 17 00:00:00 2001 From: Thomas Cook Date: Thu, 11 Jun 2026 15:16:56 -0400 Subject: [PATCH 2/8] Address some pr failures --- wolfcrypt/src/hwpuf.c | 7 ++++--- wolfcrypt/src/port/nxp/hwpuf_port.c | 6 +++--- wolfcrypt/test/test.c | 6 +++--- wolfssl/wolfcrypt/port/nxp/hwpuf_port.h | 10 +++++++--- 4 files changed, 17 insertions(+), 12 deletions(-) diff --git a/wolfcrypt/src/hwpuf.c b/wolfcrypt/src/hwpuf.c index f27f3c7bf83..623d1668da2 100644 --- a/wolfcrypt/src/hwpuf.c +++ b/wolfcrypt/src/hwpuf.c @@ -19,9 +19,10 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#include + #ifdef WOLFSSL_HWPUF -#include #include #include #include @@ -57,7 +58,7 @@ WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) #else #error No hwpuf device defined #endif - + return ret; } @@ -75,7 +76,7 @@ WOLFSSL_API int wc_HWPUF_Unregister(wc_HWPUF* hwpuf) #else #error No hwpuf device defined #endif - + ForceZero(hwpuf, sizeof(wc_HWPUF)); return ret; diff --git a/wolfcrypt/src/port/nxp/hwpuf_port.c b/wolfcrypt/src/port/nxp/hwpuf_port.c index ff034efd234..a252316d880 100644 --- a/wolfcrypt/src/port/nxp/hwpuf_port.c +++ b/wolfcrypt/src/port/nxp/hwpuf_port.c @@ -45,8 +45,8 @@ typedef struct nxp_hwpuf_ctx { byte activationCode[PUF_ACTIVATION_CODE_SIZE]; - byte ac_set; - word32 keyMask; /* unique per reset */ + byte ac_set; + word32 keyMask; /* unique per reset */ } nxp_hwpuf_ctx; static nxp_hwpuf_ctx ctx; @@ -57,7 +57,7 @@ static int getACFromPFR(byte *ac) { int ret; flash_config_t flashInstance; - + memset(&flashInstance, 0, sizeof(flash_config_t)); FLASH_Init(&flashInstance); FFR_Init(&flashInstance); diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 7ab224e7ef3..ae23db04cd1 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -23345,13 +23345,13 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) { wc_test_ret_t ret = 0; wc_HWPUF hwpuf; - byte keycode16[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(16)]; + byte keycode16[HWPUF_KEY_SIZE_TO_KEYCODE_SIZE(16)]; byte key16_1[16]; byte key16_2[16]; - byte keycode24[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(24)]; + byte keycode24[HWPUF_KEY_SIZE_TO_KEYCODE_SIZE(24)]; byte key24_1[24]; byte key24_2[24]; - byte keycode32[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(32)]; + byte keycode32[HWPUF_KEY_SIZE_TO_KEYCODE_SIZE(32)]; byte key32_1[32]; byte key32_2[32]; diff --git a/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h b/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h index 6a27884220e..3c287b907ef 100644 --- a/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h +++ b/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h @@ -22,18 +22,22 @@ #define _NXP_HWPUF_PORT_H_ #include + +#if defined(WOLFSSL_HWPUF) && defined(WOLFSSL_NXP_HWPUF) + #include -#include "fsl_puf.h" #define WOLFSSL_NXP_HWPUF_DEVID 5569 #define HWPUF_KEY_SIZE_IS_VALID(keysz) \ (keysz == 16 || keysz == 24 || keysz == 32) -#define HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(keysz) \ - PUF_GET_KEY_CODE_SIZE_FOR_KEY_SIZE(keysz) +/* keycode size is 52 for key sizes of 16, 24, or 32 */ +#define HWPUF_KEY_SIZE_TO_KEYCODE_SIZE(keysz) 52 WOLFSSL_API int nxp_hwpuf_RegisterDevice(wc_HWPUF* hwpuf); WOLFSSL_API int nxp_hwpuf_UnregisterDevice(wc_HWPUF* hwpuf); +#endif /* WOLFSSL_HWPUF && WOLFSSL_NXP_HWPUF */ + #endif /* _NXP_HWPUF_PORT_H_ */ From d3a6b67f80ffe517ac18a73255dc334c818086a4 Mon Sep 17 00:00:00 2001 From: Thomas Cook Date: Fri, 12 Jun 2026 13:33:08 -0400 Subject: [PATCH 3/8] misc cleanup - reworked activationCode and added to api - updated test.c - improved error checking - reworked device id usage - more --- wolfcrypt/src/cryptocb.c | 26 ++++--- wolfcrypt/src/error.c | 3 + wolfcrypt/src/hwpuf.c | 70 ++++++++++-------- wolfcrypt/src/port/nxp/hwpuf_port.c | 95 +++++++++++-------------- wolfcrypt/src/wc_port.c | 3 - wolfcrypt/test/test.c | 75 +++++++++---------- wolfssl/wolfcrypt/cryptocb.h | 32 ++++++--- wolfssl/wolfcrypt/error-crypt.h | 23 +++--- wolfssl/wolfcrypt/hwpuf.h | 25 +++++-- wolfssl/wolfcrypt/port/nxp/hwpuf_port.h | 3 - 10 files changed, 192 insertions(+), 163 deletions(-) diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c index 07cf32a8a2c..92e13a8030f 100644 --- a/wolfcrypt/src/cryptocb.c +++ b/wolfcrypt/src/cryptocb.c @@ -2627,7 +2627,7 @@ int wc_CryptoCb_HwpufDeinit(wc_HWPUF* hwpuf) return wc_CryptoCb_TranslateErrorCode(ret); } -int wc_CryptoCb_HwpufEnroll(wc_HWPUF* hwpuf) +int wc_CryptoCb_HwpufEnroll(wc_HWPUF* hwpuf, byte* actCode, word32 actCodeSz) { int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); CryptoCb* dev; @@ -2642,6 +2642,8 @@ int wc_CryptoCb_HwpufEnroll(wc_HWPUF* hwpuf) cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; cryptoInfo.hwpuf.hwpuf = hwpuf; cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_ENROLL; + cryptoInfo.hwpuf.op.enroll.actCode = actCode; + cryptoInfo.hwpuf.op.enroll.actCodeSz = actCodeSz; ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); } @@ -2649,7 +2651,7 @@ int wc_CryptoCb_HwpufEnroll(wc_HWPUF* hwpuf) return wc_CryptoCb_TranslateErrorCode(ret); } -int wc_CryptoCb_HwpufStart(wc_HWPUF* hwpuf) +int wc_CryptoCb_HwpufStart(wc_HWPUF* hwpuf, byte* actCode, word32 actCodeSz) { int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); CryptoCb* dev; @@ -2664,6 +2666,8 @@ int wc_CryptoCb_HwpufStart(wc_HWPUF* hwpuf) cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; cryptoInfo.hwpuf.hwpuf = hwpuf; cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_START; + cryptoInfo.hwpuf.op.start.actCode = actCode; + cryptoInfo.hwpuf.op.start.actCodeSz = actCodeSz; ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); } @@ -2672,7 +2676,7 @@ int wc_CryptoCb_HwpufStart(wc_HWPUF* hwpuf) } int wc_CryptoCb_HwpufGenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, - byte* keycode, word32 keycodeSz) + byte* keyCode, word32 keyCodeSz) { int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); CryptoCb* dev; @@ -2689,8 +2693,8 @@ int wc_CryptoCb_HwpufGenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_GENERATE_KEY; cryptoInfo.hwpuf.op.generateKey.keyIdx = keyIdx; cryptoInfo.hwpuf.op.generateKey.keySz = keySz; - cryptoInfo.hwpuf.op.generateKey.keycode = keycode; - cryptoInfo.hwpuf.op.generateKey.keycodeSz = keycodeSz; + cryptoInfo.hwpuf.op.generateKey.keyCode = keyCode; + cryptoInfo.hwpuf.op.generateKey.keyCodeSz = keyCodeSz; ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); } @@ -2700,7 +2704,7 @@ int wc_CryptoCb_HwpufGenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, int wc_CryptoCb_HwpufSetKey(wc_HWPUF* hwpuf, byte keyIdx, byte* key, word32 keySz, - byte* keycode, word32 keycodeSz) + byte* keyCode, word32 keyCodeSz) { int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); CryptoCb* dev; @@ -2718,8 +2722,8 @@ int wc_CryptoCb_HwpufSetKey(wc_HWPUF* hwpuf, byte keyIdx, cryptoInfo.hwpuf.op.setKey.keyIdx = keyIdx; cryptoInfo.hwpuf.op.setKey.key = key; cryptoInfo.hwpuf.op.setKey.keySz = keySz; - cryptoInfo.hwpuf.op.setKey.keycode = keycode; - cryptoInfo.hwpuf.op.setKey.keycodeSz = keycodeSz; + cryptoInfo.hwpuf.op.setKey.keyCode = keyCode; + cryptoInfo.hwpuf.op.setKey.keyCodeSz = keyCodeSz; ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); } @@ -2728,7 +2732,7 @@ int wc_CryptoCb_HwpufSetKey(wc_HWPUF* hwpuf, byte keyIdx, } int wc_CryptoCb_HwpufGetKey(wc_HWPUF* hwpuf, - byte* keycode, word32 keycodeSz, + byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz) { int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); @@ -2744,8 +2748,8 @@ int wc_CryptoCb_HwpufGetKey(wc_HWPUF* hwpuf, cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; cryptoInfo.hwpuf.hwpuf = hwpuf; cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_GET_KEY; - cryptoInfo.hwpuf.op.getKey.keycode = keycode; - cryptoInfo.hwpuf.op.getKey.keycodeSz = keycodeSz; + cryptoInfo.hwpuf.op.getKey.keyCode = keyCode; + cryptoInfo.hwpuf.op.getKey.keyCodeSz = keyCodeSz; cryptoInfo.hwpuf.op.getKey.key = key; cryptoInfo.hwpuf.op.getKey.keySz = keySz; diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 1687736e577..9f2beaf2e3b 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -713,6 +713,9 @@ const char* wc_GetErrorString(int error) case PUF_IDENTITY_E: return "PUF identity retrieval failed"; + case HWPUF_REGISTER_E: + return "HWPUF registration failed"; + case HWPUF_INIT_E: return "HWPUF initialization failed"; diff --git a/wolfcrypt/src/hwpuf.c b/wolfcrypt/src/hwpuf.c index 623d1668da2..4bda54c890f 100644 --- a/wolfcrypt/src/hwpuf.c +++ b/wolfcrypt/src/hwpuf.c @@ -33,6 +33,7 @@ #include #endif +/* The various supported device ports... One must be defined. */ #ifdef WOLFSSL_NXP_HWPUF #include #endif @@ -40,41 +41,40 @@ WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) { - int ret = 0; + int ret = CRYPTOCB_UNAVAILABLE; if (hwpuf == NULL) return BAD_FUNC_ARG; - if (devId == INVALID_DEVID) - return BAD_FUNC_ARG; + if (hwpuf->registered) + return