wolfSSL · dgarske · Mar 20, 2026 · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -717,6 +717,7 @@ if(ARCH STREQUAL "ARM")
 
                 list(APPEND WOLFBOOT_DEFS
                     SECURE_PKCS11
+                    WOLFPKCS11_USER_SETTINGS
                     WOLFSSL_PKCS11_RW_TOKENS
                     WP11_HASH_PIN_COST=3)
                 list(APPEND WOLFBOOT_DEFS "CK_CALLABLE=__attribute__\\(\\(cmse_nonsecure_entry\\)\\)")

diff --git a/hal/sim.c b/hal/sim.c
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
+#include <sys/syscall.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
@@ -87,6 +88,18 @@ uint32_t hal_sim_get_dualbank_state(void);
 char **main_argv;
 int main_argc;
 
+static int sim_memfd_create(const char *name, unsigned int flags)
+{
+#if defined(__linux__) && defined(SYS_memfd_create)
+    return (int)syscall(SYS_memfd_create, name, flags);
+#else
+    (void)name;
+    (void)flags;
+    errno = ENOSYS;
+    return -1;
+#endif
+}
+
 #ifdef WOLFBOOT_ENABLE_WOLFHSM_CLIENT
 
 /* Client configuration/contexts */
@@ -558,7 +571,7 @@ void do_boot(const uint32_t *app_offset)
     exit(0);
 #else
     char *envp[1] = {NULL};
-    int fd = memfd_create("test_app", 0);
+    int fd = sim_memfd_create("test_app", 0);
     size_t wret;
     if (fd == -1) {
         wolfBoot_printf( "memfd error\n");

diff --git a/include/user_settings.h b/include/user_settings.h
@@ -367,7 +367,9 @@ extern int tolower(int c);
 #   define HAVE_PBKDF2
 #   define WOLFPKCS11_CUSTOM_STORE
 #   define WOLFBOOT_SECURE_PKCS11
-#   define WOLFPKCS11_USER_SETTINGS
+#   ifndef WOLFPKCS11_USER_SETTINGS
+#       define WOLFPKCS11_USER_SETTINGS
+#   endif
 #   define WOLFPKCS11_NO_TIME
 #ifndef WOLFSSL_AES_COUNTER
 #   define WOLFSSL_AES_COUNTER

diff --git a/lib/wolfPKCS11 b/lib/wolfPKCS11
diff --git a/lib/wolfPSA b/lib/wolfPSA
diff --git a/lib/wolfTPM b/lib/wolfTPM
diff --git a/lib/wolfssl b/lib/wolfssl
diff --git a/options.mk b/options.mk
@@ -131,6 +131,10 @@ ifeq ($(WOLFBOOT_SMALL_STACK),1)
   OBJS+=./src/xmalloc.o
 endif
 
+# GCC 13 overestimates some wolfTPM wrapper stack usage; keep TPM
+# limits above 10 KB to avoid false -Wstack-usage failures.
+STACK_USAGE_WOLFTPM=10680
+
 
 ECC_OBJS= \
     $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/ecc.o
@@ -192,7 +196,7 @@ ifeq ($(SIGN),ECC256)
        STACK_USAGE=4096
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=7616
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=5264
@@ -216,7 +220,7 @@ ifeq ($(SIGN),ECC384)
        STACK_USAGE=5880
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=6680
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=11248
@@ -240,7 +244,7 @@ ifeq ($(SIGN),ECC521)
        STACK_USAGE=4096
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=6680
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=11256
@@ -261,7 +265,7 @@ ifeq ($(SIGN),ED25519)
   WOLFCRYPT_OBJS+=$(ED25519_OBJS)
   CFLAGS+=-D"WOLFBOOT_SIGN_ED25519"
   ifeq ($(WOLFTPM),1)
-    STACK_USAGE=6680
+    STACK_USAGE=$(STACK_USAGE_WOLFTPM)
   else
     STACK_USAGE?=5000
   endif
@@ -275,7 +279,7 @@ ifeq ($(SIGN),ED448)
   SIGN_OPTIONS+=--ed448
   WOLFCRYPT_OBJS+= $(ED448_OBJS)
   ifeq ($(WOLFTPM),1)
-    STACK_USAGE=6680
+    STACK_USAGE=$(STACK_USAGE_WOLFTPM)
   else
     ifeq ($(WOLFBOOT_SMALL_STACK),1)
       STACK_USAGE?=1024
@@ -313,7 +317,7 @@ ifneq ($(findstring RSA2048,$(SIGN)),)
     endif
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=9096
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=35952
@@ -346,7 +350,7 @@ ifneq ($(findstring RSA3072,$(SIGN)),)
     endif
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=9096
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=52592
@@ -383,7 +387,7 @@ ifneq ($(findstring RSA4096,$(SIGN)),)
     endif
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=10680
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=69232
@@ -791,6 +795,7 @@ endif
 
