Documentation cleanups. Renamed zynqmp CSU PKA to HW_SHA3. Disabled CSU PUF code, since it is only supported with eFuses (it cannot be used adhoc).

dgarske · dgarske · commit ca48718bf4c5 · 2025-03-24T16:01:26.000-07:00
diff --git a/arch.mk b/arch.mk
@@ -76,9 +76,9 @@ ifeq ($(ARCH),AARCH64)
     CFLAGS+=-DWOLFBOOT_UBOOT_LEGACY
     CFLAGS+=-DWOLFBOOT_DUALBOOT
 
-    ifeq ($(PKA),1)
+    ifeq ($(HW_SHA3),1)
       # Use HAL for hash (see zynqmp.c)
-      PKA_HASH_HAL=1
+      HASH_HAL=1
       CFLAGS+=-DWOLFBOOT_ZYNQMP_CSU
     endif
   else
diff --git a/config/examples/zynqmp.config b/config/examples/zynqmp.config
@@ -9,11 +9,11 @@ HASH?=SHA3
 IMAGE_HEADER_SIZE?=1024
 
 # Hashing Option
-# 1. ARMv8+Crypto Assembly: PKA=0 and NO_ARM_ASM=0 (default)
-# 2. CSU SHA3 hardware acceleration PKA=1 and NO_ARM_ASM=1
-# 3. C Only PKA=0 and NO_ARM_ASM=1
+# 1. ARMv8+Crypto Assembly: HW_SHA3=0 and NO_ARM_ASM=0 (default)
+# 2. CSU SHA3 hardware acceleration HW_SHA3=1 and NO_ARM_ASM=1
+# 3. C Only HW_SHA3=0 and NO_ARM_ASM=1
 NO_ARM_ASM?=0
-PKA?=0
+HW_SHA3?=0
 
 # XMSS/XMSS^MT is a post-quantum, stateful, hash-based signature scheme.
 # Use the helper script `tools/xmss/xmss_siglen.sh`
@@ -49,6 +49,7 @@ V?=0
 SPMATH?=1
 RAM_CODE?=0
 DUALBANK_SWAP?=0
+PKA?=0
 WOLFTPM?=0
 EXT_FLASH?=1
 SPI_FLASH?=0
diff --git a/docs/Targets.md b/docs/Targets.md
@@ -19,7 +19,7 @@ This README describes configuration of supported targets.
 * [NXP LPC54xxx](#nxp-lpc54xxx)
 * [NXP LS1028A](#nxp-ls1028a)
 * [NXP MCXA153](#nxp-mcxa153)
-* [NXP MCXW716C](#nxp-mcxw716c)
+* [NXP MCXW716](#nxp-mcxw716)
 * [NXP P1021 PPC](#nxp-qoriq-p1021-ppc)
 * [NXP T1024 PPC](#nxp-qoriq-t1024-ppc)
 * [NXP T2080 PPC](#nxp-qoriq-t2080-ppc)
@@ -1296,7 +1296,7 @@ My board version is: 0xA020D3
 Trying partition 0 at 0x140000
 Boot partition: 0x140000 (size 14901760, version 0x1)
 ....
-````
+```
 Note: Now, integrity-check takes 2 - 3 minutes to complete before running Linux kernel.
 
