From b58cbd9c1a2a07a7dc490eccdecc43ffaada224c Mon Sep 17 00:00:00 2001
From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com>
Date: Wed, 16 Oct 2024 17:10:43 -0600
Subject: [PATCH 1/3] add NVM provisioning tool

---
 .../workflows/build-and-test-whnvmtool.yml    |  39 ++
 port/posix/posix_transport_shm.c              |   6 +-
 src/wh_flash_ramsim.c                         |   8 +-
 src/wh_server_keystore.c                      |   2 +-
 tools/whnvmtool/.gitignore                    |   4 +
 tools/whnvmtool/Makefile                      |  92 +++
 tools/whnvmtool/README.md                     | 105 ++++
 tools/whnvmtool/test/Makefile                 |  69 +++
 tools/whnvmtool/test/data/key1.bin            |   1 +
 tools/whnvmtool/test/data/key2.bin            |   1 +
 tools/whnvmtool/test/data/obj1.bin            |   1 +
 tools/whnvmtool/test/data/obj2.bin            |   1 +
 tools/whnvmtool/test/nvminit/test.nvminit     |   8 +
 tools/whnvmtool/test/test_whnvmtool.c         | 431 +++++++++++++
 tools/whnvmtool/user_settings.h               | 160 +++++
 tools/whnvmtool/whnvmtool.c                   | 583 ++++++++++++++++++
 tools/whnvmtool/wolfhsm_cfg.h                 |  46 ++
 wolfhsm/wh_flash_ramsim.h                     |   3 +-
 18 files changed, 1553 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/build-and-test-whnvmtool.yml
 create mode 100644 tools/whnvmtool/.gitignore
 create mode 100644 tools/whnvmtool/Makefile
 create mode 100644 tools/whnvmtool/README.md
 create mode 100644 tools/whnvmtool/test/Makefile
 create mode 100644 tools/whnvmtool/test/data/key1.bin
 create mode 100644 tools/whnvmtool/test/data/key2.bin
 create mode 100644 tools/whnvmtool/test/data/obj1.bin
 create mode 100644 tools/whnvmtool/test/data/obj2.bin
 create mode 100644 tools/whnvmtool/test/nvminit/test.nvminit
 create mode 100644 tools/whnvmtool/test/test_whnvmtool.c
 create mode 100644 tools/whnvmtool/user_settings.h
 create mode 100644 tools/whnvmtool/whnvmtool.c
 create mode 100644 tools/whnvmtool/wolfhsm_cfg.h

diff --git a/.github/workflows/build-and-test-whnvmtool.yml b/.github/workflows/build-and-test-whnvmtool.yml
new file mode 100644
index 00000000..503280a6
--- /dev/null
+++ b/.github/workflows/build-and-test-whnvmtool.yml
@@ -0,0 +1,39 @@
+name: whnvmtool build and test
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    # List host CPU info
+    - name: Host CPU info
+      run: cat /proc/cpuinfo
+
+    # List compiler version
+    - name: List compiler version
+      run: gcc --version
+
+    # pull and build wolfssl
+    - name: Checkout wolfssl
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    # Build and test standard build of whnvmtool
+    - name: Build and test NVM tool
+      run: cd tools/whnvmtool && make clean && make check WOLFSSL_DIR=../../wolfssl
+
+    # Build and test ASAN
+    - name: Build and test NVM tool with ASAN
+      run: cd tools/whnvmtool && make clean && make check WOLFSSL_DIR=../../wolfssl ASAN=1
+
diff --git a/port/posix/posix_transport_shm.c b/port/posix/posix_transport_shm.c
index 0ecbe9dc..d558f5fc 100644
--- a/port/posix/posix_transport_shm.c
+++ b/port/posix/posix_transport_shm.c
@@ -1,4 +1,3 @@
-
 #include <fcntl.h>     /* For O_* constants */
 #include <sys/mman.h>  /* For shm_open, mmap */
 #include <sys/stat.h>  /* For mode constants */
@@ -7,6 +6,7 @@
 #include <stdlib.h>    /* For exit */
 #include <string.h>    /* For memset */
 #include <stdint.h>
+#include <stdio.h>
 
 #include "wolfhsm/wh_error.h"
 #include "wolfhsm/wh_utils.h"
@@ -370,7 +370,7 @@ int posixTransportShm_ServerInit(void* c, const void* cf,
 
     if (ret == WH_ERROR_OK) {
         memset(ctx, 0, sizeof(*ctx));
-        strncpy(ctx->name,  config->name, sizeof(ctx->name));
+        snprintf(ctx->name, sizeof(ctx->name), "%s", config->name);
         ctx->connectcb = connectcb;
         ctx->connectcb_arg = connectcb_arg;
 
@@ -416,7 +416,7 @@ int posixTransportShm_ClientInit(void* c, const void* cf,
     }
 
     memset(ctx, 0, sizeof(*ctx));
-    strncpy(ctx->name,  config->name, sizeof(ctx->name));
+    snprintf(ctx->name, sizeof(ctx->name), "%s", config->name);
     ctx->connectcb = connectcb;
     ctx->connectcb_arg = connectcb_arg;
 
diff --git a/src/wh_flash_ramsim.c b/src/wh_flash_ramsim.c
index c5316e24..3f4b0e10 100644
--- a/src/wh_flash_ramsim.c
+++ b/src/wh_flash_ramsim.c
@@ -74,8 +74,12 @@ int whFlashRamsim_Init(void* context, const void* config)
         return WH_ERROR_BADARGS;
     }
 
-    /* Simulate starting from erased flash */
-    memset(ctx->memory, ctx->erasedByte, ctx->size);
+    /* Initialize memory based on initData or simulate starting from erased flash */
+    if (cfg->initData != NULL) {
+        memcpy(ctx->memory, cfg->initData, ctx->size);
+    } else {
+        memset(ctx->memory, ctx->erasedByte, ctx->size);
+    }
 
