wolfSSL
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 1 deletion b/‎.gitignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎examples/spdm/README.md‎
Lines changed: 53 additions & 18 deletions b/‎examples/spdm/README.md‎
Lines changed: 53 additions & 18 deletions
diff --git a/‎examples/spdm/include.am‎
Lines changed: 7 additions & 7 deletions b/‎examples/spdm/include.am‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎examples/spdm/spdm_demo.c‎ ‎examples/spdm/spdm_ctrl.c‎examples/spdm/spdm_demo.c renamed to examples/spdm/spdm_ctrl.c
Lines changed: 35 additions & 35 deletions b/‎examples/spdm/spdm_demo.c‎ ‎examples/spdm/spdm_ctrl.c‎examples/spdm/spdm_demo.c renamed to examples/spdm/spdm_ctrl.c
Lines changed: 35 additions & 35 deletions
diff --git a/‎examples/spdm/spdm_test.sh‎
Lines changed: 2 additions & 2 deletions b/‎examples/spdm/spdm_test.sh‎
Lines changed: 2 additions & 2 deletions
@@ -92,7 +92,7 @@ examples/firmware/ifx_fw_update
 examples/firmware/st33_fw_update
 examples/endorsement/get_ek_certs
 examples/endorsement/verify_ek_cert
-examples/spdm/spdm_demo
+examples/spdm/spdm_ctrl
 
 # Generated Cert Files
 certs/ca-*.pem
 
@@ -1,12 +1,17 @@
-# TPM SPDM Examples
+# TPM SPDM Setup/Control
 
-This directory contains the SPDM demo for Nuvoton NPCT75x TPMs with wolfTPM.
+This directory contains the SPDM setup and control tool for Nuvoton NPCT75x
+and Nations NS350 TPMs with wolfTPM.
 
 ## Overview
 
-The `spdm_demo` establishes an SPDM secure session between the host and a
-Nuvoton TPM over SPI, enabling AES-256-GCM encrypted bus communication. Once
-active, all TPM commands are automatically encrypted with no application changes.
+The `spdm_ctrl` tool establishes SPDM secure sessions between the host and a
+TPM over SPI, enabling AES-256-GCM encrypted bus communication. Once active,
+all TPM commands are automatically encrypted with no application changes.
+
+Supported hardware:
+- **Nuvoton NPCT75x** — Identity key mode (ECDHE P-384)
+- **Nations NS350** — Identity key mode + PSK mode
 
 For standard SPDM protocol support (spdm-emu, measurements, challenge, etc.),
 see the [wolfSPDM](https://github.com/aidangarske/wolfSPDM) standalone library.
@@ -33,7 +38,16 @@ cd wolfTPM
 make
 ```
 
-## Demo Commands
+### wolfTPM with Nations SPDM
+
+```bash
+cd wolfTPM
+./autogen.sh
+./configure --enable-spdm --enable-nations
+make
+```
+
+## Setup/Control Commands
 
 | Option | Description |
 |--------|-------------|
@@ -48,39 +62,60 @@ make
 ## Usage Examples
 
 ```bash
-# One-time setup: enable SPDM + GPIO reset
-./examples/spdm/spdm_demo --enable
-gpioset gpiochip0 4=0 && sleep 0.1 && gpioset gpiochip0 4=1 && sleep 2
+# One-time setup: enable SPDM + reset TPM
+./examples/spdm/spdm_ctrl --enable
+# Reset the TPM (see "TPM Reset Pin Control" below)
 
 # Query SPDM status
-./examples/spdm/spdm_demo --status
+./examples/spdm/spdm_ctrl --status
 
 # Get TPM identity key
-./examples/spdm/spdm_demo --get-pubkey
+./examples/spdm/spdm_ctrl --get-pubkey
 
 # Establish SPDM session
-./examples/spdm/spdm_demo --connect
+./examples/spdm/spdm_ctrl --connect
 
 # Lock SPDM-only mode (connect + lock in one session)
-./examples/spdm/spdm_demo --connect --lock
-gpioset gpiochip0 4=0 && sleep 0.1 && gpioset gpiochip0 4=1 && sleep 2
+./examples/spdm/spdm_ctrl --connect --lock
+# Reset the TPM
 
