RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news, or sign up to receive weekly email notifications containing the latest news from wolfSSL. wolfSSL also has a support-specific blog page dedicated to answering some of the more commonly received support questions.

wolfSSL 5.8.0 Released

We are excited to announce that wolfSSL version 5.8.0 is now available. This release brings several important new features and improvements. Below are the key new additions:

New Features

  • Implemented various fixes to support building for Open Watcom, including OS/2 support and Open Watcom 1.9 compatibility (PR 8505, 8484).
  • Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488).
  • Added support for STM32WBA (PR 8550).
  • Added Extended Master Secret Generation Callback to the –enable-pkcallbacks build (PR 8303).
  • Implemented AES-CTS (–enable-aescts) in wolfCrypt (PR 8594).
  • Added support for libimobiledevice commit 860ffb (PR 8373).
  • Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD (PR 8307).
  • Added blinding option when using a Curve25519 private key by defining the macro WOLFSSL_CURVE25519_BLINDING (PR 8392).

ML-DSA and Post-Quantum Cryptography Enhancements

In line with NIST’s latest documentation, wolfSSL has updated its Dilithium implementation to ML-DSA (Module-Lattice Digital Signature Algorithm), which is fully supported in this release. Additionally, the release includes updates to further optimize ML-DSA and LMS (Leighton–Micali Signature) schemes, reducing memory usage and improving performance.

Linux Kernel Module (linuxkm) Updates

wolfSSL 5.8.0 expands support for the Linux Kernel Module (linuxkm), with several important enhancements to improve kernel-level cryptographic integration. This includes extended LKCAPI registration support for rfc4106(gcm(aes)), ctr(aes), ofb(aes), ecb(aes), and the legacy one-shot AES-GCM backend. Compatibility improvements have been added for newer kernels (?6.8), and calls to scatterwalk_map() and scatterwalk_unmap() have been updated for Linux 6.15. The release also registers ECDSA, ECDH, and RSA algorithms with the kernel crypto API and introduces safeguards for key handling, including forced zeroing of shared secrets. These changes make it possible to use more wolfSSL functionality in the kernel space.

For a full list of fixes and optimizations check out the ChangeLog.md bundled with wolfSSL. Download the latest release from the download page. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Coming Soon: tiny-curl for Zephyr RTOS

At wolfSSL, we’re excited to announce plans for a tiny-curl port tailored for Zephyr RTOS. This will bring lightweight HTTPS client capabilities to one of the most widely used real-time operating systems for embedded devices.

Stay tuned for updates as we work to integrate tiny-curl’s proven functionality into the Zephyr ecosystem.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Retrofitting Legacy Bootloaders with wolfBoot: a Modern Secure Bootloader for Embedded Systems

Introduction: Modernizing Legacy Devices with Secure Boot

Embedded developers often face the challenge of adding a secure bootloader for embedded systems to legacy hardware without overhauling the entire boot process. Many automotive and industrial devices – for example, older PowerPC-based electronic control units (ECUs) in vehicles or aging industrial controllers – still run insecure or outdated bootloaders. These legacy bootloaders may lack any firmware authentication, leaving devices vulnerable to malicious firmware replacement. Replacing them entirely can be risky and costly, especially if the existing boot code contains years’ worth of custom logic (like proprietary network protocols or special hardware init routines). Fortunately, wolfBoot provides a solution to retrofit secure boot in legacy devices without starting from scratch. In fact, many companies upgrading older products have successfully added a secure boot solution using wolfBoot while reusing their legacy software. wolfBoot’s flexibility allows it to be integrated as a static library alongside your current bootloader code, enhancing security through firmware signing and verification without requiring a full redesign. This post will explore how wolfBoot can seamlessly augment legacy boot processes – for automotive ECUs, industrial systems, and more – by acting as a drop-in secure boot component. We’ll also highlight wolfBoot’s unique features (ELF parsing, delta updates, post-quantum cryptography, TPM integration, etc.) that set it apart from typical alternatives.

Integrating wolfBoot as a Static Library in Existing Bootloaders

One of wolfBoot’s key strengths is its ability to integrate into existing bootloaders as a static library. Rather than mandating a wholesale replacement of your boot code, wolfBoot can be compiled into a single object and called from your current bootloader flow. This means you can enhance firmware signing and verification in your device’s boot process by simply invoking wolfBoot’s API, without rewriting your platform initialization, device drivers, or update logic.

wolfBoot’s library mode provides straightforward interfaces to do things like parse the firmware’s cryptographic manifest header, check version numbers for anti-rollback, and verify the integrity and authenticity of a firmware image that’s already been loaded or mapped in memory. Essentially, wolfBoot handles the security-critical steps (signature verification, hash checking, version enforcement) while your legacy bootloader can continue to do what it already does well (hardware setup, communication, firmware loading). The wolfBoot host tools for key management and firmware signing (such as the keygen and sign utilities) remain the same as those used in stand-alone wolfBoot deployments. This means you don’t have to reinvent your signing process – you can reuse the proven wolfBoot tooling to generate keys and sign firmware images offline, and then have your integrated wolfBoot code verify those images on the device. The firmware image format (with its signed manifest) stays consistent, independent of your hardware or architecture, which simplifies integration and testing.

By integrating wolfBoot’s static library, product engineers can replace a legacy bootloader in automotive ECUs or other systems incrementally. For example, if you have an existing boot flow in a car’s ECU that loads an application from flash, you can incorporate wolfBoot’s verification function right before jumping to the application. wolfBoot will check the cryptographic signature of the firmware using a public key (stored securely on the device), and only boot it if it’s authentic and not revoked. This approach drastically improves security with minimal changes to your codebase – you preserve all your custom boot logic and simply add a call to wolfBoot for the security check. As the wolfSSL team notes, starting a new bootloader from scratch is often underestimated in effort, so this augment-not-replace strategy is a huge win for development time. In short, wolfBoot’s library mode allows retrofitting a secure bootloader in legacy devices elegantly, bringing modern cryptographic boot verification to platforms that were never originally designed for it.

Use Case: Legacy Automotive and Industrial Systems

Legacy automotive and industrial systems highlight the value of wolfBoot’s flexible integration. Consider an automotive ECU built on an older PowerPC or ARM9 processor – it might be running a manufacturer-specific bootloader from decades ago. Such an ECU could be responsible for critical functions (engine control, braking, etc.) and thus a prime target for firmware tampering if left unsecured. Using wolfBoot, the development team can retrofit secure boot into this ECU without rewriting the time-tested OEM boot code. wolfBoot, compiled as a static library, can be invoked to authenticate the firmware update whenever the vehicle powers on or receives new firmware over-the-air. The ECU gains modern firmware signing and verification (e.g., ECC or RSA signatures with SHA-256 hashes) overnight, hardening it against unauthorized code. All the while, existing functionalities – whether a CAN bus bootloader protocol or a custom fail-safe routine – remain intact around the wolfBoot calls.

Similarly, in industrial IoT devices or PLCs that often have long lifecycles, wolfBoot can be integrated to replace legacy bootloaders that have no security. For instance, an industrial controller that loads its program from external flash can have wolfBoot inserted to verify that program’s signature before execution. This ensures that even if someone manages to drop in a malicious firmware, the device will reject it and prevent potentially catastrophic equipment behavior. In both automotive and industrial contexts, wolfBoot’s small footprint and quick verification (a signature check takes only a fraction of a second on typical microcontrollers) means added security doesn’t significantly delay boot time or require hardware upgrades. It’s a cost-effective path to meeting modern security standards (such as ISO 26262 in automotive or IEC 62443 in industrial control) by building on top of legacy infrastructure.

Unique Features of wolfBoot for Secure Boot Retrofits

While ease of integration is a major advantage, wolfBoot also brings a rich set of unique features that are not commonly found together in other bootloaders. These features not only solve typical secure boot needs (authenticating firmware), but also provide advanced capabilities that can future-proof your device’s update system and security architecture. Below are some of the standout features of wolfBoot and why they matter when upgrading legacy systems:

  • Delta Updates (Incremental OTA): wolfBoot supports incremental firmware updates, meaning you can apply “delta” updates that contain only the binary differences between the new firmware and the current one.

