Skip to content

se050: implement dynamic hw/sw offload#10862

Open
rizlik wants to merge 1 commit into
wolfSSL:masterfrom
rizlik:se050_dynamic_hwsw
Open

se050: implement dynamic hw/sw offload#10862
rizlik wants to merge 1 commit into
wolfSSL:masterfrom
rizlik:se050_dynamic_hwsw

Conversation

@rizlik

@rizlik rizlik commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Description

Dynamically choose SE050 hardware backend or software backend based on key residency (SE050 keys -> SE050, software keys -> software)

Copilot AI review requested due to automatic review settings July 8, 2026 09:49

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a new SE050 build mode (WOLFSSL_SE050_ONLY_KEY_ID) that makes HW vs SW crypto routing a per-key runtime decision (based on key->keyIdSet) instead of a compile-time “always offload” decision. This helps mixed deployments where some keys are SE050-resident while others remain software-managed.

Changes:

  • Add per-key runtime routing for RSA/ECC/Ed25519 (and adjust keygen behavior) so software keys use wolfCrypt and SE050-resident keys use the SE050 backend.
  • Add wolfCrypt tests to exercise both routing paths (software-generated key vs promoted/SE050-resident key) under WOLFSSL_SE050_ONLY_KEY_ID.
  • Update SE050 port documentation and CI workflow to run both the default SE050 build and the ONLY_KEY_ID build.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
wolfcrypt/test/test.c Adds SE050 ONLY_KEY_ID coverage tests for RSA/ECC and adjusts existing tests for Ed25519/Curve25519 behavior under per-key routing.
wolfcrypt/src/rsa.c Gates SE050 RSA offload on key->keyIdSet under WOLFSSL_SE050_ONLY_KEY_ID; forces RSA keygen to be software in this mode.
wolfcrypt/src/port/nxp/se050_port.c Adds guards to prevent auto-import of software keys into SE050 hardware paths under ONLY_KEY_ID.
wolfcrypt/src/port/nxp/README_SE050.md Documents WOLFSSL_SE050_ONLY_KEY_ID behavior, scope, and interactions with other SE050 macros.
wolfcrypt/src/ed25519.c Adds per-key routing for Ed25519 sign/verify and rejects ctx/ph variants for SE050-resident keys.
wolfcrypt/src/ecc.c Adds per-key routing for ECDSA sign/verify and ECDH, and ensures software verify helper is compiled when needed.
wolfcrypt/src/curve25519.c Makes Curve25519 keygen produce software keys under ONLY_KEY_ID (no implicit SE050 key creation).
.github/workflows/se050-sim.yml Runs simulator CI in a matrix: default SE050 offload and ONLY_KEY_ID build.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfcrypt/test/test.c
Comment on lines +29587 to +29589
ret = wc_se050_rsa_insert_private_key(SE050_ONLYKEYID_TEST_RSA_ID, der,
(word32)derSz);
if (ret != 0) { ret = WC_TEST_RET_ENC_EC(ret); goto done; }
Comment thread wolfcrypt/test/test.c
Comment on lines +42976 to +42978
ret = wc_se050_ecc_insert_private_key(keyId, der, derSz);
if (ret != 0)
return WC_TEST_RET_ENC_EC(ret);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants