I’m working on a project that uses an ARM Cortex M33 (Armv8-M) based processor with the ARM TrustZone feature. We would like to place the crypto library in the secure world but keep the TLS implementation on the non-secure side. Ideally the crypto library would be a non-secure callable service that the TLS implementation uses without ever knowing any private keys. WolfSSL has been identified as the only TLS library that fits our security needs and I’m new to it.

Based on what I’ve read in the documentation, this setup isn’t feasible with wolfSSL though. My understanding is that the WOLFSSL structure keeps track of the keys and certificates and then passes them to the crypto library. Is that accurate?

If the previous paragraph is accurate, is it possible to insert a shim between wolfSSL and the crypto calls or use a custom crypto library?

Thanks for any help anyone is able to provide!