STM32 bare-metal crypto port and DHUK support by dgarske · Pull Request #10395 · wolfSSL/wolfssl

dgarske · 2026-05-04T23:16:08Z

Adds a new WOLFSSL_STM32_BARE build flag that enables direct-register
access to the STM32 crypto, hash, RNG and PKA peripherals using only
CMSIS (no CubeMX HAL, no Standard Peripheral Library). Lets wolfCrypt
link into HAL-free firmware against the chip's CMSIS device header
alone.

WOLFSSL_STM32_BARE is opt-in, off by default, and mutually exclusive
with WOLFSSL_STM32_CUBEMX. Existing CubeMX HAL and StdPeriph builds
are unchanged.

Features

Direct-register HASH driver

HW SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
Context save / restore for interleaved multi-stream hashing.
Optional HW HMAC (STM32_HMAC) on families with HMAC mode.
New-generation HASH IP (4-bit ALGO field on H5/U3/N6/C5/MP13/H7S)
auto-detected via the CMSIS device header.

Direct-register AES driver

Legacy fat-CRYP path (F4 / F7 / H7) with CR.ALGOMODE, DINR/DOUTR
FIFOs.
TinyAES path (H5 / U5 / U3 / WBA / C5 / L5 / L4 / G4 / G0 / WL / WB)
with single-CR-write enable, KEYR + IVR + DINR + DOUTR poll.
AES-CBC, AES-CTR (via ECB-as-transform), AES-GCM HW-native where the
silicon supports it (STM32_CRYPTO_AES_GCM), AES-CCM.
Build-time IP selector WC_STM32_AES_INST: defaults to CRYP, routes
to SAES when WOLFSSL_STM32_USE_SAES is set.
AES_CR_* <- SAES_CR_* alias block for SAES-only chips (N6 device
header defines SAES_CR_* only).

Direct-register SAES + DHUK

New WOLFSSL_DHUK umbrella flag, family-gated on H5 / U3 / U5 / WBA / C5.
Existing WOLFSSL_STM32U5_DHUK continues to work via macro alias.
wc_Stm32_Aes_Wrap / wc_Stm32_Aes_DhukOp for SAES key-wrap-with-
silicon-bound-DHUK.
New wc_Stm32_Aes_SetDHUK_IV for the matching unwrap IV.
Shared Stm32SaesWaitInit / Stm32SaesEnsureRng helpers (drain the
SAES post-clock-enable BUSY phase while the IP fetches seeding
entropy from the RNG).

Direct-register RNG driver

WOLFSSL_STM32_RNG_NOLIB auto-enabled under WOLFSSL_STM32_BARE.
Bounded DRDY poll with SECS / CECS recovery (clear status, toggle
RNGEN, drain pipeline reads, bounded retries). Replaces the
unbounded spin in the original NOLIB path.
New-generation C5 / H7S RNG NIST candidate-config init
(RNG_CAND_NIST_CR_VALUE + NSCR + HTCR write under CR.CONDRST),
auto-detected via CMSIS symbol presence.
Tunables: STM32_BARE_RNG_BYTE_TIMEOUT, STM32_BARE_RNG_MAX_RETRIES.
Opt-out flags: WC_STM32_RNG_NO_NIST_INIT, WC_STM32_RNG_CED_DISABLE.

Direct-register PKA driver

ECDSA sign / verify and ECC scalar multiplication via V1 and V2 PKA
microcode (V1: WB / WL / L5 / G4; V2: U3 / U5 / H5 / WBA / C5 / N6).
WOLFSSL_STM32_PKA_V2 auto-set when the device header exposes the
V2 RAM slot constants.
V2 path includes coefB and primeOrder parameter loading, double-
zero RAM-end terminator, HAL-exact write order, HAL-exact
EXP_NB_BITS (from curve order MSB).
HAL-shape wc_stm32_pka_process with PROCENDF / RAMERRF / ADDRERRF /
OPERRF status handling.

Family clock-enable macros

Per-family direct-register clock enable / disable macros for AES,
SAES, HASH, RNG, and PKA peripherals, gated on the exact CMSIS RCC
bit names each family exposes. Compile-time #error guards catch
mis-configured boards (e.g. STM32_CRYPTO enabled but no AES IP
reachable on the chip).

Diagnostics

WC_STM32_PKA_DIAG -- printf mode / CR / SR on PKA timeout or error.
WC_STM32_SAES_DIAG -- printf CR / ISR / SR on SAES CCF timeout.
WC_STM32_RNG_DIAG -- printf state on RNG init failure paths.
DEBUG_STM32_BARE_GCM -- trace HW vs SW GHASH selection.