 ifeq ($(WOLFCRYPT_TZ_PKCS11),1)
   CFLAGS+=-DSECURE_PKCS11
+  CFLAGS+=-DWOLFPKCS11_USER_SETTINGS
   CFLAGS+=-DWOLFSSL_PKCS11_RW_TOKENS
   CFLAGS+=-DCK_CALLABLE="__attribute__((cmse_nonsecure_entry))"
   CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11)
@@ -899,7 +904,6 @@ ifeq ($(WOLFTPM),1)
   CFLAGS+=-I$(WOLFBOOT_LIB_WOLFTPM)
   CFLAGS+=-D"WOLFBOOT_TPM"
   CFLAGS+=-D"WOLFTPM_SMALL_STACK"
-  CFLAGS+=-D"WOLFTPM_AUTODETECT"
   ifneq ($(SPI_FLASH),1)
     # don't use spi if we're using simulator
     ifeq ($(TARGET),sim)
@@ -910,7 +914,7 @@ ifeq ($(WOLFTPM),1)
       OBJS+=$(WOLFBOOT_LIB_WOLFTPM)/src/tpm2_swtpm.o
     else
       # Use memory-mapped WOLFTPM on x86-64
-       ifeq ($(ARCH),x86_64)
+        ifeq ($(ARCH),x86_64)
           CFLAGS+=-DWOLFTPM_MMIO -DWOLFTPM_EXAMPLE_HAL -DWOLFTPM_INCLUDE_IO_FILE
           OBJS+=$(WOLFBOOT_LIB_WOLFTPM)/hal/tpm_io_mmio.o
         # By default, on other architectures, provide SPI driver

diff --git a/test-app/CMakeLists.txt b/test-app/CMakeLists.txt
@@ -205,7 +205,7 @@ if(BUILD_TEST_APPS)
     endif()
 
     if(WOLFCRYPT_TZ_PKCS11)
-        list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11)
+        list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11 WOLFPKCS11_USER_SETTINGS)
         set(WOLFSSL_PKCS11_SOURCES
             wcs/pkcs11_stub.c
             wcs/pkcs11_test_ecc.c

diff --git a/tools/scripts/sim-sunnyday-update.sh b/tools/scripts/sim-sunnyday-update.sh
@@ -14,5 +14,3 @@ fi
 
 echo Test successful.
 exit 0
-
-
diff --git a/tools/test.mk b/tools/test.mk
@@ -1144,13 +1144,13 @@ test-all: clean
 
