wolfSSL is excited to announce the first official release of wolfPSA 5.9.1, a wolfCrypt-backed implementation of the Arm PSA interfaces for embedded and connected systems.
What is PSA?
PSA, or Platform Security Architecture, defines standard interfaces for security services used in embedded systems. In practice, PSA gives applications, RTOSes, secure firmware, and test frameworks a common way to request cryptography and attestation services without tying the application to one specific secure-world implementation.
wolfPSA provides this compatibility layer on top of wolfCrypt. It acts as a PSA Crypto engine interface for operations such as random generation, key management, hashing, MAC, cipher, AEAD, signatures, key agreement, and key derivation. It also exposes the PSA Initial Attestation interface expected by PSA-based systems, helping projects build against a standard API surface while relying on wolfSSL components underneath.
What is included in wolfPSA 5.9.1?
wolfPSA 5.9.1 is the initial public wolfPSA release and follows the wolfSSL 5.9.1 version numbering. This release includes:
- PSA Crypto API entry points implemented in C on top of wolfCrypt
- Static and shared builds: libwolfpsa.a and libwolfpsa.so
- PSA lifecycle, RNG, key management, persistent key storage, cipher, AEAD, hash, MAC, asymmetric crypto, key derivation, and TLS 1.3 PRF/HKDF support
- Algorithm coverage including AES, ChaCha20, ChaCha20-Poly1305, SHA-1/SHA-2/SHA-3, HMAC, CMAC, RSA, ECC/ECDSA/ECDH, Curve25519/Curve448, Ed25519/Ed448, and configured compatibility options
- Integration points for post-quantum and hash-based algorithms when enabled in wolfCrypt, including ML-KEM, ML-DSA, LMS, and XMSS
- Standalone tests and demos, including PSA API calls, PSA-backed wolfCrypt benchmarking, and TLS examples using PSA-managed keys
First demo use case: wolfBoot secure domain + Zephyr
One of the first application-side integration cases for wolfPSA is the wolfBoot TrustZone-M secure domain work for Zephyr.
In this model, wolfBoot runs in the ARMv8-M secure world and provides the secure boot, firmware update, and secure service boundary. wolfPSA is hosted inside that secure domain, while Zephyr runs in the non-secure world and calls PSA Crypto APIs through the wolfBoot-backed TEE/NSC interface.
This demonstrates wolfPSA as more than a standalone library: it becomes a compatibility layer for PSA-aware applications and RTOS environments, while allowing wolfBoot and wolfCrypt to anchor the cryptographic boundary in the secure domain.
Availability
wolfPSA 5.9.1 is available now. It is designed for teams building PSA-compatible embedded systems, Zephyr TrustZone designs, secure boot chains, and products that want wolfCrypt-backed cryptography behind a standard PSA-facing API.
For questions about wolfPSA, wolfBoot secure-domain integration, licensing, or commercial support, contact us at facts@wolfssl.com or call +1 425 245 8247.