Add fwTPM CMake support. Peer review fixes.

Author: dgarske

.github/workflows/cmake-build.yml

@@ -84,6 +84,15 @@ jobs:
           # Test combination of options
           - name: "Combined Options"
             options: "-DWOLFTPM_INTERFACE=I2C -DWOLFTPM_MODULE=st33 -DWOLFTPM_ADVIO=yes -DWOLFTPM_CHECK_WAIT_STATE=yes"
+          # fwTPM server with socket transport
+          - name: "fwTPM Socket"
+            options: "-DWOLFTPM_FWTPM=yes -DWOLFTPM_INTERFACE=SWTPM"
+          # fwTPM server with TIS/shared-memory transport
+          - name: "fwTPM TIS"
+            options: "-DWOLFTPM_FWTPM=yes -DWOLFTPM_INTERFACE=SPI"
+          # fwTPM server-only mode (no client library or examples)
+          - name: "fwTPM Only"
+            options: "-DWOLFTPM_FWTPM_ONLY=yes -DWOLFTPM_INTERFACE=SWTPM"
 
     steps:
 #pull wolfTPM
@@ -107,7 +116,7 @@ jobs:
         mkdir build
         cd build
         # wolfSSL PR 7188 broke "make install" unless WOLFSSL_INSTALL is set
-        cmake -DWOLFSSL_TPM=yes -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" ..
+        cmake -DWOLFSSL_TPM=yes -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DCMAKE_C_FLAGS="-DWC_RSA_NO_PADDING" ..
         cmake --build .
         cmake --install .
 
@@ -119,3 +128,9 @@ jobs:
         cmake ${{ matrix.config.options }} -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DWITH_WOLFSSL="$GITHUB_WORKSPACE/install" ..
         cmake --build .
         cmake --install .
+
+    - name: Test fwTPM
+      if: contains(matrix.config.options, 'WOLFTPM_FWTPM')
+      run: |
+        cd build
+        LD_LIBRARY_PATH="$GITHUB_WORKSPACE/install/lib" ctest --output-on-failure

CMakeLists.txt

@@ -26,6 +26,32 @@ project(wolfTPM VERSION 3.10.0 LANGUAGES C)
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
 set(WOLFTPM_DEFINITIONS)
 
+# Firmware TPM (fwTPM) server
+set(WOLFTPM_FWTPM "no" CACHE STRING
+    "Enable firmware TPM (fwTPM) server (default: disabled)")
+set_property(CACHE WOLFTPM_FWTPM
+    PROPERTY STRINGS "yes;no")
+set(WOLFTPM_FWTPM_ONLY "no" CACHE STRING
+    "Build only the fwTPM server, skip client library and examples (default: disabled)")
+set_property(CACHE WOLFTPM_FWTPM_ONLY
+    PROPERTY STRINGS "yes;no")
+set(WOLFTPM_FWTPM_FUZZ "no" CACHE STRING
+    "Enable fwTPM fuzz target (requires libFuzzer, default: disabled)")
+set_property(CACHE WOLFTPM_FWTPM_FUZZ
+    PROPERTY STRINGS "yes;no")
+
+# fwtpm-only forces fwtpm on
+if(WOLFTPM_FWTPM_ONLY)
+    set(WOLFTPM_FWTPM "yes" CACHE STRING "" FORCE)
+endif()
+
+# Build wolftpm client library unless fwtpm-only mode
+if(WOLFTPM_FWTPM_ONLY)
+    set(BUILD_WOLFTPM_LIB OFF)
+else()
+    set(BUILD_WOLFTPM_LIB ON)
+endif()
+
 set(TPM_SOURCES
     src/tpm2.c
     src/tpm2_linux.c
@@ -45,10 +71,12 @@ set(TPM_SOURCES
 
 # default to build shared library
 option(BUILD_SHARED_LIBS "Build shared libraries (.dll/.so) instead of static ones (.lib/.a)" ON)
-add_library(wolftpm ${TPM_SOURCES})
-target_compile_definitions(wolftpm PRIVATE
-    "BUILDING_WOLFTPM"
-    )
+if(BUILD_WOLFTPM_LIB)
+    add_library(wolftpm ${TPM_SOURCES})
+    target_compile_definitions(wolftpm PRIVATE
+        "BUILDING_WOLFTPM"
+        )
+endif()
 
 include(CheckIncludeFile)
 check_include_file("fcntl.h" HAVE_FCNTL_H)
@@ -160,11 +188,11 @@ if("${WOLFTPM_INTERFACE}" STREQUAL "auto")
 endif("${WOLFTPM_INTERFACE}" STREQUAL "auto")
 
 
-if(WIN32)
+if(WIN32 AND BUILD_WOLFTPM_LIB)
     target_compile_definitions(wolftpm PRIVATE
         "WOLFTPM_DLL"
         )
-endif(WIN32)
+endif()
 
 if("${WOLFTPM_INTERFACE}" STREQUAL "SWTPM")
     list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_SWTPM")
@@ -179,7 +207,9 @@ elseif("${WOLFTPM_INTERFACE}" STREQUAL "DEVTPM")
 
 elseif("${WOLFTPM_INTERFACE}" STREQUAL "WINAPI")
     list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_WINAPI")
-    target_link_libraries(wolftpm PRIVATE tbs)
+    if(BUILD_WOLFTPM_LIB)
+        target_link_libraries(wolftpm PRIVATE tbs)
+    endif()
 
 elseif("${WOLFTPM_INTERFACE}" STREQUAL "SPI")
     # SPI interface
@@ -344,49 +374,91 @@ if(WOLFTPM_FIRMWARE)
     list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_FIRMWARE_UPGRADE")
 endif()
 
+# fwTPM definitions (after interface detection)
+if(WOLFTPM_FWTPM)
+    # WOLFTPM_FWTPM_BUILD goes into options.h for build detection
+    # Note: WOLFTPM_FWTPM itself is only set per-target on fwtpm_server/unit_test
+    list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_FWTPM_BUILD")
+    # Determine TIS vs socket transport
+    if(NOT "${WOLFTPM_INTERFACE}" STREQUAL "SWTPM")
+        list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_FWTPM_HAL")
+        list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_ADV_IO")
+        set(WOLFTPM_FWTPM_TIS ON)
+    else()
+        set(WOLFTPM_FWTPM_TIS OFF)
+    endif()
+endif()
+
+# If fwtpm-only, force examples off and disable wrapper
+if(WOLFTPM_FWTPM_ONLY)
+    set(WOLFTPM_EXAMPLES OFF CACHE BOOL "" FORCE)
+    list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM2_NO_WRAPPER")
+endif()
+
 # Examples
 set(WOLFTPM_EXAMPLES "yes" CACHE BOOL
     "Build examples")
 
-target_include_directories(wolftpm
-    PUBLIC
-    $<INSTALL_INTERFACE:include>
-    $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
-    $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
-    )
+if(BUILD_WOLFTPM_LIB)
+    target_include_directories(wolftpm
+        PUBLIC
+        $<INSTALL_INTERFACE:include>
+        $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
+        $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
+        )
+endif()
 
+# wolfSSL/wolfCrypt dependency (shared between wolftpm library and fwtpm targets)
+add_library(wolftpm_wolfssl_dep INTERFACE)
+set(WOLFCRYPT_AVAILABLE OFF)
 
 if (WITH_WOLFSSL)
-    target_link_libraries(wolftpm PUBLIC wolfssl)
-    target_include_directories(wolftpm PUBLIC ${WITH_WOLFSSL}/include)
-    target_link_directories(wolftpm PUBLIC ${WITH_WOLFSSL}/lib)
+    target_link_libraries(wolftpm_wolfssl_dep INTERFACE wolfssl)
+    target_include_directories(wolftpm_wolfssl_dep INTERFACE ${WITH_WOLFSSL}/include)
+    target_link_directories(wolftpm_wolfssl_dep INTERFACE ${WITH_WOLFSSL}/lib)
+    set(WOLFCRYPT_AVAILABLE ON)
 elseif (WITH_WOLFSSL_TREE)
     set(WOLFSSL_TPM "yes" CACHE STRING "")
     set(WOLFSSL_EXAMPLES "no" CACHE STRING "")
     set(WOLFSSL_CRYPT_TESTS "no" CACHE STRING "")
     add_subdirectory(${WITH_WOLFSSL_TREE} wolfssl)
-    target_link_libraries(wolftpm PUBLIC wolfssl)
+    target_link_libraries(wolftpm_wolfssl_dep INTERFACE wolfssl)
+    set(WOLFCRYPT_AVAILABLE ON)
 else()
     find_package(PkgConfig)
     pkg_check_modules(WOLFSSL wolfssl)
 
