Simplifications for user-supplied keys and certs; wolfHSM RSA4096 fixes

[bigbrett]

• Adds three new makefile variables (and some associated logic) to simplify building the test app using user-supplied keys or certificate chains
• Fixes bug where RSA IMAGE_HEADER_SIZES were hardcoded, breaking compatibility with cert chain inclusion
• adds new .config files for wolfHSM with RSA4096 (for sim and AURIX TC3), and makes associated CI and build system changes
• Updates wolfHSM to latest

[Copilot]

Pull request overview

This PR simplifies the external certificate chain handling in wolfBoot by removing the CERT_CHAIN_GEN variable and introducing user-provided key/certificate variables (USER_PRIVATE_KEY, USER_PUBLIC_KEY, USER_CERT_CHAIN). The changes streamline the build system to auto-generate dummy certificate chains when needed, while allowing users to supply their own keys and certificates for production use.

Key Changes

• Removed CERT_CHAIN_GEN flag; certificate chains are now auto-generated when CERT_CHAIN_VERIFY=1 is set without USER_CERT_CHAIN
• Added USER_PRIVATE_KEY, USER_PUBLIC_KEY, and USER_CERT_CHAIN variables for user-provided cryptographic materials
• Updated documentation to reflect the simplified workflow and new configuration options

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
Makefile	Added validation and logic for user-provided keys/certificates; simplified key selection flow
options.mk	Replaced CERT_CHAIN_GEN with auto-generation logic based on USER_CERT_CHAIN presence
test-app/Makefile	Removed unused RSA-specific IMAGE_HEADER_SIZE configuration
src/image.c	Added conditional compilation guard for wolfHSM client key eviction
include/user_settings.h	Extended conditional check to exclude RSA inline verification for wolfHSM modes
arch.mk	Added NVM image generation support for simulator; made NVM config files overridable
docs/compile.md	Added comprehensive documentation for key generation and user-provided key workflow
docs/Signing.md	Added Makefile usage examples for certificate chain signing
docs/keystore.md	Added reference to new key generation documentation
config/examples/*.config	Removed CERT_CHAIN_GEN=1 from example configurations
lib/wolfHSM	Updated submodule reference
tools/scripts/tc3xx/*.nvminit	Updated NVM object ID for certificate chain

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[danielinux]

Completely in favor of adding a mechanism to override key generation for the first make.

Unfortunately our keystore supports a similar but different feature, with similar wording, that might be confusing in the Signing.md

Side note, descriptions added in the documentation insist on the "default keystore with one key generated during make", which is just the 'quickstart' option

[bigbrett]

Hi @danielinux, yes you're right about the terminology overlap. I see how this is a bit confusing. My last commit adds some more color to hopefully clear this up. Let me know what you think.

For context, the whole reason I'm implementing this is to hopefully reduce complexity for evaluators on TC3xx. For standard and simple wolfBoot configuration on a single core MCU, there arent that many steps to keep track of so it is NBD. But for something like TC3xx with wolfHSM compatibility and cert chain auth, there are so many steps required to generate a bootable image that making any of the manual steps automated by the build system is actually quite helpful