This guide provides a systematic, step-by-step procedure to set up a complete RISC-V embedded development environment with Post-Quantum Cryptography ( ML-Kyber-512 and Dilithium2) support. Follow each section in order to successfully establish the development environment.
Ensure your system has the following installed:
- Python 3.8+
- Git
- Build tools:
build-essential,cmake,autoconf,automake,libtool - Linux environment (Ubuntu 20.04 or newer recommended)
This repository contains a complete RISC-V embedded system with Post-Quantum Cryptography support, organized into the following directories:
Bare-metal firmware for the RISC-V embedded client:
main.c- Main client firmware implementing DTLS 1.3 handshake with Dilithium PQC certificatescrt0.d/linker.ld- RISC-V bootloader and memory layout configurationMakefile- Build system for compiling the firmwarewolfssl/- WolfSSL/WolfCrypt headers and certificate datacerts_dilithium_data.h- Auto-generated C arrays containing embedded Dilithium certificates (CA, client cert, client key)
src/- Additional firmware source fileswolfcrypt/- WolfCrypt cryptographic library headers
Host-side server implementations and certificate generation tools:
dtls13_dilithium_server.c- DTLS 1.3 server with Dilithium PQC supportdtls13_ca_server.c- CA-based DTLS server implementationdtls13_pqc_server.c- Generic PQC DTLS serverserver- Compiled server binarygenerate_dilithium_certs_p256.sh- Primary script for generating Dilithium certificates with P-256 hybrid approachgenerate_dilithium_certs.sh/generate_dilithium_certs_simple.sh- Alternative certificate generation scriptsgenerate_dilithium_certs.c- C implementation for certificate generationcerts_dilithium_to_header.py- Converts PEM certificates to C header arrays for firmware embeddingcerts_to_header.py- Generic certificate-to-header conversion utilitygenerate_ca_certs.sh/generate_pqc_certs.sh- Alternative certificate generation scriptsinstall_pqc_wolfssl.sh- WolfSSL PQC installation automation scriptudp_echo_server.py- Simple UDP echo server for testingcerts/- Traditional (non-PQC) certificate storagecerts_dilithium/- Generated Dilithium PQC certificates (ca-cert.pem, server-cert.pem, client-cert.pem, keys)
Build artifacts and intermediate files:
sim/- LiteX simulation build output (CSR definitions, Verilog, memory maps)
These directories contain the LiteX SoC framework and peripherals:
Main LiteX SoC framework - provides FPGA/simulation infrastructure for RISC-V CPU and peripherals
Board support packages and hardware platform definitions
LiteDRAM controller - DRAM memory controller core
LiteEth - Ethernet MAC and PHY implementation (used for network communication in this project)
Logic analyzer for debugging FPGA designs
SD card controller module
SPI flash controller
SATA controller implementation
PCIe controller core
Inter-chip communication links (SerDes)
JESD204B high-speed serial interface
I2C controller implementation
RISC-V and other CPU implementations in Python HDL format:
VexRiscv - Primary RISC-V CPU core used in this project (32-bit, customizable pipeline)
VexRiscv SMP - Multi-core variant
VexiiRiscv - Next-generation VexRiscv implementation
pythondata-cpu-lm32/- LatticeMico32 soft processorpythondata-cpu-minerva/- Minerva RISC-V corepythondata-cpu-mor1kx/- OpenRISC processorpythondata-cpu-naxriscv/- NaxRiscv RISC-V corepythondata-cpu-sentinel/- Sentinel RISC-V corepythondata-cpu-serv/- SERV bit-serial RISC-V core
Migen - Python-based HDL (Hardware Description Language) toolbox, foundation for LiteX
Compiler runtime support libraries
Picolibc - Embedded C library for bare-metal systems
TAP network interface configuration utilities
USB OHCI controller implementation
USB device controller core
WolfSSL library source code with PQC support (Dilithium, ML-KEM, Kyber)
Python virtual environment containing all LiteX dependencies and tools
Master setup script for initializing LiteX environment and installing toolchains
boot.fbi- Firmware binary image (alternative format)csr.json- Control/Status Register definitions for the simulated SoCREADME.md- This comprehensive setup guideREADME.md.backup- Backup of previous README versionCA_IMPLEMENTATION_SUMMARY.md- Certificate Authority implementation documentationdemo_results.md- Demonstration results and performance metricsDILITHIUM_DEMO_RESULTS.md- Dilithium-specific test resultscsr.json- SoC CSR (Control and Status Register) map
