
Commit 01753bb

committed
Fix to auto enable fwtpm and swtpm for x86_64/amd64/aarch64. Fix CMake issue. Fix minor ticket issue after new tests.
1 parent 9ee1722 commit 01753bb

5 files changed

Lines changed: 47 additions & 22 deletions


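--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -465,14 +465,16 @@ if (WOLFTPM_EXAMPLES AND BUILD_WOLFTPM_LIB)
 add_library(tpm_test_lib STATIC
 examples/tpm_test_keys.c
 )
-target_link_libraries(tpm_test_lib wolftpm)
+# wolftpm_wolfssl_dep is needed explicitly because wolftpm now links it
+# PRIVATE (so wolfSSL does not leak into wolftpm's installed export set).
+target_link_libraries(tpm_test_lib PRIVATE wolftpm wolftpm_wolfssl_dep)
 endif()
 
 function(add_tpm_example name src)
 add_executable(${name}
 examples/${src}
 )
-target_link_libraries(${name} wolftpm tpm_test_lib)
+target_link_libraries(${name} PRIVATE wolftpm tpm_test_lib wolftpm_wolfssl_dep)
 endfunction()
 
 ####################################################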
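Review bot: `wolftpm_wolfssl_dep` is passed to `target_link_libraries` as a bare, un-namespaced name in both calls, so if that target is not defined in some configuration CMake will not stop at configure time but will hand the linker `-lwolftpm_wolfssl_dep`. Whether the target always exists before this block cannot be seen from the hunk; if it can be absent, either wrap it as `$<TARGET_NAME_IF_EXISTS:wolftpm_wolfssl_dep>` or fail early with `if(NOT TARGET wolftpm_wolfssl_dep)` and a `message(FATAL_ERROR ...)`. The explanatory comment sits only above the `tpm_test_lib` call, so the call inside `add_tpm_example` deserves its own one-liner such as `# wolftpm links wolfSSL PRIVATE, so examples must name wolftpm_wolfssl_dep themselves`. Both calls now use the keyword signature, which means any other plain-signature `target_link_libraries` on `tpm_test_lib` or on an example target elsewhere in the file would become a configure error; that is worth a quick grep.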

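--- a/configure.ac
+++ b/configure.ac
@@ -225,16 +225,29 @@ then
 AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_LINUX_DEV"
 fi
 
-# Defaults: fwTPM and swTPM are opt-in via --enable-fwtpm / --enable-swtpm.
-# Auto-enabling them on Linux/BSD changed default behavior for downstream
-# builders (new optional dependencies, different `make check`), so keep the
-# safer opt-in default. CI scripts pass these flags explicitly.
+# Native host defaults — auto-enable fwTPM and swTPM on Linux/BSD x86_64 / aarch64
+# so `make check` provides full coverage out of the box. Users can still
+# explicitly disable with --disable-fwtpm / --disable-swtpm.
 WOLFTPM_DEFAULT_FWTPM=no
 WOLFTPM_DEFAULT_SWTPM=no
+case $host_cpu in
+x86_64|amd64|aarch64)
+# Defensive exclusion: fwtpm_server uses POSIX sockets and is not
+# currently portable to Windows / Darwin. Auto-enable on Linux/BSD only.
+case $host_os in
+*mingw*|*cygwin*|*msys*|*darwin*|*win32*)
+;;
+*)
+WOLFTPM_DEFAULT_FWTPM=yes
+WOLFTPM_DEFAULT_SWTPM=yes
+;;
+esac
+;;
+esac
 
 # SW TPM device Support
 AC_ARG_ENABLE([swtpm],
-[AS_HELP_STRING([--enable-swtpm],[Enable use of TPM through the SW socket driver (default: disabled)])],
+[AS_HELP_STRING([--enable-swtpm],[Enable use of TPM through the SW socket driver (default: enabled on Linux x86_64/aarch64, disabled elsewhere)])],
 [ ENABLED_SWTPM=$enableval ],
 [ ENABLED_SWTPM=$WOLFTPM_DEFAULT_SWTPM ]
 )
@@ -286,7 +299,7 @@ AC_SUBST([DISTCHECK_SWTPM_PORT_FLAG])
 
 # Firmware TPM (fwTPM) - software TPM 2.0 simulator
 AC_ARG_ENABLE([fwtpm],
-[AS_HELP_STRING([--enable-fwtpm],[Enable firmware TPM (fwTPM) server (default: disabled)])],
+[AS_HELP_STRING([--enable-fwtpm],[Enable firmware TPM (fwTPM) server (default: enabled on Linux x86_64/aarch64, disabled elsewhere)])],
 [ ENABLED_FWTPM=$enableval ],
 [ ENABLED_FWTPM=$WOLFTPM_DEFAULT_FWTPM ]
 )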
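Review bot: The inner `case $host_os` is a deny-list, so every x86_64/amd64/aarch64 host that is not mingw/cygwin/msys/darwin/win32 gets both defaults flipped to `yes`, including cross builds for bare-metal or RTOS triplets. The comment promises "Linux/BSD only" and both help strings say Linux only. An allow-list would match the stated intent: make the enabling arm `*linux*|*bsd*)` and leave `*)` empty so the defaults stay `no`. The swtpm help string describes the option as selecting the SW socket driver, so a default-on build presumably no longer talks to a hardware TPM device unless the builder passes `--disable-swtpm`. The removed comment flagged exactly this change of default for downstream builders, so it should be stated in the comment above `WOLFTPM_DEFAULT_FWTPM=no` and in the release notes.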

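--- a/src/fwtpm/fwtpm_command.c
+++ b/src/fwtpm/fwtpm_command.c
@@ -5512,6 +5512,9 @@ static TPM_RC FwCmd_Sign(FWTPM_CTX* ctx, TPM2_Packet* cmd,
 UINT16 ticketTag = 0;
 UINT32 ticketHier = 0;
 byte ticketDigest[TPM_MAX_DIGEST_SIZE];
+byte expectedHmac[TPM_MAX_DIGEST_SIZE];
+int expectedSz = 0;
+int ticketSupplied = 0;
 FWTPM_Object* obj = NULL;
 int paramSzPos = 0;
 int paramStart = 0;
@@ -5603,24 +5606,30 @@ static TPM_RC FwCmd_Sign(FWTPM_CTX* ctx, TPM2_Packet* cmd,
 }
 }
 
-/* For restricted signing keys: verify the ticket proves the digest
-* was produced by this TPM per TPM 2.0 Part 3 Section 12.4 */
-if (rc == 0 && (obj->pub.objectAttributes & TPMA_OBJECT_restricted)) {
-if (ticketTag != TPM_ST_HASHCHECK || ticketHier == TPM_RH_NULL) {
+/* Validate TK_HASHCHECK ticket per TPM 2.0 Part 3 Section 18.7 / 12.4:
+* - Restricted signing keys REQUIRE a valid ticket.
+* - For any key, if a ticket is supplied, it must verify. */
+if (rc == 0) {
+ticketSupplied = (ticketHier != TPM_RH_NULL && vdSz > 0);
+if ((obj->pub.objectAttributes & TPMA_OBJECT_restricted) &&
+!ticketSupplied) {
 rc = TPM_RC_TICKET;
 }
-if (rc == 0) {
-byte expectedHmac[TPM_MAX_DIGEST_SIZE];
-int expectedSz = 0;
-int trc = FwComputeTicketHmac(ctx, ticketHier, obj->pub.nameAlg,
-digest.buffer, digest.size, expectedHmac, &expectedSz);
-if (trc != 0 || vdSz != (UINT16)expectedSz ||
+}
+if (rc == 0 && ticketSupplied) {
+if (ticketTag != TPM_ST_HASHCHECK) {
+rc = TPM_RC_TICKET;
+}
+}
+if (rc == 0 && ticketSupplied) {
+rc = FwComputeTicketHmac(ctx, ticketHier, obj->pub.nameAlg,
+digest.buffer, digest.size, expectedHmac, &expectedSz);
+if (rc != 0 || vdSz != (UINT16)expectedSz ||
 TPM2_ConstantCompare(ticketDigest, expectedHmac,
 (word32)expectedSz) != 0) {
-rc = TPM_RC_TICKET;
-}
-TPM2_ForceZero(expectedHmac, sizeof(expectedHmac));
+rc = TPM_RC_TICKET;
 }
+TPM2_ForceZero(expectedHmac, sizeof(expectedHmac));
 }
 
 #ifdef DEBUG_WOLFTPM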
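Review bot: `ticketSupplied = (ticketHier != TPM_RH_NULL && vdSz > 0)` in the second hunk classifies a half-formed ticket (non-NULL hierarchy with an empty digest, or NULL hierarchy with a non-empty digest) as "not supplied". For an unrestricted key, both the tag check and the HMAC check are then skipped instead of failing, which contradicts the new comment's "if a ticket is supplied, it must verify". If the strict reading is intended, reject that case right after the assignment with `if (!ticketSupplied && (ticketHier != TPM_RH_NULL || vdSz > 0)) rc = TPM_RC_TICKET;`; otherwise reword the comment to say that only a ticket with a non-NULL hierarchy and a non-empty digest is verified. The code that parses `ticketDigest` and `vdSz` lies between the two hunks and is not visible, so the bound of `vdSz` against `sizeof(ticketDigest)` should be confirmed there. FwCmd_Sign begins and ends outside the hunks shown.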

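--- a/src/tpm2_crypto.c
+++ b/src/tpm2_crypto.c
@@ -23,6 +23,7 @@
 #include <config.h>
 #endif
 
+#include <wolftpm/tpm2.h>
 #include <wolftpm/tpm2_crypto.h>
 #include <wolftpm/tpm2_packet.h>
 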
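--- a/tests/unit_tests.c
+++ b/tests/unit_tests.c
@@ -853,7 +853,7 @@ static void test_TPM2_KDFa(void)
 static void test_TPM2_KDFe(void)
 {
 int rc;
-#define TEST_KDFE_KEYSZ 32
+enum { TEST_KDFE_KEYSZ = 32 };
 /* Use a simple known Z, label, and party info */
 const byte Z[TEST_KDFE_KEYSZ] = {
 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,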
