config refactor #766

Draft
bigbrett wants to merge 6 commits into wolfSSL:master from bigbrett:wolfcrypt-cfg-refactor

Conversation


@bigbrett bigbrett commented May 1, 2026

super secret plz dont look just yet


Background / Motivation

Problem. The current wolfBoot wolfCrypt configuration is split between two tightly coupled files that have grown into a tangle:

  • options.mk (1481 lines) — translates high-level Make variables (SIGN, HASH, WOLFTPM, WOLFHSM_CLIENT, WOLFCRYPT_TZ_*, ENCRYPT*, etc.) into WOLFCRYPT_OBJS (linker input) and -Dxxx CFLAGS (preprocessor input).
  • include/user_settings.h (781 lines) — consumes those -Dxxx flags and configures wolfCrypt features.

This led to tightly coupled, hard-to-reason-about logic built around deeply nested, negated #ifdef chains. Adding or modifying a feature required:

  • Updating multiple unrelated sections
  • Extending fragile negation chains
  • Carefully preserving ordering to avoid conflicts

Negative wolfCrypt flags (NO_*, WC_NO_*) made this worse: they don’t compose safely, so enabling a feature often meant editing multiple disable sites or introducing #undefs, increasing risk and maintenance cost.

Additionally, important configuration behavior lived in options.mk, meaning non-Make builds (IDE, CMake) could not reliably reproduce the same configuration without duplicating logic.


Summary

This PR replaces the monolithic configuration with a modular, fragment-based system and introduces a WOLFBOOT_NEEDS_* marker model to decouple feature intent from final wolfCrypt configuration.


Key Changes

  • Shim-based entrypoint

    • include/user_settings.h now only orchestrates includes in a fixed order.
  • Fragmented configuration

    • Configuration split into small, self-contained headers (SIGN, HASH, TPM, TrustZone, etc.).
    • Fragments are strictly additive (#define only) and independent.
  • Cascade layer (cascade.h)

    • Moves feature-flag implications from options.mk into the preprocessor.
    • Declares all WOLFBOOT_NEEDS_* markers from high-level flags.
  • Central reconciliation (finalize.h)

    • Single point translating NEEDS markers into wolfCrypt negative flags.
    • Consolidates all disable logic.
  • NEEDS marker model

    • Features declare what they require (e.g., RNG, AES, ASN).
    • The system derives what to disable automatically.

Benefits

  • Eliminates negated #ifdef chains

    • No more scattered “if not X and not Y and not Z → disable” logic.
  • Decouples features

    • Adding a feature no longer requires modifying unrelated code paths.
  • Single source of truth for disables

    • All NO_* / WC_NO_* decisions live in finalize.h.
  • Improved build portability

    • IDE/CMake builds now match Make builds using only WOLFBOOT_* flags.
  • Simpler reasoning

    • Feature requirements: fragment headers
    • Final configuration: finalize.h
  • Safer extensibility

    • New features integrate via markers instead of modifying global logic.

No User-Facing Changes

  • .config inputs and WOLFBOOT_* flags are unchanged.
  • Generated binaries remain equivalent for the same configurations.

Developer Impact

New features follow a consistent pattern:

  1. Add fragment header
  2. Include it in the shim
  3. Declare required WOLFBOOT_NEEDS_* markers in cascade.h
  4. Only touch finalize.h when introducing a new negative-polarity feature

Resulting flow:

WOLFBOOT_* flags
    → cascade.h (derive + declare NEEDS)
    → fragments (additive config)
    → finalize.h (apply disables)
    → final wolfCrypt configuration

Scope

  • Structural refactor only
  • No intended functional or cryptographic changes
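As an added illustration (not code from this PR or from wolfBoot), the cascade → fragments → finalize flow above collapsed into one translation unit; every DEMO_* flag, marker and NO_* name is a hypothetical stand-in for the WOLFBOOT_*, WOLFBOOT_NEEDS_* and NO_*/WC_NO_* names the PR describes.

```c
/* Constructed -D input: ECC-signed image, TPM present, encrypted update. */
#define DEMO_SIGN_ECC256
#define DEMO_TPM
#define DEMO_ENCRYPT_AES128
/* cascade: flags -> NEEDS markers. Define-only, so TPM and encryption both
 * asking for AES compose (identical redefinition is legal C); #undefs would not. */
#ifdef DEMO_SIGN_ECC256
#  define DEMO_NEEDS_ECC
#endif
#ifdef DEMO_TPM
#  define DEMO_NEEDS_RNG   /* session nonces */
#  define DEMO_NEEDS_AES   /* parameter encryption */
#endif
#ifdef DEMO_ENCRYPT_AES128
#  define DEMO_NEEDS_AES
#endif
/* finalize: the single place that emits negative-polarity flags. */
#ifndef DEMO_NEEDS_RSA
#  define DEMO_NO_RSA
#endif
#ifndef DEMO_NEEDS_ECC
#  define DEMO_NO_ECC
#endif
#ifndef DEMO_NEEDS_AES
#  define DEMO_NO_AES
#endif
#ifndef DEMO_NEEDS_RNG
#  define DEMO_WC_NO_RNG
#endif

enum { F_RSA = 1, F_ECC = 2, F_AES = 4, F_RNG = 8 };

/* Final configuration as a bitmask fixed by the preprocessor (same for Make/IDE). */
unsigned demo_final_config(void)
{
    unsigned on = 0;
#ifndef DEMO_NO_RSA
    on |= F_RSA;
#endif
#ifndef DEMO_NO_ECC
    on |= F_ECC;
#endif
#ifndef DEMO_NO_AES
    on |= F_AES;
#endif
#ifndef DEMO_WC_NO_RNG
    on |= F_RNG;
#endif
    return on;
}
```

With these inputs RSA is the only feature nobody declared a need for, so it is the only one finalize disables.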

Copilot AI review requested due to automatic review settings May 1, 2026 17:49
Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Refactors wolfCrypt/wolfSSL configuration into composable include/user_settings/* fragments and simplifies Make-side -D flag emission for hash-based signature parameterization.

Changes:

  • Splits the monolithic include/user_settings.h into ordered “fragment” headers (cascade/base/sign/hash/features/finalize) and turns user_settings.h into a dispatcher.
  • Moves SIGN/HASH algorithm-specific configuration into dedicated sign_*.h and hash_*.h fragments with central dispatch headers.
  • Updates options.mk so LMS/XMSS Make variables carry only user-provided parameter values, with wolfCrypt-side defines derived in headers.

Reviewed changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 4 comments.

Summary per file:

  • options.mk: Drops wolfCrypt-side LMS/XMSS defines from Make flags; keeps only user parameter -Ds.
  • include/user_settings.h: Replaced large inline configuration with ordered includes of fragment headers.
  • include/user_settings/base.h: New: baseline wolfCrypt settings shared by all builds.
  • include/user_settings/cascade.h: New: feature implication cascades + WOLFBOOT_NEEDS_* markers.
  • include/user_settings/sign_dispatch.h: New: includes per-signature fragments based on SIGN flags.
  • include/user_settings/sign_rsa.h: New: RSA verification configuration (and NO_RSA fallback).
  • include/user_settings/sign_ecc.h: New: ECC verification configuration and carve-outs.
  • include/user_settings/sign_ed25519.h: New: ED25519 verification configuration and carve-outs.
  • include/user_settings/sign_ed448.h: New: ED448 verification configuration and carve-outs.
  • include/user_settings/sign_ml_dsa.h: New: ML-DSA (Dilithium) verification configuration and carve-outs.
  • include/user_settings/sign_lms.h: New: LMS verification config; maps Make parameters to wolfCrypt defines.
  • include/user_settings/sign_xmss.h: New: XMSS verification config; maps Make parameters to wolfCrypt defines.
  • include/user_settings/hash_dispatch.h: New: includes hash fragments based on WOLFBOOT_HASH_*.
  • include/user_settings/hash_sha384.h: New: SHA-384 hash selection fragment (+ optional NO_SHA256).
  • include/user_settings/hash_sha3.h: New: SHA3-384 hash selection fragment (+ optional NO_SHA256).
  • include/user_settings/encrypt.h: New: EXT_ENCRYPTED / SECURE_PKCS11 wolfCrypt configuration.
  • include/user_settings/trustzone.h: New: TrustZone secure-mode wolfCrypt configuration.
  • include/user_settings/tpm.h: New: wolfTPM-related config for WOLFBOOT_TPM builds.
  • include/user_settings/wolfhsm.h: New: crypto-callback/key-gen config for wolfHSM client/server builds.
  • include/user_settings/cert_chain.h: New: cert-chain verify mode config for wolfHSM server.
  • include/user_settings/renesas.h: New: Renesas HW crypto offload settings.
  • include/user_settings/platform.h: New: platform-specific SP-math word-size and minor platform knobs.
  • include/user_settings/test_bench.h: New: test/benchmark-specific configuration and RNG selection.
  • include/user_settings/finalize.h: New: reconciles WOLFBOOT_NEEDS_* into NO_* / WC_NO_* and global disables.

@bigbrett bigbrett self-assigned this May 4, 2026