Example for ST-SAFE A120

Author: dgarske

.gitignore

@@ -402,3 +402,8 @@ kernel/bsdkm/bsd_example.ko
 kernel/bsdkm/machine
 kernel/bsdkm/opt_global.h
 kernel/bsdkm/x86
+
+# STSAFE test executables
+stsafe/stsafe_test
+stsafe/wolfssl_stsafe_test
+stsafe/wolfssl_stsafe_full_test

stsafe/Makefile

@@ -0,0 +1,162 @@
+# STSAFE-A120 Test Makefile for Raspberry Pi
+#
+# Copyright 2025 wolfSSL Inc.
+
+CC = gcc
+CFLAGS = -Wall -Wextra -O2 -g
+
+# wolfSSL configuration
+# Option 1: Use installed wolfSSL (after make install)
+#WOLFSSL_DIR = /usr/local
+# Option 2: Use local wolfSSL source
+WOLFSSL_DIR = $(HOME)/wolfssl
+
+# STSELib paths
+STSELIB_DIR = $(HOME)/STSELib
+PLATFORM_DIR = ./platform
+
+# Include paths
+# Note: Current directory (.) must come first so our user_settings.h is found
+INCLUDES = -I. \
+           -I$(STSELIB_DIR) \
+           -I$(PLATFORM_DIR) \
+           -I$(WOLFSSL_DIR)
+
+# wolfSSL library flags
+# For installed wolfSSL:
+#LDFLAGS = -L$(WOLFSSL_DIR)/lib -lwolfssl -lm
+# For local wolfSSL source (using .libs):
+LDFLAGS = -L$(WOLFSSL_DIR)/src/.libs -lwolfssl -lm -Wl,-rpath,$(WOLFSSL_DIR)/src/.libs
+
+# wolfSSL compile flags
+# WOLFSSL_USER_SETTINGS tells wolfSSL to include user_settings.h
+CFLAGS += -DWOLFSSL_USER_SETTINGS
+
+# STSELib source files
+STSELIB_CORE_SRC = $(STSELIB_DIR)/core/stse_device.c \
+                   $(STSELIB_DIR)/core/stse_frame.c \
+                   $(STSELIB_DIR)/core/stse_generic_typedef.c \
+                   $(STSELIB_DIR)/core/stse_platform.c \
+                   $(STSELIB_DIR)/core/stse_session.c
+
+STSELIB_API_SRC = $(wildcard $(STSELIB_DIR)/api/*.c)
+STSELIB_SERVICES_SRC = $(wildcard $(STSELIB_DIR)/services/stsafea/*.c) \
+                       $(wildcard $(STSELIB_DIR)/services/stsafel/*.c)
+STSELIB_CERT_SRC = $(wildcard $(STSELIB_DIR)/certificate/*.c)
+
+# Platform source files
+PLATFORM_SRC = $(PLATFORM_DIR)/stse_platform_linux.c
+
+# Platform crypto source (wolfSSL implementation)
+# Uncomment when building with wolfSSL crypto support:
+PLATFORM_CRYPTO_SRC = $(PLATFORM_DIR)/stse_platform_crypto_wolfssl.c
+
+# Test source files
