STM32C5A3ZG: bare-metal wolfIP port + TLS 1.3 mutual auth with a HUK-protected identity key#142
Draft
dgarske wants to merge 1 commit into
Draft
STM32C5A3ZG: bare-metal wolfIP port + TLS 1.3 mutual auth with a HUK-protected identity key#142dgarske wants to merge 1 commit into
dgarske wants to merge 1 commit into
Conversation
…tity key + shared STM32 wolfssl.mk
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
New wolfIP port for the NUCLEO-C5A3ZG (Cortex-M33F, no TrustZone), reusing the shared STM32 DWC GMAC driver (one
STM32C5alias insrc/port/stm32/stm32_eth.c). All milestones validated on hardware.What works (HW-validated)
openssl s_server -Verify 1,TLS_AES_128_GCM_SHA256; peer verifies the device client cert.verify return:1is the proof.Build
make(network only) /make ENABLE_CB_SELFTEST=1/make ENABLE_TLS_CLIENT=1/make ENABLE_TLS_CLIENT=1 ENABLE_DHUK_KEY=1.WOLFSSL_ROOT, default../wolfssl-c5tls).mode=UR). Flash 3.0% -> 21.9% across the variants.Notable fixes in this port
_sbrknow uses the linker.heapregion (was overlapping the Ethernet DMA buffers -> packet DMA corrupted malloc'd TLS objects).WC_STM32_RNG_CED_DISABLE/CR.CED; false-trips on the 48 MHz CK48).WOLFSSL_SMALL_STACK.Scope
Config A: identity key on the callback, ephemeral ECDHE in software. Config B (route ECDHE through the callback to strip software ECC) is a follow-on. Demo identity key is a public NIST CAVP vector; production provisions the wrapped blob off-device.