     return WH_ERROR_OK;
 }
diff --git a/src/wh_server_keystore.c b/src/wh_server_keystore.c
index 642240bf..c9212162 100644
--- a/src/wh_server_keystore.c
+++ b/src/wh_server_keystore.c
@@ -529,7 +529,7 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
             ret = hsmCacheKey(server, meta, in);
         }
         if (ret == 0) {
-            /* remove the cleint_id, client may set type */
+            /* remove the client_id, client may set type */
             packet->keyCacheRes.id = WH_KEYID_ID(meta->id);
             *size = WH_PACKET_STUB_SIZE + sizeof(packet->keyCacheRes);
         }
diff --git a/tools/whnvmtool/.gitignore b/tools/whnvmtool/.gitignore
new file mode 100644
index 00000000..3d2de7b6
--- /dev/null
+++ b/tools/whnvmtool/.gitignore
@@ -0,0 +1,4 @@
+whnvmtool
+whNvmImage.bin
+whNvmImage.hex
+test/test_whnvmtool
diff --git a/tools/whnvmtool/Makefile b/tools/whnvmtool/Makefile
new file mode 100644
index 00000000..653b25d8
--- /dev/null
+++ b/tools/whnvmtool/Makefile
@@ -0,0 +1,92 @@
+TARGET = whnvmtool
+CC ?= gcc
+
+# wolfHSM source files
+WOLFHSM_DIR ?= $(CURDIR)/../../
+WOLFHSM_SRC = $(wildcard $(WOLFHSM_DIR)/src/*.c)
+WOLFHSM_SRC += $(wildcard $(WOLFHSM_DIR)/port/posix/*.c)
+
+# wolfCrypt source files
+WOLFSSL_DIR ?= $(CURDIR)/../../../wolfssl
+WOLFCRYPT_SRC = \
+	$(WOLFSSL_DIR)/wolfcrypt/src/wc_port.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/memory.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/misc.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/cryptocb.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/random.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/asn.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/coding.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/wolfmath.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/tfm.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/fe_operations.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/rsa.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/curve25519.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/hash.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/sha256.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/aes.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/ecc.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/cmac.c
+
+
+SRC = \
+	$(WOLFHSM_SRC) \
+	$(WOLFCRYPT_SRC) \
+	$(TARGET).c
+
+
+INCLUDE_DIRS = \
+	-I$(WOLFHSM_DIR) \
+	-I$(WOLFSSL_DIR) \
+	-I.
+
+LIBS = \
+	-lm \
+	-lpthread
+
+LIB_DIRS =
+
+CFLAGS = -Wall $(INCLUDE_DIRS)
+CFLAGS += -DWOLFSSL_USER_SETTINGS
+CFLAGS += -std=c90 -D_GNU_SOURCE -Wno-cpp
+
+CFLAGS_EXTRA =  # Additional CFLAGS from the command line
+LDFLAGS = $(LIB_DIRS) $(LIBS)
+OUT = $(TARGET) # Output executable name
+
+# DEBUG flag
+ifeq ($(DEBUG), 1)
+	CFLAGS += -g -O0 -DDEBUG -ggdb3
+else
+	CFLAGS += -O2
+endif
+
+ifeq ($(ASAN), 1)
+	CFLAGS_EXTRA += -fsanitize=address
+endif
+
+# Targets
+all: $(OUT)
+
+$(OUT): $(SRC)
+	$(CC) $(CFLAGS) $(CFLAGS_EXTRA) $(SRC) -o $(OUT) $(LDFLAGS)
+
+# Generate the test NVM image
+test-gen: $(OUT)
+	rm -f whNvmImage.bin whNvmImage.hex
+	./$(OUT) --test test/nvminit/test.nvminit --invert-erased-byte
+
+# Run the test suite, which requires first generating the test NVM image
+check: test
+test: $(OUT) test-gen
+	$(MAKE) -C test/ CFLAGS_EXTRA="-DFLASH_ERASED_BYTE=0x00 $(CFLAGS_EXTRA)" WOLFSSL_DIR=$$(realpath $(WOLFSSL_DIR))
+	cd test && ./test_whnvmtool
+
+clean: clean-test
+	rm -f whNvmImage.bin whNvmImage.hex
+	rm -f $(OUT)
+
+clean-test:
+	$(MAKE) -C test clean
+
+# PHONY targets
+.PHONY: all clean test-gen test
diff --git a/tools/whnvmtool/README.md b/tools/whnvmtool/README.md
new file mode 100644
index 00000000..b0788de9
--- /dev/null
+++ b/tools/whnvmtool/README.md
@@ -0,0 +1,105 @@
+# whnvmtool
+
+## Overview
+`whnvmtool` is a utility for creating Non-Volatile Memory (NVM) images for wolfHSM. It allows users to create NVM images with predefined objects and keys, which can be used for provisioning a wolfHSM device. THe tool creates an NVM image and loads it with objects and keys specified by the user in a configuration file. The generated image can then be loaded into device memory, or used for to initialize an instance of a `whNvmFlash` provider.
+
+## Supported NVM Providers
+
+Currently, `whnvmtool` only supports the `whNvmFlash` provider.
+
+## Usage
+
+```
+./whnvmtool [--test] [--image[=<file>]] [--size <size>] [--invert-erased-byte] <config-file>
+```
+
+- `--image[=<file>]`: Specifies the output NVM image file. If not provided, defaults to `whNvmImage.bin`.
+- `--size <size>`: Sets the partition size for the NVM image. Can be specified in decimal or hexadecimal (with '0x' prefix).
+- `--invert-erased-byte`: Inverts the erased byte value (default is 0xFF, this option changes it to 0x00).
+- `--test`: Enables test mode. In this mode, the tool generates an intermediate file (`nvm_metadata.txt`) containing comma separated metadata ID/file path pairs, associating each object ID with the file path containing the object's original data. This option is used by the `whnvmtool` tests to verify the contents of the generated NVM image, and is not required for normal operation.
+
+## Configuration File Schema
+
+The configuration file follows a specific schema for defining objects and keys to be stored in the NVM image. Each line in the file represents either an object or a key entry. The schema also supports comments and empty lines for readability. Comments use the `#` character, and all text after the `#` on a line is ignored. There are no multi-line comments.
+
+### Object Entry Format
+
+Lines beginning with `obj` define objects to be stored in the NVM image. The format of an object entry is as follows:
+
+```
+obj <metaDataId> <access> <flags> <label> <file>
+```
+
+where:
+
+- `<metaDataId>`: Unsigned 16-bit integer (0-65535) representing the object metadata ID.
+- `<access>`: Unsigned 16-bit integer (0-65535) representing the access permissions.
+- `<flags>`: Unsigned 16-bit integer (0-65535) representing object flags.
+- `<label>`: Label string enclosed in double quotes, maximum 24 characters.
+- `<file>`: Valid file path to a file containing the object's data. Data will be read from this file and stored in the NVM object.
+
+### Key Entry Format
+
+Lines beginning with `key` define keys (a special case of NVM objects)to be stored in the NVM image. The format of a key entry is as follows:
+
+```
+key <clientId> <keyId> <access> <flags> <label> <file>
+```
+
+where:
+
+- `<clientId>`: Unsigned 8-bit integer (0-255) representing the client ID the key belongs to.
+- `<keyId>`: Unsigned 16-bit integer (0-65535) representing the key ID.
+- `<access>`: Unsigned 16-bit integer (0-65535) representing access permissions.
+- `<flags>`: Unsigned 16-bit integer (0-65535) representing key flags.
+- `<label>`: Label string enclosed in double quotes, maximum 24 characters.
+- `<file>`: Valid file path to a file containing the key's data. Data will be read from this file and stored in the NVM key.
+
+
+### General Schema Rules and Restrictions
+
+1. Each entry must be on a separate line.
+2. Fields must be separated by single spaces.
+3. The `<label>` field must be enclosed in double quotes and cannot contain newlines.
+4. Comments can be added using the `#` character. Anything after `#` on a line is ignored.
+5. Empty lines and lines containing only whitespace or comments are ignored.
+6. `<id>`, `<client_id>`, `<key_id>`, `<access>`, and `<flags>` can be specified in decimal or hexadecimal (with '0x' prefix).
+7. File paths must be valid and accessible.
+
+
+### Example Configuration File
+
+```
+# This is a comment
+obj 1 0xFFFF 0x0000 "My Object" "path/to/object.bin" # This is a trailing comment
+key 1 1 0x0001 0x0000 "My Key" "path/to/key.bin"
+```
+
+## Generated NVM Image
+
+The generated NVM image is a binary file that can be used to initialize an instance of `whNvmFlash` or loaded directly into device memory at a device-specific address. In order for a generated NVM image to be compatible with a wolfHSM server implemenation, the following must be true:
+
+1. `whnvmtool` must be compiled against the same version of wolfHSM as the server, and be compiled to use the same value of `WOLFHSM_CFG_NVM_OBJECT_COUNT`
+2. The partition size specified for the NVM image must match that of the server's `whNvmFlash` provider
+3. If using a real flash implementation, the binary NVM image must be programmed to the correct address
+
+### Generating a Hex File
+
