review: copilot cleanups

bigbrett · bigbrett · commit 53922ef75d36 · 2026-05-07T09:57:48.000-06:00
diff --git a/include/user_settings/cascade.h b/include/user_settings/cascade.h
@@ -51,10 +51,9 @@
 #  endif
 #endif
 
-/* Any RSA SIGN flag (or WOLFCRYPT_SECURE_MODE without PKCS11_SMALL) means
- * the build links wolfCrypt's RSA code. sign_rsa.h handles the actual
- * configuration; the marker is set here so finalize.h can see it ahead
- * of finalize-time and skip NO_ASN. */
+/* Single source of truth for "this build links wolfCrypt's RSA code".
+ * Tested by sign_rsa.h's outer #if and by the WOLFBOOT_NEEDS_RSA marker
+ * below; finalize.h reads the marker to skip NO_RSA / NO_ASN. */
 #if defined(WOLFBOOT_SIGN_RSA2048)            || \
     defined(WOLFBOOT_SIGN_RSA3072)            || \
     defined(WOLFBOOT_SIGN_RSA4096)            || \
@@ -68,6 +67,12 @@
     defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
     defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) || \
     (defined(WOLFCRYPT_SECURE_MODE) && !defined(PKCS11_SMALL))
+#  ifndef WOLFBOOT_RSA_ENABLED
+#    define WOLFBOOT_RSA_ENABLED
+#  endif
+#endif
+
+#ifdef WOLFBOOT_RSA_ENABLED
 #  ifndef WOLFBOOT_NEEDS_RSA
 #    define WOLFBOOT_NEEDS_RSA
 #  endif
diff --git a/include/user_settings/sign_ecc.h b/include/user_settings/sign_ecc.h
@@ -83,8 +83,10 @@
 #  define HAVE_ECC_KEY_IMPORT
 #endif
 
-/* SP MATH */
-#if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
+/* SP MATH default for builds that did not go through the secure-mode/
+ * test/bench/wolfHSM #else branch above (which already sets these). */
+#if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL) && \
+    !defined(WOLFSSL_SP_MATH)
 #  define WOLFSSL_SP_MATH
 #  define WOLFSSL_SP_SMALL
 #  define WOLFSSL_HAVE_SP_ECC
diff --git a/include/user_settings/sign_rsa.h b/include/user_settings/sign_rsa.h
@@ -3,8 +3,8 @@
  * wolfCrypt configuration for RSA (PKCS#1 v1.5 and PSS) signature
  * verification.
  *
- * Active when any WOLFBOOT_SIGN_RSA{2048,3072,4096} (or RSAPSS, or
- * SECONDARY) is defined, or when WOLFCRYPT_SECURE_MODE && !PKCS11_SMALL.
+ * Active when WOLFBOOT_RSA_ENABLED is set by cascade.h (any RSA SIGN
+ * flag, or WOLFCRYPT_SECURE_MODE && !PKCS11_SMALL).
  *
  * The companion `NO_RSA` fallback (when RSA isn't enabled) is also in
  * this file, in the #else branch -- so the fragment is included
@@ -32,24 +32,13 @@
 #ifndef _WOLFBOOT_USER_SETTINGS_SIGN_RSA_H_
 #define _WOLFBOOT_USER_SETTINGS_SIGN_RSA_H_
 
-/* This fragment is included unconditionally by user_settings.h: the trigger
- * condition is here in the outer #if, and the #else branch defines NO_RSA
- * so downstream blocks that test `#if defined(NO_RSA)` (e.g. the NO_ASN
- * carve-out) keep seeing the same value. */
+/* This fragment is included unconditionally by user_settings.h. The opt-in
+ * condition lives in cascade.h as WOLFBOOT_RSA_ENABLED (single source of
+ * truth shared with the WOLFBOOT_NEEDS_RSA marker). The #else branch
+ * defines NO_RSA so downstream blocks that test `#if defined(NO_RSA)`
+ * (e.g. the hash_sha*.h NO_ASN carve-outs) keep seeing the same value. */
 
-#if defined(WOLFBOOT_SIGN_RSA2048)            || \
-    defined(WOLFBOOT_SIGN_RSA3072)            || \
-    defined(WOLFBOOT_SIGN_RSA4096)            || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSA2048)  || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSA3072)  || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSA4096)  || \
-    defined(WOLFBOOT_SIGN_RSAPSS2048)         || \
-    defined(WOLFBOOT_SIGN_RSAPSS3072)         || \
-    defined(WOLFBOOT_SIGN_RSAPSS4096)         || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096) || \
-    (defined(WOLFCRYPT_SECURE_MODE) && !defined(PKCS11_SMALL))
+#ifdef WOLFBOOT_RSA_ENABLED
 
 #define WC_RSA_BLINDING
 #define WC_RSA_DIRECT
@@ -132,7 +121,7 @@
 #  define RSA_MAX_SIZE 4096
 #endif
 
-#else /* No RSA SIGN flag, no SECURE_MODE without PKCS11_SMALL */
+#else /* !WOLFBOOT_RSA_ENABLED */
 #  define NO_RSA
 #endif
 
diff --git a/include/user_settings/trustzone.h b/include/user_settings/trustzone.h
@@ -40,12 +40,13 @@
 #endif
 
 #if defined(WOLFCRYPT_TZ_PSA)
+   /* WOLFSSL_AES_CFB is set by the SECURE_MODE block above (TZ_PSA implies
+    * SECURE_MODE in options.mk). */
 #  define WOLFSSL_AES_COUNTER
 #  define WOLFSSL_AES_GCM
 #  define HAVE_AESGCM
 #  define HAVE_AESCCM
 #  define HAVE_AES_ECB
-#  define WOLFSSL_AES_CFB
 #  define WOLFSSL_AES_OFB
 #  ifndef NO_DES3
 #    define NO_DES3
@@ -70,7 +71,8 @@
 #endif
 
 #if defined(WOLFBOOT_TZ_FWTPM)
-#  define WOLFSSL_AES_CFB
+   /* WOLFSSL_AES_CFB is set by the SECURE_MODE block above (TZ_FWTPM
+    * implies SECURE_MODE in options.mk). */
 #  define WOLFSSL_SHA384
 #endif
 
