Adds new STM32 Bare support for Hash, SAES/AES and PKA #10395
Pull request overview
This PR introduces a new STM32 “bare-metal” crypto port flavor (WOLFSSL_STM32_BARE) that uses CMSIS device-header register access (no HAL/StdPeriph dependency) and wires it into wolfCrypt’s AES/HASH/RNG paths, plus a direct-register PKA implementation used by the existing STM32 PKA integration.
Changes:
- Add `WOLFSSL_STM32_BARE` selection in settings to include only CMSIS device headers and auto-enable the no-lib RNG path.
- Add per-family bare-metal clock-enable macros and HAL/PKA stand-in types to support a direct-register PKA driver.
- Add bare-metal AES (CRYP + TinyAES), HASH clock enable override, and bare PKA shims/driver, plus AES dispatcher updates in `aes.c` and RNG clock-enable macro use in `random.c`.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/settings.h | Adds WOLFSSL_STM32_BARE selection, CMSIS header includes, and mutual exclusion with CubeMX. |
| wolfssl/wolfcrypt/port/st/stm32.h | Adds BARE clock-enable macros, HASH ALGO defines for new IP, and PKA stand-in types. |
| wolfcrypt/src/port/st/stm32.c | Implements bare-metal AES (CRYP/TinyAES), HASH clock enable override, and bare-metal PKA shims/driver. |
| wolfcrypt/src/aes.c | Routes ECB/CBC/CTR and GCM-encrypt through the BARE STM32 implementation with SW fallback behavior. |
| wolfcrypt/src/random.c | Uses a per-family RNG clock-enable macro (for BARE) instead of a fixed RCC register bit. |
| wolfcrypt/src/ecc.c | Adjusts STM32 PKA guards so BARE uses SW ECDSA paths while still leveraging HW scalar mul. |
Note #10307 seems to have broken AES CBC on STM32... I will put the fix into my new wolfSSL/wolfssl-examples-stm32#13
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
wolfcrypt/src/port/st/stm32.c:1
- After `wc_Stm32_Aes_DhukOp()` completes, the unwrapped key remains resident in SAES key registers (KEYR) until overwritten by a later operation. If the platform threat model includes debug/privileged register reads or post-operation key scraping, consider explicitly clearing KEYR/CR state (or triggering any available peripheral key/CCF/error clear mechanism) before releasing the mutex. This is especially relevant because DHUK is explicitly about protecting keys at rest/in RAM.
/* stm32.c
Jenkins retest this please
Adds a direct-register "BARE" path for the STM32 family alongside the
existing CubeMX HAL integration. Selects via WOLFSSL_STM32_BARE +
WOLFSSL_STM32_PKA. Supports a wide matrix of C0 / C5 / F2 / F3 / F4 /
F7 / G0 / G4 / H5 / H7 / H7RS / L4 / L5 / N6 / U0 / U3 / U5 / WB / WBA
/ WL silicon. Covered:
- V1 PKA (WL/G4 layout) and V2 PKA (U5/H5/N6/C5/H7RS layout) shared
HAL_PKA_* shims sized for the wolfcrypt ECC / RSA / DH call sites
- TinyAES-shape AES IP (L4 / L5 / U5 / U3 / H5 / H573 / G0 / G4 /
WB / WL / WBA) with shared CCF-poll / IVR / KEYR helpers and a
BARE GCM path that piggy-backs HW ECB for the J0 / ENC blocks
- Fat CRYP IP (F4 / F7 / H7) on the existing register-level driver
- SAES (H573 / U5 / U3 / N6 / WBA / C5 / H7RS) with key wrap / unwrap
and DHUK ECB + CBC entry points
- HASH IP (F4 / F7 / H5 / H573 / U5 / U3 / N6 / C5 / H7RS / WBA)
with context save/restore and the new-gen 4-bit ALGO field
- RNG (all families, NIST candidate init for C5)
Debug switches WC_STM32_PKA_DIAG and WC_STM32_SAES_DIAG (off by
default) print diagnostics through the board's board_putc retarget --
useful for new-board bring-up. Both are documented at the top of the
BARE block in stm32.c.
Five V1+V2 PKA bug fixes captured during silicon bring-up:
- INITOK wait gate for V2 PKA before HAL_PKA returns
- B_COEFF parameter load for ECC scalar multiplication on V2
- Success-code sentinel divergence between V1 and V2 PKA out-error
- MOD_NB_BITS save / restore in the ECC_MUL flow
- coefSign default handling for V1 PKA (WL55 ECC regression fix)
Aes.c BARE branches in wc_AesCbcEncrypt and wc_AesCbcDecrypt route the
WOLFSSL_DHUK_WRAPPED_DEVID through wc_Stm32_Aes_DhukOp_ex() with HW
IV chaining via SAES native CBC mode. ECC zero-digest guard added in
ecc.c so V1 PKA does not fault on the (zero-)message edge case.
Random.c gains an STM32C5 RNG NIST candidate init path (config 1/2/3,
NSCR, HTCR write under CONDRST) -- still under investigation on
silicon, currently held off in user_settings via NO_STM32_RNG until
the C5 conditioning sequence is resolved.
Adds a new `WOLFSSL_STM32_BARE` build flag that enables direct-register access to the STM32 crypto, hash, RNG and PKA peripherals using only CMSIS (no CubeMX HAL, no Standard Peripheral Library). Lets wolfCrypt link into HAL-free firmware against the chip's CMSIS device header alone.

`WOLFSSL_STM32_BARE` is opt-in, off by default, and mutually exclusive with `WOLFSSL_STM32_CUBEMX`. Existing CubeMX HAL and StdPeriph builds are unchanged.
Features
Direct-register HASH driver
`STM32_HMAC`) on families with HMAC mode.
auto-detected via the CMSIS device header.
Direct-register AES driver
FIFOs.
with single-CR-write enable, KEYR + IVR + DINR + DOUTR poll.
silicon supports it (`STM32_CRYPTO_AES_GCM`), AES-CCM.
`WC_STM32_AES_INST`: defaults to CRYP, routes to SAES when `WOLFSSL_STM32_USE_SAES` is set.
`AES_CR_*` <- `SAES_CR_*` alias block for SAES-only chips (N6 device header defines `SAES_CR_*` only).
Direct-register SAES + DHUK
`WOLFSSL_DHUK` umbrella flag, family-gated on H5 / U3 / U5 / WBA / C5. Existing `WOLFSSL_STM32U5_DHUK` continues to work via macro alias.
`wc_Stm32_Aes_Wrap` / `wc_Stm32_Aes_DhukOp` for SAES key-wrap-with-silicon-bound-DHUK.
`wc_Stm32_Aes_SetDHUK_IV` for the matching unwrap IV.
`Stm32SaesWaitInit` / `Stm32SaesEnsureRng` helpers (drain the SAES post-clock-enable BUSY phase while the IP fetches seeding entropy from the RNG).
Direct-register RNG driver
`WOLFSSL_STM32_RNG_NOLIB` auto-enabled under `WOLFSSL_STM32_BARE`.
RNGEN, drain pipeline reads, bounded retries). Replaces the unbounded spin in the original NOLIB path.
(`RNG_CAND_NIST_CR_VALUE` + NSCR + HTCR write under `CR.CONDRST`), auto-detected via CMSIS symbol presence.
`STM32_BARE_RNG_BYTE_TIMEOUT`, `STM32_BARE_RNG_MAX_RETRIES`.
`WC_STM32_RNG_NO_NIST_INIT`, `WC_STM32_RNG_CED_DISABLE`.
Direct-register PKA driver
microcode (V1: WB / WL / L5 / G4; V2: U3 / U5 / H5 / WBA / C5 / N6).
`WOLFSSL_STM32_PKA_V2` auto-set when the device header exposes the V2 RAM slot constants.
`coefB` and `primeOrder` parameter loading, double-zero RAM-end terminator, HAL-exact write order, HAL-exact `EXP_NB_BITS` (from curve order MSB).
`wc_stm32_pka_process` with PROCENDF / RAMERRF / ADDRERRF / OPERRF status handling.
Family clock-enable macros
Per-family direct-register clock enable / disable macros for AES, SAES, HASH, RNG, and PKA peripherals, gated on the exact CMSIS RCC bit names each family exposes. Compile-time `#error` guards catch mis-configured boards (e.g. `STM32_CRYPTO` enabled but no AES IP reachable on the chip).
Diagnostics
- `WC_STM32_PKA_DIAG` -- printf mode / CR / SR on PKA timeout or error.
- `WC_STM32_SAES_DIAG` -- printf CR / ISR / SR on SAES CCF timeout.
- `WC_STM32_RNG_DIAG` -- printf state on RNG init failure paths.
- `DEBUG_STM32_BARE_GCM` -- trace HW vs SW GHASH selection.

All gated, zero cost when undefined.
Supported families
The new BARE path covers every STM32 family that has an existing
wolfCrypt port arm:
Build flag
Add to `user_settings.h`:
The existing per-family flags (`WOLFSSL_STM32H5`, `WOLFSSL_STM32U5`, etc.) drive the family arm selection in `stm32.h`. The existing `STM32_CRYPTO`, `STM32_HASH`, `STM32_RNG` enable the corresponding HW IPs, the same way they do under the HAL path.
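
The bounded RNG wait that the description above sets against an unbounded spin, as an added example (not code from this PR or from wolfSSL): each word gets a limited number of status reads, a latched seed error triggers a recovery, and the call fails closed once retries run out. `rng_model`, `POLL_LIMIT`, `MAX_RETRIES` and the function names are hypothetical, the recovery sequence (toggle RNGEN, clear the error flag) is an assumption, and the register block is a constructed host-side model so the logic runs off-target.

```c
#include <stdint.h>

/* RNG bit positions as given in the STM32 reference manuals. */
#define RNG_CR_RNGEN (1u << 2)  /* peripheral enable */
#define RNG_SR_DRDY  (1u << 0)  /* a 32-bit word is ready in DR */
#define RNG_SR_SEIS  (1u << 6)  /* seed error latched */

/* Hypothetical limits; the page names its tunables but not their values. */
#define POLL_LIMIT  1000u       /* status reads per attempt */
#define MAX_RETRIES 3u          /* retries before failing closed */

/* Constructed host-side model of the registers so the logic runs off-target. */
typedef struct {
    uint32_t CR, SR, DR;
    unsigned ready_after;       /* model: polls until DRDY, 0 = never */
    unsigned faults, polls;     /* model: seed errors left to raise; poll count */
} rng_model;

static uint32_t rng_sr(rng_model *r)
{
    if (!(r->CR & RNG_CR_RNGEN)) return 0;
    if (r->faults) return RNG_SR_SEIS;
    if (r->ready_after && ++r->polls >= r->ready_after) return RNG_SR_DRDY;
    return 0;
}

/* Recovery: disable, clear the latched error, re-enable, restart the wait. */
static void rng_recover(rng_model *r)
{
    r->CR &= ~RNG_CR_RNGEN;
    r->SR &= ~RNG_SR_SEIS;
    if (r->faults) r->faults--; /* model only */
    r->polls = 0;               /* model only */
    r->CR |= RNG_CR_RNGEN;
}

/* Returns 0 with *out filled, or -1 with *out untouched once retries run out. */
int rng_read_word(rng_model *r, uint32_t *out)
{
    for (unsigned attempt = 0; attempt <= MAX_RETRIES; attempt++) {
        for (unsigned t = 0; t < POLL_LIMIT; t++) {
            uint32_t sr = rng_sr(r);
            if (sr & RNG_SR_SEIS) break;              /* fault: recover */
            if (sr & RNG_SR_DRDY) { *out = r->DR; return 0; }
        }
        rng_recover(r);
    }
    return -1;
}
```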