XMSS wolfBoot support: add renode-nrf52 test case.

philljj · Nov 6, 2023 · c31a213 · c31a213
1 parent 8dcf0de
commit c31a213
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 1 deletion.
diff --git a/.github/workflows/test-renode-nrf52.yml b/.github/workflows/test-renode-nrf52.yml
@@ -58,6 +58,10 @@ jobs:
       - name: Renode Tests LMS-8-5-5
         run: ./tools/renode/docker-test.sh "SIGN=LMS LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2644 IMAGE_HEADER_SIZE=5288"
 
+# XMSS TEST
+      - name: Renode Tests XMSS-SHA2_10_256
+        run: ./tools/renode/docker-test.sh "SIGN=XMSS XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE=5000"
+
       - name: Upload Output Dir
         uses: actions/upload-artifact@v2
         with:

diff --git a/tools/config.mk b/tools/config.mk
@@ -34,7 +34,7 @@ ifeq ($(ARCH),)
   LMS_LEVELS?=0
   LMS_HEIGHT?=0
   LMS_WINTERNITZ?=0
-  XMSS_PARAMS?=XMSS-SHA2_10_256
+  XMSS_PARAMS?='XMSS-SHA2_10_256'
   NO_MPU?=0
   ENCRYPT?=0
   ENCRYPT_WITH_CHACHA?=0

diff --git a/tools/scripts/renode-test-update.sh b/tools/scripts/renode-test-update.sh
@@ -37,6 +37,24 @@ if (echo $TEST_OPTIONS | grep "LMS" &>/dev/null); then
         cd ../../.. || exit 2
 fi
 
+if (echo $TEST_OPTIONS | grep "XMSS" &>/dev/null); then
+    # Need git.
+    apt install -y git
+
+    # wolfSSL needs to be on latest master for XMSS support. Also, we need to
+    # add the wolfssl module as a safe directory so docker can use it.
+    git config --global --add safe.directory /workspace/lib/wolfssl || exit 2
+    cd lib/wolfssl && git checkout master && git pull && cd ../.. || exit 2
+
+
+    # Need to clone the hash-sigs repo, and patch it for wolfBoot build.
+    cd lib || exit 2
+    git clone https://github.com/XMSS/xmss-reference.git xmss || exit 2
+    cd xmss && git checkout 171ccbd26f098542a67eb5d2b128281c80bd71a6 && \
+        git apply ../../tools/xmss/0001-Patch-to-support-wolfSSL-xmss-reference-integration.patch &&\
+        cd ../../ || exit 2
+fi
+
 make distclean
 make -C tools/keytools
 make -C tools/test-expect-version

diff --git a/tools/test-renode.mk b/tools/test-renode.mk
@@ -20,6 +20,9 @@ RENODE_BINASSEMBLE=tools/bin-assemble/bin-assemble
 LMS_OPTS=LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 WOLFBOOT_SMALL_STACK=0 \
          IMAGE_SIGNATURE_SIZE=2644 IMAGE_HEADER_SIZE=5288
 
+XMSS_OPTS=XMSS_PARAMS='XMSS-SHA2_10_256' WOLFBOOT_SMALL_STACK=0 \
+         IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE=5000
+
 # python version only supported using
 # KEYGEN_TOOL="python3 $(WOLFBOOT_ROOT)/tools/keytools/keygen.py"
 ifeq ("$(KEYGEN_TOOL)","")
@@ -97,6 +100,10 @@ ifeq ($(SIGN),LMS)
   SIGN_ARGS+= --lms
 endif
 
+ifeq ($(SIGN),XMSS)
+  SIGN_ARGS+= --xmss
+endif
+
 ifeq ($(HASH),SHA256)
   SIGN_ARGS+= --sha256
 endif
@@ -260,6 +267,9 @@ renode-factory-rsa4096: FORCE
 renode-factory-lms: FORCE
 	make renode-factory SIGN=LMS $(LMS_OPTS)
 
+renode-factory-xmss: FORCE
+	make renode-factory SIGN=XMSS $(XMSS_OPTS)
+
 renode-factory-all: FORCE
 	${Q}make keysclean
 	${Q}make renode-factory-ed25519
@@ -303,6 +313,9 @@ renode-update-rsa4096: FORCE
 renode-update-lms: FORCE
 	make renode-update SIGN=LMS $(LMS_OPTS)
 
+renode-update-xmss: FORCE
+	make renode-update SIGN=XMSS $(XMSS_OPTS)
+
 renode-no-downgrade-ed25519: FORCE
 	make renode-no-downgrade SIGN=ED448
 
@@ -324,6 +337,9 @@ renode-no-downgrade-rsa4096: FORCE
 renode-no-downgrade-lms: FORCE
 	make renode-no-downgrade SIGN=LMS $(LMS_OPTS)
 
+renode-no-downgrade-xmss: FORCE
+	make renode-no-downgrade SIGN=XMSS $(XMSS_OPTS)
+
 renode-corrupted-ed25519: FORCE
 	make renode-corrupted SIGN=ED448
 
@@ -345,6 +361,9 @@ renode-corrupted-rsa4096: FORCE
 renode-corrupted-lms: FORCE
 	make renode-corrupted SIGN=LMS $(LMS_OPTS)
 
+renode-corrupted-xmss: FORCE
+	make renode-corrupted SIGN=XMSS $(XMSS_OPTS)
+
 renode-boot-time-all: FORCE
 	tools/scripts/renode-test-all.sh 2>/dev/null |grep "BOOT TIME"
 
@@ -368,6 +387,7 @@ renode-update-all: FORCE
 	${Q}make keysclean
 	${Q}make renode-update-lms RENODE_PORT=55164
 	${Q}make keysclean
+	${Q}make renode-update-xmss RENODE_PORT=55165
 	${Q}echo All tests in $@ OK!
 
 renode-no-downgrade-all: FORCE
@@ -389,6 +409,8 @@ renode-no-downgrade-all: FORCE
 	${Q}make renode-no-downgrade SIGN=NONE RENODE_PORT=55163
 	${Q}make keysclean
 	${Q}make renode-no-downgrade-lms RENODE_PORT=55164
+	${Q}make keysclean
+	${Q}make renode-no-downgrade-xmss RENODE_PORT=55165
 	${Q}echo All tests in $@ OK!
 
 renode-corrupted-all: FORCE
@@ -410,6 +432,8 @@ renode-corrupted-all: FORCE
 	${Q}make renode-corrupted SIGN=NONE RENODE_PORT=55163
 	${Q}make keysclean
 	${Q}make renode-corrupted-lms RENODE_PORT=55164
+	${Q}make keysclean
+	${Q}make renode-corrupted-xmss RENODE_PORT=55165
 	${Q}echo All tests in $@ OK!
 
 renode-update-all-armored: FORCE