wolfSSL · bigbrett · Mar 30, 2026 · Apr 14, 2026 · Apr 14, 2026 · Apr 14, 2026
diff --git a/.github/workflows/test-cryptocb-simulator.yml b/.github/workflows/test-cryptocb-simulator.yml
@@ -0,0 +1,242 @@
+name: test simulator with crypto callback (cryptocb)
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '**' ]
+
+jobs:
+  cryptocb_simulator_tests:
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/wolfssl/wolfboot-ci-sim:v1.0
+    timeout-minutes: 30
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Trust workspace
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      # 64 bit simulator, cryptocb enabled
+      #
+      - name: make clean
+        run: |
+          make keysclean
+
+      - name: Select config (64 bit simulator)
+        run: |
+          cp config/examples/sim.config .config
+
+      - name: Build tools
+        run: |
+          make -C tools/keytools && make -C tools/bin-assemble
+
+      # Classical algorithms (each tested once with SPMATH=1)
+      # Note: ECC uses wc_ecc_verify_hash_ex which bypasses cryptocb PK dispatch,
+      # so we only verify hash for ECC. ED25519 and RSA dispatch PK through cryptocb.
+      #
+      - name: Build wolfboot.elf (ED25519, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=ED25519 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (ED25519)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256" "ED25519-verify"
+
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (ECC256, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=ECC256 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (ECC256)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256"
+
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (ECC384, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=ECC384 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (ECC384)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256"
+
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (ECC521, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=ECC521 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (ECC521)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256"
+
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (RSA2048, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=RSA2048 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (RSA2048)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256" "RSA"
+
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (RSA3072, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=RSA3072 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (RSA3072)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256" "RSA"
+
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (RSA4096, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=RSA4096 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (RSA4096)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256" "RSA"
+
+      # SHA-384 hash coverage (paired with algorithms that naturally use 384-bit)
+      #
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (ECC384 + SHA384, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=ECC384 HASH=SHA384 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (ECC384 + SHA384)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-384"
+
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (RSA4096 + SHA384, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=RSA4096 HASH=SHA384 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (RSA4096 + SHA384)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-384" "RSA"
+
+      # SHA3-384 hash coverage
+      #
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (ECC384 + SHA3-384, cryptocb)
+        run: |
+          make clean && make test-sim-internal-flash-with-update SIGN=ECC384 HASH=SHA3 SPMATH=1 WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (ECC384 + SHA3-384)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA3-384"
+
+      # AES encrypted partition coverage (external flash + AES128-CTR)
+      #
+      - name: Cleanup to change key type
+        run: |
+          make keysclean
+
+      - name: Build wolfboot.elf (ED25519 + AES128 encrypt, cryptocb)
+        run: |
+          cp config/examples/sim-encrypt-update.config .config
+          make clean && make test-sim-external-flash-with-enc-update WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run cryptocb sunnyday test (ED25519 + AES128 encrypt)
+        run: |
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256" "ED25519-verify" "AES-CTR"
+
+      # PQ algorithms (each uses its own config, build + test inline)
+      #
+      - name: Build and test LMS (cryptocb)
+        run: |
+          cp config/examples/sim-lms.config .config
+          make keysclean && make clean
+          make keytools
+          make test-sim-internal-flash-with-update WOLFBOOT_TEST_SIM_CRYPTOCB=1
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256"
+
+      - name: Build and test XMSS (cryptocb)
+        run: |
+          cp config/examples/sim-xmss.config .config
+          make keysclean && make clean
+          make keytools
+          make test-sim-internal-flash-with-update WOLFBOOT_TEST_SIM_CRYPTOCB=1
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256"
+
+      - name: Build and test ML-DSA level 2 (cryptocb)
+        run: |
+          cp config/examples/sim-ml-dsa.config .config
+          make keysclean && make clean
+          make keytools
+          make test-sim-internal-flash-with-update WOLFBOOT_TEST_SIM_CRYPTOCB=1
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256" "ML-DSA-verify"
+
+      - name: Build and test ML-DSA level 3 (cryptocb)
+        run: |
+          cp config/examples/sim-ml-dsa3.config .config
+          make keysclean && make clean
+          make keytools
+          make test-sim-internal-flash-with-update WOLFBOOT_TEST_SIM_CRYPTOCB=1
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256" "ML-DSA-verify"
+
+      - name: Build and test ML-DSA level 5 (cryptocb)
+        run: |
+          cp config/examples/sim-ml-dsa5.config .config
+          make keysclean && make clean
+          make keytools
+          make test-sim-internal-flash-with-update WOLFBOOT_TEST_SIM_CRYPTOCB=1
+          tools/scripts/sim-cryptocb-sunnyday-update.sh "SHA-256" "ML-DSA-verify"
+
+      # Hybrid auth: ML_DSA + ECDSA
+      #
+      - name: make clean (hybrid)
+        run: |
+          make keysclean
+
+      - name: Select config (hybrid ML_DSA + ECC)
+        run: |
+          cp config/examples/sim-ml-dsa-ecc-hybrid.config .config
+
+      - name: Build tools (hybrid)
+        run: |
+          make -C tools/keytools && make -C tools/bin-assemble
+
+      - name: Build wolfboot.elf (hybrid, cryptocb)
+        run: |
+          make clean && make WOLFBOOT_TEST_SIM_CRYPTOCB=1
+
+      - name: Run hybrid boot test with cryptocb verification
+        run: |
+          ./wolfboot.elf get_version > sim_cryptocb.log 2>/dev/null
+          grep -q "sim-cryptocb: hash SHA-256" sim_cryptocb.log || (echo "hash SHA-256 not found" && cat sim_cryptocb.log && exit 1)
+          grep -q "sim-cryptocb: pk ML-DSA-verify" sim_cryptocb.log || (echo "pk ML-DSA-verify not found" && cat sim_cryptocb.log && exit 1)
+          echo "Hybrid cryptocb verification passed"
diff --git a/IDE/Renesas/e2studio/RA6M4/wolfBoot/user_settings.h b/IDE/Renesas/e2studio/RA6M4/wolfBoot/user_settings.h
@@ -60,6 +60,9 @@
 #   define WOLF_CRYPTO_CB
 #   define RENESAS_SCE_INSTALLEDKEY_ADDR 0x08001000U
 #   define SCE_ID 7890
+#   define RENESAS_DEVID SCE_ID
+#   define WOLFBOOT_DEVID_PUBKEY SCE_ID
+#   define WOLFBOOT_DEVID_CRYPT (SCE_ID + 1)
 #   undef  VECTOR_Reset_Handler
 #   define VECTOR_Reset_Handler ((uint32_t *)(0x20204))
 ...