+TEST_SRC = stsafe_test.c
+WOLFSSL_TEST_SRC = wolfssl_stsafe_test.c
+WOLFSSL_FULL_TEST_SRC = wolfssl_stsafe_full_test.c
+
+# All sources
+ALL_SRC = $(STSELIB_CORE_SRC) $(STSELIB_API_SRC) $(STSELIB_SERVICES_SRC) \
+          $(STSELIB_CERT_SRC) $(PLATFORM_SRC) $(PLATFORM_CRYPTO_SRC) $(TEST_SRC)
+
+# wolfSSL STSAFE port source
+WOLFSSL_STSAFE_SRC = $(WOLFSSL_DIR)/wolfcrypt/src/port/st/stsafe.c
+
+# Targets
+TARGET = stsafe_test
+WOLFSSL_TARGET = wolfssl_stsafe_test
+WOLFSSL_FULL_TARGET = wolfssl_stsafe_full_test
+
+.PHONY: all clean test info basic wolfssl wolfssl-full
+
+all: $(TARGET)
+
+# Full build with wolfSSL crypto support
+$(TARGET): $(TEST_SRC) $(PLATFORM_SRC) $(PLATFORM_CRYPTO_SRC)
+	$(CC) $(CFLAGS) $(INCLUDES) -o $@ \
+		$(TEST_SRC) \
+		$(PLATFORM_SRC) \
+		$(PLATFORM_CRYPTO_SRC) \
+		$(STSELIB_CORE_SRC) \
+		$(STSELIB_API_SRC) \
+		$(STSELIB_SERVICES_SRC) \
+		$(STSELIB_CERT_SRC) \
+		$(LDFLAGS)
+
+# Basic build without wolfSSL (for initial testing without host sessions)
+basic: $(TEST_SRC) $(PLATFORM_SRC)
+	$(CC) $(CFLAGS) $(INCLUDES) -o $(TARGET) \
+		$(TEST_SRC) \
+		$(PLATFORM_SRC) \
+		$(STSELIB_CORE_SRC) \
+		$(STSELIB_API_SRC) \
+		$(STSELIB_SERVICES_SRC) \
+		$(STSELIB_CERT_SRC)
+
+# wolfSSL crypto callback test build
+# Note: We compile stsafe.c directly since it's not built into libwolfssl by default
+# IMPORTANT: Use WOLFSSL_USE_OPTIONS_H to get options.h included for proper wolfSSL settings
+# We add -DWOLFSSL_STSAFEA120 -DUSE_STSAFE_RNG_SEED to enable STSAFE in stsafe.c
+WOLFSSL_STSAFE_FLAGS = -DWOLFSSL_USE_OPTIONS_H -DWOLFSSL_STSAFEA120 -DUSE_STSAFE_RNG_SEED -Wno-strict-prototypes
+WOLFSSL_BASE_FLAGS = -Wall -Wextra -O2 -g
+wolfssl: $(WOLFSSL_TEST_SRC) $(PLATFORM_SRC) $(PLATFORM_CRYPTO_SRC)
+	$(CC) $(WOLFSSL_BASE_FLAGS) $(WOLFSSL_STSAFE_FLAGS) -I$(STSELIB_DIR) -I$(PLATFORM_DIR) -I$(WOLFSSL_DIR) \
+		-c $(WOLFSSL_STSAFE_SRC) -o stsafe.o
+	$(CC) $(WOLFSSL_BASE_FLAGS) $(WOLFSSL_STSAFE_FLAGS) -I$(STSELIB_DIR) -I$(PLATFORM_DIR) -I$(WOLFSSL_DIR) \
+		-c $(PLATFORM_SRC) -o stse_platform_linux.o
+	$(CC) $(WOLFSSL_BASE_FLAGS) $(WOLFSSL_STSAFE_FLAGS) -I$(STSELIB_DIR) -I$(PLATFORM_DIR) -I$(WOLFSSL_DIR) \