    This is extremely useful for legacy devices operating on low-bandwidth networks or with limited flash storage. Instead of transferring a full firmware image for every update, a tiny patch can be sent and applied on-device. The wolfBoot signing tool can generate a cryptographically signed patch file that the bootloader uses to reconstruct the new firmware from the old version. WolfBoot verifies the update package’s authenticity before applying the patch and then verifies the final patched firmware after applying it, ensuring end-to-end integrity. This two-step verification and the reduced update size result in faster, reliable over-the-air (OTA) updates – a major plus for legacy devices on constrained links. (For instance, industrial sensors on LPWAN networks or remote automotive ECUs can be updated without pulling them out of service for long periods.)
  • ELF Parsing and Scattered Section Support: Unlike many bootloaders that expect a flat binary, wolfBoot can directly load and authenticate ELF-format images, including those with scattered memory sections. This is particularly helpful when retrofitting systems that produce ELF firmware outputs (such as RTOS or Linux kernel images). wolfBoot’s loader understands complex image layouts – it supports booting raw binaries, Linux kernels, and even Multiboot2/ELF formatted images. As a result, you can secure a wider range of firmware types without extra post-processing. Legacy devices that have unusual memory maps or segmented firmware can still use wolfBoot for verification without repackaging everything into a single blob.
  • Hybrid Post-Quantum Cryptography (PQC) + Classic Signatures: Security longevity is a concern for any device being retrofitted now, as these devices might remain in the field for many years. wolfBoot stays ahead of the curve by supporting post-quantum signature schemes (stateful hash-based signatures like LMS/HSS and XMSS) alongside traditional algorithms. In fact, wolfBoot allows hybrid authentication, where a firmware image can be signed with both a classic algorithm (say ECDSA or RSA) and a PQC algorithm simultaneously. The bootloader will accept the image if either signature verifies. This dual-signature approach means you can deploy firmware updates that are secure against both today’s threats and future quantum attacks. It’s a rare feature that positions legacy hardware for the post-quantum era – ensuring that retrofitted ECUs or controllers aren’t the weak link a decade from now when quantum computers emerge.
  • TPM 2.0 Integration via wolfTPM (Measured Boot): wolfBoot can leverage Trusted Platform Module hardware (TPM 2.0) to enhance secure boot through measured boot and secure key storage. Through integration with the wolfTPM library, wolfBoot can utilize a TPM as a root of trust at boot time. For example, wolfBoot can extend TPM Platform Configuration Registers (PCRs) with measurements of the boot process, enabling remote attestation of exactly what firmware was booted. It can also use the TPM to seal secrets (like encryption keys) that only unseal if the correct firmware is running. This means that on devices equipped with a TPM – common in automotive gateways or high-end industrial controllers – wolfBoot can provide an even higher level of security, guaranteeing that even the bootloader itself hasn’t been tampered with. Additionally, wolfBoot’s TPM support allows storing the public keys or hash of the expected firmware in tamper-resistant hardware, preventing an attacker with physical access from altering the trust anchors. These capabilities go beyond simple signature checking, moving into the realm of hardware-based device trust, which is seldom found in off-the-shelf bootloaders. (wolfBoot inherits these capabilities from wolfCrypt and wolfTPM, so developers get the benefits without having to write any low-level TPM code themselves.)
  • Broad Platform Support and Portability: wolfBoot is designed to be highly portable and has been successfully run on an extremely wide range of hardware – from tiny Arm Cortex-M0+ microcontrollers all the way up to 64-bit x86 processors like the latest Intel platforms (e.g., Intel Raptor Lake). It has virtually no external dependencies (it doesn’t require an OS or complex runtime, just the wolfCrypt crypto library). This means whether your legacy device is a small bare-metal sensor node or a more powerful embedded Linux system, wolfBoot can likely be adapted to it. Out of the box, wolfBoot supports architectures including ARM (Cortex-M and A profiles), MIPS, RISC-V, x86, and PowerPC – covering most legacy CPU types found in automotive and industrial devices. In fact, wolfBoot’s existing hardware abstraction layer (HAL) only consists of a handful of functions (for flash read/write, booting the image, etc.), making new ports straightforward. Its minimal footprint (on the order of a few kilobytes of flash and memory) ensures it can fit in systems with tight resource constraints. This broad compatibility and light weight are critical for retrofitting; you can introduce wolfBoot into legacy designs without worrying about hardware incompatibilities or resource exhaustion. Many open-source bootloaders or OEM solutions struggle to support such diverse environments or carry OS-specific baggage – by contrast, wolfBoot’s agnostic design lets it drop in virtually anywhere.
  • Minimal External Dependencies: As noted, wolfBoot does not depend on any heavyweight frameworks or operating systems. It uses wolfSSL’s proven wolfCrypt library for cryptographic functions and otherwise runs standalone. There’s no need for libc or dynamic memory allocation (unless you choose to enable such features). For an engineer retrofitting an old system, this is a relief – you don’t have to pull in a large RTOS or file system code just to get secure boot. This also means fewer potential points of failure. wolfBoot’s slim design makes it easier to validate and certify as part of a system (which leads into its readiness for formal certification, below). The lack of external dependencies also simplifies maintenance: you only update the cryptography library (to get the latest security algorithms or patches) and wolfBoot itself when needed, without entangling other software components.
  • FIPS 140-Ready and DO-178C Certifiability: wolfBoot is built with high-assurance industries in mind. It can be compiled to use a FIPS 140-3 validated cryptographic module (wolfCrypt) for signature verification, which is crucial for government and defense applications that require FIPS-certified security. The design and development processes of wolfBoot also align with safety-critical standards. Notably, wolfSSL (the developer of wolfBoot) offers support for RTCA DO-178C DAL A certification – meaning the core cryptography and bootloader can come with the artifacts needed for avionics or other safety-critical certifications. This is a significant advantage if you plan to use wolfBoot in aerospace, automotive (ISO 26262), or industrial (IEC 61508) projects where certification is mandatory. Most open-source bootloaders were never intended for this level of compliance. In contrast, wolfBoot’s pedigree (developed by a security-focused company with certification experience) means it’s ready to be taken through rigorous certification processes. By retrofitting a legacy device with wolfBoot, you not only get a security upgrade, but you also get a path towards meeting regulatory requirements for cryptographic modules and software development standards – a key strategic consideration for product longevity and market compliance.