diff --git a/IDE/Renesas/e2studio/RX72N/include/user_settings.h b/IDE/Renesas/e2studio/RX72N/include/user_settings.h
@@ -42,6 +42,8 @@
 #   define WOLF_CRYPTO_CB
 #   define RENESAS_TSIP_INSTALLEDKEY_ADDR 0xFFFF0000
 #   define RENESAS_DEVID 7890
+#   define WOLFBOOT_DEVID_PUBKEY RENESAS_DEVID
+#   define WOLFBOOT_DEVID_CRYPT (RENESAS_DEVID + 1)
 #else
     #define WOLFBOOT_SIGN_RSA2048
     /* #define WOLFBOOT_SIGN_RSA3072 */

diff --git a/IDE/Renesas/e2studio/RZN2L/user_settings.h b/IDE/Renesas/e2studio/RZN2L/user_settings.h
@@ -56,6 +56,8 @@
     #define RENESAS_RSIP_INSTALLEDKEY_FLASH_ADDR  0x60200000
     #define RENESAS_RSIP_INSTALLEDKEY_RAM_ADDR    0x10000100
     #define RENESAS_DEVID 7890
+    #define WOLFBOOT_DEVID_PUBKEY RENESAS_DEVID
+    #define WOLFBOOT_DEVID_CRYPT (RENESAS_DEVID + 1)
 
     #if defined(WOLFBOOT_SIGN_RSA3072) ||\
         defined(WOLFBOOT_SIGN_RSA4096) ||\

diff --git a/arch.mk b/arch.mk
@@ -504,6 +504,8 @@ ifeq ($(ARCH),RENESAS_RX)
 
   ifeq ($(PKA),1)
     CFLAGS+=-DWOLFBOOT_RENESAS_TSIP
+    CFLAGS+=-DWOLFBOOT_DEVID_PUBKEY=7890
+    CFLAGS+=-DWOLFBOOT_DEVID_CRYPT=7891
     RX_DRIVER_PATH?=./lib
 
     OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/cryptocb.o \

diff --git a/hal/sim.c b/hal/sim.c
@@ -48,6 +48,66 @@
 #include "elf.h"
 #endif
 
+#if defined(WOLFBOOT_TEST_SIM_CRYPTOCB) && defined(__WOLFBOOT)
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/cryptocb.h>
+
+/* Crypto callback that prints dispatched algorithm names to stdout, then
+ * returns CRYPTOCB_UNAVAILABLE to trigger software fallback.  Test scripts
+ * redirect stdout to a log and grep for "sim-cryptocb: <type> <name>" lines.
+ *
+ * NOTE: We only need to support the algorithms used by wolfBoot that also have
+ * internal support for crypto callbacks. Algorithms like ED448 do not need to
+ * be handled here since they do not dispatch to a crypto callback internally.
+ */
+static int sim_cryptocb(int devIdArg, wc_CryptoInfo* info, void* ctx)
+{
+    (void)devIdArg;
+    (void)ctx;
+
+    if (info == NULL)
+        return CRYPTOCB_UNAVAILABLE;
+
+    if (info->algo_type == WC_ALGO_TYPE_HASH) {
+        const char* name = "unknown";
+        switch (info->hash.type) {
+            case WC_HASH_TYPE_SHA256:  name = "SHA-256";  break;
+            case WC_HASH_TYPE_SHA384:  name = "SHA-384";  break;
+            case WC_HASH_TYPE_SHA3_384: name = "SHA3-384"; break;
+            default: break;
+        }
+        printf("sim-cryptocb: hash %s\n", name);
+    }
+    else if (info->algo_type == WC_ALGO_TYPE_PK) {
+        const char* name = "unknown";
+        switch (info->pk.type) {
+            case WC_PK_TYPE_RSA:            name = "RSA";            break;
+            case WC_PK_TYPE_ECDSA_VERIFY:   name = "ECDSA-verify";   break;
+            case WC_PK_TYPE_ED25519_VERIFY: name = "ED25519-verify"; break;
+        #ifdef HAVE_DILITHIUM
+            case WC_PK_TYPE_PQC_SIG_VERIFY:
+                name = "ML-DSA-verify";
+                break;
+        #endif
+            default: break;
+        }
+        printf("sim-cryptocb: pk %s\n", name);
+    }
+    #if !defined(NO_AES) || !defined(NO_DES3)
+    else if (info->algo_type == WC_ALGO_TYPE_CIPHER) {
+        const char* name = "unknown";
+        switch (info->cipher.type) {
+            case WC_CIPHER_AES_CTR: name = "AES-CTR"; break;
+            default: break;
+        }
+        printf("sim-cryptocb: cipher %s\n", name);
+    }
+    #endif
+
+    return CRYPTOCB_UNAVAILABLE;
+}
+#endif /* WOLFBOOT_TEST_SIM_CRYPTOCB && __WOLFBOOT */
+
 #ifdef WOLFBOOT_ENABLE_WOLFHSM_CLIENT
 #include "wolfhsm/wh_error.h"
 #include "wolfhsm/wh_client.h"
@@ -438,6 +498,24 @@ void hal_init(void)
         else if (strcmp(main_argv[i], "emergency") == 0)
             forceEmergency = 1;
     }
+
+#if defined(WOLFBOOT_TEST_SIM_CRYPTOCB) && defined(__WOLFBOOT)
+    {
+        int cb_ret;
+        wolfCrypt_Init();
+        /* simulator WOLFBOOT_DEVID_XXX are all the same, only need to register
+         * one of them for the sim test - chose hash. */
+        cb_ret = wc_CryptoCb_RegisterDevice(WOLFBOOT_DEVID_HASH,
+            sim_cryptocb, NULL);
+        if (cb_ret != 0) {
+            wolfBoot_printf("Failed to register sim crypto callback: %d\n",
+                cb_ret);
+            exit(-1);
+        }
+        wolfBoot_printf("Registered sim_cryptocb with devId %d\n",
+            WOLFBOOT_DEVID_HASH);
+    }
+#endif
 }
 
 void ext_flash_lock(void)
@@ -583,6 +661,7 @@ void do_boot(const uint32_t *app_offset)
     }
     wolfBoot_printf("Stored test-app to memfd, address %p (%zu bytes)\n", app_offset, wret);
 
+    fflush(stdout);
     ret = fexecve(fd, main_argv, envp);
     wolfBoot_printf( "fexecve error\n");
 #endif