┌─────────────────────────────────────────────────────────────┐
│ Certificate Generation │
│ host/generate_dilithium_certs_p256.sh │
│ ↓ │
│ host/certs_dilithium/*.pem │
│ ↓ │
│ host/certs_dilithium_to_header.py │
│ ↓ │
│ boot/wolfssl/certs_dilithium_data.h │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Firmware Build │
│ boot/main.c + boot/wolfssl/certs_dilithium_data.h │
│ ↓ │
│ litex_bare_metal_demo │
│ ↓ │
│ boot.bin (RISC-V firmware with embedded PQC certs) │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ Runtime Execution │
│ Server: host/server (192.168.1.100:6000) │
│ ↕ DTLS 1.3 + Dilithium + Kyber │
│ Client: litex_sim + boot.bin (192.168.1.50:60000) │
│ ↑ │
│ VexRiscv CPU @ 1MHz with LiteEth network │
└─────────────────────────────────────────────────────────────┘
Clone the project repository containing the LiteX configuration and simulation modules:
git clone https://github.com/divyansh-1009/Inter_IIT_Cybersecurity_ID-67.git
cd Inter_IIT_Cybersecurity_ID-67Isolate LiteX and Python dependencies using a virtual environment:
python3 -m venv litex-env
source litex-env/bin/activateInstall required system packages:
sudo apt update
sudo apt install -y libevent-dev libjson-c-dev verilator meson ninja-build autoconf automake libtoolMake the setup script executable and initialize:
chmod +x litex_setup.py
./litex_setup.py --init --installInstall additional Python dependencies:
pip3 install meson ninjaInstall the RISC-V GCC toolchain using the LiteX setup utility:
sudo ./litex_setup.py --gcc=riscvClone the WolfSSL repository:
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfsslRun the autoconf setup:
./autogen.shConfigure with comprehensive PQC and DTLS support:
./configure \
--enable-opensslcoexist \
--enable-opensslextra \
--enable-opensslall \
--enable-dilithium \
--enable-mlkem \
--enable-kyber \
--enable-sp \
--enable-debug \
--enable-certgen \
--enable-pkcs7 \
--enable-pkcs12 \
--enable-tlsx \
--enable-dtls \
--enable-dtls13 \
--enable-dtls-frag-ch \
CFLAGS="-DWC_ENABLE_DILITHIUM -DWC_ENABLE_MLKEM -DWOLFSSL_STATIC_RSA -DWOLFSSL_STATIC_DH"Build and install:
make -j$(nproc)
sudo make install
sudo ldconfigReturn to the project directory:
cd ..Ensure the virtual environment is still active:
source litex-env/bin/activateGenerate Dilithium CA, server, and client certificates:
./host/generate_dilithium_certs_p256.shThis creates the following certificates in host/certs_dilithium/:
- ca-cert.pem - Dilithium Root CA certificate
- server-cert.pem - Dilithium Server certificate
- server-key.pem - Dilithium Server private key
- client-cert.pem - Dilithium Client certificate
- client-key.pem - Dilithium Client private key
Convert the generated Dilithium certificates to C header format for firmware embedding:
python3 host/certs_dilithium_to_header.pyThis generates:
- boot/wolfssl/certs_dilithium_data.h - C header containing embedded certificate arrays for the firmware
Verify the header file was created:
ls -la boot/wolfssl/certs_dilithium_data.hConfigure the tap0 virtual network interface for RISC-V simulation to communicate with the host server:
If tap0 already exists and is busy, remove it first:
sudo ip link set tap0 down
sudo ip link del tap0Create and configure tap0:
sudo ip tuntap add dev tap0 mode tap
sudo ip addr flush dev tap0
sudo ip addr add 192.168.1.100/24 dev tap0
sudo ip link set tap0 upVerify the interface:
ip addr show tap0You should see output similar to:
3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
link/ether 12:34:56:78:9a:bc brd ff:ff:ff:ff:ff:ff
inet 192.168.1.100/24 scope global tap0
Compile the server binary with WolfSSL support:
gcc host/dtls13_dilithium_server.c -o host/server \
-I/usr/local/include \
-L/usr/local/lib \
-Wl,-rpath=/usr/local/lib \
-lwolfsslVerify the server binary was created:
ls -la host/serverTerminal 1 - Start the DTLS Server:
./host/serverThe server will:
- Listen on
192.168.1.100:6000 - Load the Dilithium CA certificate to verify client authenticity
- Load the Dilithium server certificate and private key
- Require mutual TLS authentication with PQC certificates
- Use DTLS 1.3 with AES-128-GCM-SHA256 cipher suite
- Enable Kyber post-quantum key exchange
Expected output:
Starting Dilithium PQC DTLS Server...
Listening on 192.168.1.100:6000
Waiting for client connections...
