update wolfHSM, add --flags field to add key usage for CI keys

bigbrett · bigbrett · commit 27c5f0e3a4c6 · 2025-11-20T10:12:58.000-07:00
diff --git a/.github/workflows/test-wolfhsm-simulator.yml b/.github/workflows/test-wolfhsm-simulator.yml
@@ -111,7 +111,8 @@ jobs:
             echo "obj 1 0xFFFF 0x0000 \"cert CA\" ../../../../../test-dummy-ca/root-cert.der" >> $tmpfile
             ./Build/wh_posix_server.elf --type tcp --nvminit $tmpfile &
           else
-            ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --key ../../../../../wolfboot_signing_private_key_pub.der &
+            # --flags=0x100 sets the WH_NVM_FLAGS_USAGE_VERIFY flag
+            ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --key --flags 0x100 ../../../../../wolfboot_signing_private_key_pub.der &
           fi
           TCP_SERVER_PID=$!
           echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV
diff --git a/lib/wolfHSM b/lib/wolfHSM
@@ -1 +1 @@
-Subproject commit bb35305de578d1e7163388ed95df8f02580c1c1b
+Subproject commit bfb5d90bb22719709171adbf72b3d67ca7787957
diff --git a/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit b/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit
@@ -2,4 +2,5 @@
 #
 # Key format is:
 # key <clientId> <keyId> <access> <flags> <label> <file>
-key 0x1 0xFF 0xFF 0x00 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der
+# flags: WH_NVM_FLAGS_USAGE_VERIFY=0x100
+key 0x1 0xFF 0xFF 0x100 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der

Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,5 @@`
`2`	`2`	`#`
`3`	`3`	`# Key format is:`
`4`	`4`	`# key <clientId> <keyId> <access> <flags> <label> <file>`
`5`		`-key 0x1 0xFF 0xFF 0x00 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der`
	`5`	`+# flags: WH_NVM_FLAGS_USAGE_VERIFY=0x100`
	`6`	`+key 0x1 0xFF 0xFF 0x100 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der`