Skip to content

Added TCG TPM to the SWTPM documentation #424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
embhorn merged 3 commits into from
Jul 2, 2025
Merged

Added TCG TPM to the SWTPM documentation #424

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d729de9
Added TCG TPM to the SWTPM documentation. Various document cleanups.
dgarske Jul 2, 2025
c1a5945
Further cleanups
dgarske Jul 2, 2025
c09418d
Peer review cleanups.
dgarske Jul 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
109 changes: 59 additions & 50 deletions docs/SWTPM.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,56 +1,64 @@
# wolfTPM with Software Simulator (SWTPM) support

wolfTPM is to be able to interface with software TPM (SW TPM) interfaces defined by section D.3 of [TPM-Rev-2.0-Part-4-Supporting-Routines-01.38-code](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-4-Supporting-Routines-01.38-code.pdf)

The SWTPM interface is not compatible with TIS or devtpm (/dev/tpm0). Transport is a socket connection by default, but can also be a UART.

This implementation only uses the TPM command interface typically on port 2321. It does not support the Platform interface typically on port 2322.
wolfTPM is to be able to use Software TPM (SW TPM) defined by section D.3 of [TPM-Rev-2.0-Part-4-Supporting-Routines-01.38-code](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-4-Supporting-Routines-01.38-code.pdf)

Software TPM implementations tested:
* https://github.com/kgoldman/ibmswtpm2 or https://sourceforge.net/projects/ibmswtpm2/files/
* https://github.com/microsoft/ms-tpm-20-ref
* https://github.com/stefanberger/swtpm
* [Official TCG Reference](https://github.com/TrustedComputingGroup/TPM): Reference code from the specification maintained by TCG [build steps](#tcg-tpm)
* [IBM / Ken Goldman](https://github.com/kgoldman/ibmswtpm2): Fork of reference code maintained by IBM [build steps](#ibmswtpm2)
* [Microsoft](https://github.com/microsoft/ms-tpm-20-ref): Fork of reference code maintained by Microsoft (93% identical to official TCG) [build steps](#ms-tpm-20-ref)
* [Stefan Berger](https://github.com/stefanberger/swtpm): Uses libtpms front end interfaces. [build steps](#swtpm)

## Building SW TPM support
The software TPM transport is a socket connection by default, but we also support a UART.

By default a socket transport will be used.
This implementation only uses the TPM command interface typically on port 2321. It does not support the Platform interface typically on port 2322.

Some software TPM implementations require sending power up and startup commands on the platform interface before the command interface is enabled. You can use these commands to issue the required power up and startup:

```sh
./configure --enable-swtpm
make
echo -ne "\x00\x00\x00\x01" | nc 127.0.0.1 2322
echo -ne "\x00\x00\x00\x0B" | nc 127.0.0.1 2322
```

### Build SW TPM with UART transport
## wolfTPM SWTPM support

To enable the socket transport for SWTPM use `--enable-swtpm`. By default all software TPM simulators use TCP port 2321.

```sh
./configure --enable-swtpm=uart
./configure --enable-swtpm
make
```

## Build Options
Note: It is not possible to enable more than one transport interface at a time. If building with SWTPM socket interface the built-in TIS and devtpm (/dev/tpm0) interfaces are not available.

Build Options:

* `WOLFTPM_SWTPM`: Use socket transport (no TIS layer)
* `TPM2_SWTPM_HOST`: The serial device to use (default=/dev/ttyS0)
* `TPM2_SWTPM_PORT`: The baud rate (default=115200)
* `WOLFTPM_SWTPM_UART`: Use UART transport (no TIS layer)
* `TPM2_SWTPM_HOST`: The socket host (default is localhost)
* `TPM2_SWTPM_PORT`: The socket port (default is 2321)

## SWTPM simulator setup

### Xilinx UART
## Using a SWTPM

Alternatively for raw API calls with Xilinx
### TCG TPM

```sh
./cofnigure --enable-swtpm=uartns550
clone [email protected]:TrustedComputingGroup/TPM.git
cd TPM
cd TPMCmd
./bootstrap
./configure
make
```

