From 0ab3558944ac4eb59d310a71f797b7e21beaa472 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 21 Nov 2025 14:17:44 -0800
Subject: [PATCH] Update submodules for release
---
 .github/workflows/test-wolfhsm-simulator.yml | 3 ++-
 lib/wolfHSM | 2 +-
 lib/wolfPKCS11 | 2 +-
 lib/wolfssl | 2 +-
 options.mk | 1 +
 src/image.c | 11 ++++++-----
 tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit | 3 ++-
 7 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/test-wolfhsm-simulator.yml b/.github/workflows/test-wolfhsm-simulator.yml
index 8c56321c09..be55426e0a 100644
--- a/.github/workflows/test-wolfhsm-simulator.yml
+++ b/.github/workflows/test-wolfhsm-simulator.yml
@@ -111,7 +111,8 @@ jobs:
 echo "obj 1 0xFFFF 0x0000 \"cert CA\" ../../../../../test-dummy-ca/root-cert.der" >> $tmpfile
 ./Build/wh_posix_server.elf --type tcp --nvminit $tmpfile &
 else
- ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --key ../../../../../wolfboot_signing_private_key_pub.der &
+ # --flags=0x100 sets the WH_NVM_FLAGS_USAGE_VERIFY flag
+ ./Build/wh_posix_server.elf --type tcp --client 12 --id 255 --flags 0x100 --key ../../../../../wolfboot_signing_private_key_pub.der &
 fi
 TCP_SERVER_PID=$!
 echo "TCP_SERVER_PID=$TCP_SERVER_PID" >> $GITHUB_ENV
diff --git a/lib/wolfHSM b/lib/wolfHSM
index 8ac56d7267..76da7ddfa9 160000
--- a/lib/wolfHSM
+++ b/lib/wolfHSM
@@ -1 +1 @@
-Subproject commit 8ac56d726732ac6bd9cc2da3aef066c7daaddf9e
+Subproject commit 76da7ddfa9e8657587180a94f3a60eacbd3a6d58
diff --git a/lib/wolfPKCS11 b/lib/wolfPKCS11
index 81af264474..52be35889a 160000
--- a/lib/wolfPKCS11
+++ b/lib/wolfPKCS11
@@ -1 +1 @@
-Subproject commit 81af2644740c7c0b5bd810f0525f86451ec0146c
+Subproject commit 52be35889a76ecf208ea6049c04ea8a0a3ce2ae6
diff --git a/lib/wolfssl b/lib/wolfssl
index 8d357de6d8..59f4fa5686 160000
--- a/lib/wolfssl
+++ b/lib/wolfssl
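Review bot: The added comment in the test-wolfhsm-simulator.yml hunk spells the option `--flags=0x100` while the command on the next line passes `--flags 0x100`, and the value is a bare literal that has to stay in step with WH_NVM_FLAGS_USAGE_VERIFY in the wolfHSM submodule this same commit bumps. Suggest `# --flags 0x100 == WH_NVM_FLAGS_USAGE_VERIFY (wolfHSM NVM flags); update if the flag value changes`, so a later submodule bump that renumbers the flag is noticed in review rather than as a verification failure in the simulator job. The `--nvminit` branch above is not changed by this hunk, so whether key entries loaded through that path carry the same usage flag cannot be confirmed from the lines shown.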
@@ -1 +1 @@
-Subproject commit 8d357de6d804495c34219689119e1d6360791486
+Subproject commit 59f4fa568615396fbf381b073b220d1e8d61e4c2
diff --git a/options.mk b/options.mk
index 9ccc779191..ebc7204dc0 100644
--- a/options.mk
+++ b/options.mk
@@ -950,6 +950,7 @@ ifeq ($(WOLFHSM_SERVER),1)
 $(WOLFBOOT_LIB_WOLFHSM)/src/wh_comm.o \
 $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm.o \
 $(WOLFBOOT_LIB_WOLFHSM)/src/wh_nvm_flash.o \
+ $(WOLFBOOT_LIB_WOLFHSM)/src/wh_keyid.o \
 $(WOLFBOOT_LIB_WOLFHSM)/src/wh_flash_unit.o \
 $(WOLFBOOT_LIB_WOLFHSM)/src/wh_crypto.o \
 $(WOLFBOOT_LIB_WOLFHSM)/src/wh_server.o \
diff --git a/src/image.c b/src/image.c
index 5c776ae6d8..998c62027f 100644
--- a/src/image.c
+++ b/src/image.c
@@ -486,8 +486,8 @@ static void wolfBoot_verify_signature_rsa(uint8_t key_slot,
 #else
 whKeyId hsmKeyId = WH_KEYID_ERASED;
 /* Cache the public key on the server */
- ret = wh_Client_KeyCache(&hsmClientCtx, 0, NULL, 0, pubkey, pubkey_sz,
- &hsmKeyId);
+ ret = wh_Client_KeyCache(&hsmClientCtx, WH_NVM_FLAGS_USAGE_VERIFY, NULL, 0,
+ pubkey, pubkey_sz, &hsmKeyId);
 if (ret != WH_ERROR_OK) {
 return;
 }
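Review bot: Only the RSA path's `wh_Client_KeyCache` call is switched from flags `0` to `WH_NVM_FLAGS_USAGE_VERIFY` in this hunk, and the diffstat shows no other `src/image.c` change apart from the cert-chain calls in `wolfBoot_verify_authenticity`. If the other signature back-ends in this file also cache or import the public key on the HSM with flags `0`, they presumably need the same flag once the bumped wolfHSM enforces key usage, so a verify run per supported algorithm is worth doing before release. The existing comment could record the intent, e.g. `/* Cache the public key on the server, restricted to verify-only usage */`. The body of `wolfBoot_verify_signature_rsa` starts and ends outside the hunk, so whether the cached key is evicted on every exit path cannot be checked from here.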
@@ -2102,18 +2102,19 @@ int wolfBoot_verify_authenticity(struct wolfBoot_image *img)
 "verifying cert chain and caching leaf pubkey (using DMA)\n");
 hsm_ret = wh_Client_CertVerifyDmaAndCacheLeafPubKey(
 &hsmClientCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
- &g_certLeafKeyId, &cert_verify_result);
+ WH_NVM_FLAGS_USAGE_VERIFY, &g_certLeafKeyId, &cert_verify_result);
 #else
 wolfBoot_printf("verifying cert chain and caching leaf pubkey\n");
 hsm_ret = wh_Client_CertVerifyAndCacheLeafPubKey(
 &hsmClientCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
- &g_certLeafKeyId, &cert_verify_result);
+ WH_NVM_FLAGS_USAGE_VERIFY, &g_certLeafKeyId, &cert_verify_result);
 #endif
 #elif defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)
 wolfBoot_printf("verifying cert chain and caching leaf pubkey\n");
 hsm_ret = wh_Server_CertVerify(
 &hsmServerCtx, cert_chain, cert_chain_size, hsmNvmIdCertRootCA,
- WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, &g_certLeafKeyId);
+ WH_CERT_FLAGS_CACHE_LEAF_PUBKEY, WH_NVM_FLAGS_USAGE_VERIFY,
+ &g_certLeafKeyId);
 if (hsm_ret == WH_ERROR_OK) {
 cert_verify_result = 0;
 }
diff --git a/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit b/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit
index 1c8bc9402e..8966cb739e 100644
--- a/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit
+++ b/tools/scripts/tc3xx/wolfBoot-wolfHSM-keys.nvminit
@@ -2,4 +2,5 @@ # # Key format is: # key
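Review bot: `WH_NVM_FLAGS_USAGE_VERIFY` is now repeated at the three cert-verify call sites in `wolfBoot_verify_authenticity` and again at the `wh_Client_KeyCache` call in `wolfBoot_verify_signature_rsa`, so the usage policy for boot-time public keys is stated in four places. A single file-local constant, for example `#define WOLFBOOT_HSM_PUBKEY_FLAGS WH_NVM_FLAGS_USAGE_VERIFY` (the name is only a suggestion), with a one-line comment that keys cached for image authentication are meant for verification only, would keep the client, DMA and server paths from drifting apart. The extra argument also changes the wolfHSM call signatures, so this file builds only against the submodule revision pinned by this commit; a line in the commit description would help integrators who vendor wolfHSM separately. The enclosing function continues outside the hunk.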