 # All commands now auto-encrypt:
 ./examples/wrap/caps          # auto-SPDM, AES-256-GCM encrypted
 ./tests/unit.test             # full test suite over encrypted bus
 
 # Unlock SPDM-only mode
-gpioset gpiochip0 4=0 && sleep 0.1 && gpioset gpiochip0 4=1 && sleep 2
-./examples/spdm/spdm_demo --connect --unlock
+# Reset the TPM
+./examples/spdm/spdm_ctrl --connect --unlock
+# Reset the TPM
+```
+
+## TPM Reset Pin Control
+
+SPDM enable/disable and SPDM-only mode changes require a TPM reset to take
+effect. The reset pin must be connected and controllable by the host.
+
+**Important for custom hardware designs:** Ensure the TPM reset pin is routed
+to a host-controllable GPIO. Without reset pin control, SPDM mode changes
+cannot be applied and recovery from SPDM-only mode is not possible.
+
+### Raspberry Pi Example (GPIO 4)
+
+```bash
+# Assert reset low, wait, release high, wait for TPM startup
 gpioset gpiochip0 4=0 && sleep 0.1 && gpioset gpiochip0 4=1 && sleep 2
 ```
 
+Other platforms will use their own GPIO control mechanism. The key requirement
+is toggling the TPM reset line (active low) with sufficient hold time.
+
 ## Automated Test Suite
 
-Runs 6 tests: status, connect, lock, unit test over SPDM, unlock, cleartext caps setup lifecycle on hardware.
+Runs the full SPDM setup lifecycle on hardware:
 