 
 test-size-all:
-	make test-size SIGN=NONE LIMIT=5060 NO_ARM_ASM=1
+	make test-size SIGN=NONE LIMIT=5066 NO_ARM_ASM=1
 	make keysclean
-	make test-size SIGN=ED25519 LIMIT=11778 NO_ARM_ASM=1
+	make test-size SIGN=ED25519 LIMIT=11818 NO_ARM_ASM=1
 	make keysclean
 	make test-size SIGN=ECC256  LIMIT=18944 NO_ARM_ASM=1
 	make clean
-	make test-size SIGN=ECC256 NO_ASM=1 LIMIT=13894 NO_ARM_ASM=1
+	make test-size SIGN=ECC256 NO_ASM=1 LIMIT=13914 NO_ARM_ASM=1
 	make keysclean
 	make test-size SIGN=RSA2048 LIMIT=11916 NO_ARM_ASM=1
 	make clean
@@ -1162,22 +1162,22 @@ test-size-all:
 	make keysclean
 	make test-size SIGN=ECC384 LIMIT=19888 NO_ARM_ASM=1
 	make clean
-	make test-size SIGN=ECC384 NO_ASM=1 LIMIT=15270 NO_ARM_ASM=1
+	make test-size SIGN=ECC384 NO_ASM=1 LIMIT=15290 NO_ARM_ASM=1
 	make keysclean
-	make test-size SIGN=ED448 LIMIT=13846 NO_ARM_ASM=1
+	make test-size SIGN=ED448 LIMIT=13862 NO_ARM_ASM=1
 	make keysclean
 	make test-size SIGN=RSA3072 LIMIT=12056 NO_ARM_ASM=1
 	make clean
 	make test-size SIGN=RSA3072 NO_ASM=1 LIMIT=12600 NO_ARM_ASM=1
 	make keysclean
 	make test-size SIGN=LMS LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 \
 		WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2644 \
-		IMAGE_HEADER_SIZE?=5288 LIMIT=7782 NO_ARM_ASM=1
+		IMAGE_HEADER_SIZE?=5288 LIMIT=7798 NO_ARM_ASM=1
 	make keysclean
 	make test-size SIGN=XMSS XMSS_PARAMS='XMSS-SHA2_10_256' \
 		IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE?=4096 \
-		LIMIT=8638 NO_ARM_ASM=1
+		LIMIT=8658 NO_ARM_ASM=1
 	make keysclean
 	make clean
-	make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=19392 \
+	make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=19400 \
 		IMAGE_SIGNATURE_SIZE=2420 IMAGE_HEADER_SIZE?=8192
diff --git a/tools/unit-tests/Makefile b/tools/unit-tests/Makefile
@@ -87,7 +87,7 @@ unit-enc-nvm-flagshome:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS \
 	-DEXT_ENCRYPTED -DENCRYPT_WITH_CHACHA -DEXT_FLASH -DHAVE_CHACHA -DFLAGS_HOME
 unit-enc-nvm-flagshome:WOLFCRYPT_SRC+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/chacha.c
 unit-delta:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS -DDELTA_UPDATES -DDELTA_BLOCK_SIZE=512
-unit-pkcs11_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DSECURE_PKCS11
+unit-pkcs11_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DSECURE_PKCS11 -DWOLFPKCS11_USER_SETTINGS
 unit-psa_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPSA) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DWOLFCRYPT_TZ_PSA
 unit-update-flash:CFLAGS+=-DMOCK_PARTITIONS -DWOLFBOOT_NO_SIGN -DUNIT_TEST_AUTH \
 	-DWOLFBOOT_HASH_SHA256 -DPRINTF_ENABLED -DEXT_FLASH -DPART_UPDATE_EXT -DPART_SWAP_EXT
+1 −1		.github/workflows/alpine-architecture-tests.yml
+1 −1		.github/workflows/build-workflow.yml
+5 −3		.github/workflows/clang-tidy.yml
+72 −0		.github/workflows/cmake.yml
+95 −0		.github/workflows/empty-pin-store-test.yml