+Users may find it useful to generate a hex file to program the NVM image into device memory. This can be accomplished by using the `objcopy` utility to convert the generated NVM image to a hex file, making sure to specify the correct offset into the image for the start of the NVM partition. For example:
+
+```
+objcopy -I binary -O ihex --change-address <offset> <input-file> <output-file>
+```
+
+where:
+
+- `<offset>` is the offset into the NVM image for the start of the NVM partition
+- `<input-file>` is the NVM image file generated by `whnvmtool`
+- `<output-file>` is the name of the output hex file
+
+## Testing
+
+Tests for `whnvmtool` can be run by invoking `make check` or `make test`. This will perform the following steps:
+
+1. Invoke `whnvmtool` to generate an NVM image using an example configuration file, using the `--test` option to export the ID/data file pairs to a file
+2. Build and run a test program `test/test_whnvmtool.c`, which loads the generated NVM image and verifies the contents of the objects and keys using the exported ID/data file pairs. The compatibility of the generated image is verified by loading the image into two `whNvmFlash` providers: the POSIX port file-based NVM flash file simulator (`port/posix/posix_flash_file.c`) and the RAM-based NVM flash simulator (`src/wh_flash_ramsim.c`).
diff --git a/tools/whnvmtool/test/Makefile b/tools/whnvmtool/test/Makefile
new file mode 100644
index 00000000..f12e8611
--- /dev/null
+++ b/tools/whnvmtool/test/Makefile
@@ -0,0 +1,69 @@
+TARGET = test_whnvmtool
+CC ?= gcc
+
+# wolfHSM source files
+WOLFHSM_DIR ?= $(CURDIR)/../../../
+WOLFHSM_SRC = $(wildcard $(WOLFHSM_DIR)/src/*.c)
+WOLFHSM_SRC += $(wildcard $(WOLFHSM_DIR)/port/posix/*.c)
+
+# wolfCrypt source files
+WOLFSSL_DIR ?= $(CURDIR)/../../../../wolfssl
+WOLFCRYPT_SRC = \
+	$(WOLFSSL_DIR)/wolfcrypt/src/wc_port.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/memory.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/misc.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/cryptocb.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/random.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/asn.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/coding.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/wolfmath.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/tfm.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/fe_operations.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/rsa.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/curve25519.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/hash.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/sha256.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/aes.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/ecc.c \
+	$(WOLFSSL_DIR)/wolfcrypt/src/cmac.c
+
+SRC = \
+	$(WOLFHSM_SRC) \
+	$(WOLFCRYPT_SRC) \
+	$(TARGET).c
+
+INCLUDE_DIRS = \
+	-I$(WOLFHSM_DIR) \
+	-I$(WOLFSSL_DIR) \
+	-I..
+
+LIBS = \
+	-lm \
+	-lpthread
+
+LIB_DIRS =
+
+CFLAGS = -Wall $(INCLUDE_DIRS)
+CFLAGS += -DWOLFSSL_USER_SETTINGS
+CFLAGS_EXTRA =  # Additional CFLAGS from the command line
+LDFLAGS = $(LIB_DIRS) $(LIBS)
+OUT = $(TARGET) # Output executable name
+
+# DEBUG flag
+ifeq ($(DEBUG), 1)
+	CFLAGS += -g -O0 -DDEBUG -ggdb3
+else
+	CFLAGS += -O2
+endif
+
+# Targets
+all: $(OUT)
+
+$(OUT): $(SRC)
+	$(CC) $(CFLAGS) $(CFLAGS_EXTRA) $(SRC) -o $(OUT) $(LDFLAGS)
+
+clean:
+	rm -f $(OUT)
+
+# PHONY targets
+.PHONY: all clean
diff --git a/tools/whnvmtool/test/data/key1.bin b/tools/whnvmtool/test/data/key1.bin
new file mode 100644
index 00000000..1baf6bf0
--- /dev/null
+++ b/tools/whnvmtool/test/data/key1.bin
@@ -0,0 +1 @@
+KEY_1_DATA_BRAH
diff --git a/tools/whnvmtool/test/data/key2.bin b/tools/whnvmtool/test/data/key2.bin
new file mode 100644
index 00000000..2715f5ba
--- /dev/null
+++ b/tools/whnvmtool/test/data/key2.bin
@@ -0,0 +1 @@
+KEY_2_DATA_BRAH
diff --git a/tools/whnvmtool/test/data/obj1.bin b/tools/whnvmtool/test/data/obj1.bin
new file mode 100644
index 00000000..7196e2d0
--- /dev/null
+++ b/tools/whnvmtool/test/data/obj1.bin
@@ -0,0 +1 @@
+OBJ_1_DATA_BRAH
diff --git a/tools/whnvmtool/test/data/obj2.bin b/tools/whnvmtool/test/data/obj2.bin
new file mode 100644
index 00000000..02171b7d
--- /dev/null
+++ b/tools/whnvmtool/test/data/obj2.bin
@@ -0,0 +1 @@
+OBJ_2_DATA_BRAH
diff --git a/tools/whnvmtool/test/nvminit/test.nvminit b/tools/whnvmtool/test/nvminit/test.nvminit
new file mode 100644
index 00000000..7f220e26
--- /dev/null
+++ b/tools/whnvmtool/test/nvminit/test.nvminit
@@ -0,0 +1,8 @@
+# Key format is:
+# key <clientId> <keyId> <access> <flags> <label> <file>
+key 0xC 0xFE 0xFF 0x00 "Label for key 1" test/data/key1.bin # hex values
+key 12 255 255 0 "Label for key 2" test/data/key2.bin # decimal values
+# NVM object format is:
+# obj <metaDataId> <access> <flags> <label> <file> 
+obj 14 0xFF 0x00 "Label for object 1" test/data/obj1.bin # arbitrary object
+obj 15 0xFF 0x00 "Label for object 2" test/data/obj2.bin # another arbitrary object
diff --git a/tools/whnvmtool/test/test_whnvmtool.c b/tools/whnvmtool/test/test_whnvmtool.c
new file mode 100644
index 00000000..6bae3294
--- /dev/null
+++ b/tools/whnvmtool/test/test_whnvmtool.c
@@ -0,0 +1,431 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <limits.h>
+
+#include "wolfhsm/wh_error.h"
+#include "wolfhsm/wh_server.h"
+#include "wolfhsm/wh_server_nvm.h"
+#include "wolfhsm/wh_nvm.h"
+#include "wolfhsm/wh_nvm_flash.h"
+
+/* Dummy transport */
+#include "port/posix/posix_transport_tcp.h"
+
+/* Flash implementations to test */
+#include "wolfhsm/wh_flash_ramsim.h"
+#include "port/posix/posix_flash_file.h"
+
+
+/* Dummy Server comms config (unused) */
+whTransportServerCb            gTransportServerCb[1]      = {PTT_SERVER_CB};
+posixTransportTcpServerContext gTransportServerContext[1] = {};
+posixTransportTcpConfig        gTransportTcpConfig[1]     = {{
+               .server_ip_string = "127.0.0.1",
+               .server_port      = 8080,
+}};
+
+whCommServerConfig gCommServerConfig[1] = {{
+    .transport_cb      = gTransportServerCb,
+    .transport_context = (void*)gTransportServerContext,
+    .transport_config  = (void*)gTransportTcpConfig,
+    .server_id         = 34,
+}};
+
+
+/* Default parameters for the NVM Flash configurations to test */
+/* The file containing the NVM image to use for the tests */
+#ifndef FLASH_IMAGE_FILENAME
+#define FLASH_IMAGE_FILENAME "../whNvmImage.bin"
+#endif
+/* The size of the NVM partition to use for the tests */
+#ifndef FLASH_PARTITION_SIZE
+#define FLASH_PARTITION_SIZE 0x10000
+#endif
+/* The byte value that represents an erased NVM flash byte */
+#ifndef FLASH_ERASED_BYTE
+#define FLASH_ERASED_BYTE 0xFF
+#endif
+/* The file containing the object ID and file path pairs, holding golden truth
+ * data */
+#ifndef TEST_DATA_OBJID_FILE_MAPPING
+#define TEST_DATA_OBJID_FILE_MAPPING "../nvm_metadata.txt"
+#endif
+
+
+/* Global NVM Configurations that should be checked */
+
+/* RamSim Flash state and configuration */
+whFlashRamsimCtx gFlashRamsimContext[1] = {0};
+whFlashRamsimCfg gFlashRamsimConfig[1]  = {{
+     .size       = FLASH_PARTITION_SIZE * 2,
+     .sectorSize = FLASH_PARTITION_SIZE,
+     .pageSize   = 8,
+     .erasedByte = FLASH_ERASED_BYTE,
+     .initData   = NULL, /* Init data will be set dynamically */
+}};
+const whFlashCb  gFlashRamsimCb[1]      = {WH_FLASH_RAMSIM_CB};
+#define INIT_RAMSIM_NVM_FLASH_CONFIG                          \
+    {                                                         \
+        .cb = gFlashRamsimCb, .context = gFlashRamsimContext, \
+        .config = gFlashRamsimConfig                          \
+    }
+
+/* POSIX flash file state and configuration */
+static posixFlashFileContext      gPosixFlashContext = {0};
+static const posixFlashFileConfig gPosixFlashConfig  = {
+     .filename       = FLASH_IMAGE_FILENAME,
+     .partition_size = FLASH_PARTITION_SIZE,
+     .erased_byte    = FLASH_ERASED_BYTE,
+};
+const whFlashCb gPosixFlashCb[1] = {POSIX_FLASH_FILE_CB};
+#define INIT_POSIX_NVM_FLASH_CONFIG                          \
+    {                                                        \
+        .cb = gPosixFlashCb, .context = &gPosixFlashContext, \
+        .config = &gPosixFlashConfig                         \
+    }
+
+/* Global array holding all the NVM Flash configurations to test */
+const whNvmFlashConfig gNvmFlashConfigsToTest[] = {
+    INIT_POSIX_NVM_FLASH_CONFIG,
+    INIT_RAMSIM_NVM_FLASH_CONFIG,
+};
+/* Number of NVM Flash configurations to test */
+#define NVM_FLASH_CONFIGS_TO_TEST_COUNT \
+    (sizeof(gNvmFlashConfigsToTest) / sizeof(gNvmFlashConfigsToTest[0]))
+
+/* Object ID/file path pair for golden truth data linked list */
+typedef struct MetadataEntry {
+    whNvmId               id;
+    char                  filePath[PATH_MAX];
+    struct MetadataEntry* next;
+} MetadataEntry;
+
+/* Linked list of the object ID and file path pairs for golden truth data */
+static MetadataEntry* gMetadataHead = NULL;
+
+static void freeMetadataEntries()
+{
+    MetadataEntry* current = gMetadataHead;
+    while (current != NULL) {
+        MetadataEntry* next = current->next;
+        free(current);
+        current = next;
+    }
+    gMetadataHead = NULL;
+}
+
+/* Load objectId/file path pairs into the linked list from the test output
+ * file*/
+static int loadMetadataEntries()
+{
+    FILE* file = fopen(TEST_DATA_OBJID_FILE_MAPPING, "r");
+    if (file == NULL) {
+        fprintf(stderr,
+                "Error: Unable to open intermediate file for reading\n");
+        return -1;
+    }
+
+    char line[PATH_MAX + 20]; /* Extra space for the ID and comma */
+    while (fgets(line, sizeof(line), file)) {
+        MetadataEntry* newEntry = (MetadataEntry*)malloc(sizeof(MetadataEntry));
+        if (newEntry == NULL) {
+            fprintf(stderr, "Error: Memory allocation failed\n");
+            fclose(file);
+            freeMetadataEntries();
+            return -1;
+        }
+
+        if (sscanf(line, "%hu,%s", &newEntry->id, newEntry->filePath) != 2) {
+            fprintf(stderr,
+                    "Error: Invalid line format in intermediate file\n");
+            free(newEntry);
+            fclose(file);
+            freeMetadataEntries();
+            return -1;
+        }
+
+        newEntry->next = gMetadataHead;
+        gMetadataHead  = newEntry;
+    }
+
+    fclose(file);
+    return 0;
+}
+
+/* Lookup the file path for a given object ID in the linked list */
+static const char* getFilePathForId(whNvmId id)
+{
+    MetadataEntry* current = gMetadataHead;
+    while (current != NULL) {
+        if (current->id == id) {
+            return current->filePath;
+        }
+        current = current->next;
+    }
+    return NULL;
+}
+
+/* Compare the NVM data against the known good input file data for a given
+ * object ID */
+static int checkNvmDataValid(whNvmId id, const uint8_t* nvmData,
+                             whNvmSize nvmDataLen)
+{
+    const char* filePath = getFilePathForId(id);
+    if (filePath == NULL) {
+        fprintf(stderr, "Error: No file path found for ID %u\n", id);
+        return -1;
+    }
+
+    FILE* file = fopen(filePath, "rb");
+    if (file == NULL) {
+        fprintf(stderr, "Error: Unable to open file %s for comparison\n",
+                filePath);
+        return -1;
+    }
+
+    fseek(file, 0, SEEK_END);
+    long fileSize = ftell(file);
+    fseek(file, 0, SEEK_SET);
+
+    if (fileSize != nvmDataLen) {
+        fprintf(stderr,
+                "Error: File size (%ld) doesn't match NVM data length (%u) for "
+                "ID %u\n",
+                fileSize, nvmDataLen, id);
+        fclose(file);
+        return -1;
+    }
+
+    uint8_t* fileData = malloc(fileSize);
+    if (fileData == NULL) {
+        fprintf(stderr, "Error: Memory allocation failed for ID %u\n", id);
+        fclose(file);
+        return -1;
+    }
+
+    size_t bytesRead = fread(fileData, 1, fileSize, file);
+    fclose(file);
+
+    if (bytesRead != fileSize) {
+        fprintf(stderr, "Error: Failed to read entire file for ID %u\n", id);
+        free(fileData);
+        return -1;
+    }
+
+    int result = memcmp(fileData, nvmData, nvmDataLen);
+    if (result != 0) {
+        fprintf(stderr, "Error: Data mismatch for ID %u\n", id);
+        fprintf(stderr, "Expected (File) Data:\n");
+        for (size_t i = 0; i < nvmDataLen; i++) {
+            fprintf(stderr, "%02X ", fileData[i]);
+            if ((i + 1) % 16 == 0)
+                fprintf(stderr, "\n");
+        }
+        fprintf(stderr, "\n");
+
+        fprintf(stderr, "Actual (NVM) Data:\n");
+        for (size_t i = 0; i < nvmDataLen; i++) {
+            fprintf(stderr, "%02X ", nvmData[i]);
+            if ((i + 1) % 16 == 0)
+                fprintf(stderr, "\n");
+        }
+        fprintf(stderr, "\n");
+    }
+    else {
+        printf("Data verification successful for ID %u\n", id);
+    }
+
+    free(fileData);
+    return result;
+}
+
+/* Enumerate the NVM objects and check their data against the known good input
+ * file data */
+int _checkNvm(whServerContext* server)
+{
+    int         rc;
+    whNvmId     startId   = 0;
+    whNvmId     currentId = 0;
+    whNvmId     count     = 0;
+    whNvmAccess access    = WH_NVM_ACCESS_ANY;
+    whNvmFlags  flags     = WH_NVM_FLAGS_ANY;
+
+    do {
+        rc = wh_Nvm_List(server->nvm, access, flags, startId, &count,
+                         &currentId);
+        if (rc != WH_ERROR_OK) {
+            fprintf(stderr, "Error listing NVM objects: %d\n", rc);
+            return rc;
+        }
+
+        printf("NVM List: Count=%u\n", count);
+
+        if (count > 0) {
+            whNvmMetadata meta;
+
+            rc = wh_Nvm_GetMetadata(server->nvm, currentId, &meta);
+            if (rc != WH_ERROR_OK) {
+                fprintf(stderr, "Error getting metadata for object %u: %d\n",
+                        currentId, rc);
+                return rc;
+            }
+
+            printf("Object ID: %u\n", meta.id);
+            printf("Access: 0x%04x\n", meta.access);
+            printf("Flags: 0x%04x\n", meta.flags);
+            printf("Length: %u\n", meta.len);
+            printf("Label: %s\n", meta.label);
+
+            uint8_t* data = malloc(meta.len);
+            if (data == NULL) {
+                fprintf(stderr, "Memory allocation failed\n");
+                return WH_ERROR_ABORTED;
+            }
+
+            rc = wh_Nvm_Read(server->nvm, currentId, 0, meta.len, data);
+            if (rc != WH_ERROR_OK) {
+                fprintf(stderr, "Error reading object %u: %d\n", currentId, rc);
+                free(data);
+                return rc;
+            }
+
+            rc = checkNvmDataValid(currentId, data, meta.len);
+            if (rc != 0) {
+                free(data);
+                return WH_ERROR_ABORTED;
+            }
+
+            free(data);
+        }
+
+        /* Move to the next object */
+        startId = currentId;
+
+    } while (count > 0);
+
+    return WH_ERROR_OK;
+}
+
+/* Initializes a local server and NVM context with the provided NVM config and
+ * enumerates the NVM objects. */
+int _initAndCheckNvmFlashCfg(whNvmFlashConfig* nvmFlashCfg)
+{
+    int               rc;
+    whNvmFlashContext nvmFlashCtx[1];
+    whNvmCb           nvmCb[1] = {WH_NVM_FLASH_CB};
+    whNvmContext      nvmCtx[1];
+    whServerContext   serverCtx[1];
+    uint8_t*          initData = NULL;
+
+    /* If this is the RamSim configuration, set the initData config field to the
+     * contents of the NVM image */
+    if (nvmFlashCfg->cb == gFlashRamsimCb) {
+        printf("Initializing RamSim NVM Flash\n");
+
+        FILE* file = fopen(FLASH_IMAGE_FILENAME, "rb");
+        if (file == NULL) {
+            fprintf(stderr, "Error: Unable to open %s for reading\n",
+                    FLASH_IMAGE_FILENAME);
+            return WH_ERROR_BADARGS;
+        }
+
+        fseek(file, 0, SEEK_END);
+        long fileSize = ftell(file);
+        fseek(file, 0, SEEK_SET);
+
+        initData = (uint8_t*)malloc(fileSize);
+        if (initData == NULL) {
+            fprintf(stderr, "Error: Memory allocation failed for initData\n");
+            fclose(file);
+            return WH_ERROR_ABORTED;
+        }
+
+        size_t bytesRead = fread(initData, 1, fileSize, file);
+        fclose(file);
+
+        if (bytesRead != fileSize) {
+            fprintf(stderr, "Error: Failed to read entire file %s\n",
+                    FLASH_IMAGE_FILENAME);
+            free(initData);
+            return WH_ERROR_ABORTED;
+        }
+
+        ((whFlashRamsimCfg*)nvmFlashCfg->config)->initData = initData;
+    }
+
+    /* Build temporary NVM config for the input NVM Flash config */
+    whNvmConfig nvmCfg[1] = {{
+        .cb      = nvmCb,
+        .context = nvmFlashCtx,
+        .config  = nvmFlashCfg,
+    }};
+
+    /* Initialize the NVM context */
+    rc = wh_Nvm_Init(nvmCtx, nvmCfg);
+    if (rc != WH_ERROR_OK) {
+        fprintf(stderr, "Error: Failed to initialize NVM, ret = %d\n", rc);
+        return rc;
+    }
+
+    /* Build server configuration to use the input NVM context */
+    whServerConfig serverCfg[1] = {{
+        .comm_config = gCommServerConfig,
+        .nvm         = nvmCtx,
+    }};
+
+    /* Initialize the server */
+    rc = wh_Server_Init(serverCtx, serverCfg);
+    if (rc != WH_ERROR_OK) {
