Add firmware TPM 2.0 (fwTPM) implementation

Add portable firmware TPM 2.0 implementation (fwTPM) built on wolfCrypt.
Implements 105/113 TPM 2.0 v1.38 commands (93%) as a standalone server
with socket and TIS transports, NV storage, and full CI/fuzz coverage.

Author: dgarske

.github/workflows/cmake-build.yml

@@ -84,6 +84,15 @@ jobs:
           # Test combination of options
           - name: "Combined Options"
             options: "-DWOLFTPM_INTERFACE=I2C -DWOLFTPM_MODULE=st33 -DWOLFTPM_ADVIO=yes -DWOLFTPM_CHECK_WAIT_STATE=yes"
+          # fwTPM server with socket transport
+          - name: "fwTPM Socket"
+            options: "-DWOLFTPM_FWTPM=yes -DWOLFTPM_INTERFACE=SWTPM"
+          # fwTPM server with TIS/shared-memory transport
+          - name: "fwTPM TIS"
+            options: "-DWOLFTPM_FWTPM=yes -DWOLFTPM_INTERFACE=SPI"
+          # fwTPM server-only mode (no client library or examples)
+          - name: "fwTPM Only"
+            options: "-DWOLFTPM_FWTPM_ONLY=yes -DWOLFTPM_INTERFACE=SWTPM"
 
     steps:
 #pull wolfTPM
@@ -107,7 +116,7 @@ jobs:
         mkdir build
         cd build
         # wolfSSL PR 7188 broke "make install" unless WOLFSSL_INSTALL is set
-        cmake -DWOLFSSL_TPM=yes -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" ..
+        cmake -DWOLFSSL_TPM=yes -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DCMAKE_C_FLAGS="-DWC_RSA_NO_PADDING" ..
         cmake --build .
         cmake --install .
 
@@ -119,3 +128,9 @@ jobs:
         cmake ${{ matrix.config.options }} -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DWITH_WOLFSSL="$GITHUB_WORKSPACE/install" ..
         cmake --build .
         cmake --install .
+
+    - name: Test fwTPM
+      if: contains(matrix.config.options, 'WOLFTPM_FWTPM')
+      run: |
+        cd build
+        LD_LIBRARY_PATH="$GITHUB_WORKSPACE/install/lib" ctest --output-on-failure

.github/workflows/codespell.yml

@@ -23,4 +23,4 @@ jobs:
         uses: codespell-project/actions-codespell@v2
         with:
           skip: .git,./IDE,./certs,./m4,*.der,*.pem
-          ignore_words_list: inh,inout,keypair,nd,parm,rcv,ser,loadIn,importIn,certifyIn,bu,fo
+          ignore_words_list: inh,inout,keypair,nd,parm,rcv,ser,loadIn,importIn,certifyIn,bu,fo,daa,pris,hsi

.github/workflows/coverity-scan-fixes.yml

@@ -24,7 +24,7 @@ jobs:
       run: ./autogen.sh
     - name: wolfssl configure
       working-directory: ./wolfssl
-      run: ./configure --enable-wolftpm
+      run: ./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
     - name: wolfssl make
       working-directory: ./wolfssl
       run: make

.github/workflows/fuzz.yml

@@ -0,0 +1,95 @@
+name: Fuzz Testing
+
+on:
+  schedule:
+    - cron: '0 4 * * 1'  # Weekly Monday 4am UTC
+  workflow_dispatch:       # Manual trigger
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  fuzz:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Full fuzz run (weekly/manual) - 10 minutes
+          - name: fuzz-full
+            fuzz_time: 600
+            smoke_only: false
+          # Quick smoke test (PR) - 60 seconds
+          - name: fuzz-smoke
+            fuzz_time: 60
+            smoke_only: true
+
+    steps:
+      - name: Checkout wolfTPM
+        uses: actions/checkout@v4
+
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/wolfssl
+          path: wolfssl
+
+      - name: ASLR workaround
+        run: sudo sysctl vm.mmap_rnd_bits=28
+
+      - name: Build wolfSSL with fuzzer support
+        working-directory: ./wolfssl
+        run: |
+          ./autogen.sh
+          CC=clang ./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen \
+            CFLAGS="-fsanitize=fuzzer-no-link,address -fno-omit-frame-pointer -g -O1 -DWC_RSA_NO_PADDING" \
+            LDFLAGS="-fsanitize=address"
+          make -j$(nproc)
+          sudo make install
+          sudo ldconfig
+
+      - name: Build fuzz target
+        run: |
+          ./autogen.sh
+          CC=clang ./configure --enable-fwtpm --enable-fuzz \
+            CFLAGS="-fsanitize=fuzzer-no-link,address -fno-omit-frame-pointer -g -O1" \
+            LDFLAGS="-fsanitize=address"
+          make -j$(nproc)
+
+      - name: Generate seed corpus
+        run: python3 tests/fuzz/gen_corpus.py
+
+      - name: Run fuzzer
+        env:
+          ASAN_OPTIONS: "detect_leaks=1:abort_on_error=1:symbolize=1"
+        run: |
+          echo "Fuzzing for ${{ matrix.fuzz_time }} seconds..."
+          timeout ${{ matrix.fuzz_time }} \
+            ./tests/fuzz/fwtpm_fuzz \
+              tests/fuzz/corpus/ \
+              -dict=tests/fuzz/tpm2.dict \
+              -max_len=4096 \
+              -timeout=30 \
+              -rss_limit_mb=2048 \
+              -print_final_stats=1 \
+            || FUZZ_RC=$?
+          # timeout returns 124 on normal expiry, fuzzer returns 0 on no crash
+          if [ "${FUZZ_RC:-0}" -eq 124 ] || [ "${FUZZ_RC:-0}" -eq 0 ]; then
+            echo "Fuzzer completed without crashes"
+          else
+            echo "Fuzzer found crashes (exit code $FUZZ_RC)"
+            ls -la crash-* 2>/dev/null || true
+            exit 1
+          fi
+
+      - name: Upload crash artifacts
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: fuzz-crashes-${{ matrix.name }}
+          path: |
+            crash-*
+            oom-*
+            timeout-*
+          retention-days: 30
+          if-no-files-found: ignore