Add auto detection on linux

Author: aidangarske

.github/workflows/make-test-swtpm.yml

@@ -102,6 +102,16 @@ jobs:
             wolftpm_config: --enable-advio
             needs_swtpm: false
 
+          # Autodetect (default configure, /dev/tpm0 + SPI dual support)
+          - name: autodetect
+            wolftpm_config: ""
+            needs_swtpm: false
+
+          # Autodetect with debug
+          - name: autodetect-debug
+            wolftpm_config: --enable-debug
+            needs_swtpm: false
+
           # Clang ASAN
           - name: clang-asan
             wolftpm_cflags: "-fsanitize=address -fno-omit-frame-pointer -g"

README.md

@@ -9,6 +9,7 @@ Portable TPM 2.0 project designed for embedded use.
 * Wrappers provided to simplify Key Generation/Loading, RSA encrypt/decrypt, ECC sign/verify, ECDH, NV, Hashing/HACM, AES, Sealing/Unsealing, Attestation, PCR Extend/Quote and Secure Root of Trust.
 * Testing done using TPM 2.0 modules from STMicro ST33 (SPI/I2C), Infineon OPTIGA SLB9670/SLB9672/SLB9673, Microchip ATTPM20, Nations Tech Z32H330TC/NS350 and Nuvoton NPCT650/NPCT750.
 * wolfTPM uses the TPM Interface Specification (TIS) to communicate either over SPI, or using a memory mapped I/O range.
+* On Linux, wolfTPM auto-detects between the kernel TPM driver (`/dev/tpmX`) and direct SPI access at runtime — a simple `./configure && make` works with either interface.
 * wolfTPM can also use the Linux TPM kernel interface (`/dev/tpmX`) to talk with any physical TPM on SPI, I2C and even LPC bus.
 * Platform support for Raspberry Pi (Linux), MMIO, STM32 with CubeMX, Atmel ASF, Xilinx, QNX Infineon TriCore and Barebox.
 * The design allows for easy portability to different platforms:
@@ -192,12 +193,16 @@ make install
 --enable-firmware       Enable firmware upgrade support for Infineon SLB9672/SLB9673 and ST ST33 (default: disabled) - WOLFTPM_FIRMWARE_UPGRADE
 
 --enable-autodetect     Enable Runtime Module Detection (default: enable - when no module specified) - WOLFTPM_AUTODETECT
+                        On Linux this also auto-detects /dev/tpmrm0 or /dev/tpm0 at runtime,
+                        falling back to SPI if the kernel driver is not available.
 --enable-infineon       Enable Infineon SLB9670/SLB9672/SLB9673 TPM Support (default: disabled) - WOLFTPM_SLB9670 / WOLFTPM_SLB9672
 --enable-st             Enable ST ST33 Support (default: disabled) - WOLFTPM_ST33
 --enable-microchip      Enable Microchip ATTPM20 Support (default: disabled) - WOLFTPM_MICROCHIP
 --enable-nuvoton        Enable Nuvoton NPCT65x/NPCT75x Support (default: disabled) - WOLFTPM_NUVOTON
 
 --enable-devtpm         Enable using Linux kernel driver for /dev/tpmX (default: disabled) - WOLFTPM_LINUX_DEV
+                        Note: With autodetect (default) this is no longer required on Linux;
+                        the kernel driver is tried automatically before SPI.
 --enable-swtpm          Enable using SWTPM TCP protocol. For use with simulator. (default: disabled) - WOLFTPM_SWTPM
 --enable-winapi         Use Windows TBS API. (default: disabled) - WOLFTPM_WINAPI
 
@@ -283,7 +288,15 @@ idf.py build
 
 ### Building for "/dev/tpmX"
 
-The `--enable-devtpm` or `WOLFTPM_LINUX_DEV` build option allows you to use the Linux supplied TPM (TIS) driver.
+**Auto-detection (recommended):** On Linux, a default `./configure && make` will automatically try `/dev/tpmrm0` then `/dev/tpm0` at runtime. If the kernel driver is available it will be used; otherwise wolfTPM falls back to direct SPI access. No special configure options are needed.
+
+```bash
+./autogen.sh
+./configure
+make
+```
+
+Previously, using the kernel TPM driver required the `--enable-devtpm` flag. This is no longer necessary with autodetect (enabled by default). You can still use `--enable-devtpm` to force kernel-driver-only mode, which disables SPI fallback.
 
