Enforce NVM objects' flags

[rizlik]

TODO:

• consolidate internal key caching
• avoid duplicates id in key cache
• remove duplicated code in key cache
• enforce flag in counters NOT FOR THIS PR
• add nondestroyable flag
• fix she tests

[bigbrett]

@rizlik could you please squash the 25 commits before we start reviewing

[Copilot]

Pull request overview

This PR implements comprehensive flag enforcement for NVM objects, including the new WH_NVM_FLAGS_NONMODIFIABLE (renamed from WH_NVM_FLAGS_IMMUTABLE) and WH_NVM_FLAGS_NONDESTROYABLE flags. The implementation adds policy checking at both the NVM and keystore layers, consolidates internal key caching logic to avoid duplicates, and introduces a key revocation feature that marks keys as non-modifiable with no usage permissions.

Key changes:

• Centralized policy enforcement through _KeystoreCheckPolicy() and wh_Nvm_CheckPolicy() functions
• New "Checked" variants of API functions that enforce flag policies before operations
• Key revocation functionality that prevents key usage while blocking erasure
• Improved cache management that properly handles duplicate key IDs

Reviewed changes

Copilot reviewed 27 out of 27 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
wolfhsm/wh_common.h	Renamed WH_NVM_FLAGS_IMMUTABLE to WH_NVM_FLAGS_NONMODIFIABLE and added WH_NVM_FLAGS_NONDESTROYABLE flag
wolfhsm/wh_server_keystore.h	Added checked variants of keystore functions and revoke operation declarations
wolfhsm/wh_nvm.h	Added checked variants for NVM operations
wolfhsm/wh_message*.h	Added message structures for key revocation and SHE PreProgramKey
wolfhsm/wh_client*.h	Added client-side API for key revocation and SHE PreProgramKey
src/wh_nvm.c	Implemented centralized NVM policy checking for add/read/destroy operations
src/wh_server_keystore.c	Implemented keystore-level policy enforcement and key revocation logic
src/wh_server_nvm.c	Updated NVM request handlers to use checked variants and perform key ID translation
src/wh_server_she.c	Implemented PreProgramKey handler and updated to use checked variants
src/wh_server_crypto.c	Updated crypto functions to use checked cache slot allocation
src/wh_server_counter.c	Added key ID translation for counter operations
src/wh_server_cert.c	Updated to use checked cache slot functions
src/wh_client*.c	Implemented client-side request/response handlers for new operations
src/wh_message*.c	Implemented message translation functions for new message types
test/wh_test_nvmflags.*	Comprehensive test suite for flag enforcement on NVM objects, keys, and counters
test/wh_test_crypto.c	Added tests for duplicate key caching and key revocation
test/wh_test_cert.c	Updated flag usage from IMMUTABLE to NONMODIFIABLE
test/wh_test_clientserver.c	Fixed NvmList ID handling with proper key ID extraction
test/config/wolfhsm_cfg.h	Increased big cache count to 3 for test requirements
examples/posix/.../wolfhsm_cfg.h	Added big cache count configuration

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[rizlik]

@rizlik could you please squash the 25 commits before we start reviewing

reduced to 7 probably worth keeping separate

[Copilot]

Pull request overview

Copilot reviewed 27 out of 27 changed files in this pull request and generated 17 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[rizlik]

fixed copilot comments

[billphipps]

review in progress

[bigbrett]

As we discussed offline, no big architectural changes needed (yet), as those should be deployed across the codebase in one fell swoop. For now here are some items I noticed.

feedback addressed

[billphipps]

Looks like a great step in the right direction! Feel free to resolve all open comments and let me know when you are good to merge.

[billphipps]

Maybe it makes sense to erase the content when revoked? Save some space?