 ```bash
-./examples/spdm/spdm_test.sh
+./examples/spdm/spdm_test.sh ./examples/spdm/spdm_ctrl nuvoton
+./examples/spdm/spdm_test.sh ./examples/spdm/spdm_ctrl nations
+./examples/spdm/spdm_test.sh ./examples/spdm/spdm_ctrl nations-psk
 ```
 
 ## Support
 
@@ -3,16 +3,16 @@
 
 if BUILD_EXAMPLES
 if BUILD_SPDM
-noinst_PROGRAMS += examples/spdm/spdm_demo
+noinst_PROGRAMS += examples/spdm/spdm_ctrl
 
-examples_spdm_spdm_demo_SOURCES         = examples/spdm/spdm_demo.c
-examples_spdm_spdm_demo_LDADD           = src/libwolftpm.la $(LIB_STATIC_ADD)
-examples_spdm_spdm_demo_DEPENDENCIES    = src/libwolftpm.la
-examples_spdm_spdm_demo_CFLAGS          = $(AM_CFLAGS)
+examples_spdm_spdm_ctrl_SOURCES         = examples/spdm/spdm_ctrl.c
+examples_spdm_spdm_ctrl_LDADD           = src/libwolftpm.la $(LIB_STATIC_ADD)
+examples_spdm_spdm_ctrl_DEPENDENCIES    = src/libwolftpm.la
+examples_spdm_spdm_ctrl_CFLAGS          = $(AM_CFLAGS)
 endif
 endif
 
 example_spdmdir = $(exampledir)/spdm
-dist_example_spdm_DATA = examples/spdm/spdm_demo.c
+dist_example_spdm_DATA = examples/spdm/spdm_ctrl.c
 
-DISTCLEANFILES+= examples/spdm/.libs/spdm_demo
+DISTCLEANFILES+= examples/spdm/.libs/spdm_ctrl
@@ -1,4 +1,4 @@
-/* spdm_demo.c
+/* spdm_ctrl.c
  *
  * Copyright (C) 2006-2025 wolfSSL Inc.
  *
@@ -40,12 +40,12 @@
 #include <wolftpm/tpm2_spdm.h>
 #include <wolftpm/spdm/spdm.h>
 
-int TPM2_SPDM_Demo(void* userCtx, int argc, char *argv[]);
+int TPM2_SPDM_Ctrl(void* userCtx, int argc, char *argv[]);
 
 static void usage(void)
 {
     printf("SPDM Demo - TPM secure session\n\n"
-           "Usage: spdm_demo [options]\n"
+           "Usage: spdm_ctrl [options]\n"
 #ifdef WOLFSPDM_NUVOTON
            "  --enable       Enable SPDM via NTC2_PreConfig\n"
            "  --disable      Disable SPDM via NTC2_PreConfig\n"
@@ -76,7 +76,7 @@ static void usage(void)
 }
 
 #ifdef WOLFSPDM_NUVOTON
-static int demo_enable(WOLFTPM2_DEV* dev)
+static int ctrl_enable(WOLFTPM2_DEV* dev)
 {
     int rc;
     printf("\n=== Enable SPDM ===\n");
@@ -95,7 +95,7 @@ static int demo_enable(WOLFTPM2_DEV* dev)
     return rc;
 }
 
-static int demo_disable(WOLFTPM2_DEV* dev)
+static int ctrl_disable(WOLFTPM2_DEV* dev)
 {
     int rc;
     printf("\n=== Disable SPDM ===\n");
@@ -113,7 +113,7 @@ static int demo_disable(WOLFTPM2_DEV* dev)
     return rc;
 }
 
-static int demo_status(WOLFTPM2_DEV* dev)
+static int ctrl_status(WOLFTPM2_DEV* dev)
 {
     int rc;
     WOLFSPDM_NUVOTON_STATUS status;
@@ -143,7 +143,7 @@ static int demo_status(WOLFTPM2_DEV* dev)
     return rc;
 }
 
-static int demo_get_pubkey(WOLFTPM2_DEV* dev)
+static int ctrl_get_pubkey(WOLFTPM2_DEV* dev)
 {
     int rc;
     byte pubKey[128];
@@ -163,7 +163,7 @@ static int demo_get_pubkey(WOLFTPM2_DEV* dev)
     return rc;
 }
 
-static int demo_connect(WOLFTPM2_DEV* dev)
+static int ctrl_connect(WOLFTPM2_DEV* dev)
 {
     int rc;
 
@@ -186,7 +186,7 @@ static int demo_connect(WOLFTPM2_DEV* dev)
     return rc;
 }
 
-static int demo_lock(WOLFTPM2_DEV* dev, int lock)
+static int ctrl_lock(WOLFTPM2_DEV* dev, int lock)
 {
     int rc;
     printf("\n=== SPDM-Only: %s ===\n", lock ? "LOCK" : "UNLOCK");