All gated, zero cost when undefined.

Supported families

The new BARE path covers every STM32 family that has an existing
wolfCrypt port arm:

Family	Chips on the bench / validated	IPs reached by BARE
STM32F4	F437, F439	CRYP, HASH, RNG
STM32F7	F767	RNG (F767 has no HASH/CRYP)
STM32H5	H563	HASH, RNG, V2 PKA
STM32H7	H753	CRYP, HASH, RNG
STM32U0	U083 (Cortex-M0+)	AES, RNG
STM32U3	U385	TinyAES, HASH, RNG, V2 PKA, SAES, DHUK
STM32U5	U575, U585, U545	TinyAES, HASH, RNG, V2 PKA, SAES, DHUK
STM32L5	L552, L562	TinyAES, HASH, RNG, V1 PKA, SAES, DHUK
STM32G4	G491	RNG, V1 PKA
STM32WB	WB55	AES1, RNG, V1 PKA
STM32WL	WL55	TinyAES, RNG, V1 PKA
STM32WBA	WBA52	TinyAES, HASH, RNG, V2 PKA, SAES, DHUK
STM32C5	C5A3	TinyAES, HASH, RNG, V2 PKA, SAES
STM32N6	N657	CRYP, HASH, RNG, V2 PKA, SAES
STM32G0	-	AES, RNG (arm only)
STM32F1, F2, L4	-	clock-enable arms
STM32MP13, H7S	-	clock-enable arms

Build flag

Add to user_settings.h:

#define WOLFSSL_STM32_BARE

The existing per-family flags (WOLFSSL_STM32H5, WOLFSSL_STM32U5,
etc.) drive the family arm selection in stm32.h. The existing
STM32_CRYPTO, STM32_HASH, STM32_RNG enable the corresponding
HW IPs, the same way they do under the HAL path.

Copilot

Pull request overview

This PR introduces a new STM32 “bare-metal” crypto port flavor (WOLFSSL_STM32_BARE) that uses CMSIS device-header register access (no HAL/StdPeriph dependency) and wires it into wolfCrypt’s AES/HASH/RNG paths, plus a direct-register PKA implementation used by the existing STM32 PKA integration.

Changes:

Add WOLFSSL_STM32_BARE selection in settings to include only CMSIS device headers and auto-enable the no-lib RNG path.
Add per-family bare-metal clock-enable macros and HAL/PKA stand-in types to support a direct-register PKA driver.
Add bare-metal AES (CRYP + TinyAES), HASH clock enable override, and bare PKA shims/driver, plus AES dispatcher updates in aes.c and RNG clock-enable macro use in random.c.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
`wolfssl/wolfcrypt/settings.h`	Adds `WOLFSSL_STM32_BARE` selection, CMSIS header includes, and mutual exclusion with CubeMX.
`wolfssl/wolfcrypt/port/st/stm32.h`	Adds BARE clock-enable macros, HASH ALGO defines for new IP, and PKA stand-in types.
`wolfcrypt/src/port/st/stm32.c`	Implements bare-metal AES (CRYP/TinyAES), HASH clock enable override, and bare-metal PKA shims/driver.
`wolfcrypt/src/aes.c`	Routes ECB/CBC/CTR and GCM-encrypt through the BARE STM32 implementation with SW fallback behavior.
`wolfcrypt/src/random.c`	Uses a per-family RNG clock-enable macro (for BARE) instead of a fixed RCC register bit.
`wolfcrypt/src/ecc.c`	Adjusts STM32 PKA guards so BARE uses SW ECDSA paths while still leveraging HW scalar mul.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

github-actions · 2026-05-05T00:38:37Z

MemBrowse Memory Report

No memory changes detected for:

dgarske · 2026-05-07T21:24:50Z

Note #10307 seems to have broken AES CBC on STM32... I will put the fix into my new wolfSSL/wolfssl-examples-stm32#13

Copilot

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

wolfcrypt/src/port/st/stm32.c:1

After wc_Stm32_Aes_DhukOp() completes, the unwrapped key remains resident in SAES key registers (KEYR) until overwritten by a later operation. If the platform threat model includes debug/privileged register reads or post-operation key scraping, consider explicitly clearing KEYR/CR state (or triggering any available peripheral key/CCF/error clear mechanism) before releasing the mutex. This is especially relevant because DHUK is explicitly about protecting keys at rest/in RAM.

