Add image manager #129
Conversation
the authenticity of client images using cryptographic signatures. The module supports flexible verification methods and actions through callback functions.
billphipps
left a comment
Excellent! I had a couple of questions/ideas about return values, but this is a great framework!
Pull Request Overview
Adds a standalone image manager module to the wolfHSM server for configurable cryptographic image verification with callback-based post-verification actions.
- Define configuration macros for max images and signature buffer size
- Introduce image manager API (init, verify by reference/index/all) and built-in ECC, RSA, CMAC methods
- Wire image manager into server build and extend tests
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| wolfhsm/wh_settings.h | Added macros for max image count and max signature size |
| wolfhsm/wh_server_img_mgr.h | Declared image manager types, API, and callbacks |
| wolfhsm/wh_server.h | Removed padding field from server context struct |
| wolfhsm/wh_error.h | Fixed typo in error enumeration comment |
| test/wh_test_server_img_mgr.* | Added header and comprehensive tests for image manager |
| test/wh_test.c | Included image manager tests in main test suite |
| test/config/wolfhsm_cfg.h | Enabled image manager feature for tests |
| test/Makefile | Added img_mgr sources to test build |
| src/wh_server_img_mgr.c | Implemented image manager initialization and verification |
Comments suppressed due to low confidence (3)
wolfhsm/wh_server.h:206
- [nitpick] Removing the `WH_PAD` field changes the struct size and alignment of `whServerContext_t`. Please verify that this was intentional and that no ABI or packing assumptions are broken.
  `uint16_t cancelSeq;`
wolfhsm/wh_settings.h:61
- [nitpick] The comment `* be managed Default: 4` is missing punctuation or a newline before “Default.” Consider rephrasing to `* be managed. Default: 4` for clarity.
  `* be managed Default: 4`
src/wh_server_img_mgr.c:150
- `wh_Server_ImgMgrVerifyImg` always returns the local `ret` (from NVM operations) rather than propagating the verification callback results. To ensure callers see actual verification failures, consider returning `result->verifyActionResult` (or at least `result->verifyMethodResult` on failure) instead of the NVM read status.
  `return ret;`
billphipps
left a comment
Looks great!
Adds a configurable image verification system to wolfHSM server with callback-based architecture for cryptographic verification and post-verification actions. The image manager is meant to be standalone (not coupled to one specific server) but each registered client image does need to reference the server context that corresponds to the client image being verified, since it needs to know which DMA callbacks to invoke (could be different per-client) and which keycache to use to hold temporary data.
Key components
API Functions
- `wh_Server_ImgMgrInit()` - Initialize with image configuration
- `wh_Server_ImgMgrVerifyImg()` - Verify single image by reference
- `wh_Server_ImgMgrVerifyImgIdx()` - Verify single image by index
- `wh_Server_ImgMgrVerifyAll()` - Verify all registered images
Built-in Verification Methods
- `wh_Server_ImgMgrVerifyMethodEccWithSha256()` - ECC P256 signature verification
- `wh_Server_ImgMgrVerifyMethodRsaSslWithSha256()` - RSA2048 SSL signature verification
- `wh_Server_ImgMgrVerifyMethodAesCmac()` - AES128 CMAC verification
Configuration Options
- `WOLFHSM_CFG_SERVER_IMG_MGR_MAX_IMG_COUNT` - Maximum images (default: 4)
- `WOLFHSM_CFG_SERVER_IMG_MGR_MAX_SIG_SIZE` - Maximum signature size (default: 512 bytes for RSA4096)
Future Work
- `WOLFHSM_CFG_NO_CRYPTO` once keystore module is refactored to also not depend on this feature macro
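As an added illustration of the callback-based verify-then-act flow described above and of the return-value point raised in the Copilot review (this is not code from the PR; the type and function names are hypothetical stand-ins for wolfHSM's, and the XOR tag replaces a real signature method only so the control flow runs stand-alone), the shape that returns the NVM status beside the shape that propagates the method and action results:

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the review point; the names are hypothetical, not wolfHSM's API. */
typedef struct ImgResult {
    int verifyMethodResult; /* 0 = image verified, nonzero = verification failed */
    int verifyActionResult; /* 0 = post-verification action ran, nonzero = it refused */
} ImgResult;

typedef struct Img {
    const uint8_t* data;
    size_t len;
    uint8_t storedTag; /* stand-in for a signature held in NVM */
    int (*verifyMethod)(const struct Img* img, uint8_t tag, ImgResult* res);
    int (*verifyAction)(const struct Img* img, ImgResult* res);
} Img;

/* Stand-in for the NVM read of the stored signature; it succeeds unconditionally here. */
static int nvmReadTag(const Img* img, uint8_t* tag) { *tag = img->storedTag; return 0; }
/* Toy method: XOR of the image bytes. Only the control flow matters here, not the maths. */
static int xorTagMethod(const Img* img, uint8_t tag, ImgResult* res) {
    uint8_t acc = 0;
    for (size_t i = 0; i < img->len; i++) acc ^= img->data[i];
    res->verifyMethodResult = (acc == tag) ? 0 : -1;
    return res->verifyMethodResult;
}

/* Toy action: refuses to mark the image bootable unless the method reported success. */
static int markBootable(const Img* img, ImgResult* res) {
    (void)img;
    res->verifyActionResult = (res->verifyMethodResult == 0) ? 0 : -2;
    return res->verifyActionResult;
}

/* Shape the review flags: the NVM status is returned, so a failed verification reads as 0. */
int verifyImgReturnsNvmStatus(const Img* img, ImgResult* res) {
    uint8_t tag;
    int ret = nvmReadTag(img, &tag);
    if (ret != 0) return ret;
    img->verifyMethod(img, tag, res);
    img->verifyAction(img, res);
    return ret; /* still the NVM read status, whatever the callbacks reported */
}
/* Corrected shape: NVM errors propagate, and so do method and action failures. */
int verifyImgPropagates(const Img* img, ImgResult* res) {
    uint8_t tag;
    int ret = nvmReadTag(img, &tag);
    if (ret != 0) return ret;
    if (img->verifyMethod(img, tag, res) != 0) return res->verifyMethodResult;
    return img->verifyAction(img, res);
}
```

With a tampered image the first shape returns 0 while `verifyMethodResult` is nonzero, which is exactly the caller-facing gap the review describes; the second returns the method's failure and never reaches the action.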