     if (WOLFSSL_FOUND)
-        target_link_libraries(wolftpm PUBLIC ${WOLFSSL_LIBRARIES})
-        target_include_directories(wolftpm PUBLIC ${WOLFSSL_INCLUDE_DIRS})
-        target_link_directories(wolftpm PUBLIC ${WOLFSSL_LIBRARY_DIRS})
-        target_compile_options(wolftpm PUBLIC ${WOLFSSL_CFLAGS_OTHER})
+        target_link_libraries(wolftpm_wolfssl_dep INTERFACE ${WOLFSSL_LIBRARIES})
+        target_include_directories(wolftpm_wolfssl_dep INTERFACE ${WOLFSSL_INCLUDE_DIRS})
+        target_link_directories(wolftpm_wolfssl_dep INTERFACE ${WOLFSSL_LIBRARY_DIRS})
+        target_compile_options(wolftpm_wolfssl_dep INTERFACE ${WOLFSSL_CFLAGS_OTHER})
+        set(WOLFCRYPT_AVAILABLE ON)
     else()
         # For support with vcpkg
         find_package(wolfssl CONFIG REQUIRED)
         if (wolfssl_FOUND)
-            target_link_libraries(wolftpm PUBLIC wolfssl::wolfssl)
+            target_link_libraries(wolftpm_wolfssl_dep INTERFACE wolfssl::wolfssl)
+            set(WOLFCRYPT_AVAILABLE ON)
         else()
             list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM2_NO_WOLFCRYPT")
         endif()
     endif()
 endif()
 
-if (WOLFTPM_EXAMPLES)
+# Link wolftpm library to wolfSSL
+if(BUILD_WOLFTPM_LIB)
+    target_link_libraries(wolftpm PUBLIC wolftpm_wolfssl_dep)
+endif()
+
+# fwTPM requires wolfCrypt
+if(WOLFTPM_FWTPM AND NOT WOLFCRYPT_AVAILABLE)
+    message(FATAL_ERROR
+        "fwTPM requires wolfCrypt. Provide wolfSSL via -DWITH_WOLFSSL=<path>, "
+        "-DWITH_WOLFSSL_TREE=<path>, or install it system-wide.")
+endif()
+
+if (WOLFTPM_EXAMPLES AND BUILD_WOLFTPM_LIB)
     add_library(tpm_test_lib STATIC
         examples/tpm_test_keys.c
         )
@@ -400,6 +472,104 @@ function(add_tpm_example name src)
     target_link_libraries(${name} wolftpm tpm_test_lib)
 endfunction()
 
+####################################################
+# fwTPM targets
+####################################################
+
+if(WOLFTPM_FWTPM)
+    # Core fwTPM sources (shared between server, unit test, and fuzz)
+    set(FWTPM_CORE_SOURCES
+        src/fwtpm/fwtpm.c
+        src/fwtpm/fwtpm_command.c
+        src/fwtpm/fwtpm_crypto.c
+        src/fwtpm/fwtpm_nv.c
+        src/tpm2_util.c
+        src/tpm2_packet.c
+        src/tpm2_crypto.c
+        src/tpm2_param_enc.c
+    )
+
+    # Server-specific sources
+    set(FWTPM_SERVER_SOURCES
+        ${FWTPM_CORE_SOURCES}
+        src/fwtpm/fwtpm_io.c
+        src/fwtpm/fwtpm_main.c
+    )
+
+    # TIS sources (when not using SWTPM socket transport)
+    if(WOLFTPM_FWTPM_TIS)
+        list(APPEND FWTPM_SERVER_SOURCES
+            src/fwtpm/fwtpm_tis.c
+            src/fwtpm/fwtpm_tis_shm.c
+        )
+    endif()
+
+    # fwtpm_server executable
+    add_executable(fwtpm_server ${FWTPM_SERVER_SOURCES})
+    target_compile_definitions(fwtpm_server PRIVATE "WOLFTPM_FWTPM")
+    if(WOLFTPM_FWTPM_TIS)
+        target_compile_definitions(fwtpm_server PRIVATE "WOLFTPM_FWTPM_TIS")
+    endif()
+    target_link_libraries(fwtpm_server PRIVATE wolftpm_wolfssl_dep)
+    target_include_directories(fwtpm_server PRIVATE
+        ${CMAKE_CURRENT_SOURCE_DIR}
+        ${CMAKE_CURRENT_BINARY_DIR}
+    )
+    if(UNIX AND NOT APPLE)
+        target_link_libraries(fwtpm_server PRIVATE pthread rt)
+    endif()
+
+    # fwtpm_unit_test executable
+    add_executable(fwtpm_unit_test
+        tests/fwtpm_unit_tests.c
+        ${FWTPM_CORE_SOURCES}
+    )
+    target_compile_definitions(fwtpm_unit_test PRIVATE
+        "WOLFTPM_FWTPM"
+        "FWTPM_NV_FILE=\"fwtpm_test_nv.bin\""
+    )
+    target_link_libraries(fwtpm_unit_test PRIVATE wolftpm_wolfssl_dep)
+    target_include_directories(fwtpm_unit_test PRIVATE
+        ${CMAKE_CURRENT_SOURCE_DIR}
+        ${CMAKE_CURRENT_BINARY_DIR}
+    )
+    if(UNIX AND NOT APPLE)
+        target_link_libraries(fwtpm_unit_test PRIVATE pthread)
+    endif()
+
+    # fwTPM fuzz target (libFuzzer)
+    if(WOLFTPM_FWTPM_FUZZ)
+        add_executable(fwtpm_fuzz
+            tests/fuzz/fwtpm_fuzz.c
+            ${FWTPM_CORE_SOURCES}
+        )
+        target_compile_definitions(fwtpm_fuzz PRIVATE "WOLFTPM_FWTPM")
+        target_link_libraries(fwtpm_fuzz PRIVATE wolftpm_wolfssl_dep)
+        target_include_directories(fwtpm_fuzz PRIVATE
+            ${CMAKE_CURRENT_SOURCE_DIR}
+            ${CMAKE_CURRENT_BINARY_DIR}
+        )
+        target_link_options(fwtpm_fuzz PRIVATE "-fsanitize=fuzzer")
+    endif()
+
+    # CTest integration
+    enable_testing()
+    add_test(NAME fwtpm_unit_test
+        COMMAND fwtpm_unit_test
+        WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+    )
+
+    message(STATUS "fwTPM server: enabled")
+    if(WOLFTPM_FWTPM_TIS)
+        message(STATUS "fwTPM transport: TIS/shared-memory")
+    else()
+        message(STATUS "fwTPM transport: socket (SWTPM)")
+    endif()
+    if(WOLFTPM_FWTPM_ONLY)
+        message(STATUS "fwTPM mode: server-only (no client library)")
+    endif()
+endif()
+
 function(add_to_options_file DEFINITIONS OPTION_FILE)
     list(REMOVE_DUPLICATES DEFINITIONS)
     foreach(DEF IN LISTS DEFINITIONS)
@@ -493,7 +663,7 @@ endif()
 