+3 −3		.github/workflows/nss-cmsutil-test.yml
+4 −4		.github/workflows/nss-curl-test.yml
+1 −1		.github/workflows/nss-pdfsig-test.yml
+1 −1		.github/workflows/nss-pk12util-debian-test.yml
+1 −1		.github/workflows/nss-pk12util-test.yml
+1 −1		.github/workflows/nss-ssltap-test.yml
+1 −1		.github/workflows/nss.yml
+4 −2		.github/workflows/sanitizer-tests.yml
+3 −1		.github/workflows/scan-build.yml
+2 −2		.github/workflows/storage-upgrade-test-tpm.yml
+9 −9		.github/workflows/storage-upgrade-test.yml
+16 −1		.github/workflows/unit-test.yml
+12 −0		.gitignore
+918 −0		CMakeLists.txt
+2 −1		Docker/firefox/Dockerfile
+15 −1		Makefile.am
+126 −0		README.md
+83 −0		cmake/functions.cmake
+116 −0		cmake/options.h.in
+15 −0		cmake/wolfpkcs11Config.cmake.in
+12 −0		cmake/wolfpkcs11ConfigVersion.cmake.in
+35 −0		cmake/wolfpkcs11Targets.cmake.in
+73 −1		configure.ac
+10 −7		examples/add_aes_key.c
+10 −7		examples/add_cert.c
+10 −7		examples/add_cert_file.c
+10 −7		examples/add_hmac_key.c
+10 −7		examples/add_rsa_key.c
+10 −7		examples/add_rsa_key_file.c
+7 −3		examples/init_token.c
+7 −3		examples/mech_info.c
+8 −4		examples/nss_pkcs12_pbe_example.c
+10 −7		examples/obj_list.c
+7 −3		examples/slot_info.c
+7 −6		examples/stm32_dhuk_aes_key.c
+7 −3		examples/token_info.c
+645 −5		src/crypto.c
+1,163 −34		src/internal.c
+118 −0		src/slot.c
+353 −4		src/wolfpkcs11.c
+13 −1		tests/debug_test.c
+458 −0		tests/empty_pin_store_test.c
+13 −0		tests/include.am
+2 −2		tests/pkcs11mtt.c
+4 −0		tests/pkcs11str.c
+337 −11		tests/pkcs11test.c
+1,787 −0		tests/pkcs11v3test.c
+6 −0		tests/testdata.h
+2 −14		tests/token_path_test.c
+23 −1		wolfpkcs11/internal.h
+707 −2		wolfpkcs11/pkcs11.h
+2 −0		wolfpkcs11/store.h
+29 −0		.github/workflows/psa-compliance.yml
+65 −0		.github/workflows/test-psa-api.yml
+35 −0		.github/workflows/wolfcrypt-benchmark.yml
+36 −0		.github/workflows/wolfssl-psa-client-server.yml
+7 −0		.gitignore
+8 −3		Makefile
+15 −0		src/misc_impl.c
+28 −40		src/psa_aead.c
+37 −0		src/psa_aead_internal.h
+16 −0		src/psa_asymmetric.c
+32 −27		src/psa_asymmetric_api.c
+27 −23		src/psa_cipher.c
+8 −4		src/psa_ecc.c
+40 −10		src/psa_ed25519_ed448.c
+7 −2		src/psa_hash_engine.c
+72 −27		src/psa_key_derivation.c
+86 −18		src/psa_key_storage.c
+28 −6		src/psa_lms_xmss.c
+20 −15		src/psa_mac.c
+16 −11		src/psa_mldsa.c
+6 −0		src/psa_pq.c
+3 −0		src/psa_random.c
+40 −7		src/psa_rsa.c
+109 −8		test/Makefile
+301 −81		test/psa_server/psa_api_test.c
+43 −0		test/psa_server/psa_api_test_user_settings.h
+53 −0		test/psa_server/psa_des3_stack_scrub_test.c
+107 −0		test/psa_server/psa_ecc_bit_inference_test.c
+58 −0		test/psa_server/psa_ecc_curve_id_test.c
+53 −0		test/psa_server/psa_random_size_test.c
+211 −0		test/psa_server/psa_rsa_pss_interop_test.c
+93 −13		test/psa_server/psa_tls_server.c
+0 −3		test/psa_server/tls_client/user_settings.h
+57 −6		test/run_psa_tls_server_client.sh
+2 −0		test/wolfcrypt-benchmark/user_settings.h
+0 −1		user_settings.h
+94 −0		wolfpsa.map
+2 −1		wolfpsa/psa_key_storage.h
+3 −0		.github/workflows/cmake-build.yml
+26 −0		.github/workflows/codespell.yml
+56 −0		.github/workflows/coverity-scan-fixes.yml
+19 −0		.github/workflows/make-test-swtpm.yml
+99 −0		.github/workflows/multi-compiler.yml
+112 −0		.github/workflows/sanitizer.yml
+71 −0		.github/workflows/seal-test.yml
+1 −1		.github/workflows/zephyr.yml
+18 −0		.gitignore
+5 −2		CMakeLists.txt
+45 −0		ChangeLog.md
+20 −0		IDE/Espressif/components/wolfssl/README.md
+10 −4		IDE/Espressif/components/wolfssl/include/user_settings.h
+17 −0		IDE/Espressif/main/main.c
+2 −2		IDE/Espressif/sdkconfig.defaults
+48 −4		README.md
+5 −4		configure.ac
+1 −1		docs/Doxyfile
+1 −1		examples/attestation/README.md
+14 −0		examples/attestation/activate_credential.c
+8 −0		examples/attestation/make_credential.c
+4 −1		examples/bench/bench.c
+1 −1		examples/boot/secret_seal.c
+35 −3		examples/csr/csr.c
+1 −1		examples/endorsement/README.md
+154 −2		examples/endorsement/get_ek_certs.c
+98 −1		examples/firmware/README.md
+1 −1		examples/firmware/ifx_fw_extract.c
+16 −2		examples/firmware/include.am
+405 −0		examples/firmware/st33_fw_update.c
+1 −1		examples/gpio/gpio_config.c
+1 −0		examples/keygen/external_import.c
+1 −1		examples/management/flush.c
+10 −2		examples/nvram/include.am
+1 −2		examples/nvram/nvram.h
+1 −1		examples/nvram/read.c
+382 −0		examples/nvram/seal_nv.c
+14 −4		examples/pcr/extend.c
+0 −1		examples/pcr/pcr.h
+1 −1		examples/pcr/reset.c
+4 −1		examples/pkcs7/pkcs7.c
+139 −0		examples/run_examples.sh
+128 −0		examples/seal/README.md
+19 −2		examples/seal/include.am
+2 −1		examples/seal/seal.h
+363 −0		examples/seal/seal_pcr.c
+530 −0		examples/seal/seal_policy_auth.c
+288 −0		examples/seal/seal_test.sh
+2 −1		examples/seal/unseal.c
+1 −1		examples/timestamp/clock_set.c
+1 −1		examples/tls/tls_client.c
+13 −2		examples/tls/tls_client_notpm.c
+1 −1		examples/tpm_test.h
+9 −3		examples/tpm_test_keys.c
+4 −1		examples/wrap/caps.c
+7 −5		examples/wrap/wrap_test.c
+2 −0		hal/tpm_io.c
+216 −12		hal/tpm_io_espressif.c
+76 −0		hal/tpm_io_linux.c
+1 −1		hal/tpm_io_microchip.c
+17 −4		hal/tpm_io_mmio.c
+152 −19		hal/tpm_io_uboot.c
+1 −1		hal/tpm_io_xilinx.c
+3 −8		hal/tpm_io_zephyr.c
+1 −1		pre-commit.sh
+1 −1		scripts/swtpm_sim.test
+2 −5		src/include.am
+134 −13		src/tpm2.c
+11 −2		src/tpm2_asn.c
+20 −10		src/tpm2_cryptocb.c
+54 −10		src/tpm2_linux.c
+81 −8		src/tpm2_packet.c
+120 −43		src/tpm2_param_enc.c
+5 −4		src/tpm2_swtpm.c
+5 −3		src/tpm2_tis.c
+1,150 −241		src/tpm2_wrap.c
+276 −41		tests/unit_tests.c
+28 −1		wolftpm/tpm2.h
+15 −0		wolftpm/tpm2_linux.h
+1 −1		wolftpm/tpm2_packet.h
+4 −0		wolftpm/tpm2_swtpm.h
+48 −16		wolftpm/tpm2_types.h
+4 −0		wolftpm/tpm2_winapi.h
+42 −3		wolftpm/tpm2_wrap.h
+2 −2		wolftpm/version.h
+27 −0		wrapper/CSharp/wolfTPM-tests.cs
+6 −1		wrapper/CSharp/wolfTPM.cs