Merge pull request #460 from aidangarske/fix-issue-457

Improve error logging when wolfTPM2_Init fails

Author: dgarske

.github/workflows/make-test-swtpm.yml

@@ -108,6 +108,16 @@ jobs:
             wolftpm_config: --enable-advio
             needs_swtpm: false
 
+          # Autodetect (default configure, /dev/tpm0 + SPI dual support)
+          - name: autodetect
+            wolftpm_config: ""
+            needs_swtpm: false
+
+          # Autodetect with debug
+          - name: autodetect-debug
+            wolftpm_config: --enable-debug
+            needs_swtpm: false
+
           # Clang ASAN
           - name: clang-asan
             wolftpm_cflags: "-fsanitize=address -fno-omit-frame-pointer -g"

README.md

@@ -9,6 +9,7 @@ Portable TPM 2.0 project designed for embedded use.
 * Wrappers provided to simplify Key Generation/Loading, RSA encrypt/decrypt, ECC sign/verify, ECDH, NV, Hashing/HACM, AES, Sealing/Unsealing, Attestation, PCR Extend/Quote and Secure Root of Trust.
 * Testing done using TPM 2.0 modules from STMicro ST33 (SPI/I2C), Infineon OPTIGA SLB9670/SLB9672/SLB9673, Microchip ATTPM20, Nations Tech Z32H330TC/NS350 and Nuvoton NPCT650/NPCT750.
 * wolfTPM uses the TPM Interface Specification (TIS) to communicate either over SPI, or using a memory mapped I/O range.
+* On Linux, wolfTPM auto-detects between the kernel TPM driver (`/dev/tpmX`) and direct SPI access at runtime — a simple `./configure && make` works with either interface.
 * wolfTPM can also use the Linux TPM kernel interface (`/dev/tpmX`) to talk with any physical TPM on SPI, I2C and even LPC bus.
 * Platform support for Raspberry Pi (Linux), MMIO, STM32 with CubeMX, Atmel ASF, Xilinx, QNX Infineon TriCore and Barebox.
 * The design allows for easy portability to different platforms:
@@ -192,12 +193,16 @@ make install
 --enable-firmware       Enable firmware upgrade support for Infineon SLB9672/SLB9673 and ST ST33 (default: disabled) - WOLFTPM_FIRMWARE_UPGRADE
 
 --enable-autodetect     Enable Runtime Module Detection (default: enable - when no module specified) - WOLFTPM_AUTODETECT
+                        On Linux this also auto-detects /dev/tpmrm0 or /dev/tpm0 at runtime,
+                        falling back to SPI if the kernel driver is not available.
 --enable-infineon       Enable Infineon SLB9670/SLB9672/SLB9673 TPM Support (default: disabled) - WOLFTPM_SLB9670 / WOLFTPM_SLB9672
 --enable-st             Enable ST ST33 Support (default: disabled) - WOLFTPM_ST33
 --enable-microchip      Enable Microchip ATTPM20 Support (default: disabled) - WOLFTPM_MICROCHIP
 --enable-nuvoton        Enable Nuvoton NPCT65x/NPCT75x Support (default: disabled) - WOLFTPM_NUVOTON
 
 --enable-devtpm         Enable using Linux kernel driver for /dev/tpmX (default: disabled) - WOLFTPM_LINUX_DEV
+                        Note: With autodetect (default) this is no longer required on Linux;
+                        the kernel driver is tried automatically before SPI.
 --enable-swtpm          Enable using SWTPM TCP protocol. For use with simulator. (default: disabled) - WOLFTPM_SWTPM
 --enable-winapi         Use Windows TBS API. (default: disabled) - WOLFTPM_WINAPI
 
@@ -283,7 +288,15 @@ idf.py build
 
 ### Building for "/dev/tpmX"
 
-The `--enable-devtpm` or `WOLFTPM_LINUX_DEV` build option allows you to use the Linux supplied TPM (TIS) driver.
+**Auto-detection (recommended):** On Linux, a default `./configure && make` will automatically try `/dev/tpmrm0` then `/dev/tpm0` at runtime. If the kernel driver is available it will be used; otherwise wolfTPM falls back to direct SPI access. No special configure options are needed.
+
+```bash
+./autogen.sh
+./configure
+make
+```
+
+Previously, using the kernel TPM driver required the `--enable-devtpm` flag. This is no longer necessary with autodetect (enabled by default). You can still use `--enable-devtpm` to force kernel-driver-only mode, which disables SPI fallback.
 