 
 
-if (WOLFTPM_EXAMPLES)
+if (WOLFTPM_EXAMPLES AND BUILD_WOLFTPM_LIB)
     add_tpm_example(activate_credential attestation/activate_credential.c)
     add_tpm_example(certify attestation/certify.c)
     add_tpm_example(make_credential attestation/make_credential.c)
@@ -548,18 +718,27 @@ endif()
 
 include(GNUInstallDirs)
 
-install(TARGETS wolftpm
-        EXPORT  wolftpm-targets
-        LIBRARY DESTINATION lib
-        ARCHIVE DESTINATION lib
-        RUNTIME DESTINATION bin
-        )
+if(BUILD_WOLFTPM_LIB)
+    install(TARGETS wolftpm wolftpm_wolfssl_dep
+            EXPORT  wolftpm-targets
+            LIBRARY DESTINATION lib
+            ARCHIVE DESTINATION lib
+            RUNTIME DESTINATION bin
+            )
+
+    # Install the export set
+    install(EXPORT wolftpm-targets
+            DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/wolftpm
+            FILE wolftpm-config.cmake
+            NAMESPACE wolfssl::)
+endif()
 
-# Install the export set
-install(EXPORT wolftpm-targets
-        DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/wolftpm
-        FILE wolftpm-config.cmake
-        NAMESPACE wolfssl::)
+# Install fwTPM server
+if(WOLFTPM_FWTPM)
+    install(TARGETS fwtpm_server
+            RUNTIME DESTINATION bin
+            )
+endif()
 
 # Install the headers
 install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/wolftpm/

examples/run_examples.sh

@@ -448,8 +448,6 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs] [tlsversi
     pushd $WOLFSSL_PATH >> $TPMPWD/run.out 2>&1
     echo -e "./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem -R $READY_FILE"
     ./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem -R "$READY_FILE" >> $TPMPWD/run.out 2>&1 &
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
     popd >> $TPMPWD/run.out 2>&1
     wait_for_ready "$READY_FILE" 500
     rm -f "$READY_FILE"
@@ -466,8 +464,6 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs] [tlsversi
 
     echo -e "./examples/tls/tls_server -p=$port -$1 $2"
     ./examples/tls/tls_server -p=$port -$1 $2 >> $TPMPWD/run.out 2>&1 &
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
     wait_for_port "$port" 500
     pushd $WOLFSSL_PATH >> $TPMPWD/run.out 2>&1