HWPUF_REGISTER_E; ForceZero(hwpuf, sizeof(wc_HWPUF)); hwpuf->heap = heap; hwpuf->devId = devId; #ifdef WOLFSSL_NXP_HWPUF - if (devId == WOLFSSL_NXP_HWPUF_DEVID) { - ret = nxp_hwpuf_RegisterDevice(hwpuf); - } -#else - #error No hwpuf device defined + ret = nxp_hwpuf_RegisterDevice(hwpuf); #endif + if (ret == 0) + hwpuf->registered = 1; + else + ForceZero(hwpuf, sizeof(wc_HWPUF)); + return ret; } WOLFSSL_API int wc_HWPUF_Unregister(wc_HWPUF* hwpuf) { - int ret = 0; + int ret = CRYPTOCB_UNAVAILABLE; if (hwpuf == NULL) return BAD_FUNC_ARG; + if (!hwpuf->registered) + return 0; #ifdef WOLFSSL_NXP_HWPUF - if (hwpuf->devId == WOLFSSL_NXP_HWPUF_DEVID) { - ret = nxp_hwpuf_UnregisterDevice(hwpuf); - } -#else - #error No hwpuf device defined + ret = nxp_hwpuf_UnregisterDevice(hwpuf); #endif ForceZero(hwpuf, sizeof(wc_HWPUF)); @@ -88,8 +88,10 @@ WOLFSSL_API int wc_HWPUF_Init(wc_HWPUF* hwpuf) if (hwpuf == NULL) return BAD_FUNC_ARG; + if (!hwpuf->registered) + return HWPUF_REGISTER_E; if ((hwpuf->flags & WC_HWPUF_FLAG_INITED) != 0) - return HWPUF_INIT_E; + return 0; ret = wc_CryptoCb_HwpufInit(hwpuf); if (ret == 0) @@ -104,6 +106,8 @@ WOLFSSL_API int wc_HWPUF_Deinit(wc_HWPUF* hwpuf) if (hwpuf == NULL) return BAD_FUNC_ARG; + if (!hwpuf->registered) + return HWPUF_REGISTER_E; ret = wc_CryptoCb_HwpufDeinit(hwpuf); hwpuf->flags = 0; @@ -111,36 +115,46 @@ WOLFSSL_API int wc_HWPUF_Deinit(wc_HWPUF* hwpuf) return ret; } -WOLFSSL_API int wc_HWPUF_Enroll(wc_HWPUF* hwpuf) +WOLFSSL_API int wc_HWPUF_Enroll(wc_HWPUF* hwpuf, + byte* actCode, word32 actCodeSz) { int ret; if (hwpuf == NULL) return BAD_FUNC_ARG; + if (actCode == NULL || actCodeSz != HWPUF_ACTIVATION_CODE_SIZE) + return BAD_FUNC_ARG; + if ((hwpuf->flags & WC_HWPUF_FLAG_INITED) == 0) + return HWPUF_INIT_E; if ((hwpuf->flags & WC_HWPUF_FLAG_ENROLLED) != 0) return HWPUF_ENROLL_E; if ((hwpuf->flags & WC_HWPUF_FLAG_READY) != 0) return HWPUF_ENROLL_E; - ret = wc_CryptoCb_HwpufEnroll(hwpuf); + ret = wc_CryptoCb_HwpufEnroll(hwpuf, actCode, actCodeSz); if (ret == 0) hwpuf->flags |= WC_HWPUF_FLAG_ENROLLED; return ret; } -WOLFSSL_API int wc_HWPUF_Start(wc_HWPUF* hwpuf) +WOLFSSL_API int wc_HWPUF_Start(wc_HWPUF* hwpuf, + byte* actCode, word32 actCodeSz) { int ret; if (hwpuf == NULL) return BAD_FUNC_ARG; + if (actCode == NULL || actCodeSz != HWPUF_ACTIVATION_CODE_SIZE) + return BAD_FUNC_ARG; + if ((hwpuf->flags & WC_HWPUF_FLAG_INITED) == 0) + return HWPUF_INIT_E; if ((hwpuf->flags & WC_HWPUF_FLAG_ENROLLED) != 0) return HWPUF_START_E; if ((hwpuf->flags & WC_HWPUF_FLAG_READY) != 0) return HWPUF_START_E; - ret = wc_CryptoCb_HwpufStart(hwpuf); + ret = wc_CryptoCb_HwpufStart(hwpuf, actCode, actCodeSz); if (ret == 0) hwpuf->flags |= WC_HWPUF_FLAG_READY; @@ -149,38 +163,38 @@ WOLFSSL_API int wc_HWPUF_Start(wc_HWPUF* hwpuf) WOLFSSL_API int wc_HWPUF_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, - byte* keycode, word32 keycodeSz) + byte* keyCode, word32 keyCodeSz) { int ret; if (hwpuf == NULL) return BAD_FUNC_ARG; if ((hwpuf->flags & WC_HWPUF_FLAG_READY) == 0) - return HWPUF_GENERATE_KEY_E; + return HWPUF_START_E; ret = wc_CryptoCb_HwpufGenerateKey(hwpuf, keyIdx, keySz, - keycode, keycodeSz); + keyCode, keyCodeSz); return ret; } WOLFSSL_API int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, byte* key, word32 keySz, - byte* keycode, word32 keycodeSz) + byte* keyCode, word32 keyCodeSz) { int ret; if (hwpuf == NULL) return BAD_FUNC_ARG; if ((hwpuf->flags & WC_HWPUF_FLAG_READY) == 0) - return HWPUF_SET_KEY_E; + return HWPUF_START_E; ret = wc_CryptoCb_HwpufSetKey(hwpuf, keyIdx, key, keySz, - keycode, keycodeSz); + keyCode, keyCodeSz); return ret; } WOLFSSL_API int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, - byte* keycode, word32 keycodeSz, + byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz) { int ret; @@ -188,9 +202,9 @@ WOLFSSL_API int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, if (hwpuf == NULL) return BAD_FUNC_ARG; if ((hwpuf->flags & WC_HWPUF_FLAG_READY) == 0) - return HWPUF_GET_KEY_E; + return HWPUF_START_E; - ret = wc_CryptoCb_HwpufGetKey(hwpuf, keycode, keycodeSz, key, keySz); + ret = wc_CryptoCb_HwpufGetKey(hwpuf, keyCode, keyCodeSz, key, keySz); return ret; } diff --git a/wolfcrypt/src/port/nxp/hwpuf_port.c b/wolfcrypt/src/port/nxp/hwpuf_port.c index a252316d880..36aa1c75d17 100644 --- a/wolfcrypt/src/port/nxp/hwpuf_port.c +++ b/wolfcrypt/src/port/nxp/hwpuf_port.c @@ -44,8 +44,6 @@ #endif typedef struct nxp_hwpuf_ctx { - byte activationCode[PUF_ACTIVATION_CODE_SIZE]; - byte ac_set; word32 keyMask; /* unique per reset */ } nxp_hwpuf_ctx; @@ -66,12 +64,12 @@ static int getACFromPFR(byte *ac) return ret != kStatus_Success; } -static int keyCodeCheck(byte* keycode, word32* keytype, +static int keyCodeCheck(byte* keyCode, word32* keytype, word32* keyidx, word32* keysize) { - *keytype = keycode[0]; - *keyidx = keycode[1]; - *keysize = keycode[3] == 0 ? 512 : 8 * keycode[3] ; + *keytype = keyCode[0]; + *keyidx = keyCode[1]; + *keysize = keyCode[3] == 0 ? 512 : 8 * keyCode[3] ; if (*keytype >= 2) return 1; @@ -111,37 +109,32 @@ static int nxp_hwpuf_Deinit(wc_HWPUF* hwpuf) return 0; } -static int nxp_hwpuf_Enroll(wc_HWPUF* hwpuf) +static int nxp_hwpuf_Enroll(wc_HWPUF* hwpuf, byte* actCode, word32 actCodeSz) { int ret; - byte activationCode[PUF_ACTIVATION_CODE_SIZE]; WOLFSSL_ENTER("nxp_hwpuf_Enroll"); if (hwpuf == NULL) return BAD_FUNC_ARG; - ret = PUF_Enroll(PUF, activationCode, sizeof(activationCode)); + ret = PUF_Enroll(PUF, actCode, actCodeSz); if (ret == kStatus_EnrollNotAllowed) { /* power cycle and try again */ (void)PUF_PowerCycle(PUF, &conf); - ret = PUF_Enroll(PUF, activationCode, sizeof(activationCode)); + ret = PUF_Enroll(PUF, actCode, actCodeSz); } if (ret != kStatus_Success) { - PUF_Deinit(PUF, &conf); return HWPUF_ENROLL_E; } /* wipe ctx if enroll succeeded (re-enroll will render ctx moot) */ XMEMSET(&ctx, 0, sizeof(ctx)); - /* store activation code */ - XMEMCPY(ctx.activationCode, activationCode, PUF_ACTIVATION_CODE_SIZE); - ctx.ac_set = 1; return 0; } -static int nxp_hwpuf_Start(wc_HWPUF* hwpuf) +static int nxp_hwpuf_Start(wc_HWPUF* hwpuf, byte* actCode, word32 actCodeSz) { int ret; @@ -150,25 +143,13 @@ static int nxp_hwpuf_Start(wc_HWPUF* hwpuf) if (hwpuf == NULL) return BAD_FUNC_ARG; - if (ctx.ac_set == 0) { - byte activationCode[PUF_ACTIVATION_CODE_SIZE]; - /* try pulling from mfg flash area (what rom code uses) */ - if (getACFromPFR(activationCode) != 0) - return HWPUF_START_E; - - XMEMCPY(ctx.activationCode, activationCode, - PUF_ACTIVATION_CODE_SIZE); - ctx.ac_set = 1; - } - - ret = PUF_Start(PUF, ctx.activationCode, PUF_ACTIVATION_CODE_SIZE); + ret = PUF_Start(PUF, actCode, actCodeSz); if (ret == kStatus_StartNotAllowed) { /* power cycle and try again */ (void)PUF_PowerCycle(PUF, &conf); - ret = PUF_Start(PUF, ctx.activationCode, PUF_ACTIVATION_CODE_SIZE); + ret = PUF_Start(PUF, actCode, actCodeSz); } if (ret != kStatus_Success) { - PUF_Deinit(PUF, &conf); return HWPUF_START_E; } @@ -176,7 +157,7 @@ static int nxp_hwpuf_Start(wc_HWPUF* hwpuf) } static int nxp_hwpuf_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, - byte* keycode, word32 keycodeSz) + byte* keyCode, word32 keyCodeSz) { int ret; word32 kcSz; @@ -190,11 +171,11 @@ static int nxp_hwpuf_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, if ( !HWPUF_KEY_SIZE_IS_VALID(keySz) ) return BAD_FUNC_ARG; kcSz = PUF_GET_KEY_CODE_SIZE_FOR_KEY_SIZE(keySz); - if (keycode == NULL || kcSz != keycodeSz) + if (keyCode == NULL || kcSz != keyCodeSz) return BAD_FUNC_ARG; ret = PUF_SetIntrinsicKey(PUF, (puf_key_index_register_t)keyIdx, keySz, - keycode, keycodeSz); + keyCode, keyCodeSz); if (ret != kStatus_Success) return HWPUF_GENERATE_KEY_E; @@ -203,17 +184,17 @@ static int nxp_hwpuf_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, static int nxp_hwpuf_SetKey(wc_HWPUF* hwpuf, byte keyIdx, byte* key, word32 keySz, - byte* keycode, word32 keycodeSz) + byte* keyCode, word32 keyCodeSz) { WOLFSSL_ENTER("nxp_hwpuf_SetKey"); if (hwpuf == NULL) return BAD_FUNC_ARG; - return 0; + return CRYPTOCB_UNAVAILABLE; } -static int nxp_hwpuf_GetKey(wc_HWPUF* hwpuf, byte* keycode, word32 keycodeSz, +static int nxp_hwpuf_GetKey(wc_HWPUF* hwpuf, byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz) { int ret; @@ -224,15 +205,15 @@ static int nxp_hwpuf_GetKey(wc_HWPUF* hwpuf, byte* keycode, word32 keycodeSz, if (hwpuf == NULL) return BAD_FUNC_ARG; - if (keycode == NULL || keycodeSz < PUF_MIN_KEY_CODE_SIZE) + if (keyCode == NULL || keyCodeSz < PUF_MIN_KEY_CODE_SIZE) return BAD_FUNC_ARG; - ret = keyCodeCheck(keycode, &keytype, &keyidx, &keysize); + ret = keyCodeCheck(keyCode, &keytype, &keyidx, &keysize); if (ret != kStatus_Success) return BAD_FUNC_ARG; kcSz = PUF_GET_KEY_CODE_SIZE_FOR_KEY_SIZE(keysize); - if (kcSz != keycodeSz) + if (kcSz != keyCodeSz) return BAD_FUNC_ARG; if (keyidx != kPUF_KeyIndex_00 && (key == NULL || keysize != keySz)) return BAD_FUNC_ARG; @@ -240,7 +221,7 @@ static int nxp_hwpuf_GetKey(wc_HWPUF* hwpuf, byte* keycode, word32 keycodeSz, /* keyidx 0 means key is sent directly on hw bus, never exposed */ if (keyidx == kPUF_KeyIndex_00) { /* keyslot 0 means send to aes engine */ - ret = PUF_GetHwKey(PUF, keycode, keycodeSz, kPUF_KeySlot0, + ret = PUF_GetHwKey(PUF, keyCode, keyCodeSz, kPUF_KeySlot0, ctx.keyMask); if (ret != kStatus_Success) return HWPUF_GET_KEY_E; @@ -248,7 +229,7 @@ static int nxp_hwpuf_GetKey(wc_HWPUF* hwpuf, byte* keycode, word32 keycodeSz, XMEMSET(key, 0, keySz); /* no key to return, zero out */ } else { - ret = PUF_GetKey(PUF, keycode, keycodeSz, key, keySz); + ret = PUF_GetKey(PUF, keyCode, keyCodeSz, key, keySz); if (ret != kStatus_Success) return HWPUF_GET_KEY_E; } @@ -257,6 +238,8 @@ static int nxp_hwpuf_GetKey(wc_HWPUF* hwpuf, byte* keycode, word32 keycodeSz, static int nxp_hwpuf_Zeroize(wc_HWPUF* hwpuf) { + int ret; + WOLFSSL_ENTER("nxp_hwpuf_Zeroize"); if (hwpuf == NULL) @@ -264,8 +247,9 @@ static int nxp_hwpuf_Zeroize(wc_HWPUF* hwpuf) ForceZero(&ctx, sizeof(ctx)); - if (PUF_Zeroize(PUF) != kStatus_Success) { - PUF_Deinit(PUF, &conf); + ret = PUF_Zeroize(PUF); + PUF_Deinit(PUF, &conf); + if (ret != kStatus_Success) { return HWPUF_ZEROIZE_E; } return 0; @@ -295,30 +279,34 @@ static int nxp_hwpuf_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) ret = nxp_hwpuf_Deinit(info->hwpuf.hwpuf); } else if (info->hwpuf.type == WC_HWPUF_TYPE_ENROLL) { - ret = nxp_hwpuf_Enroll(info->hwpuf.hwpuf); + ret = nxp_hwpuf_Enroll(info->hwpuf.hwpuf, + info->hwpuf.op.enroll.actCode, + info->hwpuf.op.enroll.actCodeSz); } else if (info->hwpuf.type == WC_HWPUF_TYPE_START) { - ret = nxp_hwpuf_Start(info->hwpuf.hwpuf); + ret = nxp_hwpuf_Start(info->hwpuf.hwpuf, + info->hwpuf.op.start.actCode, + info->hwpuf.op.start.actCodeSz); } else if (info->hwpuf.type == WC_HWPUF_TYPE_GENERATE_KEY) { ret = nxp_hwpuf_GenerateKey(info->hwpuf.hwpuf, - info->hwpuf.op.generateKey.keyIdx, - info->hwpuf.op.generateKey.keySz, - info->hwpuf.op.generateKey.keycode, - info->hwpuf.op.generateKey.keycodeSz); + info->hwpuf.op.generateKey.keyIdx, + info->hwpuf.op.generateKey.keySz, + info->hwpuf.op.generateKey.keyCode, + info->hwpuf.op.generateKey.keyCodeSz); } else if (info->hwpuf.type == WC_HWPUF_TYPE_SET_KEY) { ret = nxp_hwpuf_SetKey(info->hwpuf.hwpuf, info->hwpuf.op.setKey.keyIdx, info->hwpuf.op.setKey.key, info->hwpuf.op.setKey.keySz, - info->hwpuf.op.setKey.keycode, - info->hwpuf.op.setKey.keycodeSz); + info->hwpuf.op.setKey.keyCode, + info->hwpuf.op.setKey.keyCodeSz); } else if (info->hwpuf.type == WC_HWPUF_TYPE_GET_KEY) { ret = nxp_hwpuf_GetKey(info->hwpuf.hwpuf, - info->hwpuf.op.getKey.keycode, - info->hwpuf.op.getKey.keycodeSz, + info->hwpuf.op.getKey.keyCode, + info->hwpuf.op.getKey.keyCodeSz, info->hwpuf.op.getKey.key, info->hwpuf.op.getKey.keySz); } @@ -337,6 +325,9 @@ WOLFSSL_API int nxp_hwpuf_RegisterDevice(wc_HWPUF* hwpuf) if (hwpuf == NULL) return BAD_FUNC_ARG; + if (hwpuf->devId == INVALID_DEVID) + hwpuf->devId = WOLFSSL_NXP_HWPUF_DEVID; + ret = wc_CryptoCb_RegisterDevice(hwpuf->devId, nxp_hwpuf_CryptoDevCb, NULL); if (ret != 0) { WOLFSSL_ERROR_MSG("NXP_HWPUF: nxp_hwpuf_CryptoDevCb, " diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 41b511f342e..63c1bb57f54 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -189,9 +189,6 @@ Threading/Mutex options: #ifdef WOLFSSL_NXP_HASHCRYPT #include #endif -#ifdef WOLFSSL_NXP_HWPUF - #include -#endif #ifdef WOLF_CRYPTO_CB #include diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index ae23db04cd1..70e82eed535 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -431,9 +431,6 @@ static const byte const_byte_array[] = "A+Gd\0\0\0"; #ifdef WOLFSSL_HWPUF #include #endif -#ifdef WOLFSSL_NXP_HWPUF - #include -#endif #ifdef HAVE_LIBZ #include #endif @@ -23345,19 +23342,20 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) { wc_test_ret_t ret = 0; wc_HWPUF hwpuf; - byte keycode16[HWPUF_KEY_SIZE_TO_KEYCODE_SIZE(16)]; + byte activationCode[HWPUF_ACTIVATION_CODE_SIZE]; + byte keyCode16[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(16)]; byte key16_1[16]; byte key16_2[16]; - byte keycode24[HWPUF_KEY_SIZE_TO_KEYCODE_SIZE(24)]; + byte keyCode24[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(24)]; byte key24_1[24]; byte key24_2[24]; - byte keycode32[HWPUF_KEY_SIZE_TO_KEYCODE_SIZE(32)]; + byte keyCode32[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(32)]; byte key32_1[32]; byte key32_2[32]; WOLFSSL_ENTER("hwpuf_test"); - ret = wc_HWPUF_Register(&hwpuf, NULL, WOLFSSL_NXP_HWPUF_DEVID); + ret = wc_HWPUF_Register(&hwpuf, NULL, INVALID_DEVID); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); @@ -23367,7 +23365,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) return WC_TEST_RET_ENC_EC(ret); /* ---- Test 2: Enroll ---- */ - ret = wc_HWPUF_Enroll(&hwpuf); + ret = wc_HWPUF_Enroll(&hwpuf, activationCode, sizeof(activationCode)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); @@ -23376,52 +23374,52 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) (void)wc_HWPUF_Init(&hwpuf); /* ---- Test 3: Start ---- */ - ret = wc_HWPUF_Start(&hwpuf); + ret = wc_HWPUF_Start(&hwpuf, activationCode, sizeof(activationCode)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); /* ---- Test 4: Generate keys of size 16, 24, 32 bytes ---- */ - /* generate a 16-byte key and get a keycode */ - ret = wc_HWPUF_GenerateKey(&hwpuf, 1, 16, keycode16, sizeof(keycode16)); + /* generate a 16-byte key and get a keyCode */ + ret = wc_HWPUF_GenerateKey(&hwpuf, 1, 16, keyCode16, sizeof(keyCode16)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); - /* get key from keycode */ - ret = wc_HWPUF_GetKey(&hwpuf, keycode16, sizeof(keycode16), key16_1, sizeof(key16_1)); + /* get key from keyCode */ + ret = wc_HWPUF_GetKey(&hwpuf, keyCode16, sizeof(keyCode16), key16_1, sizeof(key16_1)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); - /* generate a 24-byte key and get a keycode */ - ret = wc_HWPUF_GenerateKey(&hwpuf, 1, 24, keycode24, sizeof(keycode24)); + /* generate a 24-byte key and get a keyCode */ + ret = wc_HWPUF_GenerateKey(&hwpuf, 1, 24, keyCode24, sizeof(keyCode24)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); - /* get key from keycode */ - ret = wc_HWPUF_GetKey(&hwpuf, keycode24, sizeof(keycode24), key24_1, sizeof(key24_1)); + /* get key from keyCode */ + ret = wc_HWPUF_GetKey(&hwpuf, keyCode24, sizeof(keyCode24), key24_1, sizeof(key24_1)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); - /* generate a 32-byte key and get a keycode */ - ret = wc_HWPUF_GenerateKey(&hwpuf, 1, 32, keycode32, sizeof(keycode32)); + /* generate a 32-byte key and get a keyCode */ + ret = wc_HWPUF_GenerateKey(&hwpuf, 1, 32, keyCode32, sizeof(keyCode32)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); - /* get key from keycode */ - ret = wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), key32_1, sizeof(key32_1)); + /* get key from keyCode */ + ret = wc_HWPUF_GetKey(&hwpuf, keyCode32, sizeof(keyCode32), key32_1, sizeof(key32_1)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); /* ---- Test 5: restart and derive the same 3 keys ---- */ (void)wc_HWPUF_Deinit(&hwpuf); (void)wc_HWPUF_Init(&hwpuf); - ret = wc_HWPUF_Start(&hwpuf); + ret = wc_HWPUF_Start(&hwpuf, activationCode, sizeof(activationCode)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); /* 16-byte */ - ret = wc_HWPUF_GetKey(&hwpuf, keycode16, sizeof(keycode16), key16_2, sizeof(key16_2)); + ret = wc_HWPUF_GetKey(&hwpuf, keyCode16, sizeof(keyCode16), key16_2, sizeof(key16_2)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); /* 24-byte */ - ret = wc_HWPUF_GetKey(&hwpuf, keycode24, sizeof(keycode24), key24_2, sizeof(key24_2)); + ret = wc_HWPUF_GetKey(&hwpuf, keyCode24, sizeof(keyCode24), key24_2, sizeof(key24_2)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); /* 32-byte */ - ret = wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), key32_2, sizeof(key32_2)); + ret = wc_HWPUF_GetKey(&hwpuf, keyCode32, sizeof(keyCode32), key32_2, sizeof(key32_2)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); @@ -23434,11 +23432,11 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) return WC_TEST_RET_ENC_NC; /* ---- Test 7: generate a key and send directly to hw bus ---- */ - ret = wc_HWPUF_GenerateKey(&hwpuf, 0, 32, keycode32, sizeof(keycode32)); + ret = wc_HWPUF_GenerateKey(&hwpuf, 0, 32, keyCode32, sizeof(keyCode32)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); - /* get key from keycode */ - ret = wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), key32_2, sizeof(key32_2)); + /* get key from keyCode */ + ret = wc_HWPUF_GetKey(&hwpuf, keyCode32, sizeof(keyCode32), key32_2, sizeof(key32_2)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); { /* key1 should be zeroed */ @@ -23455,40 +23453,43 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) return WC_TEST_RET_ENC_NC; if (wc_HWPUF_Deinit(NULL) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; - if (wc_HWPUF_Enroll(NULL) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) + if (wc_HWPUF_Enroll(NULL, NULL, 0) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; if (wc_HWPUF_Zeroize(NULL) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; /* out of bounds key index */ - if (wc_HWPUF_GenerateKey(&hwpuf, 16, 32, keycode32, sizeof(keycode32)) + if (wc_HWPUF_GenerateKey(&hwpuf, 16, 32, keyCode32, sizeof(keyCode32)) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; /* invalid key code storage size */ - if (wc_HWPUF_GenerateKey(&hwpuf, 1, 32, keycode32, 99) + if (wc_HWPUF_GenerateKey(&hwpuf, 1, 32, keyCode32, 99) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; /* null key code storage */ - if (wc_HWPUF_GenerateKey(&hwpuf, 1, 32, NULL, sizeof(keycode32)) + if (wc_HWPUF_GenerateKey(&hwpuf, 1, 32, NULL, sizeof(keyCode32)) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; /* invalid key storage size */ - ret = wc_HWPUF_GenerateKey(&hwpuf, 7, 32, keycode32, sizeof(keycode32)); + ret = wc_HWPUF_GenerateKey(&hwpuf, 7, 32, keyCode32, sizeof(keyCode32)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); - if (wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), key32_1, sizeof(key16_1)) + if (wc_HWPUF_GetKey(&hwpuf, keyCode32, sizeof(keyCode32), key32_1, sizeof(key16_1)) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; /* null key storage */ - if (wc_HWPUF_GetKey(&hwpuf, keycode32, sizeof(keycode32), NULL, sizeof(key32_1)) + if (wc_HWPUF_GetKey(&hwpuf, keyCode32, sizeof(keyCode32), NULL, sizeof(key32_1)) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; /* ---- Test 9: Zeroize ---- */ + ret = wc_HWPUF_GetKey(&hwpuf, keyCode24, sizeof(keyCode24), key24_1, sizeof(key24_1)); + if (ret != 0) + return WC_TEST_RET_ENC_EC(ret); ret = wc_HWPUF_Zeroize(&hwpuf); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); - if (wc_HWPUF_GetKey(&hwpuf, keycode24, sizeof(keycode32), key24_1, sizeof(key24_1)) - != WC_NO_ERR_TRACE(HWPUF_GET_KEY_E)) + if (wc_HWPUF_GetKey(&hwpuf, keyCode24, sizeof(keyCode24), key24_2, sizeof(key24_2)) + != WC_NO_ERR_TRACE(HWPUF_START_E)) return WC_TEST_RET_ENC_NC; /* ---- clean up ---- */ diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index 90854283ff2..6f727432c4a 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -584,22 +584,30 @@ typedef struct wc_CryptoInfo { int type; /* enum wc_HwpufType - discriminator */ const void* ctx; /* read-only caller context */ union { + struct { + byte* actCode; + word32 actCodeSz; + } enroll; + struct { + byte* actCode; + word32 actCodeSz; + } start; struct { byte keyIdx; word32 keySz; - byte* keycode; - word32 keycodeSz; + byte* keyCode; + word32 keyCodeSz; } generateKey; struct { byte keyIdx; byte* key; word32 keySz; - byte* keycode; - word32 keycodeSz; + byte* keyCode; + word32 keyCodeSz; } setKey; struct { - byte* keycode; - word32 keycodeSz; + byte* keyCode; + word32 keyCodeSz; byte* key; word32 keySz; } getKey; @@ -979,15 +987,17 @@ WOLFSSL_LOCAL int wc_CryptoCb_SheExportKey(wc_SHE* she, #ifdef WOLFSSL_HWPUF WOLFSSL_LOCAL int wc_CryptoCb_HwpufInit(wc_HWPUF* hwpuf); WOLFSSL_LOCAL int wc_CryptoCb_HwpufDeinit(wc_HWPUF* hwpuf); -WOLFSSL_LOCAL int wc_CryptoCb_HwpufEnroll(wc_HWPUF* hwpuf); -WOLFSSL_LOCAL int wc_CryptoCb_HwpufStart(wc_HWPUF* hwpuf); +WOLFSSL_LOCAL int wc_CryptoCb_HwpufEnroll(wc_HWPUF* hwpuf, + byte* actCode, word32 actCodeSz); +WOLFSSL_LOCAL int wc_CryptoCb_HwpufStart(wc_HWPUF* hwpuf, + byte* actCode, word32 actCodeSz); WOLFSSL_LOCAL int wc_CryptoCb_HwpufGenerateKey(wc_HWPUF* hwpuf, byte keyIdx, - word32 keySz, byte* keycode, word32 keycodeSz); + word32 keySz, byte* keyCode, word32 keyCodeSz); WOLFSSL_LOCAL int wc_CryptoCb_HwpufSetKey(wc_HWPUF* hwpuf, byte keyIdx, byte* key, word32 keySz, - byte* keycode, word32 keycodeSz); + byte* keyCode, word32 keyCodeSz); WOLFSSL_LOCAL int wc_CryptoCb_HwpufGetKey(wc_HWPUF* hwpuf, - byte* keycode, word32 keycodeSz, + byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz); WOLFSSL_LOCAL int wc_CryptoCb_HwpufZeroize(wc_HWPUF* hwpuf); #endif /* WOLFSSL_HWPUF */ diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 6eefce0544e..0fc8de99d2b 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -328,17 +328,18 @@ enum wolfCrypt_ErrorCodes { DRBG_SHA512_KAT_FIPS_E = -1017, /* SHA-512 DRBG KAT failure */ SLH_DSA_KAT_FIPS_E = -1018, /* SLH-DSA CAST KAT failure */ - HWPUF_INIT_E = -1019, /* HWPUF initialization failed */ - HWPUF_DEINIT_E = -1020, /* HWPUF deinitialization failed */ - HWPUF_ENROLL_E = -1021, /* HWPUF enrollment failed */ - HWPUF_START_E = -1022, /* HWPUF start failed */ - HWPUF_GENERATE_KEY_E= -1023, /* HWPUF generate key failed */ - HWPUF_SET_KEY_E = -1024, /* HWPUF set key failed */ - HWPUF_GET_KEY_E = -1025, /* HWPUF get key failed */ - HWPUF_ZEROIZE_E = -1026, /* HWPUF zeroize failed */ - - WC_SPAN2_LAST_E = -1026, /* Update to indicate last used error code */ - WC_LAST_E = -1026, /* the last code used either here or in + HWPUF_REGISTER_E = -1019, /* HWPUF registration failed */ + HWPUF_INIT_E = -1020, /* HWPUF initialization failed */ + HWPUF_DEINIT_E = -1021, /* HWPUF deinitialization failed */ + HWPUF_ENROLL_E = -1022, /* HWPUF enrollment failed */ + HWPUF_START_E = -1023, /* HWPUF start failed */ + HWPUF_GENERATE_KEY_E= -1024, /* HWPUF generate key failed */ + HWPUF_SET_KEY_E = -1025, /* HWPUF set key failed */ + HWPUF_GET_KEY_E = -1026, /* HWPUF get key failed */ + HWPUF_ZEROIZE_E = -1027, /* HWPUF zeroize failed */ + + WC_SPAN2_LAST_E = -1027, /* Update to indicate last used error code */ + WC_LAST_E = -1027, /* the last code used either here or in * error-ssl.h */ WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */ diff --git a/wolfssl/wolfcrypt/hwpuf.h b/wolfssl/wolfcrypt/hwpuf.h index 2e30345d957..8a4b4e4572a 100644 --- a/wolfssl/wolfcrypt/hwpuf.h +++ b/wolfssl/wolfcrypt/hwpuf.h @@ -24,15 +24,23 @@ #define WOLF_CRYPT_HWPUF_H #include +#include #ifdef WOLFSSL_HWPUF -#include - #ifdef __cplusplus extern "C" { #endif +#ifdef WOLFSSL_NXP_HWPUF + #define HWPUF_ACTIVATION_CODE_SIZE 1192 + /* keyCode size is 52 for key sizes of 16, 24, or 32 */ + #define HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(keysz) 52 +#else + #error HWPUF: No valid port defined +#endif + + /* flags stored in wc_HWPUF.flags */ enum wc_HwpufFlags { WC_HWPUF_FLAG_NONE = 0, /* Deinit() clears all flags */ @@ -57,6 +65,7 @@ enum wc_HwpufType { }; typedef struct wc_HWPUF { + int registered; word32 flags; int devId; void* heap; @@ -67,16 +76,18 @@ WOLFSSL_API int wc_HWPUF_Unregister(wc_HWPUF* hwpuf); WOLFSSL_API int wc_HWPUF_Init(wc_HWPUF* hwpuf); WOLFSSL_API int wc_HWPUF_Deinit(wc_HWPUF* hwpuf); -WOLFSSL_API int wc_HWPUF_Enroll(wc_HWPUF* hwpuf); -WOLFSSL_API int wc_HWPUF_Start(wc_HWPUF* hwpuf); +WOLFSSL_API int wc_HWPUF_Enroll(wc_HWPUF* hwpuf, + byte* actCode, word32 actCodeSz); +WOLFSSL_API int wc_HWPUF_Start(wc_HWPUF* hwpuf, + byte* actCode, word32 actCodeSz); WOLFSSL_API int wc_HWPUF_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, - byte* keycode, word32 keycodeSz); + byte* keyCode, word32 keyCodeSz); WOLFSSL_API int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, byte* key, word32 keySz, - byte* keycode, word32 keycodeSz); + byte* keyCode, word32 keyCodeSz); WOLFSSL_API int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, - byte* keycode, word32 keycodeSz, + byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz); WOLFSSL_API int wc_HWPUF_Zeroize(wc_HWPUF* hwpuf); diff --git a/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h b/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h index 3c287b907ef..1b6d44a35c0 100644 --- a/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h +++ b/wolfssl/wolfcrypt/port/nxp/hwpuf_port.h @@ -32,9 +32,6 @@ #define HWPUF_KEY_SIZE_IS_VALID(keysz) \ (keysz == 16 || keysz == 24 || keysz == 32) -/* keycode size is 52 for key sizes of 16, 24, or 32 */ -#define HWPUF_KEY_SIZE_TO_KEYCODE_SIZE(keysz) 52 - WOLFSSL_API int nxp_hwpuf_RegisterDevice(wc_HWPUF* hwpuf); WOLFSSL_API int nxp_hwpuf_UnregisterDevice(wc_HWPUF* hwpuf); From 22b84bafe1bfd4bbb082fd76eaec5f5c41ac6e94 Mon Sep 17 00:00:00 2001 From: Thomas Cook Date: Fri, 12 Jun 2026 13:33:38 -0400 Subject: [PATCH 4/8] update doxygen for hwpuf --- doc/dox_comments/header_files/hwpuf.h | 224 +++++++++++++++----------- wolfcrypt/src/hwpuf.c | 2 +- 2 files changed, 128 insertions(+), 98 deletions(-) diff --git a/doc/dox_comments/header_files/hwpuf.h b/doc/dox_comments/header_files/hwpuf.h index d38a9dbe216..f225c2b7050 100644 --- a/doc/dox_comments/header_files/hwpuf.h +++ b/doc/dox_comments/header_files/hwpuf.h @@ -1,25 +1,30 @@ /*! \ingroup HWPUF - For a complete bare-metal example (tested on NUCLEO-H563ZI), see - https://github.com/wolfSSL/wolfssl-examples/tree/master/puf + For a complete bare-metal example (tested on LPC55S69), see + https://github.com/wolfSSL/wolfBoot/tree/master/config/examples/lpc55s69-hwpuf.config */ /*! \ingroup HWPUF - \brief Initialize a wc_HWPUF structure, zeroing all fields. + \brief Initialize the wc_HWPUF context and register the CryptoCb device. Must be called before any other HWPUF operations. \return 0 on success \return BAD_FUNC_ARG if hwpuf is NULL + \return HWPUF_REGISTER_E if already registered + \return CRYPTOCB_UNAVAILABLE if nothing to register - \param hwpuf pointer to wc_HWPUF structure to initialize + \param hwpuf pointer to wc_HWPUF context to initialize + \param heap heap hint, can be NULL + \param devId device ID for crypto callbacks. Specify INVALID_DEVID to use + the default compiled into the driver. _Example_ \code wc_HWPUF s_hwpuf; - ret = wc_HWPUF_Init(&s_hwpuf); + ret = wc_HWPUF_Register(&s_hwpuf, NULL, INVALID_DEVID); \endcode \sa wc_HWPUF_Init @@ -31,18 +36,18 @@ int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId); /*! \ingroup HWPUF - \brief Initialize a wc_HWPUF structure, zeroing all fields. - Must be called before any other HWPUF operations. - - \return 0 on success + \brief Unregister the CryptoCb device and zero the wc_HWPUF context. + + \return 0 on success, or if not registered \return BAD_FUNC_ARG if hwpuf is NULL + \return CRYPTOCB_UNAVAILABLE if nothing to unregister - \param hwpuf pointer to wc_HWPUF structure to initialize + \param hwpuf pointer to wc_HWPUF context _Example_ \code wc_HWPUF s_hwpuf; - ret = wc_HWPUF_Init(&s_hwpuf); + ret = wc_HWPUF_Unregister(&s_hwpuf); \endcode \sa wc_HWPUF_Register @@ -55,13 +60,16 @@ int wc_HWPUF_Unregister(wc_HWPUF* hwpuf); /*! \ingroup HWPUF - \brief Initialize a wc_HWPUF structure, zeroing all fields. - Must be called before any other HWPUF operations. + \brief Initialize the hardware device into a functional state. + May include turning on the clock and taking the peripheral out of reset. - \return 0 on success + \return 0 on success, or if already initialized \return BAD_FUNC_ARG if hwpuf is NULL + \return HWPUF_REGISTER_E if not registered + \return HWPUF_INIT_E if hardware initialization failed, leaving device in + a deinitialized state - \param hwpuf pointer to wc_HWPUF structure to initialize + \param hwpuf pointer to wc_HWPUF context _Example_ \code @@ -69,23 +77,23 @@ int wc_HWPUF_Unregister(wc_HWPUF* hwpuf); ret = wc_HWPUF_Init(&s_hwpuf); \endcode - \sa wc_HWPUF_Deinit - \sa wc_HWPUF_Enroll \sa wc_HWPUF_Start - \sa wc_HWPUF_Zeroize + \sa wc_HWPUF_Deinit + \sa wc_HWPUF_Unregister */ int wc_HWPUF_Init(wc_HWPUF* hwpuf); /*! \ingroup HWPUF - \brief Initialize a wc_HWPUF structure, zeroing all fields. - Must be called before any other HWPUF operations. + \brief Deinitialize the hardware device into a non-functional state. + May include turning off the clock and putting the peripheral into reset. \return 0 on success \return BAD_FUNC_ARG if hwpuf is NULL + \return HWPUF_REGISTER_E if not registered - \param hwpuf pointer to wc_HWPUF structure to initialize + \param hwpuf pointer to wc_HWPUF context _Example_ \code @@ -93,172 +101,194 @@ int wc_HWPUF_Init(wc_HWPUF* hwpuf); ret = wc_HWPUF_Deinit(&s_hwpuf); \endcode + \sa wc_HWPUF_Unregister \sa wc_HWPUF_Init - \sa wc_HWPUF_Zeroize */ int wc_HWPUF_Deinit(wc_HWPUF* hwpuf); /*! \ingroup HWPUF - \brief Perform HWPUF enrollment. Encodes raw SRAM using BCH(127,64,t=10) - and generates public helper data. After enrollment the context is ready - for key derivation and identity retrieval. + \brief Perform HWPUF enrollment. Enrollment is usually a one-time + operation, which generates an activation code (or helper data). + The activation code should be stored in NVM and used whenever the device + is started for key operations, i.e., wc_HWPUF_Start(). + After a successful enrollment, device must go through a + wc_HWPUF_Deinit() / wc_HWPUF_Init() cycle before wc_HWPUF_Start(). \return 0 on success - \return BAD_FUNC_ARG if hwpuf is NULL - \return HWPUF_ENROLL_E if enrollment fails + \return BAD_FUNC_ARG if hwpuf or actCode is NULL, or if invalid actCodeSz + \return HWPUF_INIT_E if not yet initialized + \return HWPUF_ENROLL_E if already enrolled, or if enrollment failed - \param hwpuf pointer to wc_HWPUF (must have SRAM data loaded) + \param hwpuf pointer to wc_HWPUF context + \param actCode output buffer for activation code + \param actCodeSz size of activation code (HWPUF_ACTIVATION_CODE_SIZE) _Example_ \code - wc_HWPUF_Enroll(&s_hwpuf); - XMEMCPY(helperData, hwpuf.helperData, WC_HWPUF_HELPER_BYTES); + wc_HWPUF s_hwpuf; + byte activationCode[HWPUF_ACTIVATION_CODE_SIZE]; + ret = wc_HWPUF_Enroll(&s_hwpuf, activationCode, sizeof(activationCode)); + < write activationCode to nvm > \endcode \sa wc_HWPUF_Start - \sa wc_HWPUF_GetKey + \sa wc_HWPUF_Init + \sa wc_HWPUF_Deinit */ -int wc_HWPUF_Enroll(wc_HWPUF* hwpuf); +int wc_HWPUF_Enroll(wc_HWPUF* hwpuf, byte* actCode, word32 actCodeSz); /*! \ingroup HWPUF - \brief Reconstruct stable HWPUF bits from noisy SRAM using stored helper - data. BCH error correction (t=10) corrects up to 10 bit flips per - 127-bit codeword. + \brief Start the device with an activation code (helper data). + Starting puts the device into a ready state for key operations. \return 0 on success - \return BAD_FUNC_ARG if hwpuf or helperData is NULL - \return HWPUF_RECONSTRUCT_E on failure (too many bit errors or helperSz - too small) + \return BAD_FUNC_ARG if hwpuf or actCode is NULL, or if invalid actCodeSz + \return HWPUF_INIT_E if not yet initialized + \return HWPUF_START_E if already started, or if start failed - \param hwpuf pointer to wc_HWPUF + \param hwpuf pointer to wc_HWPUF context + \param actCode pointer to the activation code + \param actCodeSz size of activation code in bytes _Example_ \code - wc_HWPUF_Start(&s_hwpuf); + wc_HWPUF s_hwpuf; + byte activationCode[HWPUF_ACTIVATION_CODE_SIZE]; + XMEMCPY(activationCode, nvm.activationCode, HWPUF_ACTIVATION_CODE_SIZE); + ret = wc_HWPUF_Start(&s_hwpuf, activationCode, sizeof(activationCode)); \endcode + \sa wc_HWPUF_Init + \sa wc_HWPUF_Deinit \sa wc_HWPUF_Enroll - \sa wc_HWPUF_GetKey */ -int wc_HWPUF_Start(wc_HWPUF* hwpuf); +int wc_HWPUF_Start(wc_HWPUF* hwpuf, byte* actCode, word32 actCodeSz); /*! \ingroup HWPUF - \brief Derive a cryptographic key from HWPUF stable bits using HKDF. - Uses SHA-256 by default, or SHA3-256 when WC_HWPUF_SHA3 is defined. - The info parameter provides domain separation for multiple keys. - Requires HAVE_HKDF. + \brief Generate a key and return a key code. + The key code should be stored in NVM and used whenever the key is + requested from the device, i.e., wc_HWPUF_GetKey(). \return 0 on success - \return BAD_FUNC_ARG if hwpuf or key is NULL, or keySz is 0 - \return HWPUF_DERIVE_KEY_E if HWPUF not ready or HKDF fails + \return BAD_FUNC_ARG if hwpuf NULL, or a problem with other params + \return HWPUF_START_E if device is not started (ready) + \return HWPUF_GENERATE_KEY_E if the device failed to generate the key - \param hwpuf pointer to wc_HWPUF (must be enrolled or reconstructed) - \param info optional context info for domain separation (may be NULL; - when NULL, infoSz is treated as 0) - \param infoSz size of info in bytes - \param key output buffer for derived key - \param keySz desired key size in bytes + \param hwpuf pointer to wc_HWPUF context + \param keyIdx index to associate with the generated key/keyCode pair + \param keySz size of the generated key in bytes + \param keyCode output buffer for key code + \param keyCodeSz size of the key code in bytes _Example_ \code - byte key[32]; - const byte info[] = "my-app-key"; - wc_HWPUF_GetKey(&s_hwpuf, info, sizeof(info), key, sizeof(key)); + wc_HWPUF s_hwpuf; + byte keyCode1[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(32)]; + XMEMCPY(keyCode1, nvm.keyCode1, sizeof(keyCode1)); + ret = wc_HWPUF_GenerateKey(&s_hwpuf, 1, 32, keyCode1, sizeof(keyCode1)); + < write keyCode1 to nvm > \endcode \sa wc_HWPUF_Start + \sa wc_HWPUF_SetKey + \sa wc_HWPUF_GetKey */ int wc_HWPUF_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, - byte* keycode, word32 keycodeSz); + byte* keyCode, word32 keyCodeSz); /*! \ingroup HWPUF - \brief Derive a cryptographic key from HWPUF stable bits using HKDF. - Uses SHA-256 by default, or SHA3-256 when WC_HWPUF_SHA3 is defined. - The info parameter provides domain separation for multiple keys. - Requires HAVE_HKDF. + \brief Set a key into the device and return a key code. + The key code should be stored in NVM and used whenever the key is + requested from the device, i.e., wc_HWPUF_GetKey(). + This is typically done in a secure factory, for pre-shared keys. \return 0 on success - \return BAD_FUNC_ARG if hwpuf or key is NULL, or keySz is 0 - \return HWPUF_DERIVE_KEY_E if HWPUF not ready or HKDF fails + \return