Update submodules for release

Author: dgarske

.github/workflows/test-wolfhsm-simulator.yml

@@ -111,7 +111,8 @@ jobs:
             echo "obj 1 0xFFFF 0x0000 \"cert CA\" ../../../../../test-dummy-ca/root-cert.der" >> $tmpfile
             ./Build/wh_posix_server.elf --type tcp --nvminit $tmpfile &
           else
-            ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --key ../../../../../wolfboot_signing_private_key_pub.der &
+            # --flags=0x100 sets the WH_NVM_FLAGS_USAGE_VERIFY flag
+            ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --flags 0x100 --key ../../../../../wolfboot_signing_private_key_pub.der &
           fi
           TCP_SERVER_PID=$!
           echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV

lib/wolfHSM

@@ -950,6 +950,7 @@ ifeq ($(WOLFHSM_SERVER),1)
     $(WOLFBOOT_LIB_WOLFHSM)/src/wh_comm.o \
     $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm.o \
     $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm_flash.o \
+    $(WOLFBOOT_LIB_WOLFHSM)/src/wh_keyid.o \
     $(WOLFBOOT_LIB_WOLFHSM)/src/wh_flash_unit.o \
     $(WOLFBOOT_LIB_WOLFHSM)/src/wh_crypto.o \
     $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server.o \

lib/wolfPKCS11

@@ -486,8 +486,8 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot,
 #else
     whKeyId hsmKeyId = WH_KEYID_ERASED;
     /* Cache the public key on the server */
-    ret = wh_Client_KeyCache(&hsmClientCtx, 0, NULL, 0, pubkey, pubkey_sz,
-                             &hsmKeyId);
+    ret = wh_Client_KeyCache(&hsmClientCtx, WH_NVM_FLAGS_USAGE_VERIFY, NULL, 0,
+                             pubkey, pubkey_sz, &hsmKeyId);
     if (ret != WH_ERROR_OK) {
         return;
     }
@@ -2102,18 +2102,19 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img)
             "verifying cert chain and caching leaf pubkey (using DMA)\n");
         hsm_ret = wh_Client_CertVerifyDmaAndCacheLeafPubKey(
             &hsmClientCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
-            &g_certLeafKeyId, &cert_verify_result);
+            WH_NVM_FLAGS_USAGE_VERIFY, &g_certLeafKeyId, &cert_verify_result);
 #else
         wolfBoot_printf("verifying cert chain and caching leaf pubkey\n");
         hsm_ret = wh_Client_CertVerifyAndCacheLeafPubKey(
             &hsmClientCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
-            &g_certLeafKeyId, &cert_verify_result);
+            WH_NVM_FLAGS_USAGE_VERIFY, &g_certLeafKeyId, &cert_verify_result);
 #endif
 #elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
         wolfBoot_printf("verifying cert chain and caching leaf pubkey\n");
         hsm_ret = wh_Server_CertVerify(
             &hsmServerCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
-            WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, &g_certLeafKeyId);
+            WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, WH_NVM_FLAGS_USAGE_VERIFY,
+            &g_certLeafKeyId);
         if (hsm_ret == WH_ERROR_OK) {
             cert_verify_result = 0;
         }

lib/wolfssl

@@ -2,4 +2,5 @@
 #
 # Key format is:
 # key <clientId> <keyId> <access> <flags> <label> <file>
-key 0x1 0xFF 0xFF 0x00 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der
+# flags: WH_NVM_FLAGS_USAGE_VERIFY=0x100
+key 0x1 0xFF 0xFF 0x100 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der