@@ -220,7 +220,7 @@ static int hex2bin(const char* hex, byte* bin, word32* binSz)
     return 0;
 }
 
-static int demo_nations_status(WOLFTPM2_DEV* dev)
+static int ctrl_nations_status(WOLFTPM2_DEV* dev)
 {
     int rc;
     int isConn;
@@ -277,7 +277,7 @@ static int demo_nations_status(WOLFTPM2_DEV* dev)
     return 0; /* status is informational, don't fail */
 }
 
-static int demo_nations_psk_connect(WOLFTPM2_DEV* dev, const char* pskHex)
+static int ctrl_nations_psk_connect(WOLFTPM2_DEV* dev, const char* pskHex)
 {
     int rc;
     byte psk[128];
@@ -301,7 +301,7 @@ static int demo_nations_psk_connect(WOLFTPM2_DEV* dev, const char* pskHex)
     return rc;
 }
 
-static int demo_nations_psk_set(WOLFTPM2_DEV* dev,
+static int ctrl_nations_psk_set(WOLFTPM2_DEV* dev,
     const char* pskHex, const char* clearAuthHex)
 {
     int rc;
@@ -357,7 +357,7 @@ static int demo_nations_psk_set(WOLFTPM2_DEV* dev,
     return rc;
 }
 
-static int demo_nations_psk_clear(WOLFTPM2_DEV* dev, const char* authHex)
+static int ctrl_nations_psk_clear(WOLFTPM2_DEV* dev, const char* authHex)
 {
     int rc;
     byte clearAuth[256];
@@ -387,7 +387,7 @@ static int demo_nations_psk_clear(WOLFTPM2_DEV* dev, const char* authHex)
     return rc;
 }
 
-static int demo_nations_identity_key_set(WOLFTPM2_DEV* dev, int set)
+static int ctrl_nations_identity_key_set(WOLFTPM2_DEV* dev, int set)
 {
     int rc;
     printf("\n=== Nations Identity Key %s ===\n", set ? "Set" : "Unset");
@@ -400,7 +400,7 @@ static int demo_nations_identity_key_set(WOLFTPM2_DEV* dev, int set)
     return rc;
 }
 
-static int demo_nations_get_pubkey(WOLFTPM2_DEV* dev)
+static int ctrl_nations_get_pubkey(WOLFTPM2_DEV* dev)
 {
     int rc;
     byte pubKey[128];
@@ -428,7 +428,7 @@ static int demo_nations_get_pubkey(WOLFTPM2_DEV* dev)
     return rc;
 }
 
-static int demo_nations_caps184(WOLFTPM2_DEV* dev)
+static int ctrl_nations_caps184(WOLFTPM2_DEV* dev)
 {
     int rc;
     GetCapability_In capIn;
@@ -505,7 +505,7 @@ static int demo_nations_caps184(WOLFTPM2_DEV* dev)
     return 0;
 }
 
-static int demo_nations_connect(WOLFTPM2_DEV* dev)
+static int ctrl_nations_connect(WOLFTPM2_DEV* dev)
 {
     int rc;
 
@@ -529,7 +529,7 @@ static int demo_nations_connect(WOLFTPM2_DEV* dev)
 }
 #endif /* WOLFSPDM_NATIONS */
 
-int TPM2_SPDM_Demo(void* userCtx, int argc, char *argv[])
+int TPM2_SPDM_Ctrl(void* userCtx, int argc, char *argv[])
 {
     int rc, i;
     WOLFTPM2_DEV dev;
@@ -568,42 +568,42 @@ int TPM2_SPDM_Demo(void* userCtx, int argc, char *argv[])
     for (i = 1; i < argc; i++) {
 #ifdef WOLFSPDM_NUVOTON
         if (XSTRCMP(argv[i], "--enable") == 0)
-            rc = demo_enable(&dev);
+            rc = ctrl_enable(&dev);
         else if (XSTRCMP(argv[i], "--disable") == 0)
-            rc = demo_disable(&dev);
+            rc = ctrl_disable(&dev);
         else if (XSTRCMP(argv[i], "--status") == 0)
-            rc = demo_status(&dev);
+            rc = ctrl_status(&dev);
         else if (XSTRCMP(argv[i], "--get-pubkey") == 0)
-            rc = demo_get_pubkey(&dev);
+            rc = ctrl_get_pubkey(&dev);
         else if (XSTRCMP(argv[i], "--connect") == 0)
-            rc = demo_connect(&dev);
+            rc = ctrl_connect(&dev);