BAD_FUNC_ARG if hwpuf NULL, or a problem with other params + \return HWPUF_START_E if device is not started (ready) + \return HWPUF_SET_KEY_E if the device failed to set the key - \param hwpuf pointer to wc_HWPUF (must be enrolled or reconstructed) - \param info optional context info for domain separation (may be NULL; - when NULL, infoSz is treated as 0) - \param infoSz size of info in bytes - \param key output buffer for derived key - \param keySz desired key size in bytes + \param hwpuf pointer to wc_HWPUF context + \param keyIdx index to associate with the generated key/keyCode pair + \param key input buffer with key to set + \param keySz size of the key to set in bytes + \param keyCode output buffer for key code + \param keyCodeSz size of the key code in bytes _Example_ \code - byte key[32]; - const byte info[] = "my-app-key"; - wc_HWPUF_GetKey(&s_hwpuf, info, sizeof(info), key, sizeof(key)); + byte key2[16]; + byte keyCode2[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(16)]; + XMEMCPY(key2, nvm.key2, sizeof(key2)); + ret = wc_HWPUF_SetKey(&s_hwpuf, 2, 16, key2, sizeof(key2), + keyCode2, sizeof(keyCode2)); + < write keyCode2 to nvm > \endcode - \sa wc_HWPUF_Enroll - \sa wc_HWPUF_Start + \sa wc_HWPUF_GetKey + \sa wc_HWPUF_GenerateKey */ int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, byte* key, word32 keySz, - byte* keycode, word32 keycodeSz); + byte* keyCode, word32 keyCodeSz); /*! \ingroup HWPUF - \brief Derive a cryptographic key from HWPUF stable bits using HKDF. - Uses SHA-256 by default, or SHA3-256 when WC_HWPUF_SHA3 is defined. - The info parameter provides domain separation for multiple keys. - Requires HAVE_HKDF. + \brief Get a key from a key code \return 0 on success - \return BAD_FUNC_ARG if hwpuf or key is NULL, or keySz is 0 - \return HWPUF_DERIVE_KEY_E if HWPUF not ready or HKDF fails + \return BAD_FUNC_ARG if hwpuf NULL, or a problem with other params + \return HWPUF_START_E if device is not started (ready) + \return HWPUF_GET_KEY_E if the device failed to get the key - \param hwpuf pointer to wc_HWPUF (must be enrolled or reconstructed) - \param info optional context info for domain separation (may be NULL; - when NULL, infoSz is treated as 0) - \param infoSz size of info in bytes - \param key output buffer for derived key - \param keySz desired key size in bytes + \param hwpuf pointer to wc_HWPUF context + \param keyCode input buffer with key code + \param keyCodeSz size of the key code in bytes + \param key output buffer for key + \param keySz size of the key in bytes _Example_ \code - byte key[32]; - const byte info[] = "my-app-key"; - wc_HWPUF_GetKey(&s_hwpuf, info, sizeof(info), key, sizeof(key)); + byte key2[16]; + byte keyCode2[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(16)]; + XMEMCPY(keyCode2, nvm.keyCode2, sizeof(keyCode2)); + ret = wc_HWPUF_GetKey(&s_hwpuf, keyCode2, sizeof(keyCode2), + key2, sizeof(key2)); \endcode - \sa wc_HWPUF_Enroll + \sa wc_HWPUF_GenerateKey + \sa wc_HWPUF_SetKey \sa wc_HWPUF_Start */ -int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, byte* keycode, word32 keycodeSz, +int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz); /*! \ingroup HWPUF - \brief Securely zeroize all sensitive data in the HWPUF context using - ForceZero. Call when HWPUF is no longer needed. + \brief Securely zeroize all sensitive data in both the device and context. + Call when the device is no longer needed. Leaves the device in the + deinitialized state. \return 0 on success \return BAD_FUNC_ARG if hwpuf is NULL + \return HWPUF_ZEROIZE_E if the device failed the zeroize operation - \param hwpuf pointer to wc_HWPUF to zeroize + \param hwpuf pointer to wc_HWPUF context _Example_ \code wc_HWPUF_Zeroize(&s_hwpuf); \endcode - \sa wc_HWPUF_Init \sa wc_HWPUF_Deinit */ int wc_HWPUF_Zeroize(wc_HWPUF* hwpuf); diff --git a/wolfcrypt/src/hwpuf.c b/wolfcrypt/src/hwpuf.c index 4bda54c890f..c5ea94865a3 100644 --- a/wolfcrypt/src/hwpuf.c +++ b/wolfcrypt/src/hwpuf.c @@ -60,7 +60,7 @@ WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) hwpuf->registered = 1; else ForceZero(hwpuf, sizeof(wc_HWPUF)); - + return ret; } From f4987d00da851e0a59ab95f21e36a80b4a1b886c Mon Sep 17 00:00:00 2001 From: Thomas Cook Date: Mon, 15 Jun 2026 11:22:53 -0400 Subject: [PATCH 5/8] address pr comments after code update --- wolfcrypt/src/hwpuf.c | 23 +++++++++-------- wolfcrypt/src/port/nxp/hwpuf_port.c | 40 ++++++++++++++++++----------- wolfcrypt/test/test.c | 15 +++++++++-- wolfssl/wolfcrypt/cryptocb.h | 2 +- wolfssl/wolfcrypt/error-crypt.h | 19 +++++++------- wolfssl/wolfcrypt/hwpuf.h | 1 - wolfssl/wolfcrypt/settings.h | 5 +++- 7 files changed, 65 insertions(+), 40 deletions(-) diff --git a/wolfcrypt/src/hwpuf.c b/wolfcrypt/src/hwpuf.c index c5ea94865a3..47dabb0639a 100644 --- a/wolfcrypt/src/hwpuf.c +++ b/wolfcrypt/src/hwpuf.c @@ -38,6 +38,7 @@ #include #endif +static int hwpuf_registered = 0; WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) { @@ -45,7 +46,7 @@ WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) if (hwpuf == NULL) return BAD_FUNC_ARG; - if (hwpuf->registered) + if (hwpuf_registered) return HWPUF_REGISTER_E; ForceZero(hwpuf, sizeof(wc_HWPUF)); @@ -55,12 +56,14 @@ WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) #ifdef WOLFSSL_NXP_HWPUF ret = nxp_hwpuf_RegisterDevice(hwpuf); #endif - - if (ret == 0) - hwpuf->registered = 1; - else + if (ret != 0) { + if (ret != CRYPTOCB_UNAVAILABLE) { + ret = HWPUF_REGISTER_E; + } ForceZero(hwpuf, sizeof(wc_HWPUF)); - + return ret; + } + hwpuf_registered = 1; return ret; } @@ -70,7 +73,7 @@ WOLFSSL_API int wc_HWPUF_Unregister(wc_HWPUF* hwpuf) if (hwpuf == NULL) return BAD_FUNC_ARG; - if (!hwpuf->registered) + if (!hwpuf_registered) return 0; #ifdef WOLFSSL_NXP_HWPUF @@ -78,7 +81,7 @@ WOLFSSL_API int wc_HWPUF_Unregister(wc_HWPUF* hwpuf) #endif ForceZero(hwpuf, sizeof(wc_HWPUF)); - + hwpuf_registered = 0; return ret; } @@ -88,7 +91,7 @@ WOLFSSL_API int wc_HWPUF_Init(wc_HWPUF* hwpuf) if (hwpuf == NULL) return BAD_FUNC_ARG; - if (!hwpuf->registered) + if (!hwpuf_registered) return HWPUF_REGISTER_E; if ((hwpuf->flags & WC_HWPUF_FLAG_INITED) != 0) return 0; @@ -106,7 +109,7 @@ WOLFSSL_API int wc_HWPUF_Deinit(wc_HWPUF* hwpuf) if (hwpuf == NULL) return BAD_FUNC_ARG; - if (!hwpuf->registered) + if (!hwpuf_registered) return HWPUF_REGISTER_E; ret = wc_CryptoCb_HwpufDeinit(hwpuf); diff --git a/wolfcrypt/src/port/nxp/hwpuf_port.c b/wolfcrypt/src/port/nxp/hwpuf_port.c index 36aa1c75d17..c905a76c170 100644 --- a/wolfcrypt/src/port/nxp/hwpuf_port.c +++ b/wolfcrypt/src/port/nxp/hwpuf_port.c @@ -43,6 +43,12 @@ #include #endif +typedef enum nxp_hwpuf_keytype { + nxp_hwpuf_keytype_user = 0, + nxp_hwpuf_keytype_intrinsic = 1, + nxp_hwpuf_keytype_max = nxp_hwpuf_keytype_intrinsic +} nxp_hwpuf_keytype; + typedef struct nxp_hwpuf_ctx { word32 keyMask; /* unique per reset */ } nxp_hwpuf_ctx; @@ -51,18 +57,8 @@ static nxp_hwpuf_ctx ctx; static puf_config_t conf; -static int getACFromPFR(byte *ac) -{ - int ret; - flash_config_t flashInstance; - - memset(&flashInstance, 0, sizeof(flash_config_t)); - FLASH_Init(&flashInstance); - FFR_Init(&flashInstance); - - ret = FFR_KeystoreGetAC(&flashInstance, ac); - return ret != kStatus_Success; -} +#define NXP_HWPUF_USER_KEY 0 +#define NXP_HWPUF_INTRINSIC_KEY 0 static int keyCodeCheck(byte* keyCode, word32* keytype, word32* keyidx, word32* keysize) @@ -71,9 +67,9 @@ static int keyCodeCheck(byte* keyCode, word32* keytype, *keyidx = keyCode[1]; *keysize = keyCode[3] == 0 ? 512 : 8 * keyCode[3] ; - if (*keytype >= 2) + if (*keytype > nxp_hwpuf_keytype_max) return 1; - if (*keyidx >= 16) + if (*keyidx > kPUF_KeyIndexMax) return 2; if ( !HWPUF_KEY_SIZE_IS_VALID(*keysize) ) return 3; @@ -81,6 +77,8 @@ static int keyCodeCheck(byte* keyCode, word32* keytype, return 0; } +static int nxp_rng_initialized = 0; + static int nxp_hwpuf_Init(wc_HWPUF* hwpuf) { WOLFSSL_ENTER("nxp_hwpuf_Init"); @@ -93,6 +91,10 @@ static int nxp_hwpuf_Init(wc_HWPUF* hwpuf) PUF_Deinit(PUF, &conf); return HWPUF_INIT_E; } + if (!nxp_rng_initialized) { + RNG_Init(RNG); + nxp_rng_initialized = 1; + } ctx.keyMask = RNG->RANDOM_NUMBER; return 0; } @@ -191,6 +193,12 @@ static int nxp_hwpuf_SetKey(wc_HWPUF* hwpuf, byte keyIdx, if (hwpuf == NULL) return BAD_FUNC_ARG; + (void)keyIdx; + (void)key; + (void)keySz; + (void)keyCode; + (void)keyCodeSz; + return CRYPTOCB_UNAVAILABLE; } @@ -255,12 +263,14 @@ static int nxp_hwpuf_Zeroize(wc_HWPUF* hwpuf) return 0; } -static int nxp_hwpuf_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) +static int nxp_hwpuf_CryptoDevCb(int devId, wc_CryptoInfo* info, void* devCtx) { int ret = CRYPTOCB_UNAVAILABLE; WOLFSSL_ENTER("nxp_hwpuf_CryptoDevCb"); + (void)devCtx; + if (info == NULL) return BAD_FUNC_ARG; if (devId == INVALID_DEVID) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 70e82eed535..f5be1d9cf8a 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -23431,7 +23431,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) if (XMEMCMP(key32_1, key32_2, 32) != 0) return WC_TEST_RET_ENC_NC; - /* ---- Test 7: generate a key and send directly to hw bus ---- */ + /* ---- Test 6: generate a key and send directly to hw bus ---- */ ret = wc_HWPUF_GenerateKey(&hwpuf, 0, 32, keyCode32, sizeof(keyCode32)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); @@ -23440,13 +23440,19 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) if (ret != 0) return WC_TEST_RET_ENC_EC(ret); { /* key1 should be zeroed */ - int idx; + word32 idx; for (idx = 0; idx < sizeof(key32_2); ++idx) { if (key32_2[idx]) return WC_TEST_RET_ENC_NC; } } + /* ---- Test 7: set key fails for now ---- */ + if (wc_HWPUF_SetKey(&hwpuf, 7, key32_2, sizeof(key32_2), + keyCode32, sizeof(keyCode32)) + != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) + return WC_TEST_RET_ENC_NC; + /* ---- Test 8: Bad argument checks ---- */ /* null hwpuf */ if (wc_HWPUF_Init(NULL) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) @@ -23492,6 +23498,11 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) != WC_NO_ERR_TRACE(HWPUF_START_E)) return WC_TEST_RET_ENC_NC; + /* ---- Test 10: double register fails ---- */ + if (wc_HWPUF_Register(&hwpuf, NULL, INVALID_DEVID) + != WC_NO_ERR_TRACE(HWPUF_REGISTER_E)) + return WC_TEST_RET_ENC_NC; + /* ---- clean up ---- */ (void)wc_HWPUF_Deinit(&hwpuf); ret = wc_HWPUF_Unregister(&hwpuf); diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index 6f727432c4a..f892be5d617 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -580,7 +580,7 @@ typedef struct wc_CryptoInfo { #endif #ifdef WOLFSSL_HWPUF struct { - void* hwpuf; /* wc_HWPUF* context */ + wc_HWPUF* hwpuf; /* wc_HWPUF* context */ int type; /* enum wc_HwpufType - discriminator */ const void* ctx; /* read-only caller context */ union { diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 0fc8de99d2b..9f9e464b958 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -330,16 +330,15 @@ enum wolfCrypt_ErrorCodes { HWPUF_REGISTER_E = -1019, /* HWPUF registration failed */ HWPUF_INIT_E = -1020, /* HWPUF initialization failed */ - HWPUF_DEINIT_E = -1021, /* HWPUF deinitialization failed */ - HWPUF_ENROLL_E = -1022, /* HWPUF enrollment failed */ - HWPUF_START_E = -1023, /* HWPUF start failed */ - HWPUF_GENERATE_KEY_E= -1024, /* HWPUF generate key failed */ - HWPUF_SET_KEY_E = -1025, /* HWPUF set key failed */ - HWPUF_GET_KEY_E = -1026, /* HWPUF get key failed */ - HWPUF_ZEROIZE_E = -1027, /* HWPUF zeroize failed */ - - WC_SPAN2_LAST_E = -1027, /* Update to indicate last used error code */ - WC_LAST_E = -1027, /* the last code used either here or in + HWPUF_ENROLL_E = -1021, /* HWPUF enrollment failed */ + HWPUF_START_E = -1022, /* HWPUF start failed */ + HWPUF_GENERATE_KEY_E= -1023, /* HWPUF generate key failed */ + HWPUF_SET_KEY_E = -1024, /* HWPUF set key failed */ + HWPUF_GET_KEY_E = -1025, /* HWPUF get key failed */ + HWPUF_ZEROIZE_E = -1026, /* HWPUF zeroize failed */ + + WC_SPAN2_LAST_E = -1026, /* Update to indicate last used error code */ + WC_LAST_E = -1026, /* the last code used either here or in * error-ssl.h */ WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */ diff --git a/wolfssl/wolfcrypt/hwpuf.h b/wolfssl/wolfcrypt/hwpuf.h index 8a4b4e4572a..ead17ba4e6b 100644 --- a/wolfssl/wolfcrypt/hwpuf.h +++ b/wolfssl/wolfcrypt/hwpuf.h @@ -65,7 +65,6 @@ enum wc_HwpufType { }; typedef struct wc_HWPUF { - int registered; word32 flags; int devId; void* heap; diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 8913c3498cc..e5af479d233 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2204,9 +2204,12 @@ #define WOLFSSL_NXP_CASPER_RSA_PUB_EXPTMOD #define NO_WOLFSSL_SHA256_INTERLEAVE #endif -#if defined(WOLFSSL_NXP_HWPUF) && !defined(WOLF_CRYPTO_CB) + +#if defined(WOLFSSL_HWPUF) && defined(WOLFSSL_NXP_HWPUF) +#ifndef WOLF_CRYPTO_CB #define WOLF_CRYPTO_CB #endif +#endif #ifdef FREESCALE_LTC_TFM_RSA_4096_ENABLE #undef USE_CERT_BUFFERS_4096 From f81e7f9aa209825e9a3afec2cdc507e90f1b7d96 Mon Sep 17 00:00:00 2001 From: Thomas Cook Date: Mon, 15 Jun 2026 11:40:42 -0400 Subject: [PATCH 6/8] address pr comments after code update --- wolfcrypt/src/error.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 9f2beaf2e3b..efd0813a1fd 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -719,9 +719,6 @@ const char* wc_GetErrorString(int error) case HWPUF_INIT_E: return "HWPUF initialization failed"; - case HWPUF_DEINIT_E: - return "HWPUF deinitialization failed"; - case HWPUF_ENROLL_E: return "HWPUF enrollment failed"; From 1758daf78f17eec6c76ec57bdc649a847612b579 Mon Sep 17 00:00:00 2001 From: Thomas Cook Date: Thu, 25 Jun 2026 14:51:22 -0400 Subject: [PATCH 7/8] Remove SetKey from hwpuf api --- doc/dox_comments/header_files/hwpuf.h | 39 --------------------------- wolfcrypt/src/cryptocb.c | 31 --------------------- wolfcrypt/src/error.c | 3 --- wolfcrypt/src/hwpuf.c | 16 ----------- wolfcrypt/src/port/nxp/hwpuf_port.c | 26 ------------------ wolfcrypt/test/test.c | 12 +++------ wolfssl/wolfcrypt/cryptocb.h | 10 ------- wolfssl/wolfcrypt/error-crypt.h | 9 +++---- wolfssl/wolfcrypt/hwpuf.h | 8 ++---- 9 files changed, 9 insertions(+), 145 deletions(-) diff --git a/doc/dox_comments/header_files/hwpuf.h b/doc/dox_comments/header_files/hwpuf.h index f225c2b7050..6e4b0485bc9 100644 --- a/doc/dox_comments/header_files/hwpuf.h +++ b/doc/dox_comments/header_files/hwpuf.h @@ -196,49 +196,11 @@ int wc_HWPUF_Start(wc_HWPUF* hwpuf, byte* actCode, word32 actCodeSz); \endcode \sa wc_HWPUF_Start - \sa wc_HWPUF_SetKey \sa wc_HWPUF_GetKey */ int wc_HWPUF_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, byte* keyCode, word32 keyCodeSz); -/*! - \ingroup HWPUF - - \brief Set a key into the device and return a key code. - The key code should be stored in NVM and used whenever the key is - requested from the device, i.e., wc_HWPUF_GetKey(). - This is typically done in a secure factory, for pre-shared keys. - - \return 0 on success - \return BAD_FUNC_ARG if hwpuf NULL, or a problem with other params - \return HWPUF_START_E if device is not started (ready) - \return HWPUF_SET_KEY_E if the device failed to set the key - - \param hwpuf pointer to wc_HWPUF context - \param keyIdx index to associate with the generated key/keyCode pair - \param key input buffer with key to set - \param keySz size of the key to set in bytes - \param keyCode output buffer for key code - \param keyCodeSz size of the key code in bytes - - _Example_ - \code - byte key2[16]; - byte keyCode2[HWPUF_KEY_SIZE_TO_KEY_CODE_SIZE(16)]; - XMEMCPY(key2, nvm.key2, sizeof(key2)); - ret = wc_HWPUF_SetKey(&s_hwpuf, 2, 16, key2, sizeof(key2), - keyCode2, sizeof(keyCode2)); - < write keyCode2 to nvm > - \endcode - - \sa wc_HWPUF_GetKey - \sa wc_HWPUF_GenerateKey -*/ -int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, - byte* key, word32 keySz, - byte* keyCode, word32 keyCodeSz); - /*! \ingroup HWPUF @@ -265,7 +227,6 @@ int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, \endcode \sa wc_HWPUF_GenerateKey - \sa wc_HWPUF_SetKey \sa wc_HWPUF_Start */ int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, byte* keyCode, word32 keyCodeSz, diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c index 92e13a8030f..140ace23ebe 100644 --- a/wolfcrypt/src/cryptocb.c +++ b/wolfcrypt/src/cryptocb.c @@ -261,8 +261,6 @@ static const char* GetHwpufTypeStr(int type) return "START"; case WC_HWPUF_TYPE_GENERATE_KEY: return "GENERATE_KEY"; - case WC_HWPUF_TYPE_SET_KEY: - return "SET_KEY"; case WC_HWPUF_TYPE_GET_KEY: return "GET_KEY"; case WC_HWPUF_TYPE_ZEROIZE: @@ -2702,35 +2700,6 @@ int wc_CryptoCb_HwpufGenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, return wc_CryptoCb_TranslateErrorCode(ret); } -int wc_CryptoCb_HwpufSetKey(wc_HWPUF* hwpuf, byte keyIdx, - byte* key, word32 keySz, - byte* keyCode, word32 keyCodeSz) -{ - int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); - CryptoCb* dev; - - if (hwpuf == NULL) - return BAD_FUNC_ARG; - - dev = wc_CryptoCb_FindDevice(hwpuf->devId, WC_ALGO_TYPE_HWPUF); - if (dev && dev->cb) { - wc_CryptoInfo cryptoInfo; - XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); - cryptoInfo.algo_type = WC_ALGO_TYPE_HWPUF; - cryptoInfo.hwpuf.hwpuf = hwpuf; - cryptoInfo.hwpuf.type = WC_HWPUF_TYPE_SET_KEY; - cryptoInfo.hwpuf.op.setKey.keyIdx = keyIdx; - cryptoInfo.hwpuf.op.setKey.key = key; - cryptoInfo.hwpuf.op.setKey.keySz = keySz; - cryptoInfo.hwpuf.op.setKey.keyCode = keyCode; - cryptoInfo.hwpuf.op.setKey.keyCodeSz = keyCodeSz; - - ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); - } - - return wc_CryptoCb_TranslateErrorCode(ret); -} - int wc_CryptoCb_HwpufGetKey(wc_HWPUF* hwpuf, byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz) diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index efd0813a1fd..3e60789854e 