wolfSSL · danielinux · Apr 29, 2025 · Mar 26, 2025 · Apr 9, 2025 · Apr 9, 2025
diff --git a/.github/workflows/footprint.yml b/.github/workflows/footprint.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-24.04
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: true
 

diff --git a/.github/workflows/test-build-kontron-vx3060-s2.yml b/.github/workflows/test-build-kontron-vx3060-s2.yml
@@ -7,7 +7,7 @@ jobs:
   fsp_qemu_test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: true
       - name: install req

diff --git a/.github/workflows/test-configs.yml b/.github/workflows/test-configs.yml
@@ -106,6 +106,13 @@ jobs:
       config-file: ./config/examples/kinetis-k82f.config
 
   library_test:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: host
+      config-file: ./config/examples/library.config
+      make-args: test-lib
+
+  libwolfboot_test:
     uses: ./.github/workflows/test-build.yml
     with:
       arch: host

diff --git a/.github/workflows/test-cppcheck.yml b/.github/workflows/test-cppcheck.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: false
 

diff --git a/.github/workflows/test-library.yml b/.github/workflows/test-library.yml
@@ -0,0 +1,57 @@
+name: wolfBoot as Library test
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  test-lib:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        math: [SPMATH=1 WOLFBOOT_SMALL_STACK=0,
+               SPMATH=1 WOLFBOOT_SMALL_STACK=1,
+               SPMATHALL=1 WOLFBOOT_SMALL_STACK=0,
+               SPMATHALL=1 WOLFBOOT_SMALL_STACK=1,
+               SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=0,
+               SPMATH=0 SPMATHALL=0 WOLFBOOT_SMALL_STACK=1]
+        asym: [ed25519, ecc256, ecc384, ecc521, rsa2048, rsa3072, rsa4096, ed448]
+        hash: [sha256, sha384, sha3]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: make clean
+        run: |
+          make keysclean && make -C tools/keytools clean && rm -f include/target.h
+
+      - name: Build test-lib
+        env:
+          ASYM: ${{ matrix.asym }}
+          HASH: ${{ matrix.hash }}
+        run: |
+          cp config/examples/library.config .config
+          make keytools
+          ./tools/keytools/keygen --${{ matrix.asym }} -g wolfboot_signing_private_key.der
+          echo "Test" > test.bin
+          ./tools/keytools/sign --${{ matrix.asym }} --${{ matrix.hash }} test.bin wolfboot_signing_private_key.der 1
+          # Convert asym and hash to upper case
+          make test-lib SIGN=${ASYM^^} HASH=${HASH^^}
+
+      - name: Run test-lib
+        run: |
+          ./test-lib test_v1_signed.bin
+          ./test-lib test_v1_signed.bin 2>&1 | grep "Firmware Valid"
+
+      - name: Run test-lib (expect failure)
+        run: |
+          # Corrupt signed binary
+          truncate -s -1 test_v1_signed.bin
+          echo "A" >> test_v1_signed.bin
+          ./test-lib test_v1_signed.bin
+          ./test-lib test_v1_signed.bin 2>&1 | grep "Failure"
diff --git a/.github/workflows/test-renode-fastmath.yml b/.github/workflows/test-renode-fastmath.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: true
 

diff --git a/.github/workflows/test-units.yml b/.github/workflows/test-units.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: true
 

diff --git a/.github/workflows/test-wolfhsm-simulator.yml b/.github/workflows/test-wolfhsm-simulator.yml
@@ -53,6 +53,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: wolfssl/wolfHSM-examples
+          # Make sure to update this when the wolfHSM submodule is updated!
+          ref: wolfHSM-v1.1.0
           path: wolfHSM-examples
 
       - name: Build example POSIX TCP server

diff --git a/.github/workflows/test-x86-fsp-qemu.yml b/.github/workflows/test-x86-fsp-qemu.yml
@@ -7,7 +7,7 @@ jobs:
   fsp_qemu_test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           submodules: true
       - name: install req

diff --git a/.gitignore b/.gitignore
@@ -116,8 +116,9 @@ tools/tpm/pcr_extend
 tools/tpm/policy_create
 tools/tpm/policy_sign
 config/*.ld
+test-lib
 
-# Generated confiuguration file
+# Generated configuration file
 .config
 .vs
 *.filters
@@ -144,7 +145,7 @@ hal/x86_fsp_qemu_stage1.ld
 
 debug/lauterbach
 
-#cland cache
+#clangd cache
 .cache/*
 
 #gcov files

diff --git a/IDE/XilinxSDK/README.md b/IDE/XilinxSDK/README.md
@@ -28,6 +28,7 @@ A build settings template for Zynq UltraScale+ can be found here `./config/examp
 ```sh
 $ cp ./config/examples/zynqmp.config .config
 $ make keytools
+$ make wolfboot.elf
 ```
 
 These template settings are also in this `.cproject` as preprocessor macros. These settings are loaded into the `target.h.in` template by the wolfBoot `make`. If not using the built-in make then the following defines will need to be manually created in `target.h`:
@@ -201,33 +202,34 @@ Successfully ran Hello World application
 