 To specify a different `/dev/tpmX` device use `CFLAGS="-DTPM2_LINUX_DEV=/dev/tpm1"`
 

hal/tpm_io_linux.c

@@ -99,9 +99,7 @@
             static char TPM2_SPI_DEV[] = TPM2_SPI_DEV_PATH "0";
             #define MAX_SPI_DEV_CS '4'
             static int foundSpiDev = 0;
-        #ifdef DEBUG_WOLFTPM
             static int spiDevNotFound = 0;
-        #endif
         #else
             #define TPM2_SPI_DEV TPM2_SPI_DEV_PATH TPM2_SPI_DEV_CS
             static int spiOpenFailed = 0;
@@ -218,6 +216,39 @@
     }
 
 #else
+    /* Called when SPI device cannot be opened or no TPM found on SPI bus.
+     * Checks if the Linux kernel TPM driver is available and suggests
+     * alternatives. */
+    static void spiOpenFailedMessage(void)
+    {
+    #ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+        /* Autodetect already tried /dev/tpm0; SPI also failed */
+        #ifdef DEBUG_WOLFTPM
+        printf("Neither /dev/tpm0 nor SPI bus produced a TPM response.\n"
+            "Ensure a TPM is connected and the kernel driver or spidev "
+            "is enabled.\n");
+        #endif
+    #else
+        if (access("/dev/tpm0", F_OK) == 0 ||
+            access("/dev/tpmrm0", F_OK) == 0) {
+            printf("TPM kernel driver detected (/dev/tpm0).\n"
+                "Either build wolfTPM with ./configure --enable-devtpm\n"
+                "or disable the kernel driver by commenting out the TPM\n"
+                "overlay in /boot/config.txt or /boot/firmware/config.txt\n"
+                "and enable spidev to use direct SPI access.\n");
+        }
+        #ifdef DEBUG_WOLFTPM
+        else {
+            printf("If using Linux kernel TPM driver (/dev/tpm0), "
+                "build with --enable-devtpm.\n"
+                "To use SPI directly, make sure /dev/spidev is available "
+                "and the TPM\nkernel overlay is disabled in /boot/config.txt "
+                "or /boot/firmware/config.txt.\n");
+        }
+        #endif
+    #endif /* WOLFTPM_LINUX_DEV_AUTODETECT */
+    }
+
     /* Use Linux SPI synchronous access */
     int TPM2_IoCb_Linux_SPI(TPM2_CTX* ctx, const byte* txBuf, byte* rxBuf,
         word16 xferSz, void* userCtx)
@@ -336,12 +367,13 @@
                         "Use sudo or check device permissions.\n",
                         TPM2_SPI_DEV);
                 }
-            #ifdef DEBUG_WOLFTPM
                 else {
+                #ifdef DEBUG_WOLFTPM
                     printf("Failed to open SPI device %s (errno %d)\n",
                         TPM2_SPI_DEV, errno);
+                #endif
+                    spiOpenFailedMessage();
                 }
-            #endif
             }
         #endif
         }
@@ -362,13 +394,14 @@
                     TPM2_SPI_DEV[devLen-1]++;
                     goto tryagain;
                 }
-            #ifdef DEBUG_WOLFTPM
                 if (!spiDevNotFound) {
                     spiDevNotFound = 1;
+                #ifdef DEBUG_WOLFTPM
                     printf("TPM not found on SPI bus %s[0-%c]\n",
                         TPM2_SPI_DEV_PATH, MAX_SPI_DEV_CS);
+                #endif
+                    spiOpenFailedMessage();
                 }
-            #endif
             }
         }
     #endif

src/include.am

@@ -11,11 +11,8 @@ src_libwolftpm_la_SOURCES      = \
                                 src/tpm2_wrap.c \
                                 src/tpm2_asn.c \
                                 src/tpm2_param_enc.c \
-                                src/tpm2_cryptocb.c
-
-if BUILD_DEVTPM
-src_libwolftpm_la_SOURCES      += src/tpm2_linux.c
-endif
+                                src/tpm2_cryptocb.c \
+                                src/tpm2_linux.c
 if BUILD_SWTPM
 src_libwolftpm_la_SOURCES      += src/tpm2_swtpm.c
 endif

src/tpm2.c

@@ -60,6 +60,9 @@ static THREAD_LS_T TPM2_CTX* gActiveTPM;
 #ifdef WOLFTPM_LINUX_DEV
 #define INTERNAL_SEND_COMMAND      TPM2_LINUX_SendCommand
 #define TPM2_INTERNAL_CLEANUP(ctx)
+#elif defined(WOLFTPM_LINUX_DEV_AUTODETECT)
+#define INTERNAL_SEND_COMMAND      TPM2_LINUX_AUTODETECT_SendCommand
+#define TPM2_INTERNAL_CLEANUP(ctx)
 #elif defined(WOLFTPM_SWTPM)
 #define INTERNAL_SEND_COMMAND      TPM2_SWTPM_SendCommand
 #define TPM2_INTERNAL_CLEANUP(ctx)
@@ -647,6 +650,13 @@ TPM_RC TPM2_Init_ex(TPM2_CTX* ctx, TPM2HalIoCb ioCb, void* userCtx,
     if (ioCb != NULL || userCtx != NULL) {
         return BAD_FUNC_ARG;
     }
+#elif defined(WOLFTPM_LINUX_DEV_AUTODETECT)
+    /* Accept IO callback for SPI fallback path */
+    if (ioCb != NULL) {
+        rc = TPM2_SetHalIoCb(ctx, ioCb, userCtx);
+        if (rc != TPM_RC_SUCCESS)
+            return rc;
+    }
 #else
     #ifdef WOLFTPM_MMIO
     if (ioCb == NULL)
@@ -658,14 +668,18 @@ TPM_RC TPM2_Init_ex(TPM2_CTX* ctx, TPM2HalIoCb ioCb, void* userCtx,
         return rc;
 #endif
 
-#ifdef WOLFTPM_LINUX_DEV
+#if defined(WOLFTPM_LINUX_DEV) || defined(WOLFTPM_LINUX_DEV_AUTODETECT)
     ctx->fd = -1;
 #endif
 
     /* Set the active TPM global */
     TPM2_SetActiveCtx(ctx);
 
-    if (timeoutTries > 0) {
+    if (timeoutTries > 0
+    #ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+        && ctx->ioCb != NULL /* autodetect: skip if no IO callback */
+    #endif
+    ) {
         /* Perform chip startup and assign locality */
         rc = TPM2_ChipStartup(ctx, timeoutTries);
     }
@@ -729,7 +743,8 @@ TPM_RC TPM2_Cleanup(TPM2_CTX* ctx)
     }
 #endif /* !WOLFTPM2_NO_WOLFCRYPT */
 
-#if defined(WOLFTPM_LINUX_DEV) && !defined(__UBOOT__)
+#if (defined(WOLFTPM_LINUX_DEV) || defined(WOLFTPM_LINUX_DEV_AUTODETECT)) \
+    && !defined(__UBOOT__)
     if (ctx->fd >= 0)
         close(ctx->fd);
 #endif

src/tpm2_linux.c

@@ -25,7 +25,7 @@
 
 #include <wolftpm/tpm2_types.h>
 
-#ifdef WOLFTPM_LINUX_DEV
+#if defined(WOLFTPM_LINUX_DEV) || defined(WOLFTPM_LINUX_DEV_AUTODETECT)
 #include <wolftpm/tpm2_linux.h>
 #include <wolftpm/tpm2_packet.h>
 
@@ -194,4 +194,46 @@ int TPM2_LINUX_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
     return rc;
 }
 #endif /* __UBOOT__ __linux__ */
-#endif /* WOLFTPM_LINUX_DEV */
+
+#ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+#include <wolftpm/tpm2_tis.h>
+
+int TPM2_LINUX_TryOpen(TPM2_CTX* ctx)
+{
+    /* Try resource manager first (kernel 4.12+), then raw device */
+    ctx->fd = open("/dev/tpmrm0", O_RDWR | O_NONBLOCK);
+    if (ctx->fd >= 0) {
+    #ifdef DEBUG_WOLFTPM
+        printf("Opened /dev/tpmrm0\n");
+    #endif
+        return TPM_RC_SUCCESS;
+    }
+
+    ctx->fd = open("/dev/tpm0", O_RDWR | O_NONBLOCK);
+    if (ctx->fd >= 0) {
+    #ifdef DEBUG_WOLFTPM
+        printf("Opened /dev/tpm0\n");
+    #endif
+        return TPM_RC_SUCCESS;
+    }
+
+    /* Distinguish "not available" from "permission denied" */
+    if (errno == EACCES) {
+        printf("Permission denied on /dev/tpm0\n"
+            "Use sudo or add tss group to user.\n");
+        return TPM_RC_FAILURE;
+    }
+
+    /* ENOENT or other: device not present, caller should try SPI */
+    return TPM_RC_INITIALIZE; /* sentinel: "not found, try next" */
+}
+
+int TPM2_LINUX_AUTODETECT_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
+{
+    if (ctx->fd >= 0)
+        return TPM2_LINUX_SendCommand(ctx, packet);
+    return TPM2_TIS_SendCommand(ctx, packet);
+}
+#endif /* WOLFTPM_LINUX_DEV_AUTODETECT */
+
+#endif /* WOLFTPM_LINUX_DEV || WOLFTPM_LINUX_DEV_AUTODETECT */

src/tpm2_wrap.c

@@ -31,6 +31,9 @@
 /* For some struct to buffer conversions */
 #include <wolftpm/tpm2_packet.h>
 #include <hal/tpm_io.h> /* for default IO callback */
+#ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+    #include <wolftpm/tpm2_linux.h>
+#endif
 
 /* Local Functions */
 static int wolfTPM2_GetCapabilities_NoDev(WOLFTPM2_CAPS* cap);
@@ -63,7 +66,53 @@ static int wolfTPM2_Init_ex(TPM2_CTX* ctx, TPM2HalIoCb ioCb, void* userCtx,
     if (ctx == NULL)
         return BAD_FUNC_ARG;
 
