Wolfhsm no keystore

[bigbrett]

No description provided.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR removes support for “local keystore public keys” in wolfHSM client mode and introduces a WOLFBOOT_NO_KEYSTORE build path to avoid compiling/linking the built-in keystore when wolfHSM is the source of trust.

Changes:

• Make wolfHSM client builds always use HSM-resident public keys and drop WOLFBOOT_USE_WOLFHSM_PUBKEY_ID configuration.
• Add WOLFBOOT_NO_KEYSTORE build logic and guard keystore-dependent code paths accordingly.
• Update wolfHSM documentation to reflect the new configuration behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
src/image.c	Adjusts signature verification and authenticity checks to support HSM-only keying and optional “no keystore” builds.
options.mk	Forces --nolocalkeys and removes conditional WOLFBOOT_USE_WOLFHSM_PUBKEY_ID behavior for wolfHSM client builds.
docs/wolfHSM.md	Removes WOLFBOOT_USE_WOLFHSM_PUBKEY_ID docs and clarifies key sourcing in client mode.
Makefile	Adds WOLFHSM_NO_KEYSTORE logic and defines WOLFBOOT_NO_KEYSTORE to omit keystore linkage when applicable.

Comments suppressed due to low confidence (1)

src/image.c:1

• When WOLFBOOT_NO_KEYSTORE is defined, the per-partition key authorization check is entirely bypassed. If the HSM policy is guaranteed to enforce equivalent constraints, that should be made explicit in code via a compile-time constraint (e.g., require WOLFBOOT_CERT_CHAIN_VERIFY and/or a specific HSM policy flag when WOLFBOOT_NO_KEYSTORE is set). Otherwise, consider introducing an HSM-backed partition/key-usage check so you don’t lose this authorization control in no-keystore builds.

/* image.c

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #798

Scan targets checked: wolfboot-bugs, wolfboot-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

[wolfSSL-Fenrir-bot]

🟠 [Medium] ML-DSA verify references dropped keystore in wolfHSM server + cert-chain builds · Copy-paste errors

ML-DSA gates the keystore-import path only on !defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT), unlike _ecc/_rsa_common which also exclude (SERVER && CERT_CHAIN). A WOLFHSM_SERVER=1 SIGN=ML_DSA CERT_CHAIN_VERIFY=1 build defines WOLFBOOT_NO_KEYSTORE and drops keystore.o, so this keystore_get_buffer() call becomes an unresolved symbol (link failure).

Fix: Mirror the ECC/RSA guards: add a (SERVER && CERT_CHAIN) HSM key-ID branch and exclude that case from the keystore path in the ML-DSA verify function.