Merge pull request #458 from aidangarske/add-full-spdm-support

wolfTPM SPDM support (Nuvoton NPCT75x and NSING NS350)

Author: dgarske

.github/workflows/make-test-swtpm.yml

@@ -75,6 +75,36 @@ jobs:
           # STMicro ST33KTPM2
           - name: st33ktpm2 firmware
             wolftpm_config: --enable-st33 --enable-firmware
+          # SPDM + Nuvoton (compile-only, no hardware in CI)
+          - name: spdm-nuvoton
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nuvoton
+            needs_swtpm: false
+          # SPDM small stack (heap-allocated SPDM context)
+          - name: spdm-smallstack
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nuvoton --enable-smallstack
+            needs_swtpm: false
+          # SPDM debug
+          - name: spdm-debug
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nuvoton --enable-debug
+            needs_swtpm: false
+          # SPDM + Nations (compile-only, no hardware in CI)
+          - name: spdm-nations
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nations
+            needs_swtpm: false
+          # SPDM + Nations debug
+          - name: spdm-nations-debug
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nations --enable-debug
+            needs_swtpm: false
+          # SPDM + Nations small stack (heap-allocated SPDM context)
+          - name: spdm-nations-smallstack
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nations --enable-smallstack
+            needs_swtpm: false
           # Microchip
           - name: microchip
             wolftpm_config: --enable-microchip

.gitignore

@@ -92,6 +92,7 @@ examples/firmware/ifx_fw_update
 examples/firmware/st33_fw_update
 examples/endorsement/get_ek_certs
 examples/endorsement/verify_ek_cert
+examples/spdm/spdm_ctrl
 
 # Generated Cert Files
 certs/ca-*.pem
@@ -181,10 +182,18 @@ UpgradeLog.htm
 /IDE/Espressif/**/sdkconfig
 /IDE/Espressif/**/sdkconfig.old
 
+# SPDM build artifacts
+spdm/wolfspdm/options.h
+spdm/config.h
+spdm/stamp-h1
+spdm/src/.libs/
+spdm/src/.deps/
+spdm/test/.libs/
+spdm/test/unit_test
+
 # Firmware files
 examples/firmware/*.fi
 examples/firmware/*.BIN
 examples/firmware/*.DATA
 examples/firmware/*.MANIFEST
 examples/firmware/*.MANIFESTHASH
-

Makefile.am

@@ -46,6 +46,7 @@ include tests/include.am
 include docs/include.am
 include wrapper/include.am
 include hal/include.am
+include src/spdm/include.am
 include cmake/include.am
 include zephyr/include.am
 

configure.ac

@@ -22,6 +22,7 @@ AC_CANONICAL_HOST
 AC_CANONICAL_TARGET
 AC_CONFIG_MACRO_DIR([m4])
 
+
 AM_INIT_AUTOMAKE([1.11 -Wall -Werror -Wno-portability foreign tar-ustar subdir-objects no-define color-tests])
 
 AC_ARG_PROGRAM
@@ -332,6 +333,17 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_NUVOTON"
 fi
 
+# Nations Technology NS350
+AC_ARG_ENABLE([nations],
+    [AS_HELP_STRING([--enable-nations],[Enable Nations Technology NS350 TPM Support (default: disabled)])],
+    [ ENABLED_NATIONS=$enableval ],
+    [ ENABLED_NATIONS=no ]
+    )
+if test "x$ENABLED_NATIONS" = "xyes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_NATIONS"
+fi
+
 # Infineon SLB9670/SLB9672/SLB9673
 AC_ARG_ENABLE([infineon],
     [AS_HELP_STRING([--enable-infineon],[Enable Infineon SLB9670/SLB9672 TPM Support (default: disabled)])],
@@ -407,7 +419,8 @@ if test "x$ENABLED_AUTODETECT" = "xtest"
 then
     # If a module hasn't been selected then enable auto-detection
     if test "x$ENABLED_INFINEON" = "xno" && test "x$ENABLED_MCHP" = "xno" && test "x$ENABLED_MICROCHIP" = "xno" && \
-       test "x$ENABLED_ST" = "xno" && test "x$ENABLED_ST33" = "xno" && test "x$ENABLED_NUVOTON" = "xno"
+       test "x$ENABLED_ST" = "xno" && test "x$ENABLED_ST33" = "xno" && test "x$ENABLED_NUVOTON" = "xno" && \
+       test "x$ENABLED_NATIONS" = "xno"
     then
         ENABLED_AUTODETECT=yes
     fi
@@ -462,6 +475,40 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_PROVISIONING"
 fi
 
