Skip to content

config refactor#766

Draft
bigbrett wants to merge 10 commits into
wolfSSL:masterfrom
bigbrett:wolfcrypt-cfg-refactor
Draft

config refactor#766
bigbrett wants to merge 10 commits into
wolfSSL:masterfrom
bigbrett:wolfcrypt-cfg-refactor

Conversation

@bigbrett

@bigbrett bigbrett commented May 1, 2026

Copy link
Copy Markdown
Contributor

super secret plz dont look just yet


Background / Motivation

Problem. The current wolfBoot wolfCrypt configuration is split between two tightly coupled files that have grown into a tangle:

  • options.mk (1481 lines) — translates high-level Make variables (SIGN, HASH, WOLFTPM, WOLFHSM_CLIENT, WOLFCRYPT_TZ_*, ENCRYPT*, etc.) into WOLFCRYPT_OBJS (linker input) and -Dxxx CFLAGS (preprocessor input).
  • include/user_settings.h (781 lines) — consumes those -Dxxx flags and configures wolfCrypt features.

This led to tightly coupled, hard-to-reason-about logic built around deeply nested, negated #ifdef chains. Adding or modifying a feature required:

  • Updating multiple unrelated sections
  • Extending fragile negation chains
  • Carefully preserving ordering to avoid conflicts

Negative wolfCrypt flags (NO_*, WC_NO_*) made this worse: they don’t compose safely, so enabling a feature often meant editing multiple disable sites or introducing #undefs, increasing risk and maintenance cost.

Additionally, important configuration behavior lived in options.mk, meaning non-Make builds (IDE, CMake) could not reliably reproduce the same configuration without duplicating logic.


Summary

This PR replaces the monolithic configuration with a modular, fragment-based system and introduces a WOLFBOOT_NEEDS_* marker model to decouple feature intent from final wolfCrypt configuration.


Key Changes

  • Shim-based entrypoint

    • include/user_settings.h now only orchestrates includes in a fixed order.
  • Fragmented configuration

    • Configuration split into small, self-contained headers (SIGN, HASH, TPM, TrustZone, etc.).
    • Fragments are strictly additive (#define only) and independent.
  • Cascade layer (cascade.h)

    • Moves feature-flag implications from options.mk into the preprocessor.
    • Declares all WOLFBOOT_NEEDS_* markers from high-level flags.
  • Central reconciliation (finalize.h)

    • Single point translating NEEDS markers into wolfCrypt negative flags.
    • Consolidates all disable logic.
  • NEEDS marker model

    • Features declare what they require (e.g., RNG, AES, ASN).
    • The system derives what to disable automatically.

Benefits

  • Eliminates negated #ifdef chains

    • No more scattered “if not X and not Y and not Z → disable” logic.
  • Decouples features

    • Adding a feature no longer requires modifying unrelated code paths.
  • Single source of truth for disables

    • All NO_* / WC_NO_* decisions live in finalize.h.
  • Improved build portability

    • IDE/CMake builds now match Make builds using only WOLFBOOT_* flags.
  • Simpler reasoning

    • Feature requirements: fragment headers
    • Final configuration: finalize.h
  • Safer extensibility

    • New features integrate via markers instead of modifying global logic.

No User-Facing Changes

  • .config inputs and WOLFBOOT_* flags are unchanged.
  • Generated binaries remain equivalent for the same configurations.

Developer Impact

New features follow a consistent pattern:

  1. Add fragment header
  2. Include it in the shim
  3. Declare required WOLFBOOT_NEEDS_* markers in cascade.h
  4. Only touch finalize.h when introducing a new negative-polarity feature

Resulting flow:

WOLFBOOT_* flags
    → cascade.h (derive + declare NEEDS)
    → fragments (additive config)
    → finalize.h (apply disables)
    → final wolfCrypt configuration

Scope

  • Structural refactor only
  • No intended functional or cryptographic changes

Copilot AI review requested due to automatic review settings May 1, 2026 17:49

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Refactors wolfCrypt/wolfSSL configuration into composable include/user_settings/* fragments and simplifies Make-side -D flag emission for hash-based signature parameterization.

