se050: implement dynamic hw/sw offload#10862
Open
rizlik wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces a new SE050 build mode (WOLFSSL_SE050_ONLY_KEY_ID) that makes HW vs SW crypto routing a per-key runtime decision (based on key->keyIdSet) instead of a compile-time “always offload” decision. This helps mixed deployments where some keys are SE050-resident while others remain software-managed.
Changes:
- Add per-key runtime routing for RSA/ECC/Ed25519 (and adjust keygen behavior) so software keys use wolfCrypt and SE050-resident keys use the SE050 backend.
- Add wolfCrypt tests to exercise both routing paths (software-generated key vs promoted/SE050-resident key) under
WOLFSSL_SE050_ONLY_KEY_ID. - Update SE050 port documentation and CI workflow to run both the default SE050 build and the
ONLY_KEY_IDbuild.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
wolfcrypt/test/test.c |
Adds SE050 ONLY_KEY_ID coverage tests for RSA/ECC and adjusts existing tests for Ed25519/Curve25519 behavior under per-key routing. |
wolfcrypt/src/rsa.c |
Gates SE050 RSA offload on key->keyIdSet under WOLFSSL_SE050_ONLY_KEY_ID; forces RSA keygen to be software in this mode. |
wolfcrypt/src/port/nxp/se050_port.c |
Adds guards to prevent auto-import of software keys into SE050 hardware paths under ONLY_KEY_ID. |
wolfcrypt/src/port/nxp/README_SE050.md |
Documents WOLFSSL_SE050_ONLY_KEY_ID behavior, scope, and interactions with other SE050 macros. |
wolfcrypt/src/ed25519.c |
Adds per-key routing for Ed25519 sign/verify and rejects ctx/ph variants for SE050-resident keys. |
wolfcrypt/src/ecc.c |
Adds per-key routing for ECDSA sign/verify and ECDH, and ensures software verify helper is compiled when needed. |
wolfcrypt/src/curve25519.c |
Makes Curve25519 keygen produce software keys under ONLY_KEY_ID (no implicit SE050 key creation). |
.github/workflows/se050-sim.yml |
Runs simulator CI in a matrix: default SE050 offload and ONLY_KEY_ID build. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+29587
to
+29589
| ret = wc_se050_rsa_insert_private_key(SE050_ONLYKEYID_TEST_RSA_ID, der, | ||
| (word32)derSz); | ||
| if (ret != 0) { ret = WC_TEST_RET_ENC_EC(ret); goto done; } |
Comment on lines
+42976
to
+42978
| ret = wc_se050_ecc_insert_private_key(keyId, der, derSz); | ||
| if (ret != 0) | ||
| return WC_TEST_RET_ENC_EC(ret); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Dynamically choose SE050 hardware backend or software backend based on key residency (SE050 keys -> SE050, software keys -> software)