Security doesn’t have to rhyme with “performance penalty”. That’s the premise behind wolfSSL, an embedded SSL/TLS library and a member of the ST Partner Program. wolfSSL offers significant performance gains and a footprint up to 20 times smaller than OpenSSL (between 20 kB and 100 kB) thanks to optimizations for embedded systems that keep the code running as close to the metal as possible. It also takes advantage of our crypto cores and other hardware IPs, so users get the full benefit of an STM32 device. And to make wolfSSL even more practical, developers can install the library by downloading its I-CUBE package and selecting the component from within STM32CubeMX, our free STM32 initialization tool.
wolfSSL and the root of trust
The new reality of dependencies
![Know whom to trust](https://blog.st.com/wp-content/uploads/Embedded-Systems-Lock-300x200.jpg)
Most developers would never attempt to write code from scratch when trying to use technologies like TLS or SSL. Using SSH to access a terminal remotely is extremely common, but no one writes support for all the necessary protocols and dependencies themselves. Instead, the entire IT world relies on publicly available tools without even thinking about it. Is it dangerous? It can be. Last year, a vulnerability was discovered in a reasonably obscure utility: it had been inserted by a bad actor who gained the trust of the maintainers to create a backdoor that could have affected nearly all Linux distributions. Security features are far too complex to implement in-house. Consequently, knowing whom to trust is becoming ever more critical.
The new services from security experts
This is why the ST Partner Program aims to work with trusted experts who can deliver unique security solutions. It’s a way to help the STM32 community know whom to rely on and who provides the best performance. wolfSSL even offers detailed benchmark analysis so developers can check the results themselves. The company also provides best-practice guidelines and integration tests, and guarantees an average response time to vulnerabilities of 36 hours. Moreover, wolfSSL thoroughly screens contributors, and every pull request is subject to a thorough internal review. Too often, developers underestimate the risk of a security flaw. In practice, teams should aim for the absence of security flaws but always assume there will be one and have contingency plans.
STM32H5 and STM32U5, and new certification objectives
As wolfSSL explained,
“We are seeing a shift in customers who are now prioritizing STM32U5 and STM32H5 devices because they want to benefit from their security features, something unheard of only a few years ago. Hence, wolfSSL worked with ST to offer the most optimized library, so taking advantage of all these features doesn’t have to compromise performance or slow down developments to a crawl.”
Moreover, while the STM32U5 and STM32H5 can both target SESIP3 and PSA level 3 certifications, the wolfCrypt cryptographic library is FIPS 140-3 certified, which meets some of the most stringent requirements for government, military, and aerospace applications. Furthermore, the wolfCrypt module, a software API library for wolfSSL/TLS, is the first module in the world to have received the SP800-140Br1-compliant FIPS 140-3 Validation Certificate.
Beyond wolfSSL
wolfTPM
As we just saw, wolfSSL offers a lot more than the library of the same name. In fact, ST recently held a webinar on wolfTPM and our ST33KTPM, a trusted platform module. The ST Authorized Partner even shared that many projects that use a competing microcontroller will select our FIPS 140-3 certified ST33KTPM and wolfTPM for their TPM 2.0 stack. It’s probably one of the best testaments to the practicality and resilience of this solution and our partnership with wolfSSL that even projects using third-party MCUs would settle on our module and wolfTPM.
wolfBoot
Similarly, wolfSSL offers wolfBoot, a secure bootloader for STM32 microcontrollers. The solution already implements critical features like firmware authentication and updates, and does so while meeting the RFC 9019 standard defined by the Internet Engineering Task Force. Consequently, using wolfBoot means that developers don’t have to deal with secure key storage and provisioning, post-quantum cryptographic support, anti-rollback protection, and more. Teams just take advantage of the hardware abstraction layer implemented by wolfBoot to access all the available features, which simplifies development and significantly shortens the time to market.
Next steps
![Using the STM32U5 and wolfSSL to thoroughly secure embedded systems](https://blog.st.com/wp-content/uploads/HCSTM32U50721-wolfssl-300x199.jpg)
The best way to get started is to grab an STM32 development board and request an evaluation application on the wolfSSL website. wolfSSL provides free evaluation support to help guide teams during the integration process. As the industry prioritizes devices like the STM32H5 and STM32U5 for their advanced security features, many are contacting wolfSSL earlier in their development cycle. A few years ago, engineers would reach out late to implement wolfSSL. Today, many realize that a proper security implementation starts very early on. As a result, wolfSSL is also guiding its customers to use ST’s true random number generator, properly implement keys, and create a mechanism to revoke them, among many other things.