## Build Options
Run with: `./Simulator/src/tpm2-simulator`

To use the TPM on port 2321 you must first connect to the platform server on port 2322 and send the power on and startup commands. An easy way to do this is using:

```sh
echo -ne "\x00\x00\x00\x01" | nc 127.0.0.1 2322
echo -ne "\x00\x00\x00\x0B" | nc 127.0.0.1 2322
```

* `WOLFTPM_SWTPM`: Use socket transport (no TIS layer)
* `TPM2_SWTPM_PORT`: Used as the default baud rate (default=115200)
* `TPM2_SWTPM_HOST`: The device to connect with (default=XPAR_MB0_AXI_UART16550_2_DEVICE_ID)
* `WOLFTPM_SWTPM_UARTNS550`: Use Xilinx UART transport (no TIS layer)

### ibmswtpm2

Expand All @@ -61,12 +69,10 @@ cd ibmswtpm2/src/
make
```

Running:
```sh
./tpm_server -rm
```
Run with: `./tpm_server`

Note: You can use the `-rm` switch to remove the cache file NVChip. Alternately you can delete the NVChip file (`rm NVChip`)

The rm switch is optional and remove the cache file NVChip. Alternately you can `rm NVChip`

### ms-tpm-20-ref

Expand All @@ -76,16 +82,18 @@ cd ms-tpm-20-ref/TPMCmd
./bootstrap
./configure
make
./Simulator/src/tpm2-simulator
```

In another terminal power on ms-tpm-20-ref and start NV
Run with: `./Simulator/src/tpm2-simulator`

To use the TPM on port 2321 you must first connect to the platform server on port 2322 and send the power on and startup commands. An easy way to do this is using:

```sh
echo -ne "\x00\x00\x00\x01" | nc 127.0.0.1 2322 | exit
echo -ne "\x00\x00\x00\x0B" | nc 127.0.0.1 2322 | exit
echo -ne "\x00\x00\x00\x01" | nc 127.0.0.1 2322
echo -ne "\x00\x00\x00\x0B" | nc 127.0.0.1 2322
```


### swtpm

Build libtpms
Expand Down Expand Up @@ -125,16 +133,6 @@ mkdir -p /tmp/myvtpm
swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init
```

## Running examples

```sh
./examples/pcr/extend
./examples/wrap/wrap_test
```

See `README.md` for more examples


### swtpm with QEMU

This demonstrates using wolfTPM in QEMU to communicate using the linux
Expand All @@ -145,7 +143,7 @@ method to build. You may need to consult the instructions for
and
[swtpm](https://github.com/stefanberger/swtpm/wiki#compile-and-install-on-linux)

```
```sh
PREFIX=$PWD/inst
git clone [email protected]:stefanberger/libtpms.git
cd libtpms/
Expand All @@ -163,7 +161,7 @@ You can setup a basic linux installation. Other installation bases can
be used. This step will take some time to install the base linux
system.

```
```sh
# download mini install image
curl -O http://archive.ubuntu.com/ubuntu/dists/bionic-updates/main/installer-amd64/current/images/netboot/mini.iso
# create qemu image file
Expand All @@ -183,7 +181,7 @@ qemu-system-x86_64 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
Once a base system is installed it's ready to start the qemu and build
wolfSSL and wolfTPM in the qemu instance.

```
```sh
# start swtpm again
$PREFIX/bin/swtpm socket --tpm2 --tpmstate dir=$PREFIX/mytpm \
--ctrl type=unixio,path=$PREFIX/mytpm/swtpm-sock --log level=20 &
Expand All @@ -196,7 +194,7 @@ qemu-system-x86_64 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \

To build checkout and build wolfTPM, in the QEMU terminal

```
```sh
sudo apt install automake libtool gcc git make

# get and build wolfSSL
Expand All @@ -219,3 +217,14 @@ popd

You can now run the examples such as `sudo ./examples/wrap/wrap`
within QEMU. Using `sudo` maybe required for access to `/dev/tpm0`.


## Running examples

```sh
./examples/wrap/caps
./examples/pcr/extend
./examples/wrap/wrap_test
```

See [examples/README.md](/examples/README.md) for additional example usage.