-#if defined(WOLFTPM_LINUX_DEV) || defined(WOLFTPM_SWTPM) || \
+#if defined(WOLFTPM_LINUX_DEV_AUTODETECT)
+    /* Phase 1: Minimal init (sets up IO callback, no TIS chip startup) */
+    rc = TPM2_Init_ex(ctx, ioCb, userCtx, 0);
+    if (rc != TPM_RC_SUCCESS) {
+        printf("TPM2_Init failed 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc));
+        return rc;
+    }
+
+    /* Phase 2: Try /dev/tpmrm0 then /dev/tpm0 */
+    rc = TPM2_LINUX_TryOpen(ctx);
+    if (rc == TPM_RC_SUCCESS) {
+        /* Using kernel driver - startup/locality handled by kernel */
+    #ifdef DEBUG_WOLFTPM
+        printf("TPM2: Using Linux kernel driver\n");
+    #endif
+        return TPM_RC_SUCCESS;
+    }
+    else if (rc == TPM_RC_FAILURE) {
+        /* Permission denied or hard error - don't try SPI */
+        return rc;
+    }
+    /* rc == TPM_RC_INITIALIZE means "not found", fall through to SPI */
+
+    /* Phase 3: SPI fallback - requires IO callback */
+    if (ioCb == NULL) {
+    #ifdef DEBUG_WOLFTPM
+        printf("TPM2: Kernel driver not available and no IO callback for SPI\n");
+    #endif
+        return TPM_RC_FAILURE;
+    }
+#ifdef DEBUG_WOLFTPM
+    printf("TPM2: Kernel driver not available, trying SPI\n");
+#endif
+    if (timeoutTries > 0) {
+        rc = TPM2_ChipStartup(ctx, timeoutTries);
+        if (rc != TPM_RC_SUCCESS) {
+            printf("TPM2_Init failed 0x%x: %s\n", rc,
+                wolfTPM2_GetRCString(rc));
+            return rc;
+        }
+    }
+    else {
+        rc = TPM_RC_SUCCESS; /* clear TryOpen sentinel */
+    }
+    /* Fall through to Startup/SelfTest below */
+
+#elif defined(WOLFTPM_LINUX_DEV) || defined(WOLFTPM_SWTPM) || \
     defined(WOLFTPM_WINAPI)
     rc = TPM2_Init_minimal(ctx);
     /* Using standard file I/O for the Linux TPM device */
@@ -8254,6 +8303,9 @@ static int tpm2_ifx_firmware_start(WOLFTPM2_DEV* dev, TPM_ALG_ID hashAlg,
         #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \
             !defined(WOLFTPM_WINAPI)
             /* Do chip startup and request locality again */
+        #ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+            if (dev->ctx.fd < 0) /* Only needed for SPI path */
+        #endif
             rc = TPM2_ChipStartup(&dev->ctx, 10);
         #endif
         }
@@ -8367,6 +8419,9 @@ static int tpm2_ifx_firmware_data(WOLFTPM2_DEV* dev,
     #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \
         !defined(WOLFTPM_WINAPI)
         /* Do chip startup and request locality again */
+    #ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+        if (dev->ctx.fd < 0) /* Only needed for SPI path */
+    #endif
         rc = TPM2_ChipStartup(&dev->ctx, 10);
     #endif
     }
@@ -8610,6 +8665,9 @@ static int tpm2_st33_firmware_start_common(WOLFTPM2_DEV* dev,
     #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \
         !defined(WOLFTPM_WINAPI)
         /* Do chip startup and request locality again */
+    #ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+        if (dev->ctx.fd < 0) /* Only needed for SPI path */
+    #endif
         rc = TPM2_ChipStartup(&dev->ctx, 10);
     #endif
     }
@@ -8732,6 +8790,9 @@ static int tpm2_st33_firmware_data(WOLFTPM2_DEV* dev,
     #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \
         !defined(WOLFTPM_WINAPI)
         /* Do chip startup and request locality again */
+    #ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+        if (dev->ctx.fd < 0) /* Only needed for SPI path */
+    #endif
         rc = TPM2_ChipStartup(&dev->ctx, 10);
     #endif
     }

wolftpm/tpm2.h

@@ -1899,7 +1899,7 @@ typedef struct TPM2_CTX {
     unsigned int rngInit:1;
     #endif
 #endif
-#ifdef WOLFTPM_LINUX_DEV
+#if defined(WOLFTPM_LINUX_DEV) || defined(WOLFTPM_LINUX_DEV_AUTODETECT)
     int fd;
 #endif
 } TPM2_CTX;

wolftpm/tpm2_linux.h

@@ -32,6 +32,17 @@
 /* TPM2 IO for using TPM through the Linux kernel driver */
 WOLFTPM_LOCAL int TPM2_LINUX_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet);
 
+#ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+/* Try opening /dev/tpmrm0 then /dev/tpm0. Returns TPM_RC_SUCCESS if opened,
+ * sets ctx->fd. On EACCES prints permission message and returns FAILURE.
+ * Returns TPM_RC_INITIALIZE if device not found (caller should try SPI). */
+WOLFTPM_LOCAL int TPM2_LINUX_TryOpen(TPM2_CTX* ctx);
+
+/* Runtime dispatch: uses /dev/tpm0 if ctx->fd >= 0, otherwise TIS/SPI */
+WOLFTPM_LOCAL int TPM2_LINUX_AUTODETECT_SendCommand(TPM2_CTX* ctx,
+    TPM2_Packet* packet);
+#endif
+
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif