Topic: Separating Crypto into the secure memory with ARM TrustZone

I’m working on a project that uses an ARM Cortex M33 (Armv8-M) based processor with the ARM TrustZone feature. We would like to place the crypto library in the secure world but keep the TLS implementation on the non-secure side. Ideally the crypto library would a non-secure callable service that TLS implementation uses without ever knowing any private keys. WolfSSL has been identified as the only TLS library that fits our security needs and I’m new to it.

Based on what I’ve read in the documentation, this setup isn’t feasible with wolfSSL though. My understanding is that the WOLFSSL structure keeps track of the keys and certificates and then passes them to the crypto library. Is that accurate?

If the previous paragraph is accurate, is it possible to insert a shim between wolfSSL and the crypto calls or use a custom crypto library?

Thanks for any help anyone is able to provide!

Share

Re: Separating Crypto into the secure memory with ARM TrustZone

Hello Jon,

Thanks for joining the wolfSSL Forums. This is not currently supported, but we could achieve this type of separation using the crypto callbacks feature. We would like to discuss this in more detail with you. Could you please send us an email to facts@wolfssl.com ?

https://github.com/wolfSSL/wolfssl-exam … cryptocb.c

Thanks,
Eric @wolfSSL Support