wolfBoot, the secure bootloader from wolfSSL, has a new target: ST’s STM32WBA family of Cortex-M33 wireless microcontrollers with TrustZone and Bluetooth LE 5.4. The port has been validated on the NUCLEO-WBA55CG board (STM32WBA55CG: 1 MB flash, 128 KB SRAM).
Why the STM32WBA
The WBA family is ST’s current-generation wireless line: an Arm Cortex-M33 with TrustZone-M, Bluetooth LE 5.4, and 802.15.4 radio support, aimed at connected products that need both a long battery life and a modern security architecture. That combination is exactly where secure boot earns its keep. A connected device taking over-the-air firmware updates needs an on-chip trust anchor and rollback rules you control, not just a radio. Adding a verified-boot path to the WBA means BLE products can ship field updates without surrendering the root of trust.
Built on wolfHAL
This port runs on the wolfHAL backend rather than a chip-specific bare-metal HAL. wolfHAL is wolfSSL’s portable hardware abstraction layer, and the WBA board support pulls the flash, GPIO, and UART drivers straight from the upstream wolfHAL tree. The practical upshot: the board layer is thin, a board.c/board.h/board.mk triple under hal/boards/stm32wba55cg_nucleo/, and the heavy lifting lives in shared, reusable drivers.
What the port provides
- A new stm32wba target built for Cortex-M33 / ARMv8-M.
- Board support under hal/boards/stm32wba55cg_nucleo/ using the upstream wolfHAL flash, GPIO, and UART drivers, with no STM32Cube dependency.
- A linker script mapping 1 MB of flash at 0x08000000 and 128 KB of RAM.
- An example configuration that signs application images with ECC256 and SHA256.
- CI coverage, so the WBA build is checked on every change.
TrustZone support in progress
This initial port brings up verified boot on the WBA’s Cortex-M33 in a single-world configuration. Support for the chip’s TrustZone-M security extension, running wolfBoot in the secure world and handing off to a non-secure application across the secure/non-secure boundary, is in progress and will follow in a later update.
Try it
git clone https://github.com/wolfSSL/wolfBoot cd wolfBoot cp config/examples/stm32wba.config .config make STM32_Programmer_CLI -c port=swd -d factory.bin 0x08000000
Plug in a NUCLEO-WBA55CG and hit reset.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now

