wolfBoot, the secure bootloader from wolfSSL, has a new target: ST’s STM32G4 family of mixed-signal Cortex-M4F microcontrollers. The port has been validated on the NUCLEO-G491RE board (STM32G491RET6: 512 KB flash, 96 KB SRAM, 170 MHz).
Why the STM32G4
The G4 family lands in a sweet spot for industrial and motor-control designs: enough FPU and DSP performance for serious signal processing, internal CCM RAM for time-critical code, and integrated analog (op-amps, comparators, fast ADCs) that closes the loop without external glue. Adding a verified-boot path means devices in that space can deliver field firmware updates while keeping the trust anchor on the chip and the rollback rules in code you control.
Verified on hardware
Two end-to-end tests were run on a NUCLEO-G491RE:
- First boot. Programmed factory.bin to flash, reset, watched the bootloader read its boot partition, run SHA256 integrity and ECC256 signature verification, and hand off to the signed v1 application. LD2 lit on PA5.
- A/B update. Signed a v2 image, assembled an update payload with the pBOOT trigger trailer, programmed it to the update partition at 0x08042000, and reset. The bootloader detected the trigger, performed a full 116-sector triangle swap between the boot and update partitions (the swap sector buffers each three-way move), re-verified the new image, and booted v2.
The swap path is the demanding test: it exercises the flash erase and program routines while they execute from RAM, on the same flash whose pages are being rewritten. Both runs completed without errors on stock silicon.
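A host-side model of the triangle swap described above, added here as an illustration and not taken from wolfBoot's source. It assumes 2 KB sectors (232 KB per slot divided by the 116 sectors reported) and uses a hypothetical per-sector `step` flag to show why buffering each move through the swap sector lets an interrupted update resume after a reset.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 0x800u /* assumption: 232 KB slot / 116 sectors = 2 KB */
#define SECTORS     116u
static uint8_t boot_part[SECTORS][SECTOR_SIZE], update_part[SECTORS][SECTOR_SIZE];
static uint8_t swap_sector[SECTOR_SIZE], step[SECTORS]; /* step: hypothetical progress flag, 0..3 */
static long ops_left; /* sector copies left before simulated power loss */

/* Constructed images: v1 (odd bytes) in boot, v2 (even bytes) in update. */
void fill_images(void) {
    for (uint32_t s = 0; s < SECTORS; s++) {
        memset(boot_part[s], (int)(2 * s + 1), SECTOR_SIZE);
        memset(update_part[s], (int)(2 * s), SECTOR_SIZE);
    }
    memset(step, 0, sizeof step);
}

/* Erase, then program. On power loss the erase has landed, the program has not. */
static int copy_sector(uint8_t *dst, const uint8_t *src) {
    memset(dst, 0xFF, SECTOR_SIZE);
    if (ops_left-- <= 0) return -1;
    memcpy(dst, src, SECTOR_SIZE);
    return 0;
}

/* Per sector: update -> swap, boot -> update, swap -> boot; a step is marked done only after its copy. */
int triangle_swap(long budget) {
    ops_left = budget;
    for (uint32_t s = 0; s < SECTORS; s++) {
        if (step[s] == 0) { if (copy_sector(swap_sector, update_part[s])) return -1; step[s] = 1; }
        if (step[s] == 1) { if (copy_sector(update_part[s], boot_part[s])) return -1; step[s] = 2; }
        if (step[s] == 2) { if (copy_sector(boot_part[s], swap_sector)) return -1; step[s] = 3; }
    }
    return 0;
}

/* 1 when boot holds all of v2 and update holds all of v1. */
int swapped_ok(void) {
    for (uint32_t s = 0; s < SECTORS; s++)
        for (uint32_t i = 0; i < SECTOR_SIZE; i++)
            if (boot_part[s][i] != 2 * s || update_part[s][i] != 2 * s + 1) return 0;
    return 1;
}

int main(void) { /* power loss after 100 copies, then resume after reset */
    fill_images();
    return (triangle_swap(100) == -1 && triangle_swap(1000) == 0 && swapped_ok()) ? 0 : 1;
}
```

At every interruption point the sector being overwritten still has an intact copy elsewhere (in the swap sector or the other partition), which is what makes the rerun safe in this model.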
What’s “in the box”
- A bare-metal HAL with no STM32Cube dependency. The bootloader builds from the wolfBoot tree alone — no vendor library install required.
- A shared hal/stm32g4.h register map — the same definitions back both the bootloader and the test application, so the two halves cannot drift out of sync.
- Default configuration signs application images with ECC256 and SHA256, and lays out the 512 KB flash as a 32 KB bootloader, 232 KB application slot, 232 KB update slot, and a 16 KB swap sector.
- The test application uses standard printf over LPUART1 (routed through test-app/syscalls.c), so version banners and update-confirmation messages show up on the ST-LINK virtual COM port with no extra wiring.
- Optional DEBUG_UART=1 enables the bootloader’s own boot trace on the same UART so you can watch the integrity check, signature verification, and A/B swap live.
- Clock brought to 170 MHz via the internal HSI16 oscillator + PLL with PWR Range 1 Boost — the bootloader runs at the same speed your application will.
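The default flash layout and the pBOOT-triggered update payload from the A/B test, checked in code. This is an added example, not code from the wolfBoot tree: the boot and swap start addresses and the 2 KB sector size are derived from the page's sizes, and placing the trailer in the last five bytes of the update partition is an assumption about this port.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_BASE  0x08000000u
#define FLASH_SIZE  (512u * 1024u)
#define SECTOR_SIZE 0x800u            /* assumption: 232 KB / 116 sectors */
#define PART_SIZE   (232u * 1024u)

struct region { const char *name; uint32_t start, size; };

/* Sizes from the page; starts other than 0x08000000 and 0x08042000 are derived. */
static const struct region layout[] = {
    { "bootloader", 0x08000000u, 32u * 1024u },
    { "boot",       0x08008000u, PART_SIZE },
    { "update",     0x08042000u, PART_SIZE },
    { "swap",       0x0807C000u, 16u * 1024u },
};
#define NREGIONS (sizeof layout / sizeof layout[0])

/* 0 when regions are sector-aligned, back-to-back, and end exactly at flash end. */
int check_layout(const struct region *r, size_t n) {
    uint32_t next = FLASH_BASE;
    for (size_t i = 0; i < n; i++) {
        if (r[i].start != next) return -1;                    /* gap or overlap */
        if (r[i].start % SECTOR_SIZE || r[i].size % SECTOR_SIZE) return -2;
        next = r[i].start + r[i].size;
    }
    return next == FLASH_BASE + FLASH_SIZE ? 0 : -3;
}

/* Pad a signed image with erased bytes and place "pBOOT" in the last 5 bytes
 * of the partition. Returns the trailer offset, or -1 if the image is too big. */
long build_update_payload(uint8_t *out, const uint8_t *img, size_t len) {
    const size_t off = PART_SIZE - 5;
    if (len > off) return -1;   /* image would collide with the trailer */
    memset(out, 0xFF, PART_SIZE);
    memcpy(out, img, len);
    memcpy(out + off, "pBOOT", 5);
    return (long)off;
}

int main(void) {
    static uint8_t payload[PART_SIZE];
    const uint8_t img[] = "constructed stand-in for a signed v2 image";
    printf("layout=%d trailer_off=0x%lx\n", check_layout(layout, NREGIONS),
           (unsigned long)build_update_payload(payload, img, sizeof img));
    return 0;
}
```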
Try it
The change is added in PR #777.
```sh
git clone https://github.com/wolfSSL/wolfBoot
cd wolfBoot
cp config/examples/stm32g4.config .config
make
STM32_Programmer_CLI -c port=swd -d factory.bin 0x08000000
```
Plug in a NUCLEO-G491RE, hit reset, and LD2 turns on. Add DEBUG_UART=1 to the build for boot logs over the ST-LINK VCP.
The wider STM32 picture
With G4 landing, wolfBoot covers most of ST’s general-purpose microcontroller lineup. The table below is the current state.
| Family | Core | Supported | Notes |
|---|---|---|---|
| STM32C0 | Cortex-M0+ | ☑ | Value line, single-bank |
| STM32C5 | Cortex-M33 | ☑ | New value line, dual-bank optional |
| STM32F0 | Cortex-M0 | ☐ | Legacy value line |
| STM32F1 | Cortex-M3 | ☑ | Classic mainstream |
| STM32F2 | Cortex-M3 | ☐ | Older high-performance |
| STM32F3 | Cortex-M4F | ☐ | Mixed-signal |
| STM32F4 | Cortex-M4F | ☑ | F407 / F411 / F429 / F439 examples |
| STM32F7 | Cortex-M7 | ☑ | Dual-bank example included |
| STM32G0 | Cortex-M0+ | ☑ | Single-bank, includes Secure Hide |
| STM32G4 | Cortex-M4F | ☑ | NUCLEO-G491RE, 170 MHz Boost |
| STM32H5 | Cortex-M33 + TZ | ☑ | Multiple TrustZone configs (OTP, LMS, PSA, TPM) |
| STM32H7 | Cortex-M7 | ☑ | OctoSPI external flash example |
| STM32L0 | Cortex-M0+ | ☑ | Ultra-low-power |
| STM32L1 | Cortex-M3 | ☐ | Legacy ultra-low-power |
| STM32L4 | Cortex-M4F | ☑ | Uses STM32CubeL4 HAL for flash driver |
| STM32L5 | Cortex-M33 + TZ | ☑ | Dual-bank, TrustZone, wolfCrypt-in-secure-world example |
| STM32U0 | Cortex-M0+ | ☐ | New ultra-low-power entry |
| STM32U3 | Cortex-M33 | ☑ | No TrustZone, 96 MHz from MSI RC0 |
| STM32U5 | Cortex-M33 + TZ | ☑ | Dual-bank, TrustZone, ultra-low-power performance |
| STM32WB | Cortex-M4F | ☑ | BLE 5.x, delta + encrypted update examples |
| STM32WBA | Cortex-M33 + TZ | ☐ | New BLE 5.4 with TrustZone |
| STM32WL | Cortex-M4F | ☐ | Sub-GHz LoRa SoC |
| STM32N6 | Cortex-M55 | ☐ | AI flagship, external XSPI flash |
| STM32MP1 | Cortex-A7 + M4 | ☐ | Linux application processor (Cortex-A); needs U-Boot/TF-A handoff design |
| STM32MP2 | Cortex-A35 + M33 | ☐ | Linux application processor (Cortex-A); needs U-Boot/TF-A handoff design |
Unsupported chips can be added quickly, so please contact us at facts@wolfssl.com if you are interested in a specific chip.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