+		-c $(PLATFORM_CRYPTO_SRC) -o stse_platform_crypto.o
+	$(CC) $(WOLFSSL_BASE_FLAGS) $(WOLFSSL_STSAFE_FLAGS) -I$(STSELIB_DIR) -I$(PLATFORM_DIR) -I$(WOLFSSL_DIR) \
+		-o $(WOLFSSL_TARGET) \
+		$(WOLFSSL_TEST_SRC) \
+		stse_platform_linux.o stse_platform_crypto.o stsafe.o \
+		$(STSELIB_CORE_SRC) \
+		$(STSELIB_API_SRC) \
+		$(STSELIB_SERVICES_SRC) \
+		$(STSELIB_CERT_SRC) \
+		$(LDFLAGS)
+
+test: $(TARGET)
+	./$(TARGET)
+
+test-wolfssl: wolfssl
+	./$(WOLFSSL_TARGET)
+
+# Full wolfSSL integration test with ECDH and benchmarks
+wolfssl-full: $(WOLFSSL_FULL_TEST_SRC) $(PLATFORM_SRC) $(PLATFORM_CRYPTO_SRC)
+	$(CC) $(WOLFSSL_BASE_FLAGS) $(WOLFSSL_STSAFE_FLAGS) -I$(STSELIB_DIR) -I$(PLATFORM_DIR) -I$(WOLFSSL_DIR) \
+		-c $(WOLFSSL_STSAFE_SRC) -o stsafe.o
+	$(CC) $(WOLFSSL_BASE_FLAGS) $(WOLFSSL_STSAFE_FLAGS) -I$(STSELIB_DIR) -I$(PLATFORM_DIR) -I$(WOLFSSL_DIR) \
+		-c $(PLATFORM_SRC) -o stse_platform_linux.o
+	$(CC) $(WOLFSSL_BASE_FLAGS) $(WOLFSSL_STSAFE_FLAGS) -I$(STSELIB_DIR) -I$(PLATFORM_DIR) -I$(WOLFSSL_DIR) \
+		-c $(PLATFORM_CRYPTO_SRC) -o stse_platform_crypto.o
+	$(CC) $(WOLFSSL_BASE_FLAGS) $(WOLFSSL_STSAFE_FLAGS) -I$(STSELIB_DIR) -I$(PLATFORM_DIR) -I$(WOLFSSL_DIR) \
+		-o $(WOLFSSL_FULL_TARGET) \
+		$(WOLFSSL_FULL_TEST_SRC) \
+		stse_platform_linux.o stse_platform_crypto.o stsafe.o \
+		$(STSELIB_CORE_SRC) \
+		$(STSELIB_API_SRC) \
+		$(STSELIB_SERVICES_SRC) \
+		$(STSELIB_CERT_SRC) \
+		$(LDFLAGS)
+
+test-wolfssl-full: wolfssl-full
+	./$(WOLFSSL_FULL_TARGET)
+
+clean:
+	rm -f $(TARGET) $(WOLFSSL_TARGET) $(WOLFSSL_FULL_TARGET) *.o stsafe.o stse_platform_linux.o stse_platform_crypto.o
+
+# Show configuration
+info:
+	@echo "STSELib directory: $(STSELIB_DIR)"
+	@echo "wolfSSL directory: $(WOLFSSL_DIR)"
+	@echo "Platform directory: $(PLATFORM_DIR)"
+	@echo "Include paths: $(INCLUDES)"
+	@echo "Linker flags: $(LDFLAGS)"
+	@echo ""
+	@echo "Build targets:"
+	@echo "  make        - Build with wolfSSL crypto support (full features)"
+	@echo "  make basic  - Build without wolfSSL (basic tests only)"
+	@echo "  make test   - Build and run tests"
+	@echo "  make clean  - Clean build artifacts"

