config refactor

include/user_settings/base.h

@@ -0,0 +1,65 @@
+/* user_settings/base.h
+ *
+ * Foundation defines that every wolfBoot build needs regardless of which
+ * SIGN/HASH/feature flags are set: alignment, threading, stdlib types,
+ * basic sizing.
+ *
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef _WOLFBOOT_USER_SETTINGS_BASE_H_
+#define _WOLFBOOT_USER_SETTINGS_BASE_H_
+
+/* System */
+#define WOLFSSL_GENERAL_ALIGNMENT 4
+#define SINGLE_THREADED
+#define WOLFSSL_USER_MUTEX /* avoid wc_port.c wc_InitAndAllocMutex */
+/* WOLFCRYPT_ONLY: pure crypto, no TLS/SSL stack. The only configuration
+ * that needs the SSL layer (cert manager) is wolfHSM server + cert-chain
+ * verification, where the carve-out moves to user_settings/cert_chain.h
+ * in a later phase. */
+#if !(defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \
+        defined(WOLFBOOT_CERT_CHAIN_VERIFY))
+#  define WOLFCRYPT_ONLY
+#endif
+#define SIZEOF_LONG_LONG 8
+#define HAVE_EMPTY_AGGREGATES 0
+#define HAVE_ANONYMOUS_INLINE_AGGREGATES 0
+
+/* Stdlib Types */
+#define CTYPE_USER /* don't let wolfCrypt types.h include ctype.h */
+
+#ifndef WOLFSSL_ARMASM
+#  ifndef toupper
+extern int toupper(int c);
+#  endif
+#  ifndef tolower
+extern int tolower(int c);
+#  endif
+#  define XTOUPPER(c)     toupper((c))
+#  define XTOLOWER(c)     tolower((c))
+#endif
+
+#ifdef USE_FAST_MATH
+    /* wolfBoot only does public asymmetric operations,
+     * so timing resistance and hardening is not required */
+#   define WC_NO_HARDEN
+#endif
+
+#endif /* _WOLFBOOT_USER_SETTINGS_BASE_H_ */

