wolfBoot Now Supports the STM32WBA

wolfBoot, the secure bootloader from wolfSSL, has a new target: ST’s STM32WBA family of Cortex-M33 wireless microcontrollers with TrustZone and Bluetooth LE 5.4. The port has been validated on the NUCLEO-WBA55CG board (STM32WBA55CG: 1 MB flash, 128 KB SRAM).

Why the STM32WBA

The WBA family is ST’s current-generation wireless line: an Arm Cortex-M33 with TrustZone-M, Bluetooth LE 5.4, and 802.15.4 radio support, aimed at connected products that need both a long battery life and a modern security architecture. That combination is exactly where secure boot earns its keep. A connected device taking over-the-air firmware updates needs an on-chip trust anchor and rollback rules you control, not just a radio. Adding a verified-boot path to the WBA means BLE products can ship field updates without surrendering the root of trust.

Built on wolfHAL

This port runs on the wolfHAL backend rather than a chip-specific bare-metal HAL. wolfHAL is wolfSSL’s portable hardware abstraction layer, and the WBA board support pulls the flash, GPIO, and UART drivers straight from the upstream wolfHAL tree. The practical upshot: the board layer is thin, a board.c/board.h/board.mk triple under hal/boards/stm32wba55cg_nucleo/, and the heavy lifting lives in shared, reusable drivers.

What the port provides

  1. A new stm32wba target built for Cortex-M33 / ARMv8-M.
  2. Board support under hal/boards/stm32wba55cg_nucleo/ using the upstream wolfHAL flash, GPIO, and UART drivers, with no STM32Cube dependency.
  3. A linker script mapping 1 MB of flash at 0x08000000 and 128 KB of RAM.
  4. An example configuration that signs application images with ECC256 and SHA256.
  5. CI coverage, so the WBA build is checked on every change.

TrustZone support in progress

This initial port brings up verified boot on the WBA’s Cortex-M33 in a single-world configuration. Support for the chip’s TrustZone-M security extension, running wolfBoot in the secure world and handing off to a non-secure application across the secure/non-secure boundary, is in progress and will follow in a later update.

Try it

git clone https://github.com/wolfSSL/wolfBoot
cd wolfBoot
cp config/examples/stm32wba.config .config
make
STM32_Programmer_CLI -c port=swd -d factory.bin 0x08000000

Plug in a NUCLEO-WBA55CG and hit reset.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now