A Flexible, Future-Proof Secure Boot Solution

In summary, wolfBoot provides a flexible and mature secure bootloader solution for embedded systems, ideal for breathing new life into legacy bootloader environments. Its integration-as-a-library approach lets you add firmware signing and verification to existing boot processes with minimal changes, avoiding the cost and risk of a full rewrite. WolfBoot’s rich feature set – from ELF image support and reliable update/rollback mechanisms to cutting-edge crypto like post-quantum signatures and TPM-based measured boot – means you’re not just patching a hole in your legacy system, you’re uplifting it to state-of-the-art security. Importantly, wolfBoot achieves all this while remaining lightweight, hardware-agnostic, and easy to port, so it compares favorably to traditional bootloaders that might require extensive customization or lack such advanced capabilities.

By choosing wolfBoot to replace a legacy bootloader in automotive ECUs or other devices, product engineers gain a production-hardened boot security layer backed by wolfSSL’s extensive experience in embedded security (wolfSSL’s crypto is already in billions of devices). This gives confidence in the solution’s reliability and support. In practical terms, deploying wolfBoot in a legacy device means that every boot and firmware update is guarded by modern cryptography and best practices. The device will only run trusted code, mitigating the risk of bricking or malicious control – a non-negotiable requirement in today’s security-conscious landscape.

For developers, wolfBoot strikes an excellent balance between technical depth and integration simplicity. Strategically, it extends the lifespan and safety of legacy product lines, letting you retrofit secure boot in legacy devices to meet current security demands and even anticipate future ones. If you’re looking to modernize an existing embedded system’s boot process without a ground-up redesign, wolfBoot offers a proven path to achieve firmware signing and verification, robust updates, and a foundation of trust from power-on to application launch. Embracing wolfBoot is an investment in your device’s security future – ensuring that even your oldest devices can boot with the confidence of a modern, secure bootloader for embedded systems.

