STM32 bare-metal crypto port and DHUK support #10395
Pull request overview
This PR introduces a new STM32 “bare-metal” crypto port flavor (WOLFSSL_STM32_BARE) that uses CMSIS device-header register access (no HAL/StdPeriph dependency) and wires it into wolfCrypt’s AES/HASH/RNG paths, plus a direct-register PKA implementation used by the existing STM32 PKA integration.
Changes:
- Add WOLFSSL_STM32_BARE selection in settings to include only CMSIS device headers and auto-enable the no-lib RNG path.
- Add per-family bare-metal clock-enable macros and HAL/PKA stand-in types to support a direct-register PKA driver.
- Add bare-metal AES (CRYP + TinyAES), HASH clock enable override, and bare PKA shims/driver, plus AES dispatcher updates in aes.c and RNG clock-enable macro use in random.c.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/settings.h | Adds WOLFSSL_STM32_BARE selection, CMSIS header includes, and mutual exclusion with CubeMX. |
| wolfssl/wolfcrypt/port/st/stm32.h | Adds BARE clock-enable macros, HASH ALGO defines for new IP, and PKA stand-in types. |
| wolfcrypt/src/port/st/stm32.c | Implements bare-metal AES (CRYP/TinyAES), HASH clock enable override, and bare-metal PKA shims/driver. |
| wolfcrypt/src/aes.c | Routes ECB/CBC/CTR and GCM-encrypt through the BARE STM32 implementation with SW fallback behavior. |
| wolfcrypt/src/random.c | Uses a per-family RNG clock-enable macro (for BARE) instead of a fixed RCC register bit. |
| wolfcrypt/src/ecc.c | Adjusts STM32 PKA guards so BARE uses SW ECDSA paths while still leveraging HW scalar mul. |
Note #10307 seems to have broken AES CBC on STM32... I will put the fix into my new wolfSSL/wolfssl-examples-stm32#13
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
wolfcrypt/src/port/st/stm32.c:1
- After wc_Stm32_Aes_DhukOp() completes, the unwrapped key remains resident in SAES key registers (KEYR) until overwritten by a later operation. If the platform threat model includes debug/privileged register reads or post-operation key scraping, consider explicitly clearing KEYR/CR state (or triggering any available peripheral key/CCF/error clear mechanism) before releasing the mutex. This is especially relevant because DHUK is explicitly about protecting keys at rest/in RAM.
Jenkins retest this please
Direct-register BARE path (WOLFSSL_STM32_BARE) alongside the CubeMX HAL integration: HASH, TinyAES/CRYP AES, V1/V2 PKA, RNG and SAES instance routing across the STM32 family. No DHUK in this commit.
Transparent DHUK on SAES+DHUK families (WC_STM32_HAS_DHUK): enable by setting an Aes/ecc_key devId to the registered STM32 crypto-callback device (wc_Stm32_DhukRegister), supply the 256-bit seed as the key (wc_AesGcmSetKey) or via wc_ecc_import_wrapped_private. Requires WOLF_CRYPTO_CB. The derived key never enters software.
Adds a new WOLFSSL_STM32_BARE build flag that enables direct-register access to the STM32 crypto, hash, RNG and PKA peripherals using only CMSIS (no CubeMX HAL, no Standard Peripheral Library). Lets wolfCrypt link into HAL-free firmware against the chip's CMSIS device header alone.

WOLFSSL_STM32_BARE is opt-in, off by default, and mutually exclusive with WOLFSSL_STM32_CUBEMX. Existing CubeMX HAL and StdPeriph builds are unchanged.
Features
Direct-register HASH driver
- STM32_HMAC) on families with HMAC mode.
- auto-detected via the CMSIS device header.
Direct-register AES driver
- FIFOs.
- with single-CR-write enable, KEYR + IVR + DINR + DOUTR poll.
- silicon supports it (STM32_CRYPTO_AES_GCM), AES-CCM.
- WC_STM32_AES_INST: defaults to CRYP, routes to SAES when WOLFSSL_STM32_USE_SAES is set.
- AES_CR_* <- SAES_CR_* alias block for SAES-only chips (N6 device header defines SAES_CR_* only).
Direct-register SAES + DHUK
- WOLFSSL_DHUK umbrella flag, family-gated on H5 / U3 / U5 / WBA / C5. Existing WOLFSSL_STM32U5_DHUK continues to work via macro alias.
- wc_Stm32_Aes_Wrap / wc_Stm32_Aes_DhukOp for SAES key-wrap-with-silicon-bound-DHUK.
- wc_Stm32_Aes_SetDHUK_IV for the matching unwrap IV.
- Stm32SaesWaitInit / Stm32SaesEnsureRng helpers (drain the SAES post-clock-enable BUSY phase while the IP fetches seeding entropy from the RNG).
Direct-register RNG driver
- WOLFSSL_STM32_RNG_NOLIB auto-enabled under WOLFSSL_STM32_BARE.
- RNGEN, drain pipeline reads, bounded retries). Replaces the unbounded spin in the original NOLIB path.
- (RNG_CAND_NIST_CR_VALUE + NSCR + HTCR write under CR.CONDRST), auto-detected via CMSIS symbol presence.
- STM32_BARE_RNG_BYTE_TIMEOUT, STM32_BARE_RNG_MAX_RETRIES.
- WC_STM32_RNG_NO_NIST_INIT, WC_STM32_RNG_CED_DISABLE.
Direct-register PKA driver
- microcode (V1: WB / WL / L5 / G4; V2: U3 / U5 / H5 / WBA / C5 / N6).
- WOLFSSL_STM32_PKA_V2 auto-set when the device header exposes the V2 RAM slot constants.
- coefB and primeOrder parameter loading, double-zero RAM-end terminator, HAL-exact write order, HAL-exact EXP_NB_BITS (from curve order MSB).
- wc_stm32_pka_process with PROCENDF / RAMERRF / ADDRERRF / OPERRF status handling.
Family clock-enable macros
Per-family direct-register clock enable / disable macros for AES, SAES, HASH, RNG, and PKA peripherals, gated on the exact CMSIS RCC bit names each family exposes. Compile-time #error guards catch mis-configured boards (e.g. STM32_CRYPTO enabled but no AES IP reachable on the chip).
Diagnostics
- WC_STM32_PKA_DIAG -- printf mode / CR / SR on PKA timeout or error.
- WC_STM32_SAES_DIAG -- printf CR / ISR / SR on SAES CCF timeout.
- WC_STM32_RNG_DIAG -- printf state on RNG init failure paths.
- DEBUG_STM32_BARE_GCM -- trace HW vs SW GHASH selection.

All gated, zero cost when undefined.
Supported families
The new BARE path covers every STM32 family that has an existing
wolfCrypt port arm:
Build flag
Add to user_settings.h:

The existing per-family flags (WOLFSSL_STM32H5, WOLFSSL_STM32U5, etc.) drive the family arm selection in stm32.h. The existing STM32_CRYPTO, STM32_HASH, STM32_RNG enable the corresponding HW IPs, the same way they do under the HAL path.
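
The RNG section of the description above contrasts bounded retries with the unbounded spin of the original NOLIB path. The following is an added example, not code from this PR or from wolfSSL: a host-runnable C model of a bounded read. SimRng, sim_read_sr, rng_recover, rng_read_word and both limit constants are hypothetical names, and the peripheral behaviour is constructed for the model.

```c
#include <stdint.h>

#define CR_RNGEN (1u << 2)   /* RNG enable */
#define SR_DRDY  (1u << 0)   /* data ready */
#define SR_SEIS  (1u << 6)   /* seed error latched */
/* Hypothetical limits, in the role of STM32_BARE_RNG_BYTE_TIMEOUT and
 * STM32_BARE_RNG_MAX_RETRIES; the values are made up for the model. */
#define WORD_TIMEOUT 1000u
#define MAX_RETRIES  3u

/* Constructed peripheral model: DRDY rises after ready_after status polls,
 * and the first seed_faults attempts latch SEIS instead. */
typedef struct {
    uint32_t CR, SR, DR;
    unsigned ready_after, seed_faults, polls;
} SimRng;

static uint32_t sim_read_sr(SimRng *r) {
    if ((r->CR & CR_RNGEN) && ++r->polls >= r->ready_after) {
        if (r->seed_faults) { r->seed_faults--; r->SR |= SR_SEIS; }
        else { r->SR |= SR_DRDY; r->DR = 0xA5A5A5A5u ^ r->polls; }
    }
    return r->SR;
}

/* Recovery between attempts: clear status, toggle RNGEN. */
static void rng_recover(SimRng *r) {
    r->SR &= ~(SR_SEIS | SR_DRDY);
    r->CR &= ~CR_RNGEN;
    r->CR |= CR_RNGEN;
    r->polls = 0;
}

/* Returns 0 with one word in *out, or -1 once every attempt is used up.
 * Both loops are bounded, so a dead or faulting RNG cannot hang the caller. */
int rng_read_word(SimRng *r, uint32_t *out) {
    for (unsigned attempt = 0; attempt <= MAX_RETRIES; attempt++) {
        for (uint32_t t = 0; t < WORD_TIMEOUT; t++) {
            uint32_t sr = sim_read_sr(r);
            if (sr & SR_SEIS) break;              /* fault: recover, retry */
            if (sr & SR_DRDY) {
                *out = r->DR;
                r->SR &= ~SR_DRDY;                /* model: read clears DRDY */
                return 0;
            }
        }
        rng_recover(r);
    }
    return -1;                                    /* caller must fail closed */
}
```

On -1 the caller should return an error instead of using whatever is left in the output buffer.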