+        fprintf(stderr, "Failed to initialize wolfHSM server: ret = %d\n", rc);
+        return rc;
+    }
+
+    /* Check the NVM against expected values */
+    if (rc == WH_ERROR_OK) {
+        rc = _checkNvm(serverCtx);
+        if (rc != WH_ERROR_OK) {
+            fprintf(stderr, "NVM check failed: ret = %d\n", rc);
+        }
+
+        (void)wh_Server_Cleanup(serverCtx);
+    }
+
+    /* Clean up the RAMsim initData if it was dynamically allocated */
+    if (initData != NULL) {
+        free(initData);
+        ((whFlashRamsimCfg*)nvmFlashCfg->config)->initData = NULL;
+    }
+
+    return rc;
+}
+
+
+int main(void)
+{
+    int rc = 0;
+
+    /* Load metadata entries from the intermediate file */
+    rc = loadMetadataEntries();
+    if (rc != 0) {
+        fprintf(stderr, "Failed to load metadata entries\n");
+        return rc;
+    }
+
+    for (size_t i = 0; i < NVM_FLASH_CONFIGS_TO_TEST_COUNT; i++) {
+        printf("Testing NVM Flash config %zu\n", i);
+        rc = _initAndCheckNvmFlashCfg(
+            (whNvmFlashConfig*)&gNvmFlashConfigsToTest[i]);
+        if (rc != WH_ERROR_OK) {
+            fprintf(stderr, "NVM check failed for config %zu: ret = %d\n", i,
+                    rc);
+            break;
+        }
+    }
+
+    /* Clean up metadata entries at the end */
+    freeMetadataEntries();
+
+    return rc;
+}
diff --git a/tools/whnvmtool/user_settings.h b/tools/whnvmtool/user_settings.h
new file mode 100644
index 00000000..150dc409
--- /dev/null
+++ b/tools/whnvmtool/user_settings.h
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2024 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM.  If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * user_settings.h
+ *
+ * Configured to support library testing
+ */
+
+#ifndef USER_SETTINGS_H
+#define USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** Settings specific to the host arch, OS, and compiler */
+/* #define BIG_ENDIAN_ORDER */
+/* #define SINGLE_THREADED */
+/* #define WC_NO_ASYNC_THREADING */
+
+/*
+#define DEBUG_CRYPTOCB
+#define DEBUG_CRYPTOCB_VERBOSE
+*/
+
+/** wolfHSM required settings for wolfCrypt */
+#define WOLFCRYPT_ONLY
+#define WOLF_CRYPTO_CB
+#define HAVE_HASHDRBG
+#define WOLFSSL_KEY_GEN
+#define WOLFSSL_ASN_TEMPLATE
+#define WOLFSSL_BASE64_ENCODE
+#define HAVE_ANONYMOUS_INLINE_AGGREGATES 1
+
+/** Math library selection for test */
+#define USE_FAST_MATH
+
+/** wolfHSM recommended */
+#define WOLFSSL_NO_MALLOC
+#define WOLFSSL_USE_ALIGN
+#define WOLFSSL_IGNORE_FILE_WARN
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+/** Remove unneeded features*/
+#define NO_MAIN_DRIVER
+#define NO_ERROR_STRINGS
+#define NO_ERROR_QUEUE
+#define NO_FILESYSTEM
+#define NO_INLINE
+#define NO_OLD_TLS
+#define WOLFSSL_NO_TLS12
+#define NO_DO178
+
+/** Remove unneded namespace */
+#define NO_OLD_RNGNAME
+#define NO_OLD_WC_NAMES
+#define NO_OLD_SSL_NAMES
+#define NO_OLD_SHA_NAMES
+#define NO_OLD_MD5_NAME
+
+/** RSA Options */
+/*#define NO_RSA */
+#define WC_RSA_PSS
+#define WOLFSSL_PSS_LONG_SALT
+#define FP_MAX_BITS 4096
+
+/** ECC Options */
+#define HAVE_ECC
+#define TFM_ECC256
+#define ECC_SHAMIR
+#define HAVE_SUPPORTED_CURVES
+
+/** Curve25519 Options */
+#define HAVE_CURVE25519
+
+/** DH and DHE Options */
+#define NO_DH
+#define HAVE_DH_DEFAULT_PARAMS
+#define HAVE_FFDHE_2048
+
+/** AES Options */
+/* #define NO_AES */
+#define HAVE_AESGCM
+#define GCM_TABLE_4BIT
+
+#define WOLFSSL_AES_DIRECT
+#define HAVE_AES_ECB
+#define WOLFSSL_CMAC
+
+/** SHA Options */
+#define NO_SHA
+/* #define NO_SHA256 */
+/* #define WOLFSSL_SHA384 */
+/* #define WOLFSSL_SHA512 */
+
+/** Composite features */
+#define HAVE_HKDF
+
+/* Remove unneeded crypto */
+#define NO_DSA
+#define NO_RC4
+#define NO_PSK
+#define NO_MD4
+#define NO_MD5
+#define NO_DES3
+#define WOLFSSL_NO_SHAKE128
+#define WOLFSSL_NO_SHAKE256
+#define NO_PWDBASED
+
+
+/* Allows custom "custom_time()" function to be used for benchmark */
+/*
+#define WOLFSSL_USER_CURRTIME
+#define USER_TICKS
+#define HAVE_WC_INTROSPECTION
+*/
+
+/* Standard Lib - C89 */
+/*
+#define XSTRCASECMP(s1,s2) strcmp((s1),(s2))
+*/
+
+/* ------------------------------------------------------------------------- */
+/* Memory */
+/* ------------------------------------------------------------------------- */
+#if 0
+    /* Static memory requires fast math or SP math with no malloc */
+    #define WOLFSSL_STATIC_MEMORY
+
+    /* Disable fallback malloc/free */
+    #define WOLFSSL_NO_MALLOC
+    #if 1
+        #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */
+    #endif
+#endif
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* USER_SETTINGS_H */
diff --git a/tools/whnvmtool/whnvmtool.c b/tools/whnvmtool/whnvmtool.c
new file mode 100644
index 00000000..c68279d2
--- /dev/null
+++ b/tools/whnvmtool/whnvmtool.c
@@ -0,0 +1,583 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <errno.h>
+#include <stdint.h>
+#include <ctype.h>
+#include <getopt.h>
+
+#include "wolfhsm/wh_common.h"
+#include "wolfhsm/wh_server.h"
+#include "wolfhsm/wh_nvm_flash.h"
+#include "port/posix/posix_flash_file.h"
+#include "port/posix/posix_transport_tcp.h"
+
+/* Macros for maximum client ID and key ID */
+#define MAX_CLIENT_ID 255
+#define MAX_KEY_ID UINT16_MAX
+
+/* Macros for maximum file path length (Linux PATH_MAX is a good reference) */
+#define MAX_FILE_PATH_LENGTH PATH_MAX
+
+/* Parameterize MAX_LINE_LENGTH by 512 bytes + MAX_FILE_PATH_LENGTH */
+#define MAX_LINE_LENGTH (512 + MAX_FILE_PATH_LENGTH)
+
+#define INTERMEDIATE_FILE "nvm_metadata.txt"
+#define DEFAULT_IMAGE_FILE "whNvmImage.bin"
+#define DEFAULT_PARTITION_SIZE 0x10000
+#define DEFAULT_ERASED_BYTE 0xFF
+
+/* Structure representing an entry in the linked list */
+typedef struct Entry {
+    uint8_t       clientId; /* Used only for keys */
+    uint16_t      id;       /* Object ID for NVM, keyId for keys */
+    uint16_t      access;   /* Access permissions */
+    uint16_t      flags;    /* Flags for the object */
+    char*         label;    /* Label for the object */
+    char*         filePath; /* File path for the object */
+    struct Entry* next;     /* Pointer to the next entry */
+} Entry;
+
+/* Head of the linked list for entries */
+Entry* entryHead = NULL;
+
+/* Flag to indicate if we're in test mode, set by --test command line argument.
+ * If set, write the metadata ID/filepath pair to an intermediate file so the
+ * test code can parse this file and associate object IDs with their input data
+ * to verify the results against known good data */
+static int gTestMode = 0;
+
+
+/* Function prototypes */
+static void   writeMetadataToFile(uint32_t metadataId, const char* filePath);
+static int    initializeServer(whServerContext*      serverContext,
+                               whNvmContext*         nvmContext,
+                               const whServerConfig* serverConfig,
+                               const whNvmConfig*    nvmConfig);
+static void   cleanupServer(whServerContext* serverContext);
+static Entry* createEntry(uint8_t clientId, uint16_t id, uint16_t access,
+                          uint16_t flags, const char* label,
+                          const char* filePath);
+static void   appendEntry(Entry** head, uint8_t clientId, uint16_t id,
+                          uint16_t access, uint16_t flags, const char* label,
+                          const char* filePath);
+static void   processEntry(Entry* entry, int isKey, whNvmContext* nvmContext);
+static void   processEntries(whNvmContext* nvmContext);
+static void   freeEntries(void);
+static void   stripComment(char* line);
+static void   trimWhitespace(char* str);
+static int  parseInteger(const char* str, uint32_t maxValue, uint32_t* result);
+static void parseConfigFile(const char* filePath);
+
+
+/* Creates a new entry in the linked list based on the provided parameters */
+Entry* createEntry(uint8_t clientId, uint16_t id, uint16_t access,
+                   uint16_t flags, const char* label, const char* filePath)
+{
+    Entry* newEntry = (Entry*)malloc(sizeof(Entry));
+    if (!newEntry) {
+        fprintf(stderr, "Memory allocation error\n");
+        exit(EXIT_FAILURE);
+    }
+    newEntry->clientId = clientId;
+    newEntry->id       = id;
+    newEntry->access   = access;
+    newEntry->flags    = flags;
+    newEntry->label    = strdup(label);
+    newEntry->filePath = strdup(filePath);
+    newEntry->next     = NULL;
+    return newEntry;
+}
+
+/* Appends a new entry to the linked list */
+void appendEntry(Entry** head, uint8_t clientId, uint16_t id, uint16_t access,
+                 uint16_t flags, const char* label, const char* filePath)
+{