Learn more: You can find additional information and documentation on wolfBoot’s features and integration process on the official wolfSSL website and GitHub. With wolfBoot, retrofitting security into legacy bootloaders is no longer an uphill battle, but a straightforward enhancement to ensure your embedded devices start safe and stay secure.

If you have questions about any of the above, please contacts us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Securing UEFI with wolfSSL’s FIPS 140-3 Cryptography

One of the biggest strengths of the wolfSSL portfolio is its ability to adapt and run in the most diverse environments, whether it’s a minimal bare-metal deployment or a complex, multi-layered operating system.

This blog highlights recent improvements in the wolfSSL products regarding integration with the Unified Extensible Firmware Interface (UEFI)—the modern way to interface with hardware firmware during the initial steps after booting a machine (UEFI has replaced the legacy BIOS).

wolfSSL can already enhance UEFI firmware with component authentication and secure updates, as wolfBoot—our secure boot solution—can run as a UEFI application inside UEFI environments (Check out the build instruction).

Recently, wolfSSL has made it even simpler for other UEFI applications to access wolfSSL cryptographic services (using wolfCrypt). wolfSSL has improved its use of UEFI features, leveraging TRNG and crypto accelerators exposed by UEFI.

UEFI applications can now consume a FIPS 140-3 certified range of wolfSSL cryptographic algorithms (AES, RSA, DSA, ECDSA, SHA), key derivation functions, and secure communication protocols (D)TLS up to v1.3.

As a leader in embedded FIPS certificates, wolfSSL can assist you in the certifying of your UEFI based operating environments (OE’s) and assists you in the ACVP (Automated Cryptographic Validation Protocol).

The use cases are many: OS-agnostic secure communication, TPM attestation, disk encryption, and more.

If you are interested in using wolfSSL cryptography, wolfSSL TLS communication, any wolfSSL product inside a UEFI environment, or have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfHSM Support for Renesas RH850

We’re happy to announce that we’ve added support for Renesas RH850 in wolfHSM.

The RH850 Family of 32-bit automotive microcontrollers (MCUs) is an automotive microcontroller equipped with an integrated Hardware Security Module (HSM). It ensures fast and secure key management, cryptographic processing, and authentication at the hardware level. Designed for next-generation ECUs, it combines functional safety with advanced security.

wolfHSM is a framework that combines the cryptographic algorithms provided by the processor with software cryptographic processing by wolfCrypt, allowing you to flexibly extend the crypt algorithms as needed.

wolfSSL has now ported wolfHSM on Renesas RH850 F1KM. RH850 F1KM supports true random number generation and the AES block cryptographic algorithm on the HSM core. The wolfHSM client running on the main core requests cryptographic processing to the wolfHSM server running on the HSM core through shared memory. Random number generation and AES cryptographic processing can be offloaded to the HSM core. In addition, it is possible to delegate key generation and storage for public key cryptography algorithms to the HSM core. The generated keys are securely protected in flash managed by the HSM core.

If you are interested in porting wolfHSM to the RH850, including a sample wolfHSM server and client, or if you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfSSL Java JSSE Provider Supports DTLS 1.3

wolfSSL’s Java JSSE provider (wolfJSSE) now supports DTLS 1.3! This support includes DTLS 1.3 on both client and server side through the SSLEngine interface. This support can be found in the wolfssljni GitHub master branch, and will be included in the next stable release.

Benefits of DTLS 1.3

DTLS 1.3 (see RFC 9147) brings improved security and performance over DTLS 1.2, including:

  • Reduced handshake latency (fewer round trips)
  • Enhanced privacy (encrypted handshake messages)
  • Improved resilience against network attacks
  • Modern cryptographic algorithms

Getting Started

wolfJSSE can be built on a number of platforms, including Unix/Linux, macOS, Windows, and Android. See the wolfSSL JNI/JSSE Manual for instructions on building the library.

Example Applications

wolfJSSE includes sample DTLS 1.3 client and server applications which can be used as a reference and to try out Java DTLS 1.3 functionality. To compile the examples run:

ant examples

The example client is located in “./examples/provider/DtlsClientEngine.java” and the server is located in “./examples/provider/DtlsServerEngine.java”. Each can be run from the root “wolfssljni” directory using the wrapper scripts that share the same name. Example output should be similar to:

./examples/provider/DtlsServerEngine.sh

DTLS 1.3 Server listening on port 11113
DTLS 1.3 Server Engine created
Waiting for client connection...
Client connected from /127.0.0.1:58703
DEBUG: Sent packet with 176 bytes
DEBUG: Received packet with 383 bytes
DEBUG: Sent packet with 176 bytes
DEBUG: Sent packet with 36 bytes
DEBUG: Sent packet with 69 bytes
DEBUG: Sent packet with 721 bytes
DEBUG: Sent packet with 109 bytes
DEBUG: Sent packet with 66 bytes
DEBUG: Received packet with 908 bytes
DEBUG: Received packet with 110 bytes
DEBUG: Received packet with 66 bytes
DEBUG: Sent packet with 72 bytes
DEBUG: Sent packet with 255 bytes
DTLS handshake completed successfully
Pausing briefly before processing application data...
DEBUG: Received packet with 40 bytes
DEBUG: Received packet with 49 bytes
Received from client: Hello from DTLS 1.3 Client!
Echoing message back to client
DEBUG: Sent packet with 49 bytes
Closing connection...
Connection closed

./examples/provider/DtlsClientEngine.sh
Client socket created, connecting to localhost:11113
DTLS 1.3 Client Engine created
Starting DTLS handshake...
DEBUG: Sent packet with 310 bytes to localhost/127.0.0.1:11113
DEBUG: Received packet with 176 bytes from /127.0.0.1:11113
DEBUG: Sent packet with 383 bytes to localhost/127.0.0.1:11113
DEBUG: Received packet with 176 bytes from /127.0.0.1:11113
DEBUG: Received packet with 36 bytes from /127.0.0.1:11113
DEBUG: Received packet with 69 bytes from /127.0.0.1:11113
DEBUG: Received packet with 721 bytes from /127.0.0.1:11113
DEBUG: Received packet with 109 bytes from /127.0.0.1:11113
DEBUG: Received packet with 66 bytes from /127.0.0.1:11113
DEBUG: Sent packet with 908 bytes to localhost/127.0.0.1:11113
DEBUG: Sent packet with 110 bytes to localhost/127.0.0.1:11113
DEBUG: Sent packet with 66 bytes to localhost/127.0.0.1:11113
DEBUG: Received packet with 72 bytes from /127.0.0.1:11113
DTLS handshake completed successfully
Processing post-handshake session tickets...
Received post-handshake packet of 255 bytes, processing...
Processed post-handshake packet: OK, consumed: 255, produced: 0
Pausing briefly before sending data...
Pausing after handshake to allow connection to stabilize...
Sending application data: Hello from DTLS 1.3 Client!
DEBUG: Sent packet with 40 bytes to localhost/127.0.0.1:11113
DEBUG: Sent packet with 49 bytes to localhost/127.0.0.1:11113
Waiting for server response (allowing time for processing)...
Now attempting to receive server response...
Waiting for application data packet from server...
Received packet of 49 bytes
Raw bytes: 2F DA 82 00 2C DB B7 A5 0D 19 31 20 68 A2 0C 1C 91 75 F6 65 ...
Unwrap result: OK, consumed: 49, produced: 27
Successfully decrypted data: Hello from DTLS 1.3 Client!
Closing connection...
Connection closed

If you have questions about using DTLS 1.3 from your Java application, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Xilinx vs STM: wolfSSL Integration and Build Experience Compared

Selecting the right hardware for an embedded project can be a complex decision—but choosing a security library doesn’t have to be. wolfSSL offers broad platform support, running seamlessly on everything from bare-metal systems to full-featured operating systems. In this post, we’ll compare how wolfSSL integrates with two widely used embedded platforms: Xilinx and STM. While both are popular choices, they offer distinct differences in architecture, development tools, and integration workflows.

Platform High Level Overview

Xilinx

  • Primarily FPGA-based (Zynq, Zynq Ultrascale+, Versal)
  • Offers ARM Cortex-A cores alongside programmable logic
  • Development environment: Xilinx Vitis / Petalinux
  • OS: Often uses Linux (Yocto or Petalinux), FreeRTOS or bare-metal

STM (STMicroelectronics)

  • Microcontroller-focused (e.g., STM32 family)
  • Most are based on ARM Cortex-M cores, with some series using Cortex-A cores
  • Development environment: STM32CubeIDE, Makefiles, or bare-metal toolchains
  • OS: Often bare-metal or FreeRTOS

wolfSSL Build Process

Xilinx

  • Autotools or CMake to build wolfSSL in userspace
  • Cross-compilation with Petalinux SDK or Vitis toolchain
  • Hardware acceleration via Xilinx’s crypto engine, ARM assembly optimizations or custom logic in the PL with crypto callbacks

STM (STMicroelectronics)

  • Predefined example configuration files in wolfSSL/IDE/STM32Cube
  • Integration with STM32CubeMX-generated projects
  • Support for HAL/LL drivers, and FreeRTOS (if applicable)

Cryptographic Acceleration

Xilinx

  • Advanced FPGAs allow for hardware acceleration of cryptographic primitives
  • Can use custom IP cores or external crypto accelerators
  • wolfSSL’s ARM assembly optimizations
  • Potential for extreme performance gains, but at the cost of complexity

STM (STMicroelectronics)

  • Some STM32 parts support hardware ECC, AES, SHA, and RNG
  • wolfSSL can use these via direct calls to HAL drivers
  • Easier to configure and use but offers less flexibility compared to FPGAs and on average has a less powerful CPU
  • wolfSSL’s ARM assembly optimizations

Some Use Cases We See

  • Xilinx if:
    • You need programmable logic and customizable crypto acceleration
    • Your application runs Linux and demands high throughput
    • You have a complex security architecture
  • STM if:
    • You want quick integration for a bare-metal or FreeRTOS-based project
    • Your focus is low power and minimal footprint
    • You need an edge microcontroller

Both Xilinx and STM platforms are well-supported by wolfSSL, but the experience differs significantly. Xilinx generally offers power and flexibility—ideal for high-performance secure systems—while STM excels in simplicity and efficiency, making it perfect for lightweight, resource-constrained designs.

Whether you’re targeting a Linux-based Zynq application or a real-time STM32 sensor node, wolfSSL provides the building blocks you need to implement robust embedded security.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Secure Your Oracle Linux 8 Deployment with wolfSSL’s FIPS 140-3 Validated Module

If you’re stuck on OL8 for some reason, have no desire to migrate to OL9 or later, and still need FIPS support for OpenSSL 1.x, then we can help with our FIPS 140-3 module, which plugs into the OpenSSL 1.x engine interface.

If you have questions about FIPS, please reach out to us at fips@wolfssl.com. For any other inquiries, contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Live webinar: Open Source Secure Boot Meets Open Hardware: wolfBoot Integration with TROPIC01 Secure Element

Join us for an exciting webinar showcasing the integration of the TROPIC01 secure element with wolfBoot, bringing open source secure boot down to the hardware level.

Register Now: Open Source Secure Boot Meets Open Hardware: wolfBoot Integration with TROPIC01 Secure Element
Date: June 25th | 9 AM PT

The Tropic Square team has integrated support for the TROPIC01 secure element into wolfBoot, using it as a hardware Root-of-Trust for the secure boot process. This integration is a milestone because it extends wolfBoot’s open source transparency right down to the hardware, enabling users and security researchers to audit the entire security chain—from software to hardware.

This approach aligns with Kerckhoff’s principle, which states that a cryptosystem should remain secure even if everything about it, except the secret key, is publicly known. By opening the design and implementation, users don’t have to blindly trust that the secure element is free from vulnerabilities or backdoors.

This webinar will cover:

  • An overview of the TROPIC01 open architecture secure element and wolfBoot
  • A demo of TROPIC01 integrated into the secure boot process
  • Why “security by obscurity” fails—and how Tropic Square and wolfSSL deliver transparent, Open Source security that builds trust

Register now to learn how to build transparent, auditable, open source secure boot solutions from silicon to software.

As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfTPM Support for Das U-Boot

wolfTPM now includes support for Das U-Boot, extending TPM 2.0 access to early boot stages in secure embedded systems. This port enables direct TPM communication in U-Boot environments using software SPI and provides both native and high-level APIs for flexibility.

Key Features

  • SOFT SPI Driver
  • Full TPM 2.0 command set
  • Both native API and wrapper APIs for complex TPM operations
  • Two integration paths:
    • __linux__: Uses tpm2_linux.c to communicate via standard Linux TPM interfaces
    • __UBOOT__: Direct SPI communication via tpm_io_uboot.c

U-Boot TPM Commands

The wolftpm command interface in U-Boot offers a rich set of TPM 2.0 operations. including:

  • Basic TPM control: init, startup, self_test, info
  • PCR management: pcr_extend, pcr_read, pcr_allocate, pcr_print
  • Security features: clear, change_auth, dam_reset, dam_parameters
  • Firmware management: firmware_update, firmware_cancel
  • Capability reporting: caps, get_capability

These commands allow developers to initialize, configure, and query TPM state from within U-Boot, enabling security features even before the OS loads.

Extended Functionality

While U-Boot includes basic TPM 2.0 command support through its native library, wolfTPM extends this functionality with the ability to manage firmware updates.

Firmware Management Support

wolfTPM includes dedicated commands for managing TPM firmware, allowing users to directly perform updates and control firmware behavior from the U-Boot shell:

  • firmware_update <manifest_addr> <manifest_sz> <firmware_addr> <firmware_sz>
    Performs a full firmware update on the TPM by providing a signed manifest and firmware image.</styel=”font-family:courier>
  • firmware_cancel
    Allows users to cancel or abandon an ongoing firmware update process. 

These capabilities are not present in U-Boot’s built-in TPM stack, which lacks any mechanism for managing TPM firmware or triggering a reboot of the TPM device. With wolfTPM, developers gain direct control over the TPM lifecycle, supporting scenarios like:

  • Field upgrades of TPM firmware
  • Factory provisioning with verified firmware images
  • TPM resets and recovery via startup/shutdown sequences

By leveraging wolfTPM in U-Boot, embedded developers and security teams can take full advantage of the TPM 2.0 specification—including lifecycle and provisioning flows that go beyond what standard U-Boot TPM implementations provide.

Getting Started

For detailed build instructions, configuration options, and sample usage:

Conclusion

wolfTPM’s U-Boot support is ideal for securing early boot environments with TPM 2.0 features. With a rich command-line interface, flexible APIs, and tested support for QEMU and swtpm, it’s a robust solution for TPM integration in embedded platforms.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfTPM Support for Zephyr RTOS

wolfSSL now has support for Zephyr RTOS through a newly added wolfTPM Zephyr port. This enables easy integration of TPM 2.0 functionality in embedded projects using Zephyr, expanding the flexibility and portability of secure applications.

Below is a summary of the key features introduced in the PR#395:

Key Changes and Features

Zephyr Module Integration

wolfTPM has been added as a Zephyr module, complete with CMake and Kconfig support. This makes it simple to include TPM functionality in any Zephyr-based project using standard module inclusion through west.

Sample Applications

Two test/sample applications are included in the port:

  • wolftpm_wrap_test – tests core TPM wrapper functionality
  • wolftpm_wrap_caps – displays TPM capabilities

Both examples build and run successfully on qemu_x86, providing developers with a solid foundation to build on.

Custom Configuration Support

The module uses a user_settings.h configuration file, which can be customized or replaced as needed by developers to match project-specific requirements.

CI Integration

A new zephyr.yml GitHub CI workflow has been added to automatically build and verify the wolfTPM Zephyr samples, ensuring continued build stability and integration with upstream Zephyr changes.

Device Tree Integration

Communicating with your TPM in zephyr is as simple as setting WOLFTPM_ZEPHYR_I2C_BUS in user_settings.h to the node describing the i2c bus on your device. You can also set the speed of the i2c line with WOLFTPM_ZEPHYR_I2C_SPEED.

Getting Started

To learn more about using wolfTPM with Zephyr and how to set it up in your project, see:

Conclusion

wolfTPM now supports Zephyr RTOS, enabling robust TPM 2.0 integration in lightweight embedded systems. With CI coverage, modular design, and working samples, developers can confidently build secure applications using wolfTPM on Zephyr.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2 3 4 203 204 205

Weekly updates

Archives