wolfSSL · jackctj117 · Nov 13, 2025 · Nov 13, 2025 · Nov 14, 2025 · Nov 14, 2025
diff --git a/.github/workflows/baremetal.yml b/.github/workflows/baremetal.yml
@@ -0,0 +1,151 @@
+name: Bare-Metal Configuration Tests
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  baremetal_autotools:
+    name: Bare-metal build (autotools)
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        config: [
+          '--enable-baremetal',
+          '--enable-baremetal --enable-cryptonly'
+        ]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y autoconf automake libtool
+
+      - name: autogen
+        run: ./autogen.sh
+
+      - name: configure
+        run: CPPFLAGS="-DWOLFSSL_USER_IO" ./configure ${{ matrix.config }} --disable-examples --enable-cryptocb
+
+      - name: build
+        run: make -j$(nproc)
+
+      - name: Verify macro definitions
+        run: |
+          cat > test_baremetal_defines.c <<'EOF'
+          #include <wolfssl/options.h>
+          #include <wolfssl/wolfcrypt/settings.h>
+          #include <stdio.h>
+
+          int main() {
+              int errors = 0;
+
+              #ifdef WOLFSSL_BAREMETAL
+                  printf("✓ WOLFSSL_BAREMETAL is defined\n");
+              #else
+                  printf("✗ ERROR: WOLFSSL_BAREMETAL should be defined\n");
+                  errors++;
+              #endif
+
+              #ifdef WOLFCRYPT_ONLY
+                  printf("✓ WOLFCRYPT_ONLY is defined\n");
+                  #ifdef NO_ASN_TIME
+                      printf("✓ NO_ASN_TIME is defined (expected with WOLFCRYPT_ONLY)\n");
+                  #else
+                      printf("✗ ERROR: NO_ASN_TIME should be defined when WOLFCRYPT_ONLY is set\n");
+                      errors++;
+                  #endif
+              #else
+                  printf("✓ WOLFCRYPT_ONLY is NOT defined\n");
+                  #ifdef NO_ASN_TIME
+                      printf("✗ ERROR: NO_ASN_TIME should NOT be defined without WOLFCRYPT_ONLY\n");
+                      errors++;
+                  #else
+                      printf("✓ NO_ASN_TIME is NOT defined (expected without WOLFCRYPT_ONLY)\n");
+                  #endif
+              #endif
+
+              return errors;
+          }
+          EOF
+          gcc -I. test_baremetal_defines.c -o test_baremetal_defines
+          ./test_baremetal_defines
+
+  baremetal_cmake:
+    name: Bare-metal build (CMake)
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        cryptonly: [false, true]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y cmake build-essential
+
+      - name: Configure CMake
+        run: |
+          mkdir build && cd build
+          if [ "${{ matrix.cryptonly }}" = "true" ]; then
+            cmake -DWOLFSSL_BAREMETAL=yes -DWOLFSSL_CRYPTONLY=yes -DWOLFSSL_EXAMPLES=no -DWOLFSSL_CRYPTOCB=yes -DCMAKE_C_FLAGS="-DWOLFSSL_USER_IO -DWOLFCRYPT_ONLY" ..
+          else
+            cmake -DWOLFSSL_BAREMETAL=yes -DWOLFSSL_EXAMPLES=no -DWOLFSSL_CRYPTOCB=yes -DCMAKE_C_FLAGS="-DWOLFSSL_USER_IO" ..
+          fi
+
+      - name: Build
+        run: cd build && cmake --build . -j$(nproc)
+
+      - name: Verify macro definitions
+        run: |
+          cd build
+          cat > test_baremetal_defines.c <<'EOF'
+          #include <wolfssl/options.h>
+          #include <wolfssl/wolfcrypt/settings.h>
+          #include <stdio.h>
+
+          int main() {
+              int errors = 0;
+
+              #ifdef WOLFSSL_BAREMETAL
+                  printf("✓ WOLFSSL_BAREMETAL is defined\n");
+              #else
+                  printf("✗ ERROR: WOLFSSL_BAREMETAL should be defined\n");
+                  errors++;
+              #endif
+
+              #ifdef WOLFCRYPT_ONLY
+                  printf("✓ WOLFCRYPT_ONLY is defined\n");
+                  #ifdef NO_ASN_TIME
+                      printf("✓ NO_ASN_TIME is defined (expected with WOLFCRYPT_ONLY)\n");
+                  #else
+                      printf("✗ ERROR: NO_ASN_TIME should be defined when WOLFCRYPT_ONLY is set\n");
+                      errors++;
+                  #endif
+              #else
+                  printf("✓ WOLFCRYPT_ONLY is NOT defined\n");
+                  #ifdef NO_ASN_TIME
+                      printf("✗ ERROR: NO_ASN_TIME should NOT be defined without WOLFCRYPT_ONLY\n");
+                      errors++;
+                  #else
+                      printf("✓ NO_ASN_TIME is NOT defined (expected without WOLFCRYPT_ONLY)\n");
+                  #endif
+              #endif
+
+              return errors;
+          }
+          EOF
+          # Key: -I. comes BEFORE -I.. so build/wolfssl/options.h is found first
+          gcc -I. -I.. test_baremetal_defines.c -o test_baremetal_defines
+          ./test_baremetal_defines
+
diff --git a/INSTALL b/INSTALL
@@ -319,3 +319,46 @@ We also have vcpkg ports for wolftpm, wolfmqtt and curl.
 
     Deprecated. wolfSSL now has its own XMMS/XMSS^MT implementation in
     wolfCrypt.
+
+21. Building for Bare-Metal Embedded Systems
+
+    wolfSSL provides a simplified configuration for bare-metal embedded
+    systems through the --enable-baremetal option. This configuration
+    disables OS-dependent features and is suitable for microcontrollers
+    and RTOS environments without POSIX support.
+
+    $ ./autogen.sh
+    $ ./configure --enable-baremetal
+    $ make
+
+    The --enable-baremetal option defines the following macros:
+
+    - SINGLE_THREADED: Disables multi-threading support
+    - NO_DEV_RANDOM: Removes /dev/random dependency
+    - NO_FILESYSTEM: Disables file system operations
+    - NO_WRITEV: Disables writev() system call
+    - NO_STDIO_FILESYSTEM: Removes stdio-based file I/O
+    - WOLFSSL_NO_SOCK: Disables socket support
+    - WOLFSSL_NO_GETPID: Removes getpid() dependency
+    - NO_ASN_TIME: Conditionally defined when WOLFCRYPT_ONLY is also set
+      (for systems without RTC to bypass certificate date checking)
+
+    For crypto-only builds (no TLS/SSL protocol layer), combine with
+    --enable-cryptonly:
+
+    $ ./configure --enable-baremetal --enable-cryptonly
+
+    Important: Bare-metal systems must provide their own entropy source.
+    You will need to implement wc_GenerateSeed() with platform-specific
+    hardware RNG or define CUSTOM_RAND_GENERATE_BLOCK and implement
+    wc_GenerateRand().
+
+    For CMake builds:
+
+    $ mkdir build && cd build
+    $ cmake -DWOLFSSL_BAREMETAL=yes ..
+    $ cmake --build .
+
+    Or with crypto-only:
+
+    $ cmake -DWOLFSSL_BAREMETAL=yes -DWOLFSSL_CRYPTONLY=yes ..
diff --git a/README.md b/README.md
@@ -287,6 +287,27 @@ https://www.wolfssl.com/docs/security-vulnerabilities/
 See INSTALL file for build instructions.
 More info can be found on-line at: https://wolfssl.com/wolfSSL/Docs.html
 
+## Building
+
+### Bare-Metal Embedded Systems
+
+For bare-metal embedded systems (microcontrollers, RTOS without POSIX), use the `--enable-baremetal` configuration:
+
+```bash
+./configure --enable-baremetal
+make
+```
+
+This configuration disables OS-dependent features including file systems, sockets, threading, and process management. For crypto-only builds without the TLS protocol layer, add `--enable-cryptonly`:
+
+```bash
+./configure --enable-baremetal --enable-cryptonly
+```
+
+**Important:** You must provide a platform-specific entropy source by implementing `wc_GenerateSeed()` or defining `CUSTOM_RAND_GENERATE_BLOCK`.
+
+See the INSTALL file for complete details.
+
 # Resources
 
 [wolfSSL Website](https://www.wolfssl.com/)

diff --git a/cmake/options.h.in b/cmake/options.h.in
@@ -276,6 +276,8 @@ extern "C" {
 #cmakedefine WOLFSSL_ASIO
 #undef WOLFSSL_BASE64_ENCODE
 #cmakedefine WOLFSSL_BASE64_ENCODE
+#undef WOLFSSL_BAREMETAL
+#cmakedefine WOLFSSL_BAREMETAL
 #undef WOLFSSL_CAAM
 #cmakedefine WOLFSSL_CAAM
 #undef WOLFSSL_CERT_EXT