wolfSSL · gojimmypi · Nov 12, 2025 · danielinux · Nov 13, 2025 · danielinux
diff --git a/include/image.h b/include/image.h
@@ -133,9 +133,11 @@ int wolfBot_get_dts_size(void *dts_addr);
 #define wolfBoot_verify_signature_primary wolfBoot_verify_signature_ecc
 #endif
 #if defined(WOLFBOOT_SIGN_LMS)
+#undef  wolfBoot_verify_signature_primary
 #define wolfBoot_verify_signature_primary wolfBoot_verify_signature_lms
 #endif
 #if defined(WOLFBOOT_SIGN_XMSS )
+#undef  wolfBoot_verify_signature_primary
 #define wolfBoot_verify_signature_primary wolfBoot_verify_signature_xmss
 #endif
 #ifdef WOLFBOOT_SIGN_ML_DSA
@@ -363,6 +365,12 @@ static void __attribute__((noinline)) wolfBoot_image_clear_signature_ok(
     asm volatile("cmp r2, r0":::"cc"); \
     asm volatile("bne .-12")
 
+/* Some SHA checks */
+#if !defined(WOLFBOOT_SHA_DIGEST_SIZE) || (WOLFBOOT_SHA_DIGEST_SIZE <= 0)
+#   error "WOLFBOOT_SHA_DIGEST_SIZE must be defined"
+#endif
+
+
 /**
  * First part of RSA verification. Ensure that the function is called by
  * double checking its return value contains a valid

diff --git a/include/user_settings.h b/include/user_settings.h
@@ -22,13 +22,50 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
-#ifndef _WOLFBOOT_USER_SETTINGS_H_
-#define _WOLFBOOT_USER_SETTINGS_H_
+#ifndef WOLFBOOT_USER_SETTINGS_H
+#define WOLFBOOT_USER_SETTINGS_H
+
+/* This is the wolfBoot embedded target user settings.
+ *
+ * See also settings in [WOLFBOOT_ROOT]/tools/keytools
+ *
+ * When in question, define DEBUG_SIGNTOOL and optionally WOLFBOOT_SHOW_INCLUDE
+ */
+
+ /* During development in new environment, ensure the expected user settings is used: */
+#ifdef WOLFBOOT_SHOW_INCLUDE
+#   ifdef __GNUC__  /* GCC compiler */
+#      pragma message "===============include/user_settings.h"
+#   elif defined(_MSC_VER) /* Microsoft Visual C++ compiler */
+#      pragma message("===============include/user_settings.h")
+#   else
+#      warning "===============include/user_settings.h"
+#   endif
+#endif /* WOLFBOOT_SHOW_INCLUDE user_settings message */
+
+#if defined(_MSC_VER)
+    /* MSVC and clang-cl both define _MSC_VER */
+#   ifndef WOLFSSL_HAVE_MIN
+#      define WOLFSSL_HAVE_MIN
+#   endif
+#   ifndef WOLFSSL_HAVE_MAX
+#      define WOLFSSL_HAVE_MAX
+#   endif
+
+    /* Really keep Windows headers from redefining min/max */
+#   ifndef NOMINMAX
+#      define NOMINMAX 1
+#   endif
+#endif
 
 #ifdef WOLFBOOT_PKCS11_APP
 # include "test-app/wcs/user_settings.h"
 #else
 
+/* The target.h is a device-specific, typically a generated file.
+ * CMake configures from `include/target.h.in` into ${CMAKE_CURRENT_BINARY_DIR}
+ *
+ * See also the sample in [WOLFBOOT_ROOT]/tools/unit-tests/target.h */
 #include <target.h>
 
 /* System */
@@ -330,7 +367,9 @@ extern int tolower(int c);
 
     /* SP Math needs to understand long long */
 #   ifndef ULLONG_MAX
-#       define ULLONG_MAX 18446744073709551615ULL
+#       ifndef _MSC_VER
+#           define ULLONG_MAX 18446744073709551615ULL
+#       endif
 #   endif
 #endif
 
@@ -586,4 +625,4 @@ extern int tolower(int c);
 #   define WOLFSSL_PEM_TO_DER
 #endif
 
-#endif /* !_WOLFBOOT_USER_SETTINGS_H_ */
+#endif /* !WOLFBOOT_USER_SETTINGS_H */
diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h
@@ -163,6 +163,18 @@ extern "C" {
 #if defined(__WOLFBOOT) || defined(UNIT_TEST_AUTH)
 