stsafe/README.md

@@ -0,0 +1,183 @@
+# wolfSSL STSAFE-A120 Test Suite
+
+Test harness for wolfSSL integration with ST STSAFE-A120 secure element on Raspberry Pi 5.
+
+## Hardware Requirements
+
+- Raspberry Pi 5 (or compatible Linux system with I2C)
+- STSAFE-A120 secure element connected via I2C
+- I2C enabled on the system
+
+## Software Requirements
+
+- wolfSSL library (compiled with ECC, CMAC, SHA-384 support)
+- STSELib (ST Secure Element Library)
+- GCC compiler
+- Linux I2C development headers (`libi2c-dev`)
+
+## Directory Structure
+
+```
+stsafe/
+├── Makefile                          # Build configuration
+├── README.md                         # This file
+├── user_settings.h                   # wolfSSL configuration
+├── stsafe_test.c                     # STSELib basic tests
+├── wolfssl_stsafe_test.c             # wolfSSL crypto callback tests
+├── wolfssl_stsafe_full_test.c        # Full integration tests with benchmarks
+└── platform/
+    ├── stse_conf.h                   # STSELib configuration
+    ├── stse_platform_generic.h       # Platform type definitions
+    ├── stse_platform_linux.c         # Linux I2C platform implementation
+    └── stse_platform_crypto_wolfssl.c # wolfSSL crypto for STSELib
+```
+
+## Configuration
+
+### I2C Setup
+
+1. Enable I2C on Raspberry Pi:
+   ```bash
+   sudo raspi-config
+   # Navigate to: Interface Options -> I2C -> Enable
+   ```
+
+2. Verify I2C device:
+   ```bash
+   sudo i2cdetect -y 1
+   # STSAFE should appear at address 0x20
+   ```
+
+3. Set I2C permissions (optional, for non-root access):
+   ```bash
+   sudo usermod -a -G i2c $USER
+   # Logout and login again
+   ```
+
+### Environment
+
+Set paths to dependencies:
+```bash
+export WOLFSSL_DIR=$HOME/wolfssl
+export STSELIB_DIR=$HOME/STSELib
+```
+
+## Building
+
+### Prerequisites
+
+1. Build wolfSSL with required features:
+   ```bash
+   cd $WOLFSSL_DIR
+   ./configure --enable-cryptocb --enable-ecc --enable-cmac --enable-sha384 --enable-debug
+   make
+   ```
+
+2. Clone STSELib:
+   ```bash
+   git clone https://github.com/STMicroelectronics/STSELib.git $STSELIB_DIR
+   ```
+
+### Build Targets
+
+```bash
+# Build basic STSELib tests (no wolfSSL crypto callbacks)
+make
+
+# Build wolfSSL crypto callback tests
+make wolfssl
+
+# Build full integration tests with benchmarks
+make wolfssl-full
+
+# Build without wolfSSL (basic I2C tests only)
+make basic
+
+# Clean build artifacts
+make clean
+
+# Show configuration
+make info
+```
+
+## Running Tests
+
+### Basic STSELib Tests
+```bash
+./stsafe_test
+```
+
+Tests:
+- Echo command (I2C communication)
+- Random number generation
+- ECC P-256 key generation
+- ECDSA P-256 signing
+- ECC P-384 key generation
+
+### wolfSSL Crypto Callback Tests
+```bash
+./wolfssl_stsafe_test
+```
+
+Tests:
+- RNG with STSAFE-A120
+- ECC P-256 key generation via crypto callback
+- ECC P-384 key generation via crypto callback
+- ECDSA P-256 sign/verify
+- ECDSA P-384 sign/verify
+
+### Full Integration Tests
+```bash
+./wolfssl_stsafe_full_test
+```
+
+Tests:
+- RNG benchmark
+- ECDSA P-256 benchmark (keygen, sign, verify timing)
+- Multiple sequential operations
+
+## Expected Output
+
+```
+================================================
+STSAFE-A120 Test Suite for wolfSSL Integration
+================================================
+
+Initializing STSAFE handler...
+STSAFE-A120 initialized successfully.
+
+Test: Echo Command
+  Echo response matches!
+[PASS] Echo command
+
+Test: Random Number Generation
+  Random data: A1 B2 C3 D4 ...
+[PASS] Random number generation
+
+Test: ECC Key Generation (P-256)
+  Public Key X: 12345678...
+  Public Key Y: ABCDEF01...
+[PASS] ECC P-256 key generation
+
+...
+
+================================================
+Test Summary: 5 passed, 0 failed
+================================================
+```
+
+## Performance Results (Raspberry Pi 5)
+
+| Operation | Time | Throughput |
+|-----------|------|------------|
+| RNG (256 bytes) | <1 ms | ~9 MB/s |
+| ECC P-256 KeyGen | ~40 ms | 25 ops/sec |
+| ECDSA P-256 Sign | ~51 ms | 19.5 ops/sec |
+| ECDSA P-256 Verify | ~79 ms | 12.7 ops/sec |
+
+## References
+
+- [wolfSSL Documentation](https://www.wolfssl.com/docs/)
+- [STSELib GitHub](https://github.com/STMicroelectronics/STSELib)
+- [STSAFE-A120 Datasheet](https://www.st.com/en/secure-mcus/stsafe-a120.html)
+- [Raspberry Pi I2C Documentation](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#gpio-and-the-40-pin-header)