Skip to content

Add Trusted Firmware M wolfCOSE attestation patch#349

Draft
aidangarske wants to merge 2 commits into
wolfSSL:masterfrom
aidangarske:tfm-wolfcose
Draft

Add Trusted Firmware M wolfCOSE attestation patch#349
aidangarske wants to merge 2 commits into
wolfSSL:masterfrom
aidangarske:tfm-wolfcose

Conversation

@aidangarske

@aidangarske aidangarske commented Jul 17, 2026

Copy link
Copy Markdown
Member

New OSP entry for Trusted Firmware-M, patch against the TF-Mv2.3.0 tag. Replaces t_cose with wolfCOSE for initial attestation token signing.

The IAK is never exported. wolfCOSE gets a signature callback that calls psa_sign_hash, so the key stays in the crypto partition. wolfCrypt does the SHA-256.

Adds a TFM_COSE_BACKEND selector defaulting to t_cose, so an unselected build is unchanged. Backend specific code is in new files to keep the patch easy to re cut on TF-M releases.

Testing: tf-m-tests TF-Mv2.3.0 regression suite on QEMU mps2-an521 with BL2 on passes 200/0, matching stock t_cose. Attestation partition links zero t_cose symbols. Real t_cose still verifies the wolfCOSE produced token in the test suite.

Depends on wolfSSL/wolfCOSE#59 for WOLFCOSE_ENABLE_EXT_SIGN.

  • Skoll still needs run. CI will need added in wolfssl-examples.

Copilot AI review requested due to automatic review settings July 17, 2026 01:36

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new Open Source Program (OSP) entry for Trusted Firmware‑M v2.3.0 that introduces an optional wolfCOSE-based initial attestation signing backend while preserving the default t_cose behavior when unselected.

Changes:

  • Adds a TF‑M v2.3.0 patch that introduces a TFM_COSE_BACKEND selector and a wolfCOSE signing implementation that delegates signing to psa_sign_hash (IAK not exported).
  • Adds TF‑M build integration for wolfCOSE/wolfCrypt sources under lib/ext/wolfcose/.
  • Documents the Trusted Firmware‑M patch naming convention and where to find apply instructions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
trusted-firmware-m/2.3.0/trusted-firmware-m-2.3.0-wolfcose.patch TF‑M v2.3.0 patch adding a selectable wolfCOSE backend for initial attestation token signing and associated build glue.
trusted-firmware-m/2.3.0/README Introduces basic documentation for TF‑M patch storage/naming and where apply instructions live.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +91 to +98
+if (NOT WOLFCOSE_PATH OR NOT EXISTS ${WOLFCOSE_PATH})
+ message(FATAL_ERROR "WOLFCOSE_PATH = '${WOLFCOSE_PATH}' is not set or does not exist. "
+ "Provide the path to a wolfCOSE checkout with -DWOLFCOSE_PATH=")
+endif()
+if (NOT WOLFSSL_PATH OR NOT EXISTS ${WOLFSSL_PATH})
+ message(FATAL_ERROR "WOLFSSL_PATH = '${WOLFSSL_PATH}' is not set or does not exist. "
+ "wolfCOSE needs wolfCrypt headers and SHA-256. Use -DWOLFSSL_PATH=")
+endif()
- *cose_algorithm_id = T_COSE_ALGORITHM_ES384;
+ *cose_algorithm_id = ATTEST_COSE_ALGORITHM_ES384;
break;
case 512:
Comment on lines +834 to +837
+ if (ecc_inited != 0) {
+ (void)wc_ecc_free(&ecc);
+ }
+ return ret;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants