-
Notifications
You must be signed in to change notification settings - Fork 153
Releases: wolfSSL/wolfBoot
Releases · wolfSSL/wolfBoot
wolfBoot v2.8.0
@danielinux
danielinux
1253995
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Changelog
- New hardware targets
- AMD/Xilinx Versal Gen 1 VMK180 support, including SD/QSPI boot flows and PetaLinux boot support
- Microchip PolarFire SoC MPFS250 support extended to M-mode/QSPI/LIM boot flows, plus eMMC/SD support
- New target support for NXP MCXN and MCXW71, NXP S32K14x, NXP LPC55S69, and Nordic nRF54L15
- Added NXP T1040 RDB support and refreshed NXP T2080 vendor-board configurations
- Improvements to supported targets
- STM32H5 TrustZone/PKCS11 integration reworked with NSC veneers, plus additional OTP and flash handling fixes
- PSoC6 now supports external flash dual-bank updates and read-modify-erase-write flash programming
- AURIX TC3xx self-update and wolfHSM configurations expanded, including RSA4096 and cert-chain examples
- Renesas RA6M4 and RX projects refreshed, with improved RAM-function handling for CCRX builds
- Improved clang/LLVM support for embedded builds and test-app image generation, with dedicated CI coverage
- New features and improvements
- Added wolfPSA integration for secure storage and TrustZone-backed PSA services
- Added TrustZone PSA-crypto support and PSA attestation compliance, including DICE-based attestation flows
- Added Zephyr integration to replace the TEE layer, with PSA-facing interfaces and sample patches
- Added a generic hook framework for pre-init, post-init, and boot hooks
- Added custom encryption-key hooks, PKCS11-backed encrypted partitions, and improved image inspection/status tooling
- Added monolithic self-update builds, reproducible-build support, self-header support, and expanded simulator self-update / TrustZone test coverage
- Bug fixes and hardening
- Strengthened image parsing, signing, and update flows with stricter bounds/overflow checks for signatures, TLVs, delta images, GPT/FDT parsing, disk I/O, and partition overlap
- Added fail-closed flash protection, stricter rollback handling in non-flash paths, and final sanity checks in boot and library boot paths
- Expanded constant-time comparisons and zeroization for TPM, DICE, SATA, update, and key-generation code paths
- Fixed self-update regressions, encrypted-partition handling, SDHCI/MMC corner cases, and assorted build/test regressions across ARM, PPC, RISC-V, and simulator targets
- Updated modules
- wolfSSL v5.9.1-stable
- wolfTPM v3.10.0-88-gefaab4a
- wolfPKCS11 v2.0.0-stable-126-g8fec695
- wolfHSM v1.4.0-57-g977bf18
Assets 3
wolfBoot v2.7.0
@danielinux
danielinux
5ea3de1
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Changelog
- New hardware targets
- Vorago VA416x0 (new HAL, linker scripts, test application, and programming helpers)
- Nordic nRF5340 TrustZone build and configuration
- Improvements to supported targets
- TrustZone-M support unified across ARMv8-M targets
- TrustZone-M aware dual-bank configuration, increased update/erase reliability and isolation
- nRF5340: Added support for TrustZone-M
- STM32H5: SPI driver and TPM support with new TrustZone NSC APIs,
- Simulator: dual-bank flow and bank-swap test script to validate redundant-slot updates
- RP2350: RAM cache for flash writes to improve robustness
- Infineon AURIX TC3xx: replaced IDE project with HAL module integration and UART/boot flag handling fixes
- New features and improvements
- Filesystem-backed partition state access with
library_fstarget and CLI tool for querying or managing boot partitions - libwolfboot: added MTD (Memory Technology Device) backed tracking of update status
- CMake: Added presets. Improve support for more reliable out-of-tree builds and list handling. Improve documentation.
- Key tools:
keygen --no-overwriteoption, stricter image header/sector size checks, and expanded ML-DSA test configurations - Added
WOLFBOOT_RESTORE_CLOCKconfiguration and additional logging/debugging for library filesystem status and keystore handling
- Filesystem-backed partition state access with
- Bug fixes
- Hardened encrypted and delta update flows (IV reuse prevention, fallback/regression fixes, improved unit coverage)
- Fixed SPI flash protocol errors and write verification issues
- Corrected STM32 internal flash page erase masks and multiple STM32H5 update path fixes (including dual-bank and TPM builds)
- Resolved P1021 stage1 and MMU build issues
- cleanup of compiler warnings across targets (STM32WB55 PKA, nRF5340 non-TZ, others)
- Updated modules
- wolfSSL v5.8.4-stable (59f4fa568)
- wolfTPM v2.4.0-594-g6d5df60
- wolfPKCS11 v2.0.0-stable-33-g81af264
- wolfHSM v1.3.0 (8ac56d7)
Assets 3
wolfBoot v2.6.0
@danielinux
danielinux
e07df6d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Changelog
- New hardware targets: PIC32CX and PIC32CZ
- New features:
- Added support for external flash in ELF scattering mode
- Added support for certificate chain verification (ECC/RSA) with wolfHSM client
- Added support for x509 auth with wolfHSM in server mode
- Added support for encrypted updates on Renesas RX (also via TSIP)
- Added support for assembly optimizations for PowerPC 32bit (SHA, AES)
- STM32F4: new clock configuration to support all models, added support for STM32F411
- Bugfixes:
- Fixed unaligned access in Cortex-A5
- Fixed compile flags to properly run code from RAM on ARM
- Use the correct
VTOR_NSregister when staging a non-secure image with TrustZone-M - Removed double-write-after-erase in
wolfBoot_update_trigger - Multiple fixes for STM32H5 running in TrustZone mode
- Updated modules
- wolfSSL v5.8.2+ (a06268f70)
- wolfTPM v3.9.1+ (6cfe800)
- wolfPKCS11: latest (ddeb887)
- wolfHSM: latest (e0b2019)
Assets 2
wolfBoot v2.5.0
@danielinux
danielinux
7c81d6a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
ChangeLog
- New hardware targets
- RP2350 (Raspberry Pi Pico 2, ARM Cortex-M33 with TrustZone)
- NXP MCXA153
- NXP MCXW716
- STM32F1 series (STM32F103 "Blue Pill" board)
- Improvements to supported targets
- Xilinx UltraScale+ (ZynqMP)
- Added hardware-accelerated SHA3 hashing via the CSU engine
- Added support for enabling JTAG at runtime when
CSU_DEBUGis set - Introduced support for the device’s PUF (Physically Unclonable Function) for unique key generation and secure key storage (requires eFuses)
- Renesas RX
- Added option for TSIP hardware crypto engine
- Infineon TriCore (AURIX TC3xx)
- Updated IDE project files for ARM Developer Studio 1.10.6, fixing build issues and ensuring support for latest toolchain
- Fix to support write operations spanning over multiple sectors
- Xilinx UltraScale+ (ZynqMP)
- New features and improvements
- Added support for non-contiguous elf sections, scattered elf firmware loading and verification.
- PQC: Simplified LMS/XMSS integration, deprecated support for third-party libraries
- Support to build wolfBoot as a static library (
libwolfboot.a) for easier integration and testing of the bootloader logic in custom workflows - Extended support for ARMORED glitch mitigations to the IAR toolchain
- CMake build refactoring, extended support to more targets
- Various documentation and configuration improvements
- Bug fixes
- Fix alignment enforcement on IAR compiler
- Fix build error on Windows in key generation tool (
_chsize_sdeclaration issue insign.c)
- Updated modules
- wolfSSL v5.8.0
- wolfTPM v3.9.0
- wolfPKCS11 latest
- wolfHSM latest
Assets 2
wolfBoot v2.4.0
@danielinux
danielinux
5fc2a50
This commit was created on GitHub.com and signed with GitHub’s verified signature.
ChangeLog
- New hardware targets
- Add support for NXP Layerscape LS1028A
- Improvements to supported targets
- ARMv7-M, ARMv8-M: Using Thumb2 version of ARMASM
- x86-FSP: improvements to stage1 code, added support for GDT tables
- Xilinx UltraScale+
- Support running from all Exception Levels
- Added QSPI DMA support and improved clock configuration
- Added FIT image support
- New features and improvements
- Added integration with wolfHSM
- Improve delta update detection of base image via SHA
- Remove compile-time dependencies for key tools
- Key tools: improve detection of delta base image version
- Bug fixes
- Fix potential failure in
NVM_FLASH_WRITEONCEmode
- Fix potential failure in
- Updated modules
- wolfSSL v5.7.6
- wolfTPM 3.8.0
- wolfPKCS11 latest
- wolfHSM latest
Assets 2
wolfBoot v2.3.0
@danielinux
danielinux
03aae5a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
ChangeLog
- New hardware targets
- New architecture: ARM Cortex-A 32 bit
- Add support for Microchip ATSAMA5D3
- Add support for Nordic nRF5340
- Add support for Infineon AURIX TriCore TCxxx
- Add support for 32-bit simulator target
- Improvements to supported targets
- Support for building HAB for i.MX-RT targets, fixed flash interaction, dcache invalidation
- Fixes for Renesas RX: full flash erase, IRQ on boot, flash write
- Raspberry Pi: add UART support
- STM32: refactoring of the PKCS11 storage driver
- Fixes for Xilinx Zynq+ build options
- New features
- Support for multiple key types in the same keystore
- New algorithm: ML-DSA
- Hybrid authentication (using one PQC in combination with ECC/RSA)
- Full assembly optimizations for ARM targets, including SHA, AES, Chacha (ARMASM)
- Benchmark scripts for performance testing
- Unit test coverage drastically increased
- Bug fixes
- Fix multiple type-punned pointer dereferences
- Fix for TPM to properly support more than one PCR
- Fixed order of digests in the header: public key digest is now signed
- Updated modules
- wolfSSL v5.7.4
- wolfTPM latest
- wolfPKCS11 latest
Assets 2
1 person reacted
wolfBoot v2.2.0
@danielinux
danielinux
8b1babb
This commit was created on GitHub.com and signed with GitHub’s verified signature.
ChangeLog
- New hardware targets
- Add STM32H5 port with support for Dual-bank, OTP, TrustZone-M
- Add native support for Renesas RX family, using gcc toolchain
- Improvements to supported targets
- NXP i.MX-RT:
- New flash geometry configurations
- Support for LPUART4
- Add port for RT1061
- Disable DCACHE upon flash access
- Support for building with HAB
- STM32:
- Refactoring of TrustZone-M support
- OTP driver for STM32H5/H7
- Full firmware update demo on STM32H5
- Add support for QSPI in STM32U5
- Renesas RZ:
- Add support for RSIP
- x86-64 (FSP):
- Improve x86-64 specific code, add features
- Clean-up and re-arrange scripts for qemu demo
- NXP i.MX-RT:
- Post-quantum crypto
- LMS and XMSS support now using native wolfCrypt implementation
- Tools improvements
- Keystore: now supports .der ECC key via
--der - Add
otp_primerfirmware, to provision keystores in OTP - Add
otp_gentool to provide a pre-assembled keystore to flash into OTP
- Keystore: now supports .der ECC key via
- Bug fixes
- Fix regression in x86-EFI builds
- Fix setting
VTOR_NSwhen staging a non-secure app/os from TrustZone - Fix delta updates: patches with invalid base versions were not discarded
- Fix potential array bound overflow in
NVM_FLASH_WRITEONCEmode - Fix dereferencing type-punned pointer in flash update
Assets 2
1 person reacted
wolfBoot v2.1.0
@danielinux
danielinux
a553dc9
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Changelog
- New features
- Custom TLVs in manifest header for custom authenticated options
- Bug fixes and improvements:
- DUALBANK: fork bootloader only once
- Improved
NO_BACKUPmode, DISABLE BACKUP mode is now powerfail-safe - Fault-injection mitigation: added clobbers to assembly code
- Post-quantum algorithms: fixed build issue with conflicting wolfCrypt version
- New signature verification algorithm:
- Added support for ECC521
- New hardware targets:
- Microchip ATSAM-E51, including DUALBANK support
- Renesas RZN2L
- NXP i.MX-RT1040
- NXP MCXA-153
- Improved support to existing targets:
- Build fixes for TI-Hercules
- Improved support for Integrity OS on NXP T1024
- wolfTPM integration
- Fixes in sealing/unsealing mechanism
- Updated modules
- wolfSSL v5.7.0
- wolfPKCS11 v1.3.0
- wolfTPM v3.2.0
Assets 2
wolfBoot v2.0.2
@danielinux
danielinux
a020852
This commit was created on GitHub.com and signed with GitHub’s verified signature.
The key has expired.
Changelog
- Fixed bug in sign tool when using ECC keys
- Improved documentation
- Added customizable DCD for NXP targets
Assets 2
wolfBoot v2.0.0
@danielinux
danielinux
ee4a70f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
The key has expired.
Release Notes
- New feature: post-quantum stateful hash-based signature schemes.
- Support for LMS/HSS
- Support for XMSS/XMSS^MT
- New feature: PKCS11 engine in TrustZone-M secure mode
- wolfBoot as secure-mode supervisor on ARMv8-M
- New TPM features
- TPM NV as root of trust
- Password-based access to NV slots
- Measured boot via PCR extensions
- Sealing/unsealing NV based on externally signed PCR policy and/or password
- New architecture: x86-64bit using FSP
- Intel FSP support
- Integration with TPM
- Two-stages model with support for PCI enumeration, AHCI drivers, SATA lock mechanism
- Multiboot2/ELF payload support
- New hardware targets
- Intel TigerLake in FSP mode
- STM32C0
- Bug fixing: core
- Fixed several bugs in
NVM_FLASH_WRITEONCEmode - Fixed bugs in delta updates
- Fixed several bugs in
- Improved support to existing targets
- Fixed issues in TSIP project
- Improved support for NXP QoriQ/p1021
- Improved support for NXP T1084
- Reworked SPI support for NXP RT1050
- STM32L4: Fixed clock speed
- ARMv7-m: improved assembly support for Cortex-M4
- ARMv8-m: enabled assembly optimizations by default
- Reworked keytools and build environment
- Improved build experience for MacOS users
- Fix for building in windows/minGW
- Deprecated python keytools
- Keytools: support multiple key formats, don't assume raw keys
- Fixed bug in delta image generation
- Keystore improvements: support multiple key format in the same keystore
- Testing
- Added new sets of power-failure automated tests on simulator target
- Simulator: tests can now run on MacOS
- Unit tests: improved coverage. Added gcov reports
- Static analysis: added cppcheck tests, fixed all relevant warnings