wolfBoot Secure Bootloader

wolfBoot is a portable, OS-agnostic, secure bootloader for 32-bit microcontrollers. It relies on wolfCrypt for firmware authentication and provides firmware update mechanisms.

Due to the minimalist design of the bootloader and the tiny HAL API, wolfBoot is completely independent from any OS or bare-metal application, and can be easily ported and integrated in existing embedded software projects to provide a secure firmware update mechanism.

wolfBoot supports multiple keystores and/or hardware-based public-key accelerators, such as Freescale-LTE and STM32-PKA. TPM-2.0 support is provided through the integration with wolfTPM.

wolfBoot does not enforce any specific key provisioning scheme. In the simplest case, you create a private key and use it to sign authentic updates for your target. For this reason, it can be integrated with any provisioning system that supports the same algorithms.

Download Now

Get the latest open source GPLv2 version now!

Version: 1.5
Release Date: 04/28/2020

Highlights

  • Multi-slot partitioning of the flash device
  • Integrity verification of the firmware image(s) using SHA2 or SHA3
  • Authenticity verification of the firmware image(s) using wolfCrypt's digital signature algorithms (ECDSA SECP256R1, Ed25519, RSA 2048/4096)
  • Anti-rollback protection (via version numbering)
  • Hardware-assisted dual-bank swapping
  • Support for secure keystores, OTP memory, TPM 2.0

Portable

  • Supports multiple architectures (ARM, RISC-V)
  • Minimalist design
  • Tiny HAL API
  • OS-independent

Platform and Language Support

Due to its OS agnosticism, wolfBoot is easily ported and integrated in existing embedded software projects. However, some example platforms have been specifically tested and certain targets are supported, including the following:

  • STM32-F407
  • STM32L0x3
  • STM32G0x0/STM32G0x1
  • STM32WB55
  • SiFive HiFive1 RISC-V
  • STM32-F769
  • STM32H7
  • LPC54606
  • Cortex-A53 / Raspberry Pi 3
  • Xilinx Zynq UltraScale+ (Aarch64)

Python and C Key Tools

wolfBoot includes key generation and image signing tools. These tools generate the private/public key pair and attach the required manifest header, which contains the signature of the bootable image. The image they produce complies with the firmware image format required by the bootloader and contains the signature used to authenticate the firmware. Versions of these tools are available in both Python and C.

wolfBoot Examples

wolfSSL maintains a set of wolfBoot examples on GitHub to help you get started quickly and see how wolfBoot works.

Features

  • Multi-slot partitioning of the flash device
  • Integrity verification of the firmware image(s)
  • Authenticity verification of the firmware image(s) using wolfCrypt's digital signature algorithms (ECDSA SECP256R1/Ed25519/RSA 2048/4096) and hash algorithms (SHA-256, SHA-3-384)
  • Minimalist hardware abstraction layer (HAL) interface to facilitate portability across different vendors/MCUs
  • Copy/swap images from secondary slots into the primary slots to enable firmware update operations
  • In-place chain-loading of the firmware image in the primary slot
  • Able to leverage existing TPM 2.0 modules
    • Tested on STM32 with Infineon 9670
  • Support for external (e.g. SPI) flash for update/swap
  • Anti-rollback protection via version number
  • Support for updating the bootloader itself
  • Support for hardware-assisted signature verification:
    • STM32 PKA (e.g. STM32WB55)
    • Kinetis/Freescale PKHA (e.g. Kinetis K82F)
  • Contains key tools and image signing tools written in Python and C
  • Includes wolfBoot test applications
  • Secure key stores
  • TPM 2.0 support

Supported Chipmakers

Currently, wolfBoot supports the targets listed above. More will be added in the future; please contact us if there are specific mechanisms you would like to see supported.