Terminal 2 - In a new terminal, ensure virtual environment is active:
source litex-env/bin/activateRegenerate the bare-metal demo firmware (now with embedded Dilithium certificates):
litex_bare_metal_demo --build-path=build/simThis creates:
- boot.bin - Compiled RISC-V firmware with embedded Dilithium certificates
Terminal 2 - Launch the RISC-V simulation client:
litex_sim --csr-json csr.json \
--cpu-type=vexriscv \
--cpu-variant=full \
--integrated-main-ram-size=0x06400000 \
--ram-init=boot.bin \
--with-ethernetThe simulation will:
- Start a RISC-V VexRiscv CPU running at 1MHz
- Load the compiled firmware (
boot.bin) into simulated RAM - Initialize network interface at
192.168.1.50:60000 - Perform DTLS 1.3 handshake with server using Dilithium certificates
- Validate server's certificate against Dilithium CA
- Present client certificate for mutual authentication
- Establish encrypted channel with post-quantum cryptography
- Server Ready - Waiting for client connection on
192.168.1.100:6000 - Client Boot - RISC-V loads firmware from boot.bin
- Network Initialize - Embedded system obtains IP
192.168.1.50(simulated) - DTLS Initiation - Client initiates handshake with server
- Certificate Exchange - Both parties exchange and validate Dilithium certificates
- Handshake Completion - Mutual authentication established (takes 30-60 seconds due to 1MHz CPU)
- Encrypted Communication - Application data exchanged over secured channel
- Loads Dilithium CA certificate (558 bytes) from embedded arrays
- Loads Dilithium client certificate (476 bytes) and private key (121 bytes)
- Initiates DTLS 1.3 handshake with server
- Validates server's Dilithium certificate against CA
- Presents client Dilithium certificate for mutual authentication
- Uses TLS13-AES128-GCM-SHA256 cipher
- Enables Post-Quantum Key Exchange (Kyber)
- Sends encrypted application data
- Loads Dilithium CA certificate to verify client
- Loads server certificate and private key
- Validates client Dilithium certificate against CA
- Completes DTLS 1.3 handshake with PQC support
- Receives and processes encrypted data
- Demonstrates quantum-resistant mutual authentication
In a third terminal, capture traffic on the tap0 interface:
sudo tcpdump -i tap0 -nn udp and port 6000Monitor client output in Terminal 2 (simulation) and server output in Terminal 1 to observe the handshake progress.
Verify tap0 is active during the simulation:
ip addr show tap0| Issue | Solution |
|---|---|
| "No such file or directory" (certificates) | Ensure Dilithium certificates are generated: ./host/generate_dilithium_certs_p256.sh |
| "Device or resource busy" (tap0) | Remove and recreate tap0: sudo ip link del tap0 then repeat Step 9 |
| "Command not found" (litex_sim) | Activate virtual environment: source litex-env/bin/activate |
| Server compilation fails | Verify wolfSSL installed: ldconfig -p | grep wolfssl |
| Handshake timeout | Normal behavior with 1MHz simulated CPU - wait 30-60 seconds |
| Client won't connect | Ensure tap0 is up and server is running on correct IP (192.168.1.100:6000) |
| ASN_SIG_KEY_E error | Ensure certificates use prime256v1 (P-256), not secp384r1 |
host/generate_dilithium_certs_p256.sh- Certificate generation script with Dilithium naminghost/certs_dilithium_to_header.py- Converts Dilithium certificates to C headershost/dtls13_dilithium_server.c- Server implementation with Dilithium PQC supportboot/main.c- Client firmware with embedded Dilithium certificatesboot/wolfssl/certs_dilithium_data.h- Embedded Dilithium certificate arrays (auto-generated)
source litex-env/bin/activatecd Constraint_Env_Sim
source litex-env/bin/activate
./host/generate_dilithium_certs_p256.sh
python3 host/certs_dilithium_to_header.py
sudo ip tuntap add dev tap0 mode tap
sudo ip addr add 192.168.1.100/24 dev tap0
sudo ip link set tap0 up# Terminal 1: Start server
./host/server
# Terminal 2: Build and run client
source litex-env/bin/activate
litex_bare_metal_demo --build-path=build/sim
litex_sim --csr-json csr.json --cpu-type=vexriscv --cpu-variant=full \
--integrated-main-ram-size=0x06400000 --ram-init=boot.bin --with-ethernet
# Terminal 3: Monitor traffic (optional)
sudo tcpdump -i tap0 -nn udp and port 6000✅ Repository cloning and environment setup
✅ WolfSSL with comprehensive PQC support (Dilithium, ML-KEM, Kyber)
✅ Dilithium certificate generation and conversion
✅ tap0 network interface configuration
✅ DTLS 1.3 server with PQC authentication
✅ Embedded client firmware with quantum-resistant certificates
✅ Mutual TLS authentication with CA validation
✅ Post-quantum key exchange (Kyber)
- WolfSSL Documentation: https://github.com/wolfSSL/wolfssl
- LiteX Documentation: https://github.com/enjoy-digital/litex
- Post-Quantum Cryptography: https://en.wikipedia.org/wiki/Post-quantum_cryptography
- DTLS 1.3 RFC: https://tools.ietf.org/html/rfc9147
Last Updated: December 2024
Version: 1.0
Status: Production Ready