include/user_settings/cascade.h

@@ -0,0 +1,216 @@
+/* user_settings/cascade.h
+ *
+ * Lift Make-side feature implications into preprocessor cascades, and
+ * declare WOLFBOOT_NEEDS_* positive intent markers used by the rest
+ * of the user_settings/ fragments and reconciled in finalize.h.
+ *
+ * Idempotent: every #define is #ifndef-guarded, so it's a no-op when
+ * options.mk has already emitted the same -D flag.
+ *
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef _WOLFBOOT_USER_SETTINGS_CASCADE_H_
+#define _WOLFBOOT_USER_SETTINGS_CASCADE_H_
+
+/* ------------------------------------------------------------------
+ * Feature-flag cascades
+ * ------------------------------------------------------------------ */
+
+/* Any feature that requires a hardware TPM 2.0 implies WOLFBOOT_TPM.
+ * Mirrors options.mk:34-92 where the same Make variables force WOLFTPM:=1. */
+#if defined(WOLFBOOT_TPM_VERIFY)   || \
+    defined(WOLFBOOT_MEASURED_BOOT) || \
+    defined(WOLFBOOT_TPM_KEYSTORE) || \
+    defined(WOLFBOOT_TPM_SEAL)
+#  ifndef WOLFBOOT_TPM
+#    define WOLFBOOT_TPM
+#  endif
+#endif
+
+/* TPM keystore and seal both require TPM session parameter encryption. */
+#if defined(WOLFBOOT_TPM_KEYSTORE) || defined(WOLFBOOT_TPM_SEAL)
+#  ifndef WOLFBOOT_TPM_PARMENC
+#    define WOLFBOOT_TPM_PARMENC
+#  endif
+#endif
+
+/* Any RSA SIGN flag (or WOLFCRYPT_SECURE_MODE without PKCS11_SMALL) means
+ * the build links wolfCrypt's RSA code. sign_rsa.h handles the actual
+ * configuration; the marker is set here so finalize.h can see it ahead
+ * of finalize-time and skip NO_ASN. */
+#if defined(WOLFBOOT_SIGN_RSA2048)            || \
+    defined(WOLFBOOT_SIGN_RSA3072)            || \
+    defined(WOLFBOOT_SIGN_RSA4096)            || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSA2048)  || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSA3072)  || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSA4096)  || \
+    defined(WOLFBOOT_SIGN_RSAPSS2048)         || \
+    defined(WOLFBOOT_SIGN_RSAPSS3072)         || \
+    defined(WOLFBOOT_SIGN_RSAPSS4096)         || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) || \
+    (defined(WOLFCRYPT_SECURE_MODE) && !defined(PKCS11_SMALL))
+#  ifndef WOLFBOOT_NEEDS_RSA
+#    define WOLFBOOT_NEEDS_RSA
+#  endif
+#endif
+
+/* ------------------------------------------------------------------
+ * WOLFBOOT_NEEDS_* declarations
+ * ------------------------------------------------------------------
+ * Positive intent markers. user_settings/finalize.h tests them and
+ * applies the corresponding wolfCrypt negative flag (NO_*, WC_NO_*) to
+ * builds that did NOT opt in. Fragments may also set additional markers
+ * from their own headers. */
+
+/* NEEDS_RNG: any feature that uses wolfCrypt's RNG.
+ * Driven by: TPM parm-enc, secure-mode (TZ-PSA / TZ-FWTPM), test/bench,
+ * wolfHSM server, and wolfHSM client + ML-DSA. */
+#if defined(WOLFBOOT_TPM_PARMENC)            || \
+    defined(WOLFCRYPT_SECURE_MODE)           || \
+    defined(WOLFCRYPT_TEST)                  || \
+    defined(WOLFCRYPT_BENCHMARK)             || \
+    defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)  || \
+    (defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
+     defined(WOLFBOOT_SIGN_ML_DSA))
+#  ifndef WOLFBOOT_NEEDS_RNG
+#    define WOLFBOOT_NEEDS_RNG
+#  endif
+#endif
+
+/* NEEDS_HASHDRBG: features that use wolfCrypt's HASHDRBG specifically.
+ * Note: TEST/BENCH non-LPC55S69 builds use a custom RNG and do NOT
+ * declare this marker; their explicit `#define WC_NO_HASHDRBG` lives
+ * in test_bench.h. */
+#if defined(WOLFBOOT_TPM_PARMENC)  || \
+    defined(WOLFCRYPT_SECURE_MODE) || \
+    ((defined(WOLFCRYPT_TEST) || defined(WOLFCRYPT_BENCHMARK)) && \
+     (defined(WOLFSSL_NXP_LPC55S69_WITH_HWACCEL) || \
+      defined(WOLFSSL_NXP_LPC55S69_NO_HWACCEL)))