+# SPDM Support
+AC_ARG_ENABLE([spdm],
+    [AS_HELP_STRING([--enable-spdm],[Enable SPDM support (default: disabled)])],
+    [ ENABLED_SPDM=$enableval ],
+    [ ENABLED_SPDM=no ]
+    )
+
+AC_ARG_WITH([wolfspdm],
+    [AS_HELP_STRING([--with-wolfspdm=PATH],[DEPRECATED: Use --enable-spdm instead.])],
+    [AC_MSG_ERROR([--with-wolfspdm is no longer needed. Use --enable-spdm instead.])])
+
+if test "x$ENABLED_SPDM" = "xyes"
+then
+    AC_DEFINE([WOLFTPM_SPDM], [1], [Enable SPDM support])
+
+    # Nuvoton SPDM support (required for SPDM in wolfTPM)
+    if test "x$ENABLED_NUVOTON" = "xyes"
+    then
+        AC_DEFINE([WOLFSPDM_NUVOTON], [1], [Enable SPDM Nuvoton TPM support])
+        AC_MSG_NOTICE([Nuvoton SPDM vendor commands enabled])
+    fi
+
+    # Nations Technology SPDM support
+    if test "x$ENABLED_NATIONS" = "xyes"
+    then
+        AC_DEFINE([WOLFSPDM_NATIONS], [1], [Enable SPDM Nations Technology support])
+        AC_MSG_NOTICE([Nations Technology SPDM vendor commands enabled])
+    fi
+
+    if test "x$ax_enable_debug" != "xno"
+    then
+        AC_DEFINE([WOLFSPDM_DEBUG], [1], [SPDM: Enable debug output])
+    fi
+fi
 
 # HARDEN FLAGS
 AX_HARDEN_CC_COMPILER_FLAGS
@@ -489,10 +536,12 @@ AM_CONDITIONAL([BUILD_DEVTPM], [test "x$ENABLED_DEVTPM" = "xyes"])
 AM_CONDITIONAL([BUILD_SWTPM], [test "x$ENABLED_SWTPM" = "xyes"])
 AM_CONDITIONAL([BUILD_WINAPI], [test "x$ENABLED_WINAPI" = "xyes"])
 AM_CONDITIONAL([BUILD_NUVOTON], [test "x$ENABLED_NUVOTON" = "xyes"])
+AM_CONDITIONAL([BUILD_NATIONS], [test "x$ENABLED_NATIONS" = "xyes"])
 AM_CONDITIONAL([BUILD_CHECKWAITSTATE], [test "x$ENABLED_CHECKWAITSTATE" = "xyes"])
 AM_CONDITIONAL([BUILD_AUTODETECT], [test "x$ENABLED_AUTODETECT" = "xyes"])
 AM_CONDITIONAL([BUILD_FIRMWARE], [test "x$ENABLED_FIRMWARE" = "xyes"])
 AM_CONDITIONAL([BUILD_HAL], [test "x$ENABLED_EXAMPLE_HAL" = "xyes" || test "x$ENABLED_MMIO" = "xyes"])
+AM_CONDITIONAL([BUILD_SPDM], [test "x$ENABLED_SPDM" = "xyes"])
 
 
 CREATE_HEX_VERSION
@@ -578,6 +627,10 @@ for option in $OPTION_FLAGS; do
     fi
 done
 
+# Also capture SPDM defines from config.h (set via AC_DEFINE, not AM_CFLAGS)
+grep '^#define WOLFSPDM_' src/config.h >> $OPTION_FILE 2>/dev/null || true
+grep '^#define WOLFTPM_SPDM' src/config.h >> $OPTION_FILE 2>/dev/null || true
+
 echo "" >> $OPTION_FILE
 echo "#ifdef __cplusplus" >> $OPTION_FILE
 echo "}" >> $OPTION_FILE
@@ -619,6 +672,8 @@ echo "   * Infineon SLB967X           $ENABLED_INFINEON"
 echo "   * STM ST33:                  $ENABLED_ST"
 echo "   * Microchip ATTPM20:         $ENABLED_MICROCHIP"
 echo "   * Nuvoton NPCT75x:           $ENABLED_NUVOTON"
+echo "   * Nations Tech NS350:        $ENABLED_NATIONS"
 
 echo "   * Runtime Module Detection:  $ENABLED_AUTODETECT"
 echo "   * Firmware Upgrade Support:  $ENABLED_FIRMWARE"
+echo "   * SPDM Support:              $ENABLED_SPDM"

examples/include.am

@@ -18,6 +18,7 @@ include examples/seal/include.am
 include examples/attestation/include.am
 include examples/firmware/include.am
 include examples/endorsement/include.am
+include examples/spdm/include.am
 
