STM32 bare-metal crypto port (HASH / AES / PKA / RNG, DHUK, CCB) #10395
dgarske wants to merge 6 commits into
Pull request overview
This PR introduces a new STM32 “bare-metal” crypto port flavor (WOLFSSL_STM32_BARE) that uses CMSIS device-header register access (no HAL/StdPeriph dependency) and wires it into wolfCrypt’s AES/HASH/RNG paths, plus a direct-register PKA implementation used by the existing STM32 PKA integration.
Changes:
- Add `WOLFSSL_STM32_BARE` selection in settings to include only CMSIS device headers and auto-enable the no-lib RNG path.
- Add per-family bare-metal clock-enable macros and HAL/PKA stand-in types to support a direct-register PKA driver.
- Add bare-metal AES (CRYP + TinyAES), HASH clock enable override, and bare PKA shims/driver, plus AES dispatcher updates in `aes.c` and RNG clock-enable macro use in `random.c`.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/settings.h | Adds WOLFSSL_STM32_BARE selection, CMSIS header includes, and mutual exclusion with CubeMX. |
| wolfssl/wolfcrypt/port/st/stm32.h | Adds BARE clock-enable macros, HASH ALGO defines for new IP, and PKA stand-in types. |
| wolfcrypt/src/port/st/stm32.c | Implements bare-metal AES (CRYP/TinyAES), HASH clock enable override, and bare-metal PKA shims/driver. |
| wolfcrypt/src/aes.c | Routes ECB/CBC/CTR and GCM-encrypt through the BARE STM32 implementation with SW fallback behavior. |
| wolfcrypt/src/random.c | Uses a per-family RNG clock-enable macro (for BARE) instead of a fixed RCC register bit. |
| wolfcrypt/src/ecc.c | Adjusts STM32 PKA guards so BARE uses SW ECDSA paths while still leveraging HW scalar mul. |
Note #10307 seems to have broken AES CBC on STM32... I will put the fix into my new wolfSSL/wolfssl-examples-stm32#13
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
wolfcrypt/src/port/st/stm32.c:1
- After `wc_Stm32_Aes_DhukOp()` completes, the unwrapped key remains resident in SAES key registers (KEYR) until overwritten by a later operation. If the platform threat model includes debug/privileged register reads or post-operation key scraping, consider explicitly clearing KEYR/CR state (or triggering any available peripheral key/CCF/error clear mechanism) before releasing the mutex. This is especially relevant because DHUK is explicitly about protecting keys at rest/in RAM.
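A host-side C model of the ordering that comment asks for, added here as an illustration and not code from the PR or from wolfSSL: the key words are scrubbed on both the success and the error path, and the lock is released only afterwards. `mock_saes_t`, `mock_dhuk_op`, `MOCK_CR_EN` and the register layout are hypothetical stand-ins, not the real SAES register map; how key state is cleared on real silicon is device-specific and not shown.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a key-register bank. NOT the real SAES register
 * map; on a target this would be the CMSIS peripheral struct. */
typedef struct {
    volatile uint32_t CR;
    volatile uint32_t KEYR[8];
} mock_saes_t;
#define MOCK_CR_EN 0x1u

static mock_saes_t g_saes; /* models the memory-mapped engine */
static int g_locked;       /* models the mutex guarding the engine */
static const uint32_t SAMPLE_KEY[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */

/* Disable the engine, then overwrite every key word. The fields are
 * volatile, so the compiler cannot drop the stores as dead writes. */
static void mock_saes_scrub(mock_saes_t* hw)
{
    size_t i;
    hw->CR &= ~MOCK_CR_EN;
    for (i = 0; i < 8; i++)
        hw->KEYR[i] = 0;
}

/* What the next owner of the engine could read: 1 if key words remain. */
static int mock_saes_key_resident(const mock_saes_t* hw)
{
    uint32_t acc = 0;
    size_t i;
    for (i = 0; i < 8; i++)
        acc |= hw->KEYR[i];
    return acc != 0;
}

/* One key-using operation; fail != 0 simulates an error after key load. */
static int mock_dhuk_op(const uint32_t key[8], int fail)
{
    size_t i;
    if (g_locked) return -1;          /* engine busy */
    g_locked = 1;
    for (i = 0; i < 8; i++)
        g_saes.KEYR[i] = key[i];
    g_saes.CR |= MOCK_CR_EN;
    /* data processing would run here unless the operation failed */
    mock_saes_scrub(&g_saes);         /* same cleanup on success and error */
    g_locked = 0;                     /* release only after the scrub */
    return fail ? -2 : 0;
}
```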
Jenkins retest this please
retest this please
- Wrap source lines >80 cols added by the STM32 bare/DHUK/CCB port: reformat the P-256 CCB curve constants to 8 bytes/line, break long SAES/PKA register writes and pka_read_be calls, and rewrap doxygen and in-code comments (port/st/stm32.c + stm32.h, aes.c, ecc.c, random.c, doc/dox_comments/header_files/stm32.h).
- .wolfssl_known_macro_extras: add AES_CR_CPHASE, RCC_AHB2ENR_CCBEN, and WOLFSSL_STM32_RNG_LEGACY_FAILFAST; drop the now-recognized WOLFSSL_STM32_CCB.
Jenkins retest this please: "Build PRB-valgrind-check-v3 #12810 completed: FAILURE"
| #if defined(WOLFSSL_DHUK) && \ | ||
| (defined(WOLFSSL_STM32U5) || defined(WOLFSSL_STM32U3) || \ | ||
| defined(WOLFSSL_STM32H5) || defined(WOLFSSL_STM32WBA) || \ | ||
| defined(WOLFSSL_STM32C5) || defined(WOLFSSL_STM32H7S)) | ||
| #define WC_STM32_HAS_DHUK | ||
| #endif |
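Review bot: With `WOLFSSL_DHUK` defined on a family outside this list, `WC_STM32_HAS_DHUK` is simply left undefined and nothing in these lines reports it, so a build that asked for device-bound keys can compile without them. Consider an `#elif defined(WOLFSSL_DHUK)` branch with an `#error` (or at least a `#warning`) naming the supported families, unless that combination is already rejected elsewhere.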
| ForceZero(d, MAX_ECC_BYTES); | ||
| if (tmpInit) { | ||
| wc_ecc_free(tmp); | ||
| } | ||
| #ifdef WOLFSSL_SMALL_STACK | ||
| XFREE(scratch, key->heap, DYNAMIC_TYPE_TMP_BUFFER); | ||
| XFREE(tmp, key->heap, DYNAMIC_TYPE_ECC); | ||
| #endif | ||
| return ret; |
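Review bot: In this cleanup path `d` is wiped with `ForceZero`, but `scratch` goes straight to `XFREE` under `WOLFSSL_SMALL_STACK` and is not wiped anywhere in the visible lines. If `scratch` can hold the scalar or values derived from it, add a `ForceZero` on it next to the one for `d`, ahead of the `#ifdef`, so the non-small-stack build is covered as well.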
|
|
||
| - Validated on STM32U385 (NUCLEO-U385RG-Q, TZEN=0), P-256, on both the bare-metal and CubeMX/HAL build paths: `wc_ecc_make_key` -> `wc_ecc_sign_hash` -> `wc_ecc_verify_hash` round-trips, with the private scalar never present in software. | ||
| - Also validated on STM32C5 (NUCLEO-C5A3ZG, TZEN=0), P-256, bare-metal: the same `wc_ecc_make_key` -> `wc_ecc_sign_hash` -> `wc_ecc_verify_hash` flow plus a persisted-blob re-import (`wc_ecc_import_wrapped_private_ex`) round-trip, all on the CCB hardware. On STM32C5 the blob-create step is a combined create-and-sign: the C5 OPSTEP machine only advances through the GCM-final phase when the random k is drawn and the PKA sign is started during creation (the r,s are a by-product and discarded). That extra sequence is gated by `WOLFSSL_STM32C5` in the bare driver; the U3 OPSTEP machine does not require it. | ||
| - `Stm32Ccb_Init()` pulse-resets the PKA / SAES / RNG before each operation, so the first CCB op is robust even when prior standalone crypto (RNG seeding, ECC keygen) left an engine in a state that would otherwise stall the CCB's chained SAES GCM step. The family-specific reset register name is abstracted (`WC_STM32_CCB_RSTR`). |
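Review bot: The `Stm32Ccb_Init()` bullet says PKA / SAES / RNG are pulse-reset before each operation but does not say what that means for other users of those engines. Please document whether the reset happens with the port's mutex held and whether standalone AES, ECC or RNG work in another context must be serialized against CCB operations, since a reset in the middle of that work would abort it. The two validation bullets also mention TZEN=0 only; if TZEN=1 is untested, state that here.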
| The caller is responsible for: | ||
|
|
||
| 1. Clock-tree bring-up (HSI/HSE, PLL, voltage scaling, flash latency). | ||
| 2. UART / VCP bring-up for stdout. | ||
| 3. Peripheral clock-enable for the IP blocks you use (RNG, CRYP/SAES, HASH, PKA). |
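Review bot: Item 3 makes the caller responsible for peripheral clock-enable, while the port itself carries per-family clock-enable macros such as `WC_STM32_RNG_CLK_ENABLE` for `WOLFSSL_STM32_BARE` builds. State which applies: if the driver enables the clocks, drop or narrow item 3; if the caller must still do it for some blocks, list exactly which. The parenthesized list also leaves out CCB, which has its own enable bit (`RCC_AHB2ENR_CCBEN`) according to the macro-extras commit.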
| /* Generate a RNG seed using the hardware random number generator | ||
| * on the STM32F2/F4/F7/L4. */ | ||
| #include <wolfssl/wolfcrypt/port/st/stm32.h> | ||
| /* Pulls in WC_STM32_RNG_CLK_ENABLE for WOLFSSL_STM32_BARE builds */ |
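Review bot: The comment at the top of these lines still names only STM32F2/F4/F7/L4, although the `#include` below it exists to serve `WOLFSSL_STM32_BARE` builds on other families; update the family list so it does not mislead. As shown, the `#include` of `stm32.h` also sits between that descriptive comment and the code it describes; consider moving it to the file's include block, under the same guard as the code that uses `WC_STM32_RNG_CLK_ENABLE`.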
Adds a direct-register STM32 hardware-crypto integration that needs zero HAL or StdPeriphLib, for wolfBoot / no-OS / FreeRTOS / TrustZone-NS use. Builds and is validated across ~27 STM32 families. Layered as the bare IP drivers, DHUK device-bound keys, and CCB hardware-protected ECDSA.
Features
- `WOLFSSL_STM32_BARE`): direct-register AES (TinyAES / CRYP / SAES), HASH (classic and new-gen IP), RNG, and PKA (V1 and V2 layouts: ECDSA sign/verify and ECC scalar-mul). The same code drives both the bare path and the CubeMX/HAL path. On STM32C5, whose PKA exposes only the side-channel-protected ECC modes, ECDSA sign runs in hardware and verify in software.
- `devId` to it, and run normal AES / GMAC / ECDSA - the working key is derived inside SAES and never enters software.
- `wc_ecc_make_key` to provision, `wc_ecc_sign_hash` to sign) - no CCB-specific public API; both bare and CubeMX/HAL backends.

New build options
- `WOLFSSL_STM32_BARE` - bare-metal direct-register path (vs `WOLFSSL_STM32_CUBEMX`).
- `STM32_CRYPTO`, `STM32_HASH`, `STM32_RNG`, `WOLFSSL_STM32_PKA` (+ `WC_STM32_PKA_VERIFY_ONLY` / `WC_STM32_PKA_SIGN_ONLY` for verify-only or sign-only parts such as STM32C5), `WOLFSSL_STM32_USE_SAES`.
- `WOLFSSL_DHUK` + `WOLF_CRYPTO_CB` - DHUK crypto-callback device (`WOLFSSL_STM32_DHUK_UNWRAP` for the optional exact-key import).
- `WOLFSSL_STM32_CCB` - CCB-protected ECDSA (requires DHUK + crypto-cb, STM32U3 or STM32C5 silicon).
- `WOLFSSL_STM32U3`, `WOLFSSL_STM32C5`, ...) select register layouts.

Testing performed
- `STM32_Bare_Test` harness (`wolfcrypt_test` + benchmark), covering ~27 STM32 families: F2/F3/F4/F7, G0/G4, H5/H7/H7RS, L4/L5, U0/U3/U5, WB/WBA/WL, C0/C5, N6, and more. Latest sweep: all attached boards PASS.
- `wc_ecc_make_key` -> `wc_ecc_sign_hash` -> `wc_ecc_verify_hash`, scalar never in software.
- `check-source-text` clean.

Known limitations / follow-up
Reference
Per-board chip-support matrix, build sizes, and benchmarks (companion examples branch): https://github.com/dgarske/wolfssl-examples-stm32/blob/stm32_bare/STM32_Bare_Test/README.md