+#  ifndef WOLFBOOT_NEEDS_HASHDRBG
+#    define WOLFBOOT_NEEDS_HASHDRBG
+#  endif
+#endif
+
+/* NEEDS_AES_CBC: features that use AES-CBC (entropy-using paths). */
+#if defined(WOLFBOOT_TPM_PARMENC)  || \
+    defined(WOLFCRYPT_SECURE_MODE) || \
+    defined(WOLFCRYPT_TEST)        || \
+    defined(WOLFCRYPT_BENCHMARK)
+#  ifndef WOLFBOOT_NEEDS_AES_CBC
+#    define WOLFBOOT_NEEDS_AES_CBC
+#  endif
+#endif
+
+/* NEEDS_AES: features that use AES core. */
+#if defined(ENCRYPT_WITH_AES128)   || \
+    defined(ENCRYPT_WITH_AES256)   || \
+    defined(WOLFBOOT_TPM_PARMENC)  || \
+    defined(WOLFCRYPT_SECURE_MODE) || \
+    defined(SECURE_PKCS11)         || \
+    defined(WOLFCRYPT_TZ_PSA)      || \
+    defined(WOLFCRYPT_TEST)        || \
+    defined(WOLFCRYPT_BENCHMARK)
+#  ifndef WOLFBOOT_NEEDS_AES
+#    define WOLFBOOT_NEEDS_AES
+#  endif
+#endif
+
+/* NEEDS_HMAC: features that use HMAC. */
+#if defined(WOLFBOOT_TPM)          || \
+    defined(WOLFCRYPT_SECURE_MODE) || \
+    defined(WOLFCRYPT_TEST)        || \
+    defined(WOLFCRYPT_BENCHMARK)
+#  ifndef WOLFBOOT_NEEDS_HMAC
+#    define WOLFBOOT_NEEDS_HMAC
+#  endif
+#endif
+
+/* NEEDS_DEV_RANDOM: features that may want OS /dev/random as entropy. */
+#if defined(WOLFBOOT_TPM)          || \
+    defined(WOLFCRYPT_SECURE_MODE) || \
+    defined(WOLFCRYPT_TEST)        || \
+    defined(WOLFCRYPT_BENCHMARK)
+#  ifndef WOLFBOOT_NEEDS_DEV_RANDOM
+#    define WOLFBOOT_NEEDS_DEV_RANDOM
+#  endif
+#endif
+
+/* NEEDS_ECC_KEY_EXPORT: features that need to export ECC keys. */
+#if defined(WOLFBOOT_TPM)                    || \
+    defined(WOLFCRYPT_SECURE_MODE)           || \
+    defined(WOLFCRYPT_TEST)                  || \
+    defined(WOLFCRYPT_BENCHMARK)             || \
+    defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT)  || \
+    defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
+#  ifndef WOLFBOOT_NEEDS_ECC_KEY_EXPORT
+#    define WOLFBOOT_NEEDS_ECC_KEY_EXPORT
+#  endif
+#endif
+
+/* NEEDS_ASN: features that need ASN.1 parsing. NEEDS_RSA also implies
+ * this (RSA always parses ASN.1). */
+#if defined(WOLFBOOT_NEEDS_RSA)              || \
+    defined(WOLFBOOT_TPM)                    || \
+    defined(WOLFCRYPT_SECURE_MODE)           || \
+    defined(WOLFCRYPT_TEST)                  || \
+    defined(WOLFCRYPT_BENCHMARK)             || \
+    defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT)  || \
+    defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
+#  ifndef WOLFBOOT_NEEDS_ASN
+#    define WOLFBOOT_NEEDS_ASN
+#  endif
+#endif
+
+/* NEEDS_BASE64: features that use base64 encoding. */
+#if (defined(WOLFBOOT_TPM_SEAL) && defined(WOLFBOOT_ATA_DISK_LOCK)) || \
+    defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT)  || \
+    defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
+#  ifndef WOLFBOOT_NEEDS_BASE64
+#    define WOLFBOOT_NEEDS_BASE64
+#  endif
+#endif
+
+/* NEEDS_CMAC and NEEDS_KDF: TZ_PSA and TZ_FWTPM need both. */
+#if defined(WOLFCRYPT_TZ_PSA) || defined(WOLFBOOT_TZ_FWTPM)
+#  ifndef WOLFBOOT_NEEDS_CMAC
+#    define WOLFBOOT_NEEDS_CMAC
+#  endif
+#  ifndef WOLFBOOT_NEEDS_KDF
+#    define WOLFBOOT_NEEDS_KDF
+#  endif
+#endif
+
+/* NEEDS_MALLOC: features whose code-paths use heap allocation.
+ * SECURE_PKCS11, WOLFCRYPT_TZ_PSA, the wolfHSM server, and the
+ * test/bench harnesses all expect a working malloc. Default builds
+ * (no marker) get NO_WOLFSSL_MEMORY + WOLFSSL_NO_MALLOC instead. */
+#if defined(SECURE_PKCS11)                  || \
+    defined(WOLFCRYPT_TZ_PSA)               || \
+    defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) || \
+    defined(WOLFCRYPT_TEST)                 || \
+    defined(WOLFCRYPT_BENCHMARK)
+#  ifndef WOLFBOOT_NEEDS_MALLOC
+#    define WOLFBOOT_NEEDS_MALLOC
+#  endif
+#endif
+
+#endif /* _WOLFBOOT_USER_SETTINGS_CASCADE_H_ */

include/user_settings/cert_chain.h

@@ -0,0 +1,44 @@
+/* user_settings/cert_chain.h
+ *
+ * wolfCrypt configuration for WOLFBOOT_CERT_CHAIN_VERIFY. This is the
+ * only build mode that links the wolfSSL TLS-layer cert manager (server
+ * side). Client side just uses wolfHSM's cert manager and needs no
+ * extra wolfCrypt config beyond what wolfhsm.h already supplies.
+ *
+ * The companion `WOLFCRYPT_ONLY` carve-out (when the server cert-chain
+ * mode is active) lives in user_settings/base.h.
+ *
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef _WOLFBOOT_USER_SETTINGS_CERT_CHAIN_H_
+#define _WOLFBOOT_USER_SETTINGS_CERT_CHAIN_H_
+
+#if defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER) && \
+    defined(WOLFBOOT_CERT_CHAIN_VERIFY)
+#  define NO_TLS
+#  define NO_OLD_TLS
+#  define WOLFSSL_NO_TLS12
+#  define WOLFSSL_USER_IO
+#  define WOLFSSL_SP_MUL_D
+#  define WOLFSSL_PEM_TO_DER
+#  define WOLFSSL_ALLOW_NO_SUITES
+#endif
+
+#endif /* _WOLFBOOT_USER_SETTINGS_CERT_CHAIN_H_ */

include/user_settings/encrypt.h

@@ -0,0 +1,66 @@
+/* user_settings/encrypt.h
+ *
+ * wolfCrypt configuration for image encryption (EXT_ENCRYPTED) and the
+ * SECURE_PKCS11 store. The cipher selection (ChaCha20 vs AES-128 vs
+ * AES-256 vs PKCS#11-backed) lives in options.mk; this fragment owns the
+ * wolfCrypt-side gates that follow from those choices.
+ *
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#ifndef _WOLFBOOT_USER_SETTINGS_ENCRYPT_H_
+#define _WOLFBOOT_USER_SETTINGS_ENCRYPT_H_
+
+#if defined(EXT_ENCRYPTED)
+#  define HAVE_PWDBASED
+#endif
+
+#if defined(SECURE_PKCS11)
+#  include <time.h>
+#  define HAVE_PWDBASED
+#  define HAVE_PBKDF2
+#  define WOLFPKCS11_CUSTOM_STORE
+#  define WOLFBOOT_SECURE_PKCS11
+#  ifndef WOLFPKCS11_USER_SETTINGS
+#    define WOLFPKCS11_USER_SETTINGS
+#  endif
+#  define WOLFPKCS11_NO_TIME
+#  ifndef WOLFSSL_AES_COUNTER
+#    define WOLFSSL_AES_COUNTER
+#  endif
+#  define HAVE_AESCTR
+#  ifndef WOLFSSL_AES_DIRECT
+#    define WOLFSSL_AES_DIRECT
+#  endif
+#  define WOLFSSL_AES_GCM
+#  define GCM_TABLE_4BIT
+#  define WOLFSSL_AES_128
+#  define HAVE_SCRYPT
+#  define HAVE_AESGCM
+#  define HAVE_PKCS8
+#endif
+
+/* PKCS11 for wolfBoot is always static. */
+#define HAVE_PKCS11_STATIC
+
+/* The NO_PWDBASED fallback (when no fragment opted in) lives in
+ * user_settings/finalize.h so it runs after trustzone.h / tpm.h /
+ * test_bench.h have had a chance to set HAVE_PWDBASED. */
+
+#endif /* _WOLFBOOT_USER_SETTINGS_ENCRYPT_H_ */