 o Kernel panic after wolfboot message
@@ -1399,38 +1399,6 @@ qemu-system-aarch64 -machine xlnx-zcu102 -cpu cortex-a53 -serial stdio -display
 
 ```
 
-### Testing with qemu-system-aarch64
-
-* Build wolfboot using the example configuration (RSA4096, SHA3)
-
-```
-cp config/examples/raspi3.config .config
-make clean
-make wolfboot.bin CROSS_COMPILE=aarch64-linux-gnu-
-```
-
-* Sign Linux kernel image
-```
-make keytools
-./tools/keytools/sign --rsa4096 --sha3 Image wolfboot_signing_private_key.der 1
-```
-
-* Compose the image
-
-```
-tools/bin-assemble/bin-assemble wolfboot_linux_raspi.bin 0x0 wolfboot.bin \
-                              0xc0000 Image_v1_signed.bin
-dd if=bcm2710-rpi-3-b.dtb of=wolfboot_linux_raspi.bin bs=1 seek=128K conv=notrunc
-```
-
-* Test boot using qemu
-
-```
-qemu-system-aarch64 -M raspi3b -m 1024 -serial stdio -kernel wolfboot_linux_raspi.bin -cpu cortex-a53
-```
-
-
-
 #### Signing Zynq
 
 `tools/keytools/sign --rsa4096 --sha3 /srv/linux-rpi4/vmlinux.bin wolfboot_signing_private_key.der 1`
diff --git a/hal/zynq.c b/hal/zynq.c
@@ -338,7 +338,7 @@ void wc_Sha3_384_Free(wc_Sha3* sha)
     (void)sha;
 }
 #else
-#   error PKA=1 only supported with HASH=SHA3
+#   error HW_SHA3=1 only supported with HASH=SHA3
 #endif
 
 /* CSU PUF */
@@ -573,33 +573,17 @@ int csu_aes_key_zero(void)
     return ret;
 }
 
-#ifdef CSU_PUF_ROT
-#define KEY_WRAP_SZ 32
-/* Red (sensitive key), Black (protected key), Grey (unknown) */
-/* Example key to encrypt */
-static const uint8_t XALIGNED(32) redKey[KEY_WRAP_SZ] = {
-    0x64, 0xF0, 0x3A, 0xFD, 0x7D, 0x0C, 0x70, 0xD2,
-    0x59, 0x1C, 0xDF, 0x34, 0x30, 0x5F, 0x7B, 0x8A,
-    0x5B, 0xA4, 0x59, 0x3C, 0x0A, 0x0E, 0x1B, 0x8C,
-    0x5E, 0xCD, 0xFF, 0x9F, 0x59, 0x00, 0x19, 0x2C
-};
-/* Example IV to use for wrapping */
-static const uint8_t XALIGNED(32) blackIv[AES_GCM_TAG_SZ] = {
-    0xD1, 0x42, 0xAC, 0x7C, 0x56, 0x0F, 0x15, 0x8B,
-    0xA9, 0x5A, 0x21, 0x31
-};
-static uint8_t XALIGNED(32) blackKey[KEY_WRAP_SZ+AES_GCM_TAG_SZ];
-#endif
-
 int csu_init(void)
 {
     int ret = 0;
 #ifdef CSU_PUF_ROT
+    #if 0
     uint32_t syndrome[CSU_PUF_SYNDROME_WORDS];
     uint32_t chash=0, aux=0;
     #if defined(DEBUG_CSU) && DEBUG_CSU >= 1
     uint32_t idx;
     #endif
+    #endif
 #endif
     uint32_t reg1 = pmu_mmio_read(CSU_IDCODE);
     uint32_t reg2 = pmu_mmio_read(CSU_VERSION);
@@ -637,6 +621,10 @@ int csu_init(void)
     pmu_efuse_read(ZYNQMP_EFUSE_PUF_AUX, &reg2, sizeof(reg2));
     wolfBoot_printf("eFuse PUF CHASH 0x%08x, AUX 0x%08x\n", reg1, reg2);
 
+    /* CSU PUF only supported with eFuses */
+    /* Keeping code for reference in future generations like Versal */
+    /* Red (sensitive key), Black (protected key), Grey (unknown) */
+    #if 0
     memset(syndrome, 0, sizeof(syndrome));
     ms = hal_timer_ms();
     ret = csu_puf_register(syndrome, &chash, &aux);
@@ -676,6 +664,7 @@ int csu_init(void)
         }
         wolfBoot_printf("\n");
     #endif
+    #endif
     }
 #endif
 
diff --git a/options.mk b/options.mk
@@ -748,7 +748,7 @@ ifeq ($(WOLFBOOT_NO_PARTITIONS),1)
 endif
 
 ifeq ($(HASH),SHA3)
-  ifeq ($(PKA_HASH_HAL),)
+  ifeq ($(HASH_HAL),)
     WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/sha3.o
   endif
   CFLAGS+=-D"WOLFBOOT_HASH_SHA3_384"
