Advantages of using wolfTPM with ST33 TPM 2.0

wolfTPM is the only TPM 2.0 library designed for baremetal and embedded systems. It also has native Windows and Linux support, alongside a TPM simulator for rapid development and testing.

When it comes to choosing a TPM 2.0 dedicated chip for your project, there are multiple options: Nuvoton NPCT75x, STMicroelectronics ST33, Infineon SLB9670, Microchip ATTPM20P, etc.

Here are our highlights when using the ST33 chip with wolfTPM:

  • Only wolfTPM supports GPIO control for ST33
    • Depending on the chip variant, an ST33 can offer up to four (4) extra GPIO
    • Access to these GPIO is protected by TPM 2.0 authorization
    • This makes the GPIO control offered by wolfTPM a great tool for signaling critical, important or security events across subsystems
    • wolfTPM also provides open-source example code ready for use

  • ST33 has the most non-volatile memory storage on the market right now
    • TPM 2.0 NVRAM storage is typically limited, which makes the ST33 stand out. Multiple certificates and keys can be stored in the ST33 non-volatile memory
    • wolfTPM offers open-source examples on how to securely store secrets and keys in the TPM’s NVRAM
  • Using ST33 for Automotive, Industrial, Medical and Aerospace devices with wolfTPM is easy
    • Critical-safety systems often use state machines and RTOS
    • Baremetal and RTOS environments do not provide a driver for TPM 2.0
    • Thanks to wolfTPM’s design, using ST33 without a driver is possible
    • wolfTPM has its own internal TIS layer and direct support for I2C and SPI
  • Using ST33 for IoT devices with wolfTPM is highly recommended, because our TPM 2.0 stack is lightweight. In comparison with other libraries, wolfTPM produces 20 times less code and uses 100 times less memory.
  • Only ST33 supports AES symmetric operations for encryption and decryption by default, using TPM2_EncryptDecrypt2. Other TPM 2.0 modules support by default only AES CFB for parameter encryption.


Contact us at if you want more information about wolfTPM or if you have any questions about using ST33 TPM 2.0 in embedded systems.


Cryptographic benchmarks on the new Apple M1

wolfSSL is up and running and tested on Apple’s new M1 chip, and with the right options it is blazing fast! We have decided to benchmark our wolfCrypt/wolfSSL libraries on the Apple M1, to show you just how well the M1 will perform in our standard cryptographic benchmarks.

See below for more details!

GMAC Table 4-bit       349.384      347.843      1133.42  MB/s
RSA 2048 public      19270.458    19386.083    61480.153  ops/sec
RSA 2048 private       310.831      312.818     1855.512  ops/sec
DH 2048 agree         1032.402     1019.901     3984.282  ops/sec
ECDHE P-256 agree     1627.551   2351.7322747.658         ops/sec
ECDSA P-256 sign      1570.605     9734.156    40588.639  ops/sec
ECDSA P-256 verify    2388.126     9321.698    22289.143  ops/sec
ECC P-256 key gen     1613.476    11507.204    64141.471  ops/sec
DH 2048 key gen       2042.726     2059.996     4098.742  ops/sec

If you have questions on these benchmarks, or if you would like some support to help replicate them on your system, let us know at or give us a call!

wolfSSL support for NXP i.MX RT1060

The i.MX RT1060 is a powerful crossover MCU implementation of the Arm Cortex-M7 core, designed and produced by NXP. This MCU contains a TRNG and a data co-processor (DCP). The latter is capable of performing AES encryption and decryption, as well as calculating SHA and SHA256 digests.

Starting from version 4.7.0, wolfSSL provides a port driver that can redirect all the AES and SHA/SHA256 operations to the DCP. This has a number of advantages over the software implementations: it reduces the footprint of the compiled library, improves performance and uses less power.

The DCP driver can be enabled via the compile-time flag WOLFSSL_IMXRT_DCP, which delegates all the AES and SHA/SHA256 operations to the hardware co-processor. When this option is enabled, all TLS connections using these algorithms will rely on the hardware to perform the operations.

wolfSSL can also use the TRNG present in this core as an entropy source to seed the DRBG. Support for TRNG on this board can be enabled by adding the compile-time flag FREESCALE_KSDK_2_0_TRNG.

wolfSSL is not the only component in the product family that directly benefits from the presence of these secure elements on this target platform. SSH servers and clients based on wolfSSH will automatically use the accelerators for both SHA and AES when available and compiled in. The port of wolfBoot, our secure bootloader, for i.MX-RT1060 uses the SHA256 hardware acceleration to speed up the verification of the integrity of the firmware image. A full port of wolfBoot for i.MX-RT1060 is available, and its hardware abstraction layer has been distributed with wolfBoot since version 1.7.1.

i.MX-RT1060 is a popular choice as an edge computing platform, often deployed in combination with a real-time operating system and TCP/IP connectivity. wolfSSL, wolfSSH, wolfBoot and wolfMQTT can be easily added to these scenarios to enable secure communication, secure remote shell and filesystem services, as well as secure boot and remote firmware updates. The extra hardware security provided by DCP and TRNG makes the i.MX-RT1060 a reliable platform to build professional grade security with the latest standards.

For more information about solutions based on i.MX RT1060 and other embedded systems, contact us today at