 To specify a different `/dev/tpmX` device use `CFLAGS="-DTPM2_LINUX_DEV=/dev/tpm1"`
 

examples/bench/bench.c

@@ -262,7 +262,10 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[])
 
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
-    if (rc != 0) return rc;
+    if (rc != 0) {
+        printf("wolfTPM2_Init failed\n");
+        return rc;
+    }
 
     /* See if primary storage key already exists */
     rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);

examples/pkcs7/pkcs7.c

@@ -417,7 +417,10 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])
 
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
-    if (rc != 0) return rc;
+    if (rc != 0) {
+        printf("wolfTPM2_Init failed\n");
+        return rc;
+    }
 
     /* Setup the wolf crypto device callback */
     XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));

examples/wrap/caps.c

@@ -106,7 +106,10 @@ int TPM2_Wrapper_CapsArgs(void* userCtx, int argc, char *argv[])
 
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
-    if (rc != 0) return rc;
+    if (rc != 0) {
+        printf("wolfTPM2_Init failed\n");
+        return rc;
+    }
 
     rc = wolfTPM2_GetCapabilities(&dev, &caps);
     if (rc != 0) goto exit;

examples/wrap/wrap_test.c

@@ -168,7 +168,10 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
 
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
-    if (rc != 0) return rc;
+    if (rc != 0) {
+        printf("wolfTPM2_Init failed\n");
+        return rc;
+    }
 
 #ifdef WOLFTPM_CRYPTOCB
     /* Setup the wolf crypto device callback */

hal/tpm_io_linux.c

@@ -63,12 +63,14 @@
     #endif
     #include <fcntl.h>
     #include <unistd.h>
+    #include <errno.h>
 
     #ifdef WOLFTPM_I2C
         /* I2C - (Only tested with SLB9673 and ST33 I2C) */
         #define TPM2_I2C_ADDR 0x2e
         #define TPM2_I2C_DEV  "/dev/i2c-1"
         #define TPM2_I2C_HZ   400000 /* 400kHz */
+        static int i2cOpenFailed = 0;
     #else
         /* SPI */
         #ifndef TPM2_SPI_DEV_CS
@@ -97,8 +99,10 @@
             static char TPM2_SPI_DEV[] = TPM2_SPI_DEV_PATH "0";
             #define MAX_SPI_DEV_CS '4'
             static int foundSpiDev = 0;
+            static int spiDevNotFound = 0;
         #else
             #define TPM2_SPI_DEV TPM2_SPI_DEV_PATH TPM2_SPI_DEV_CS
+            static int spiOpenFailed = 0;
         #endif
     #endif
 #endif
@@ -190,6 +194,20 @@
 
             close(i2cDev);
         }
+        else if (!i2cOpenFailed) {
+            i2cOpenFailed = 1;
+            if (errno == EACCES) {
+                printf("Permission denied on %s\n"
+                    "Use sudo or add appropriate group to user.\n",
+                    TPM2_I2C_DEV);
+            }
+        #ifdef DEBUG_WOLFTPM
+            else {
+                printf("Failed to open I2C device %s (errno %d)\n",
+                    TPM2_I2C_DEV, errno);
+            }
+        #endif
+        }
 