 #include "wolfssl/wolfcrypt/settings.h"
+
+/* During development in new environment, ensure the expected user settings is used: */
+#ifdef DEBUG_SIGNTOOL
+#ifdef WOLFBOOT_KEYTOOLS_USER_SETTINGS_H
+    /* Encountered the user settings in  [WOLFBOOT_ROOT]/tools/keytools/user_settings.h */
+#   error "wolfBoot expects user settings from [WOLFBOOT_ROOT]/tools/keygen/user_settings.h"
+#endif
+#ifndef WOLFBOOT_USER_SETTINGS_H
+#   error "wolfBoot expected user settings from [WOLFBOOT_ROOT]/include/user_settings.h"
+#endif
+#endif /* DEBUG_SIGNTOOL optional user settings check */
+
 #include "wolfssl/wolfcrypt/visibility.h"
 #include "wolfssl/wolfcrypt/wc_port.h"
 #include "wolfssl/wolfcrypt/types.h"

diff --git a/src/image.c b/src/image.c
@@ -31,8 +31,9 @@
 #endif
 #include <wolfssl/wolfcrypt/settings.h> /* for wolfCrypt hash/sign routines */
 #ifdef WOLFBOOT_KEYTOOLS
-    /* this code needs to use the Use ./include/user_settings.h, not keytools */
-    #error "The wrong user_settings.h has been included."
+    /* this code needs to use the local tools/keytools/user_settings.h
+     *                    not [WOLFBOOT_ROOT]/include/user_settings.h  */
+#   error "The wrong user_settings.h has been included."
 #endif
 
 

diff --git a/tools/keytools/README.md b/tools/keytools/README.md
@@ -1,3 +1,51 @@
 # Key Tools for signing and key generation
 
-See documentation [here](../../docs/Signing.md).
+## Sign
+
+See [code file `./tools/keytools/sign.c`](./sign.c) and documentation in [docs/Signing.md](../../docs/Signing.md).
+
+## KeyGen and KeyStore
+
+See [code file `./tools/keytools/keygen.c`](./keygen.c) and documentation [docs/keystore.md](../../docs/keystore.md).
+
+## Flash OTP Keystore Generation, Primer, Startup
+
+See documentation [docs/flash-OTP.md](../../docs/flash-OTP.md).
+
+### Keystore Generation
+
+Pack public keys into a single binary (`otp.bin`) formatted the way wolfBoot expects for
+provisioning the device�s OTP/NVM keystore. No signing, no encryption�just a correctly laid-out image
+with a header plus fixed-size "slots" for each key.
+
+See [code file `./tools/keytools/otp/otp-keystore-gen.c`](./otp/otp-keystore-gen.c)
+
+### Flash OTP Primer
+
+See [code file `./tools/keytools/otp/otp-keystore-primer.c`](./otp/otp-keystore-primer.c)
+
+## Flash OTP Startup
+
+See [code file `./tools/keytools/otp/startup.c`](./otp/startup.c)
+
+
+## Quick Start (Linux)
+
+```
+make wolfboot_signing_private_key.der SIGN=ED25519
+
+# or
+
+./tools/keytools/keygen --ed25519 -g wolfboot_signing_private_key.der
+```
+
+## Debugging and Development
+
+### `DEBUG_SIGNTOOL`
+
+Enables additional diagnostic messages that may be useful during development and initial bring-up.
+
+### `WOLFBOOT_SHOW_INCLUDE`
+
+Enables compile-time verbosity to indicate which `user_settings.h` file is being used.
+
diff --git a/tools/keytools/keygen.c b/tools/keytools/keygen.c
@@ -24,12 +24,8 @@
 
 /* Option to enable sign tool debugging */
 /* Must also define DEBUG_WOLFSSL in user_settings.h */
-//#define DEBUG_SIGNTOOL
+/* #define DEBUG_SIGNTOOL */
 
-#ifdef _WIN32
-#define _CRT_SECURE_NO_WARNINGS
-#define _CRT_NONSTDC_NO_DEPRECATE /* unlink */
-#endif
 #include <stdio.h>
 #include <stdint.h>
 #include <stdarg.h>
@@ -40,18 +36,38 @@
 #include <sys/types.h>
 #include <errno.h>
 #include <fcntl.h>
-#ifndef _WIN32
-    #include <unistd.h>
+#ifdef _WIN32
+#   define _CRT_SECURE_NO_WARNINGS
+#   define _CRT_NONSTDC_NO_DEPRECATE /* unlink */
+#else
+#   include <unistd.h>
 #endif
 
+/* wolfSSL */
+/* Always include wolfcrypt/settings.h before any other wolfSSL file.    */
+/* Reminder: settings.h pulls in user_settings.h; don't include it here. */
 #include <wolfssl/wolfcrypt/settings.h>
+
+/* During development in new environment, ensure the expected user settings is used: */
+#ifdef DEBUG_SIGNTOOL
+#ifdef WOLFBOOT_USER_SETTINGS_H
+#   error "Keygen encountered unexpected user settings from [WOLFBOOT_ROOT]/include/user_settings.h"
+#endif
+#ifdef __WOLFBOOT
+    /* wolfBoot otherwise uses a user_se*/
+#error "Keygen unexpectedly encountered __WOLFBOOT. Check your config"
+#endif
+#ifndef WOLFBOOT_KEYTOOLS_USER_SETTINGS_H
+#   error "Keygen expects settings from [WOLFBOOT_ROOT]/tools/keygen/user_settings.h"
+#endif
+#endif /* DEBUG_SIGNTOOL optional user settings check */
+
 #ifndef NO_RSA
 #include <wolfssl/wolfcrypt/rsa.h>
 #endif
 #ifdef HAVE_ECC
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/asn.h>
-
 #endif
 #ifdef HAVE_ED25519
 #include <wolfssl/wolfcrypt/ed25519.h>
@@ -62,7 +78,7 @@
 #endif
 
 #if defined(WOLFSSL_HAVE_LMS)
-    #include <wolfssl/wolfcrypt/lms.h>
+#include <wolfssl/wolfcrypt/lms.h>
     #ifdef HAVE_LIBLMS
         #include <wolfssl/wolfcrypt/ext_lms.h>
     #else

diff --git a/tools/keytools/otp/otp-keystore-gen.c b/tools/keytools/otp/otp-keystore-gen.c
@@ -36,6 +36,26 @@
 #endif
 
 #include "wolfboot/wolfboot.h"
+
+/* During development in new environment, ensure the expected user settings is used: */
+#ifdef DEBUG_SIGNTOOL
+#ifdef __WOLFBOOT
+#   ifndef WOLFBOOT_USER_SETTINGS_H
+#      error "otp-keystore-gen encountered unexpected user settings, expected [WOLFBOOT_ROOT]/include/user_settings.h"
+#   endif
+#   ifdef WOLFBOOT_KEYTOOLS_USER_SETTINGS_H
+#      error "Detected keytools user settings, expected [WOLFBOOT_ROOT]/include/user_settings.hh"
+#   endif
+#else
+#   ifdef WOLFBOOT_KEYTOOLS_USER_SETTINGS_H
+#      error "Detected keytools user settings, otp-keystore-gen does not expect any user_settings.h"
+#   endif
+#   ifdef WOLFBOOT_USER_SETTINGS_H
+#      error "Detected wolfboot user settings, otp-keystore-gen does not expect any user_settings.h"
+#   endif
+#endif
+#endif /* optional user settings check */
+
 #include "keystore.h"
 #include "otp_keystore.h"
 

diff --git a/tools/keytools/sign.c b/tools/keytools/sign.c
@@ -22,9 +22,11 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/* Beware of wolfCrypt user settings in [WOLFBOOT_ROOT]/include/user_settings.h */
+
 /* Option to enable sign tool debugging */
-/* Must also define DEBUG_WOLFSSL in user_settings.h */
-//#define DEBUG_SIGNTOOL
+/* Must also define DEBUG_WOLFSSL in /tools/keytools/user_settings.h */
+/* #define DEBUG_SIGNTOOL */
 
 #ifdef _WIN32
 #define _CRT_SECURE_NO_WARNINGS
@@ -79,6 +81,20 @@ static inline int fp_truncate(FILE *f, size_t len)
 #endif
 
 #include <wolfssl/wolfcrypt/settings.h>
+/* During development in new environment, ensure the expected user settings is used: */
+#ifdef DEBUG_SIGNTOOL
+#ifdef WOLFBOOT_USER_SETTINGS_H
+#   error "signing tool encountered unexpected user settings from [WOLFBOOT_ROOT]/include/user_settings.h"
+#endif
+#ifdef __WOLFBOOT
+    /* wolfBoot otherwise uses a different user_settings */
+#   error "signing tool unexpectedly encountered __WOLFBOOT. Check your config"
+#endif
+#ifndef WOLFBOOT_KEYTOOLS_USER_SETTINGS_H
+#   error "signing tool expects settings from [WOLFBOOT_ROOT]/tools/keygen/user_settings.h"
+#endif
+#endif /* DEBUG_SIGNTOOL optional user settings check */
+
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/aes.h>
 

diff --git a/tools/keytools/user_settings.h b/tools/keytools/user_settings.h
@@ -23,8 +23,31 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-#ifndef H_USER_SETTINGS_
-#define H_USER_SETTINGS_
+#ifndef WOLFBOOT_KEYTOOLS_USER_SETTINGS_H
+#define WOLFBOOT_KEYTOOLS_USER_SETTINGS_H
+
+/* This is the keytools user settings.
+ *
+ * See also settings in [WOLFBOOT_ROOT]/include/user_settings.h
+ *
+ * When in question, define DEBUG_SIGNTOOL and optionally WOLFBOOT_SHOW_INCLUDE
+ */
+
+ /* During development in new environment, ensure the expected user settings is used: */
+#ifdef WOLFBOOT_SHOW_INCLUDE
+    #ifdef __GNUC__  /* GCC compiler */
+        #pragma message "============= keytools/user_settings.h"
+    #elif defined(_MSC_VER) /* Microsoft Visual C++ compiler */
+        #pragma message("============= keytools/user_settings.h")
+    #else
+        #warning "============= keytools/user_settings"
+    #endif
+#endif /* optional user settings check */
+
+/* Some debug options. See docs. */
+/* #define DEBUG_SIGNTOOL */
+/* #define WOLFBOOT_HASH_SHA256 */
+/* #define WOLFBOOT_SIGN_ECC256 */
 
 #include <stdint.h>