Address Fenrir feedback: tighten ZGen_2Phase size check and document env-var override risk

dgarske · dgarske · commit 9ee1722f5f03 · 2026-04-15T13:09:32.000-07:00
diff --git a/docs/SWTPM.md b/docs/SWTPM.md
@@ -53,6 +53,15 @@ Build Options:
 
 The UART transport uses the same mssim protocol as the socket transport. The serial port is configured as 8N1 raw mode with no flow control. Unlike the socket transport, the serial port file descriptor is kept open across commands (no reconnect per command).
 
+#### Security note: environment variable override
+
+The `TPM2_SWTPM_HOST` environment variable is a development convenience that overrides the compile-time serial device path. On systems where untrusted local users share the environment with the TPM client, an attacker could redirect TPM I/O to a rogue device (e.g. a PTY they control). For production / hardened deployments:
+
+* Unset `TPM2_SWTPM_HOST` in the process environment, and
+* Rely on the compile-time default (set via `TPM2_SWTPM_HOST` as a build `-D` macro) to pin the serial path.
+
+The same guidance applies to `TPM2_SWTPM_PORT` (baud rate) and, for the socket transport, to using the env var to redirect the TCP host.
+
 ### Example: wolfTPM fwTPM on STM32H5
 
 The wolfTPM project includes a firmware TPM server port for STM32 Cortex-M33 targets with TrustZone support. See [wolftpm-examples/STM32/fwtpm-stm32h5](https://github.com/wolfSSL/wolftpm-examples/pull/1) for build, flash, and test instructions.
diff --git a/examples/native/native_test.c b/examples/native/native_test.c
@@ -1171,11 +1171,20 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[])
         cmdIn.zgen2.counter = cmdOut.ecEph.counter;
         rc = TPM2_ZGen_2Phase(&cmdIn.zgen2, &cmdOut.zgen2);
         if (rc == TPM_RC_SUCCESS) {
+            /* For the P-256 curve configured above (TPM_ECC_NIST_P256),
+             * each Z output is the x-coordinate of the shared point, so
+             * its size must equal the curve byte length (32). A mutant
+             * that returns any non-zero-sized output would otherwise
+             * slip past a plain non-empty check. */
+            const int expectedZSz = 32; /* P-256 coordinate size */
             printf("TPM2_ZGen_2Phase: outZ1 %d, outZ2 %d\n",
                 cmdOut.zgen2.outZ1.size, cmdOut.zgen2.outZ2.size);
-            if (cmdOut.zgen2.outZ1.size == 0 ||
-                cmdOut.zgen2.outZ2.size == 0) {
-                printf("TPM2_ZGen_2Phase: FAIL (empty output)\n");
+            if (cmdOut.zgen2.outZ1.size != expectedZSz ||
+                cmdOut.zgen2.outZ2.size != expectedZSz) {
+                printf("TPM2_ZGen_2Phase: FAIL (expected Z size %d, "
+                    "got outZ1=%d outZ2=%d)\n",
+                    expectedZSz,
+                    cmdOut.zgen2.outZ1.size, cmdOut.zgen2.outZ2.size);
                 rc = -1;
                 goto exit;
             }