         (void)ctx;
         (void)userCtx;
@@ -198,6 +216,39 @@
     }
 
 #else
+    /* Called when SPI device cannot be opened or no TPM found on SPI bus.
+     * Checks if the Linux kernel TPM driver is available and suggests
+     * alternatives. */
+    static void spiOpenFailedMessage(void)
+    {
+    #ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+        /* Autodetect already tried /dev/tpm0; SPI also failed */
+        #ifdef DEBUG_WOLFTPM
+        printf("Neither /dev/tpm0 nor SPI bus produced a TPM response.\n"
+            "Ensure a TPM is connected and the kernel driver or spidev "
+            "is enabled.\n");
+        #endif
+    #else
+        if (access("/dev/tpm0", F_OK) == 0 ||
+            access("/dev/tpmrm0", F_OK) == 0) {
+            printf("TPM kernel driver detected (/dev/tpm0).\n"
+                "Either build wolfTPM with ./configure --enable-devtpm\n"
+                "or disable the kernel driver by commenting out the TPM\n"
+                "overlay in /boot/config.txt or /boot/firmware/config.txt\n"
+                "and enable spidev to use direct SPI access.\n");
+        }
+        #ifdef DEBUG_WOLFTPM
+        else {
+            printf("If using Linux kernel TPM driver (/dev/tpm0), "
+                "build with --enable-devtpm.\n"
+                "To use SPI directly, make sure /dev/spidev is available "
+                "and the TPM\nkernel overlay is disabled in /boot/config.txt "
+                "or /boot/firmware/config.txt.\n");
+        }
+        #endif
+    #endif /* WOLFTPM_LINUX_DEV_AUTODETECT */
+    }
+
     /* Use Linux SPI synchronous access */
     int TPM2_IoCb_Linux_SPI(TPM2_CTX* ctx, const byte* txBuf, byte* rxBuf,
         word16 xferSz, void* userCtx)
@@ -308,6 +359,23 @@
         else {
             /* Failed to open device */
             ret = TPM_RC_FAILURE;
+        #ifndef WOLFTPM_AUTODETECT
+            if (!spiOpenFailed) {
+                spiOpenFailed = 1;
+                if (errno == EACCES) {
+                    printf("Permission denied on %s\n"
+                        "Use sudo or check device permissions.\n",
+                        TPM2_SPI_DEV);
+                }
+                else {
+                #ifdef DEBUG_WOLFTPM
+                    printf("Failed to open SPI device %s (errno %d)\n",
+                        TPM2_SPI_DEV, errno);
+                #endif
+                    spiOpenFailedMessage();
+                }
+            }
+        #endif
         }
 
     #ifdef WOLFTPM_AUTODETECT
@@ -326,6 +394,14 @@
                     TPM2_SPI_DEV[devLen-1]++;
                     goto tryagain;
                 }
+                if (!spiDevNotFound) {
+                    spiDevNotFound = 1;
+                #ifdef DEBUG_WOLFTPM
+                    printf("TPM not found on SPI bus %s[0-%c]\n",
+                        TPM2_SPI_DEV_PATH, MAX_SPI_DEV_CS);
+                #endif
+                    spiOpenFailedMessage();
+                }
             }
         }
     #endif

src/include.am

@@ -11,11 +11,8 @@ src_libwolftpm_la_SOURCES      = \
                                 src/tpm2_wrap.c \
                                 src/tpm2_asn.c \
                                 src/tpm2_param_enc.c \
-                                src/tpm2_cryptocb.c
-
-if BUILD_DEVTPM
-src_libwolftpm_la_SOURCES      += src/tpm2_linux.c
-endif
+                                src/tpm2_cryptocb.c \
+                                src/tpm2_linux.c
 if BUILD_SWTPM
 src_libwolftpm_la_SOURCES      += src/tpm2_swtpm.c
 endif

src/tpm2.c

@@ -60,6 +60,9 @@ static THREAD_LS_T TPM2_CTX* gActiveTPM;
 #ifdef WOLFTPM_LINUX_DEV
 #define INTERNAL_SEND_COMMAND      TPM2_LINUX_SendCommand
 #define TPM2_INTERNAL_CLEANUP(ctx)
+#elif defined(WOLFTPM_LINUX_DEV_AUTODETECT)
+#define INTERNAL_SEND_COMMAND      TPM2_LINUX_AUTODETECT_SendCommand
+#define TPM2_INTERNAL_CLEANUP(ctx)
 #elif defined(WOLFTPM_SWTPM)
 #define INTERNAL_SEND_COMMAND      TPM2_SWTPM_SendCommand
 #define TPM2_INTERNAL_CLEANUP(ctx)
@@ -647,6 +650,13 @@ TPM_RC TPM2_Init_ex(TPM2_CTX* ctx, TPM2HalIoCb ioCb, void* userCtx,
     if (ioCb != NULL || userCtx != NULL) {
         return BAD_FUNC_ARG;
     }
+#elif defined(WOLFTPM_LINUX_DEV_AUTODETECT)
+    /* Accept IO callback for SPI fallback path */
+    if (ioCb != NULL) {
+        rc = TPM2_SetHalIoCb(ctx, ioCb, userCtx);
+        if (rc != TPM_RC_SUCCESS)
+            return rc;
+    }
 #else
     #ifdef WOLFTPM_MMIO
     if (ioCb == NULL)
@@ -658,14 +668,18 @@ TPM_RC TPM2_Init_ex(TPM2_CTX* ctx, TPM2HalIoCb ioCb, void* userCtx,
         return rc;
 #endif
 