/* stm32.c

Copilot

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.

dgarske · 2026-05-22T03:16:08Z

Jenkins retest this please

Direct-register (WOLFSSL_STM32_BARE) wolfCrypt port -- no HAL/StdPeriph -- covering HASH, CRYP/TinyAES/SAES, PKA (V1 + V2) and RNG across the STM32 families (F2/F3/F4/F7/H5/H7/H7RS/L4/L5/G0/G4/U0/U3/U5/WB/WL/WBA/C0/C5/N6/ MP13). Per-family clock-enable macros are centralized via WC_STM32_CLK_EN/ WC_STM32_CLK_DIS. Includes STM32H563 'light' PKA support: H563 can ECDSA-verify in HW but not sign, so WC_STM32_PKA_VERIFY_ONLY (auto-enabled for STM32H563xx) routes sign to software while verify stays on the HW PKA; H573 keeps full PKA.

A vendor-neutral DHUK crypto-callback device (wc_Stm32_DhukRegister) that binds keys to the silicon's hardware-unique key via SAES: GMAC, AES-ECB/CBC and ECDSA-sign run with a key derived from a seed inside SAES (the key never enters software); wc_ecc_import_wrapped_private carries a wrapped scalar + seed on the ecc_key. Gated behind WOLFSSL_DHUK + WOLF_CRYPTO_CB. Includes the SAES kernel-clock fix this depends on: on STM32U5/U3 the SAES runs from the SHSI (secure HSI), which the bare driver now enables in Stm32SaesEnsureRng -- without it the wrapped-key derive never completes (CCF never asserts) and DHUK returned WC_TIMEOUT_E. Also factors the repeated SAES push/wait-CCF/read/clear idiom into Stm32SaesEcbBlock. Validated on NUCLEO-U545RE-Q and B-U585I-IOT02A (TZEN=1): all DHUK stages pass, with device-unique tags.

dgarske self-assigned this May 4, 2026

Copilot AI review requested due to automatic review settings May 4, 2026 23:16

Copilot started reviewing on behalf of dgarske May 4, 2026 23:19 View session

Copilot AI reviewed May 4, 2026

View reviewed changes

dgarske force-pushed the stm32_bare branch 3 times, most recently from 8058c8c to 22ee90e Compare May 7, 2026 18:11

dgarske force-pushed the stm32_bare branch 5 times, most recently from 1c9091e to 3519503 Compare May 11, 2026 21:35

dgarske requested a review from Copilot May 11, 2026 21:36

Copilot AI reviewed May 11, 2026

View reviewed changes

Comment thread wolfssl/wolfcrypt/port/st/stm32.h Outdated

Comment thread wolfssl/wolfcrypt/port/st/stm32.h

Comment thread wolfcrypt/src/port/st/stm32.c

Comment thread wolfcrypt/src/random.c

Comment thread wolfcrypt/src/port/st/stm32.c

dgarske force-pushed the stm32_bare branch 2 times, most recently from 965e81b to 2c8100c Compare May 12, 2026 20:16

dgarske requested a review from Copilot May 12, 2026 20:26

Copilot AI reviewed May 12, 2026

View reviewed changes

Copilot started reviewing on behalf of dgarske May 12, 2026 21:00 View session

dgarske force-pushed the stm32_bare branch 4 times, most recently from 0145fa0 to b0ba9ce Compare May 15, 2026 23:30

dgarske force-pushed the stm32_bare branch from b0ba9ce to 4264147 Compare May 22, 2026 01:45

dgarske force-pushed the stm32_bare branch 3 times, most recently from 65fc021 to 9b9eb3e Compare June 3, 2026 17:00

dgarske changed the title ~~Adds new STM32 Bare support for Hash, SAES/AES and PKA~~ STM32 bare-metal crypto port and DHUK support Jun 3, 2026

dgarske added 2 commits June 5, 2026 13:59

dgarske force-pushed the stm32_bare branch from 9b9eb3e to d64e0da Compare June 5, 2026 21:00

Conversation

dgarske commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Features

Direct-register HASH driver

Direct-register AES driver

Direct-register SAES + DHUK

Direct-register RNG driver

Direct-register PKA driver

Family clock-enable macros

Diagnostics

Supported families

Build flag

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented May 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

MemBrowse Memory Report

Uh oh!

dgarske commented May 7, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

dgarske commented May 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dgarske commented May 4, 2026 •

edited

Loading

github-actions Bot commented May 5, 2026 •

edited

Loading

dgarske commented May 22, 2026 •

edited

Loading