Draft:wolfBoot
| wolfBoot | |
|---|---|
| Developer | Daniele Lacamera |
| Initial release | December 4, 2015[1] |
| Stable release | v2.6.0[2] / 02 August, 2025 |
| Written in | C language |
| Operating system | Multi-platform |
| Type | Security library |
| License | GPL-3.0-or-later or proprietary license |
| Website | www |
wolfBoot is an open-source, portable, operating system (OS)-agnostic secure bootloader for embedded systems. It is designed to authenticate firmware images and support secure firmware updates on resource-constrained devices, regardless of the underlying operating system or bare-metal platform. wolfBoot uses the wolfCrypt cryptographic engine for image signature verification and offers a minimal hardware abstraction layer (HAL) API that enables integration into a wide range of microcontrollers and architectures.[3]
The bootloader has been described as a security-focused solution for embedded systems.[4]
Platforms
wolfBoot is OS-agnostic, allowing it to run on bare-metal systems or within real-time operating systems (RTOS). Its minimal HAL enables adaptation across architectures and development environments. The bootloader supports deployment on Cortex-M microcontrollers, where it can be integrated by partitioning on-board flash memory.[5]
The bootloader has been ported and tested on a wide range of processor families used in embedded and safety-critical applications, including Arm, RISC-V, PowerPC, and x86. Verified targets include Infineon Aurix TriCore, Renesas RA6M4, RH850, and RZ/N2L microcontrollers; STMicroelectronics STM32 families (F1, F4, F7, H7, L0, L5, U5, WB55); NXP i.MX RT and Layerscape platforms; TI TMS570 and DRA/TDA4 devices; and Intel 11th Gen Core i7 (Tiger Lake) processors. wolfBoot also supports ARMv8-M (TrustZone-M) and Cortex-R, Xilinx Zynq UltraScale+ (AArch64), and SiFive HiFive1 RISC-V boards.
wolfBoot has been adapted to Raspberry Pi platforms, including the Raspberry Pi 3, where the bootloader was demonstrated to authenticate and launch the Linux kernel after implementing hardware-specific modifications.[6] Implementations on Raspberry Pi Pico 2 (RP2350) further illustrate its portability across microcontrollers and 64-bit SoCs.
Design and Implementation
wolfBoot is structured into components for cryptographic verification, hardware abstraction, and firmware lifecycle management.
It implements a software-based secure boot model in which firmware images are authenticated during the boot process. This software-based approach can introduce additional boot-time overhead on platforms lacking hardware cryptographic acceleration, as reported in independent evaluations.[7]
It executes before any operating system or user application, verifying firmware integrity and authenticity prior to startup. Firmware authentication uses the wolfCrypt engine with asymmetric signature and hash algorithms, including RSA, ECC, Ed25519, and SHA-2. Firmware images are signed externally using host-side tools that generate metadata headers with version information and integrity checks.
The update process generally employs a dual-partition or multi-slot configuration, allowing new firmware to be written to inactive memory while retaining the previous version. On reboot, wolfBoot validates the new image and, if verification succeeds, activates it. This approach supports rollback protection and recovery from incomplete or failed updates.
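A simplified model of the dual-slot boot decision described above, added here as an illustration and not taken from wolfBoot's source. The header layout, the function names, and the FNV-1a digest standing in for wolfCrypt hash and signature verification are all assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical header for this model; wolfBoot's real image header differs. */
struct image { uint32_t version, digest; const uint8_t *payload; size_t len; };
enum slot { SLOT_NONE, SLOT_BOOT, SLOT_UPDATE };

/* FNV-1a over version + payload: a toy stand-in for the SHA-2 hash and
 * signature check. The version is covered, so editing it breaks the digest. */
static uint32_t toy_digest(uint32_t version, const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < 4; i++) { h ^= (version >> (8 * i)) & 0xffu; h *= 16777619u; }
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Stand-in for the host-side signing tool that builds the metadata header. */
static struct image host_seal(uint32_t version, const uint8_t *p, size_t n) {
    return (struct image){ version, toy_digest(version, p, n), p, n };
}

static int image_valid(const struct image *img) {
    return img->payload && toy_digest(img->version, img->payload, img->len) == img->digest;
}

/* Boot-time decision between the active (boot) and staged (update) slots. */
enum slot select_slot(const struct image *boot, const struct image *update) {
    int boot_ok = image_valid(boot);
    /* Activate the staged image only if it verifies and is strictly newer. If
     * the active image is invalid its version is untrusted (model's choice). */
    if (image_valid(update) && (!boot_ok || update->version > boot->version))
        return SLOT_UPDATE;
    return boot_ok ? SLOT_BOOT : SLOT_NONE; /* keep current, or refuse to boot */
}

/* Constructed scenarios; a flipped digest bit mimics an interrupted write. */
enum slot scenario(uint32_t v_boot, uint32_t v_upd, int bad_boot, int bad_upd) {
    static const uint8_t fw[] = "constructed firmware payload";
    struct image boot = host_seal(v_boot, fw, sizeof fw);
    struct image upd = host_seal(v_upd, fw, sizeof fw);
    if (bad_boot) boot.digest ^= 1u;
    if (bad_upd) upd.digest ^= 1u;
    return select_slot(&boot, &upd);
}

int main(void) { return scenario(1, 2, 0, 0) == SLOT_UPDATE ? 0 : 1; }
```

The four arguments of `scenario` cover the cases the paragraph names: a valid newer update, a downgrade attempt, an incomplete update, and a damaged active image.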
The bootloader occupies approximately 32 kB of flash memory, reflecting its broader feature set compared to minimal bootloaders.[4]
wolfBoot supports post-quantum cryptography (PQC) authentication algorithms through the wolfCrypt engine, including LMS/HSS, XMSS/XMSS^MT, ML-DSA (up to Level 5), and hybrid authentication (PQC + classic), aligning with emerging CNSA 2.0 requirements.
wolfBoot is actively developed as an open-source project, with external contributors submitting upstream fixes and enhancements.[6]
Security
wolfBoot integrates with hardware security elements such as TPM 2.0 to provide measured boot capabilities, including PCR extensions and authenticated state reporting.[6]
It also supports integration with hardware security modules (HSMs), and when used as a TEE-secure hypervisor, exposes a PKCS#11 interface for secure key storage and cryptographic operations after the operating system or application is staged.
wolfBoot includes software-based countermeasures designed to mitigate fault-injection attacks during signature verification. Academic evaluations have noted that these protections apply at the bootloader level, while the underlying cryptographic library remains outside the scope of such countermeasures. wolfBoot has additionally been included in comparative analyses of secure boot implementations assessing robustness against fault-injection techniques.[8]
Certification and Compliance
wolfBoot can be built with the wolfCrypt cryptographic library when FIPS 140-3 validation is required, enabling use in systems that mandate certified cryptographic modules.
The development process follows the principles of DO-178C, and has been integrated into environments targeting up to Design Assurance Level A (DAL A) certification for avionics applications.
Licensing
wolfBoot is open source and dual licensed under both the GNU GPL-3.0-or-later and commercial licensing.[9]
References
- [1] "wolfBoot ChangeLog". GitHub.
- [2] "wolfBoot release note". GitHub.
- [3] "wolfBoot". wolfSSL Inc.
- [4] Alexandre Abadie, Said Alvarado-Marin, Filip Maksimovic, Mališa Vučinić and Thomas Watteyne (2024-05-21). RobOTAP: Over-the-Air Programming of Robotic Swarms (PDF). HAL open science.
- [5] Alexios Papaioannou, Asimina Dimara, Charalampos S. Kouzinopoulos, Stelios Krinidis, Christos-Nikolaos Anagnostopoulos, Dimosthenis Ioannidis, and Dimitrios Tzovaras (2024). "LP-OPTIMA: A Framework for Prescriptive Maintenance and Optimization of IoT Resources for Low-Power Embedded Systems". Sensors. 24 (7): 2125.
- [6] Kasper Kyllönen (2024). Implementing Secure Boot for Raspberry Pi (PDF) (Thesis). University of Oulu.
- [7] Akihiro Saiki, Yu Omori, and Keiji Kimura (2023). Parallel Verification in RISC-V Secure Boot (PDF). IEEE.
- [8] Kevin Schneider, Lukas Auer, and Alexander Wagner (2025-11-04). "Fault Attacks on ECC Signature Verification". IACR Transactions on Cryptographic Hardware and Embedded Systems.
- [9] "Product Licensing".