 ### Adding RSA Authentication
 
-1. Generate keys:
+1. Update boot.bif (see boot_auth.bif)
+
+    ```
+[auth_params] ppk_select=0; spk_id=0x00000000
+[pskfile] pskf.pem
+[sskfile] sskf.pem
+authentication=rsa
+    ```
+
+2. Generate keys:
     * `bootgen.exe -generate_keys auth pem -arch zynqmp -image boot_auth.bif`
-2. Create hash for primary key:
+3. Create hash for primary key:
     * `bootgen.exe -image boot_auth.bif -arch zynqmp -w -o i BOOT.BIN -efuseppkbits ppkf_hash.txt`
-3. Import example project for programming eFuses:
+4. Import example project for programming eFuses:
     * New BSP project (program efuses , ZCU102_hw_platform, standalone, CPU: PSU_cortexa53_0)
     * Goto Xilinx Board Support Packet Settings.
     * Scroll down to Supported Libraries and Check the xiskey library
     * In the system.mss pane, scroll down to Libraries and click Import Examples.
     * Check the xilskey_esfuseps_zynqmp_example
-4. Edit `xilskey_efuseps_zynqmp_input.h`
+5. Edit `xilskey_efuseps_zynqmp_input.h`
     * 433 `#define XSK_EFUSEPS_WRITE_PPK0_HASH  TRUE`
     * 453 `#define XSK_EFUSEPS_PPK0_IS_SHA3     TRUE`
     * 454 `#define XSK_EFUSEPS_PPK0_HASH "0000000000000000000000000000000000000000000000000000000000000000" /* from ppkf_hash.txt */`
-5. Update boot.bif (see boot_auth.bif)
-
-    ```
-    [auth_params] ppk_select=0; spk_id=0x00000000
-    [pskfile] pskf.pem
-    [sskfile] sskf.pem
-    authentication=rsa
-    ```
 
 6. Build “boot.bin” image:
     * `bootgen -image boot_auth.bif -arch zynqmp -o i BOOT.BIN -w`
 
-Note: During testing add `[fsbl_config] bh_auth_enable` to allow skipping of the eFuse check of the PPK hash. In production the RSA_EN eFuses must be blown to force checking of the PPK hash.
+Note: During testing add `[fsbl_config] bh_auth_enable` to allow skipping of the eFuse check of the PPK hash. In production the `RSA_EN` eFuses must be blown to force checking of the PPK hash.
 
 Note: To generate a report of a boot.bin use the `bootgen_utility` or after 2022.1 use `bootgen -read`:
 `bootgen -arch zynqmp -read BOOT.BIN`

diff --git a/Makefile b/Makefile
@@ -34,8 +34,11 @@ OBJS:= \
 	./src/string.o \
 	./src/image.o \
 	./src/libwolfboot.o \
-	./hal/hal.o \
-	./hal/$(TARGET).o
+	./hal/hal.o
+
+ifneq ($(TARGET),library)
+	OBJS+=./hal/$(TARGET).o
+endif
 
 ifeq ($(SIGN),NONE)
   PRIVATE_KEY=
@@ -126,7 +129,7 @@ endif
 
 ifeq ($(TARGET),library)
     CFLAGS+=-g
-    MAIN_TARGET:=test-lib
+    MAIN_TARGET:=libwolfboot.a
 endif
 
 ifeq ($(TARGET),raspi3)
@@ -171,8 +174,13 @@ stage1/loader_stage1.bin: FORCE
 	@echo "\t[BIN] $@"
 	$(Q)$(MAKE) -C $(dir $@) $(notdir $@)
 
-test-lib: include/target.h $(OBJS)
-	$(Q)$(CC) $(CFLAGS) -o $@ $(OBJS)
+libwolfboot.a: include/target.h $(OBJS)
+	@echo "\t[LIB] $@"
+	$(Q)$(AR) rcs $@ $(OBJS)
+
+test-lib: libwolfboot.a hal/library.o
+	@echo "\t[BIN] $@"
+	$(Q)$(CC) $(CFLAGS) -o $@ hal/library.o libwolfboot.a
 
 wolfboot.efi: wolfboot.elf
 	@echo "\t[BIN] $@"
@@ -193,7 +201,6 @@ wolfboot.bin: wolfboot.elf
 	$(Q)$(SIZE) wolfboot.elf
 	@echo
 
-
 test-app/image.bin: wolfboot.elf
 	$(Q)$(MAKE) -C test-app WOLFBOOT_ROOT="$(WOLFBOOT_ROOT)"
 	$(Q)$(SIZE) test-app/image.elf
@@ -377,7 +384,7 @@ distclean: clean keysclean utilsclean
 	$(Q)rm -f *.bin *.elf
 
 include/target.h: $(TARGET_H_TEMPLATE) FORCE
-	@cat $(TARGET_H_TEMPLATE) | \
+	$(Q)cat $(TARGET_H_TEMPLATE) | \
 	sed -e "s/@WOLFBOOT_PARTITION_SIZE@/$(WOLFBOOT_PARTITION_SIZE)/g" | \
 	sed -e "s/@WOLFBOOT_SECTOR_SIZE@/$(WOLFBOOT_SECTOR_SIZE)/g" | \
 	sed -e "s/@WOLFBOOT_PARTITION_BOOT_ADDRESS@/$(WOLFBOOT_PARTITION_BOOT_ADDRESS)/g" | \
@@ -445,16 +452,16 @@ tools/keytools/otp/otp-keystore-primer.bin: FORCE
 secondary: $(SECONDARY_PRIVATE_KEY)
 
 %.o:%.c
-	@echo "\t[CC-$(ARCH)] $@"
+	@echo "\t[CC $(ARCH)] $@"
 	$(Q)$(CC) $(CFLAGS) -c $(OUTPUT_FLAG) $@ $^
 
 %.o:%.S
-	@echo "\t[AS-$(ARCH)] $@"
+	@echo "\t[AS $(ARCH)] $@"
 	$(Q)$(CC) $(CFLAGS) -c $(OUTPUT_FLAG) $@ $^
 
 src/x86/fsp_s.o: $(FSP_S_BIN)
 	$(OBJCOPY) -I binary -O elf64-x86-64 -B i386 --rename-section .data=.fsp_s $^ $@
-	
+
 pico-sdk-info: FORCE
 	@echo "To complete the build, check IDE/pico-sdk/rp2350"