From 266d86c5d2a2c123b85ef7ed131299cfbab2ba74 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 20 Nov 2025 19:22:07 +0000 Subject: [PATCH 01/12] Add CMake support for choosing a TPM module --- CMakeLists.txt | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 0eb658af..91644293 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -183,6 +183,38 @@ else() " ${INTERFACE_OPTS}") endif("${WOLFTPM_INTERFACE}" STREQUAL "SWTPM") +# TPM Module Selection +set(WOLFTPM_MODULE "auto" CACHE STRING + "Select TPM hardware module (default: auto)") +set_property(CACHE WOLFTPM_MODULE + PROPERTY STRINGS "auto;microchip;attpm20;mchp;st33;nuvoton;npct75x;slb9670;slb9672;slb9673") + +message("TPM MODULE ${WOLFTPM_MODULE}") + +if("${WOLFTPM_MODULE}" STREQUAL "auto") + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_AUTODETECT") +elseif("${WOLFTPM_MODULE}" STREQUAL "microchip" OR + "${WOLFTPM_MODULE}" STREQUAL "attpm20" OR + "${WOLFTPM_MODULE}" STREQUAL "mchp") + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_MICROCHIP") +elseif("${WOLFTPM_MODULE}" STREQUAL "st33") + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_ST33") +elseif("${WOLFTPM_MODULE}" STREQUAL "nuvoton" OR + "${WOLFTPM_MODULE}" STREQUAL "npct75x") + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_NUVOTON") +elseif("${WOLFTPM_MODULE}" STREQUAL "slb9670") + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_SLB9670") +elseif("${WOLFTPM_MODULE}" STREQUAL "slb9672") + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_SLB9672") +elseif("${WOLFTPM_MODULE}" STREQUAL "slb9673") + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_SLB9673") +else() + get_property(MODULE_OPTS CACHE WOLFTPM_MODULE + PROPERTY STRINGS) + message(FATAL_ERROR "\"${WOLFTPM_MODULE}\" is not a known WOLFTPM_MODULE:" + " ${MODULE_OPTS}") +endif() + # Examples set(WOLFTPM_EXAMPLES "yes" CACHE BOOL "Build examples") From 5217ca54ff3b3c99236dd4618e743b1bea2b30ec Mon Sep 17 00:00:00 2001 
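Review bot: `message("TPM MODULE ${WOLFTPM_MODULE}")` has no mode argument, so CMake treats it as an important notice and writes it to stderr rather than as ordinary status output; the earlier `message("INTERFACE ...")` in this file uses the same form, but new lines should be `message(STATUS "TPM MODULE ${WOLFTPM_MODULE}")`. The eight-branch `elseif` chain repeats the value list declared in `set_property(... PROPERTY STRINGS ...)` a few lines above, and nothing ties the two together; a `# Keep this chain in sync with the STRINGS list above` comment before the first `if` is cheap insurance, since a value added to one and not the other is only caught by the `FATAL_ERROR` branch at configure time. Aliases such as `microchip`/`attpm20`/`mchp` and `nuvoton`/`npct75x` are undocumented in the cache help string; `"Select TPM hardware module: auto|microchip(attpm20,mchp)|st33|nuvoton(npct75x)|slb9670|slb9672|slb9673 (default: auto)"` would show them in `cmake -LH`.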
From: David Garske Date: Thu, 20 Nov 2025 19:44:18 +0000 Subject: [PATCH 02/12] Finishing up the CMake options to sync with configure --- .github/workflows/cmake-build.yml | 66 +++++++++++++++- CMakeLists.txt | 123 +++++++++++++++++++++++++++--- examples/firmware/ifx_fw_update.c | 13 ++-- 3 files changed, 184 insertions(+), 18 deletions(-) diff --git a/.github/workflows/cmake-build.yml b/.github/workflows/cmake-build.yml index 0601e6f3..e21526db 100644 --- a/.github/workflows/cmake-build.yml +++ b/.github/workflows/cmake-build.yml 
@@ -10,6 +10,68 @@ jobs: build: runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + config: + # Default configuration + - name: "Default" + options: "-DWOLFTPM_INTERFACE=SWTPM" + # Test different TPM modules + - name: "Module Auto" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=auto" + - name: "Module ST33" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=st33" + - name: "Module Microchip" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=microchip" + - name: "Module Nuvoton" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=nuvoton" + - name: "Module SLB9670" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=slb9670" + - name: "Module SLB9672" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=slb9672" + - name: "Module SLB9673" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=slb9673" + # Test wrapper disabled + - name: "No Wrapper" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_WRAPPER=no" + # Test I2C support (enables ADV_IO automatically) + - name: "I2C Enabled" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_I2C=yes" + # Test Advanced IO + - name: "Advanced IO" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_ADVIO=yes" + # Test MMIO (enables ADV_IO automatically) + - name: "MMIO Enabled" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MMIO=yes" + # Test Check Wait State + - name: "Check Wait State Enabled" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_CHECK_WAIT_STATE=yes" + - name: "Check Wait State Disabled" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_CHECK_WAIT_STATE=no" + # Test TIS Lock + - name: "TIS Lock Enabled" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_TIS_LOCK=yes" + # Test Small Stack + - name: "Small Stack" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_SMALL_STACK=yes" + # Test HAL disabled + - name: "No HAL" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_HAL=no" + # Test Firmware disabled + - name: "No Firmware" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_FIRMWARE=no" + # 
Test Debug modes + - name: "Debug Verbose" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_DEBUG=verbose" + - name: "Debug IO" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_DEBUG=io" + # Test Examples disabled + - name: "No Examples" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_EXAMPLES=no" + # Test combination of options + - name: "Combined Options" + options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=st33 -DWOLFTPM_I2C=yes -DWOLFTPM_ADVIO=yes -DWOLFTPM_CHECK_WAIT_STATE=yes" steps: #pull wolfTPM @@ -38,10 +100,10 @@ jobs: cmake --install . #build wolftpm - - name: Build wolfTPM + - name: Build wolfTPM (${{ matrix.config.name }}) run: | mkdir build cd build - cmake -DWOLFTPM_INTERFACE=SWTPM -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DWITH_WOLFSSL="$GITHUB_WORKSPACE/install" .. + cmake ${{ matrix.config.options }} -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DWITH_WOLFSSL="$GITHUB_WORKSPACE/install" .. cmake --build . cmake --install . diff --git a/CMakeLists.txt b/CMakeLists.txt index 91644293..50e0c489 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -72,13 +72,7 @@ check_function_exists("getpid" HAVE_GETPID) # TODO -# * wrapper -# * wolfcrypt -# * I2C -# * Advanced IO -# * Device specific (ST33, ATTPM20, NPCT, SLB, automatic) -# * wait state -# * small stack +# * (All major options have been implemented) # Single threaded set(WOLFTPM_SINGLE_THREADED "no" CACHE STRING 
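Review bot: In the `Build wolfTPM (${{ matrix.config.name }})` step the matrix value `${{ matrix.config.options }}` is expanded directly into the shell `run:` script before bash parses it. Today the values are literals written in this workflow, so nothing untrusted reaches the shell, but this is the expression-in-`run` pattern that GitHub's script-injection hardening guidance warns about, and it becomes exploitable the moment a matrix entry is derived from event data. Routing it through the environment keeps expression substitution out of the script: add `env: CMAKE_OPTS: ${{ matrix.config.options }}` to the step and run `cmake $CMAKE_OPTS -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DWITH_WOLFSSL="$GITHUB_WORKSPACE/install" ..`. The same pattern recurs in the make-test-swtpm.yml rewrite of PATCH 03 for `matrix.wolfssl_config`, `matrix.wolfssl_cflags`, `matrix.wolftpm_config`, `matrix.wolftpm_cflags`, `matrix.wolftpm_cc` and `run: ${{ matrix.test_command }}`, and in the PATCH 04 update of this file.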
@@ -129,14 +123,17 @@ endif() set(WOLFTPM_DEBUG "no" CACHE STRING "Enables option for debug (default: disabled)") set_property(CACHE WOLFTPM_DEBUG - PROPERTY STRINGS "yes;no;verbose") + PROPERTY STRINGS "yes;no;verbose;io") if(WOLFTPM_DEBUG) list(APPEND WOLFTPM_DEFINITIONS "-DDEBUG_WOLFTPM" "-DDEBUG") - if("${WOLFTPM_DEBUG}" STREQUAL "verbose") + if("${WOLFTPM_DEBUG}" STREQUAL "verbose" OR "${WOLFTPM_DEBUG}" STREQUAL "io") list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_DEBUG_VERBOSE") - endif("${WOLFTPM_DEBUG}" STREQUAL "verbose") + endif() + if("${WOLFTPM_DEBUG}" STREQUAL "io") + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_DEBUG_IO") + endif() endif() # Device Interface 
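Review bot: The help string `"Enables option for debug (default: disabled)"` on the `WOLFTPM_DEBUG` cache entry is left unchanged while the hunk adds the `io` level, so `cmake -LH` shows neither the accepted values nor that `io` also turns on `-DWOLFTPM_DEBUG_VERBOSE`; suggest `"Debug output level: no|yes|verbose|io, io implies verbose (default: no)"`. The `if(WOLFTPM_DEBUG)` guard relies on the literal `no` being false in CMake, which holds, but any unrecognised value such as `trace` is truthy and silently enables `-DDEBUG_WOLFTPM -DDEBUG` with no verbose or io output. Since the unknown-value case is already handled with a `FATAL_ERROR` branch for `WOLFTPM_INTERFACE` and `WOLFTPM_MODULE` elsewhere in this file, the debug option could get the same treatment, or at minimum a comment stating that only the listed values are supported.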
@@ -215,6 +212,112 @@ else() " ${MODULE_OPTS}") endif() +# Wrapper +set(WOLFTPM_WRAPPER "yes" CACHE STRING + "Enable wrapper code (default: enabled)") +set_property(CACHE WOLFTPM_WRAPPER + PROPERTY STRINGS "yes;no") +if(NOT WOLFTPM_WRAPPER) + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM2_NO_WRAPPER") +endif() + +# I2C Support +set(WOLFTPM_I2C "no" CACHE STRING + "Enable I2C TPM Support (default: disabled)") +set_property(CACHE WOLFTPM_I2C + PROPERTY STRINGS "yes;no") +if(WOLFTPM_I2C) + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_I2C") +endif() + +# MMIO Support +set(WOLFTPM_MMIO "no" CACHE STRING + "Enable built-in MMIO callbacks (default: disabled)") +set_property(CACHE WOLFTPM_MMIO + PROPERTY STRINGS "yes;no") +if(WOLFTPM_MMIO) + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_MMIO") +endif() + +# Advanced IO +set(WOLFTPM_ADVIO "no" CACHE STRING + "Enable Advanced IO (default: disabled)") +set_property(CACHE WOLFTPM_ADVIO + PROPERTY STRINGS "yes;no") +if(WOLFTPM_ADVIO OR WOLFTPM_I2C OR WOLFTPM_MMIO) + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_ADV_IO") +endif() + +# TIS / SPI Check Wait State support +set(WOLFTPM_CHECK_WAIT_STATE "auto" CACHE STRING + "Enable TIS / SPI Check Wait State support (default: auto - depends on chip)") +set_property(CACHE WOLFTPM_CHECK_WAIT_STATE + PROPERTY STRINGS "yes;no;auto") +# Auto-enable for certain modules +if("${WOLFTPM_CHECK_WAIT_STATE}" STREQUAL "auto") + if("${WOLFTPM_MODULE}" STREQUAL "auto" OR + "${WOLFTPM_MODULE}" STREQUAL "microchip" OR + "${WOLFTPM_MODULE}" STREQUAL "attpm20" OR + "${WOLFTPM_MODULE}" STREQUAL "mchp" OR + "${WOLFTPM_MODULE}" STREQUAL "st33" OR + "${WOLFTPM_MODULE}" STREQUAL "nuvoton" OR + "${WOLFTPM_MODULE}" STREQUAL "npct75x") + set(WOLFTPM_CHECK_WAIT_STATE_ENABLED ON) + else() + set(WOLFTPM_CHECK_WAIT_STATE_ENABLED OFF) + endif() +elseif(WOLFTPM_CHECK_WAIT_STATE) + set(WOLFTPM_CHECK_WAIT_STATE_ENABLED ON) +else() + set(WOLFTPM_CHECK_WAIT_STATE_ENABLED OFF) +endif() +if(WOLFTPM_CHECK_WAIT_STATE_ENABLED) + 
list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_CHECK_WAIT_STATE") +endif() + +# TIS Layer Named Semaphore locking +set(WOLFTPM_TIS_LOCK "no" CACHE STRING + "TIS Layer Named Semaphore locking for concurrent access between processes (default: disabled)") +set_property(CACHE WOLFTPM_TIS_LOCK + PROPERTY STRINGS "yes;no") +if(WOLFTPM_TIS_LOCK) + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_TIS_LOCK") +endif() + +# Small Stack +set(WOLFTPM_SMALL_STACK "no" CACHE STRING + "Enable Small Stack Usage (default: disabled)") +set_property(CACHE WOLFTPM_SMALL_STACK + PROPERTY STRINGS "yes;no") +if(WOLFTPM_SMALL_STACK) + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_SMALL_STACK") + list(APPEND WOLFTPM_DEFINITIONS "-DMAX_COMMAND_SIZE=1024") + list(APPEND WOLFTPM_DEFINITIONS "-DMAX_RESPONSE_SIZE=1350") + list(APPEND WOLFTPM_DEFINITIONS "-DMAX_DIGEST_BUFFER=896") + # If wolfCrypt is disabled, set MAX_SESSION_NUM=1 + if(NOT WITH_WOLFSSL AND NOT WITH_WOLFSSL_TREE AND NOT WOLFSSL_FOUND AND NOT wolfssl_FOUND) + list(APPEND WOLFTPM_DEFINITIONS "-DMAX_SESSION_NUM=1") + endif() +endif() + +# Example HAL +set(WOLFTPM_HAL "yes" CACHE STRING + "Enable example HAL interfaces (default: enabled)") +set_property(CACHE WOLFTPM_HAL + PROPERTY STRINGS "yes;no") +if(WOLFTPM_HAL OR WOLFTPM_MMIO) + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_EXAMPLE_HAL") +endif() + +# Firmware Upgrade +set(WOLFTPM_FIRMWARE "yes" CACHE STRING + "Enable support for TPM firmware upgrades (default: enabled)") +set_property(CACHE WOLFTPM_FIRMWARE + PROPERTY STRINGS "yes;no") +if(WOLFTPM_FIRMWARE) + list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_FIRMWARE_UPGRADE") +endif() + # Examples set(WOLFTPM_EXAMPLES "yes" CACHE BOOL "Build examples") diff --git a/examples/firmware/ifx_fw_update.c b/examples/firmware/ifx_fw_update.c index 33f2812f..4edd17bc 100644 --- a/examples/firmware/ifx_fw_update.c +++ b/examples/firmware/ifx_fw_update.c 
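Review bot: The Small Stack branch hard-codes `-DMAX_COMMAND_SIZE=1024`, `-DMAX_RESPONSE_SIZE=1350` and `-DMAX_DIGEST_BUFFER=896` with no comment on their origin; the commit message says these options are being synced with configure, so the numbers presumably duplicate the autotools `--enable-smallstack` values and will drift silently if either side changes. A one-line `# Buffer sizes must match the smallstack values used by the autotools build` above the appends records the coupling. The wolfCrypt probe `if(NOT WITH_WOLFSSL AND NOT WITH_WOLFSSL_TREE AND NOT WOLFSSL_FOUND AND NOT wolfssl_FOUND)` tests four spellings of one fact; a single variable set at the point where wolfSSL is resolved (outside this hunk) would be less fragile than re-deriving it here. The `WOLFTPM_CHECK_WAIT_STATE` auto branch and the `WOLFTPM_HAL OR WOLFTPM_MMIO` rule also encode hardware knowledge without a comment saying which modules need wait-state checking and why MMIO forces the example HAL; a sentence on each would help the next maintainer.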
@@ -28,7 +28,8 @@ #include -#ifdef WOLFTPM_FIRMWARE_UPGRADE +#if defined(WOLFTPM_FIRMWARE_UPGRADE) && \ + (defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673)) #include #include @@ -221,23 +222,23 @@ int TPM2_IFX_Firmware_Update(void* userCtx, int argc, char *argv[]) /******************************************************************************/ /* --- END TPM2.0 Firmware Update tool -- */ /******************************************************************************/ - -#endif /* WOLFTPM_FIRMWARE_UPGRADE */ +#endif /* WOLFTPM_FIRMWARE_UPGRADE && (WOLFTPM_SLB9672 || WOLFTPM_SLB9673) */ #ifndef NO_MAIN_DRIVER int main(int argc, char *argv[]) { int rc = -1; -#ifdef WOLFTPM_FIRMWARE_UPGRADE +#if defined(WOLFTPM_FIRMWARE_UPGRADE) && \ + (defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673)) rc = TPM2_IFX_Firmware_Update(NULL, argc, argv); #else printf("Support for firmware upgrade not compiled in! " "See --enable-firmware or WOLFTPM_FIRMWARE_UPGRADE\n"); (void)argc; (void)argv; -#endif /* WOLFTPM_FIRMWARE_UPGRADE */ +#endif return rc; } -#endif +#endif /* !NO_MAIN_DRIVER */ From 535293df473c3dfbbbaeddedb11c6f84cfcf6a31 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 20 Nov 2025 13:38:07 -0800 Subject: [PATCH 03/12] Split up the make tests into matrix (improve test time) --- .github/workflows/make-test-swtpm.yml | 506 +++++++++++++------------- 1 file changed, 247 insertions(+), 259 deletions(-) diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index 91a1a1ff..cb4fa99f 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml 
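Review bot: The fallback message in `main()` still reads `"See --enable-firmware or WOLFTPM_FIRMWARE_UPGRADE\n"`, but the new guard also requires `WOLFTPM_SLB9672` or `WOLFTPM_SLB9673`, so a build that has firmware upgrade enabled for a different module prints advice that cannot fix the problem. Extend it to name the second condition, e.g. `"See --enable-firmware or WOLFTPM_FIRMWARE_UPGRADE (Infineon SLB9672/SLB9673 only)\n"`. The three-term preprocessor condition now appears twice in the file; defining it once near the top under a constructed name such as `WOLFTPM_IFX_FW_UPDATE_ENABLED` and testing that macro in both places keeps the two copies from diverging. `TPM2_IFX_Firmware_Update` itself starts outside the second hunk and is not reviewed here.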
@@ -8,266 +8,254 @@ on: jobs: build: - runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + # Defaults (applied when not specified in matrix entries): + # wolfssl_config: --enable-wolftpm --enable-pkcallbacks + # wolfssl_cflags: "" + # wolfssl_ref: master + # wolftpm_config: --enable-swtpm + # wolftpm_cflags: "" + # test_command: "true" + # needs_swtpm: true + # needs_mono: false + # needs_dist: false + # needs_install: false + # csharp_test: false + # wolftpm_cc: "" + include: + # Default build with simulator + - name: default + test_command: "make check && WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh" + needs_dist: true + needs_install: true + + # CSharp wrapper tests + - name: csharp + test_command: "true" + needs_mono: true + needs_install: true + csharp_test: true + + # No wolfCrypt + - name: no-wolfcrypt + wolftpm_config: --enable-swtpm --disable-wolfcrypt + test_command: "make check && WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh" + + # No wrapper + - name: no-wrapper + wolftpm_config: --enable-swtpm --disable-wrapper + test_command: "./examples/native/native_test" + + # Small stack + - name: smallstack + wolftpm_config: --enable-swtpm --enable-smallstack + test_command: "make check && WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh" + + # TIS lock + - name: tislock + wolftpm_config: --enable-tislock + needs_swtpm: false + + # Debug + - name: debug + wolftpm_config: --enable-debug + needs_swtpm: false + + # Debug verbose + - name: debug-verbose + wolftpm_config: --enable-debug=verbose + needs_swtpm: false + + # Debug IO + - name: debug-io + wolftpm_config: --enable-debug=io + wolftpm_cflags: "-DWOLFTPM_DEBUG_TIMEOUT" + needs_swtpm: false + + # AdvIO + - name: advio + wolftpm_config: --enable-advio + needs_swtpm: false + + # Clang ASAN + - name: clang-asan + wolftpm_cflags: "-fsanitize=address -fno-omit-frame-pointer -g" + wolftpm_cc: clang + test_command: "make check && ASAN_OPTIONS=detect_leaks=1:abort_on_error=1 
WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh" + + # Pedantic + - name: pedantic + wolftpm_config: "" + wolftpm_cflags: "-Wpedantic" + needs_swtpm: false + + # Not provisioning + - name: no-provisioning + wolftpm_config: --disable-provisioning + needs_swtpm: false + + # Symmetric encryption + - name: symmetric + wolftpm_cflags: "-DWOLFTPM_USE_SYMMETRIC" + test_command: "make check && WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh" + + # Software ECDHE + - name: swecdhe + wolftpm_cflags: "-DWOLFTPM2_USE_SW_ECDHE" + test_command: "make check && WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh" + + # No ECC + - name: no-ecc + wolfssl_config: --enable-wolftpm --disable-ecc + test_command: "make check && WOLFSSL_PATH=./wolfssl WOLFCRYPT_ECC=0 ./examples/run_examples.sh" + needs_install: true + + # No RSA + - name: no-rsa + wolfssl_config: --enable-wolftpm --disable-rsa + test_command: "make check && WOLFSSL_PATH=./wolfssl WOLFCRYPT_RSA=0 ./examples/run_examples.sh" + needs_install: true + + # Default configure (no AES CFB, no PKCS7, no crypto cb, no cert gen) + - name: default-configure + wolfssl_config: --enable-wolftpm + wolfssl_cflags: "-DWOLFSSL_PUBLIC_MP" + test_command: "make check && WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh" + needs_install: true + + # No filesystem + - name: no-filesystem + wolfssl_config: --enable-wolftpm --disable-filesystem --enable-singlethreaded + test_command: "make check && WOLFSSL_PATH=./wolfssl NO_FILESYSTEM=1 ./examples/run_examples.sh" + needs_install: true + + # Old wolfSSL (v4.7.0) + - name: old-wolfssl + wolfssl_config: --enable-wolftpm + wolfssl_cflags: "-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN" + wolfssl_ref: v4.7.0-stable + test_command: "make check && WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh" + needs_install: true steps: -# pull wolfTPM - - uses: actions/checkout@master - -# setup wolfssl - - uses: actions/checkout@master - with: - repository: 
wolfssl/wolfssl - path: wolfssl - - name: wolfssl autogen - working-directory: ./wolfssl - run: ./autogen.sh - - name: wolfssl configure - working-directory: ./wolfssl - run: ./configure --enable-wolftpm --enable-pkcallbacks - - name: wolfssl make install - working-directory: ./wolfssl - run: | - make - sudo make install - sudo ldconfig - -# setup ibmswtpm2 - - uses: actions/checkout@master - with: - repository: kgoldman/ibmswtpm2 - path: ibmswtpm2 - - name: ibmswtpm2 make - working-directory: ./ibmswtpm2/src - run: | + - name: Checkout wolfTPM + uses: actions/checkout@master + + - name: Checkout wolfSSL + uses: actions/checkout@master + with: + repository: wolfssl/wolfssl + path: wolfssl + ref: ${{ matrix.wolfssl_ref || 'master' }} + + - name: Setup wolfSSL + working-directory: ./wolfssl + run: | + ./autogen.sh + WOLFSSL_CONFIG="${{ matrix.wolfssl_config || '--enable-wolftpm --enable-pkcallbacks' }}" + WOLFSSL_CFLAGS="${{ matrix.wolfssl_cflags || '' }}" + if [ -n "$WOLFSSL_CFLAGS" ]; then + CFLAGS="$WOLFSSL_CFLAGS" ./configure $WOLFSSL_CONFIG + else + ./configure $WOLFSSL_CONFIG + fi + make + sudo make install + sudo ldconfig + + - name: Setup ibmswtpm2 + if: matrix.needs_swtpm != false + uses: actions/checkout@master + with: + repository: kgoldman/ibmswtpm2 + path: ibmswtpm2 + + - name: Generate TPM port + if: matrix.needs_swtpm != false + run: | + # Generate random port in high range (32768-65535) + TPM_PORT=$((32768 + RANDOM % 32768)) + echo "TPM_PORT=$TPM_PORT" >> $GITHUB_ENV + echo "TPM2_SWTPM_PORT=$TPM_PORT" >> $GITHUB_ENV + echo "Generated TPM port: $TPM_PORT" + + - name: Start TPM simulator + if: matrix.needs_swtpm != false + working-directory: ./ibmswtpm2/src + run: | make - ./tpm_server & - -# setup and test defaults (with simulator) - - name: autogen - run: ./autogen.sh - - name: configure - run: ./configure --enable-swtpm - - name: make - run: make - - name: make check - run: | - make check - WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh - - name: 
make install - run: | - sudo make install - sudo ldconfig - - name: make dist - run: make dist - - name: make distcheck - run: make distcheck - -# build and test CSharp wrapper - - name: Install mono - run: | - sudo apt-get install -y mono-mcs mono-tools-devel nunit nunit-console - - name: Build CSharp wrapper - working-directory: ./wrapper/CSharp - run: | - mcs wolfTPM.cs wolfTPM-tests.cs -r:/usr/lib/cli/nunit.framework-2.6.3/nunit.framework.dll -t:library - - name: Run self test - working-directory: ./wrapper/CSharp - run: | - LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll -run=tpm_csharp_test.WolfTPMTest.TrySelfTest - - name: Run unit tests - working-directory: ./wrapper/CSharp - run: | - LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll - -# test no wolfcrypt - - name: configure no wolfCrypt - run: ./configure --enable-swtpm --disable-wolfcrypt - - name: make no wolfCrypt - run: make - - name: make check no wolfCrypt - run: | - make check - WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh - -# test no wrapper - - name: configure no wrapper - run: ./configure --enable-swtpm --disable-wrapper - - name: make no wrapper - run: make - - name: make check no wrapper - run: ./examples/native/native_test - -# test small stack - - name: configure smallstack - run: ./configure --enable-swtpm --enable-smallstack - - name: make smallstack - run: make - - name: make check smallstack - run: | - make check - WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh - -# test tislock - - name: configure tislock - run: ./configure --enable-tislock - - name: make tislock - run: make - -# build debug - - name: configure debug - run: ./configure --enable-debug - - name: make debug - run: make - -# build verbose - - name: configure debug verbose - run: ./configure --enable-debug=verbose - - name: make debug verbose - run: make - -# build io - - name: configure debug io - run: ./configure 
--enable-debug=io CFLAGS="-DWOLFTPM_DEBUG_TIMEOUT" - - name: make debug io - run: make - -# build advio - - name: configure advio - run: ./configure --enable-advio - - name: make debug io - run: make - -# build with clang address sanitizer - - name: configure clang asan - run: ./configure --enable-swtpm CC=clang CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" - - name: make clang asan - run: make - - name: make check clang asan - run: | - make check - ASAN_OPTIONS=detect_leaks=1:abort_on_error=1 WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh - -# build pedantic - - name: configure pedantic - run: ./configure CFLAGS="-Wpedantic" - - name: make pedantic - run: make - -# build not provisioning - - name: configure not provisioning - run: ./configure --disable-provisioning - - name: make not provisioning - run: make - -# test with symmetric encryption - - name: configure symmetric - run: ./configure --enable-swtpm CFLAGS="-DWOLFTPM_USE_SYMMETRIC" - - name: make symmetric - run: make - - name: make check symmetric - run: | - make check - WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh - -# test with software ecdhe - - name: configure swecdhe - run: ./configure --enable-swtpm CFLAGS="-DWOLFTPM2_USE_SW_ECDHE" - - name: make swecdhe - run: make - - name: make check swecdhe - run: | - make check - WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh - -# test without ECC - - name: wolfssl no ECC - working-directory: ./wolfssl - run: | - ./configure --enable-wolftpm --disable-ecc - make - sudo make install - - name: wolftpm no ECC - run: | - ./configure --enable-swtpm - make - make check - WOLFSSL_PATH=./wolfssl WOLFCRYPT_ECC=0 ./examples/run_examples.sh - -# test without RSA - - name: wolfssl no RSA - working-directory: ./wolfssl - run: | - ./configure --enable-wolftpm --disable-rsa - make - sudo make install - - name: wolftpm no RSA - run: | - ./configure --enable-swtpm - make - make check - WOLFSSL_PATH=./wolfssl WOLFCRYPT_RSA=0 ./examples/run_examples.sh - -# 
test with default configure (no AES CFB, no PKCS7, no crypto cb, no cert gen) - - name: wolfssl default configure - working-directory: ./wolfssl - run: | - ./configure CFLAGS="-DWOLFSSL_PUBLIC_MP" - make - sudo make install - - name: wolftpm default configure - run: | - ./configure --enable-swtpm - make - make check - WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh - -# test with no filesystem / threading - - name: wolfssl no filesystem - working-directory: ./wolfssl - run: | - ./configure --enable-wolftpm --disable-filesystem --enable-singlethreaded - make - sudo make install - - name: wolftpm no filesystem - run: | - ./configure --enable-swtpm - make - make check - WOLFSSL_PATH=./wolfssl NO_FILESYSTEM=1 ./examples/run_examples.sh - -# test with older wolfCrypt (v4.7.0) - - uses: actions/checkout@master - with: - repository: wolfssl/wolfssl - path: wolfssl-old - ref: v4.7.0-stable - - name: wolfssl old - working-directory: ./wolfssl - run: | - ./configure --enable-wolftpm CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN" - make - sudo make install - - name: wolftpm with old wolfssl - # Old wolfSSL before PR #5075 does not support using a public key in place of private key with - # crypto callbacks enabled. - # To use PKCS7 or TLS Server a dummy private key must be used for older wolfSSL versions. 
- # Use newer wolfSSL TLS client/server to resolve test certificate expirations - run: | - ./configure --enable-swtpm - make - make check - WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh - -# capture logs on failure - - name: Upload failure logs - if: failure() - uses: actions/upload-artifact@v4 - with: - name: wolftpm-test-logs - path: | - run.out - test-suite.log - wolftpm-*/_build/sub/test-suite.log - retention-days: 5 + echo "Starting TPM simulator on port $TPM_PORT" + ./tpm_server -port $TPM_PORT & + + - name: Install mono + if: matrix.needs_mono == true + run: | + sudo apt-get install -y mono-mcs mono-tools-devel nunit nunit-console + + - name: Build wolfTPM + run: | + ./autogen.sh + WOLFTPM_CONFIG="${{ matrix.wolftpm_config || '--enable-swtpm' }}" + WOLFTPM_CFLAGS="${{ matrix.wolftpm_cflags || '' }}" + WOLFTPM_CC="${{ matrix.wolftpm_cc || '' }}" + # Add TPM port to CFLAGS if SWTPM is needed (as string) + if [ -n "$TPM_PORT" ]; then + PORT_DEF='-DTPM2_SWTPM_PORT="'$TPM_PORT'"' + if [ -n "$WOLFTPM_CFLAGS" ]; then + WOLFTPM_CFLAGS="$WOLFTPM_CFLAGS $PORT_DEF" + else + WOLFTPM_CFLAGS="$PORT_DEF" + fi + fi + if [ -n "$WOLFTPM_CC" ]; then + if [ -n "$WOLFTPM_CFLAGS" ]; then + CC="$WOLFTPM_CC" ./configure $WOLFTPM_CONFIG CFLAGS="$WOLFTPM_CFLAGS" + else + CC="$WOLFTPM_CC" ./configure $WOLFTPM_CONFIG + fi + else + if [ -n "$WOLFTPM_CFLAGS" ]; then + ./configure $WOLFTPM_CONFIG CFLAGS="$WOLFTPM_CFLAGS" + else + ./configure $WOLFTPM_CONFIG + fi + fi + make + + - name: Run tests + if: matrix.test_command && matrix.test_command != 'true' + run: ${{ matrix.test_command }} + + - name: Install + if: matrix.needs_install == true + run: | + sudo make install + sudo ldconfig + + - name: Build CSharp wrapper + if: matrix.csharp_test == true + working-directory: ./wrapper/CSharp + run: | + mcs wolfTPM.cs wolfTPM-tests.cs -r:/usr/lib/cli/nunit.framework-2.6.3/nunit.framework.dll -t:library + LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console 
wolfTPM.dll -run=tpm_csharp_test.WolfTPMTest.TrySelfTest + LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll + + - name: Make dist + if: matrix.needs_dist == true + run: | + make dist + make distcheck + + - name: Upload failure logs + if: failure() + uses: actions/upload-artifact@v4 + with: + name: wolftpm-test-logs-${{ matrix.name }} + path: | + run.out + test-suite.log + wolftpm-*/_build/sub/test-suite.log + retention-days: 5 From a2ee75cd53178253f11e120074319344eb8b662a Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 20 Nov 2025 14:30:00 -0800 Subject: [PATCH 04/12] Further improvement to CMake interfaces and test scripts --- .github/workflows/cmake-build.yml | 67 +++++++++++++++------------ .github/workflows/make-test-swtpm.yml | 13 +++--- CMakeLists.txt | 55 +++++++++++++++------- 3 files changed, 82 insertions(+), 53 deletions(-) diff --git a/.github/workflows/cmake-build.yml b/.github/workflows/cmake-build.yml index e21526db..de5cbe2c 100644 --- a/.github/workflows/cmake-build.yml +++ b/.github/workflows/cmake-build.yml 
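Review bot: The rewritten steps check out `actions/checkout@master` three times and `kgoldman/ibmswtpm2` at its default-branch head, then build and execute that third-party code on the runner; a mutable branch reference means the action's behaviour and the simulator under test can change with no change to this repository and no review. Pin the action to a release tag or full commit SHA (`uses: actions/checkout@v4`) and give the simulator checkout a fixed `ref: <ibmswtpm2 tag or commit>` (placeholder), bumping it deliberately. The `wolfssl_ref: ${{ matrix.wolfssl_ref || 'master' }}` default is a deliberate choice to track upstream, so it is not in scope here, but it is worth a comment saying so. The `Run tests` step executes `${{ matrix.test_command }}` directly as the script body; the matrix values are static today, but an `env:` indirection as proposed for the cmake-build.yml hunk in PATCH 02 applies here as well.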
@@ -14,64 +14,73 @@ jobs: fail-fast: false matrix: config: - # Default configuration - - name: "Default" - options: "-DWOLFTPM_INTERFACE=SWTPM" - # Test different TPM modules - - name: "Module Auto" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=auto" - - name: "Module ST33" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=st33" + # Default configuration (SWTPM first) + - name: "Defaults" + options: "" + # ST33 supports both SPI and I2C + - name: "Module ST33 SPI" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_MODULE=st33" + - name: "Module ST33 I2C" + options: "-DWOLFTPM_INTERFACE=I2C -DWOLFTPM_MODULE=st33" + # Other modules use SPI - name: "Module Microchip" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=microchip" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_MODULE=microchip" - name: "Module Nuvoton" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=nuvoton" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_MODULE=nuvoton" - name: "Module SLB9670" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=slb9670" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_MODULE=slb9670" - name: "Module SLB9672" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=slb9672" - - name: "Module SLB9673" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=slb9673" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_MODULE=slb9672" + # SLB9673 is I2C + - name: "Module SLB9673 I2C" + options: "-DWOLFTPM_INTERFACE=I2C -DWOLFTPM_MODULE=slb9673" # Test wrapper disabled - name: "No Wrapper" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_WRAPPER=no" + options: "-DWOLFTPM_WRAPPER=no" # Test I2C support (enables ADV_IO automatically) - - name: "I2C Enabled" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_I2C=yes" + - name: "I2C Enabled (legacy)" + options: "-DWOLFTPM_I2C=yes" + # Test interface options + - name: "Interface I2C" + options: "-DWOLFTPM_INTERFACE=I2C" + - name: "Interface SPI" + options: "-DWOLFTPM_INTERFACE=SPI" # Test Advanced IO - name: "Advanced IO" - 
options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_ADVIO=yes" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_ADVIO=yes" + - name: "Advanced IO I2C" + options: "-DWOLFTPM_INTERFACE=I2C -DWOLFTPM_ADVIO=yes" # Test MMIO (enables ADV_IO automatically) - name: "MMIO Enabled" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MMIO=yes" + options: "-DWOLFTPM_MMIO=yes" # Test Check Wait State - name: "Check Wait State Enabled" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_CHECK_WAIT_STATE=yes" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_CHECK_WAIT_STATE=yes" - name: "Check Wait State Disabled" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_CHECK_WAIT_STATE=no" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_CHECK_WAIT_STATE=no" # Test TIS Lock - name: "TIS Lock Enabled" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_TIS_LOCK=yes" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_TIS_LOCK=yes" # Test Small Stack - name: "Small Stack" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_SMALL_STACK=yes" + options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_SMALL_STACK=yes" # Test HAL disabled - name: "No HAL" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_HAL=no" + options: "-DWOLFTPM_HAL=no" # Test Firmware disabled - name: "No Firmware" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_FIRMWARE=no" + options: "-DWOLFTPM_FIRMWARE=no" # Test Debug modes - name: "Debug Verbose" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_DEBUG=verbose" + options: "-DWOLFTPM_DEBUG=verbose" - name: "Debug IO" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_DEBUG=io" + options: "-DWOLFTPM_DEBUG=io" # Test Examples disabled - name: "No Examples" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_EXAMPLES=no" + options: "-DWOLFTPM_EXAMPLES=no" # Test combination of options - name: "Combined Options" - options: "-DWOLFTPM_INTERFACE=SWTPM -DWOLFTPM_MODULE=st33 -DWOLFTPM_I2C=yes -DWOLFTPM_ADVIO=yes -DWOLFTPM_CHECK_WAIT_STATE=yes" + options: "-DWOLFTPM_INTERFACE=I2C -DWOLFTPM_MODULE=st33 -DWOLFTPM_ADVIO=yes 
-DWOLFTPM_CHECK_WAIT_STATE=yes" steps: #pull wolfTPM diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml index cb4fa99f..e12a55b4 100644 --- a/.github/workflows/make-test-swtpm.yml +++ b/.github/workflows/make-test-swtpm.yml @@ -167,23 +167,24 @@ jobs: sudo ldconfig - name: Setup ibmswtpm2 - if: matrix.needs_swtpm != false + if: matrix.needs_swtpm == true || matrix.needs_swtpm == null uses: actions/checkout@master with: repository: kgoldman/ibmswtpm2 path: ibmswtpm2 - name: Generate TPM port - if: matrix.needs_swtpm != false + if: matrix.needs_swtpm == true || matrix.needs_swtpm == null run: | - # Generate random port in high range (32768-65535) - TPM_PORT=$((32768 + RANDOM % 32768)) + # Generate deterministic port from matrix name (base 40000, spacing 2 for port+1) + MATRIX_HASH=$(echo -n "${{ matrix.name }}" | cksum | cut -d' ' -f1) + TPM_PORT=$((40000 + (MATRIX_HASH % 1000) * 2)) echo "TPM_PORT=$TPM_PORT" >> $GITHUB_ENV echo "TPM2_SWTPM_PORT=$TPM_PORT" >> $GITHUB_ENV - echo "Generated TPM port: $TPM_PORT" + echo "Generated TPM port: $TPM_PORT (matrix: ${{ matrix.name }})" - name: Start TPM simulator - if: matrix.needs_swtpm != false + if: matrix.needs_swtpm == true || matrix.needs_swtpm == null working-directory: ./ibmswtpm2/src run: | make diff --git a/CMakeLists.txt b/CMakeLists.txt index 50e0c489..6d1953f4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -140,7 +140,7 @@ endif() set(WOLFTPM_INTERFACE "auto" CACHE STRING "Select interface to TPM") set_property(CACHE WOLFTPM_INTERFACE - PROPERTY STRINGS "auto;SWTPM;WINAPI;DEVTPM") + PROPERTY STRINGS "auto;SWTPM;WINAPI;DEVTPM;SPI;I2C;MMIO") # automatically set message("INTERFACE ${WOLFTPM_INTERFACE}") 
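Review bot: `TPM_PORT=$((40000 + (MATRIX_HASH % 1000) * 2))` maps a dozen or so simulator-using matrix names onto 1000 slots, so two jobs can hash to the same port; the chance of at least one collision is small but not negligible. Whether a collision matters depends on where the jobs run: if each matrix entry is a separate hosted runner (the `runs-on: ubuntu-latest` at the top of the workflow, outside this hunk, suggests so) the port is never shared and a fixed port would do; if runners are shared, a collision must be handled rather than made unlikely. Either way, the comment `# Generate deterministic port from matrix name (base 40000, spacing 2 for port+1)` should say which scenario it protects against. If uniqueness is the goal, `${{ strategy.job-index }}` is unique per matrix job and collision-free: `TPM_PORT=$((40000 + ${{ strategy.job-index }} * 2))`.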
@@ -173,12 +173,24 @@ elseif("${WOLFTPM_INTERFACE}" STREQUAL "DEVTPM")
 elseif("${WOLFTPM_INTERFACE}" STREQUAL "WINAPI")
 list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_WINAPI")
 target_link_libraries(wolftpm PRIVATE tbs)
+
+elseif("${WOLFTPM_INTERFACE}" STREQUAL "SPI")
+ # SPI interface
+
+elseif("${WOLFTPM_INTERFACE}" STREQUAL "I2C")
+ # I2C interface - requires I2C (ADV_IO will be enabled automatically in ADV_IO section)
+ list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_I2C")
+
+elseif("${WOLFTPM_INTERFACE}" STREQUAL "MMIO")
+ # MMIO interface - requires MMIO (ADV_IO will be enabled automatically in ADV_IO section)
+ list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_MMIO")
+
 else()
 get_property(INTERFACE_OPTS CACHE WOLFTPM_INTERFACE
 PROPERTY STRINGS)
 message(FATAL_ERROR "\"${WOLFTPM_INTERFACE}\" is not known WOLFTPM_INTERFACE:"
 " ${INTERFACE_OPTS}")
-endif("${WOLFTPM_INTERFACE}" STREQUAL "SWTPM")
+endif()
 
 # TPM Module Selection
 set(WOLFTPM_MODULE "auto" CACHE STRING
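Review bot: The new I2C and MMIO branches append `-DWOLFTPM_I2C` and `-DWOLFTPM_MMIO`, and the backward-compatibility blocks in the next hunk (`if(WOLFTPM_I2C OR "${WOLFTPM_INTERFACE}" STREQUAL "I2C")` and its MMIO twin) append the same flags a second time, with `-DWOLFTPM_ADV_IO` added both there and again in the ADV_IO block, so an I2C or MMIO interface leaves WOLFTPM_DEFINITIONS with duplicate entries. Identical `-D` repeats compile, but they make the effective definition set harder to audit and show up on every generated compile line. Either drop the two `list(APPEND WOLFTPM_DEFINITIONS ...)` calls from these interface branches and let the combined conditions below carry them, or add `list(REMOVE_DUPLICATES WOLFTPM_DEFINITIONS)` once at the point the list is consumed. The if/elseif chain this hunk extends begins before the hunk.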
@@ -221,21 +233,28 @@ if(NOT WOLFTPM_WRAPPER)
 list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM2_NO_WRAPPER")
 endif()
 
-# I2C Support
+# I2C Support (for backward compatibility - use WOLFTPM_INTERFACE=I2C for new code)
 set(WOLFTPM_I2C "no" CACHE STRING
- "Enable I2C TPM Support (default: disabled)")
+ "Enable I2C TPM Support (default: disabled, use WOLFTPM_INTERFACE=I2C for new code)")
 set_property(CACHE WOLFTPM_I2C
 PROPERTY STRINGS "yes;no")
-if(WOLFTPM_I2C)
+
+# Handle I2C option for backward compatibility
+# If interface is not SPI or I2C, and I2C is explicitly enabled, set interface to I2C
+if(WOLFTPM_I2C OR "${WOLFTPM_INTERFACE}" STREQUAL "I2C")
+ # Backward compatibility: if I2C is enabled and interface is not SPI/I2C, enable I2C definition
 list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_I2C")
+ list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_ADV_IO")
 endif()
 
-# MMIO Support
+# MMIO Support (deprecated - use WOLFTPM_INTERFACE=MMIO for new code)
 set(WOLFTPM_MMIO "no" CACHE STRING
- "Enable built-in MMIO callbacks (default: disabled)")
+ "Enable built-in MMIO callbacks (deprecated: use WOLFTPM_INTERFACE=MMIO for new code)")
 set_property(CACHE WOLFTPM_MMIO
 PROPERTY STRINGS "yes;no")
-if(WOLFTPM_MMIO)
+# Handle MMIO option for backward compatibility
+# If interface is MMIO or MMIO is explicitly enabled, set MMIO definition
+if(WOLFTPM_MMIO OR "${WOLFTPM_INTERFACE}" STREQUAL "MMIO")
 list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_MMIO")
 endif()
 
@@ -244,7 +263,10 @@ set(WOLFTPM_ADVIO "no" CACHE STRING
 "Enable Advanced IO (default: disabled)")
 set_property(CACHE WOLFTPM_ADVIO
 PROPERTY STRINGS "yes;no")
-if(WOLFTPM_ADVIO OR WOLFTPM_I2C OR WOLFTPM_MMIO)
+# ADV_IO is automatically enabled for I2C or MMIO interfaces
+if(WOLFTPM_ADVIO OR WOLFTPM_I2C OR WOLFTPM_MMIO OR
+ "${WOLFTPM_INTERFACE}" STREQUAL "I2C" OR
+ "${WOLFTPM_INTERFACE}" STREQUAL "MMIO")
 list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_ADV_IO")
 endif()
 
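Review bot: The comment `# If interface is not SPI or I2C, and I2C is explicitly enabled, set interface to I2C` and the inner `# Backward compatibility: if I2C is enabled and interface is not SPI/I2C, enable I2C definition` describe a test and an assignment the block does not perform; the condition is simply `WOLFTPM_I2C OR interface == I2C`, and the block only appends definitions, it never changes WOLFTPM_INTERFACE. Suggest replacing both with `# Legacy WOLFTPM_I2C=yes, or WOLFTPM_INTERFACE=I2C, selects the I2C transport; I2C implies ADV_IO`. Because `-DWOLFTPM_I2C` is added regardless of the chosen interface, `WOLFTPM_I2C=yes` paired with SWTPM or WINAPI configures silently with both sets of definitions; if that pairing is not meaningful, a `message(FATAL_ERROR ...)` (or at least a `message(WARNING ...)`) here would report it at configure time, and the same applies to the MMIO block.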
@@ -253,15 +275,12 @@ set(WOLFTPM_CHECK_WAIT_STATE "auto" CACHE STRING
 "Enable TIS / SPI Check Wait State support (default: auto - depends on chip)")
 set_property(CACHE WOLFTPM_CHECK_WAIT_STATE
 PROPERTY STRINGS "yes;no;auto")
-# Auto-enable for certain modules
+# Check wait state is required for all TPM except Infineon
 if("${WOLFTPM_CHECK_WAIT_STATE}" STREQUAL "auto")
- if("${WOLFTPM_MODULE}" STREQUAL "auto" OR
- "${WOLFTPM_MODULE}" STREQUAL "microchip" OR
- "${WOLFTPM_MODULE}" STREQUAL "attpm20" OR
- "${WOLFTPM_MODULE}" STREQUAL "mchp" OR
- "${WOLFTPM_MODULE}" STREQUAL "st33" OR
- "${WOLFTPM_MODULE}" STREQUAL "nuvoton" OR
- "${WOLFTPM_MODULE}" STREQUAL "npct75x")
+ if(NOT "${WOLFTPM_MODULE}" STREQUAL "infineon" AND
+ NOT "${WOLFTPM_MODULE}" STREQUAL "slb9670" AND
+ NOT "${WOLFTPM_MODULE}" STREQUAL "slb9672" AND
+ NOT "${WOLFTPM_MODULE}" STREQUAL "slb9673")
 set(WOLFTPM_CHECK_WAIT_STATE_ENABLED ON)
 else()
 set(WOLFTPM_CHECK_WAIT_STATE_ENABLED OFF)
@@ -305,7 +324,7 @@ set(WOLFTPM_HAL "yes" CACHE STRING
 "Enable example HAL interfaces (default: enabled)")
 set_property(CACHE WOLFTPM_HAL
 PROPERTY STRINGS "yes;no")
-if(WOLFTPM_HAL OR WOLFTPM_MMIO)
+if(WOLFTPM_HAL OR WOLFTPM_MMIO OR "${WOLFTPM_INTERFACE}" STREQUAL "MMIO")
 list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_EXAMPLE_HAL")
 endif()
 
From 7f37399aea24964b85ec6b8f469a6a341dbc52fb Mon Sep 17 00:00:00 2001
From: David Garske
Date: Thu, 20 Nov 2025 15:07:19 -0800
Subject: [PATCH 05/12] Support for swtpm port arguments
---
 .github/workflows/make-test-swtpm.yml | 32 ++++++++++++++++++---
 CMakeLists.txt | 5 +++++
 Makefile.am | 4 +++-
 configure.ac | 27 ++++++++++++++++++++++
 4 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml
index e12a55b4..fec1cf15 100644
--- a/.github/workflows/make-test-swtpm.yml
+++ b/.github/workflows/make-test-swtpm.yml
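Review bot: `NOT "${WOLFTPM_MODULE}" STREQUAL "infineon"` cannot take effect: the WOLFTPM_MODULE STRINGS list introduced in patch 01 is `auto;microchip;attpm20;mchp;st33;nuvoton;npct75x;slb9670;slb9672;slb9673`, and every other value reaches the `message(FATAL_ERROR "... is not a known WOLFTPM_MODULE")` in the module-selection block before this line, so `infineon` is rejected before it could turn the wait-state check off (unless a hunk not shown here extended that list). Either add `infineon` to the STRINGS list and map it in the selection chain, or remove the term so the condition names only values that can occur. The new comment `# Check wait state is required for all TPM except Infineon` would also read more precisely as `# Check wait state is required for every supported module except the Infineon SLB96xx parts`, matching the three values actually tested.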
@@ -133,10 +133,9 @@ jobs: needs_install: true # Old wolfSSL (v4.7.0) + # Builds latest wolfSSL for examples/client/client and examples/server/server + # Builds old wolfSSL (v4.7.0) for linking wolfTPM against older shared library - name: old-wolfssl - wolfssl_config: --enable-wolftpm - wolfssl_cflags: "-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN" - wolfssl_ref: v4.7.0-stable test_command: "make check && WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh" needs_install: true @@ -166,6 +165,24 @@ jobs: sudo make install sudo ldconfig + # For old-wolfssl test: checkout and build old wolfSSL for linking + - name: Checkout old wolfSSL + if: matrix.name == 'old-wolfssl' + uses: actions/checkout@master + with: + repository: wolfssl/wolfssl + path: wolfssl-old + ref: v4.7.0-stable + - name: Setup old wolfSSL for linking + if: matrix.name == 'old-wolfssl' + working-directory: ./wolfssl-old + run: | + ./autogen.sh + CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN" ./configure --enable-wolftpm + make + sudo make install + sudo ldconfig + - name: Setup ibmswtpm2 if: matrix.needs_swtpm == true || matrix.needs_swtpm == null uses: actions/checkout@master @@ -202,14 +219,9 @@ jobs: WOLFTPM_CONFIG="${{ matrix.wolftpm_config || '--enable-swtpm' }}" WOLFTPM_CFLAGS="${{ matrix.wolftpm_cflags || '' }}" WOLFTPM_CC="${{ matrix.wolftpm_cc || '' }}" - # Add TPM port to CFLAGS if SWTPM is needed (as string) + # Add TPM port to configure if SWTPM is needed if [ -n "$TPM_PORT" ]; then - PORT_DEF='-DTPM2_SWTPM_PORT="'$TPM_PORT'"' - if [ -n "$WOLFTPM_CFLAGS" ]; then - WOLFTPM_CFLAGS="$WOLFTPM_CFLAGS $PORT_DEF" - else - WOLFTPM_CFLAGS="$PORT_DEF" - fi + WOLFTPM_CONFIG="$WOLFTPM_CONFIG --with-swtpm-port=$TPM_PORT" fi if [ -n "$WOLFTPM_CC" ]; then if [ -n "$WOLFTPM_CFLAGS" ]; then diff --git a/CMakeLists.txt b/CMakeLists.txt index 6d1953f4..bb4a10f6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
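Review bot: The new `Checkout old wolfSSL` step uses `actions/checkout@master`, a moving branch, so what this job executes can change with no commit to this repository; the existing steps have the same problem, but new steps are where to stop adding to it. Pin to a release tag or a full commit SHA, `uses: actions/checkout@<pinned-tag-or-sha>`, with a comment naming the version. In the old-wolfssl job this hunk also appears to perform a second `sudo make install` of wolfSSL v4.7.0 into the same default prefix as the latest wolfSSL installed in the step just above it; if overwriting the first install is the intent (wolfTPM links the old library while the already-built examples keep the new one), a one-line comment saying so would spare the next reader the inference.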
@@ -167,6 +167,11 @@ endif(WIN32)
 
 if("${WOLFTPM_INTERFACE}" STREQUAL "SWTPM")
 list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_SWTPM")
+ # SWTPM port configuration
+ set(WOLFTPM_SWTPM_PORT "2321" CACHE STRING
+ "Set SWTPM socket port (default: 2321)")
+ list(APPEND WOLFTPM_DEFINITIONS "-DTPM2_SWTPM_PORT=\"${WOLFTPM_SWTPM_PORT}\"")
+
 elseif("${WOLFTPM_INTERFACE}" STREQUAL "DEVTPM")
 list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_LINUX_DEV")
 
diff --git a/Makefile.am b/Makefile.am
index 39a45e10..db655c22 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -26,7 +26,9 @@ dist_doc_DATA =
 DISTCLEANFILES+= aminclude.am
 
 # make sure we pass the correct flags to distcheck
-AM_DISTCHECK_CONFIGURE_FLAGS = --enable-swtpm
+# SWTPM_PORT can be set via --with-swtpm-port during configure
+# Use @SWTPM_PORT@ substitution from configure.ac
+AM_DISTCHECK_CONFIGURE_FLAGS = --enable-swtpm @DISTCHECK_SWTPM_PORT_FLAG@
 
 exampledir = $(docdir)/example
 dist_example_DATA=
diff --git a/configure.ac b/configure.ac
index e2b9e339..abc8d9ff 100644
--- a/configure.ac
+++ b/configure.ac
@@ -231,6 +231,17 @@ AC_ARG_ENABLE([swtpm],
 [ ENABLED_SWTPM=no ]
 )
 
+# SWTPM port configuration
+SWTPM_PORT="2321"
+AC_ARG_WITH([swtpm-port],
+ [AS_HELP_STRING([--with-swtpm-port=PORT],[Set SWTPM socket port (default: 2321)])],
+ [
+ if test "x$withval" != "xno" && test "x$withval" != "xyes"; then
+ SWTPM_PORT="$withval"
+ fi
+ ]
+)
+
 if test "x$ENABLED_SWTPM" = "xyes"
 then
 if test "x$ENABLED_DEVTPM" = "xyes"
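Review bot: `WOLFTPM_SWTPM_PORT` goes straight into `-DTPM2_SWTPM_PORT=\"${WOLFTPM_SWTPM_PORT}\"` with no check that it is a number, and the `--with-swtpm-port` handler in the configure.ac hunk below likewise copies any `$withval` other than yes/no into `SWTPM_PORT`, so a value containing a quote or a space breaks the compile line instead of failing at configure time. After the `set(WOLFTPM_SWTPM_PORT ... CACHE STRING ...)` add `if(NOT WOLFTPM_SWTPM_PORT MATCHES "^[0-9]+$")` / `message(FATAL_ERROR "WOLFTPM_SWTPM_PORT must be a TCP port number, got '${WOLFTPM_SWTPM_PORT}'")` / `endif()`, and in configure.ac a `case "$withval" in *[[!0-9]]*) AC_MSG_ERROR([--with-swtpm-port expects a port number]);; esac` inside the action. The Makefile.am comment `# Use @SWTPM_PORT@ substitution from configure.ac` names the wrong substitution; the line actually uses `@DISTCHECK_SWTPM_PORT_FLAG@`. Note also that the cache variable is declared only inside the SWTPM branch, so `-DWOLFTPM_SWTPM_PORT=...` given with any other interface is accepted and silently ignored.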
@@ -239,8 +250,21 @@ then
 fi
 
 AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_SWTPM"
+ AM_CFLAGS="$AM_CFLAGS -DTPM2_SWTPM_PORT=\"$SWTPM_PORT\""
+
+ # Set distcheck flag if port is not default (only when SWTPM is enabled)
+ if test "x$SWTPM_PORT" != "x2321"; then
+ DISTCHECK_SWTPM_PORT_FLAG="--with-swtpm-port=$SWTPM_PORT"
+ else
+ DISTCHECK_SWTPM_PORT_FLAG=""
+ fi
+else
+ DISTCHECK_SWTPM_PORT_FLAG=""
 fi
 
+AC_SUBST([SWTPM_PORT])
+AC_SUBST([DISTCHECK_SWTPM_PORT_FLAG])
+
 # Windows TBS device Support
 AC_ARG_ENABLE([wintbs],,
 [ ENABLED_WINTBS=$enableval ],
@@ -579,6 +603,9 @@ echo " * Advanced IO: $ENABLED_ADVIO"
 echo " * I2C: $ENABLED_I2C"
 echo " * Linux kernel TPM device: $ENABLED_DEVTPM"
 echo " * SWTPM: $ENABLED_SWTPM"
+if test "x$ENABLED_SWTPM" = "xyes"; then
+ echo " * SWTPM Port: $SWTPM_PORT"
+fi
 echo " * WINAPI: $ENABLED_WINAPI"
 echo " * TIS/SPI Check Wait State: $ENABLED_CHECKWAITSTATE"
 
From 9e29f5280ef540aca761a046f2d70de165b87450 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 21 Nov 2025 11:22:22 -0800
Subject: [PATCH 06/12] Fix for old wolfssl test
---
 .github/workflows/make-test-swtpm.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml
index fec1cf15..5a8368c2 100644
--- a/.github/workflows/make-test-swtpm.yml
+++ b/.github/workflows/make-test-swtpm.yml
@@ -178,7 +178,7 @@ jobs:
 working-directory: ./wolfssl-old
 run: |
 ./autogen.sh
- CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN" ./configure --enable-wolftpm
+ ./configure --enable-wolftpm --disable-examples --enable-cryptonly CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN"
 make
 sudo make install
 sudo ldconfig
From b042e4da67cf082d233e4c646e68fe8f6ff63bf3 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 21 Nov 2025 19:57:58 +0000
Subject: [PATCH 07/12] Fixes for build and testing with `--enable-infineon=9670`. Additional build tests.
---
 .github/workflows/make-test-swtpm.yml | 23 +++++++++++++++++++++--
 examples/native/native_test.c | 3 +++
 examples/tls/tls_client.c | 2 +-
 examples/tls/tls_server.c | 2 +-
 wolftpm/tpm2_types.h | 4 ++++
 5 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml
index 5a8368c2..156ad885 100644
--- a/.github/workflows/make-test-swtpm.yml
+++ b/.github/workflows/make-test-swtpm.yml
@@ -54,6 +54,25 @@ jobs:
 wolftpm_config: --enable-swtpm --enable-smallstack
 test_command: "make check && WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh"
 
+ # Infineon SLB9670
+ - name: slb9670
+ wolftpm_config: --enable-infineon=slb9670
+ # Infineon SLB9672
+ - name: slb9672
+ wolftpm_config: --enable-infineon=slb9672
+ # Infineon SLB9673
+ - name: slb9673
+ wolftpm_config: --enable-infineon=slb9673 --enable-i2c
+ # STMicro ST33KTPM2
+ - name: st33ktpm2
+ wolftpm_config: --enable-st33
+ # Microchip
+ - name: microchip
+ wolftpm_config: --enable-microchip
+ # Nuvoton
+ - name: nuvoton
+ wolftpm_config: --enable-nuvoton
+
 # TIS lock
 - name: tislock
 wolftpm_config: --enable-tislock
@@ -121,7 +140,7 @@ jobs:
 # Default configure (no AES CFB, no PKCS7, no crypto cb, no cert gen)
 - name: default-configure
- wolfssl_config: --enable-wolftpm
+ wolfssl_config: ""
 wolfssl_cflags: "-DWOLFSSL_PUBLIC_MP"
 test_command: "make check && WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh"
 needs_install: true
 
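Review bot: The six new hardware entries (`slb9670` through `nuvoton`) set only `wolftpm_config`, so they inherit whatever default `test_command` and `needs_swtpm` the job defines outside this hunk; under the `matrix.needs_swtpm == true || matrix.needs_swtpm == null` condition introduced in patch 02, the simulator checkout, port generation and start steps all run for them even though a build configured for a physical SPI/I2C part cannot talk to the simulator. If these are meant as build-only coverage, say so per entry with `needs_swtpm: false` and a `test_command` that only builds, or at least a comment such as `# build-only: hardware module, not testable against swtpm`. If the job's default test command runs `make check`, these entries will presumably fail against the simulator; the defaults are outside the hunk, so this is inferred.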
@@ -157,7 +176,7 @@ jobs: WOLFSSL_CONFIG="${{ matrix.wolfssl_config || '--enable-wolftpm --enable-pkcallbacks' }}" WOLFSSL_CFLAGS="${{ matrix.wolfssl_cflags || '' }}" if [ -n "$WOLFSSL_CFLAGS" ]; then - CFLAGS="$WOLFSSL_CFLAGS" ./configure $WOLFSSL_CONFIG + ./configure $WOLFSSL_CONFIG CFLAGS="$WOLFSSL_CFLAGS" else ./configure $WOLFSSL_CONFIG fi diff --git a/examples/native/native_test.c b/examples/native/native_test.c index abbdb257..135f74d1 100644 --- a/examples/native/native_test.c +++ b/examples/native/native_test.c @@ -1465,6 +1465,9 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]) goto exit; } } + + printf("Native test passed\n"); + exit: /* Close session */ diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c index fc8fb3f6..d4d7b57f 100644 --- a/examples/tls/tls_client.c +++ b/examples/tls/tls_client.c @@ -694,7 +694,7 @@ int main(int argc, char* argv[]) (void)argc; (void)argv; - printf("TPM Wrapper or PK//Crypto callback or TLS support not compiled in\n"); + printf("TPM Wrapper or PK/Crypto callback or TLS support not compiled in\n"); printf("Build wolfssl with ./configure --enable-wolftpm\n"); #endif diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c index bfe3a701..b76aab0b 100644 --- a/examples/tls/tls_server.c +++ b/examples/tls/tls_server.c @@ -742,7 +742,7 @@ int main(int argc, char* argv[]) (void)argc; (void)argv; - printf("TPM Wrapper or PK//Crypto callback or TLS support not compiled in\n"); + printf("TPM Wrapper or PK/Crypto callback or TLS support not compiled in\n"); printf("Build wolfssl with ./configure --enable-wolftpm\n"); #endif diff --git a/wolftpm/tpm2_types.h b/wolftpm/tpm2_types.h index 6421a476..20c9661f 100644 --- a/wolftpm/tpm2_types.h +++ b/wolftpm/tpm2_types.h 
@@ -349,6 +349,10 @@ typedef int64_t INT64;
 #ifdef WOLFTPM_SLB9670
 /* Max: 43MHz */
 #define TPM2_SPI_MAX_HZ_INFINEON 43000000
+ #ifndef MAX_AES_KEY_BITS
+ #define MAX_AES_KEY_BITS 128
+ #endif
+
 #elif !defined(WOLFTPM_AUTODETECT)
 #ifdef WOLFTPM_I2C
 #undef WOLFTPM_SLB9673
From 48eca3cd87bdb3cb478b92c4d712bc88a43103e9 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 21 Nov 2025 12:15:04 -0800
Subject: [PATCH 08/12] Fix issue with possible use of uninitialized in `rc` in `TPM2_GetNonceNoLock`. Attempt to fix build for old v4.7.0 wolfssl.
---
 .github/workflows/make-test-swtpm.yml | 8 +++++++-
 src/tpm2.c | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml
index 156ad885..604c29e7 100644
--- a/.github/workflows/make-test-swtpm.yml
+++ b/.github/workflows/make-test-swtpm.yml
@@ -192,12 +192,18 @@ jobs:
 repository: wolfssl/wolfssl
 path: wolfssl-old
 ref: v4.7.0-stable
+ - name: Apply wolfssl-v4.7.0.patch to old wolfSSL
+ if: matrix.name == 'old-wolfssl'
+ working-directory: ./wolfssl-old
+ run: |
+ git apply ../.github/workflows/wolfssl-v4.7.0.patch
 - name: Setup old wolfSSL for linking
 if: matrix.name == 'old-wolfssl'
 working-directory: ./wolfssl-old
 run: |
 ./autogen.sh
- ./configure --enable-wolftpm --disable-examples --enable-cryptonly CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN"
+ ./configure --enable-wolftpm --disable-examples CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_TEST_CERT -DWOLFSSL_KEY_GEN -DNO_WRITEV"
+
 make
 sudo make install
 sudo ldconfig
diff --git a/src/tpm2.c b/src/tpm2.c
index d2836543..01e2891b 100644
--- a/src/tpm2.c
+++ b/src/tpm2.c
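Review bot: `#define MAX_AES_KEY_BITS 128` under `WOLFTPM_SLB9670` carries no comment explaining why this part is capped at AES-128 while the other module branches are not, and a key-size cap is exactly the constant a reader will want to trace to a datasheet or to the failure it fixes. Suggest `/* SLB9670: cap AES key size at 128 bits (<reason: fill in, e.g. part lacks AES-256 parameter encryption — confirm>) */` above the `#ifndef`. Because the guard is `#ifndef`, a build that defines a larger MAX_AES_KEY_BITS on the command line silently keeps it; if 128 is a hard limit for this part, `#if MAX_AES_KEY_BITS > 128` / `#error "SLB9670 supports at most 128-bit AES"` / `#endif` would enforce it rather than defer the failure to runtime.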
@@ -5746,6 +5746,7 @@ int TPM2_GetNonceNoLock(byte* nonceBuf, int nonceSz)
 #else
 /* Call GetRandom directly, so a custom packet buffer can be used.
 * This won't conflict when being called from TPM2_CommandProcess. */
+ rc = 0; /* default to success */
 while (randSz < nonceSz) {
 UINT16 inSz = nonceSz - randSz, outSz = 0;
 if (inSz > MAX_RNG_REQ_SIZE) {
From 3120dac29763b4e5a52ce71c25640fb2431d85b8 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 21 Nov 2025 12:34:06 -0800
Subject: [PATCH 09/12] Add new `make cppcheck` option. Fixes for cppcheck. Added missing `wolfssl-v4.7.0.patch`
---
 .github/workflows/wolfssl-v4.7.0.patch | 19 +++++++++++++++++++
 Makefile.am | 11 +++++++++++
 configure.ac | 5 +++++
 examples/keygen/keyimport.c | 4 +++-
 examples/pcr/extend.c | 6 ++----
 src/tpm2_wrap.c | 11 +++++------
 6 files changed, 45 insertions(+), 11 deletions(-)
 create mode 100644 .github/workflows/wolfssl-v4.7.0.patch
diff --git a/.github/workflows/wolfssl-v4.7.0.patch b/.github/workflows/wolfssl-v4.7.0.patch
new file mode 100644
index 00000000..c10934c0
--- /dev/null
+++ b/.github/workflows/wolfssl-v4.7.0.patch
@@ -0,0 +1,19 @@
+diff --git a/src/tls13.c b/src/tls13.c
+index b2fd50f2f..bcc912890 100644
+--- a/src/tls13.c
++++ b/src/tls13.c
+@@ -421,6 +421,14 @@ static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
+ outputLen = hashSz;
+ if (includeMsgs)
+ hashOutSz = hashSz;
++ else {
++ /* Appease static analyzers by making sure hash is cleared, since it is
++ * passed into expand key label where older wc_Tls13_HKDF_Expand_Label
++ * will unconditionally try to call a memcpy on it, however length will
++ * always be 0. */
++ XMEMSET(hash, 0, sizeof(hash));
++ hashOutSz = 0;
++ }
+ 
+ return HKDF_Expand_Label(output, outputLen, secret, hashSz,
+ protocol, protocolLen, label, labelLen,
diff --git a/Makefile.am b/Makefile.am
index db655c22..afee7851 100644
--- a/Makefile.am
+++ b/Makefile.am
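Review bot: `rc = 0; /* default to success */` also makes a call whose loop never runs (`randSz >= nonceSz` on entry, e.g. `nonceSz <= 0`) return success without contacting the TPM or writing `nonceBuf`; if TPM2_GetNonceNoLock validates `nonceSz` before this point that is fine, but its start is outside the hunk so I cannot confirm it. Either state the precondition in the comment, `/* rc stays 0 unless a GetRandom call below fails; nonceSz > 0 is validated above (confirm) */`, or reject the degenerate size ahead of the loop with `if (nonceSz <= 0) return BAD_FUNC_ARG;` so "success" always means a nonce was produced.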
@@ -116,3 +116,14 @@ merge-clean: @find ./ | $(GREP) \.OTHER | xargs rm -f @find ./ | $(GREP) \.BASE | xargs rm -f @find ./ | $(GREP) \~$$ | xargs rm -f + +cppcheck: + @if test "x@CPPCHECK@" = "xno"; then \ + echo "Error: cppcheck not found. Please install cppcheck."; \ + exit 1; \ + fi + @CPPCHECK@ -f --enable=warning \ + --enable=portability --check-level=exhaustive \ + --suppress=invalidPrintfArgType_sint \ + --error-exitcode=89 --std=c89 \ + -I wolftpm src/ hal/ examples diff --git a/configure.ac b/configure.ac index abc8d9ff..c1f7c543 100644 --- a/configure.ac +++ b/configure.ac @@ -466,6 +466,10 @@ fi # HARDEN FLAGS AX_HARDEN_CC_COMPILER_FLAGS +# Check for cppcheck (optional, for make cppcheck target) +AC_CHECK_PROG([CPPCHECK], [cppcheck], [cppcheck], [no]) +AM_CONDITIONAL([HAVE_CPPCHECK], [test "x$CPPCHECK" != "xno"]) + OPTION_FLAGS="$CFLAGS $CPPFLAGS $AM_CFLAGS" @@ -494,6 +498,7 @@ CREATE_HEX_VERSION AC_SUBST([AM_CPPFLAGS]) AC_SUBST([AM_CFLAGS]) AC_SUBST([AM_LDFLAGS]) +AC_SUBST([CPPCHECK]) # FINAL AC_CONFIG_FILES([Makefile]) diff --git a/examples/keygen/keyimport.c b/examples/keygen/keyimport.c index 439d8a8a..c1973f66 100644 --- a/examples/keygen/keyimport.c +++ b/examples/keygen/keyimport.c @@ -149,7 +149,9 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg)); printf("\tSRK: %s\n", TPM2_GetAlgName(srkAlg)); printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg)); - printf("\tpassword: %s\n", password); + if (password != NULL) { + printf("\tpassword: %s\n", password); + } rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); if (rc != TPM_RC_SUCCESS) { diff --git a/examples/pcr/extend.c b/examples/pcr/extend.c index 39d13fa2..69cb78df 100644 --- a/examples/pcr/extend.c +++ b/examples/pcr/extend.c 
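Review bot: The `printf("\tpassword: %s\n", password)` in the keyimport.c hunk now only guards against NULL; it still echoes the key's authorization password to stdout, which ends up in CI logs and terminal scrollback. Printing only whether one was supplied keeps the cppcheck-driven NULL handling and drops the secret: `printf("\tpassword: %s\n", (password != NULL) ? "(set)" : "(none)");`. Separately, the configure.ac hunk defines `AM_CONDITIONAL([HAVE_CPPCHECK], ...)` while the Makefile.am `cppcheck:` target tests `"x@CPPCHECK@" = "xno"` at run time instead, so the conditional appears unused in the visible hunks; either wrap the target in `if HAVE_CPPCHECK` or drop the conditional.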
@@ -149,10 +149,8 @@ int TPM2_PCR_Extend_Test(void* userCtx, int argc, char *argv[])
 /* Prepare the hash from user file or predefined value */
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) && \
 !defined(WOLFTPM2_NO_WOLFCRYPT)
- if (filename) {
- fp = XFOPEN(filename, "rb");
- }
- if (filename && fp != XBADFILE) {
+ fp = XFOPEN(filename, "rb");
+ if (fp != XBADFILE) {
 rc = TPM2_GetHashType(alg);
 hashType = (enum wc_HashType)rc;
 wc_HashInit(&dig, hashType);
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index 08f517b4..71e337f7 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -2167,6 +2167,7 @@ int wolfTPM2_ComputeName(const TPM2B_PUBLIC* pub, TPM2B_NAME* out)
 #ifndef WOLFTPM2_NO_WOLFCRYPT
 /* Encode public into buffer */
 XMEMSET(&packet, 0, sizeof(packet));
+ XMEMSET(&data, 0, sizeof(data));
 packet.buf = data.buffer;
 packet.size = sizeof(data.buffer);
 TPM2_Packet_AppendPublicArea(&packet, (TPMT_PUBLIC*)&pub->publicArea);
@@ -7551,12 +7552,10 @@ int wolfTPM2_CSR_SetKeyUsage(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr,
 rc = wc_SetKeyUsage(&csr->req, keyUsage);
 }
 #else
- if (keyUsage != NULL) {
- #ifdef DEBUG_WOLFTPM
- printf("CSR_Generate key usage supplied, but not available\n");
- #endif
- rc = NOT_COMPILED_IN;
- }
+#ifdef DEBUG_WOLFTPM
+ printf("CSR_Generate key usage supplied, but not available\n");
+#endif
+ rc = NOT_COMPILED_IN;
 #endif
 (void)dev; /* not used */
 return rc;
From 545c6b3df10740f9ca81b7c65f348ac917f40472 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 21 Nov 2025 13:53:17 -0800
Subject: [PATCH 10/12] Fix for RSA private key import with PKCS8 header
---
 examples/pcr/policy_sign.c | 4 ++++
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/examples/pcr/policy_sign.c b/examples/pcr/policy_sign.c
index 5e71d9ce..43a11180 100644
--- a/examples/pcr/policy_sign.c
+++ b/examples/pcr/policy_sign.c
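Review bot: Removing the `if (filename)` guard in the extend.c hunk means `XFOPEN(filename, "rb")` is now reached with whatever `filename` holds, and if it can still be NULL here (the old code guarded exactly that, and the variable is assigned outside the hunk) this passes a NULL path to fopen. Unless the argument parsing above guarantees a non-NULL default, keep the guard in a form cppcheck accepts: `fp = (filename != NULL) ? XFOPEN(filename, "rb") : XBADFILE;`. In the `wolfTPM2_CSR_SetKeyUsage` hunk the `#else` branch now returns NOT_COMPILED_IN unconditionally where it previously left `rc` untouched for a NULL `keyUsage`; that is equivalent only if the function already rejects NULL above the hunk, otherwise it changes the NULL case from a no-op to an error, and the commit message does not say which is intended.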
@@ -138,6 +138,10 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
 if (rc == 0) {
 byte encHash[WC_MAX_DIGEST_SIZE + WC_MAX_ENCODED_DIG_ASN_SZ];
 word32 idx = 0;
+ #ifdef HAVE_PKCS8
+ /* skip PKCS8 header */
+ (void)wc_GetPkcs8TraditionalOffset((byte*)buf, &idx, bufSz);
+ #endif
 rc = wc_RsaPrivateKeyDecode(buf, &idx, &key.rsa, (word32)bufSz);
 if (rc == 0) {
 rc = wolfTPM2_DecodeRsaDer(buf, (word32)bufSz, &authPubKey->pub, NULL, 0);
From d936b8f551aee8cfa54bdfe7b9409c4e42081d94 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 21 Nov 2025 14:02:51 -0800
Subject: [PATCH 11/12] Fix for cast warning. Fix for WOLFTPM_DEBUG to show verbose/io also.
---
 CMakeLists.txt | 6 +++---
 examples/pcr/policy_sign.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index bb4a10f6..1c453105 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -123,8 +123,8 @@ endif()
 set(WOLFTPM_DEBUG "no" CACHE STRING
 "Enables option for debug (default: disabled)")
 set_property(CACHE WOLFTPM_DEBUG
- PROPERTY STRINGS "yes;no;verbose;io")
-if(WOLFTPM_DEBUG)
+ PROPERTY STRINGS "no;yes;verbose;io")
+if(NOT "${WOLFTPM_DEBUG}" STREQUAL "no")
 list(APPEND WOLFTPM_DEFINITIONS
 "-DDEBUG_WOLFTPM"
 "-DDEBUG")
@@ -477,7 +477,7 @@ message("Generating config header...")
 set(WOLFTPM_CONFIG_H "yes" CACHE STRING
 "Enable generation of config.h and define HAVE_CONFIG_H (default: enabled)")
 set_property(CACHE WOLFTPM_DEBUG
- PROPERTY STRINGS "yes;no")
+ PROPERTY STRINGS "yes;no;verbose;io")
 if(WOLFTPM_CONFIG_H)
 add_definitions("-DHAVE_CONFIG_H")
 configure_file("${CMAKE_CURRENT_SOURCE_DIR}/cmake/config.in"
diff --git a/examples/pcr/policy_sign.c b/examples/pcr/policy_sign.c
index 43a11180..4f1d19ed 100644
--- a/examples/pcr/policy_sign.c
+++ b/examples/pcr/policy_sign.c
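Review bot: In the second CMakeLists hunk, `set_property(CACHE WOLFTPM_DEBUG PROPERTY STRINGS ...)` sits inside the `WOLFTPM_CONFIG_H` block and re-targets the debug variable; this looks like a copy-paste of the debug block above, and the commit widens its STRINGS to match instead of fixing the target. It should read `set_property(CACHE WOLFTPM_CONFIG_H PROPERTY STRINGS "yes;no")`, which also makes the later "yes;no;verbose;io" edit unnecessary. In the first hunk, `if(NOT "${WOLFTPM_DEBUG}" STREQUAL "no")` treats `OFF`, `0` or `FALSE` as debug-enabled, whereas the previous `if(WOLFTPM_DEBUG)` was false for those and already true for `yes`, `verbose` and `io` (none of them is a CMake false constant); if those spellings should keep working, use `if(WOLFTPM_DEBUG AND NOT "${WOLFTPM_DEBUG}" STREQUAL "no")`.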
@@ -140,7 +140,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
 word32 idx = 0;
 #ifdef HAVE_PKCS8
 /* skip PKCS8 header */
- (void)wc_GetPkcs8TraditionalOffset((byte*)buf, &idx, bufSz);
+ (void)wc_GetPkcs8TraditionalOffset((byte*)buf, &idx, (word32)bufSz);
 #endif
 rc = wc_RsaPrivateKeyDecode(buf, &idx, &key.rsa, (word32)bufSz);
 if (rc == 0) {
From a88d7ba6e03a63cb5e51a661dae99727cfe3f9a0 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 21 Nov 2025 14:32:44 -0800
Subject: [PATCH 12/12] Add note about ifx_fw_update tool requirements
---
 examples/firmware/ifx_fw_update.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/examples/firmware/ifx_fw_update.c b/examples/firmware/ifx_fw_update.c
index 4edd17bc..5320d26e 100644
--- a/examples/firmware/ifx_fw_update.c
+++ b/examples/firmware/ifx_fw_update.c
@@ -233,8 +233,11 @@ int main(int argc, char *argv[])
 (defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673))
 rc = TPM2_IFX_Firmware_Update(NULL, argc, argv);
 #else
- printf("Support for firmware upgrade not compiled in! "
+ printf("Support for firmware upgrade not compiled in!\n"
 "See --enable-firmware or WOLFTPM_FIRMWARE_UPGRADE\n");
+ printf("This tool is for the Infineon SLB9672 or SLB9673 TPMs only\n"
+ "\t--enable-infineon=slb9672 (WOLFTPM_SLB9672)\n"
+ "\t--enable-infineon=slb9673 --enable-i2c (WOLFTPM_SLB9673)\n");
 (void)argc;
 (void)argv;
 #endif