wolfTPM is a portable, open-source TPM 2.0 stack with backward API compatibility, designed for embedded use. It has native support for Linux and Windows, and RTOS and bare-metal environments can take advantage of a single IO callback for the SPI hardware interface, no external dependencies, and a compact code size with low resource usage.
wolfTPM offers API wrappers to simplify complex TPM operations such as attestation, and examples for complex cryptographic processes such as generating a Certificate Signing Request (CSR) with a TPM.
Due to wolfTPM's portability, it is generally very easy to compile on new platforms.
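The single IO callback mentioned above is the whole hardware contract a port has to satisfy: the stack hands the callback a transmit buffer and expects the bytes clocked back from the SPI bus in the receive buffer. The following C example is added here and is not wolfTPM's own code. It assumes the callback has the shape of wolfTPM's `TPM2HalIoCb` (declared locally so the file builds without the library), uses the TIS register addresses for locality 0 from the TCG PTP specification, and replaces the real SPI peripheral with a constructed in-memory fake TPM whose DID/VID value is made up. It shows the 4-byte TIS SPI header encoding (read/write bit, size-minus-one, 24-bit address), the register read/write layer that rides on nothing but the callback, and a DID/VID read through it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opaque here; in wolfTPM this is the library's TPM2 context struct. */
typedef struct TPM2_CTX TPM2_CTX;

/* Shape of the single IO callback a port supplies (assumption: mirrors
 * wolfTPM's TPM2HalIoCb, declared locally so this builds without wolfTPM). */
typedef int (*TPM2HalIoCb)(TPM2_CTX* ctx, const uint8_t* txBuf,
                           uint8_t* rxBuf, uint16_t xferSz, void* userCtx);

/* TIS register addresses for locality 0 (TCG PTP specification). */
#define TPM_ACCESS_0   0xD40000u
#define TPM_DID_VID_0  0xD40F00u
#define TIS_HDR_SZ     4
#define TIS_MAX_XFER   64   /* one SPI frame moves at most 64 data bytes */

/* Build the 4-byte TIS SPI header: bit 7 = read (1) / write (0),
 * bits 0..5 = transfer size minus one, then the 24-bit address big-endian. */
int tis_spi_header(int is_read, uint16_t size, uint32_t addr, uint8_t hdr[TIS_HDR_SZ])
{
    if (size == 0 || size > TIS_MAX_XFER)
        return -1;
    hdr[0] = (uint8_t)((is_read ? 0x80 : 0x00) | (size - 1));
    hdr[1] = (uint8_t)(addr >> 16);
    hdr[2] = (uint8_t)(addr >> 8);
    hdr[3] = (uint8_t)addr;
    return 0;
}

/* Constructed stand-in for the SPI peripheral plus the TPM behind it:
 * a 4 KiB register window for locality 0 and a transfer counter. */
typedef struct {
    uint8_t  regs[0x1000];
    uint32_t xfers;
} FakeSpiTpm;

void fake_tpm_init(FakeSpiTpm* dev)
{
    uint32_t off = TPM_DID_VID_0 - TPM_ACCESS_0;
    memset(dev, 0, sizeof(*dev));
    /* Constructed DID/VID 0x1234ABCD, stored little-endian as TIS registers are. */
    dev->regs[off + 0] = 0xCD;
    dev->regs[off + 1] = 0xAB;
    dev->regs[off + 2] = 0x34;
    dev->regs[off + 3] = 0x12;
}

/* The platform's single IO callback: one full-duplex SPI exchange of xferSz
 * bytes. A real port drives chip-select and the SPI peripheral here; this
 * one decodes the TIS header and services the fake register window. */
int fake_spi_io(TPM2_CTX* ctx, const uint8_t* txBuf, uint8_t* rxBuf,
                uint16_t xferSz, void* userCtx)
{
    FakeSpiTpm* dev = (FakeSpiTpm*)userCtx;
    uint16_t n;
    uint32_t addr, off;
    (void)ctx;

    if (xferSz < TIS_HDR_SZ)
        return -1;
    n    = (uint16_t)((txBuf[0] & 0x3F) + 1);
    addr = ((uint32_t)txBuf[1] << 16) | ((uint32_t)txBuf[2] << 8) | txBuf[3];
    if (addr < TPM_ACCESS_0 || xferSz != TIS_HDR_SZ + n)
        return -1;
    off = addr - TPM_ACCESS_0;
    if (off + n > sizeof(dev->regs))
        return -1;

    dev->xfers++;
    memset(rxBuf, 0, TIS_HDR_SZ);
    rxBuf[TIS_HDR_SZ - 1] = 0x01;   /* bit 0 set: TPM inserts no wait state */
    if (txBuf[0] & 0x80)
        memcpy(rxBuf + TIS_HDR_SZ, dev->regs + off, n);   /* register read  */
    else
        memcpy(dev->regs + off, txBuf + TIS_HDR_SZ, n);   /* register write */
    return 0;
}

/* Register accessors built only on the callback, the way a TIS layer is. */
int tis_read_reg(TPM2HalIoCb io, void* userCtx, uint32_t addr, uint8_t* out, uint16_t len)
{
    uint8_t tx[TIS_HDR_SZ + TIS_MAX_XFER] = {0};
    uint8_t rx[TIS_HDR_SZ + TIS_MAX_XFER] = {0};
    if (tis_spi_header(1, len, addr, tx) != 0)
        return -1;
    if (io(NULL, tx, rx, (uint16_t)(TIS_HDR_SZ + len), userCtx) != 0)
        return -1;
    memcpy(out, rx + TIS_HDR_SZ, len);
    return 0;
}

int tis_write_reg(TPM2HalIoCb io, void* userCtx, uint32_t addr, const uint8_t* in, uint16_t len)
{
    uint8_t tx[TIS_HDR_SZ + TIS_MAX_XFER] = {0};
    uint8_t rx[TIS_HDR_SZ + TIS_MAX_XFER] = {0};
    if (tis_spi_header(0, len, addr, tx) != 0)
        return -1;
    memcpy(tx + TIS_HDR_SZ, in, len);
    return io(NULL, tx, rx, (uint16_t)(TIS_HDR_SZ + len), userCtx);
}

/* Read DID/VID through the callback and assemble it little-endian. */
uint32_t read_did_vid(TPM2HalIoCb io, void* userCtx)
{
    uint8_t b[4] = {0};
    if (tis_read_reg(io, userCtx, TPM_DID_VID_0, b, 4) != 0)
        return 0;
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

int main(void)
{
    FakeSpiTpm dev;
    uint32_t didvid;
    fake_tpm_init(&dev);
    didvid = read_did_vid(fake_spi_io, &dev);
    printf("DID/VID = 0x%08X after %u SPI transfer(s)\n", didvid, dev.xfers);
    return 0;
}
```

Swapping `fake_spi_io` for a function that toggles chip-select and calls the board's SPI transfer routine is the entire port; everything above the callback stays unchanged, which is what makes the single-callback design cheap to move between an RTOS, bare metal and a Linux `spidev` build.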
- Provides all TPM 2.0 APIs in compliance with the specification.
- Wrappers provided to simplify key generation/loading, RSA encrypt/decrypt, ECC sign/verify, ECDH, NV, hashing/HMAC and AES.
- Testing done using the STM ST33TP* SPI/I2C, Infineon OPTIGA SLB9670/SLB9672, Microchip ATTPM20 and Nuvoton NPCT650 TPM 2.0 modules.
- Uses the TPM Interface Specification (TIS) to communicate over SPI.
- Can also use the Linux TPM kernel interface (/dev/tpmX) to talk with any physical TPM on the SPI, I2C or even LPC bus.
- Platform support for Raspberry Pi, STM32 with CubeMX, Atmel ASF, Xilinx, Infineon TriCore and Barebox.
- Design allows for easy portability to different platforms:
  - Native C code designed for embedded use.
  - Single IO callback for hardware SPI interface.
  - No external dependencies.
  - Compact code size and minimal memory use.
- Includes example code for:
  - Most TPM2 native APIs
  - All TPM2 wrapper APIs
  - PKCS 7
  - Certificate Signing Request (CSR)
  - TLS Client
  - TLS Server
  - Use of the TPM's non-volatile memory
  - Attestation (activate and make credential)
  - Benchmarking TPM algorithms and TLS
  - Key generation (primary, RSA/ECC and symmetric), loading and storing to flash (NV memory)
  - Sealing and unsealing data with an RSA key
  - Time signed or set
  - PCR read/reset
  - GPIO configure, read and write
- Parameter encryption support using AES-CFB or XOR.
- Support for salted unbound authenticated sessions.
- Support for HMAC Sessions.
- Testing done using the following TPM 2.0 modules:
  - Infineon OPTIGA (TM) Trusted Platform Module 2.0 SLB 9670 and SLB9672.
    - LetsTrust: compact Raspberry Pi TPM 2.0 board based on the Infineon SLB 9670
  - ST ST33TP* TPM 2.0 module (SPI and I2C)
  - Microchip ATTPM20
  - Nuvoton NPCT65X or NPCT75x TPM 2.0 module