Addressed two more comments

- Added option WOLFSSL_TA100_AUTO_LOCK to permanently store generated keys in the vault
- fixed key size for HW RSA keys in signature.c

Author: danielinux

wolfcrypt/src/port/atmel/README.md

@@ -98,6 +98,36 @@ ATECC508A HW accelerated implementation:
 
 ### Microchip Trust Anchor TA100 ECC/RSA
 
+## TA100 Support Notes
+
+The TA100 integration uses Microchip CryptoAuthLib TALIB APIs and supports
+ECC P-256 and RSA (2048 or 3072 depending on build options). This port is
+built against CryptoAuthLib v3.6.0. TA100 uses
+device handles rather than ATECC slot addresses; wolfSSL maps ECC slots to
+TA100 handles internally and uses a dedicated symmetric key handle for AES-GCM.
+
+Key points:
+* TA100 support is enabled via `WOLFSSL_MICROCHIP_TA100` and CryptoAuthLib
+  must be built with TA100 support enabled (`ATCA_TA100_SUPPORT`).
+* RSA key size selection uses `WOLFSSL_SP_NO_2048` / `WOLFSSL_SP_NO_3072`
+  to choose `WOLFSSL_TA_KEY_TYPE_RSA` and `WOLFSSL_TA_KEY_TYPE_RSA_SIZE`.
+* AES-GCM support requires `WOLFSSL_MICROCHIP_AESGCM` and CryptoAuthLib
+  TA100 AES-GCM support (`ATCA_TA100_AES_AUTH_SUPPORT`).
+
+### TA100 Auto-Lock Option
+
+By default, wolfSSL does **not** lock the TA100 setup/data zone when setting
+an AES key. If you want to lock the setup/data zone automatically after the
+AES key is loaded, define:
+
+`WOLFSSL_TA100_AUTO_LOCK=1`
+
+This gates the call to `talib_lock_setup()` inside
+`wc_Microchip_aes_set_key()` in `wolfcrypt/src/port/atmel/atmel.c`.
+Because locking is a one-way operation on real hardware, this option is
+disabled by default and should only be enabled in a controlled provisioning
+flow.
+
 rm -rf build-shared
 cmake -S . -B build-shared \
   -DCMAKE_BUILD_TYPE=Debug \

wolfcrypt/src/port/atmel/atmel.c

@@ -1898,12 +1898,14 @@ int wc_Microchip_aes_set_key(Aes* aes, const byte* key, word32 keylen,
     status = talib_aes_gcm_keyload(atcab_get_device(), aes->key_id, 0);
     CHECK_STATUS(status);
 
+#if WOLFSSL_TA100_AUTO_LOCK
     /* Test if data zone is locked */
     status = talib_is_setup_locked(atcab_get_device(), &is_locked);
     if (!is_locked) {
         status = talib_lock_setup(atcab_get_device());
         CHECK_STATUS(status);
     }
+#endif
 
     return atmel_ecc_translate_err(status);
 }

wolfcrypt/src/signature.c

@@ -114,9 +114,9 @@ int wc_SignatureGetSize(enum wc_SignatureType sig_type,
 #if defined(WOLFSSL_MICROCHIP_TA100)
                 if (sig_len <= 0) {
                     const RsaKey* r = (const RsaKey*)key;
-                    /* TA100 handles imply a 2048-bit RSA key. */
+                    /* TA100 handles imply a hardware RSA key. */
                     if (r->rKeyH != 0 || r->uKeyH != 0) {
-                        sig_len = 256;
+                        sig_len = WOLFSSL_TA_KEY_TYPE_RSA_SIZE;
                     }
                 }
 #endif

wolfssl/wolfcrypt/port/atmel/atmel.h

@@ -149,6 +149,10 @@ int  atmel_ecc_verify_ex(const byte* message, word32 message_len,
 
 #if defined(WOLFSSL_MICROCHIP_TA100)
 
+#ifndef WOLFSSL_TA100_AUTO_LOCK
+    #define WOLFSSL_TA100_AUTO_LOCK 0
+#endif
+
 #if !defined(NO_AES) && defined(HAVE_AESGCM) && \
     defined(WOLFSSL_MICROCHIP_AESGCM)
 #include <wolfssl/wolfcrypt/aes.h>