SHE+keywrap interop#413
Draft
bigbrett wants to merge 2 commits into
Draft
Conversation
Add support for server-trusted software KEKs, make them (or HW keys) a requirement for all keywrap operations, and builds SHE key interoperability on top of it.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds SHE ↔ keywrap interoperability by introducing a new “wrap-and-export (by id)” operation, enforcing a “trusted KEK” policy for operations that move server-held secrets across the client boundary, and adding optional hardware-only KEK support via a hardware keystore front-end.
Changes:
- Add trusted-KEK enforcement (
WH_NVM_FLAGS_KEK+ server-only flag stripping) for wrap-export and unwrap-and-cache, plus associated NVM/keystore policy gates. - Add hardware-only key IDs (
WH_KEYTYPE_HW/WH_CLIENT_KEYID_MAKE_HW) and a newwh_hwkeystoremodule to fetch KEKs from a hardware backend on-demand for keywrap/datawrap. - Add
wh_Client_KeyWrapExport*API + message types, update SHE/no-NVM behavior and add extensive tests + documentation.
Reviewed changes
Copilot reviewed 33 out of 33 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| wolfhsm/wh_settings.h | Adds HW keystore configuration macros and defaults. |
| wolfhsm/wh_server.h | Plumbs optional hwKeystore into server config/context when enabled. |
| wolfhsm/wh_nvm.h | Tightens “checked” NVM API semantics and const-correctness for metadata sanitization. |
| wolfhsm/wh_message.h | Adds new keystore action WH_KEY_KEYWRAPEXPORT. |
| wolfhsm/wh_message_keystore.h | Defines wrap-export request/response wire structs + translation prototypes. |
| wolfhsm/wh_keyid.h | Adds client HW flag, WH_KEYTYPE_HW, and WH_KEYID_IS_UNASSIGNED() helper. |
| wolfhsm/wh_hwkeystore.h | Introduces hardware keystore front-end API and backend callback contract. |
| wolfhsm/wh_common.h | Adds server-only WH_NVM_FLAGS_KEK and WH_NVM_FLAGS_SERVER_ONLY mask. |
| wolfhsm/wh_client.h | Adds wrap-export API and exposes split data wrap/unwrap request/response APIs; adds HW keyId macro. |
| tools/whnvmtool/README.md | Documents how to provision a trusted software KEK into NVM images. |
| test/wh_test_she.c | Adds SHE↔keywrap interop coverage, trusted KEK provisioning, and reboot + no-NVM flows. |
| test/wh_test_she_no_nvm.h | Declares new no-NVM SHE test entrypoint. |
| test/wh_test_she_no_nvm.c | Adds full end-to-end no-NVM SHE test using unwrap-and-cache provisioning. |
| test/wh_test_multiclient.c | Updates unwrap-and-cache tests to use a provisioned trusted KEK. |
| test/wh_test_keywrap.h | Exposes HW keystore test callback/table for in-process servers. |
| test/wh_test_keywrap.c | Adds wrap-export tests, trusted-KEK policy tests, and HW-keystore KEK tests. |
| test/wh_test_crypto.c | Binds hwKeystore to in-process server harness and runs HW-keystore tests when applicable. |
| test/config/wolfhsm_cfg.h | Enables HW keystore in test configuration when crypto is enabled. |
| test-refactor/wh_test_list.c | Registers new hwKeystore misc/server tests in refactor harness. |
| test-refactor/server/wh_test_hwkeystore_server.c | Adds server-side hwKeystore unit coverage + keystore rejection checks. |
| test-refactor/misc/wh_test_hwkeystore.c | Adds end-to-end client/server hw-only KEK test over mem transport. |
| test-refactor/config/wolfhsm_cfg.h | Enables HW keystore in refactor test configuration when crypto is enabled. |
| src/wh_server.c | Copies hwKeystore pointer from config into server context. |
| src/wh_server_she.c | Fixes SHE persistence behavior for no-NVM servers and PRNG seed handling. |
| src/wh_server_keystore.c | Implements trusted-KEK enforcement, HW KEK resolution, wrap-export handler, and SHE counter guard on unwrap-and-cache. |
| src/wh_server_crypto.c | Strips server-only flags from client-driven crypto cache-import paths. |
| src/wh_nvm.c | Enforces KEK immutability and sanitizes server-only flags in checked add path without mutating client memory. |
| src/wh_message_keystore.c | Implements wrap-export message translation functions. |
| src/wh_keyid.c | Implements HW flag ↔ WH_KEYTYPE_HW translation. |
| src/wh_hwkeystore.c | Implements hwKeystore front-end init/get/cleanup with optional locking. |
| src/wh_client_keywrap.c | Implements wh_Client_KeyWrapExport* request/response/blocking helper. |
| docs/src/9-Configuration.md | Documents new HW keystore macros and trusted software KEK provisioning. |
| docs/src/5-Features.md | Documents trusted KEKs, wrap-export, and hardware-only keys. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+3020
to
+3035
| if (ret == WH_ERROR_OK) { | ||
| /* Compute actual variable data size from the received packet */ | ||
| reqDataSz = req_size - sizeof(wrapReq); | ||
|
|
||
| /* Translate request */ | ||
| (void)wh_MessageKeystore_TranslateKeyWrapExportRequest( | ||
| magic, req_packet, &wrapReq); | ||
|
|
||
| /* Set the request data pointer directly after the request */ | ||
| reqData = (uint8_t*)req_packet + | ||
| sizeof(whMessageKeystore_KeyWrapExportRequest); | ||
|
|
||
| /* Set the response data pointer directly after the response */ | ||
| respData = (uint8_t*)resp_packet + | ||
| sizeof(whMessageKeystore_KeyWrapExportResponse); | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.