Changes:

  • Splits the monolithic include/user_settings.h into ordered “fragment” headers (cascade/base/sign/hash/features/finalize) and turns user_settings.h into a dispatcher.
  • Moves SIGN/HASH algorithm-specific configuration into dedicated sign_*.h and hash_*.h fragments with central dispatch headers.
  • Updates options.mk so LMS/XMSS Make variables carry only user-provided parameter values, with wolfCrypt-side defines derived in headers.

Reviewed changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
options.mk Drops wolfCrypt-side LMS/XMSS defines from Make flags; keeps only user parameter -Ds.
include/user_settings.h Replaced large inline configuration with ordered includes of fragment headers.
include/user_settings/base.h New: baseline wolfCrypt settings shared by all builds.
include/user_settings/cascade.h New: feature implication cascades + WOLFBOOT_NEEDS_* markers.
include/user_settings/sign_dispatch.h New: includes per-signature fragments based on SIGN flags.
include/user_settings/sign_rsa.h New: RSA verification configuration (and NO_RSA fallback).
include/user_settings/sign_ecc.h New: ECC verification configuration and carve-outs.
include/user_settings/sign_ed25519.h New: ED25519 verification configuration and carve-outs.
include/user_settings/sign_ed448.h New: ED448 verification configuration and carve-outs.
include/user_settings/sign_ml_dsa.h New: ML-DSA (Dilithium) verification configuration and carve-outs.
include/user_settings/sign_lms.h New: LMS verification config; maps Make parameters to wolfCrypt defines.
include/user_settings/sign_xmss.h New: XMSS verification config; maps Make parameters to wolfCrypt defines.
include/user_settings/hash_dispatch.h New: includes hash fragments based on WOLFBOOT_HASH_*.
include/user_settings/hash_sha384.h New: SHA-384 hash selection fragment (+ optional NO_SHA256).
include/user_settings/hash_sha3.h New: SHA3-384 hash selection fragment (+ optional NO_SHA256).
include/user_settings/encrypt.h New: EXT_ENCRYPTED / SECURE_PKCS11 wolfCrypt configuration.
include/user_settings/trustzone.h New: TrustZone secure-mode wolfCrypt configuration.
include/user_settings/tpm.h New: wolfTPM-related config for WOLFBOOT_TPM builds.
include/user_settings/wolfhsm.h New: crypto-callback/key-gen config for wolfHSM client/server builds.
include/user_settings/cert_chain.h New: cert-chain verify mode config for wolfHSM server.
include/user_settings/renesas.h New: Renesas HW crypto offload settings.
include/user_settings/platform.h New: platform-specific SP-math word-size and minor platform knobs.
include/user_settings/test_bench.h New: test/benchmark-specific configuration and RNG selection.
include/user_settings/finalize.h New: reconciles WOLFBOOT_NEEDS_* into NO_* / WC_NO_* and global disables.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread include/user_settings/finalize.h
Comment thread include/user_settings/trustzone.h
Comment thread include/user_settings/sign_ecc.h
Comment thread include/user_settings/cascade.h Outdated
@bigbrett bigbrett self-assigned this May 4, 2026
@bigbrett bigbrett force-pushed the wolfcrypt-cfg-refactor branch 2 times, most recently from de02995 to 721b1ad Compare May 11, 2026 22:27
bigbrett and others added 10 commits July 2, 2026 11:09
Master (PR wolfSSL#773) consolidated WOLFSSL_NXP_LPC55S69_WITH_HWACCEL and
WOLFSSL_NXP_LPC55S69_NO_HWACCEL into a single WOLFSSL_NXP_LPC55S6X
hwaccel flag, switched the test/bench HASHDRBG and HW-feature gates to
TARGET_lpc55s69 (covers both hwaccel and non-hwaccel builds), and
dropped the NO_WOLFSSL_SHA256_INTERLEAVE workaround. Propagate those
changes into the new include/user_settings/ fragments so the old macro
names (which no longer exist in arch.mk/test-app/hal) don't leave the
test/bench and NEEDS_HASHDRBG paths permanently disabled on lpc55s69.
Post-rebase fixup after pulling in upstream commits cab04ad (wolfssl
submodule update with file-level ML-DSA rename) and 6e60abd (continue
the ML-DSA renaming).