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -728,9 +728,6 @@ const char* wc_GetErrorString(int error) case HWPUF_GENERATE_KEY_E: return "HWPUF generate key failed"; - case HWPUF_SET_KEY_E: - return "HWPUF set key failed"; - case HWPUF_GET_KEY_E: return "HWPUF get key failed"; diff --git a/wolfcrypt/src/hwpuf.c b/wolfcrypt/src/hwpuf.c index 47dabb0639a..3f1d367cacb 100644 --- a/wolfcrypt/src/hwpuf.c +++ b/wolfcrypt/src/hwpuf.c @@ -180,22 +180,6 @@ WOLFSSL_API int wc_HWPUF_GenerateKey(wc_HWPUF* hwpuf, return ret; } -WOLFSSL_API int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, - byte* key, word32 keySz, - byte* keyCode, word32 keyCodeSz) -{ - int ret; - - if (hwpuf == NULL) - return BAD_FUNC_ARG; - if ((hwpuf->flags & WC_HWPUF_FLAG_READY) == 0) - return HWPUF_START_E; - - ret = wc_CryptoCb_HwpufSetKey(hwpuf, keyIdx, key, keySz, - keyCode, keyCodeSz); - return ret; -} - WOLFSSL_API int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz) diff --git a/wolfcrypt/src/port/nxp/hwpuf_port.c b/wolfcrypt/src/port/nxp/hwpuf_port.c index c905a76c170..6cf2f318989 100644 --- a/wolfcrypt/src/port/nxp/hwpuf_port.c +++ b/wolfcrypt/src/port/nxp/hwpuf_port.c @@ -184,24 +184,6 @@ static int nxp_hwpuf_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, return 0; } -static int nxp_hwpuf_SetKey(wc_HWPUF* hwpuf, byte keyIdx, - byte* key, word32 keySz, - byte* keyCode, word32 keyCodeSz) -{ - WOLFSSL_ENTER("nxp_hwpuf_SetKey"); - - if (hwpuf == NULL) - return BAD_FUNC_ARG; - - (void)keyIdx; - (void)key; - (void)keySz; - (void)keyCode; - (void)keyCodeSz; - - return CRYPTOCB_UNAVAILABLE; -} - static int nxp_hwpuf_GetKey(wc_HWPUF* hwpuf, byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz) { @@ -305,14 +287,6 @@ static int nxp_hwpuf_CryptoDevCb(int devId, wc_CryptoInfo* info, void* devCtx) info->hwpuf.op.generateKey.keyCode, info->hwpuf.op.generateKey.keyCodeSz); } - else if (info->hwpuf.type == WC_HWPUF_TYPE_SET_KEY) { - ret = nxp_hwpuf_SetKey(info->hwpuf.hwpuf, - info->hwpuf.op.setKey.keyIdx, - info->hwpuf.op.setKey.key, - info->hwpuf.op.setKey.keySz, - info->hwpuf.op.setKey.keyCode, - info->hwpuf.op.setKey.keyCodeSz); - } else if (info->hwpuf.type == WC_HWPUF_TYPE_GET_KEY) { ret = nxp_hwpuf_GetKey(info->hwpuf.hwpuf, info->hwpuf.op.getKey.keyCode, diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index f5be1d9cf8a..38510a6f414 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -23447,13 +23447,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) } } - /* ---- Test 7: set key fails for now ---- */ - if (wc_HWPUF_SetKey(&hwpuf, 7, key32_2, sizeof(key32_2), - keyCode32, sizeof(keyCode32)) - != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) - return WC_TEST_RET_ENC_NC; - - /* ---- Test 8: Bad argument checks ---- */ + /* ---- Test 7: Bad argument checks ---- */ /* null hwpuf */ if (wc_HWPUF_Init(NULL) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; @@ -23487,7 +23481,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_NC; - /* ---- Test 9: Zeroize ---- */ + /* ---- Test 8: Zeroize ---- */ ret = wc_HWPUF_GetKey(&hwpuf, keyCode24, sizeof(keyCode24), key24_1, sizeof(key24_1)); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); @@ -23498,7 +23492,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hwpuf_test(void) != WC_NO_ERR_TRACE(HWPUF_START_E)) return WC_TEST_RET_ENC_NC; - /* ---- Test 10: double register fails ---- */ + /* ---- Test 9: double register fails ---- */ if (wc_HWPUF_Register(&hwpuf, NULL, INVALID_DEVID) != WC_NO_ERR_TRACE(HWPUF_REGISTER_E)) return WC_TEST_RET_ENC_NC; diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index f892be5d617..3cf2a51108c 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -598,13 +598,6 @@ typedef struct wc_CryptoInfo { byte* keyCode; word32 keyCodeSz; } generateKey; - struct { - byte keyIdx; - byte* key; - word32 keySz; - byte* keyCode; - word32 keyCodeSz; - } setKey; struct { byte* keyCode; word32 keyCodeSz; @@ -993,9 +986,6 @@ WOLFSSL_LOCAL int wc_CryptoCb_HwpufStart(wc_HWPUF* hwpuf, byte* actCode, word32 actCodeSz); WOLFSSL_LOCAL int wc_CryptoCb_HwpufGenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, byte* keyCode, word32 keyCodeSz); -WOLFSSL_LOCAL int wc_CryptoCb_HwpufSetKey(wc_HWPUF* hwpuf, byte keyIdx, - byte* key, word32 keySz, - byte* keyCode, word32 keyCodeSz); WOLFSSL_LOCAL int wc_CryptoCb_HwpufGetKey(wc_HWPUF* hwpuf, byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz); diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 9f9e464b958..95242f23dc1 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -333,12 +333,11 @@ enum wolfCrypt_ErrorCodes { HWPUF_ENROLL_E = -1021, /* HWPUF enrollment failed */ HWPUF_START_E = -1022, /* HWPUF start failed */ HWPUF_GENERATE_KEY_E= -1023, /* HWPUF generate key failed */ - HWPUF_SET_KEY_E = -1024, /* HWPUF set key failed */ - HWPUF_GET_KEY_E = -1025, /* HWPUF get key failed */ - HWPUF_ZEROIZE_E = -1026, /* HWPUF zeroize failed */ + HWPUF_GET_KEY_E = -1024, /* HWPUF get key failed */ + HWPUF_ZEROIZE_E = -1025, /* HWPUF zeroize failed */ - WC_SPAN2_LAST_E = -1026, /* Update to indicate last used error code */ - WC_LAST_E = -1026, /* the last code used either here or in + WC_SPAN2_LAST_E = -1025, /* Update to indicate last used error code */ + WC_LAST_E = -1025, /* the last code used either here or in * error-ssl.h */ WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */ diff --git a/wolfssl/wolfcrypt/hwpuf.h b/wolfssl/wolfcrypt/hwpuf.h index ead17ba4e6b..eb579dfb124 100644 --- a/wolfssl/wolfcrypt/hwpuf.h +++ b/wolfssl/wolfcrypt/hwpuf.h @@ -58,9 +58,8 @@ enum wc_HwpufType { WC_HWPUF_TYPE_ENROLL = 3, WC_HWPUF_TYPE_START = 4, WC_HWPUF_TYPE_GENERATE_KEY = 5, - WC_HWPUF_TYPE_SET_KEY = 6, - WC_HWPUF_TYPE_GET_KEY = 7, - WC_HWPUF_TYPE_ZEROIZE = 8, + WC_HWPUF_TYPE_GET_KEY = 6, + WC_HWPUF_TYPE_ZEROIZE = 7, WOLF_ENUM_DUMMY_LAST_ELEMENT(WC_HWPUF_TYPE) }; @@ -82,9 +81,6 @@ WOLFSSL_API int wc_HWPUF_Start(wc_HWPUF* hwpuf, WOLFSSL_API int wc_HWPUF_GenerateKey(wc_HWPUF* hwpuf, byte keyIdx, word32 keySz, byte* keyCode, word32 keyCodeSz); -WOLFSSL_API int wc_HWPUF_SetKey(wc_HWPUF* hwpuf, byte keyIdx, - byte* key, word32 keySz, - byte* keyCode, word32 keyCodeSz); WOLFSSL_API int wc_HWPUF_GetKey(wc_HWPUF* hwpuf, byte* keyCode, word32 keyCodeSz, byte* key, word32 keySz); From 364b7dfab418b83ff60f86fef3eceb8a3a7268a8 Mon Sep 17 00:00:00 2001 From: Thomas Cook Date: Thu, 25 Jun 2026 20:50:58 -0400 Subject: [PATCH 8/8] Fix multi-test issues --- doc/dox_comments/header_files/hwpuf.h | 6 +++--- wolfcrypt/src/hwpuf.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/dox_comments/header_files/hwpuf.h b/doc/dox_comments/header_files/hwpuf.h index 6e4b0485bc9..479dede9f4d 100644 --- a/doc/dox_comments/header_files/hwpuf.h +++ b/doc/dox_comments/header_files/hwpuf.h @@ -37,7 +37,7 @@ int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId); \ingroup HWPUF \brief Unregister the CryptoCb device and zero the wc_HWPUF context. - + \return 0 on success, or if not registered \return BAD_FUNC_ARG if hwpuf is NULL \return CRYPTOCB_UNAVAILABLE if nothing to unregister @@ -117,7 +117,7 @@ int wc_HWPUF_Deinit(wc_HWPUF* hwpuf); wc_HWPUF_Deinit() / wc_HWPUF_Init() cycle before wc_HWPUF_Start(). \return 0 on success - \return BAD_FUNC_ARG if hwpuf or actCode is NULL, or if invalid actCodeSz + \return BAD_FUNC_ARG if hwpuf or actCode is NULL, or if invalid actCodeSz \return HWPUF_INIT_E if not yet initialized \return HWPUF_ENROLL_E if already enrolled, or if enrollment failed @@ -146,7 +146,7 @@ int wc_HWPUF_Enroll(wc_HWPUF* hwpuf, byte* actCode, word32 actCodeSz); Starting puts the device into a ready state for key operations. \return 0 on success - \return BAD_FUNC_ARG if hwpuf or actCode is NULL, or if invalid actCodeSz + \return BAD_FUNC_ARG if hwpuf or actCode is NULL, or if invalid actCodeSz \return HWPUF_INIT_E if not yet initialized \return HWPUF_START_E if already started, or if start failed diff --git a/wolfcrypt/src/hwpuf.c b/wolfcrypt/src/hwpuf.c index 3f1d367cacb..a767da2b529 100644 --- a/wolfcrypt/src/hwpuf.c +++ b/wolfcrypt/src/hwpuf.c @@ -42,7 +42,7 @@ static int hwpuf_registered = 0; WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) { - int ret = CRYPTOCB_UNAVAILABLE; + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); if (hwpuf == NULL) return BAD_FUNC_ARG; @@ -57,7 +57,7 @@ WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) ret = nxp_hwpuf_RegisterDevice(hwpuf); #endif if (ret != 0) { - if (ret != CRYPTOCB_UNAVAILABLE) { + if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { ret = HWPUF_REGISTER_E; } ForceZero(hwpuf, sizeof(wc_HWPUF)); @@ -69,7 +69,7 @@ WOLFSSL_API int wc_HWPUF_Register(wc_HWPUF* hwpuf, void* heap, int devId) WOLFSSL_API int wc_HWPUF_Unregister(wc_HWPUF* hwpuf) { - int ret = CRYPTOCB_UNAVAILABLE; + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); if (hwpuf == NULL) return BAD_FUNC_ARG;