         else if (XSTRCMP(argv[i], "--lock") == 0)
-            rc = demo_lock(&dev, 1);
+            rc = ctrl_lock(&dev, 1);
         else if (XSTRCMP(argv[i], "--unlock") == 0)
-            rc = demo_lock(&dev, 0);
+            rc = ctrl_lock(&dev, 0);
         else
 #endif
 #ifdef WOLFSPDM_NATIONS
         if (XSTRCMP(argv[i], "--identity-key-set") == 0)
-            rc = demo_nations_identity_key_set(&dev, 1);
+            rc = ctrl_nations_identity_key_set(&dev, 1);
         else if (XSTRCMP(argv[i], "--identity-key-unset") == 0)
-            rc = demo_nations_identity_key_set(&dev, 0);
+            rc = ctrl_nations_identity_key_set(&dev, 0);
         else if (XSTRCMP(argv[i], "--get-pubkey") == 0)
-            rc = demo_nations_get_pubkey(&dev);
+            rc = ctrl_nations_get_pubkey(&dev);
         else if (XSTRCMP(argv[i], "--connect") == 0)
-            rc = demo_nations_connect(&dev);
+            rc = ctrl_nations_connect(&dev);
         else if (XSTRCMP(argv[i], "--status") == 0)
-            rc = demo_nations_status(&dev);
+            rc = ctrl_nations_status(&dev);
         else if (XSTRCMP(argv[i], "--psk") == 0 && i + 1 < argc)
-            rc = demo_nations_psk_connect(&dev, argv[++i]);
+            rc = ctrl_nations_psk_connect(&dev, argv[++i]);
         else if (XSTRCMP(argv[i], "--psk-set") == 0 && i + 2 < argc)
         {
             const char* pskArg = argv[++i];
             const char* authArg = argv[++i];
-            rc = demo_nations_psk_set(&dev, pskArg, authArg);
+            rc = ctrl_nations_psk_set(&dev, pskArg, authArg);
         }
         else if (XSTRCMP(argv[i], "--psk-clear") == 0 && i + 1 < argc)
-            rc = demo_nations_psk_clear(&dev, argv[++i]);
+            rc = ctrl_nations_psk_clear(&dev, argv[++i]);
         else if (XSTRCMP(argv[i], "--lock") == 0)
             rc = wolfTPM2_SpdmNationsSetOnlyMode(&dev, 1);
         else if (XSTRCMP(argv[i], "--unlock") == 0)
@@ -614,7 +614,7 @@ int TPM2_SPDM_Demo(void* userCtx, int argc, char *argv[])
             printf("  %s (rc=0x%x)\n", rc == 0 ? "Success" : "FAILED", rc);
         }
         else if (XSTRCMP(argv[i], "--caps184") == 0)
-            rc = demo_nations_caps184(&dev);
+            rc = ctrl_nations_caps184(&dev);
         else
 #endif
         { printf("Unknown option: %s\n", argv[i]); usage(); rc = BAD_FUNC_ARG; }
@@ -631,7 +631,7 @@ int main(int argc, char *argv[])
 {
     int rc = -1;
 #ifndef WOLFTPM2_NO_WRAPPER
-    rc = TPM2_SPDM_Demo(NULL, argc, argv);
+    rc = TPM2_SPDM_Ctrl(NULL, argc, argv);
 #else
     printf("Wrapper code not compiled in\n");
     (void)argc; (void)argv;
 
@@ -19,7 +19,7 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 
-SPDM_DEMO="${1:-./examples/spdm/spdm_demo}"
+SPDM_DEMO="${1:-./examples/spdm/spdm_ctrl}"
 CAPS_DEMO="./examples/wrap/caps"
 UNIT_TEST="./tests/unit.test"
 GPIO_CHIP="gpiochip0"
@@ -102,7 +102,7 @@ run_test_no_reset() {
 
 if [ ! -x "$SPDM_DEMO" ]; then
     echo "Error: $SPDM_DEMO not found."
-    echo "Usage: $0 [path-to-spdm_demo] [nuvoton|nations|nations-psk]"
+    echo "Usage: $0 [path-to-spdm_ctrl] [nuvoton|nations|nations-psk]"
     exit 1
 fi