Add image manager

[bigbrett]

Adds a configurable image verification system to wolfHSM server with callback-based architecture for cryptographic verification and post-verification actions. The image manager is meant to be standalone (not coupled to one specific server) but each registered client image does need to reference the server context that corresponds to the client image being verified, since it needs to know which DMA callbacks to invoke (could be different per-client) and which keycache to use to hold temporary data.

Key components

• Image Manager Context: Manages multiple images with their verification parameters (address, size, key ID, signature NVM ID)
• Verification Methods: Built-in support for ECC P256/SHA256, RSA2048/SHA256, and AES128 CMAC, or user can register a custom method callback
• Verification Actions: Configurable callbacks for post-verification behavior (e.g. releasing client cores)
• Images are bound to a server context, allowing for use of client-specific DMA callbacks and keycache
• DMA Support: Full integration with wolfHSM DMA address translation

API Functions

• wh_Server_ImgMgrInit() - Initialize with image configuration
• wh_Server_ImgMgrVerifyImg() - Verify single image by reference
• wh_Server_ImgMgrVerifyImgIdx() - Verify single image by index
• wh_Server_ImgMgrVerifyAll() - Verify all registered images

Built-in Verification Methods

• wh_Server_ImgMgrVerifyMethodEccWithSha256() - ECC P256 signature verification
• wh_Server_ImgMgrVerifyMethodRsaSslWithSha256() - RSA2048 SSL signature verification
• wh_Server_ImgMgrVerifyMethodAesCmac() - AES128 CMAC verification

Configuration Options

• WOLFHSM_CFG_SERVER_IMG_MGR_MAX_IMG_COUNT - Maximum images (default: 4)
• WOLFHSM_CFG_SERVER_IMG_MGR_MAX_SIG_SIZE - Maximum signature size (default: 512 bytes for RSA4096)

Future Work

• Potentially make entire server context pointer optional (allowed to be NULL) and only use keystore/DMA functionality if not NULL
• Decouple from WOLFHSM_CFG_NO_CRYPTO once keystore module is refactored to also not depend on this feature macro
• Additional verification methods
• More testing

[billphipps]

Excellent! I had a couple of questions/ideas about return values, but this is a great framework!

[Copilot]

Pull Request Overview

Adds a standalone image manager module to the wolfHSM server for configurable cryptographic image verification with callback-based post-verification actions.

• Define configuration macros for max images and signature buffer size
• Introduce image manager API (init, verify by reference/index/all) and built-in ECC, RSA, CMAC methods
• Wire image manager into server build and extend tests

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
wolfhsm/wh_settings.h	Added macros for max image count and max signature size
wolfhsm/wh_server_img_mgr.h	Declared image manager types, API, and callbacks
wolfhsm/wh_server.h	Removed padding field from server context struct
wolfhsm/wh_error.h	Fixed typo in error enumeration comment
test/wh_test_server_img_mgr.*	Added header and comprehensive tests for image manager
test/wh_test.c	Included image manager tests in main test suite
test/config/wolfhsm_cfg.h	Enabled image manager feature for tests
test/Makefile	Added img_mgr sources to test build
src/wh_server_img_mgr.c	Implemented image manager initialization and verification

Comments suppressed due to low confidence (3)

wolfhsm/wh_server.h:206

• [nitpick] Removing the WH_PAD field changes the struct size and alignment of whServerContext_t. Please verify that this was intentional and that no ABI or packing assumptions are broken.

    uint16_t           cancelSeq;

wolfhsm/wh_settings.h:61

• [nitpick] The comment * be managed Default: 4 is missing punctuation or a newline before “Default.” Consider rephrasing to * be managed. Default: 4 for clarity.

 * be managed Default: 4

src/wh_server_img_mgr.c:150

• wh_Server_ImgMgrVerifyImg always returns the local ret (from NVM operations) rather than propagating the verification callback results. To ensure callers see actual verification failures, consider returning result->verifyActionResult (or at least result->verifyMethodResult on failure) instead of the NVM read status.

    return ret;

[billphipps]

Looks great!