We’re excited to announce that wolfBoot now delivers full TrustZone-M support for the Nordic nRF5340, one of the most popular dual-core SoCs in the connected IoT space.
Beyond Basic Secure Boot
The nRF5340’s application core features an Arm Cortex-M33 with TrustZone-M capabilities, and wolfBoot now takes full advantage of this architecture. By configuring the System Protection Unit (SPU) – Nordic’s hardware security peripheral – wolfBoot creates an impenetrable barrier between privileged bootloader code and your application firmware.
Your bootloader runs in the Secure World where it handles firmware authentication and update management. Meanwhile, your application – with all its Bluetooth LE, Bluetooth Mesh, Thread, NFC or Zigbee complexity – executes in the Non-Secure World with limited privileges. An attacker who compromises your wireless stack cannot escalate to modify boot code or signing keys.
Secure Cryptographic API: a Game Changer
Here’s where the nRF5340 implementation really shines. We’ve integrated the WOLFCRYPT_TZ_PKCS11 option, which exposes a secure cryptographic API to Non-Secure applications through the industry-standard PKCS#11 interface.
What does this mean in practice?
Your application can perform RSA, ECC, AES, and other crypto operations by calling into the Secure World, so that signing, encryption, and key derivation happen behind the TrustZone boundary and your Non-Secure code only receives the results. In addition, any keys or other objects stored via the PKCS#11 API stay locked in a secure flash partition.
This is crucial for IoT devices that need to establish secure connections, authenticate cloud services, or sign telemetry data. Even if your application has a buffer overflow or is running untrusted third-party code, the cryptographic material remains protected.
Built for Real-World Wireless Applications
The nRF5340 is a workhorse in Bluetooth LE, Thread, Zigbee, and Matter deployments. Its dual-core design dedicates the network core to real-time radio protocol handling while the application core manages higher-level logic.
wolfBoot’s TrustZone implementation complements this architecture perfectly. Firmware updates arrive over-the-air through potentially hostile networks, but the update verification and installation process is locked down in hardware-isolated code. Your device can’t be bricked, backdoored, or hijacked, even when your application is exposed to the open internet.
Ready to Deploy
You’ll find two new reference configurations in the config/examples directory in the wolfBoot repository:
- nrf5340-tz.config: just TrustZone support, without the PKCS#11 API
- nrf5340-wolfcrypt-tz.config: TrustZone support with the PKCS#11 API
These configurations are for the application core. The network core does not support TrustZone, but the non-TrustZone nrf5340_net.config works perfectly in tandem with the TrustZone-enabled application core configurations above.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.