-#ifdef WOLFTPM_LINUX_DEV
+#if defined(WOLFTPM_LINUX_DEV) || defined(WOLFTPM_LINUX_DEV_AUTODETECT)
     ctx->fd = -1;
 #endif
 
     /* Set the active TPM global */
     TPM2_SetActiveCtx(ctx);
 
-    if (timeoutTries > 0) {
+    if (timeoutTries > 0
+    #ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+        && ctx->ioCb != NULL /* autodetect: skip if no IO callback */
+    #endif
+    ) {
         /* Perform chip startup and assign locality */
         rc = TPM2_ChipStartup(ctx, timeoutTries);
     }
@@ -729,7 +743,8 @@ TPM_RC TPM2_Cleanup(TPM2_CTX* ctx)
     }
 #endif /* !WOLFTPM2_NO_WOLFCRYPT */
 
-#if defined(WOLFTPM_LINUX_DEV) && !defined(__UBOOT__)
+#if (defined(WOLFTPM_LINUX_DEV) || defined(WOLFTPM_LINUX_DEV_AUTODETECT)) \
+    && !defined(__UBOOT__)
     if (ctx->fd >= 0)
         close(ctx->fd);
 #endif

src/tpm2_linux.c

@@ -25,7 +25,7 @@
 
 #include <wolftpm/tpm2_types.h>
 
-#ifdef WOLFTPM_LINUX_DEV
+#if defined(WOLFTPM_LINUX_DEV) || defined(WOLFTPM_LINUX_DEV_AUTODETECT)
 #include <wolftpm/tpm2_linux.h>
 #include <wolftpm/tpm2_packet.h>
 
@@ -194,4 +194,46 @@ int TPM2_LINUX_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
     return rc;
 }
 #endif /* __UBOOT__ __linux__ */
-#endif /* WOLFTPM_LINUX_DEV */
+
+#ifdef WOLFTPM_LINUX_DEV_AUTODETECT
+#include <wolftpm/tpm2_tis.h>
+
+int TPM2_LINUX_TryOpen(TPM2_CTX* ctx)
+{
+    /* Try resource manager first (kernel 4.12+), then raw device */
+    ctx->fd = open("/dev/tpmrm0", O_RDWR | O_NONBLOCK);
+    if (ctx->fd >= 0) {
+    #ifdef DEBUG_WOLFTPM
+        printf("Opened /dev/tpmrm0\n");
+    #endif
+        return TPM_RC_SUCCESS;
+    }
+
+    ctx->fd = open("/dev/tpm0", O_RDWR | O_NONBLOCK);
+    if (ctx->fd >= 0) {
+    #ifdef DEBUG_WOLFTPM
+        printf("Opened /dev/tpm0\n");
+    #endif
+        return TPM_RC_SUCCESS;
+    }
+
+    /* Distinguish "not available" from "permission denied" */
+    if (errno == EACCES) {
+        printf("Permission denied on /dev/tpm0\n"
+            "Use sudo or add tss group to user.\n");
+        return TPM_RC_FAILURE;
+    }
+
+    /* ENOENT or other: device not present, caller should try SPI */
+    return TPM_RC_INITIALIZE; /* sentinel: "not found, try next" */
+}
+
+int TPM2_LINUX_AUTODETECT_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
+{
+    if (ctx->fd >= 0)
+        return TPM2_LINUX_SendCommand(ctx, packet);
+    return TPM2_TIS_SendCommand(ctx, packet);
+}
+#endif /* WOLFTPM_LINUX_DEV_AUTODETECT */
+
+#endif /* WOLFTPM_LINUX_DEV || WOLFTPM_LINUX_DEV_AUTODETECT */