Skip to content

STM32C5A3ZG: bare-metal wolfIP port + TLS 1.3 mutual auth with a HUK-protected identity key#142

Open
dgarske wants to merge 2 commits into
wolfSSL:masterfrom
dgarske:stm32c5a3_wolfip
Open

STM32C5A3ZG: bare-metal wolfIP port + TLS 1.3 mutual auth with a HUK-protected identity key#142
dgarske wants to merge 2 commits into
wolfSSL:masterfrom
dgarske:stm32c5a3_wolfip

Conversation

@dgarske

@dgarske dgarske commented Jul 9, 2026

Copy link
Copy Markdown
Member

Summary

New wolfIP port for the NUCLEO-C5A3ZG (Cortex-M33F, no TrustZone), reusing the shared STM32 DWC GMAC driver (one STM32C5 alias in src/port/stm32/stm32_eth.c). All milestones validated on hardware.

What works (HW-validated)

  • Network: DHCP + ICMP ping + TCP echo.
  • DHUK crypto callback self-test: ECDSA-sign (HW PKA), AES-GCM (SAES), HMAC-SHA256 (HASH), TRNG.
  • TLS 1.3 mutual-auth client: handshake to openssl s_server -Verify 1, TLS_AES_128_GCM_SHA256; peer verifies the device client cert.
  • HUK identity key in TLS: CertificateVerify signed via the DHUK callback (SAES unwrap -> HW PKA); the identity scalar never exists in software. Peer's verify return:1 is the proof.

Build

  • make (network only) / make ENABLE_CB_SELFTEST=1 / make ENABLE_TLS_CLIENT=1 / make ENABLE_TLS_CLIENT=1 ENABLE_DHUK_KEY=1.
  • TLS builds need the wolfSSL STM32 bare-crypto branch (WOLFSSL_ROOT, default ../wolfssl-c5tls).
  • Flash: STM32CubeProgrammer (SWD, mode=UR). Flash 3.0% -> 21.9% across the variants.

Notable fixes in this port

  • _sbrk now uses the linker .heap region (was overlapping the Ethernet DMA buffers -> packet DMA corrupted malloc'd TLS objects).
  • C5 RNG clock-error detector disabled (WC_STM32_RNG_CED_DISABLE / CR.CED; false-trips on the 48 MHz CK48).
  • RMII RXD0/RXD1 use AF12/AF13 (not AF10); MSPLIM wired to the real stack-limit symbol; 64K heap/stack + WOLFSSL_SMALL_STACK.

Scope

Config A: identity key on the callback, ephemeral ECDHE in software. Config B (route ECDHE through the callback to strip software ECC) is a follow-on. Demo identity key is a public NIST CAVP vector; production provisions the wrapped blob off-device.

@dgarske dgarske self-assigned this Jul 9, 2026
Copilot AI review requested due to automatic review settings July 9, 2026 20:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@dgarske dgarske force-pushed the stm32c5a3_wolfip branch 2 times, most recently from 9f824fd to 6f034bb Compare July 10, 2026 20:33
@dgarske dgarske requested a review from Copilot July 10, 2026 20:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 25 out of 26 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (5)

src/port/tls_client.c:159

  • debug_print_kv() negates val to print it, but -val is undefined/overflows for INT_MIN. That can produce incorrect output or UB in error paths. Use a safe absolute-value conversion for signed ints.
    src/port/tls_client.c:311
  • TLS client currently disables all server certificate verification (WOLFSSL_VERIFY_NONE). That makes TLS susceptible to MITM even when mutual-auth is enabled. Since tls_certs.h already embeds a CA certificate, consider adding a build-time option to verify the peer and load the CA when enabled.
    src/port/tls_client.c:306
  • In ENABLE_DHUK_KEY builds, tls_client_init still loads client_key_der via wolfSSL_CTX_use_PrivateKey_buffer(). That key is the raw identity scalar per tls_certs.h comments, so it will be parsed/held by wolfSSL in software memory, undermining the goal of keeping the identity key HUK/DHUK-protected. This likely needs a DHUK-only path that does not embed or load the raw private key (e.g., load only the cert and rely on the PK callback / a non-sensitive placeholder key).
    src/port/tls_client.c:60
  • dhuk_provision_key() uses wc_ForceZero() style wiping elsewhere in this repo, but tls_client.c doesn't include the header that declares it. Add <wolfssl/wolfcrypt/memory.h> before using wc_ForceZero to avoid implicit declarations / build breaks on stricter compilers.
    src/port/tls_client.c:243
  • dhuk_provision_key() leaves the wrapped scalar in a stack buffer (wrapped) and returns early on errors without wiping it. Even though the demo scalar is public, production provisioning would make this sensitive; wipe wrapped on both success and error paths once it has been populated.

Comment thread src/port/stm32c5a3/syscalls.c
Comment thread src/port/stm32c5a3/main.c
Comment thread src/port/stm32c5a3/target.ld
@dgarske dgarske force-pushed the stm32c5a3_wolfip branch from 6f034bb to 7eeb89b Compare July 10, 2026 22:30
@dgarske dgarske marked this pull request as ready for review July 10, 2026 23:06
@dgarske dgarske assigned danielinux and wolfSSL-Bot and unassigned dgarske Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants