wolfHSM Image Manager

wolfSSL is pleased to introduce the wolfHSM Image Manager, a new module for authenticated firmware verification in automotive and industrial systems. It provides a flexible, callback-based architecture for cryptographically verifying firmware before execution, complementing wolfBoot to form a secure chain of trust anchored in HSM hardware.

Features

  • Hardware-backed verification: All cryptographic operations use HSM-protected keys
  • Multiple verification methods: Supports ECC, RSA, and AES-128 CMAC
  • Flexible architecture: Customizable verification and post-verification actions via callbacks

Purpose

The Image Manager allows the wolfHSM server to verify firmware images—typically for application cores that act as wolfHSM clients—and invoke user-defined actions based on verification results. It extends the HSM chain of trust to client core bootloaders once the wolfHSM server has been securely started by wolfBoot.

Use Case: Multi-Stage Chain of Trust for Application Cores

The wolfHSM server uses the image manager to perform a lightweight authentication of each client image before releasing the corresponding CPU core—without handling firmware updates (that’s wolfBoot’s job).

Typically, the HSM core boots first and uses wolfBoot to verify the wolfHSM server application. The server then uses the Image Manager to perform quick integrity and signature checks on each client’s image (often the client’s own wolfBoot). Once released, wolfBoot on each application core performs full image verification and update management, relying on wolfHSM for secure key storage and cryptographic operations.

How It Works

The Image Manager follows a simple, callback-based design.

1. Configuration

Enable the Image Manager by defining:

#define WOLFHSM_CFG_SERVER_IMG_MGR

in your wolfhsm_cfg.h file.
You can set the maximum number of managed images with:

#define WOLFHSM_CFG_SERVER_IMG_MGR_MAX_IMG_COUNT 

Then you can define images and their verification parameters:

whServerImgMgrImg images[] = {
    {
        .addr = FIRMWARE_BASE_ADDR,        /* start of the image in memory */
        .size = FIRMWARE_SIZE,             /* image length in bytes */
        .keyId = VERIFY_KEY_ID,            /* HSM key used to verify the image */
        .sigNvmId = SIGNATURE_NVM_ID,      /* NVM object holding the signature/tag */
        .verifyMethod = wh_Server_ImgMgrVerifyMethodEccWithSha256,
        .verifyAction = wh_Server_ImgMgrVerifyActionDefault
    }
};

2. Initialization

Initialize the Image Manager with your configuration:

whServerImgMgrConfig config = {
    .images = images,        /* image table defined above */
    .imageCount = 1,         /* number of entries in images[] */
    .server = serverContext  /* wolfHSM server context that owns the keys */
};
wh_Server_ImgMgrInit(&imgMgrContext, &config);

3. Verification

Run verification on all registered images or individual ones:

// Verify all images
wh_Server_ImgMgrVerifyAll(&imgMgrContext, results, resultCount, &errorIdx);

// Or verify a specific image
wh_Server_ImgMgrVerifyImgIdx(&imgMgrContext, 0, &result);

Built-in Verification Methods

The Image Manager includes three ready-to-use verification methods:

  • wh_Server_ImgMgrVerifyMethodEccWithSha256 – ECC P-256 with SHA-256
  • wh_Server_ImgMgrVerifyMethodRsaSslWithSha256 – RSA-2048 with SHA-256
  • wh_Server_ImgMgrVerifyMethodAesCmac – AES-128 CMAC authentication

All methods use wolfCrypt’s cryptographic primitives, with key material securely stored in the HSM.

Custom Verification Actions

Custom post-verification behavior can be defined through the verifyAction callback. This enables:

  • Conditional firmware activation or core release
  • Security logging and audit trails
  • Integration with bootloader state machines
  • Custom failure-handling policies
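To show how the callback design described above fits together, here is an added, self-contained C example that is not wolfHSM code: it models the image table, a custom verifyAction that releases a client core only on a passing result and counts failures for the audit log, and a VerifyAll-style loop that stops at the first failing image and reports its index. The type shapes, callback signatures and the toy tag check are assumptions standing in for the real wolfHSM API and its ECC/RSA/CMAC methods.

```c
#include <stdint.h>
#include <stddef.h>
/* Stand-ins for wolfHSM's image/context types: assumed shapes, not the real API. */
struct ImgMgrCtx;
typedef int (*VerifyMethod)(struct ImgMgrCtx*, const uint8_t*, size_t, const uint8_t*);
typedef int (*VerifyAction)(struct ImgMgrCtx*, unsigned, int);
typedef struct {
    const uint8_t* addr; size_t size;   /* image start and length (page: .addr/.size) */
    const uint8_t* sig;                 /* tag read from NVM (page: .sigNvmId) */
    VerifyMethod verifyMethod; VerifyAction verifyAction;
} Img;
typedef struct ImgMgrCtx {
    const Img* images; unsigned imageCount;
    uint32_t releasedMask;              /* bit i set once client core i was released */
    unsigned failures;                  /* audit counter for the security log */
} ImgMgrCtx;
/* Toy tag standing in for the HSM's ECC/RSA/CMAC method; NOT a cryptographic MAC. */
static uint8_t toyTag(const uint8_t* img, size_t sz) {
    uint8_t t = 0x5A; for (size_t i = 0; i < sz; i++) t = (uint8_t)(t * 31u + img[i]);
    return t;
}
static int toyTagVerify(ImgMgrCtx* c, const uint8_t* img, size_t sz, const uint8_t* sig) {
    (void)c; return toyTag(img, sz) == sig[0] ? 0 : -1;
}
/* Custom verifyAction: fail closed, release the core only on a passing result. */
static int releaseOnSuccess(ImgMgrCtx* c, unsigned idx, int rc) {
    if (rc != 0) { c->failures++; return rc; }   /* record failure, never release */
    c->releasedMask |= (1u << idx);
    return 0;
}
/* VerifyAll-style loop: method then action per image, stop at the first failure. */
static int verifyAll(ImgMgrCtx* c, int* results, unsigned* errorIdx) {
    for (unsigned i = 0; i < c->imageCount; i++) {
        const Img* im = &c->images[i];
        results[i] = im->verifyMethod(c, im->addr, im->size, im->sig);
        if (im->verifyAction(c, i, results[i]) != 0) { *errorIdx = i; return -1; }
    }
    return 0;
}
/* Two constructed images, image 1 optionally tampered after tagging; returns the
   failing index (or -1 if all passed) and writes the core release mask to *released. */
int runDemo(int tamperSecond, uint32_t* released) {
    uint8_t imgA[4] = {1, 2, 3, 4}, imgB[4] = {9, 8, 7, 6};
    uint8_t sigA[1] = {toyTag(imgA, 4)}, sigB[1] = {toyTag(imgB, 4)};
    if (tamperSecond) imgB[2] ^= 0xFF;
    Img imgs[2] = {{imgA, 4, sigA, toyTagVerify, releaseOnSuccess},
                   {imgB, 4, sigB, toyTagVerify, releaseOnSuccess}};
    ImgMgrCtx ctx = {imgs, 2, 0, 0}; int results[2]; unsigned errorIdx = 0;
    int rc = verifyAll(&ctx, results, &errorIdx);
    *released = ctx.releasedMask; return rc == 0 ? -1 : (int)errorIdx;
}
```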

The Image Manager is available in wolfHSM v1.3.0 and later.

For detailed API documentation, integration examples, or technical support, contact facts@wolfssl.com or call +1 425 245 8247.