Update wolfHSM, add associated code changes for compatibility with

bigbrett · bigbrett · commit edc6a2601830 · 2025-11-20T15:25:23.000-07:00
key usage policies
diff --git a/.github/workflows/test-wolfhsm-simulator.yml b/.github/workflows/test-wolfhsm-simulator.yml
@@ -111,7 +111,8 @@ jobs:
             echo "obj 1 0xFFFF 0x0000 \"cert CA\" ../../../../../test-dummy-ca/root-cert.der" >> $tmpfile
             ./Build/wh_posix_server.elf --type tcp --nvminit $tmpfile &
           else
-            ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --key ../../../../../wolfboot_signing_private_key_pub.der &
+            # --flags=0x100 sets the WH_NVM_FLAGS_USAGE_VERIFY flag
+            ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --flags 0x100 --key ../../../../../wolfboot_signing_private_key_pub.der &
           fi
           TCP_SERVER_PID=$!
           echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV
diff --git a/lib/wolfHSM b/lib/wolfHSM
@@ -1 +1 @@
-Subproject commit bb35305de578d1e7163388ed95df8f02580c1c1b
+Subproject commit 76da7ddfa9e8657587180a94f3a60eacbd3a6d58
diff --git a/src/image.c b/src/image.c
@@ -486,8 +486,8 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot,
 #else
     whKeyId hsmKeyId = WH_KEYID_ERASED;
     /* Cache the public key on the server */
-    ret = wh_Client_KeyCache(&hsmClientCtx, 0, NULL, 0, pubkey, pubkey_sz,
-                             &hsmKeyId);
+    ret = wh_Client_KeyCache(&hsmClientCtx, WH_NVM_FLAGS_USAGE_VERIFY, NULL, 0,
+                             pubkey, pubkey_sz, &hsmKeyId);
     if (ret != WH_ERROR_OK) {
         return;
     }
@@ -2102,18 +2102,19 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img)
             "verifying cert chain and caching leaf pubkey (using DMA)\n");
         hsm_ret = wh_Client_CertVerifyDmaAndCacheLeafPubKey(
             &hsmClientCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
-            &g_certLeafKeyId, &cert_verify_result);
+            WH_NVM_FLAGS_USAGE_VERIFY, &g_certLeafKeyId, &cert_verify_result);
 #else
         wolfBoot_printf("verifying cert chain and caching leaf pubkey\n");
         hsm_ret = wh_Client_CertVerifyAndCacheLeafPubKey(
             &hsmClientCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
-            &g_certLeafKeyId, &cert_verify_result);
+            WH_NVM_FLAGS_USAGE_VERIFY, &g_certLeafKeyId, &cert_verify_result);
 #endif
 #elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
         wolfBoot_printf("verifying cert chain and caching leaf pubkey\n");
         hsm_ret = wh_Server_CertVerify(
             &hsmServerCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
-            WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, &g_certLeafKeyId);
+            WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, WH_NVM_FLAGS_USAGE_VERIFY,
+            &g_certLeafKeyId);
         if (hsm_ret == WH_ERROR_OK) {
             cert_verify_result = 0;
         }
diff --git a/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit b/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit
@@ -2,4 +2,5 @@
 #
 # Key format is:
 # key <clientId> <keyId> <access> <flags> <label> <file>
-key 0x1 0xFF 0xFF 0x00 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der
+# flags: WH_NVM_FLAGS_USAGE_VERIFY=0x100
+key 0x1 0xFF 0xFF 0x100 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der

Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,5 @@`
`2`	`2`	`#`
`3`	`3`	`# Key format is:`
`4`	`4`	`# key <clientId> <keyId> <access> <flags> <label> <file>`
`5`		`-key 0x1 0xFF 0xFF 0x00 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der`
	`5`	`+# flags: WH_NVM_FLAGS_USAGE_VERIFY=0x100`
	`6`	`+key 0x1 0xFF 0xFF 0x100 "wolfBoot Pubkey" wolfboot_signing_private_key_pub.der`