wolfSSL · jackctj117 · Nov 13, 2025 · Nov 13, 2025 · Nov 14, 2025 · Nov 14, 2025
diff --git a/.github/workflows/baremetal.yml b/.github/workflows/baremetal.yml
@@ -0,0 +1,65 @@
+name: Bare-Metal Configuration Tests
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  baremetal_autotools:
+    name: Bare-metal build (autotools)
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        config: [
+          '--enable-baremetal --enable-cryptonly',
+          '--enable-baremetal'
+        ]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y autoconf automake libtool
+
+      - name: autogen
+        run: ./autogen.sh
+
+      - name: configure
+        run: CPPFLAGS="-DWOLFSSL_USER_IO -DWOLFSSL_GENSEED_FORTEST -DWOLFSSL_IGNORE_TESTSEED_WARN" ./configure ${{ matrix.config }}
+
+      - name: build
+        run: make -j$(nproc)
+
+      - name: Run tests
+        run: ./wolfcrypt/test/testwolfcrypt
+
+  baremetal_cmake:
+    name: Bare-metal build (CMake)
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y cmake build-essential
+
+      - name: Configure CMake
+        run: |
+          mkdir build && cd build
+          cmake -DWOLFSSL_BAREMETAL=yes -DCMAKE_C_FLAGS="-DWOLFSSL_USER_IO -DWOLFSSL_GENSEED_FORTEST -DWOLFSSL_IGNORE_TESTSEED_WARN" ..
+
+      - name: Build
+        run: cd build && cmake --build . -j$(nproc)
+
+      - name: Run tests
+        run: cd build && ./wolfcrypt/test/testwolfcrypt
+
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
@@ -736,6 +736,7 @@ WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
 WOLFSSL_I2D_ECDSA_SIG_ALLOC
 WOLFSSL_IAR_ARM_TIME
 WOLFSSL_IGNORE_BAD_CERT_PATH
+WOLFSSL_IGNORE_TESTSEED_WARN
 WOLFSSL_IMX6
 WOLFSSL_IMX6_CAAM
 WOLFSSL_IMX6_CAAM_BLOB

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -328,6 +328,15 @@ else()
     list(APPEND WOLFSSL_DEFINITIONS "-DSINGLE_THREADED")
 endif()
 
+# Bare metal
+add_option("WOLFSSL_BAREMETAL"
+    "Enable wolfSSL bare metal build (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_BAREMETAL)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_BAREMETAL")
+endif()
+
 # DTLS-SRTP
 add_option("WOLFSSL_SRTP"
     "Enables wolfSSL DTLS-SRTP (default: disabled)"

diff --git a/INSTALL b/INSTALL
@@ -319,3 +319,46 @@ We also have vcpkg ports for wolftpm, wolfmqtt and curl.
 
     Deprecated. wolfSSL now has its own XMMS/XMSS^MT implementation in
     wolfCrypt.
+
+21. Building for Bare-Metal Embedded Systems
+
+    wolfSSL provides a simplified configuration for bare-metal embedded
+    systems through the --enable-baremetal option. This configuration
+    disables OS-dependent features and is suitable for microcontrollers
+    and RTOS environments without POSIX support.
+
+    $ ./autogen.sh
+    $ ./configure --enable-baremetal
+    $ make
+
+    The --enable-baremetal option defines the following macros:
+
+    - SINGLE_THREADED: Disables multi-threading support
+    - NO_DEV_RANDOM: Removes /dev/random dependency
+    - NO_FILESYSTEM: Disables file system operations
+    - NO_WRITEV: Disables writev() system call
+    - NO_STDIO_FILESYSTEM: Removes stdio-based file I/O
+    - WOLFSSL_NO_SOCK: Disables socket support
+    - WOLFSSL_NO_GETPID: Removes getpid() dependency
+    - NO_ASN_TIME: Conditionally defined when WOLFCRYPT_ONLY is also set
+      (for systems without RTC to bypass certificate date checking)
+
+    For crypto-only builds (no TLS/SSL protocol layer), combine with
+    --enable-cryptonly:
+
+    $ ./configure --enable-baremetal --enable-cryptonly
+
+    Important: Bare-metal systems must provide their own entropy source.
+    You will need to implement wc_GenerateSeed() with platform-specific
+    hardware RNG or define CUSTOM_RAND_GENERATE_BLOCK and implement
+    wc_GenerateRand().
+
+    For CMake builds:
+
+    $ mkdir build && cd build
+    $ cmake -DWOLFSSL_BAREMETAL=yes ..
+    $ cmake --build .
+
+    Or with crypto-only:
+
+    $ cmake -DWOLFSSL_BAREMETAL=yes -DWOLFSSL_CRYPTONLY=yes ..
diff --git a/README.md b/README.md
@@ -287,6 +287,27 @@ https://www.wolfssl.com/docs/security-vulnerabilities/
 See INSTALL file for build instructions.
 More info can be found on-line at: https://wolfssl.com/wolfSSL/Docs.html
 
+## Building
+
+### Bare-Metal Embedded Systems
+
+For bare-metal embedded systems (microcontrollers, RTOS without POSIX), use the `--enable-baremetal` configuration:
+
+```bash
+./configure --enable-baremetal
+make
+```
+
+This configuration disables OS-dependent features including file systems, sockets, threading, and process management. For crypto-only builds without the TLS protocol layer, add `--enable-cryptonly`:
+
+```bash
+./configure --enable-baremetal --enable-cryptonly
+```
+
+**Important:** You must provide a platform-specific entropy source by implementing `wc_GenerateSeed()` or defining `CUSTOM_RAND_GENERATE_BLOCK`.
+
+See the INSTALL file for complete details.
+
 # Resources
 
 [wolfSSL Website](https://www.wolfssl.com/)

diff --git a/SCRIPTS-LIST b/SCRIPTS-LIST
@@ -21,7 +21,7 @@ pull_to_vagrant.sh - synchronize to a vm without using git
 certs/
  renewcerts.sh - renews test certs and crls
  crl/
-  gencrls.sh   - generates crls, used by renewcerts.sh
+  gencrls.sh   - generates CRL's, used by renewcerts.sh
  ocsp/
   renewcerts.sh - renews ocsp certs
   ocspd0.sh - ocsp responder for root-ca-cert.pem
@@ -33,7 +33,7 @@ certs/
 scripts/
  external.test - example client test against our website, part of tests
  google.test   - example client test against google, part of tests
- resume.test   - example sessoin resume test, part of tests
+ resume.test   - example session resume test, part of tests
  ocsp-stapling.test - example client test against globalsign, part of tests
  ocsp-stapling1_tls13multi.text - example client test against example server, part of tests
  ocsp-stapling2.test - example client test against example server, part of tests

diff --git a/cmake/options.h.in b/cmake/options.h.in
@@ -276,6 +276,8 @@ extern "C" {
 #cmakedefine WOLFSSL_ASIO
 #undef WOLFSSL_BASE64_ENCODE
 #cmakedefine WOLFSSL_BASE64_ENCODE
+#undef WOLFSSL_BAREMETAL
+#cmakedefine WOLFSSL_BAREMETAL
 #undef WOLFSSL_CAAM
 #cmakedefine WOLFSSL_CAAM
 #undef WOLFSSL_CERT_EXT

diff --git a/configure.ac b/configure.ac
@@ -1990,6 +1990,17 @@ AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xno" ],[
 
 AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xyes" ],[ AM_CFLAGS="$AM_CFLAGS -DSINGLE_THREADED" ])
 
+# BARE METAL
+AC_ARG_ENABLE([baremetal],
+    [AS_HELP_STRING([--enable-baremetal],[Enable wolfSSL bare metal build (default: disabled)])],
+    [ ENABLED_BAREMETAL=$enableval ],
+    [ ENABLED_BAREMETAL=no ])
+
+if test "$ENABLED_BAREMETAL" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_BAREMETAL"
+fi
+
 # Enable rwlock
 AC_ARG_ENABLE([rwlock],
     [AS_HELP_STRING([--enable-rwlock],[Enable use of rwlock (default: disabled)])],
@@ -11082,6 +11093,8 @@ AM_CONDITIONAL([BUILD_MAXQ10XX],[test "x$ENABLED_MAXQ10XX" = "xyes"])
 AM_CONDITIONAL([BUILD_ARIA],[test "x$ENABLED_ARIA" = "xyes"])
 AM_CONDITIONAL([BUILD_XILINX],[test "x$ENABLED_XILINX" = "xyes"])
 AM_CONDITIONAL([BUILD_AUTOSAR],[test "x$ENABLED_AUTOSAR" = "xyes"])
+AM_CONDITIONAL([BUILD_BAREMETAL],[test "x$ENABLED_BAREMETAL" = "xyes"])
+
 
 if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" &&
    (test "$ax_enable_debug" = "yes" ||

diff --git a/examples/server/server.c b/examples/server/server.c
@@ -925,8 +925,10 @@ static const char* server_usage_msg[][66] = {
         "-c <file>   Certificate file,           default",               /* 5 */
         "-k <file>   Key file,                   default",               /* 6 */
         "-A <file>   Certificate Authority file, default",               /* 7 */
+#ifndef NO_FILESYSTEM
         "-R <file>   Create Ready file for external monitor"
                                                      " default none\n",  /* 8 */
+#endif
 #ifndef NO_DH
         "-D <file>   Diffie-Hellman Params file, default",               /* 9 */
         "-Z <num>    Minimum DH key bits,        default",              /* 10 */

diff --git a/scripts/resume.test b/scripts/resume.test
@@ -26,20 +26,35 @@ resume_port=0
 no_pid=-1
 server_pid=$no_pid
 counter=0
+has_readyfile=no
+
 # let's use absolute path to a local dir (make distcheck may be in sub dir)
 # also let's add some randomness by adding pid in case multiple 'make check's
 # per source tree
 ready_file=`pwd`/wolfssl_resume_ready$$
 
 echo "ready file $ready_file"
 
+
 remove_ready_file() {
     if test -e "$ready_file"; then
         echo -e "removing existing ready file"
     rm "$ready_file"
     fi
 }
 
+check_ready_file_support() {
+    ./examples/server/server -? 2>&1 | grep -- 'Ready file '
+    if [ $? -eq 0 ]; then
+        has_readyfile=yes
+    fi
+
+    if [ $has_readyfile != "yes" ]; then
+        echo -e "\nReady file not supported with build"
+        exit 77
+    fi
+}
+
 
 do_cleanup() {
     echo "in cleanup"
@@ -73,6 +88,8 @@ do_test() {
         return;;
     esac
 
+    check_ready_file_support
+
     remove_ready_file
     echo "./examples/server/server -r -R \"$ready_file\" -p $resume_port"
     ./examples/server/server -r -R "$ready_file" -p $resume_port &

diff --git a/tests/api/test_tls.c b/tests/api/test_tls.c
@@ -346,7 +346,7 @@ int test_tls_certreq_order(void)
 }
 
 #if !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA) && defined(HAVE_ECC) && \
-    !defined(NO_WOLFSSL_SERVER)
+    !defined(NO_WOLFSSL_SERVER) && !defined(NO_FILESYSTEM)
 /* Called when writing. */
 static int CsSend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 {
@@ -382,7 +382,7 @@ int test_tls12_bad_cv_sig_alg(void)
 {
     EXPECT_DECLS;
 #if !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA) && defined(HAVE_ECC) && \
-    !defined(NO_WOLFSSL_SERVER)
+    !defined(NO_WOLFSSL_SERVER) && !defined(NO_FILESYSTEM)
     byte clientMsgs[] = {
         /* Client Hello */
         0x16, 0x03, 0x03, 0x00, 0xe7,

diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
@@ -4267,11 +4267,13 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 #endif
 
 #ifdef USE_TEST_GENSEED
+    #ifndef WOLFSSL_IGNORE_TESTSEED_WARN
     #ifndef _MSC_VER
         #warning "write a real random seed!!!!, just for testing now"
     #else
         #pragma message("Warning: write a real random seed!!!!, just for testing now")
     #endif
+    #endif
     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
     {
         word32 i;

diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
@@ -342,6 +342,26 @@
     #endif
 #endif
 
+/* Bare metal configuration */
+#ifdef WOLFSSL_BAREMETAL
+    #define SINGLE_THREADED
+    #define NO_DEV_RANDOM
+    #define NO_FILESYSTEM
+    #define NO_WRITEV
+    #define NO_STDIO_FILESYSTEM
+    #define WOLFSSL_NO_GETPID
+    #ifndef HAVE_SYS_SOCKET_H
+        #define WOLFSSL_NO_SOCK
+    #endif
+
+    #ifdef WOLFCRYPT_ONLY
+        /* Only disable ASN time checking (by default) if building crypto-only.
+         * For systems without RTC this can be used to bypass certificate date
+         * checking. */
+        #define NO_ASN_TIME
+    #endif
+#endif
+
 #if !defined(WOLFSSL_CUSTOM_CONFIG) && \
     ((defined(BUILDING_WOLFSSL) && defined(WOLFSSL_USE_OPTIONS_H)) || \
      (defined(BUILDING_WOLFSSL) && defined(WOLFSSL_OPTIONS_H) &&      \