David Garske fca5895090 Example for FIPS Linker Descriptor to explicitly set wolfCrypt FIPS boundaries. | 4 년 전 | |
---|---|---|
.. | ||
Header | 4 년 전 | |
Source | 4 년 전 | |
Makefile | 6 년 전 | |
Makefile.bench | 7 년 전 | |
Makefile.client | 7 년 전 | |
Makefile.common | 5 년 전 | |
Makefile.static | 7 년 전 | |
Makefile.test | 7 년 전 | |
README.md | 5 년 전 | |
include.am | 4 년 전 | |
linker.ld | 7 년 전 | |
linker_fips.ld | 4 년 전 |
This example is for Cortex M series, but can be adopted for other architectures.
Header/user_settings.h
.linker.ld
.reset_handler
in armtarget.c
.armtarget.c
gcc-arm-none-eabi
installed.Makefile.common
:
TOOLCHAIN
.-mcpu=name
.SRC_LD = -T./linker.ld
in Makefile.common.make
to build the static library (libwolfssl.a), wolfCrypt test/benchmark and wolfSSL TLS client targets as .elf
and .hex
in /Build
.Example Makefile.common
changes for Raspberry Pi with Cortex-A53:
ARCHFLAGS
to -mcpu=cortex-a53 -mthumb
.SRC_LD
, since custom memory map is not applicable.TOOLCHAIN
, so it will use default gcc
. Set TOOLCHAIN =
LDFLAGS += --specs=nano.specs
and LDFLAGS += --specs=nosys.specs
to nosys and nano.Note: To comment out a line in a Makefile use place #
in front of line.
HAVE_FIPS
is enabled.make
../Build/WolfCryptTest.elf
to generate the FIPS boundary HASHExample:
$ Crypt Test
error test passed!
base64 test passed!
base16 test passed!
asn test passed!
in my Fips callback, ok = 0, err = -203
message = In Core Integrity check FIPS error
hash = F607C7B983D1D283590448A56381DE460F1E83CB02584F4D77B7F2C583A8F5CD
In core integrity hash check failure, copy above hash
into verifyCore[] in fips_test.c and rebuild
SHA test failed!
error = -1802
Crypt Test: Return code -1
../../wolfcrypt/src/fips_test.c
array static const char verifyCore[] = {}
with the correct core hash check.make
.The configure script in the main project directory can perform a cross-compile build with the the gcc-arm-none-eabi tools. Assuming the tools are installed in your executable path:
$ ./configure \
--host=arm-non-eabi \
CC=arm-none-eabi-gcc \
AR=arm-none-eabi-ar \
STRIP=arm-none-eabi-strip \
RANLIB=arm-none-eabi-ranlib \
--prefix=/path/to/build/wolfssl-arm \
CFLAGS="-march=armv8-a --specs=nosys.specs \
-DHAVE_PK_CALLBACKS -DWOLFSSL_USER_IO -DNO_WRITEV" \
--disable-filesystem --enable-fastmath \
--disable-shared
$ make
$ make install
If you are building for a 32-bit architecture, add -DTIME_T_NOT_64BIT
to the
list of CFLAGS.
make clean && make
text data bss dec hex filename
50076 2508 44 52628 cd94 ./Build/WolfCryptTest.elf
text data bss dec hex filename
39155 2508 60 41723 a2fb ./Build/WolfCryptBench.elf
text data bss dec hex filename
70368 464 36 70868 114d4 ./Build/WolfSSLClient.elf
These settings are located in Header/user_settings.h
.
DEBUG_WOLFSSL
: Undefine this to disable debug logging.NO_ERROR_STRINGS
: Disables error strings to save code space.NO_INLINE
: Disabling inline function saves about 1KB, but is slower.WOLFSSL_SMALL_STACK
: Enables stack reduction techniques to allocate stack sections over 100 bytes from heap.USE_FAST_MATH
: Uses stack based math, which is faster than the heap based math.ALT_ECC_SIZE
: If using fast math and RSA/DH you can define this to reduce your ECC memory consumption.FP_MAX_BITS
: Is the maximum math size (key size * 2). Used only with USE_FAST_MATH
.ECC_TIMING_RESISTANT
: Enables timing resistance for ECC and uses slightly less memory.ECC_SHAMIR
: Doubles heap usage, but slightly fasterRSA_LOW_MEM
: Half as much memory but twice as slow. Uses Non-CRT method for private key.GCM_SMALL
, GCM_WORD32
or GCM_TABLE
: Tunes performance and flash/memory usage.CURVED25519_SMALL
: Enables small versions of Ed/Curve (FE/GE math).USE_SLOW_SHA
: Enables smaller/slower version of SHA.USE_SLOW_SHA256
: About 2k smaller and about 25% slowerUSE_SLOW_SHA512
: Over twice as small, but 50% slowerUSE_CERT_BUFFERS_1024
or USE_CERT_BUFFERS_2048
: Size of RSA certs / keys to test with.BENCH_EMBEDDED
: Define this if using the wolfCrypt test/benchmark and using a low memory target.ECC_USER_CURVES
: Allows user to define curve sizes to enable. Default is 256-bit on. To enable others use HAVE_ECC192
, HAVE_ECC224
, etc....TFM_ARM
, TFM_SSE2
, TFM_AVR32
, TFM_PPC32
, TFM_MIPS
, TFM_X86
or TFM_X86_64
: These are assembly optimizations available with USE_FAST_MATH.WOLFSSL_SP
. Optimized math for ARM performance of specific RSA, DH and ECC algorithms.