- sign_ml_dsa.h: switch the legacy HAVE_DILITHIUM / WOLFSSL_WC_DILITHIUM
  / WOLFSSL_DILITHIUM_* spellings to the canonical WOLFSSL_HAVE_MLDSA /
  WOLFSSL_MLDSA_* names. The shim in wolfcrypt/src/wc_mldsa.c still
  accepts the legacy names, but matching the canonical names keeps the
  fragment readable against the new submodule.
- sign_dispatch.h: drop the "/ Dilithium" half of the algorithm header
  comment.
- sign_rsa.h: gate WC_RSA_BLINDING by WOLFCRYPT_SECURE_MODE,
  WOLFBOOT_TPM_PARMENC, WOLFCRYPT_TEST, WOLFCRYPT_BENCHMARK, or
  WOLFBOOT_ENABLE_WOLFHSM_SERVER, mirroring upstream commit cab04ad.
  Blinding requires the wolfCrypt RNG, which settings.h disables in
  verify-only builds.
- sign_lms.h / sign_xmss.h: drop the no-longer-referenced
  WOLFSSL_WC_LMS / WOLFSSL_WC_XMSS gates (only the _SMALL variants
  remain in the submodule), matching upstream's options.mk trim in
  cab04ad.

Built clean against sim, sim-ml-dsa, sim-lms, sim-xmss, and
sim-rsapss2048 configs.
…cert chains

Post-rebase fixup translating upstream's user_settings.h changes since
b983fa7 into the fragment architecture:

- sign_rsa.h: wrap the WC_RSA_BLINDING condition in #ifndef WC_NO_RNG,
  mirroring upstream 9786f56 (STM32N6 port). Covers NS-side test-apps
  that force WC_NO_RNG from CFLAGS (TEST_APP_NO_RNG=1) while inheriting
  WOLFCRYPT_SECURE_MODE. finalize.h's own WC_NO_RNG cannot coexist with
  the inner conditions since each declares WOLFBOOT_NEEDS_RNG.
- finalize.h: define WC_BLINDING_NO_RNG_ACKNOWLEDGE_WEAKNESS alongside
  the central WC_NO_RNG, mirroring upstream b9bd6da's two per-section
  definitions (wolfssl rejects WC_NO_RNG with default blinding macros).
- wolfhsm.h: adopt the WOLFCRYPT_TZ_WOLFHSM TrustZone engine (upstream
  b9bd6da): extend the crypto-cb gate, add secure-side SHA384/SHA512
  and keycache sizing for wolfHSM server builds, and the AES/HKDF/GCM
  positive set for the TZ engine (all skipped under UNIT_TEST).
- cascade.h: declare NEEDS_AES / NEEDS_HMAC for WOLFCRYPT_TZ_WOLFHSM
  && !UNIT_TEST -- the fragment equivalent of upstream's #undef NO_AES
  / #undef NO_HMAC re-enables.
- cert_chain.h: drop WOLFSSL_PEM_TO_DER (upstream 9b8629e) and the
  NEEDS_PEM opt-in; chains are DER-only so finalize.h's WOLFSSL_NO_PEM
  now applies, matching upstream's effective macro state.
- docs/wolfssl-config.md: refresh the affected tables and fragment
  sections.

Verified against upstream/master's monolithic user_settings.h with a
gcc -dM -E macro diff: identical effective config for the TZ-wolfHSM
secure/NS-app/unit-test flag sets and plain ECC256/RSA2048/ED25519
builds; cert-chain server differs only by the pre-existing deliberate
NEEDS_ASN_TIME/PKCS8/CHECK_PRIVATE_KEY divergences. Built clean against
sim, sim-rsapss2048, sim-lms, sim-xmss, sim-ml-dsa, and
stm32h5-tz-wolfhsm; unit-test suite passes (85/85).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VRYWs5z7ZgeEQsQTx9c7do
@bigbrett bigbrett force-pushed the wolfcrypt-cfg-refactor branch from 4be5504 to 9641492 Compare July 2, 2026 18:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants