STMicro and wolfBoot Video Series
We are excited to tell you about our partner collaboration with ST Micro! This collaboration is a video series about wolfBoot, a secure bootloader and the STM32, a family of 32-bit microcontrollers.
This is a 4 part video series showing how to use wolfBoot on various STM32 microcontrollers.
Video 1: wolfBoot for STM32, Part 1: Overview
“Overview of the wolfSSL products and the wolfBoot support for STM32 devices. The wolfBoot product features such as secure boot, measured boot, encrypted partitions and root of trust (in the bootloader, TPM or secure element). Comparison of the SBSFU, TFM and wolfBoot options for STM32 micro-controllers. Implementation details for design of wolfBoot and how the partitions are defined.”
Video 2: wolfBoot for STM32, Part 2: Getting Started
“How to download wolfBoot, where to find files and documentation. The wolfBoot product features such as secure boot, measured boot, encrypted partitions and root of trust (in the bootloader, TPM or secure element).”
Video 3: wolfBoot for STM32, Part 3: Out of the Box Experience
“How to configure, build, run, and debug wolfBoot on NUCLEO-G071RB board.”
Video 4: wolfBoot for STM32, Part 4: STM32U5
“How to configure, build, run and debug wolfBoot on STM32U5 (B-U585I-IOT02A) development board”
Please contact us at facts@wolfssl.com if you would like to receive a copy of the slides.
Additional Resources
https://www.st.com/en/embedded-software/wolfboot.html
https://www.wolfssl.com/products/wolfboot/
Please contact us at facts@wolfssl.com, or call us at +1 425 245 8247with any questions about the webinar.
For technical support, please contact support@wolfssl.com or view our FAQ page.
In the meanwhile, check out the wolfSSL embedded SSL/TLS library, star us on Github, and learn more about the latest TLS 1.3 is available in wolfSSL.
If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.
wolfEngine Works with the Final OpenSSL 1.1.1 Branch Release
As mentioned in a previous post, OpenSSL 1.1.1 branch of releases will hit End of Life (EoL) by September 11th, 2023. That’s right, it’s not a typo! It’s about 3 months away! It’s already listed as an old release branch here: https://www.openssl.org/source/old/ . Are you sure you are ready to tackle the migration to their new LTS branch of releases?
In that post (https://www.wolfssl.com/openssl-1-1-1-eol/) we listed 3 ways that wolfSSL could help. One of them was wolfEngine. You can continue using OpenSSL, but under the hood the wolfCrypt implementations of the cryptographic algorithms will be used. This might be especially useful if you are looking for an accelerated path to FIPS certification.
We have put in extra testing against 1.1.1s (which is likely to be the final release on that branch of releases) and can confirm that wolfEngine backed by wolfCrypt will work smoothly with it. Its as easy as setting the OPENSSL_CONF environment variable and adding the following to openssl.conf:
engine_id = libwolfengine dynamic_path = /path/to/libwolfengine.so init = 1
The other option is to set the OPENSSL_ENGINES environment variable to the directory containing libwolfengine.so and then calling the ENGINE_by_id() function.
And just like that, you will have meticulously optimized, well-supported, regularly updated and best-tested cryptographic implementations working for you; no changes to your code required!
Have questions? Want to learn more about your options in the face of the 1.1.1 release branch EoL? Reach out to facts@wolfssl.com, or call us at +1 425 245 8247
wolfSSL Zephyr Port Update
We have updated our Zephyr support to 3.4 for wolfSSL release 5.6.2! Zephyr is an open-source real-time operating system (RTOS). It is portable (supporting over 450 boards!) and secure with a comprehensive and lightweight kernel. All of these features make wolfSSL a great choice for security in Zephyr.
The port update comes with a set of sample applications to showcase how to use wolfSSL inside Zephyr. The available samples are:
- wolfssl_benchmark – a benchmarking framework to test the performance of cryptographic algorithms
- wolfssl_test – a testing framework with unit tests for wolfSSL
- wolfssl_tls_thread – client and server example using threading and custom I/O callbacks
- wolfssl_tls_sock – client and server example using threading and unix sockets
Instructions and documentation on how to use wolfSSL inside Zephyr are available here https://github.com/wolfSSL/wolfssl/tree/master/zephyr.
For more information on our 5.6.2 release see https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.2-stable.
If you have questions on any of the above, please contact us at facts@wolfssl.com, or call us at +1 425 245 8247
wolfSSL on the Xtensa ESP32-S3 Linux
With our ongoing development of world-class commercial-grade cryptography solutions for the Espressif products, wolfSSL is proud to announce support for the ESP32-S3 Embedded Linux Kernel!
Our very own [gojimmypi] was able to get the wolfSSL wolfcrypt tests running successfully as an app on the embedded Linux environment thanks to the work of [jcmvbkbc] on linux-xtensa. For additional details on building the ESP32-S3 Linux kernel toolchain, see: https://gojimmypi.github.io/ESP32-S3-Linux/
Linux on the tiny and inexpensive ESP32-S3 is an exciting development that opens many more ideas of what is possible for embedded solutions.
If you’d like to build your own wolfSSL app for the ESP32-S3 Linux Kernel, here’s one possible configuration:
./configure \ --host=xtensa-esp32s3-linux-uclibcfdpic \ CC=xtensa-esp32s3-linux-uclibcfdpic-gcc \ AR=xtensa-esp32s3-linux-uclibcfdpic-ar \ STRIP=xtensa-esp32s3-linux-uclibcfdpic-strip \ RANLIB=xtensa-esp32s3-linux-uclibcfdpic-ranlib \ --prefix=/mnt/s3linux/build-xtensa-2023.02-fdpic-esp32s3/target/opt \ CFLAGS="-mfdpic -mforce-l32 -DNO_WRITEV -DWOLFSSL_USER_SETTINGS" \ "-DDEBUG_WOLFSSL -DTFM_NO_ASM -DALT_ECC_SIZE" \ --disable-filesystem --disable-shared --enable-psk
This new environment for wolfSSL also prompted addition of yet another test for the best tested cryptography: a read-only filesystem const pointer test in case you forget to compile with the proper read-only flash file system directives:
CFLAGS="-mfdpic -mforce-l32 …”
The first question many people ask: How fast is wolfSSL on an embedded Linux for the ESP32-S3? Initial findings show that the wolfSSL cipher computational benchmark performance is similar between the Linux app on the ESP32-S3 kernel and the ESP32-WROOM programmed with the ESP-IDF.
See some of our other recent prior blogs on Espressif news:
There’s also support for wolfSSL on Espressif and more Espressif resources.
Do you have any questions related to using wolfSSL in your next project? Contact us at facts@wolfSSL.com, or call us at +1 425 245 8247 to learn more.
Post-Quantum Interoperability? Confirmed! (Part II)
A while back, we posted the following entry on our blog:
https://www.wolfssl.com/wolfssh-post-quantum-interoperability-confirmed/
In it, we talked about post-quantum interoperability with both the OpenQuantumSafe’s OpenSSH fork and AWS’s implementation of SSH. More recently, our friends at AWS have posted a great set of detailed instructions on how to reproduce their interoperability test results:
There, you can find instructions on how to configure AWS Transfer Family to enable hybrid post-quantum key exchange with ECDHE and Kyber. There is then a link to further instructions on how to build liboqs, wolfSSL and finally wolfSSH with the liboqs integration. Finally, there is an example command line invocation of wolfsftp that connects to AWS Transfer Family.
Our friends at AWS also go into great detail about expected output and what you can expect from wireshark if you monitor the connection.
We here at wolfSSL would like to give a big round of applause and thank our friends at AWS for posting such a great piece on their blog! If you have any further questions about how post-quantum algorithms and protocols fit into our roadmap, If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
STMicro and wolfBoot Video Series
We are excited to tell you about our partner collaboration with ST Micro! This collaboration is a video series about wolfBoot, a secure bootloader and the STM32, a family of 32-bit microcontrollers.
This is a 4 part video series showing how to use wolfBoot on various STM32 microcontrollers.
Video 1: wolfBoot for STM32, Part 1: Overview https://www.youtube.com/watch?v=9R4Gl0qrzZ0
- “Overview of the wolfSSL products and the wolfBoot support for STM32 devices. The wolfBoot product features such as secure boot, measured boot, encrypted partitions and root of trust (in the bootloader, TPM or secure element). Comparison of the SBSFU, TFM and wolfBoot options for STM32 micro-controllers. Implementation details for design of wolfBoot and how the partitions are defined.”
Video 2: wolfBoot for STM32, Part 2: Getting Started https://www.youtube.com/watch?v=e5VwYA5kknA
- “How to download wolfBoot, where to find files and documentation. The wolfBoot product features such as secure boot, measured boot, encrypted partitions and root of trust (in the bootloader, TPM or secure element).”
Video 3: wolfBoot for STM32, Part 3: Out of the Box Experience https://youtu.be/VrgooHCoUNk
- “How to configure, build, run, and debug wolfBoot on NUCLEO-G071RB board.”
Video 4: wolfBoot for STM32, Part 4: STM32U5 https://youtu.be/dzcmscEyrKM
- “How to configure, build, run and debug wolfBoot on STM32U5 (B-U585I-IOT02A) development board”
Please contact us at facts@wolfssl.com if you would like to receive a copy of the slides.
Additional Resources
Please contact us at facts@wolfssl.com or call us at +1 425 245 8247 with any questions about the webinar.
For technical support, please contact support@wolfssl.com or view our FAQ page.
In the meanwhile, check out the wolfSSL embedded SSL/TLS library, star us on Github, and learn more about the latest TLS 1.3 is available in wolfSSL.
wolfSSL RT1170 CAAM
One of the features that makes wolfSSL stand out from other SSL/TLS libraries is its wide range of support for many hardware cryptographic accelerators. In particular, wolfSSL leverages the cryptographic accelerators built into the NXP i.MX6 and i.MX8 processors. How it uses the CAAM with i.MX6 and i.MX8 is dependent on the OS being used, varying from our own drivers to making use of existing drivers. With MCUEXPRESSO the use of NXP’s CAAM driver is leveraged and expanded on.
Recently, wolfSSL added support for the NXP i.MX RT1170 processor. The i.MX RT1170 is a powerful microcontroller that is designed for use in a wide range of applications, including industrial automation and medical devices. This new port of wolfSSL to the i.MX RT1170 takes advantage of the processor’s built-in cryptographic acceleration features, using the CAAM to perform fast and secure cryptographic operations.
Overall, the addition represents a significant improvement to the wolfSSL library for users of the i.MX RT1170 processor. By taking advantage of the CAAM hardware accelerator on the i.MX RT1170, wolfSSL is able to offload cryptographic operations and make ECC operations more secure with the use of black encrypted keys, making it an ideal choice for applications that require high performance and strong security. With the continued development of these features, wolfSSL is poised to remain a leading SSL/TLS library for resource-constrained environments.
If you have questions on any of the above, please contact us at facts@wolfssl.com, or call us at +1 425 245 8247
Versal Support
Did you know that wolfSSL has been ported to and tested on Xilinx Versal hardware? There is support also in wolfSSL to make use of the Xilinx hardened crypto, enhancing both security and performance. Xilinx hardened crypto has accelerated crypto operations (SHA3-384 / AES-GCM / RSA / ECDSA) available on Ultrascale+ devices and is available for use with the latest and greatest Versal boards. wolfSSL makes these calls using the API from Xilinx’s XilSecure library (https://github.com/Xilinx/embeddedsw/tree/master/lib/sw_services/xilsecure) and with the addition of Versal there was minor changes to the existing calls to make use of the new features available (ECC / RNG / AES-GCM with AAD). When benchmarking we saw well over a Gigabyte per second with AES-GCM operations in our demo and improvements in performance of RSA, ECDSA, and SHA3-384 over software only implementations.
A previous white paper going into the setup and use of wolfSSL on older Ultrascale+ devices with Xilinx hardened crypto can be found here (https://docs.xilinx.com/v/u/en-US/wp512-accel-crypto). The support for Versal along with a README can be found in the wolfSSL bundle located in IDE/XilinxSDK/.
If you have questions on any of the above, please contact us at facts@wolfssl.com, or call us at +1 425 245 8247
Live Webinar: 2 Day wolfSSL Training Week
Would you like to learn more about how SSL/TLS work, or more about the wolfSSL lightweight SSL library? If so, wolfSSL is offering a training course on SSL/TLS and wolfSSL. The FREE 2 day (4 hours each day) wolfSSL training course covers details of SSL/TLS as well as the wolfSSL embedded SSL library. Participants will have the opportunity to learn the inner workings of the SSL/TLS protocols as well as further their knowledge of the wolfSSL embedded SSL library. Topics covered will include library design, building and getting started with wolfSSL, features, portability/customizability, certificates and keys, debugging and troubleshooting SSL, wolfSSL best practices, and details about the wolfCrypt cryptography library
Course Objectives:
Upon completion of the wolfSSL training course, attendees will:
– Achieve a basic understanding of how SSL/TLS work
– Learn the package and design of wolfSSL
– Effectively build wolfSSL for target platforms
– Learn effective wolfSSL debugging strategies
– Add wolfSSL to different client and server applications
– Learn best practices for adding wolfSSL to embedded, desktop/enterprise, or cloud applications or devices
– Develop using wolfSSL’s underlying cryptography library
As always, our webinars will include Q&A sessions throughout the webinar. Please make sure to register for both days to get full access to the course.
Watch the 2-Day wolfSSL Training videos!
If you have questions on any of the above, please contact us at facts@wolfssl.com, or call us at +1 425 245 8247
wolfSSL adds ShangMi ciphers and algorithms SM2, SM3, and SM4 to wolfCrypt
As many people know, Chinese government regulators are now mandating use of SM2, SM3 and SM4 in critical systems, including automobiles, avionics, power systems, and communication systems. Since many of our customers are multi-nationals that do business in China, they have been requesting the addition of these algorithms in wolfSSL products.
Today we are about to release our supported versions of SM2, SM3, and SM4, with the intention to release the ZUC stream cipher at some point this year to completely satisfy SM9. We are also in contact with labs regarding support of OSCCA certification at some point in the future.
This is really great news for our customers selling into Chinese markets!
For those readers considering using wolfSSL products, here’s some additional notes:
- The SM Ciphers will be fully supported in wolfSSL’s TLS 1.3 implementation.
- wolfSSH, wolfBoot and our other products will support ShangMi ciphers.
- ARM, Intel, and RiscV assembly is in the works for our SM implementations for maximum performance.
- We will continue to support bare metal for ZUC, SM2, SM3, and SM4.
- True to form, we have maximized performance and minimized size, so the ShangMi algorithms will work well for embedded systems use cases on a wide variety of microcontrollers (MCU’s). They will be available for all of the MCU silicon that we currently support, including STM32, NXP i.MX, RISC-V, Renesas RA, RX, and Synergy, Nordic NRF32, Microchip PIC32, Infineon Aurix, TI MSP, and many others.
- Our GPLv2 licensed versions of the SM ciphers will be made available on GitHub and for download.
Commercially licensed versions are available.
If you have questions about our support for the ShangMi ciphers and algorithms, please contact us at facts@wolfssl.com, or call us at +1 425 245 8247.