+    Entry* newEntry = createEntry(clientId, id, access, flags, label, filePath);
+    if (*head == NULL) {
+        *head = newEntry;
+    }
+    else {
+        Entry* current = *head;
+        while (current->next != NULL) {
+            current = current->next;
+        }
+        current->next = newEntry;
+    }
+}
+
+/* Writes a list entry to NVM and optionally to an intermediate file for
+ * test mode */
+static void processEntry(Entry* entry, int isKey, whNvmContext* nvmContext)
+{
+    FILE* file = fopen(entry->filePath, "rb");
+    if (file == NULL) {
+        fprintf(stderr, "Error: Unable to open file %s\n", entry->filePath);
+        return;
+    }
+
+    /* Get the file size */
+    fseek(file, 0, SEEK_END);
+    long fileSize = ftell(file);
+    fseek(file, 0, SEEK_SET);
+
+    /* Allocate memory for the file data */
+    uint8_t* buffer = (uint8_t*)malloc(fileSize);
+    if (buffer == NULL) {
+        fprintf(stderr, "Error: Memory allocation failed for file %s\n",
+                entry->filePath);
+        fclose(file);
+        return;
+    }
+
+    /* Read the file data into the buffer */
+    size_t bytesRead = fread(buffer, 1, fileSize, file);
+    fclose(file);
+
+    if (bytesRead != fileSize) {
+        fprintf(stderr, "Error: Failed to read entire file %s\n",
+                entry->filePath);
+        free(buffer);
+        return;
+    }
+
+    /* Create metadata for the new entry */
+    whNvmMetadata meta = {0};
+    if (isKey) {
+        /* Keys have special ID format */
+        meta.id = WH_MAKE_KEYID(WH_KEYTYPE_CRYPTO, entry->clientId, entry->id);
+        printf("Processing Key Entry - ClientID: 0x%X, KeyID: 0x%X, Meta ID: "
+               "0x%X, "
+               "Access: 0x%X, Flags: 0x%X, Label: %s, File: %s, Size: %ld\n",
+               entry->clientId, entry->id, meta.id, entry->access, entry->flags,
+               entry->label, entry->filePath, fileSize);
+    }
+    else {
+        meta.id = entry->id;
+        printf("Processing Object Entry - ID: 0x%X, Access: 0x%X, Flags: 0x%X, "
+               "Label: %s, File: %s, Size: %ld\n",
+               entry->id, entry->access, entry->flags, entry->label,
+               entry->filePath, fileSize);
+    }
+    meta.access = entry->access;
+    meta.flags  = entry->flags;
+    meta.len    = fileSize;
+    snprintf((char*)meta.label, WH_NVM_LABEL_LEN, "%s", entry->label);
+
+    int rc = wh_Nvm_AddObject(nvmContext, &meta, fileSize, buffer);
+    if (rc != 0) {
+        fprintf(stderr, "Error: Failed to add entry ID %u to NVM, ret = %d\n",
+                meta.id, rc);
+    }
+
+    if (gTestMode) {
+        writeMetadataToFile(meta.id, entry->filePath);
+    }
+
+    free(buffer);
+}
+
+/* Iterates through the linked list and processes each entry */
+static void processEntries(whNvmContext* nvmContext)
+{
+    Entry* current = entryHead;
+    while (current != NULL) {
+        /* Determine if it's a key based on clientId */
+        int isKey = (current->clientId != 0);
+        processEntry(current, isKey, nvmContext);
+        current = current->next;
+    }
+}
+
+/* Frees the memory allocated for the linked list */
+void freeEntries()
+{
+    Entry* current = entryHead;
+    while (current != NULL) {
+        Entry* next = current->next;
+        free(current->label);
+        free(current->filePath);
+        free(current);
+        current = next;
+    }
+}
+
+/* Function to remove comments from a line */
+void stripComment(char* line)
+{
+    char* commentStart = strchr(line, '#');
+    if (commentStart) {
+        /* Null-terminate the line at the start of the comment */
+        *commentStart = '\0';
+    }
+}
+
+/* Function to trim leading and trailing whitespace */
+void trimWhitespace(char* str)
+{
+    /* Trim leading whitespace */
+    char* start = str;
+    while (*start != '\0' && isspace((unsigned char)*start)) {
+        start++;
+    }
+
+    /* Trim trailing whitespace */
+    char* end = start + strlen(start) - 1;
+    while (end > start && isspace((unsigned char)*end)) {
+        *end = '\0';
+        end--;
+    }
+
+    /* Copy the trimmed string back into the original buffer */
+    memmove(str, start, strlen(start) + 1);
+}
+
+/* Function to parse a uint16_t or uint8_t from a string (handles hex or
+ * decimal) */
+int parseInteger(const char* str, uint32_t maxValue, uint32_t* result)
+{
+    char* endPtr;
+    long  value;
+
+    if (strstr(str, "0x") == str) {
+        /* Parse as hexadecimal */
+        value = strtol(str, &endPtr, 16);
+    }
+    else {
+        /* Parse as decimal */
+        value = strtol(str, &endPtr, 10);
+    }
+
+    if (*endPtr != '\0' || value < 0 || value > maxValue) {
+        return 0; /* Error: invalid number */
+    }
+
+    *result = (uint32_t)value;
+    return 1; /* Success */
+}
+
+/* Function to parse the configuration file and build the linked list */
+void parseConfigFile(const char* filePath)
+{
+    FILE* file = fopen(filePath, "r");
+    if (!file) {
+        perror("Error opening file");
+        exit(EXIT_FAILURE);
+    }
+
+    char line[MAX_LINE_LENGTH];
+    int  lineNumber = 0;
+
+    while (fgets(line, sizeof(line), file)) {
+        lineNumber++;
+        stripComment(line);
+        trimWhitespace(line);
+
+        /* Skip empty lines after removing comments and whitespace */
+        if (strlen(line) == 0) {
+            continue;
+        }
+
+        char*    token;
+        char     label[256], filePath[MAX_FILE_PATH_LENGTH];
+        uint32_t clientId = 0, id, access, flags;
+
+        /* Check if the line defines a key or an object */
+        if (strncmp(line, "key", 3) == 0) {
+            /* Parse client ID for key entries */
+            token = strtok(line + 3, " ");
+            if (!token || !parseInteger(token, MAX_CLIENT_ID, &clientId)) {
+                fprintf(stderr,
+                        "Error on line %d: Malformed key entry - invalid "
+                        "clientId\n",
+                        lineNumber);
+                fclose(file);
+                exit(EXIT_FAILURE);
+            }
+
+            /* Parse key ID for key entries */
+            token = strtok(NULL, " ");
+            if (!token || !parseInteger(token, MAX_KEY_ID, &id)) {
+                fprintf(
+                    stderr,
+                    "Error on line %d: Malformed key entry - invalid keyId\n",
+                    lineNumber);
+                fclose(file);
+                exit(EXIT_FAILURE);
+            }
+        }
+        else if (strncmp(line, "obj", 3) == 0) {
+            /* Parse object ID for object entries */
+            token = strtok(line + 3, " ");
+            if (!token || !parseInteger(token, MAX_KEY_ID, &id)) {
+                fprintf(
+                    stderr,
+                    "Error on line %d: Malformed object entry - invalid id\n",
+                    lineNumber);
+                fclose(file);
+                exit(EXIT_FAILURE);
+            }
+        }
+        else {
+            /* Report error for unknown entry types */
+            fprintf(stderr,
+                    "Error on line %d: Malformed line or unknown entry type\n",
+                    lineNumber);
+            fclose(file);
+            exit(EXIT_FAILURE);
+        }
+
+        /* Parse access field */
+        token = strtok(NULL, " ");
+        if (!token || !parseInteger(token, UINT16_MAX, &access)) {
+            fprintf(stderr,
+                    "Error on line %d: Malformed entry - invalid access\n",
+                    lineNumber);
+            fclose(file);
+            exit(EXIT_FAILURE);
+        }
+
+        /* Parse flags */
+        token = strtok(NULL, " ");
+        if (!token || !parseInteger(token, UINT16_MAX, &flags)) {
+            fprintf(stderr,
+                    "Error on line %d: Malformed entry - invalid flags\n",
+                    lineNumber);
+            fclose(file);
+            exit(EXIT_FAILURE);
+        }
+
+        /* Parse the label (enclosed in quotes) */
+        token = strtok(NULL, "\"");
+        if (!token) {
+            fprintf(stderr,
+                    "Error on line %d: Malformed entry - missing or incorrect "
+                    "label format\n",
+                    lineNumber);
+            fclose(file);
+            exit(EXIT_FAILURE);
+        }
+        snprintf(label, sizeof(label), "%s", token);
+
+        /* Parse the file path */
+        token = strtok(NULL, " ");
+        if (!token || sscanf(token, "%s", filePath) != 1) {
+            fprintf(stderr,
+                    "Error on line %d: Malformed entry - missing file path\n",
+                    lineNumber);
+            fclose(file);
+            exit(EXIT_FAILURE);
+        }
+
+        /* Add the parsed entry to the linked list */
+        appendEntry(&entryHead, (uint8_t)clientId, (uint16_t)id,
+                    (uint16_t)access, (uint16_t)flags, label, filePath);
+    }
+
+    fclose(file);
+}
+
+/* Writes the metadata ID and filepath to an intermediate file for test mode.
+ *  The format of the file should be comma separated <metadata ID>,<file path>
+ * pairs, with one entry per line */
+static void writeMetadataToFile(uint32_t metadataId, const char* filePath)
+{
+    FILE* file = fopen(INTERMEDIATE_FILE, "a");
+    if (file == NULL) {
+        fprintf(stderr,
+                "Error: Unable to open intermediate file for writing\n");
+        return;
+    }
+
+    char fullPath[PATH_MAX];
+    if (realpath(filePath, fullPath) == NULL) {
+        fprintf(stderr, "Error: Unable to get full path for %s\n", filePath);
+        fclose(file);
+        return;
+    }
+
+    fprintf(file, "%u,%s\n", metadataId, fullPath);
+    fclose(file);
+}
+
+/* Initialize the NVM and server */
+static int initializeServer(whServerContext*      serverContext,
+                            whNvmContext*         nvmContext,
+                            const whServerConfig* serverConfig,
+                            const whNvmConfig*    nvmConfig)
+{
+    /* Initialize the NVM context */
+    int rc = wh_Nvm_Init(nvmContext, nvmConfig);
+    if (rc != 0) {
+        fprintf(stderr, "Error: Failed to initialize NVM, ret = %d\n", rc);
+        return EXIT_FAILURE;
+    }
+
+    rc = wh_Server_Init(serverContext, (whServerConfig*)serverConfig);
+    if (rc != 0) {
+        fprintf(stderr, "Failed to initialize wolfHSM server: ret = %d\n", rc);
+        return rc;
+    }
+    return 0;
+}
+
+static void cleanupServer(whServerContext* serverContext)
+{
+    wh_Server_Cleanup(serverContext);
+}
+
+int main(int argc, char* argv[])
+{
+    int                  rc = 0;
+    int                  opt;
+    char*                config_file        = NULL;
+    char*                image_file         = DEFAULT_IMAGE_FILE;
+    uint32_t             partition_size     = DEFAULT_PARTITION_SIZE;
+    uint8_t              erased_byte        = DEFAULT_ERASED_BYTE;
+    int                  invert_erased_byte = 0;
+    static struct option long_options[]     = {
+            {"test", no_argument, 0, 't'},
+            {"image", optional_argument, 0, 'i'},
+            {"size", required_argument, 0, 's'},
+            {"invert-erased-byte", no_argument, 0, 'e'},
+            {0, 0, 0, 0}};
+
+    while ((opt = getopt_long(argc, argv, "ti::s:e", long_options, NULL)) !=
+           -1) {
+        switch (opt) {
+            case 't':
+                gTestMode = 1;
+                break;
+            case 'i':
+                if (optarg) {
+                    image_file = optarg;
+                }
+                break;
+            case 's':
+                if (strncmp(optarg, "0x", 2) == 0) {
+                    partition_size = (uint32_t)strtoul(optarg + 2, NULL, 16);
+                }
+                else {
+                    partition_size = (uint32_t)strtoul(optarg, NULL, 10);
+                }
+                if (partition_size == 0) {
+                    fprintf(stderr, "Error: Invalid partition size\n");
+                    return EXIT_FAILURE;
+                }
+                break;
+            case 'e':
+                invert_erased_byte = 1;
+                break;
+            default:
+                fprintf(stderr,
+                        "Usage: %s [--test] [--image[=<file>]] [--size <size>] "
+                        "[--invert-erased-byte] <config-file>\n",
+                        argv[0]);
+                return EXIT_FAILURE;
+        }
+    }
+
+    if (optind >= argc) {
+        fprintf(stderr, "Error: Config file is mandatory\n");
+        fprintf(stderr,
+                "Usage: %s [--test] [--image[=<file>]] [--size <size>] "
+                "[--invert-erased-byte] <config-file>\n",
+                argv[0]);
+        return EXIT_FAILURE;
+    }
+
+    config_file = argv[optind];
+
+    if (invert_erased_byte) {
+        erased_byte = 0x00;
+    }
+
+    /* Server configuration/context */
+    whTransportServerCb            gTransportServerCb[1]      = {PTT_SERVER_CB};
+    posixTransportTcpServerContext gTransportServerContext[1] = {};
+    posixTransportTcpConfig        gTransportTcpConfig[1]     = {{
+                   .server_ip_string = "127.0.0.1",
+                   .server_port      = 8080,
+    }};
+
+    whCommServerConfig gCommServerConfig[1] = {{
+        .transport_cb      = gTransportServerCb,
+        .transport_context = (void*)gTransportServerContext,
+        .transport_config  = (void*)gTransportTcpConfig,
+        .server_id         = 34,
+    }};
+
+    /* POSIX flash file NVM configuration */
+    posixFlashFileConfig gPosixFlashConfig = {
+        .filename       = image_file,
+        .partition_size = partition_size,
+        .erased_byte    = erased_byte,
+    };
+
+    /* POSIX flash file context */
+    posixFlashFileContext gPosixFlashContext = {0};
+
+    /* NVM Flash configuration using POSIX flash file */
+    const whFlashCb  gFlashCb[1]     = {POSIX_FLASH_FILE_CB};
+    whNvmFlashConfig gNvmFlashConfig = {.cb      = gFlashCb,
+                                        .context = &gPosixFlashContext,
+                                        .config  = &gPosixFlashConfig};
+
+    whNvmFlashContext gNvmFlashContext = {0};
+    const whNvmCb     gNvmCb[1]        = {WH_NVM_FLASH_CB};
+
+    whNvmConfig gNvmConfig = {.cb      = (whNvmCb*)gNvmCb,
+                              .context = &gNvmFlashContext,
+                              .config  = &gNvmFlashConfig};
+
+    whNvmContext gNvmContext = {0};
+
+    /* Server configuration */
+    whServerConfig gServerConfig = {
+        .comm_config = gCommServerConfig,
+        .nvm         = &gNvmContext,
+#ifndef WOLFHSM_CFG_NO_CRYPTO
+        .crypto = NULL,
+#ifdef WOLFHSM_CFG_SHE_EXTENSION
+        .she = NULL,
+#endif /* WOLFHSM_CFG_SHE_EXTENSION */
+#endif /* WOLFHSM_CFG_NO_CRYPTO */
+        .dmaConfig = NULL,
+    };
+
+    whServerContext gServerContext = {0};
+
+    /* Initialize the server */
+    rc = initializeServer(&gServerContext, &gNvmContext, &gServerConfig,
+                          &gNvmConfig);
+    if (rc != 0) {
+        fprintf(stderr, "Error: Failed to initialize server, ret = %d\n", rc);
+        return EXIT_FAILURE;
+    }
+
+    if (gTestMode) {
+        /* Clear the intermediate file before processing */
+        FILE* file = fopen(INTERMEDIATE_FILE, "w");
+        if (file != NULL) {
+            fclose(file);
+        }
+        else {
+            fprintf(stderr, "Warning: Unable to clear intermediate file\n");
+        }
+    }
+
+    /* Parse the configuration file */
+    parseConfigFile(config_file);
+
+    /* Process the entries */
+    processEntries(&gNvmContext);
+
+    /* Free the allocated memory */
+    freeEntries();
+
+    /* Cleanup the server */
+    cleanupServer(&gServerContext);
+
+    return EXIT_SUCCESS;
+}
diff --git a/tools/whnvmtool/wolfhsm_cfg.h b/tools/whnvmtool/wolfhsm_cfg.h
new file mode 100644
index 00000000..83cb5012
--- /dev/null
+++ b/tools/whnvmtool/wolfhsm_cfg.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2024 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM.  If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * wolfhsm_cfg.h
+ *
+ * wolfHSM compile-time options.  Override here for your application
+ */
+
+#ifndef WOLFHSM_CFG_H_
+#define WOLFHSM_CFG_H_
+
+
+/** wolfHSM settings.  Simple overrides to show they work */
+/* #define WOLFHSM_CFG_NO_CRYPTO */
+/* #define WOLFHSM_CFG_SHE_EXTENSION */
+
+#define WOLFHSM_CFG_COMM_DATA_LEN 1280
+
+#define WOLFHSM_CFG_NVM_OBJECT_COUNT 30
+#define WOLFHSM_CFG_SERVER_KEYCACHE_COUNT 9
+#define WOLFHSM_CFG_SERVER_KEYCACHE_BUFSIZE 300
+#define WOLFHSM_CFG_SERVER_KEYCACHE_BIG_COUNT 2
+#define WOLFHSM_CFG_SERVER_KEYCACHE_BIG_BUFSIZE 1280
+#define WOLFHSM_CFG_SERVER_DMAADDR_COUNT 8
+#define WOLFHSM_CFG_SERVER_CUSTOMCB_COUNT 6
+
+/* Test specific configuration */
+#define WOLFHSM_CFG_DMA
+
+#endif /* WOLFHSM_CFG_H_ */
diff --git a/wolfhsm/wh_flash_ramsim.h b/wolfhsm/wh_flash_ramsim.h
index 83f367b2..562e4c35 100644
--- a/wolfhsm/wh_flash_ramsim.h
+++ b/wolfhsm/wh_flash_ramsim.h
@@ -30,7 +30,8 @@ typedef struct {
     uint32_t sectorSize;
     uint32_t pageSize;
     uint8_t  erasedByte;
-    uint8_t WH_PAD[3];
+    const uint8_t* initData;  /* Optional initialization data */
+    uint8_t WH_PAD[7];
 } whFlashRamsimCfg;
 
