Add PKCS11 backend for encrypted partitions #653
Merged
danielinux merged 4 commits into wolfSSL:master from Dec 30, 2025
Pull request overview
This PR adds PKCS#11 backend support for encrypted partitions in wolfBoot, enabling the use of wolfPKCS11 as the crypto backend for partition encryption instead of plain wolfCrypt. The implementation allows applications to store encryption keys in the keyvault with a specific ID, which wolfBoot can then retrieve and use for encryption operations.
Key changes include:
- Added new `ENCRYPT_PKCS11` configuration option with support for PKCS#11-based encryption
- Implemented PKCS11 crypto functions (init, encrypt, decrypt, set_iv, deinit) in `src/libwolfboot.c`
- Fixed variable scoping issues for `sel_sec` to only declare it when `NVM_FLASH_WRITEONCE` is defined
- Updated build configuration in `options.mk` to handle PKCS11 encryption alongside existing AES and ChaCha options
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/update_flash.c | Moved WP11_Library_Init() call earlier in boot sequence and added pkcs11_crypto_deinit() cleanup call |
| src/libwolfboot.c | Added complete PKCS11 crypto implementation with init/deinit/encrypt/decrypt functions; fixed variable scoping for sel_sec |
| options.mk | Added PKCS11 encryption configuration logic with mechanism selection and parameter definitions; updated AES object inclusion logic |
| include/wolfboot/wolfboot.h | Added ENCRYPT_PKCS11 macro definitions for block size, key size, and nonce size |
| include/user_settings.h | Added conditional compilation guards for AES settings; removed direct ENCRYPT_WITH_AES128 definition |
| include/encrypt.h | Added PKCS11 crypto function declarations and macro definitions |
| docs/encrypted_partitions.md | Added comprehensive documentation for PKCS#11 backend configuration and usage |
danielinux approved these changes Dec 30, 2025
This basically adds `ENCRYPT_PKCS11` and a few new options which make wolfBoot use wolfPKCS11 as the crypto backend for partition encryption (rather than plain wolfCrypt), let the application store the encryption key in the keyvault with a specific ID and make that ID available to wolfBoot. More info in the changes to `docs/encrypted_partitions.md`.