wolfSSL Renesas TSIP Support

The wolfSSL embedded SSL/TLS library supports the Renesas Trusted Secure IP Driver (TSIP) and has been tested on the Renesas RX65N platform.  Using the TSIP driver, wolfSSL can offload supported cryptographic and TLS operations to the underlying Renesas hardware for increased performance.

Supported TSIP Capabilities

wolfSSL has been integrated with the following TSIP capabilities:

  • TSIP driver open/close
  • Random number generation, tested with SP 800-22
  • SHA-1 and SHA-256 hash function support
  • AES-128-CBC and AES-256-CBC support
  • TLS capabilities including:
    • Root CA verification
    • Client and/or Server certificate verification including intermediate certificate verification
    • Support for four TLS cipher suites:
      • TLS_RSA_WITH_AES_128_CBC_SHA
      • TLS_RSA_WITH_AES_128_CBC_SHA256
      • TLS_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_AES_256_CBC_SHA256
FunctionTSIP API
TSIP driver open/closeR_TSIP_Open
R_TSIP_Close
Random Number GenerationR_TSIP_GenerateRandomNumber
SHA-1 and SHA-256R_TSIP_Sha1/256Init
R_TSIP_Sha1/256Update
R_TSIP_Sha1/256Final
AES-128-CBC and AES-256-CBCR_TSIP_Aes128/256CbcEncryptInit
R_TSIP_Aes128/256CbcEncryptUpdate
R_TSIP_Aes128/256CbcEncryptFinal
R_TSIP_Aes128/256CbcDecryptInit
R_TSIP_Aes128/256CbcDecryptUpdate
R_TSIP_Aes128/256CbcDecryptFinal
Root CA VerificationR_TSIP_GenerateTlsRsaPublicKeyIndex
R_TSIP_TlsRootCertificateVerification
Client or Server Certificate VerificationR_TSIP_TlsCertificateVerification
TLS cipher suite support including AES-128-CBC, AES-256-CBCR_TSIP_TlsGeneratePreMasterSecret
R_TSIP_TlsEncryptPreMasterSecret
R_TSIP_TlsGenerateMasterSecret
R_TSIP_TlsGenerateSessionKey
R_TSIP_TlsGenerateVerifyData
R_TSIP_Sha1/256HmacVerifyInit
R_TSIP_Sha1/256HmacVerifyUpdate
R_TSIP_Sha1HmacVerifyFinal

The Renesas TSIP driver is outside the scope of the wolfSSL package download and needs to be obtained externally from Renesas.

Building wolfSSL with RX65N and TSIP Support

Support for Renesas RX65N and TSIP can be enabled at compile-time in wolfSSL by defining one or both of the following defines:

WOLFSSL_RENESAS_TSIP - enables Renesas TSIP support

WOLFSSL_RENESAS_RX65N - enables support for Renesas RX65N

wolfSSL TSIP Benchmarks

The following benchmarks show the performance improvement when using hardware cryptography on the Renesas RX65N through the Renesas TSIP driver.

AlgorithmSoftware CryptoTSIP Accelerated Crypto
RNG231.160 KB/s1.423 MB/s
SHA1.239 MB/s22.254 MB/s
SHA-256515.565 KB/s25.217 MB/s
Cipher SuiteSoftware Crypto (sec)TSIP Accelerated Crypto (sec)
TLS_RSA_WITH_AES_128_CBC_SHA0.3810.028
TLS_RSA_WITH_AES_128_CBC_SHA2560.3830.028
TLS_RSA_WITH_AES_256_CBC_SHA0.3820.030
TLS_RSA_WITH_AES_256_CBC_SHA2560.3850.029

Limitations of TSIP with wolfSSL

The following limitations exist when using wolfSSL with Renesas TSIP:

  • TSIP TLS capabilities are fully available only when using one of the TSIP-supported cipher suites.  These cipher suites include:
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA256
  • The TSIP TLS capabilities support generation of the normal TLS master secret, but do not support the TLS Extended Master Secret Extension.  TSIP TLS is not available when Extended Master Secret is used.
  • The TSIP TLS certificate verification capability is only available when verifying a certificate signed by "RSA 2048 PSS with SHA-256".
  • The TSIP TLS capability, common cryptography, is available on client-side only.  Server-side is not currently supported by the TSIP driver.
  • TSIP uses one root CA certificate bundle signature signed by RSA-2048-PSS with SHA-256 available at runtime. When using a different root CA for TSIP TLS capabilities, applications need to call wolfCrypt_Init() to reset the TSIP driver state, then inform TSIP of a new signature and key through the tsip_inform_cert_sign() and tsip_inform_user_keys() APIs.

References

TSIP (Trusted Secure IP) Module Firmware Integration Technology APPLICATION NOTE Rev. 1.06

TSIP Product Page

Support

More information on using wolfSSL in combination with Renesas and wolfSSL's support for Renesas can be found here: https://www.wolfssl.com/docs/renesas/

For support and more information about wolfSSL TSIP support, please contact the wolfSSL support team at support@wolfssl.com.