 typedef struct {

From 2c4e413e88fdaff686ad0cd5d12e7aa84e84aac2 Mon Sep 17 00:00:00 2001
From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com>
Date: Thu, 17 Oct 2024 09:38:10 -0600
Subject: [PATCH 2/3] fix doc issues

---
 tools/whnvmtool/README.md | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/tools/whnvmtool/README.md b/tools/whnvmtool/README.md
index b0788de9..1553669d 100644
--- a/tools/whnvmtool/README.md
+++ b/tools/whnvmtool/README.md
@@ -1,7 +1,8 @@
 # whnvmtool
 
 ## Overview
-`whnvmtool` is a utility for creating Non-Volatile Memory (NVM) images for wolfHSM. It allows users to create NVM images with predefined objects and keys, which can be used for provisioning a wolfHSM device. THe tool creates an NVM image and loads it with objects and keys specified by the user in a configuration file. The generated image can then be loaded into device memory, or used for to initialize an instance of a `whNvmFlash` provider.
+
+`whnvmtool` is a utility for creating Non-Volatile Memory (NVM) images for wolfHSM. It allows users to create NVM images with predefined objects and keys, which can be used for provisioning a wolfHSM device. The tool creates an NVM image and loads it with objects and keys specified by the user in a configuration file. The generated image can then be loaded into device memory, or used for to initialize an instance of a `whNvmFlash` provider.
 
 ## Supported NVM Providers
 
@@ -13,6 +14,8 @@ Currently, `whnvmtool` only supports the `whNvmFlash` provider.
 ./whnvmtool [--test] [--image[=<file>]] [--size <size>] [--invert-erased-byte] <config-file>
 ```
 
+where:
+
 - `--image[=<file>]`: Specifies the output NVM image file. If not provided, defaults to `whNvmImage.bin`.
 - `--size <size>`: Sets the partition size for the NVM image. Can be specified in decimal or hexadecimal (with '0x' prefix).
 - `--invert-erased-byte`: Inverts the erased byte value (default is 0xFF, this option changes it to 0x00).
@@ -32,7 +35,7 @@ obj <metaDataId> <access> <flags> <label> <file>
 
 where:
 
-- `<metaDataId>`: Unsigned 16-bit integer (0-65535) representing the object metadata ID.
+- `<metaDataId>`: Unsigned 16-bit integer (1-65535) representing the object metadata ID. Note that 0 is an invalid metadata ID.
 - `<access>`: Unsigned 16-bit integer (0-65535) representing the access permissions.
 - `<flags>`: Unsigned 16-bit integer (0-65535) representing object flags.
 - `<label>`: Label string enclosed in double quotes, maximum 24 characters.
@@ -49,7 +52,7 @@ key <clientId> <keyId> <access> <flags> <label> <file>
 where:
 
 - `<clientId>`: Unsigned 8-bit integer (0-255) representing the client ID the key belongs to.
-- `<keyId>`: Unsigned 16-bit integer (0-65535) representing the key ID.
+- `<keyId>`: Unsigned 16-bit integer (1-65535) representing the key ID. Note that 0 is an invalid key ID.
 - `<access>`: Unsigned 16-bit integer (0-65535) representing access permissions.
 - `<flags>`: Unsigned 16-bit integer (0-65535) representing key flags.
 - `<label>`: Label string enclosed in double quotes, maximum 24 characters.
@@ -93,7 +96,7 @@ objcopy -I binary -O ihex --change-address <offset> <input-file> <output-file>
 
 where:
 
-- `<offset>` is the offset into the NVM image for the start of the NVM partition
+- `<offset>` is the offset to the base address that will be applied to the generated hex file. Without this option, the offset is 0x0, so automated programming tools will attempt to load the hex file starting at address 0x0, which is likely not the desired behavior. The <offset> parameter should correspond to the base address of the NVM partition used by wolfHSM in the device's address space.
 - `<input-file>` is the NVM image file generated by `whnvmtool`
 - `<output-file>` is the name of the output hex file
 

From dae5ac4f77d6b74917ee2045c8c74531f4dd2d50 Mon Sep 17 00:00:00 2001
From: Brett Nicholas <7547222+bigbrett@users.noreply.github.com>
Date: Thu, 17 Oct 2024 09:39:10 -0600
Subject: [PATCH 3/3] fix doc issues

---
 tools/whnvmtool/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/whnvmtool/README.md b/tools/whnvmtool/README.md
index 1553669d..a131e815 100644
--- a/tools/whnvmtool/README.md
+++ b/tools/whnvmtool/README.md
@@ -96,7 +96,7 @@ objcopy -I binary -O ihex --change-address <offset> <input-file> <output-file>
 
 where:
 
-- `<offset>` is the offset to the base address that will be applied to the generated hex file. Without this option, the offset is 0x0, so automated programming tools will attempt to load the hex file starting at address 0x0, which is likely not the desired behavior. The <offset> parameter should correspond to the base address of the NVM partition used by wolfHSM in the device's address space.
+- `<offset>` is the offset to the base address that will be applied to the generated hex file. Without this option, the offset is 0x0, so automated programming tools will attempt to load the hex file starting at address 0x0, which is likely not the desired behavior. The `<offset>` parameter should correspond to the base address of the NVM partition used by wolfHSM in the device's address space.
 - `<input-file>` is the NVM image file generated by `whnvmtool`
 - `<output-file>` is the name of the output hex file