 if BUILD_EXAMPLES
 EXTRA_DIST += examples/run_examples.sh

examples/spdm/README.md

@@ -0,0 +1,123 @@
+# TPM SPDM Setup/Control
+
+This directory contains the SPDM setup and control tool for Nuvoton NPCT75x
+and Nations NS350 TPMs with wolfTPM.
+
+## Overview
+
+The `spdm_ctrl` tool establishes SPDM secure sessions between the host and a
+TPM over SPI, enabling AES-256-GCM encrypted bus communication. Once active,
+all TPM commands are automatically encrypted with no application changes.
+
+Supported hardware:
+- **Nuvoton NPCT75x** — Identity key mode (ECDHE P-384)
+- **Nations NS350** — Identity key mode + PSK mode
+
+For standard SPDM protocol support (spdm-emu, measurements, challenge, etc.),
+see the [wolfSPDM](https://github.com/aidangarske/wolfSPDM) standalone library.
+
+## Building
+
+### Prerequisites
+
+wolfSSL with crypto algorithms required for SPDM Algorithm Set B:
+
+```bash
+cd wolfssl
+./autogen.sh
+./configure --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+make && sudo make install && sudo ldconfig
+```
+
+### wolfTPM with Nuvoton SPDM
+
+```bash
+cd wolfTPM
+./autogen.sh
+./configure --enable-spdm --enable-nuvoton
+make
+```
+
+### wolfTPM with Nations SPDM
+
+```bash
+cd wolfTPM
+./autogen.sh
+./configure --enable-spdm --enable-nations
+make
+```
+
+## Setup/Control Commands
+
+| Option | Description |
+|--------|-------------|
+| `--enable` | Enable SPDM on TPM via NTC2_PreConfig (one-time, requires reset) |
+| `--disable` | Disable SPDM on TPM via NTC2_PreConfig (requires reset) |
+| `--status` | Query SPDM status from TPM |
+| `--get-pubkey` | Get TPM's SPDM-Identity P-384 public key |
+| `--connect` | Establish SPDM session (ECDH P-384 handshake) |
+| `--lock` | Lock SPDM-only mode (use with `--connect`) |
+| `--unlock` | Unlock SPDM-only mode (use with `--connect`) |
+
+## Usage Examples
+
+```bash
+# One-time setup: enable SPDM + reset TPM
+./examples/spdm/spdm_ctrl --enable
+# Reset the TPM (see "TPM Reset Pin Control" below)
+
+# Query SPDM status
+./examples/spdm/spdm_ctrl --status
+
+# Get TPM identity key
+./examples/spdm/spdm_ctrl --get-pubkey
+
+# Establish SPDM session
+./examples/spdm/spdm_ctrl --connect
+
+# Lock SPDM-only mode (connect + lock in one session)
+./examples/spdm/spdm_ctrl --connect --lock
+# Reset the TPM
+
+# All commands now auto-encrypt:
+./examples/wrap/caps          # auto-SPDM, AES-256-GCM encrypted
+./tests/unit.test             # full test suite over encrypted bus
+
+# Unlock SPDM-only mode
+# Reset the TPM
+./examples/spdm/spdm_ctrl --connect --unlock
+# Reset the TPM
+```
+
+## TPM Reset Pin Control
+
+SPDM enable/disable and SPDM-only mode changes require a TPM reset to take
+effect. The reset pin must be connected and controllable by the host.
+
+**Important for custom hardware designs:** Ensure the TPM reset pin is routed
+to a host-controllable GPIO. Without reset pin control, SPDM mode changes
+cannot be applied and recovery from SPDM-only mode is not possible.
+
+### Raspberry Pi Example (GPIO 4)
+
+```bash
+# Assert reset low, wait, release high, wait for TPM startup
+gpioset gpiochip0 4=0 && sleep 0.1 && gpioset gpiochip0 4=1 && sleep 2
+```
+
+Other platforms will use their own GPIO control mechanism. The key requirement
+is toggling the TPM reset line (active low) with sufficient hold time.
+
+## Automated Test Suite
+
+Runs the full SPDM setup lifecycle on hardware:
+
+```bash
+./examples/spdm/spdm_test.sh ./examples/spdm/spdm_ctrl nuvoton
+./examples/spdm/spdm_test.sh ./examples/spdm/spdm_ctrl nations
+./examples/spdm/spdm_test.sh ./examples/spdm/spdm_ctrl nations-psk
+```
+
+## Support
+
+For production use with hardware TPMs and SPDM support, contact **support@wolfssl.com**.

examples/spdm/include.am

@@ -0,0 +1,18 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+
+if BUILD_EXAMPLES
+if BUILD_SPDM
+noinst_PROGRAMS += examples/spdm/spdm_ctrl
+
+examples_spdm_spdm_ctrl_SOURCES         = examples/spdm/spdm_ctrl.c
+examples_spdm_spdm_ctrl_LDADD           = src/libwolftpm.la $(LIB_STATIC_ADD)
+examples_spdm_spdm_ctrl_DEPENDENCIES    = src/libwolftpm.la
+examples_spdm_spdm_ctrl_CFLAGS          = $(AM_CFLAGS)
+endif
+endif
+
+example_spdmdir = $(exampledir)/spdm
+dist_example_spdm_DATA = examples/spdm/spdm_ctrl.c
+
+DISTCLEANFILES+= examples/spdm/.libs/spdm_ctrl