diff --git a/conf/layer.conf b/conf/layer.conf index 7188cc0..2b1a6ac 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -186,4 +186,4 @@ BBFILES += "${@bb.utils.contains('WOLFENGINE_TYPE', \ '', d)}" # Versions of OpenEmbedded-Core which layer has been tested against -LAYERSERIES_COMPAT_wolfssl = "sumo thud warrior zeus hardknott gatesgarth dunfell kirkstone nanbield" +LAYERSERIES_COMPAT_wolfssl = "sumo thud warrior zeus hardknott gatesgarth dunfell kirkstone nanbield langdale scarthgap" diff --git a/recipes-wolfssl/wolfssh/wolfssh_1.4.15.bb b/recipes-wolfssl/wolfssh/wolfssh_1.4.17.bb similarity index 96% rename from recipes-wolfssl/wolfssh/wolfssh_1.4.15.bb rename to recipes-wolfssl/wolfssh/wolfssh_1.4.17.bb index b511992..631d028 100644 --- a/recipes-wolfssl/wolfssh/wolfssh_1.4.15.bb +++ b/recipes-wolfssl/wolfssh/wolfssh_1.4.17.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSING;md5=2c2d0ee3db6ceba278dd43212ed03733" DEPENDS += "wolfssl" -SRC_URI = "git://github.com/wolfssl/wolfssh.git;nobranch=1;protocol=https;rev=60a29602e5893fd4e2ca0f4b6e2e05c6324154ed" +SRC_URI = "git://github.com/wolfssl/wolfssh.git;nobranch=1;protocol=https;rev=9204ae711999facc7a6a386e1306ae5fb1506da5" S = "${WORKDIR}/git" diff --git a/recipes-wolfssl/wolftpm/files/wolftpm_3_1_0.patch b/recipes-wolfssl/wolftpm/files/wolftpm_3_1_0.patch deleted file mode 100644 index e38000c..0000000 --- a/recipes-wolfssl/wolftpm/files/wolftpm_3_1_0.patch +++ /dev/null @@ -1,6296 +0,0 @@ -diff --git a/.cyignore b/.cyignore -new file mode 100644 -index 0000000..0a3ff1d ---- /dev/null -+++ b/.cyignore -@@ -0,0 +1,4 @@ -+# wolfTPM folders -+$(SEARCH_wolftpm)/IDE -+$(SEARCH_wolftpm)/examples -+$(SEARCH_wolftpm)/tests -\ No newline at end of file -diff --git a/.github/workflows/cmake-build.yml b/.github/workflows/cmake-build.yml -index 158ac5c..0601e6f 100644 ---- a/.github/workflows/cmake-build.yml -+++ b/.github/workflows/cmake-build.yml -@@ -22,7 +22,8 @@ jobs: - sudo apt-get install -y cmake - - #pull and build wolfssl -- - uses: actions/checkout@master -+ - name: Checkout wolfssl -+ uses: actions/checkout@master - with: - repository: wolfssl/wolfssl - path: wolfssl -@@ -31,14 +32,16 @@ jobs: - run: | - mkdir build - cd build -- cmake -DWOLFSSL_TPM=yes .. -- make -- sudo make install -+ # wolfSSL PR 7188 broke "make install" unless WOLFSSL_INSTALL is set -+ cmake -DWOLFSSL_TPM=yes -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" .. -+ cmake --build . -+ cmake --install . - - #build wolftpm - - name: Build wolfTPM - run: | - mkdir build - cd build -- cmake -DWOLFTPM_INTERFACE=SWTPM .. -- make -+ cmake -DWOLFTPM_INTERFACE=SWTPM -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" -DWITH_WOLFSSL="$GITHUB_WORKSPACE/install" .. -+ cmake --build . -+ cmake --install . -diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml -index f8fe999..e61e852 100644 ---- a/.github/workflows/make-test-swtpm.yml -+++ b/.github/workflows/make-test-swtpm.yml -@@ -132,6 +132,12 @@ jobs: - - name: make debug io - run: make - -+# build pedantic -+ - name: configure pedantic -+ run: ./configure CFLAGS="-Wpedantic" -+ - name: make pedantic -+ run: make -+ - # capture logs on failure - - name: Upload failure logs - if: failure() -diff --git a/.gitignore b/.gitignore -index b8b7b2a..ea9d1b8 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -77,6 +77,8 @@ examples/attestation/activate_credential - examples/boot/secure_rot - examples/boot/secret_seal - examples/boot/secret_unseal -+examples/firmware/ifx_fw_extract -+examples/firmware/ifx_fw_update - - # Generated Cert Files - certs/ca-*.pem -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 9746974..4424505 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -1,6 +1,6 @@ - # CMakeList.txt - # --# Copyright (C) 2006-2022 wolfSSL Inc. -+# Copyright (C) 2006-2024 wolfSSL Inc. - # - # This file is part of wolfSSL. (formerly known as CyaSSL) - # -@@ -47,6 +47,27 @@ target_compile_definitions(wolftpm PRIVATE - "BUILDING_WOLFTPM" - ) - -+include(CheckIncludeFile) -+check_include_file("fcntl.h" HAVE_FCNTL_H) -+check_include_file("netdb.h" HAVE_NETDB_H) -+check_include_file("time.h" HAVE_TIME_H) -+check_include_file("sys/ioctl.h" HAVE_SYS_IOCTL_H) -+check_include_file("sys/socket.h" HAVE_SYS_SOCKET_H) -+check_include_file("sys/time.h" HAVE_SYS_TIME_H) -+check_include_file("errno.h" HAVE_ERRNO_H) -+check_include_file("stdint.h" HAVE_STDINT_H) -+check_include_file("stdlib.h" HAVE_STDLIB_H) -+check_include_file("string.h" HAVE_STRING_H) -+check_include_file("sys/stat.h" HAVE_SYS_STAT_H) -+check_include_file("sys/types.h" HAVE_SYS_TYPES_H) -+check_include_file("unistd.h" HAVE_UNISTD_H) -+ -+include(CheckFunctionExists) -+check_function_exists("gethostbyname" HAVE_GETHOSTBYNAME) -+check_function_exists("getaddrinfo" HAVE_GETADDRINFO) -+check_function_exists("gettimeofday" HAVE_GETTIMEOFDAY) -+ -+ - - # TODO - # * wrapper -@@ -132,7 +153,7 @@ if (WITH_WOLFSSL) - target_link_libraries(wolftpm PUBLIC wolfssl) - target_include_directories(wolftpm PUBLIC ${WITH_WOLFSSL}/include) - target_link_directories(wolftpm PUBLIC ${WITH_WOLFSSL}/lib) -- elseif (WITH_WOLFSSL_TREE) -+elseif (WITH_WOLFSSL_TREE) - set(WOLFSSL_TPM "yes" CACHE STRING "") - set(WOLFSSL_EXAMPLES "no" CACHE STRING "") - set(WOLFSSL_CRYPT_TESTS "no" CACHE STRING "") -@@ -221,7 +242,7 @@ file(REMOVE ${OPTION_FILE}) - file(APPEND ${OPTION_FILE} "/* wolftpm options.h\n") - file(APPEND ${OPTION_FILE} " * generated from cmake configure options\n") - file(APPEND ${OPTION_FILE} " *\n") --file(APPEND ${OPTION_FILE} " * Copyright (C) 2006-2022 wolfSSL Inc.\n") -+file(APPEND ${OPTION_FILE} " * Copyright (C) 2006-2024 wolfSSL Inc.\n") - file(APPEND ${OPTION_FILE} " *\n") - file(APPEND ${OPTION_FILE} " * This file is part of wolfSSL.\n") - file(APPEND ${OPTION_FILE} " *\n") -@@ -245,6 +266,26 @@ file(APPEND ${OPTION_FILE} "#endif\n\n\n") - file(APPEND ${OPTION_FILE} "#endif /* WOLFTPM_OPTIONS_H */\n\n") - - -+ -+# generate config.h -+message("Generating config header...") -+set(WOLFTPM_CONFIG_H "yes" CACHE STRING -+"Enable generation of config.h and define HAVE_CONFIG_H (default: enabled)") -+set_property(CACHE WOLFTPM_DEBUG -+ PROPERTY STRINGS "yes;no") -+if(WOLFTPM_CONFIG_H) -+ add_definitions("-DHAVE_CONFIG_H") -+ configure_file("${CMAKE_CURRENT_SOURCE_DIR}/cmake/config.in" -+ "${CMAKE_CURRENT_BINARY_DIR}/config.h" ) -+ # If config.h exists, delete it to avoid a mixup with build/config.h -+ if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/config.h") -+ file(REMOVE "${CMAKE_CURRENT_SOURCE_DIR}/config.h") -+ endif() -+endif() -+ -+ -+ -+ - if (WOLFTPM_EXAMPLES) - add_tpm_example(activate_credential attestation/activate_credential.c) - add_tpm_example(make_credential attestation/make_credential.c) -@@ -292,7 +333,8 @@ install(TARGETS wolftpm - # Install the export set - install(EXPORT wolftpm-targets - DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/wolftpm -- FILE wolftpm-config.cmake) -+ FILE wolftpm-config.cmake -+ NAMESPACE wolfssl::) - - # Install the headers - install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/wolftpm/ -diff --git a/ChangeLog.md b/ChangeLog.md -index 7deb225..c83f76a 100644 ---- a/ChangeLog.md -+++ b/ChangeLog.md -@@ -22,7 +22,7 @@ Support for using TLS PK callbacks with TPM for ECC and RSA. Improved the crypto - * Cleanup KDF function return code checking to avoid scan-build warning. (PR #311) - * Fixed ECC encrypt secret integrity check failed due to zero pad issue. (PR #311) - * Fixed `wolfTPM2_GetRng` possibly not returning an initialized WC_RNG. (PR #311) --* Fixed TLS bidirectional shutdown socket issue to to port collision with SWTPM. (PR #311) -+* Fixed TLS bidirectional shutdown socket issue due to port collision with SWTPM. (PR #311) - * Fixed `policy_sign` issue when `r` or `s` is less than key size (needs zero padding). (PR #311) - * Fixed building wolfCrypt without PEM to DER support. (PR #311) - * Added support for TLS PK callbacks with ECC and RSA Sign using PKCSv1.5 and PSS padding (PR #312) -diff --git a/IDE/OPENSTM32/Inc/wolftpm_example.h b/IDE/OPENSTM32/Inc/wolftpm_example.h -index da90daa..cf360eb 100644 ---- a/IDE/OPENSTM32/Inc/wolftpm_example.h -+++ b/IDE/OPENSTM32/Inc/wolftpm_example.h -@@ -27,10 +27,6 @@ - #include - #include - --#ifdef HAVE_CONFIG_H -- #include --#endif -- - #ifndef WOLFSSL_USER_SETTINGS - #include - #endif -diff --git a/IDE/OPENSTM32/Src/wolftpm_example.c b/IDE/OPENSTM32/Src/wolftpm_example.c -index 0378510..89d8a9e 100644 ---- a/IDE/OPENSTM32/Src/wolftpm_example.c -+++ b/IDE/OPENSTM32/Src/wolftpm_example.c -@@ -19,6 +19,9 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include "wolftpm_example.h" - -diff --git a/IDE/STM32CUBE/default_conf.ftl b/IDE/STM32CUBE/default_conf.ftl -index 1f57309..b6e77e1 100644 ---- a/IDE/STM32CUBE/default_conf.ftl -+++ b/IDE/STM32CUBE/default_conf.ftl -@@ -29,8 +29,8 @@ - [/#list] - [/#if] - --[#-- SWIPdatas is a list of SWIPconfigModel --] --[#list SWIPdatas as SWIP] -+[#-- SWIPdatas is a list of SWIPconfigModel --] -+[#list SWIPdatas as SWIP] - [#-- Global variables --] - [#if SWIP.variables??] - [#list SWIP.variables as variable] -@@ -40,9 +40,9 @@ extern ${variable.value} ${variable.name}; - - [#-- Global variables --] - --[#assign instName = SWIP.ipName] --[#assign fileName = SWIP.fileName] --[#assign version = SWIP.version] -+[#assign instName = SWIP.ipName] -+[#assign fileName = SWIP.fileName] -+[#assign version = SWIP.version] - - /** - MiddleWare name : ${instName} -@@ -50,9 +50,9 @@ extern ${variable.value} ${variable.name}; - MiddleWare version : ${version} - */ - [#if SWIP.defines??] -- [#list SWIP.defines as definition] -+ [#list SWIP.defines as definition] - /*---------- [#if definition.comments??]${definition.comments}[/#if] -----------*/ --#define ${definition.name} #t#t ${definition.value} -+#define ${definition.name} #t#t ${definition.value} - [#if definition.description??]${definition.description} [/#if] - [/#list] - [/#if] -@@ -68,6 +68,14 @@ extern ${variable.value} ${variable.name}; - #define NO_MAIN_DRIVER - #define WOLFTPM_EXAMPLE_HAL - -+/* Set smaller default timeout for embedded devices */ -+#define TPM_TIMEOUT_TRIES 10000 -+ -+/* Example for TPM wait delay */ -+#if 0 -+ #define XTPM_WAIT() HAL_Delay(1) -+#endif -+ - /* ------------------------------------------------------------------------- */ - /* Enable Features */ - /* ------------------------------------------------------------------------- */ -@@ -81,11 +89,55 @@ extern ${variable.value} ${variable.name}; - #define USE_HW_SPI_CS - #endif - -+/* Small stack support */ -+#if defined(WOLFTPM_CONF_SMALL_STACK) && WOLFTPM_CONF_SMALL_STACK == 1 -+ #define WOLFTPM_SMALL_STACK -+ #define MAX_COMMAND_SIZE 1024 -+ #define MAX_RESPONSE_SIZE 1350 -+ #define WOLFTPM2_MAX_BUFFER 1500 -+ #define MAX_DIGEST_BUFFER 973 -+#endif -+ -+/* ------------------------------------------------------------------------- */ -+/* Hardware */ -+/* ------------------------------------------------------------------------- */ -+ -+/* Interface Selection SPI or I2C */ -+/* 0=SPI, 1=I2C */ -+#if defined(WOLFTPM_CONF_TRANSPORT) && WOLFTPM_CONF_TRANSPORT == 0 -+ /* SPI (default) */ -+#elif defined(WOLFTPM_CONF_TRANSPORT) && WOLFTPM_CONF_TRANSPORT == 1 -+ #define WOLFTPM_I2C -+ #define WOLFTPM_ADV_IO -+#endif -+ -+/* TPM Hardware Type (default automatic detect) */ -+#if 1 -+ #define WOLFTPM_AUTODETECT -+#else -+ //#define WOLFTPM_SLB9670 /* Infineon */ -+ //#define WOLFTPM_SLB9672 /* Infineon */ -+ //#define WOLFTPM_MICROCHIP /* ATTPM20 */ -+ //#define WOLFTPM_ST33 /* STM */ -+ //#define WOLFTPM_NUVOTON /* NPCT75x */ -+#endif -+ -+/* Example STM32 SPI Hal Configuration */ -+#if 0 -+ /* Use PD14 for SPI1 CS */ -+ #define USE_SPI_CS_PORT GPIOD -+ #define USE_SPI_CS_PIN 14 -+#endif -+ -+ - /* ------------------------------------------------------------------------- */ - /* Debugging */ - /* ------------------------------------------------------------------------- */ - #if defined(WOLFTPM_CONF_DEBUG) && WOLFTPM_CONF_DEBUG == 1 - #define DEBUG_WOLFTPM -+ //#define WOLFTPM_DEBUG_TIMEOUT -+ //#define WOLFTPM_DEBUG_VERBOSE -+ //#define WOLFTPM_DEBUG_IO - #endif - - #ifdef __cplusplus -diff --git a/Makefile.am b/Makefile.am -index 6a316e3..dc750f0 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -41,7 +41,9 @@ include tests/include.am - include docs/include.am - include wrapper/include.am - include hal/include.am -+include cmake/include.am - -+EXTRA_DIST+= .cyignore - EXTRA_DIST+= README.md - EXTRA_DIST+= ChangeLog.md - EXTRA_DIST+= LICENSE -diff --git a/README.md b/README.md -index 3fbaaed..95bb9c2 100644 ---- a/README.md -+++ b/README.md -@@ -7,7 +7,7 @@ Portable TPM 2.0 project designed for embedded use. - - * This implementation provides all TPM 2.0 API’s in compliance with the specification. - * Wrappers provided to simplify Key Generation/Loading, RSA encrypt/decrypt, ECC sign/verify, ECDH, NV, Hashing/HACM, AES, Sealing/Unsealing, Attestation, PCR Extend/Quote and Secure Root of Trust. --* Testing done using the following TPM 2.0 modules: STM ST33TP* SPI/I2C, Infineon OPTIGA SLB9670/SLB9672, Microchip ATTPM20, Nations Tech Z32H330TC and Nuvoton NPCT650/NPCT750. -+* Testing done using TPM 2.0 modules from STMicro ST33 (SPI/I2C), Infineon OPTIGA SLB9670/SLB9672, Microchip ATTPM20, Nations Tech Z32H330TC and Nuvoton NPCT650/NPCT750. - * wolfTPM uses the TPM Interface Specification (TIS) to communicate either over SPI, or using a memory mapped I/O range. - * wolfTPM can also use the Linux TPM kernel interface (/dev/tpmX) to talk with any physical TPM on SPI, I2C and even LPC bus. - * Platform support for Raspberry Pi (Linux), MMIO, STM32 with CubeMX, Atmel ASF, Xilinx, QNX Infineon TriCore and Barebox. -@@ -84,11 +84,12 @@ We also support an advanced IO option (`--enable-advio`/`WOLFTPM_ADV_IO`), which - - Tested with: - --* Infineon OPTIGA (TM) Trusted Platform Module 2.0 SLB 9670 and SLB9672. -- - LetsTrust: [http://letstrust.de] ( Compact Raspberry Pi TPM 2.0 board based on Infineon SLB 9670. --* ST ST33TP* TPM 2.0 module (SPI and I2C) -+* Infineon OPTIGA (TM) Trusted Platform Module 2.0 SLB9670, SLB9672 and SLB9673 (I2C). -+ - LetsTrust: Vendor for TPM development boards [http://letstrust.de](http://letstrust.de). -+* STMicro STSAFE-TPM, ST33TPHF2XSPI/2XI2C and ST33KTPM2X (SPI and I2C) - * Microchip ATTPM20 module - * Nuvoton NPCT65X or NPCT75x TPM2.0 module -+* Nations Technologies Z32H330 TPM 2.0 module - - #### Device Identification - -@@ -100,11 +101,19 @@ Infineon SLB9672: - TPM2: Caps 0x30000697, Did 0x001d, Vid 0x15d1, Rid 0x36 - Mfg IFX (1), Vendor SLB9672, Fw 16.10 (0x4068), FIPS 140-2 1, CC-EAL4 1 - --ST ST33TP SPI -+Infineon SLB9673: -+TPM2: Caps 0x1ae00082, Did 0x001c, Vid 0x15d1, Rid 0x16 -+Mfg IFX (1), Vendor SLB9673, Fw 26.13 (0x456a), FIPS 140-2 1, CC-EAL4 1 -+ -+STMicro ST33KTPM2XSPI -+TPM2: Caps 0x30000415, Did 0x0003, Vid 0x104a, Rid 0x 0 -+Mfg STM (2), Vendor ST33KTPM2XSPI, Fw 9.256 (0x0), FIPS 140-2 1, CC-EAL4 0 -+ -+STMicro ST33TPHF2XSPI - TPM2: Caps 0x1a7e2882, Did 0x0000, Vid 0x104a, Rid 0x4e - Mfg STM (2), Vendor , Fw 74.8 (1151341959), FIPS 140-2 1, CC-EAL4 0 - --ST ST33TP I2C -+STMicro ST33TPHF2XI2C - TPM2: Caps 0x1a7e2882, Did 0x0000, Vid 0x104a, Rid 0x4e - Mfg STM (2), Vendor , Fw 74.9 (1151341959), FIPS 140-2 1, CC-EAL4 0 - -@@ -152,8 +161,8 @@ autogen.sh requires: automake and libtool: `sudo apt-get install automake libtoo - --enable-tislock Enable Linux Named Semaphore for locking access to SPI device for concurrent access between processes - WOLFTPM_TIS_LOCK - - --enable-autodetect Enable Runtime Module Detection (default: enable - when no module specified) - WOLFTPM_AUTODETECT ----enable-infineon Enable Infineon SLB9670/SLB9672 TPM Support (default: disabled) ----enable-st Enable ST ST33TPM Support (default: disabled) - WOLFTPM_ST33 -+--enable-infineon Enable Infineon SLB9670/SLB9672/SLB9673 TPM Support (default: disabled) - WOLFTPM_SLB9670 / WOLFTPM_SLB9672 -+--enable-st Enable ST ST33 Support (default: disabled) - WOLFTPM_ST33 - --enable-microchip Enable Microchip ATTPM20 Support (default: disabled) - WOLFTPM_MICROCHIP - --enable-nuvoton Enable Nuvoton NPCT65x/NPCT75x Support (default: disabled) - WOLFTPM_NUVOTON - -@@ -167,7 +176,15 @@ TLS_BENCH_MODE Enables TLS benchmarking mode. - NO_TPM_BENCH Disables the TPM benchmarking example. - ``` - --### Building Infineon SLB9670/SLB9672 -+Note: For the I2C support on Raspberry Pi you may need to enable I2C. Here are the steps: -+1. Edit `sudo vim /boot/config.txt` -+2. Uncomment `dtparam=i2c_arm=on` -+3. Reboot `sudo reboot` -+ -+ -+### Building Infineon -+ -+Support for SLB9670 or SLB9672 (SPI) / SLB9673 (I2C) - - Build wolfTPM: - -@@ -175,11 +192,11 @@ Build wolfTPM: - git clone https://github.com/wolfSSL/wolfTPM.git - cd wolfTPM - ./autogen.sh --./configure --enable-infineon -+./configure --enable-infineon [--enable-i2c] - make - ``` - --### Building ST ST33TP* -+### Building ST ST33 - - Build wolfTPM: - -@@ -189,11 +206,6 @@ Build wolfTPM: - make - ``` - --For the I2C support on Raspberry Pi you may need to enable I2C. Here are the steps: --1. Edit `sudo vim /boot/config.txt` --2. Uncomment `dtparam=i2c_arm=on` --3. Reboot `sudo reboot` -- - ### Building Microchip ATTPM20 - - Build wolfTPM: -@@ -437,7 +449,75 @@ ECDSA 256 verify 42 ops took 1.013 sec, avg 24.114 ms, 41.470 ops/sec - ECDHE 256 agree 16 ops took 1.055 sec, avg 65.948 ms, 15.164 ops/sec - ``` - --Run on ST ST33TP SPI at 33MHz: -+Run on Infineon SLB9673 on I2C at 400kHz: -+ -+``` -+./examples/bench/bench -+TPM2 Benchmark using Wrapper API's -+ Use Parameter Encryption: NULL -+Loading SRK: Storage 0x81000200 (282 bytes) -+RNG 4 KB took 1.429 seconds, 2.799 KB/s -+Benchmark symmetric AES-128-CBC-enc not supported! -+Benchmark symmetric AES-128-CBC-dec not supported! -+Benchmark symmetric AES-256-CBC-enc not supported! -+Benchmark symmetric AES-256-CBC-dec not supported! -+Benchmark symmetric AES-128-CTR-enc not supported! -+Benchmark symmetric AES-128-CTR-dec not supported! -+Benchmark symmetric AES-256-CTR-enc not supported! -+Benchmark symmetric AES-256-CTR-dec not supported! -+AES-128-CFB-enc 4 KB took 1.022 seconds, 3.914 KB/s -+AES-128-CFB-dec 4 KB took 1.021 seconds, 3.916 KB/s -+AES-256-CFB-enc 4 KB took 1.023 seconds, 3.911 KB/s -+AES-256-CFB-dec 4 KB took 1.023 seconds, 3.912 KB/s -+SHA1 8 KB took 1.203 seconds, 6.650 KB/s -+SHA256 8 KB took 1.208 seconds, 6.623 KB/s -+SHA384 8 KB took 1.209 seconds, 6.617 KB/s -+RSA 2048 key gen 10 ops took 19.106 sec, avg 1910.554 ms, 0.523 ops/sec -+RSA 2048 Public 14 ops took 1.046 sec, avg 74.740 ms, 13.380 ops/sec -+RSA 2048 Private 6 ops took 1.008 sec, avg 168.057 ms, 5.950 ops/sec -+RSA 2048 Pub OAEP 15 ops took 1.008 sec, avg 67.231 ms, 14.874 ops/sec -+RSA 2048 Priv OAEP 7 ops took 1.126 sec, avg 160.789 ms, 6.219 ops/sec -+ECC 256 key gen 4 ops took 1.244 sec, avg 311.031 ms, 3.215 ops/sec -+ECDSA 256 sign 14 ops took 1.009 sec, avg 72.057 ms, 13.878 ops/sec -+ECDSA 256 verify 18 ops took 1.043 sec, avg 57.921 ms, 17.265 ops/sec -+ECDHE 256 agree 9 ops took 1.025 sec, avg 113.888 ms, 8.781 ops/sec -+``` -+ -+Run on STMicro ST33KTPM2XSPI at 33MHz: -+ -+``` -+./examples/bench/bench -+TPM2 Benchmark using Wrapper API's -+ Use Parameter Encryption: NULL -+Loading SRK: Storage 0x81000200 (282 bytes) -+RNG 24 KB took 1.042 seconds, 23.028 KB/s -+AES-128-CBC-enc 52 KB took 1.018 seconds, 51.077 KB/s -+AES-128-CBC-dec 52 KB took 1.027 seconds, 50.644 KB/s -+AES-256-CBC-enc 46 KB took 1.012 seconds, 45.446 KB/s -+AES-256-CBC-dec 46 KB took 1.021 seconds, 45.072 KB/s -+AES-128-CTR-enc 44 KB took 1.025 seconds, 42.927 KB/s -+AES-128-CTR-dec 44 KB took 1.024 seconds, 42.955 KB/s -+AES-256-CTR-enc 40 KB took 1.025 seconds, 39.016 KB/s -+AES-256-CTR-dec 40 KB took 1.026 seconds, 38.992 KB/s -+AES-128-CFB-enc 52 KB took 1.026 seconds, 50.674 KB/s -+AES-128-CFB-dec 46 KB took 1.023 seconds, 44.986 KB/s -+AES-256-CFB-enc 46 KB took 1.021 seconds, 45.047 KB/s -+AES-256-CFB-dec 42 KB took 1.033 seconds, 40.665 KB/s -+SHA1 138 KB took 1.009 seconds, 136.727 KB/s -+SHA256 128 KB took 1.010 seconds, 126.723 KB/s -+SHA384 116 KB took 1.001 seconds, 115.833 KB/s -+RSA 2048 key gen 9 ops took 17.497 sec, avg 1944.057 ms, 0.514 ops/sec -+RSA 2048 Public 155 ops took 1.003 sec, avg 6.468 ms, 154.601 ops/sec -+RSA 2048 Private 12 ops took 1.090 sec, avg 90.806 ms, 11.013 ops/sec -+RSA 2048 Pub OAEP 122 ops took 1.004 sec, avg 8.230 ms, 121.501 ops/sec -+RSA 2048 Priv OAEP 11 ops took 1.023 sec, avg 92.964 ms, 10.757 ops/sec -+ECC 256 key gen 12 ops took 1.070 sec, avg 89.172 ms, 11.214 ops/sec -+ECDSA 256 sign 40 ops took 1.010 sec, avg 25.251 ms, 39.602 ops/sec -+ECDSA 256 verify 28 ops took 1.023 sec, avg 36.543 ms, 27.365 ops/sec -+ECDHE 256 agree 16 ops took 1.062 sec, avg 66.391 ms, 15.062 ops/sec -+``` -+ -+Run on STMicro ST33TPHF2XSPI at 33MHz: - - ``` - ./examples/bench/bench -@@ -795,6 +875,7 @@ Connection: close - * Update to v1.59 of specification (adding CertifyX509). - * Inner wrap support for SensitiveToPrivate. - * Firmware upgrade support on TPM's. -+* Add support for IRQ (interrupt line) - - ## Support - -diff --git a/certs/wolf-ca-ecc-cert.pem b/certs/wolf-ca-ecc-cert.pem -index e4e4c7c..d088d30 100644 ---- a/certs/wolf-ca-ecc-cert.pem -+++ b/certs/wolf-ca-ecc-cert.pem -@@ -2,12 +2,12 @@ Certificate: - Data: - Version: 3 (0x2) - Serial Number: -- 65:67:42:4c:06:e7:e4:c3:68:01:a9:94:a9:07:e6:fe:bd:2c:d6:3d -+ 0f:17:46:70:fd:c2:70:d1:f9:42:49:9c:1a:c3:5d:dd:30:c8:5f:85 - Signature Algorithm: ecdsa-with-SHA256 - Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com - Validity -- Not Before: Dec 16 21:17:49 2022 GMT -- Not After : Sep 11 21:17:49 2025 GMT -+ Not Before: Dec 13 22:19:28 2023 GMT -+ Not After : Sep 8 22:19:28 2026 GMT - Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = info@wolfssl.com - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey -@@ -31,16 +31,16 @@ Certificate: - X509v3 Key Usage: critical - Digital Signature, Certificate Sign, CRL Sign - Signature Algorithm: ecdsa-with-SHA256 -- 30:46:02:21:00:b0:12:16:03:26:79:d4:6b:94:d9:7e:ca:e1: -- 2d:24:64:ef:11:6e:f2:12:81:e4:ce:1d:77:7d:ca:5c:47:50: -- 62:02:21:00:80:bf:46:3c:5d:d8:e5:ab:47:ce:a2:19:bd:21: -- de:85:6f:ab:c9:8f:01:f3:ab:1b:b9:e1:53:d6:24:77:a6:4d -+ 30:45:02:21:00:c8:64:7f:ee:4b:be:83:48:13:ea:92:f8:1a: -+ 82:1e:85:b1:5a:a4:1c:e3:e8:ea:25:44:6f:e7:70:fd:eb:f3: -+ 76:02:20:44:02:a2:ec:c5:a1:ae:e2:a4:8a:d9:13:95:2b:a6: -+ 5b:09:57:86:61:42:96:97:f0:95:62:0c:03:e6:53:04:25 - -----BEGIN CERTIFICATE----- --MIICljCCAjugAwIBAgIUZWdCTAbn5MNoAamUqQfm/r0s1j0wCgYIKoZIzj0EAwIw -+MIIClTCCAjugAwIBAgIUDxdGcP3CcNH5QkmcGsNd3TDIX4UwCgYIKoZIzj0EAwIw - gZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT - ZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEY - MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv --bGZzc2wuY29tMB4XDTIyMTIxNjIxMTc0OVoXDTI1MDkxMTIxMTc0OVowgZcxCzAJ -+bGZzc2wuY29tMB4XDTIzMTIxMzIyMTkyOFoXDTI2MDkwODIyMTkyOFowgZcxCzAJ - BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl - MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UE - AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -@@ -48,6 +48,6 @@ Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAtPZbtYBjkXIuZAx5cBM456t - KTiYuhDW6QkqgKkuFyq5ir8zg0bjlQvkd0C1O0NFMw9hU3w3RMHL/IDK6EPqp6Nj - MGEwHQYDVR0OBBYEFFaOmsPwQt4YuUVVbvmTz+rD86UhMB8GA1UdIwQYMBaAFFaO - msPwQt4YuUVVbvmTz+rD86UhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD --AgGGMAoGCCqGSM49BAMCA0kAMEYCIQCwEhYDJnnUa5TZfsrhLSRk7xFu8hKB5M4d --d33KXEdQYgIhAIC/Rjxd2OWrR86iGb0h3oVvq8mPAfOrG7nhU9Ykd6ZN -+AgGGMAoGCCqGSM49BAMCA0gAMEUCIQDIZH/uS76DSBPqkvgagh6FsVqkHOPo6iVE -+b+dw/evzdgIgRAKi7MWhruKkitkTlSumWwlXhmFClpfwlWIMA+ZTBCU= - -----END CERTIFICATE----- -diff --git a/certs/wolf-ca-rsa-cert.pem b/certs/wolf-ca-rsa-cert.pem -index 58688a0..33d9079 100644 ---- a/certs/wolf-ca-rsa-cert.pem -+++ b/certs/wolf-ca-rsa-cert.pem -@@ -2,12 +2,12 @@ Certificate: - Data: - Version: 3 (0x2) - Serial Number: -- 2c:80:ce:db:47:9d:07:66:92:3d:68:d7:ca:ac:90:4f:ca:69:41:4b -+ 33:44:1a:a8:6c:01:ec:f6:60:f2:70:51:0a:4c:d1:14:fa:bc:e9:44 - Signature Algorithm: sha256WithRSAEncryption - Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com - Validity -- Not Before: Dec 16 21:17:49 2022 GMT -- Not After : Sep 11 21:17:49 2025 GMT -+ Not Before: Dec 13 22:19:28 2023 GMT -+ Not After : Sep 8 22:19:28 2026 GMT - Subject: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = info@wolfssl.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption -@@ -38,7 +38,7 @@ Certificate: - X509v3 Authority Key Identifier: - keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5 - DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com -- serial:2C:80:CE:DB:47:9D:07:66:92:3D:68:D7:CA:AC:90:4F:CA:69:41:4B -+ serial:33:44:1A:A8:6C:01:EC:F6:60:F2:70:51:0A:4C:D1:14:FA:BC:E9:44 - - X509v3 Basic Constraints: - CA:TRUE -@@ -47,27 +47,27 @@ Certificate: - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - Signature Algorithm: sha256WithRSAEncryption -- ae:b0:a4:35:8e:8a:1b:a6:eb:b3:a2:57:cf:3a:1f:dc:6e:bc: -- d2:d0:a6:4a:8f:88:0a:6e:74:d5:d1:7c:d1:44:b1:d4:3b:17: -- 03:09:5a:46:ed:08:08:cf:f1:fd:20:07:67:c0:97:ec:35:f3: -- 75:ca:20:61:98:3e:f5:4d:be:e6:9d:75:1e:e4:03:ad:8c:a6: -- 1e:3d:ec:e4:1a:92:5b:f9:a3:ad:83:ca:4f:cd:aa:38:bb:6e: -- ae:ad:fa:a7:46:f1:8b:73:ec:09:23:bc:f2:18:e5:b7:92:86: -- 3e:a4:75:60:c7:3d:0f:3f:83:00:c3:06:08:9c:d1:54:d6:ba: -- 6d:95:3d:34:a1:be:24:91:cc:20:03:11:5b:72:1c:d4:65:d0: -- 11:88:75:26:04:26:ef:66:70:e6:3b:38:87:9c:53:71:1b:09: -- 51:70:50:99:4c:31:0c:62:44:57:30:60:04:fc:12:2c:a3:24: -- b4:f7:11:d5:0e:b5:21:0b:ed:86:11:67:4d:36:fa:57:a0:59: -- 55:21:b3:6d:e4:77:5e:ec:7e:f0:09:13:8e:99:98:b2:e1:82: -- b6:4b:3e:0f:41:a6:0c:cd:49:99:7e:e4:8a:cb:37:ed:53:cf: -- 86:5d:a9:26:a8:e5:01:25:5a:b4:bc:25:35:f1:fa:5a:5c:ce: -- d4:b8:9a:2c -+ 2d:fc:f9:32:5a:be:d6:9d:42:8b:86:4e:67:22:c3:50:2d:cb: -+ 14:27:1d:94:f3:cd:88:42:da:41:1c:39:24:67:a7:92:4d:27: -+ ea:56:82:19:bf:11:b2:43:a4:8d:5d:87:b2:27:64:66:82:81: -+ df:c4:fd:5b:62:b0:c2:4d:9d:29:f2:41:32:cc:2e:b5:da:38: -+ 06:1b:e8:7f:8c:6e:3d:80:1e:00:56:49:bf:39:e0:da:68:2f: -+ c4:fd:00:e6:d1:81:1a:d1:4a:bb:76:52:ce:4d:24:9d:c4:a3: -+ a7:f1:65:14:2f:1f:a8:2d:c6:cb:ce:b1:a7:89:74:26:27:c3: -+ f3:a3:84:4c:34:01:14:03:7d:16:3a:c8:8b:25:2e:7b:90:cc: -+ 46:b1:52:34:ba:93:6e:ef:fe:43:a3:ad:c6:6f:51:fb:ba:ea: -+ 38:e3:6f:d6:ee:63:62:36:ea:5e:08:b4:e2:2a:46:89:e3:ae: -+ b3:b4:06:ef:63:7a:6e:5d:dd:c9:ec:02:4f:f7:64:c0:27:07: -+ b4:6f:4a:18:72:5b:34:74:7c:d0:a9:04:8f:40:8b:6a:39:d2: -+ 6b:1a:01:f2:01:a8:81:34:3a:e5:b0:55:d1:3c:95:ca:b0:82: -+ d6:ed:98:28:15:59:7e:95:a7:69:c7:b5:7b:ec:01:a7:4d:e6: -+ b9:a2:fe:35 - -----BEGIN CERTIFICATE----- --MIIE/zCCA+egAwIBAgIULIDO20edB2aSPWjXyqyQT8ppQUswDQYJKoZIhvcNAQEL -+MIIE/zCCA+egAwIBAgIUM0QaqGwB7PZg8nBRCkzRFPq86UQwDQYJKoZIhvcNAQEL - BQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC - b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEY - MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv --bGZzc2wuY29tMB4XDTIyMTIxNjIxMTc0OVoXDTI1MDkxMTIxMTc0OVowgZQxCzAJ -+bGZzc2wuY29tMB4XDTIzMTIxMzIyMTkyOFoXDTI2MDkwODIyMTkyOFowgZQxCzAJ - BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREw - DwYDVQQKDAhTYXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwP - d3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29t -@@ -82,12 +82,12 @@ BgNVHSMEgcwwgcmAFCeOZxF0wyYdP+0zY7Ok2B0w5ejVoYGapIGXMIGUMQswCQYD - VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G - A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3 - dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbYIU --LIDO20edB2aSPWjXyqyQT8ppQUswDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtl -+M0QaqGwB7PZg8nBRCkzRFPq86UQwDAYDVR0TBAUwAwEB/zAcBgNVHREEFTATggtl - eGFtcGxlLmNvbYcEfwAAATAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw --DQYJKoZIhvcNAQELBQADggEBAK6wpDWOihum67OiV886H9xuvNLQpkqPiApudNXR --fNFEsdQ7FwMJWkbtCAjP8f0gB2fAl+w183XKIGGYPvVNvuaddR7kA62Mph497OQa --klv5o62Dyk/Nqji7bq6t+qdG8Ytz7AkjvPIY5beShj6kdWDHPQ8/gwDDBgic0VTW --um2VPTShviSRzCADEVtyHNRl0BGIdSYEJu9mcOY7OIecU3EbCVFwUJlMMQxiRFcw --YAT8EiyjJLT3EdUOtSEL7YYRZ002+legWVUhs23kd17sfvAJE46ZmLLhgrZLPg9B --pgzNSZl+5IrLN+1Tz4ZdqSao5QElWrS8JTXx+lpcztS4miw= -+DQYJKoZIhvcNAQELBQADggEBAC38+TJavtadQouGTmciw1AtyxQnHZTzzYhC2kEc -+OSRnp5JNJ+pWghm/EbJDpI1dh7InZGaCgd/E/VtisMJNnSnyQTLMLrXaOAYb6H+M -+bj2AHgBWSb854NpoL8T9AObRgRrRSrt2Us5NJJ3Eo6fxZRQvH6gtxsvOsaeJdCYn -+w/OjhEw0ARQDfRY6yIslLnuQzEaxUjS6k27v/kOjrcZvUfu66jjjb9buY2I26l4I -+tOIqRonjrrO0Bu9jem5d3cnsAk/3ZMAnB7RvShhyWzR0fNCpBI9Ai2o50msaAfIB -+qIE0OuWwVdE8lcqwgtbtmCgVWX6Vp2nHtXvsAadN5rmi/jU= - -----END CERTIFICATE----- -diff --git a/cmake/README.md b/cmake/README.md -new file mode 100644 -index 0000000..a138be5 ---- /dev/null -+++ b/cmake/README.md -@@ -0,0 +1,5 @@ -+# wolfTPM CMake -+ -+This directory contains some supplementary files for the [CMakeLists.txt](../CMakeLists.txt) in the root. -+ -+See also cmake notes in the [INSTALL](../INSTALL) documentation file. -diff --git a/cmake/config.in b/cmake/config.in -new file mode 100644 -index 0000000..8a0bc31 ---- /dev/null -+++ b/cmake/config.in -@@ -0,0 +1,48 @@ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_FCNTL_H @HAVE_FCNTL_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_NETDB_H @HAVE_NETDB_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_TIME_H @HAVE_TIME_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_SYS_IOCTL_H @HAVE_SYS_IOCTL_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_SYS_SOCKET_H @HAVE_SYS_SOCKET_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_SYS_TIME_H @HAVE_SYS_TIME_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_ERRNO_H @HAVE_ERRNO_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_STDINT_H @HAVE_STDINT_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_STDLIB_H @HAVE_STDLIB_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_STRING_H @HAVE_STRING_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_SYS_STAT_H @HAVE_SYS_STAT_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_SYS_TYPES_H @HAVE_SYS_TYPES_H@ -+ -+/* Define to 1 if you have the header file. */ -+#cmakedefine HAVE_UNISTD_H @HAVE_UNISTD_H@ -+ -+ -+/* Define to 1 if you have the `getaddrinfo' function. */ -+#cmakedefine HAVE_GETADDRINFO @HAVE_GETADDRINFO@ -+ -+/* Define to 1 if you have the `gethostbyname' function. */ -+#cmakedefine HAVE_GETHOSTBYNAME @HAVE_GETHOSTBYNAME@ -+ -+/* Define to 1 if you have the `gettimeofday' function. */ -+#cmakedefine HAVE_GETTIMEOFDAY @HAVE_GETTIMEOFDAY@ -diff --git a/cmake/include.am b/cmake/include.am -new file mode 100644 -index 0000000..ceec20a ---- /dev/null -+++ b/cmake/include.am -@@ -0,0 +1,2 @@ -+EXTRA_DIST += cmake/README.md -+EXTRA_DIST += cmake/config.in -diff --git a/configure.ac b/configure.ac -index 134e6b7..0841058 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -60,6 +60,7 @@ AC_CHECK_SIZEOF([long long], 8) - AC_CHECK_SIZEOF([long], 4) - - # Check headers/libs -+AC_CHECK_HEADERS([netdb.h]) - AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday inet_ntoa memset socket]) - AC_CHECK_LIB([network],[socket]) - -@@ -407,6 +408,18 @@ then - fi - - -+# Built-in TPM firmware upgrade support -+AC_ARG_ENABLE([firmware], -+ [AS_HELP_STRING([--enable-firmware],[Enable support for TPM firmware upgrades (default: enabled)])], -+ [ ENABLED_FIRMWARE=$enableval ], -+ [ ENABLED_FIRMWARE=yes ] -+ ) -+if test "x$ENABLED_FIRMWARE" = "xyes" -+then -+ AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_FIRMWARE_UPGRADE" -+fi -+ -+ - # HARDEN FLAGS - AX_HARDEN_CC_COMPILER_FLAGS - -@@ -430,6 +443,7 @@ AM_CONDITIONAL([BUILD_WINAPI], [test "x$ENABLED_WINAPI" = "xyes"]) - AM_CONDITIONAL([BUILD_NUVOTON], [test "x$ENABLED_NUVOTON" = "xyes"]) - AM_CONDITIONAL([BUILD_CHECKWAITSTATE], [test "x$ENABLED_CHECKWAITSTATE" = "xyes"]) - AM_CONDITIONAL([BUILD_AUTODETECT], [test "x$ENABLED_AUTODETECT" = "xyes"]) -+AM_CONDITIONAL([BUILD_FIRMWARE], [test "x$ENABLED_FIRMWARE" = "xyes"]) - AM_CONDITIONAL([BUILD_HAL], [test "x$ENABLED_EXAMPLE_HAL" = "xyes" || test "x$ENABLED_MMIO" = "xyes"]) - - -@@ -555,3 +569,4 @@ echo " * Microchip ATTPM20: $ENABLED_MICROCHIP" - echo " * Nuvoton NPCT75x: $ENABLED_NUVOTON" - - echo " * Runtime Module Detection: $ENABLED_AUTODETECT" -+echo " * Firmware Upgrade Support: $ENABLED_FIRMWARE" -diff --git a/docs/README.md b/docs/README.md -index 7f8b8ca..b72472f 100644 ---- a/docs/README.md -+++ b/docs/README.md -@@ -1,5 +1,8 @@ - # wolfTPM User Manual - -+The latest wolfTPM user manual is available at: https://www.wolfssl.com/documentation/manuals/wolftpm/index.html -+Source generated from: https://github.com/wolfSSL/documentation/blob/master/wolfTPM/src/ -+ - ## Introduction - - wolfTPM is a portable TPM 2.0 project, designed for embedded use. It is highly portable, due to having been written in native C, having a single IO callback for SPI hardware interface, no external dependencies, and its compacted code with low resource usage. -diff --git a/examples/README.md b/examples/README.md -index 89556aa..cc55709 100644 ---- a/examples/README.md -+++ b/examples/README.md -@@ -110,10 +110,14 @@ The script creates the following X.509 files (also in .pem format): - - Example signs and verifies data with PKCS #7 using a TPM based key. - --* Must first run: --1. `./examples/csr/csr` --2. `./certs/certreq.sh` --3. `./examples/pkcs7/pkcs7` -+```sh -+./examples/keygen/keygen rsa_test_blob.raw -rsa -t -+./examples/keygen/keygen ecc_test_blob.raw -ecc -t -+./examples/csr/csr -+./certs/certreq.sh -+./examples/pkcs7/pkcs7 -+./examples/pkcs7/pkcs7 -ecc -+``` - - The result is displayed to stdout on the console. - -diff --git a/examples/attestation/activate_credential.c b/examples/attestation/activate_credential.c -index 93b2bc4..673e985 100644 ---- a/examples/attestation/activate_credential.c -+++ b/examples/attestation/activate_credential.c -@@ -23,6 +23,10 @@ - * and extract the secret for challenge response to an attestation server - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/attestation/make_credential.c b/examples/attestation/make_credential.c -index b2b85f6..99a2242 100644 ---- a/examples/attestation/make_credential.c -+++ b/examples/attestation/make_credential.c -@@ -21,6 +21,10 @@ - - /* This example shows how to create a challenge for Remote Attestation */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #ifndef WOLFTPM2_NO_WRAPPER -diff --git a/examples/bench/bench.c b/examples/bench/bench.c -index 7296713..e036c78 100644 ---- a/examples/bench/bench.c -+++ b/examples/bench/bench.c -@@ -22,6 +22,10 @@ - /* This example shows benchmarks using the TPM2 wrapper API's in - TPM2_Wrapper_Bench() below. */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - #include - -diff --git a/examples/boot/include.am b/examples/boot/include.am -index d7ec884..7a19340 100644 ---- a/examples/boot/include.am -+++ b/examples/boot/include.am -@@ -1,6 +1,8 @@ - # vim:ft=automake - # All paths should be given relative to the root - -+EXTRA_DIST += examples/boot/README.md -+ - if BUILD_EXAMPLES - noinst_HEADERS += examples/boot/boot.h - -diff --git a/examples/boot/secret_seal.c b/examples/boot/secret_seal.c -index c3be981..93ec084 100644 ---- a/examples/boot/secret_seal.c -+++ b/examples/boot/secret_seal.c -@@ -22,6 +22,9 @@ - /* Example for using TPM to seal a secret using an external key based on PCR(s) - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -279,6 +282,7 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[]) - printHexString((const byte*)&sealBlob.pub.publicArea, sealBlob.pub.size, 32); - printf("Sealed keyed hash priv %d\n", sealBlob.priv.size); - printHexString(sealBlob.priv.buffer, sealBlob.priv.size, 32); -+ (void)outFile; - #endif - - exit: -diff --git a/examples/boot/secret_unseal.c b/examples/boot/secret_unseal.c -index 236f6a6..5b6c767 100644 ---- a/examples/boot/secret_unseal.c -+++ b/examples/boot/secret_unseal.c -@@ -22,6 +22,9 @@ - /* Example for using TPM to seal a secret using an external key based on PCR(s) - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -278,6 +281,8 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[]) - } - #else - printf("File system support not compiled in!\n"); -+ (void)publicKeyFile; -+ (void)pcrSigFile; - rc = NOT_COMPILED_IN; - #endif - if (rc != TPM_RC_SUCCESS) { -@@ -311,6 +316,7 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[]) - #ifndef NO_FILESYSTEM - rc = readKeyBlob(sealFile, &sealBlob); - #else -+ (void)sealFile; - rc = NOT_COMPILED_IN; - #endif - if (rc != TPM_RC_SUCCESS) { -@@ -325,7 +331,14 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[]) - goto exit; - } - printf("Loaded sealBlob to 0x%x\n", (word32)sealBlob.handle.hndl); -- wolfTPM2_SetAuthHandle(&dev, 0, &sealBlob.handle); -+ -+ /* use the policy session for unseal */ -+ rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, -+ (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | -+ TPMA_SESSION_continueSession)); -+ if (rc != 0) goto exit; -+ /* set the sealed object name 0 (required) */ -+ wolfTPM2_SetAuthHandleName(&dev, 0, &sealBlob.handle); - - /* unseal */ - unsealIn.itemHandle = sealBlob.handle.hndl; -diff --git a/examples/boot/secure_rot.c b/examples/boot/secure_rot.c -index 5f01325..814adfe 100644 ---- a/examples/boot/secure_rot.c -+++ b/examples/boot/secure_rot.c -@@ -22,6 +22,9 @@ - /* Example for using TPM for secure boot root of trust - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/examples/csr/csr.c b/examples/csr/csr.c -index 6bd3bd0..e2a0333 100644 ---- a/examples/csr/csr.c -+++ b/examples/csr/csr.c -@@ -19,6 +19,9 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -186,17 +189,18 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]) - - rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, - &tpmDevId); -- if (rc == 0) { -- /* See if primary storage key already exists */ -- rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA); -- } - - #ifndef NO_RSA - if (rc == 0) { - tpmCtx.rsaKey = &key; /* Setup the wolf crypto device callback */ -- rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate, -+ -+ /* open the RSA SRK */ -+ rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA); -+ if (rc == 0) { -+ rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate, - TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | - TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA); -+ } - if (rc == 0) { - rc = getRSAkey(&dev, &storageKey, &key, NULL, tpmDevId, - (byte*)gKeyAuth, sizeof(gKeyAuth)-1, &publicTemplate); -@@ -207,6 +211,7 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]) - makeSelfSignedCert, tpmDevId, CTC_SHA256wRSA); - } - wolfTPM2_UnloadHandle(&dev, &key.handle); -+ wolfTPM2_UnloadHandle(&dev, &storageKey.handle); - } - #endif /* !NO_RSA */ - -@@ -214,18 +219,21 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]) - if (rc == 0) { - int sigType = CTC_SHA256wECDSA; - TPM_ECC_CURVE curve = TPM_ECC_NIST_P256; -- tpmCtx.eccKey = &key; -- - #if defined(NO_ECC256) && defined(HAVE_ECC384) && ECC_MIN_KEY_SZ <= 384 - /* make sure we use a curve that is enabled */ - sigType = CTC_SHA384wECDSA; - curve = TPM_ECC_NIST_P384; - #endif -+ tpmCtx.eccKey = &key; - -- rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate, -+ /* open the ECC SRK */ -+ rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_ECC); -+ if (rc == 0) { -+ rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate, - TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | - TPMA_OBJECT_sign | TPMA_OBJECT_noDA, - curve, TPM_ALG_ECDSA); -+ } - if (rc == 0) { - rc = getECCkey(&dev, &storageKey, &key, NULL, tpmDevId, - (byte*)gKeyAuth, sizeof(gKeyAuth)-1, &publicTemplate); -@@ -236,6 +244,7 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]) - makeSelfSignedCert, tpmDevId, sigType); - } - wolfTPM2_UnloadHandle(&dev, &key.handle); -+ wolfTPM2_UnloadHandle(&dev, &storageKey.handle); - } - #endif /* HAVE_ECC */ - -@@ -243,7 +252,6 @@ int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]) - printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc)); - } - -- wolfTPM2_UnloadHandle(&dev, &storageKey.handle); - wolfTPM2_Cleanup(&dev); - - return rc; -diff --git a/examples/firmware/Makefile b/examples/firmware/Makefile -new file mode 100644 -index 0000000..1bc53d2 ---- /dev/null -+++ b/examples/firmware/Makefile -@@ -0,0 +1,13 @@ -+CC=gcc -+CFLAGS=-Wall -Werror -Wextra -g -+LIBS= -+ -+all: clean ifx_fw_extract -+ -+ifx_fw_extract: ifx_fw_extract.o -+ $(CC) -o $@ $^ $(CFLAGS) $(LIBS) -+ -+.PHONY: clean -+ -+clean: -+ rm -f *.o ifx_fw_extract -diff --git a/examples/firmware/README.md b/examples/firmware/README.md -new file mode 100644 -index 0000000..45e4a60 ---- /dev/null -+++ b/examples/firmware/README.md -@@ -0,0 +1,104 @@ -+# TPM Firmware Update Support -+ -+Currently wolfTPM supports firmware update capability for the Infineon SLB9672 (SPI) and SLB9673 (I2C) TPM 2.0 modules. Infineon has open sourced their firmware update. -+ -+## Infineon Firmware -+ -+### Extracting the firmware -+ -+Infineon releases firmware as a .bin file (example: TPM20_15.23.17664.0_R1.BIN). -+ -+The .bin contains a 16-byte GUID header, at least one manifest based on key group and the firmware. A typical manifest is 3KB and firmware is 920KB. -+ -+We have included a host side tool `ifx_fw_extract` for extracting the manifest and firmware data file required for a TPM upgrade. -+ -+Example usage: -+ -+```sh -+# Build host tool -+make -+ -+# Help -+./ifx_fw_extract --help -+Usage: -+ ifx_fw_extract -+ ifx_fw_extract -+ -+# Find key groups in .bin -+./ifx_fw_extract TPM20_26.13.17770.0_R1.BIN -+Reading TPM20_26.13.17770.0_R1.BIN -+Found group 00000007 -+ -+# Extract manifest and firmware data files for key group -+./ifx_fw_extract TPM20_26.13.17770.0_R1.BIN 7 TPM20_26.13.17770.0_R1.MANIFEST TPM20_26.13.17770.0_R1.DATA -+Reading TPM20_26.13.17770.0_R1.BIN -+Found group 00000007 -+Chosen group found: 00000007 -+Manifest size is 3224 -+Data size is 934693 -+Writing TPM20_26.13.17770.0_R1.MANIFEST -+Writing TPM20_26.13.17770.0_R1.DATA -+``` -+ -+### Updating the firmware -+ -+The `ifx_fw_update` tool uses the manifest (header) and firmware data file. -+ -+The TPM has a vendor capability for getting the key group id. This is populated in the `WOLFTPM2_CAPS.keyGroupId` when `wolfTPM2_GetCapabilities` is called. This value should match the firmware extract tool `keygroup_id`. -+ -+```sh -+# Help -+./ifx_fw_update --help -+Infineon Firmware Update Usage: -+ ./ifx_fw_update (get info) -+ ./ifx_fw_update --abandon (cancel) -+ ./ifx_fw_update -+ -+# Run without arguments to display the current firmware information including key group id and operational mode -+./ifx_fw_update -+Infineon Firmware Update Tool -+TPM2: Caps 0x1ae00082, Did 0x001c, Vid 0x15d1, Rid 0x16 -+TPM2_Startup pass -+Mfg IFX (1), Vendor SLB9673, Fw 26.13 (0x456a) -+Operational mode: Normal TPM operational mode (0x0) -+KeyGroupId 0x7, FwCounter 1254 (255 same) -+ -+# Run with manifest and firmware files -+./ifx_fw_update TPM20_26.13.17770.0_R1.MANIFEST TPM20_26.13.17770.0_R1.DATA -+Infineon Firmware Update Tool -+ Manifest File: TPM20_26.13.17770.0_R1.MANIFEST -+ Firmware File: TPM20_26.13.17770.0_R1.DATA -+TPM2: Caps 0x1ae00082, Did 0x001c, Vid 0x15d1, Rid 0x16 -+TPM2_Startup pass -+Mfg IFX (1), Vendor SLB9673, Fw 26.13 (0x456a) -+Operational mode: Normal TPM operational mode (0x0) -+KeyGroupId 0x7, FwCounter 1254 (255 same) -+TPM2_StartAuthSession: handle 0x3000000, algorithm NULL -+TPM2_FlushContext: Closed handle 0x3000000 -+TPM2_StartAuthSession: handle 0x3000000, algorithm NULL -+Firmware manifest chunk 1024 offset (0 / 3224), state 1 -+Firmware manifest chunk 1024 offset (1024 / 3224), state 2 -+Firmware manifest chunk 1024 offset (2048 / 3224), state 2 -+Firmware manifest chunk 152 offset (3072 / 3224), state 0 -+Firmware data chunk offset 0 -+Firmware data chunk offset 1024 -+Firmware data chunk offset 2048 -+Firmware data chunk offset 3072 -+... -+Firmware data chunk offset 932864 -+Firmware data chunk offset 933888 -+Firmware data done -+Mfg IFX (1), Vendor , Fw 0.0 (0x0) -+Operational mode: After finalize or abandon, reboot required (0x4) -+KeyGroupId 0x7, FwCounter 1253 (254 same) -+TPM2_Shutdown failed 304: Unknown -+ -+# Reset or power cycle TPM -+./ifx_fw_update -+Infineon Firmware Update Tool -+TPM2: Caps 0x1ae00082, Did 0x001c, Vid 0x15d1, Rid 0x16 -+TPM2_Startup pass -+Mfg IFX (1), Vendor SLB9673, Fw 26.13 (0x456a) -+Operational mode: Normal TPM operational mode (0x0) -+KeyGroupId 0x7, FwCounter 1253 (254 same) -+``` -diff --git a/examples/firmware/ifx_fw_extract.c b/examples/firmware/ifx_fw_extract.c -new file mode 100644 -index 0000000..a2ddfc6 ---- /dev/null -+++ b/examples/firmware/ifx_fw_extract.c -@@ -0,0 +1,323 @@ -+/* ifx_fw_extract.c -+ * -+ * Copyright (C) 2006-2024 wolfSSL Inc. -+ * -+ * This file is part of wolfTPM. -+ * -+ * wolfTPM is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * wolfTPM is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA -+ */ -+ -+/* Tool source based on simple-update example from -+ * Infineon Technologies AG (www.infineon.com). -+ * This is a stand-alone host side tool for extracting the firmware -+ * manifest and data files from a supplied .bin -+ */ -+ -+#define _DEFAULT_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* Endianess helpers */ -+#if defined(__MACH__) || defined(__APPLE__) -+ #include -+ #include -+ -+ #define htobe16(x) OSSwapHostToBigInt16(x) -+ #define htole16(x) OSSwapHostToLittleInt16(x) -+ #define be16toh(x) OSSwapBigToHostInt16(x) -+ #define le16toh(x) OSSwapLittleToHostInt16(x) -+ -+ #define htobe32(x) OSSwapHostToBigInt32(x) -+ #define htole32(x) OSSwapHostToLittleInt32(x) -+ #define be32toh(x) OSSwapBigToHostInt32(x) -+ #define le32toh(x) OSSwapLittleToHostInt32(x) -+ -+ #define htobe64(x) OSSwapHostToBigInt64(x) -+ #define htole64(x) OSSwapHostToLittleInt64(x) -+ #define be64toh(x) OSSwapBigToHostInt64(x) -+ #define le64toh(x) OSSwapLittleToHostInt64(x) -+#else -+ #include -+#endif -+ -+/* Helper to print file and line */ -+#define LOG(t) { printf(__FILE__":%i: %s\n", __LINE__, t); } -+ -+#define READ_BE16(dest, buf, size, off) { \ -+ if (off + sizeof(dest) >= size) { \ -+ LOG("FW file too short"); \ -+ return -1; \ -+ } \ -+ memcpy(&dest, &fw[off], sizeof(dest)); \ -+ dest = be16toh(dest); \ -+ off += sizeof(dest); \ -+} -+ -+#define READ_BE32(dest, buf, size, off) { \ -+ if (off + sizeof(dest) >= size) { \ -+ LOG("FW file too short"); \ -+ return -1; \ -+ } \ -+ memcpy(&dest, &fw[off], sizeof(dest)); \ -+ dest = be32toh(dest); \ -+ off += sizeof(dest); \ -+} -+ -+ -+/* portability macros for stdio */ -+#define XFILE FILE* -+#define XFOPEN fopen -+#define XFSEEK fseek -+#define XFTELL ftell -+#define XREWIND rewind -+#define XFREAD fread -+#define XFWRITE fwrite -+#define XFCLOSE fclose -+#define XSEEK_END SEEK_END -+#define XBADFILE NULL -+#define XFGETS fgets -+#define XFEOF feof -+ -+ -+/* Helper function to split .bin into manifest and firmware file -+ * based on key group id */ -+/* Can also display the key group */ -+static int extractFW( -+ uint8_t *fw, size_t fw_size, uint32_t keygroup_id, -+ uint8_t **manifest, size_t *manifest_size, -+ uint8_t **data, size_t *data_size) -+{ -+ size_t offset = 0, offset2; -+ uint16_t size16, num; -+ uint32_t size32, group; -+ int i; -+ -+ /* all Infineon firmware.bin files have this GUID header */ -+ const uint8_t guid[] = { 0x1a, 0x53, 0x66, 0x7a, -+ 0xfb, 0x12, 0x47, 0x9e, -+ 0xac, 0x58, 0xec, 0x99, -+ 0x58, 0x86, 0x10, 0x94 }; -+ -+ if (offset + sizeof(guid) > fw_size) { -+ LOG("FW file too short"); -+ return -1; -+ } -+ if (memcmp(&fw[offset], &guid[0], sizeof(guid)) != 0) { -+ LOG("Wrong GUID"); -+ return -1; -+ } -+ offset += sizeof(guid) + 1; -+ -+ READ_BE16(size16, fw, fw_size, offset); -+ offset += size16 + 1; -+ -+ READ_BE16(size16, fw, fw_size, offset); -+ offset += size16; -+ -+ READ_BE16(size16, fw, fw_size, offset); -+ offset2 = offset; -+ offset += size16; -+ -+ READ_BE16(size16, fw, offset, offset2); -+ offset2 += size16; -+ -+ READ_BE16(num, fw, offset, offset2); -+ -+ *manifest = NULL; -+ for (i = 0; i < num; i++) { -+ READ_BE32(group, fw, offset, offset2); -+ printf("Found group %08x\n", group); -+ -+ READ_BE16(size16, fw, offset, offset2); -+ -+ if (group == keygroup_id) { -+ printf("Chosen group found: %08x\n", group); -+ *manifest = &fw[offset2]; -+ *manifest_size = size16; -+ } -+ offset2 += size16; -+ } -+ if (*manifest == NULL) { -+ if (keygroup_id == 0) { -+ /* just list key groups */ -+ return 0; -+ } -+ LOG("Chosen group not found"); -+ return -1; -+ } -+ -+ printf("Manifest size is %zi\n", *manifest_size); -+ if (offset2 != offset) { -+ LOG("Bad Manifest size"); -+ return -1; -+ } -+ -+ READ_BE32(size32, fw, fw_size, offset); -+ if (offset + size32 >= fw_size) { -+ LOG("FW file too short"); -+ return -1; -+ } -+ *data = &fw[offset]; -+ *data_size = size32; -+ offset += size32; -+ printf("Data size is %zi\n", *data_size); -+ -+ READ_BE16(size16, fw, fw_size, offset); -+ offset += size16 + 4; -+ -+ if (offset != fw_size) { -+ LOG("Wrong FW file size"); -+ printf("offset at %zi, fw_size at %zi\n", offset, fw_size); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+static int readfile(const char* fname, uint8_t** buf, size_t* bufLen) -+{ -+ int ret = 0; -+ ssize_t fileSz, readLen; -+ XFILE fp; -+ -+ if (fname == NULL || buf == NULL || bufLen == NULL) -+ return -1; -+ -+ /* open file (read-only binary) */ -+ fp = XFOPEN(fname, "rb"); -+ if (fp == XBADFILE) { -+ fprintf(stderr, "Error loading %s\n", fname); -+ return -1; -+ } -+ -+ XFSEEK(fp, 0, XSEEK_END); -+ fileSz = XFTELL(fp); -+ XREWIND(fp); -+ if (fileSz > 0) { -+ if (*buf == NULL) { -+ *buf = (uint8_t*)malloc(fileSz); -+ if (*buf == NULL) -+ ret = -1; -+ } -+ else if (*buf != NULL && fileSz > (ssize_t)*bufLen) { -+ ret = -1; -+ } -+ *bufLen = (size_t)fileSz; -+ if (ret == 0) { -+ readLen = XFREAD(*buf, 1, *bufLen, fp); -+ ret = (readLen == (ssize_t)*bufLen) ? 0 : -1; -+ } -+ } -+ else { -+ ret = -1; -+ } -+ XFCLOSE(fp); -+ return ret; -+} -+ -+static int writefile(const char* filename, const uint8_t *buf, size_t bufSz) -+{ -+ int rc = -1; -+ XFILE fp; -+ size_t fileSz = 0; -+ -+ if (filename == NULL || buf == NULL) -+ return -1; -+ -+ fp = XFOPEN(filename, "wb"); -+ if (fp != XBADFILE) { -+ fileSz = XFWRITE(buf, 1, bufSz, fp); -+ /* sanity check */ -+ if (fileSz == bufSz) { -+ rc = 0; -+ } -+ printf("Wrote %d bytes to %s\n", (int)fileSz, filename); -+ XFCLOSE(fp); -+ } -+ -+ return rc; -+} -+ -+int main(int argc, char **argv) -+{ -+ int rc; -+ uint8_t *manifest = NULL, *data = NULL, *fw = NULL; -+ size_t manifest_size, data_size, fw_size; -+ uint32_t keygroup_id = 0; -+ -+ if (argc <= 1 || -+ strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || -+ strcmp(argv[argc-1], "-h") == 0 || strcmp(argv[argc-1], "--help") == 0) -+ { -+ printf("Usage:\n"); -+ printf(" ifx_fw_extract \n"); -+ printf(" ifx_fw_extract " -+ " \n"); -+ exit(1); -+ } -+ -+ if (argc >= 2) { -+ if (readfile(argv[1], &fw, &fw_size) < 0) { -+ LOG("Cannot read FW file."); -+ rc = EXIT_FAILURE; -+ goto exit; -+ } -+ -+ if (argc >= 3) { -+ if (sscanf(argv[2], "0x%08x", &keygroup_id) != 1 && -+ sscanf(argv[2], "%08x", &keygroup_id) != 1) -+ { -+ LOG("Cannot read keygroup_id."); -+ rc = EXIT_FAILURE; -+ goto exit; -+ } -+ } -+ rc = extractFW(fw, fw_size, keygroup_id, -+ &manifest, &manifest_size, -+ &data, &data_size); -+ if (rc != 0) { -+ printf(__FILE__":%i: Received error 0x%08x\n", __LINE__, rc); -+ goto exit; -+ } -+ -+ if (argc >= 5) { -+ if (writefile(argv[3], manifest, manifest_size) < 0) { -+ rc = EXIT_FAILURE; -+ goto exit; -+ } -+ if (writefile(argv[4], data, data_size) < 0) { -+ rc = EXIT_FAILURE; -+ goto exit; -+ } -+ } -+ rc = 0; /* success */ -+ } -+ else { -+ printf("Bad arguments.\n"); -+ rc = EXIT_FAILURE; -+ } -+ -+exit: -+ if (fw != NULL) -+ free(fw); -+ return rc; -+} -diff --git a/examples/firmware/ifx_fw_update.c b/examples/firmware/ifx_fw_update.c -new file mode 100644 -index 0000000..35d35bf ---- /dev/null -+++ b/examples/firmware/ifx_fw_update.c -@@ -0,0 +1,235 @@ -+/* ifx_fw_update.c -+ * -+ * Copyright (C) 2006-2024 wolfSSL Inc. -+ * -+ * This file is part of wolfTPM. -+ * -+ * wolfTPM is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * wolfTPM is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA -+ */ -+ -+/* This tool will perform a firmware update on Infineon SLB9672 or SLB9673 -+ * TPM 2.0 module */ -+ -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ -+#include -+ -+#ifdef WOLFTPM_FIRMWARE_UPGRADE -+ -+#include -+#include -+#include -+ -+/******************************************************************************/ -+/* --- BEGIN TPM2.0 Firmware Update tool -- */ -+/******************************************************************************/ -+ -+static void usage(void) -+{ -+ printf("Infineon Firmware Update Usage:\n"); -+ printf("\t./ifx_fw_update (get info)\n"); -+ printf("\t./ifx_fw_update --abandon (cancel)\n"); -+ printf("\t./ifx_fw_update \n"); -+} -+ -+typedef struct { -+ byte* manifest_buf; -+ byte* firmware_buf; -+ size_t manifest_bufSz; -+ size_t firmware_bufSz; -+} fw_info_t; -+ -+static int TPM2_IFX_FwData_Cb(uint8_t* data, uint32_t data_req_sz, -+ uint32_t offset, void* cb_ctx) -+{ -+ fw_info_t* fwinfo = (fw_info_t*)cb_ctx; -+ if (offset > fwinfo->firmware_bufSz) { -+ return BUFFER_E; -+ } -+ if (offset + data_req_sz > (uint32_t)fwinfo->firmware_bufSz) { -+ data_req_sz = (uint32_t)fwinfo->firmware_bufSz - offset; -+ } -+ if (data_req_sz > 0) { -+ XMEMCPY(data, &fwinfo->firmware_buf[offset], data_req_sz); -+ } -+ return data_req_sz; -+} -+ -+static const char* TPM2_IFX_GetOpModeStr(int opMode) -+{ -+ const char* opModeStr = "Unknown"; -+ switch (opMode) { -+ case 0x00: -+ opModeStr = "Normal TPM operational mode"; -+ break; -+ case 0x01: -+ opModeStr = "TPM firmware update mode (abandon possible)"; -+ break; -+ case 0x02: -+ opModeStr = "TPM firmware update mode (abandon not possible)"; -+ break; -+ case 0x03: -+ opModeStr = "After successful update, but before finalize"; -+ break; -+ case 0x04: -+ opModeStr = "After finalize or abandon, reboot required"; -+ break; -+ default: -+ break; -+ } -+ return opModeStr; -+} -+ -+static int TPM2_IFX_PrintInfo(WOLFTPM2_DEV* dev) -+{ -+ int rc; -+ WOLFTPM2_CAPS caps; -+ rc = wolfTPM2_GetCapabilities(dev, &caps); -+ if (rc == TPM_RC_SUCCESS) { -+ printf("Mfg %s (%d), Vendor %s, Fw %u.%u (0x%x)\n", -+ caps.mfgStr, caps.mfg, caps.vendorStr, caps.fwVerMajor, -+ caps.fwVerMinor, caps.fwVerVendor); -+ printf("Operational mode: %s (0x%x)\n", -+ TPM2_IFX_GetOpModeStr(caps.opMode), caps.opMode); -+ printf("KeyGroupId 0x%x, FwCounter %d (%d same)\n", -+ caps.keyGroupId, caps.fwCounter, caps.fwCounterSame); -+ if (caps.keyGroupId == 0) { -+ printf("Error getting key group id from TPM!\n"); -+ rc = -1; -+ } -+ } -+ return rc; -+} -+ -+int TPM2_IFX_Firmware_Update(void* userCtx, int argc, char *argv[]) -+{ -+ int rc; -+ WOLFTPM2_DEV dev; -+ const char* manifest_file = NULL; -+ const char* firmware_file = NULL; -+ fw_info_t fwinfo; -+ int abandon = 0; -+ -+ XMEMSET(&fwinfo, 0, sizeof(fwinfo)); -+ -+ if (argc >= 2) { -+ if (XSTRCMP(argv[1], "-?") == 0 || -+ XSTRCMP(argv[1], "-h") == 0 || -+ XSTRCMP(argv[1], "--help") == 0) { -+ usage(); -+ return 0; -+ } -+ if (XSTRCMP(argv[1], "--abandon") == 0) { -+ abandon = 1; -+ } -+ else { -+ manifest_file = argv[1]; -+ if (argc >= 3) { -+ firmware_file = argv[2]; -+ } -+ } -+ } -+ -+ printf("Infineon Firmware Update Tool\n"); -+ if (manifest_file != NULL) -+ printf("\tManifest File: %s\n", manifest_file); -+ if (firmware_file != NULL) -+ printf("\tFirmware File: %s\n", firmware_file); -+ -+ rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx); -+ if (rc != TPM_RC_SUCCESS) { -+ printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); -+ goto exit; -+ } -+ -+ rc = TPM2_IFX_PrintInfo(&dev); -+ if (rc != 0) { -+ goto exit; -+ } -+ -+ if (abandon) { -+ printf("Firmware Update Abandon:\n"); -+ rc = wolfTPM2_FirmwareUpgradeCancel(&dev); -+ if (rc != 0) { -+ printf("Abandon failed 0x%x: %s\n", rc, TPM2_GetRCString(rc)); -+ } -+ else { -+ printf("Success: Please reset or power cycle TPM\n"); -+ } -+ return rc; -+ } -+ -+ if (manifest_file == NULL || firmware_file == NULL) { -+ if (argc > 1) { -+ printf("Manifest file or firmware file arguments missing!\n"); -+ } -+ goto exit; -+ } -+ -+ /* load manifest and data files */ -+ rc = loadFile(manifest_file, -+ &fwinfo.manifest_buf, &fwinfo.manifest_bufSz); -+ if (rc == 0) { -+ rc = loadFile(firmware_file, -+ &fwinfo.firmware_buf, &fwinfo.firmware_bufSz); -+ } -+ if (rc == 0) { -+ rc = wolfTPM2_FirmwareUpgrade(&dev, -+ fwinfo.manifest_buf, (uint32_t)fwinfo.manifest_bufSz, -+ TPM2_IFX_FwData_Cb, &fwinfo); -+ } -+ if (rc == 0) { -+ rc = TPM2_IFX_PrintInfo(&dev); -+ } -+ -+exit: -+ -+ if (rc != 0) { -+ printf("Infineon firmware update failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); -+ } -+ -+ XFREE(fwinfo.firmware_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); -+ XFREE(fwinfo.manifest_buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); -+ wolfTPM2_Cleanup(&dev); -+ -+ return rc; -+} -+ -+/******************************************************************************/ -+/* --- END TPM2.0 Firmware Update tool -- */ -+/******************************************************************************/ -+ -+#endif /* WOLFTPM_FIRMWARE_UPGRADE */ -+ -+#ifndef NO_MAIN_DRIVER -+int main(int argc, char *argv[]) -+{ -+ int rc = -1; -+ -+#ifdef WOLFTPM_FIRMWARE_UPGRADE -+ rc = TPM2_IFX_Firmware_Update(NULL, argc, argv); -+#else -+ printf("Support for firmware upgrade not compiled in! " -+ "See --enable-firmware or WOLFTPM_FIRMWARE_UPGRADE\n"); -+ (void)argc; -+ (void)argv; -+#endif /* WOLFTPM_FIRMWARE_UPGRADE */ -+ -+ return rc; -+} -+#endif -diff --git a/examples/firmware/ifx_fw_update.h b/examples/firmware/ifx_fw_update.h -new file mode 100644 -index 0000000..34d9fa5 ---- /dev/null -+++ b/examples/firmware/ifx_fw_update.h -@@ -0,0 +1,35 @@ -+/* ifx_firmware_update.h -+ * -+ * Copyright (C) 2006-2024 wolfSSL Inc. -+ * -+ * This file is part of wolfTPM. -+ * -+ * wolfTPM is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * wolfTPM is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA -+ */ -+ -+#ifndef _IFX_FIRMWARE_H_ -+#define _IFX_FIRMWARE_H_ -+ -+#ifdef __cplusplus -+ extern "C" { -+#endif -+ -+int TPM2_IFX_Firmware_Update(void* userCtx, int argc, char *argv[]); -+ -+#ifdef __cplusplus -+ } /* extern "C" */ -+#endif -+ -+#endif /* _IFX_FIRMWARE_H_ */ -diff --git a/examples/firmware/include.am b/examples/firmware/include.am -new file mode 100644 -index 0000000..f233fe4 ---- /dev/null -+++ b/examples/firmware/include.am -@@ -0,0 +1,24 @@ -+# vim:ft=automake -+# All paths should be given relative to the root -+ -+EXTRA_DIST += examples/firmware/README.md -+EXTRA_DIST += examples/firmware/Makefile -+ -+# Host side tool for extracting the firmware manifest and data -+EXTRA_DIST += examples/firmware/ifx_fw_extract.c -+ -+if BUILD_EXAMPLES -+if BUILD_INFINEON -+noinst_PROGRAMS += examples/firmware/ifx_fw_update -+noinst_HEADERS += examples/firmware/ifx_fw_update.h -+examples_firmware_ifx_fw_update_SOURCES = examples/firmware/ifx_fw_update.c \ -+ examples/tpm_test_keys.c -+examples_firmware_ifx_fw_update_LDADD = src/libwolftpm.la $(LIB_STATIC_ADD) -+examples_firmware_ifx_fw_update_DEPENDENCIES = src/libwolftpm.la -+endif -+endif -+ -+example_firmwaredir = $(exampledir)/firmware -+dist_example_firmware_DATA = examples/firmware/ifx_fw_update.c -+ -+DISTCLEANFILES+= examples/firmware/.libs/ifx_fw_update -diff --git a/examples/gpio/gpio_config.c b/examples/gpio/gpio_config.c -index ebd5cac..0d37c71 100644 ---- a/examples/gpio/gpio_config.c -+++ b/examples/gpio/gpio_config.c -@@ -20,7 +20,12 @@ - */ - - /* This examples demonstrates the use of GPIO available on some TPM modules. -- * Support tested with STM ST33 and Nuvoton NPCT750 FW 7.2.3.0 or later */ -+ * Support tested with STM ST33 and Nuvoton NPCT750 FW 7.2.3.0 or later -+ */ -+ -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - -diff --git a/examples/gpio/gpio_read.c b/examples/gpio/gpio_read.c -index e5ce2ab..076f9b5 100644 ---- a/examples/gpio/gpio_read.c -+++ b/examples/gpio/gpio_read.c -@@ -25,6 +25,10 @@ - * - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/gpio/gpio_set.c b/examples/gpio/gpio_set.c -index 8762ce9..77dc8cf 100644 ---- a/examples/gpio/gpio_set.c -+++ b/examples/gpio/gpio_set.c -@@ -25,6 +25,10 @@ - * - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/include.am b/examples/include.am -index 421fa33..2599321 100644 ---- a/examples/include.am -+++ b/examples/include.am -@@ -16,6 +16,7 @@ include examples/nvram/include.am - include examples/gpio/include.am - include examples/seal/include.am - include examples/attestation/include.am -+include examples/firmware/include.am - - if BUILD_EXAMPLES - EXTRA_DIST += examples/run_examples.sh -diff --git a/examples/keygen/create_primary.c b/examples/keygen/create_primary.c -index c981bec..a5f4acc 100644 ---- a/examples/keygen/create_primary.c -+++ b/examples/keygen/create_primary.c -@@ -21,6 +21,10 @@ - - /* Tool and example for creating and storing primary keys using TPM2.0 */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/keygen/external_import.c b/examples/keygen/external_import.c -index 48344c1..3b67dc4 100644 ---- a/examples/keygen/external_import.c -+++ b/examples/keygen/external_import.c -@@ -20,7 +20,12 @@ - */ - - /* Example for importing an external RSA key with seed and creating a -- * child key under it. */ -+ * child key under it. -+ */ -+ -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - -diff --git a/examples/keygen/keygen.c b/examples/keygen/keygen.c -index 7a7b6f5..ab87d47 100644 ---- a/examples/keygen/keygen.c -+++ b/examples/keygen/keygen.c -@@ -21,6 +21,10 @@ - - /* Tool and example for creating, storing and loading keys using TPM2.0 */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -@@ -232,14 +236,18 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) - } - - if (endorseKey) { -+ /* endorsement is always RSA */ - rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA); - endorse.handle.policyAuth = 1; /* EK requires Policy auth, not Password */ - pubFilename = ekPubFile; - primary = &endorse; - } - else { -- /* get SRK */ -- rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA); -+ /* SRK: Use RSA or ECC SRK only. Prefer ECC */ -+ TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; -+ if (alg == TPM_ALG_RSA) -+ srkAlg = TPM_ALG_RSA; -+ rc = getPrimaryStoragekey(&dev, &storage, srkAlg); - pubFilename = srkPubFile; - primary = &storage; - } -@@ -403,7 +411,8 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) - - pemFilename = (endorseKey) ? pemFileEk : pemFileSrk; - pemSz = (word32)sizeof(pem); -- rc = wolfTPM2_RsaKey_TpmToPemPub(&dev, primary, pem, &pemSz); -+ rc = wolfTPM2_ExportPublicKeyBuffer(&dev, primary, -+ ENCODING_TYPE_PEM, pem, &pemSz); - if (rc == 0) { - rc = writeBin(pemFilename, pem, pemSz); - } -@@ -411,8 +420,8 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]) - - pemFilename = (bAIK) ? pemFileAk : pemFileKey; - pemSz = (word32)sizeof(pem); -- rc = wolfTPM2_RsaKey_TpmToPemPub(&dev, (WOLFTPM2_KEY*)&newKeyBlob, -- pem, &pemSz); -+ rc = wolfTPM2_ExportPublicKeyBuffer(&dev, (WOLFTPM2_KEY*)&newKeyBlob, -+ ENCODING_TYPE_PEM, pem, &pemSz); - if (rc == 0) { - rc = writeBin(pemFilename, pem, pemSz); - } -diff --git a/examples/keygen/keyimport.c b/examples/keygen/keyimport.c -index cf4c781..eb6c96d 100644 ---- a/examples/keygen/keyimport.c -+++ b/examples/keygen/keyimport.c -@@ -21,6 +21,10 @@ - - /* Tool and example for creating, storing and loading keys using TPM2.0 */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -@@ -217,6 +221,11 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]) - } - } - else -+#else -+ (void)encType; -+ (void)attributes; -+ (void)bufSz; -+ (void)isPublicKey; - #endif - if (alg == TPM_ALG_RSA) { - printf("Loading example RSA key (see kRsaKeyPrivQ)\n"); -diff --git a/examples/keygen/keyload.c b/examples/keygen/keyload.c -index 9225159..343d7bb 100644 ---- a/examples/keygen/keyload.c -+++ b/examples/keygen/keyload.c -@@ -21,6 +21,9 @@ - - /* Tool and example for creating, storing and loading keys using TPM2.0 */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - /* use ANSI stdio for support of format strings, must be set before - * including stdio.h -@@ -116,14 +119,29 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) - goto exit; - } - -+ /* Load encrypted key from the disk */ -+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) -+ rc = readKeyBlob(inputFile, &newKey); -+ if (rc != 0) goto exit; -+#else -+ /* TODO: Option to load hex blob */ -+ printf("Loading blob from disk not supported. Enable wolfcrypt support.\n"); -+ goto exit; -+#endif -+ - if (endorseKey) { -+ /* endorsement is always RSA */ - rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA); - if (rc != 0) goto exit; - endorse.handle.policyAuth = 1; - primary = &endorse; - } -- else { /* SRK */ -- rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA); -+ else { -+ /* SRK: Use RSA or ECC SRK only. Prefer ECC */ -+ TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; -+ if (newKey.pub.publicArea.type == TPM_ALG_RSA) -+ srkAlg = TPM_ALG_RSA; -+ rc = getPrimaryStoragekey(&dev, &storage, srkAlg); - if (rc != 0) goto exit; - primary = &storage; - } -@@ -153,15 +171,6 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]) - if (rc != 0) goto exit; - } - -- /* Load encrypted key from the disk */ --#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) -- rc = readKeyBlob(inputFile, &newKey); -- if (rc != 0) goto exit; --#else -- /* TODO: Option to load hex blob */ -- printf("Loading blob from disk not supported. Enable wolfcrypt support.\n"); -- goto exit; --#endif - - if (newKey.priv.size == 0) { - rc = wolfTPM2_LoadPublicKey(&dev, (WOLFTPM2_KEY*)&newKey, &newKey.pub); -diff --git a/examples/management/flush.c b/examples/management/flush.c -index 82d0180..dc635f4 100644 ---- a/examples/management/flush.c -+++ b/examples/management/flush.c -@@ -21,6 +21,10 @@ - - /* This is a helper tool for reseting the value of a TPM2.0 PCR */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/native/native_test.c b/examples/native/native_test.c -index e471bf0..646c6db 100644 ---- a/examples/native/native_test.c -+++ b/examples/native/native_test.c -@@ -21,6 +21,10 @@ - - /* This example shows using the TPM2_ specification API's in TPM2_Native_Test() */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - #include - -@@ -327,7 +331,7 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]) - #if defined(WOLFTPM_ST33) || defined(WOLFTPM_AUTODETECT) - if (TPM2_GetVendorID() == TPM_VENDOR_STM) { - XMEMSET(&cmdIn.getRand, 0, sizeof(cmdIn.getRand)); -- i = (int)sizeof(cmdOut.getRand2.randomBytes); -+ i = (int)sizeof(cmdOut.getRand2.randomBytes.buffer); - if (i > (MAX_RESPONSE_SIZE-(int)sizeof(UINT16))) { - i = (MAX_RESPONSE_SIZE-(int)sizeof(UINT16)); - } -@@ -357,7 +361,7 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]) - /* the getRand and getRand2 have same return size header in cmdOut union */ - if (cmdOut.getRand.randomBytes.size != i) { - printf("TPM2_GetRandom length mismatch %d != %d\n", -- cmdOut.getRand.randomBytes.size, MAX_RNG_REQ_SIZE); -+ cmdOut.getRand.randomBytes.size, i); - goto exit; - } - printf("TPM2_GetRandom: Got %d bytes\n", cmdOut.getRand.randomBytes.size); -@@ -367,7 +371,7 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]) - - /* Stir Random */ - XMEMSET(&cmdIn.stirRand, 0, sizeof(cmdIn.stirRand)); -- cmdIn.stirRand.inData.size = cmdOut.getRand.randomBytes.size; -+ cmdIn.stirRand.inData.size = MAX_RNG_REQ_SIZE; - XMEMCPY(cmdIn.stirRand.inData.buffer, - cmdOut.getRand.randomBytes.buffer, cmdIn.stirRand.inData.size); - rc = TPM2_StirRandom(&cmdIn.stirRand); -diff --git a/examples/nvram/counter.c b/examples/nvram/counter.c -index 75e9e80..5d3dd82 100644 ---- a/examples/nvram/counter.c -+++ b/examples/nvram/counter.c -@@ -24,7 +24,11 @@ - * NB: This example uses Parameter Encryption to protect - * the Password Authorization of the TPM NVRAM Index - * -- **/ -+ */ -+ -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - -diff --git a/examples/nvram/policy_nv.c b/examples/nvram/policy_nv.c -index d8e575d..b858ca9 100644 ---- a/examples/nvram/policy_nv.c -+++ b/examples/nvram/policy_nv.c -@@ -24,7 +24,11 @@ - * NB: This example uses Parameter Encryption to protect the password of the - * TPM NVRAM Index, where the private and public parts of a TPM key is stored - * -- **/ -+ */ -+ -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - -diff --git a/examples/nvram/read.c b/examples/nvram/read.c -index 869cbb8..d90172f 100644 ---- a/examples/nvram/read.c -+++ b/examples/nvram/read.c -@@ -24,7 +24,11 @@ - * NB: This example uses Parameter Encryption to protect - * the Password Authorization of the TPM NVRAM Index - * -- **/ -+ */ -+ -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - -diff --git a/examples/nvram/store.c b/examples/nvram/store.c -index 4cb8e3b..007a6e7 100644 ---- a/examples/nvram/store.c -+++ b/examples/nvram/store.c -@@ -24,7 +24,11 @@ - * NB: This example uses Parameter Encryption to protect the password of the - * TPM NVRAM Index, where the private and public parts of a TPM key is stored - * -- **/ -+ */ -+ -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - -diff --git a/examples/pcr/extend.c b/examples/pcr/extend.c -index 0378b7e..5220948 100644 ---- a/examples/pcr/extend.c -+++ b/examples/pcr/extend.c -@@ -21,6 +21,10 @@ - - /* This is a helper tool for extending hash into a TPM2.0 PCR */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #ifndef WOLFTPM2_NO_WRAPPER -diff --git a/examples/pcr/policy.c b/examples/pcr/policy.c -index dc79608..dfaafef 100644 ---- a/examples/pcr/policy.c -+++ b/examples/pcr/policy.c -@@ -21,6 +21,10 @@ - - /* This is a helper tool for setting policies on a TPM 2.0 PCR */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/pcr/policy_sign.c b/examples/pcr/policy_sign.c -index 72a3673..4cf64e1 100644 ---- a/examples/pcr/policy_sign.c -+++ b/examples/pcr/policy_sign.c -@@ -22,13 +22,17 @@ - /* Example for signing PCR(s) to create a policy for unsealing a secret - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include - - #include - --#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) -+#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ -+ !defined(NO_FILESYSTEM) - - #include - #include -@@ -63,7 +67,6 @@ static void usage(void) - printf("./examples/pcr/policy_sign -pcr=16 -pcr=15 -pcrdigest=ba8ac02be16d9d33080d98611d70bb869aa8ac3fc684ab732b91f75f164b36bc\n"); - } - --#ifndef NO_FILESYSTEM - #ifndef WC_MAX_ENCODED_DIG_ASN_SZ - #define WC_MAX_ENCODED_DIG_ASN_SZ 9 /* enum(bit or octet) + length(4) */ - #endif -@@ -214,7 +217,6 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password, - } - return rc; - } --#endif /* !NO_FILESYSTEM */ - - int TPM2_PCR_PolicySign_Example(void* userCtx, int argc, char *argv[]) - { -@@ -358,9 +360,7 @@ int TPM2_PCR_PolicySign_Example(void* userCtx, int argc, char *argv[]) - if (rc == 0) { - printf("PCR Policy Signature (%d bytes):\n", sigSz); - printHexString(sig, sigSz, 32); -- #if !defined(NO_FILESYSTEM) - rc = writeBin(outFile, sig, sigSz); -- #endif - } - if (rc == 0) { - /* Create Signing Authority Policy */ -@@ -374,9 +374,7 @@ int TPM2_PCR_PolicySign_Example(void* userCtx, int argc, char *argv[]) - if (rc == 0) { - printf("Policy Authorize Digest (%d bytes):\n", digestSz); - printHexString(digest, digestSz, digestSz); -- #if !defined(NO_FILESYSTEM) - rc = writeBin(outPolicyFile, digest, digestSz); -- #endif - } - } - } -@@ -395,7 +393,7 @@ exit: - - return rc; - } --#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT */ -+#endif /* !WOLFTPM2_NO_WRAPPER && !WOLFTPM2_NO_WOLFCRYPT && !NO_FILESYSTEM */ - - /******************************************************************************/ - /* --- END TPM Secure Boot Sign Policy Example -- */ -@@ -406,7 +404,8 @@ int main(int argc, char *argv[]) - { - int rc = NOT_COMPILED_IN; - --#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) -+#if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \ -+ !defined(NO_FILESYSTEM) - rc = TPM2_PCR_PolicySign_Example(NULL, argc, argv); - #else - printf("Example not compiled in! Requires Wrapper and wolfCrypt\n"); -diff --git a/examples/pcr/quote.c b/examples/pcr/quote.c -index 1519692..dc30ad7 100644 ---- a/examples/pcr/quote.c -+++ b/examples/pcr/quote.c -@@ -23,6 +23,10 @@ - * PCR measurement. PCR values are used as basis for system integrity. - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #ifndef WOLFTPM2_NO_WRAPPER -diff --git a/examples/pcr/read_pcr.c b/examples/pcr/read_pcr.c -index 098a39b..2e9de46 100644 ---- a/examples/pcr/read_pcr.c -+++ b/examples/pcr/read_pcr.c -@@ -21,6 +21,10 @@ - - /* This is a helper tool for reading the value of a TPM2.0 PCR */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/pcr/reset.c b/examples/pcr/reset.c -index 7ed1d80..e2caf50 100644 ---- a/examples/pcr/reset.c -+++ b/examples/pcr/reset.c -@@ -21,6 +21,10 @@ - - /* This is a helper tool for reseting the value of a TPM2.0 PCR */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #ifndef WOLFTPM2_NO_WRAPPER -diff --git a/examples/pkcs7/pkcs7.c b/examples/pkcs7/pkcs7.c -index 7ef8730..eac18f5 100644 ---- a/examples/pkcs7/pkcs7.c -+++ b/examples/pkcs7/pkcs7.c -@@ -19,6 +19,9 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -89,14 +92,14 @@ static int GetMyData(byte* buffer, word32 bufSz, word32 offset) - - /* The wc_PKCS7_EncodeSignedData_ex and wc_PKCS7_VerifySignedData_ex functions - were added in this PR https://github.com/wolfSSL/wolfssl/pull/1780. */ --static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* der) -+static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* derCert, -+ WOLFTPM2_BUFFER* derPubKey, int alg, enum wc_HashType hashType, const char* outFile) - { - int rc; - PKCS7 pkcs7; - wc_HashAlg hash; -- enum wc_HashType hashType = WC_HASH_TYPE_SHA256; -- byte hashBuf[TPM_SHA256_DIGEST_SIZE]; -- word32 hashSz = wc_HashGetDigestSize(hashType); -+ byte hashBuf[TPM_MAX_DIGEST_SIZE]; -+ word32 hashSz; - byte outputHead[MAX_PKCS7_SIZE], outputFoot[MAX_PKCS7_SIZE]; - int outputHeadSz, outputFootSz; - byte dataChunk[MY_DATA_CHUNKS]; -@@ -107,6 +110,11 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* - - XMEMSET(&pkcs7, 0, sizeof(pkcs7)); - -+ hashSz = wc_HashGetDigestSize(hashType); -+ if (hashSz <= 0) { -+ return hashSz; -+ } -+ - /* calculate hash for content */ - rc = wc_HashInit(&hash, hashType); - if (rc == 0) { -@@ -131,14 +139,18 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* - /* Generate and verify PKCS#7 files containing data using TPM key */ - rc = wc_PKCS7_Init(&pkcs7, NULL, tpmDevId); - if (rc != 0) goto exit; -- rc = wc_PKCS7_InitWithCert(&pkcs7, der->buffer, der->size); -+ rc = wc_PKCS7_InitWithCert(&pkcs7, derCert->buffer, derCert->size); - if (rc != 0) goto exit; - - pkcs7.content = NULL; /* not used */ - pkcs7.contentSz = dataChunkSz; -- pkcs7.encryptOID = RSAk; -- pkcs7.hashOID = SHA256h; -+ pkcs7.encryptOID = (alg == TPM_ALG_RSA) ? RSAk : ECDSAk; -+ pkcs7.hashOID = wc_HashGetOID(hashType); - pkcs7.rng = wolfTPM2_GetRng(dev); -+ /* pass public key instead of private here. The PKCS7 will try a public -+ * key decode if using crypto callbacks */ -+ pkcs7.privateKey = derPubKey->buffer; -+ pkcs7.privateKeySz = derPubKey->size; - - outputHeadSz = (int)sizeof(outputHead); - outputFootSz = (int)sizeof(outputFoot); -@@ -157,7 +169,7 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* - TPM2_PrintBin(outputFoot, outputFootSz); - - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) -- pemFile = XFOPEN("./examples/pkcs7/pkcs7tpmsignedex.p7s", "wb"); -+ pemFile = XFOPEN(outFile, "wb"); - if (pemFile != XBADFILE) { - - /* Header */ -@@ -192,6 +204,8 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* - - XFCLOSE(pemFile); - } -+#else -+ (void)outFile; - #endif - - /* Test verify with TPM */ -@@ -227,7 +241,8 @@ exit: - } - #endif /* ENABLE_PKCS7EX_EXAMPLE */ - --static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* der) -+static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* derCert, -+ WOLFTPM2_BUFFER* derPubKey, int alg, enum wc_HashType hashType, const char* outFile) - { - int rc; - PKCS7 pkcs7; -@@ -243,14 +258,18 @@ static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* de - /* Generate and verify PKCS#7 files containing data using TPM key */ - rc = wc_PKCS7_Init(&pkcs7, NULL, tpmDevId); - if (rc != 0) goto exit; -- rc = wc_PKCS7_InitWithCert(&pkcs7, der->buffer, der->size); -+ rc = wc_PKCS7_InitWithCert(&pkcs7, derCert->buffer, derCert->size); - if (rc != 0) goto exit; - - pkcs7.content = data; - pkcs7.contentSz = (word32)sizeof(data); -- pkcs7.encryptOID = RSAk; -- pkcs7.hashOID = SHA256h; -+ pkcs7.encryptOID = (alg == TPM_ALG_RSA) ? RSAk : ECDSAk; -+ pkcs7.hashOID = wc_HashGetOID(hashType); - pkcs7.rng = wolfTPM2_GetRng(dev); -+ /* pass public key instead of private here. The PKCS7 will try a public -+ * key decode if using crypto callbacks */ -+ pkcs7.privateKey = derPubKey->buffer; -+ pkcs7.privateKeySz = derPubKey->size; - - rc = wc_PKCS7_EncodeSignedData(&pkcs7, output, sizeof(output)); - if (rc <= 0) goto exit; -@@ -261,7 +280,7 @@ static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* de - TPM2_PrintBin(output, outputSz); - - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) -- pemFile = XFOPEN("./examples/pkcs7/pkcs7tpmsigned.p7s", "wb"); -+ pemFile = XFOPEN(outFile, "wb"); - if (pemFile != XBADFILE) { - rc = (int)XFWRITE(output, 1, outputSz, pemFile); - XFCLOSE(pemFile); -@@ -297,6 +316,16 @@ exit: - return rc; - } - -+static void usage(void) -+{ -+ printf("Expected usage:\n"); -+ printf("./examples/pkcs7/pkcs7 [-ecc/-rsa] [-out=]\n"); -+ printf("* -ecc/-rsa: Use RSA or ECC key (default is RSA)\n"); -+ printf("* -incert=file: Certificate for key used\n"); -+ printf("\tDefault: RSA=./certs/client-rsa-cert.der, ECC=./certs/client-ecc-cert.der\n"); -+ printf("* -out=file: Generated PKCS7 file containing signed data and certificate\n"); -+} -+ - int TPM2_PKCS7_Example(void* userCtx) - { - return TPM2_PKCS7_ExampleArgs(userCtx, 0, NULL); -@@ -306,22 +335,62 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[]) - int rc; - WOLFTPM2_DEV dev; - WOLFTPM2_KEY storageKey; -- WOLFTPM2_KEY rsaKey; -+ WOLFTPM2_KEY tpmKey; - TPMT_PUBLIC publicTemplate; - TpmCryptoDevCtx tpmCtx; - int tpmDevId; -- WOLFTPM2_BUFFER der; -+ WOLFTPM2_BUFFER derCert; -+ WOLFTPM2_BUFFER derPubKey; - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - XFILE derFile; -+ const char* inCert = NULL; - #endif -+ TPM_ALG_ID alg = TPM_ALG_RSA; -+ const char* outFile = "./examples/pkcs7/pkcs7tpmsigned.p7s"; -+ const char* outFileEx = "./examples/pkcs7/pkcs7tpmsignedex.p7s"; -+ enum wc_HashType hashType = WC_HASH_TYPE_SHA256; - -- (void)argc; -- (void)argv; -+ if (argc >= 2) { -+ if (XSTRCMP(argv[1], "-?") == 0 || -+ XSTRCMP(argv[1], "-h") == 0 || -+ XSTRCMP(argv[1], "--help") == 0) { -+ usage(); -+ return 0; -+ } -+ } -+ while (argc > 1) { -+ if (XSTRCMP(argv[argc-1], "-ecc") == 0) { -+ alg = TPM_ALG_ECC; -+ } -+ else if (XSTRCMP(argv[argc-1], "-rsa") == 0) { -+ alg = TPM_ALG_RSA; -+ } -+ #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) -+ else if (XSTRNCMP(argv[argc-1], "-incert=", -+ XSTRLEN("-incert=")) == 0) { -+ inCert = argv[argc-1] + XSTRLEN("-incert="); -+ } -+ #endif -+ else if (XSTRNCMP(argv[argc-1], "-out=", -+ XSTRLEN("-out=")) == 0) { -+ outFile = argv[argc-1] + XSTRLEN("-out="); -+ } -+ else if (XSTRNCMP(argv[argc-1], "-outex=", -+ XSTRLEN("-outex=")) == 0) { -+ outFileEx = argv[argc-1] + XSTRLEN("-outex="); -+ } -+ else { -+ printf("Warning: Unrecognized option: %s\n", argv[argc-1]); -+ } -+ argc--; -+ } - - printf("TPM2 PKCS7 Example\n"); - -- XMEMSET(&der, 0, sizeof(der)); -- XMEMSET(&rsaKey, 0, sizeof(rsaKey)); -+ -+ XMEMSET(&derCert, 0, sizeof(derCert)); -+ XMEMSET(&derPubKey, 0, sizeof(derPubKey)); -+ XMEMSET(&tpmKey, 0, sizeof(tpmKey)); - XMEMSET(&storageKey, 0, sizeof(storageKey)); - - /* Init the TPM2 device */ -@@ -331,60 +400,110 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[]) - /* Setup the wolf crypto device callback */ - XMEMSET(&tpmCtx, 0, sizeof(tpmCtx)); - #ifndef NO_RSA -- tpmCtx.rsaKey = &rsaKey; -+ if (alg == TPM_ALG_RSA) -+ tpmCtx.rsaKey = &tpmKey; -+#endif -+#ifdef HAVE_ECC -+ if (alg == TPM_ALG_ECC) -+ tpmCtx.eccKey = &tpmKey; - #endif - rc = wolfTPM2_SetCryptoDevCb(&dev, wolfTPM2_CryptoDevCb, &tpmCtx, &tpmDevId); - if (rc < 0) goto exit; - - /* get SRK */ -- rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA); -+ rc = getPrimaryStoragekey(&dev, &storageKey, alg); - if (rc != 0) goto exit; - -- /* Create/Load RSA key for PKCS7 signing */ -- rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate, -- TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | -- TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA); -- if (rc != 0) goto exit; -+ /* Create/Load key for PKCS7 signing */ -+ if (alg == TPM_ALG_RSA) { -+ rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate, -+ TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | -+ TPMA_OBJECT_decrypt | TPMA_OBJECT_sign | TPMA_OBJECT_noDA); -+ if (rc == 0) { -+ rc = getRSAkey(&dev, -+ &storageKey, -+ &tpmKey, -+ NULL, -+ tpmDevId, -+ (byte*)gKeyAuth, sizeof(gKeyAuth)-1, -+ &publicTemplate); -+ } -+ if (rc == 0) { -+ /* export public key as DER for PKCS7, so it has the key information */ - -- rc = getRSAkey(&dev, -- &storageKey, -- &rsaKey, -- NULL, -- tpmDevId, -- (byte*)gKeyAuth, sizeof(gKeyAuth)-1, -- &publicTemplate); -- if (rc != 0) goto exit; -- wolfTPM2_SetAuthHandle(&dev, 0, &rsaKey.handle); -+ } -+ } -+ else { -+ TPM_ECC_CURVE curve; -+ #if defined(NO_ECC256) && defined(HAVE_ECC384) && ECC_MIN_KEY_SZ <= 384 -+ /* make sure we use a curve that is enabled */ -+ curve = TPM_ECC_NIST_P384; -+ #else -+ curve = TPM_ECC_NIST_P256; -+ #endif -+ -+ rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate, -+ TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | -+ TPMA_OBJECT_sign | TPMA_OBJECT_noDA, -+ curve, TPM_ALG_ECDSA); -+ if (rc == 0) { -+ rc = getECCkey(&dev, -+ &storageKey, -+ &tpmKey, -+ NULL, -+ tpmDevId, -+ (byte*)gKeyAuth, sizeof(gKeyAuth)-1, -+ &publicTemplate); -+ } -+ if (rc == 0) { -+ /* export public key as DER for PKCS7, so it has the key information */ - -+ } -+ } -+ if (rc != 0) goto exit; -+ wolfTPM2_SetAuthHandle(&dev, 0, &tpmKey.handle); - - /* load DER certificate for TPM key (obtained by running -- `./examples/csr/csr` and `./certs/certreq.sh`) */ -+ * `./examples/csr/csr` and `./certs/certreq.sh`) */ - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) -- derFile = XFOPEN("./certs/client-rsa-cert.der", "rb"); -+ if (inCert == NULL) { -+ if (alg == TPM_ALG_RSA) -+ inCert = "./certs/client-rsa-cert.der"; -+ else -+ inCert = "./certs/client-ecc-cert.der"; -+ } -+ derFile = XFOPEN(inCert, "rb"); - if (derFile != XBADFILE) { - XFSEEK(derFile, 0, XSEEK_END); -- der.size = (int)XFTELL(derFile); -+ derCert.size = (int)XFTELL(derFile); - XREWIND(derFile); -- if (der.size > (int)sizeof(der.buffer)) { -+ if (derCert.size > (int)sizeof(derCert.buffer)) { - rc = BUFFER_E; - } - else { -- rc = (int)XFREAD(der.buffer, 1, der.size, derFile); -- rc = (rc == der.size) ? 0 : -1; -+ rc = (int)XFREAD(derCert.buffer, 1, derCert.size, derFile); -+ rc = (rc == derCert.size) ? 0 : -1; - } - XFCLOSE(derFile); - if (rc != 0) goto exit; - } - #endif - -+ /* Export TPM public key as DER/ASN.1 (should match certificate) */ -+ derPubKey.size = (int)sizeof(derPubKey.buffer); -+ rc = wolfTPM2_ExportPublicKeyBuffer(&dev, &tpmKey, -+ ENCODING_TYPE_ASN1, derPubKey.buffer, (word32*)&derPubKey.size); -+ if (rc != 0) goto exit; - - /* PKCS 7 sign/verify example */ -- rc = PKCS7_SignVerify(&dev, tpmDevId, &der); -+ rc = PKCS7_SignVerify(&dev, tpmDevId, &derCert, &derPubKey, alg, hashType, -+ outFile); - if (rc != 0) goto exit; - - #ifdef ENABLE_PKCS7EX_EXAMPLE - /* PKCS 7 large data sign/verify example */ -- rc = PKCS7_SignVerifyEx(&dev, tpmDevId, &der); -+ rc = PKCS7_SignVerifyEx(&dev, tpmDevId, &derCert, &derPubKey, alg, hashType, -+ outFileEx); - if (rc != 0) goto exit; - #endif - -@@ -394,7 +513,7 @@ exit: - printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc)); - } - -- wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); -+ wolfTPM2_UnloadHandle(&dev, &tpmKey.handle); - - wolfTPM2_Cleanup(&dev); - -diff --git a/examples/run_examples.sh b/examples/run_examples.sh -index 8f4ba75..01c1b64 100755 ---- a/examples/run_examples.sh -+++ b/examples/run_examples.sh -@@ -16,23 +16,23 @@ touch run.out - - # Native API test TPM2_x - echo -e "Native tests for TPM2_x API's" --./examples/native/native_test >> run.out -+./examples/native/native_test >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "native_test failed! $RESULT$RESULT" && exit 1 - - - # Wrapper tests - echo -e "Wrapper tests" --./examples/wrap/wrap_test >> run.out -+./examples/wrap/wrap_test >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "wrap_test failed! $RESULT" && exit 1 - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/wrap/wrap_test -xor >> run.out -+ ./examples/wrap/wrap_test -xor >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "wrap_test (XOR param enc) failed! $RESULT" && exit 1 - fi - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/wrap/wrap_test -aes >> run.out -+ ./examples/wrap/wrap_test -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "wrap_test (AES param enc) failed! $RESULT" && exit 1 - fi -@@ -40,78 +40,78 @@ fi - - # Key Generation Tests - echo -e "Key Generation Tests" --./examples/keygen/keygen keyblob.bin -rsa >> run.out -+./examples/keygen/keygen keyblob.bin -rsa >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen rsa failed! $RESULT" && exit 1 --./examples/keygen/keyload keyblob.bin >> run.out -+./examples/keygen/keyload keyblob.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload rsa failed! $RESULT" && exit 1 - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out -+ ./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc failed! $RESULT" && exit 1 -- ./examples/keygen/keyload keyblob.bin -aes >> run.out -+ ./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc failed! $RESULT" && exit 1 - -- ./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out -+ ./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 -- ./examples/keygen/keyload rsakeyblob.bin >> run.out -+ ./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1 - RESULT=$? - rm -f rsakeyblob.bin - [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1 - fi - # keeping keyblob.bin for later tests - --./examples/keygen/keygen ecckeyblob.bin -ecc >> run.out -+./examples/keygen/keygen ecckeyblob.bin -ecc >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen ecc failed! $RESULT" && exit 1 --./examples/keygen/keyload ecckeyblob.bin >> run.out -+./examples/keygen/keyload ecckeyblob.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload ecc failed! $RESULT" && exit 1 - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out -+ ./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1 -- ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out -+ ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1 -- ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out -+ ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1 - fi - rm -f ecckeyblob.bin - --./examples/keygen/keygen symkeyblob.bin -sym=aescfb128 >> run.out -+./examples/keygen/keygen symkeyblob.bin -sym=aescfb128 >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen sym aes failed! $RESULT" && exit 1 --./examples/keygen/keyload symkeyblob.bin >> run.out -+./examples/keygen/keyload symkeyblob.bin >> run.out 2>&1 - RESULT=$? - rm -f symkeyblob.bin - [ $RESULT -ne 0 ] && echo -e "keygen sym aes load failed! $RESULT" && exit 1 - --./examples/keygen/keygen keyedhashblob.bin -keyedhash >> run.out -+./examples/keygen/keygen keyedhashblob.bin -keyedhash >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen keyed hash failed! $RESULT" && exit 1 --./examples/keygen/keyload keyedhashblob.bin >> run.out -+./examples/keygen/keyload keyedhashblob.bin >> run.out 2>&1 - RESULT=$? - rm -f keyedhashblob.bin - [ $RESULT -ne 0 ] && echo -e "keygen keyed hash load failed! $RESULT" && exit 1 - - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - # KeyGen under Endorsement -- ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> run.out -+ ./examples/keygen/keygen rsakeyblobeh.bin -rsa -eh >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1 -- ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> run.out -+ ./examples/keygen/keyload rsakeyblobeh.bin -rsa -eh >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keyload endorsement rsa failed! $RESULT" && exit 1 - -- ./examples/keygen/keygen ecckeyblobeh.bin -ecc -eh >> run.out -+ ./examples/keygen/keygen ecckeyblobeh.bin -ecc -eh >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1 -- ./examples/keygen/keyload ecckeyblobeh.bin -ecc -eh >> run.out -+ ./examples/keygen/keyload ecckeyblobeh.bin -ecc -eh >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen endorsement rsa failed! $RESULT" && exit 1 - fi -@@ -120,73 +120,77 @@ fi - # NV Tests - echo -e "NV Tests" - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/nvram/store -aes >> run.out -+ ./examples/nvram/store -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv store param enc failed! $RESULT" && exit 1 -- ./examples/nvram/read -aes >> run.out -+ ./examples/nvram/read -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv read param enc failed! $RESULT" && exit 1 - fi --./examples/nvram/store -priv >> run.out -+./examples/nvram/store -priv >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv store priv only failed! $RESULT" && exit 1 --./examples/nvram/read -priv >> run.out -+./examples/nvram/read -priv >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv read priv only failed! $RESULT" && exit 1 - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/nvram/store -priv -aes >> run.out -+ ./examples/nvram/store -priv -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc failed! $RESULT" && exit 1 -- ./examples/nvram/read -priv -aes >> run.out -+ ./examples/nvram/read -priv -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc failed! $RESULT" && exit 1 - fi --./examples/nvram/store -pub >> run.out -+./examples/nvram/store -pub >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv store pub only failed! $RESULT" && exit 1 --./examples/nvram/read -pub >> run.out -+./examples/nvram/read -pub >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv read pub only failed! $RESULT" && exit 1 - --./examples/nvram/policy_nv >> run.out -+./examples/nvram/policy_nv >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv policy nv failed! $RESULT" && exit 1 --./examples/nvram/policy_nv -aes >> run.out -+./examples/nvram/policy_nv -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "nv policy nv aes failed! $RESULT" && exit 1 - - - # CSR Tests --./examples/keygen/keygen rsa_test_blob.raw -rsa -t >> run.out -+./examples/keygen/keygen rsa_test_blob.raw -rsa -t >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen rsa test for csr failed! $RESULT" && exit 1 --./examples/keygen/keygen ecc_test_blob.raw -ecc -t >> run.out -+./examples/keygen/keygen ecc_test_blob.raw -ecc -t >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen ecc test for csr failed! $RESULT" && exit 1 - - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/csr/csr -cert >> run.out -+ ./examples/csr/csr -cert >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "cert self-signed failed! $RESULT" && exit 1 - -- cp ./certs/tpm-rsa-cert.pem $WOLFSSL_PATH/certs/tpm-rsa-cert.pem >> run.out -- cp ./certs/tpm-ecc-cert.pem $WOLFSSL_PATH/certs/tpm-ecc-cert.pem >> run.out -+ cp ./certs/tpm-rsa-cert.pem $WOLFSSL_PATH/certs/tpm-rsa-cert.pem >> run.out 2>&1 -+ cp ./certs/tpm-ecc-cert.pem $WOLFSSL_PATH/certs/tpm-ecc-cert.pem >> run.out 2>&1 - -- ./examples/csr/csr >> run.out -+ ./examples/csr/csr >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "csr gen failed! $RESULT" && exit 1 - -- ./certs/certreq.sh 2>&1 >> run.out -- cp ./certs/ca-ecc-cert.pem $WOLFSSL_PATH/certs/tpm-ca-ecc-cert.pem >> run.out -- cp ./certs/ca-rsa-cert.pem $WOLFSSL_PATH/certs/tpm-ca-rsa-cert.pem >> run.out -+ ./certs/certreq.sh 2>&1 >> run.out 2>&1 -+ cp ./certs/ca-ecc-cert.pem $WOLFSSL_PATH/certs/tpm-ca-ecc-cert.pem >> run.out 2>&1 -+ cp ./certs/ca-rsa-cert.pem $WOLFSSL_PATH/certs/tpm-ca-rsa-cert.pem >> run.out 2>&1 - fi - - # PKCS7 Tests - echo -e "PKCS7 tests" - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/pkcs7/pkcs7 >> run.out -+ ./examples/pkcs7/pkcs7 >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1 -+ -+ ./examples/pkcs7/pkcs7 -ecc >> run.out 2>&1 -+ RESULT=$? -+ [ $RESULT -ne 0 ] && echo -e "pkcs7 ecc failed! $RESULT" && exit 1 - fi - - # TLS Tests -@@ -196,22 +200,22 @@ generate_port() { - # Note: The SW TPM uses many local ports, which can cause bind() issue - port=11111 - echo -e "Using port $port" -- echo -e "Using port $port" >> run.out -+ echo -e "Using port $port" >> run.out 2>&1 - } - - run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]] - echo -e "TLS test (TPM as client) $1 $2" - generate_port -- pushd $WOLFSSL_PATH >> run.out -+ pushd $WOLFSSL_PATH >> run.out 2>&1 - echo -e "./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem" -- ./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out & -+ ./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem &> $PWD/run.out & - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1 -- popd >> run.out -+ popd >> run.out 2>&1 - sleep 0.1 - - echo -e "./examples/tls/tls_client -p=$port -$1 $2" -- ./examples/tls/tls_client -p=$port -$1 $2 2>&1 >> run.out -+ ./examples/tls/tls_client -p=$port -$1 $2 >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1 - } -@@ -220,16 +224,18 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]] - echo -e "TLS test (TPM as server) $1 $2" - generate_port - -- ./examples/tls/tls_server -p=$port -$1 $2 2>&1 >> run.out & -+ echo -e "./examples/tls/tls_server -p=$port -$1 $2" -+ ./examples/tls/tls_server -p=$port -$1 $2 >> run.out 2>&1 & - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1 -- pushd $WOLFSSL_PATH >> run.out -+ pushd $WOLFSSL_PATH >> run.out 2>&1 - sleep 0.1 - -- ./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem 2>&1 >> $PWD/run.out -+ echo -e "./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem" -+ ./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem &> $PWD/run.out - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1 -- popd >> run.out -+ popd >> run.out 2>&1 - } - - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -@@ -259,49 +265,49 @@ fi - - # Clock Tests - echo -e "Clock tests" --./examples/timestamp/clock_set >> run.out -+./examples/timestamp/clock_set >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "clock set failed! $RESULT" && exit 1 - - - # Attestation tests - echo -e "Attestation tests" --./examples/timestamp/signed_timestamp >> run.out -+./examples/timestamp/signed_timestamp >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "signed_timestamp failed! $RESULT" && exit 1 - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/timestamp/signed_timestamp -aes >> run.out -+ ./examples/timestamp/signed_timestamp -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "signed_timestamp param enc failed! $RESULT" && exit 1 - fi --./examples/timestamp/signed_timestamp -ecc >> run.out -+./examples/timestamp/signed_timestamp -ecc >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc failed! $RESULT" && exit 1 - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/timestamp/signed_timestamp -ecc -aes >> run.out -+ ./examples/timestamp/signed_timestamp -ecc -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc param enc failed! $RESULT" && exit 1 - fi - - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/keygen/keygen keyblob.bin -rsa >> run.out -+ ./examples/keygen/keygen keyblob.bin -rsa >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen rsa failed! $RESULT" && exit 1 -- ./examples/attestation/make_credential >> run.out -+ ./examples/attestation/make_credential >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "make_credential failed! $RESULT" && exit 1 -- ./examples/attestation/activate_credential >> run.out -+ ./examples/attestation/activate_credential >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "activate_credential failed! $RESULT" && exit 1 - - # Endorsement hierarchy -- ./examples/keygen/keygen keyblob.bin -rsa -eh >> run.out -+ ./examples/keygen/keygen keyblob.bin -rsa -eh >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "keygen rsa endorsement failed! $RESULT" && exit 1 -- ./examples/attestation/make_credential -eh >> run.out -+ ./examples/attestation/make_credential -eh >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "make_credential endorsement failed! $RESULT" && exit 1 -- ./examples/attestation/activate_credential -eh >> run.out -+ ./examples/attestation/activate_credential -eh >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "activate_credential endorsement failed! $RESULT" && exit 1 - -@@ -313,25 +319,25 @@ fi - - # PCR Quote Tests - echo -e "PCR Quote tests" --./examples/pcr/reset 16 >> run.out -+./examples/pcr/reset 16 >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr reset failed! $RESULT" && exit 1 --./examples/pcr/extend 16 /usr/bin/zip >> run.out -+./examples/pcr/extend 16 /usr/bin/zip >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr extend file failed! $RESULT" && exit 1 --./examples/pcr/quote 16 zip.quote >> run.out -+./examples/pcr/quote 16 zip.quote >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr quote failed! $RESULT" && exit 1 - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/pcr/quote 16 zip.quote -aes >> run.out -+ ./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr quote param enc failed! $RESULT" && exit 1 - fi --./examples/pcr/quote 16 zip.quote -ecc >> run.out -+./examples/pcr/quote 16 zip.quote -ecc >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr quote ecc failed! $RESULT" && exit 1 - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out -+ ./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc failed! $RESULT" && exit 1 - fi -@@ -340,11 +346,11 @@ rm -f zip.quote - - # Benchmark tests - echo -e "Benchmark tests" --./examples/bench/bench -maxdur=25 >> run.out -+./examples/bench/bench -maxdur=25 >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "bench failed! $RESULT" && exit 1 - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/bench/bench -maxdur=25 -aes >> run.out -+ ./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1 - fi -@@ -352,55 +358,55 @@ fi - # Secure Boot ROT - echo -e "Secure Boot ROT (Root of Trust) test" - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/boot/secure_rot -nvindex=0x1400200 -authstr=test -write=./certs/example-ecc256-key-pub.der >> run.out -+ ./examples/boot/secure_rot -nvindex=0x1400200 -authstr=test -write=./certs/example-ecc256-key-pub.der >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secure rot write ecc256! $RESULT" && exit 1 -- ./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test -write=./certs/example-ecc384-key-pub.der -sha384 >> run.out -+ ./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test -write=./certs/example-ecc384-key-pub.der -sha384 >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secure rot write ecc384! $RESULT" && exit 1 -- ./examples/boot/secure_rot -nvindex=0x1400202 -authstr=test -write=./certs/example-rsa2048-key-pub.der >> run.out -+ ./examples/boot/secure_rot -nvindex=0x1400202 -authstr=test -write=./certs/example-rsa2048-key-pub.der >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secure rot write rsa2048! $RESULT" && exit 1 -- ./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test -sha384 -hash=e77dd3112a27948a3f2d87f32dc69ebeed0b3344c5d7726f5742f4f0c0f451aabe4213f8b3b986639e69ed0ea8b49d94 >> run.out -+ ./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test -sha384 -hash=e77dd3112a27948a3f2d87f32dc69ebeed0b3344c5d7726f5742f4f0c0f451aabe4213f8b3b986639e69ed0ea8b49d94 >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secure rot write ecc384 again! $RESULT" && exit 1 - - if test $ENABLE_DESTRUCTIVE_TESTS -eq 1 - then -- ./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test -lock >> run.out -+ ./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test -lock >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secure rot write ecc384 lock! $RESULT" && exit 1 - # Test expected failure case -- ./examples/boot/secure_rot -nvindex=0x1400201 -write=./certs/example-ecc384-key-pub.der -sha384 >> run.out -+ ./examples/boot/secure_rot -nvindex=0x1400201 -write=./certs/example-ecc384-key-pub.der -sha384 >> run.out 2>&1 - RESULT=$? - [ $RESULT -eq 0 ] && echo -e "secure rot write ecc384 should be locked! $RESULT" && exit 1 - fi - -- ./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test >> run.out -+ ./examples/boot/secure_rot -nvindex=0x1400201 -authstr=test >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secure rot write ecc384 read! $RESULT" && exit 1 - - # Test expected failure case -- ./examples/boot/secure_rot -nvindex=0x1400201 >> run.out -+ ./examples/boot/secure_rot -nvindex=0x1400201 >> run.out 2>&1 - RESULT=$? - [ $RESULT -eq 0 ] && echo -e "secure rot write ecc384 read no auth! $RESULT" && exit 1 - fi - - # Seal/Unseal (PCR Policy) - echo -e "Seal/Unseal (PCR policy)" --./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out -+./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "seal failed! $RESULT" && exit 1 --./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out -+./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1 - rm -f sealedkeyblob.bin - - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then -- ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out -+ ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1 -- ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out -+ ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1 - rm -f sealedkeyblob.bin -@@ -411,83 +417,134 @@ echo -e "Seal/Unseal (Policy auth)" - if [ $WOLFCRYPT_ENABLE -eq 1 ]; then - # Extend "aaa" to test PCR 16 - echo aaa > aaa.bin -- ./examples/pcr/reset 16 >> run.out -+ ./examples/pcr/reset 16 >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr 16 reset failed! $RESULT" && exit 1 -- ./examples/pcr/extend 16 aaa.bin >> run.out -+ ./examples/pcr/extend 16 aaa.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "pcr 16 extend failed! $RESULT" && exit 1 - - # RSA -- ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out -+ ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign rsa der failed! $RESULT" && exit 1 -- ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out -+ ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign rsa pem failed! $RESULT" && exit 1 - - TMPFILE=$(mktemp) - SECRET_STRING=`head -c 32 /dev/random | base64` -- ./examples/boot/secret_seal -rsa -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out -+ ./examples/boot/secret_seal -rsa -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret seal rsa failed! $RESULT" && exit 1 -- ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin | tee $TMPFILE >> run.out -+ ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE - RESULT=$? -+ cat $TMPFILE >> run.out - [ $RESULT -ne 0 ] && echo -e "secret unseal rsa failed! $RESULT" && exit 1 -- grep "$SECRET_STRING" $TMPFILE >> run.out -+ grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret unseal rsa match failed! $RESULT" && exit 1 - - # RSA (recreate policy auth using public key instead of using policyauth.bin) - TMPFILE=$(mktemp) - SECRET_STRING=`head -c 32 /dev/random | base64` -- ./examples/boot/secret_seal -rsa -publickey=./certs/example-rsa2048-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out -+ ./examples/boot/secret_seal -rsa -publickey=./certs/example-rsa2048-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret seal rsa alt failed! $RESULT" && exit 1 -- ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin | tee $TMPFILE >> run.out -+ ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -rsa -publickey=./certs/example-rsa2048-key-pub.der -seal=sealblob.bin &> $TMPFILE - RESULT=$? -+ cat $TMPFILE >> run.out - [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt failed! $RESULT" && exit 1 -- grep "$SECRET_STRING" $TMPFILE >> run.out -+ grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 - RESULT=$? - rm -f $TMPFILE - [ $RESULT -ne 0 ] && echo -e "secret unseal rsa alt match failed! $RESULT" && exit 1 - -+ # Test RSA Unseal Expected Failure Case -+ # Create different ECC policy key to test failure case -+ openssl genrsa -out tmp-rsa2048-key.pem 2048 >> run.out 2>&1 -+ openssl rsa -in tmp-rsa2048-key.pem -outform der -out tmp-rsa2048-key-pub.der -pubout >> run.out 2>&1 -+ -+ # Sign policy using different private key -+ ./examples/pcr/policy_sign -pcr=16 -rsa -key=tmp-rsa2048-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1 -+ RESULT=$? -+ [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) rsa pem failed! $RESULT" && exit 1 -+ -+ # This RSA unseal should fail! -+ ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -rsa -publickey=tmp-rsa2048-key-pub.der -seal=sealblob.bin >> run.out 2>&1 -+ RESULT=$? -+ [ $RESULT -eq 0 ] && echo -e "secret unseal rsa should have failed! $RESULT" && exit 1 -+ -+ -+ rm -f tmp-rsa2048-key.pem -+ rm -f tmp-rsa2048-key-pub.der -+ rm -f pcrsig_fail.bin -+ -+ - # ECC -- ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out -+ ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign ecc der failed! $RESULT" && exit 1 -- ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out -+ ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.pem -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "policy sign ecc pem failed! $RESULT" && exit 1 - - TMPFILE=$(mktemp) - SECRET_STRING=`head -c 32 /dev/random | base64` -- ./examples/boot/secret_seal -ecc -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out -+ ./examples/boot/secret_seal -ecc -policy=policyauth.bin -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret seal ecc failed! $RESULT" && exit 1 -- ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin | tee $TMPFILE >> run.out -+ ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE - RESULT=$? -+ cat $TMPFILE >> run.out - [ $RESULT -ne 0 ] && echo -e "secret unseal ecc failed! $RESULT" && exit 1 -- grep "$SECRET_STRING" $TMPFILE >> run.out -+ -+ grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 - RESULT=$? - rm -f $TMPFILE - [ $RESULT -ne 0 ] && echo -e "secret unseal ecc match failed! $RESULT" && exit 1 - -+ - # ECC (recreate policy auth using public key instead of using policyauth.bin) - TMPFILE=$(mktemp) - SECRET_STRING=`head -c 32 /dev/random | base64` -- ./examples/boot/secret_seal -ecc -publickey=./certs/example-ecc256-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out -+ ./examples/boot/secret_seal -ecc -publickey=./certs/example-ecc256-key-pub.der -out=sealblob.bin -secretstr=$SECRET_STRING >> run.out 2>&1 - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "secret seal ecc alt failed! $RESULT" && exit 1 -- ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin | tee $TMPFILE >> run.out -+ ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig.bin -ecc -publickey=./certs/example-ecc256-key-pub.der -seal=sealblob.bin &> $TMPFILE - RESULT=$? -+ cat $TMPFILE >> run.out - [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt failed! $RESULT" && exit 1 -- grep "$SECRET_STRING" $TMPFILE >> run.out -+ grep "$SECRET_STRING" $TMPFILE >> run.out 2>&1 - RESULT=$? - rm -f $TMPFILE - [ $RESULT -ne 0 ] && echo -e "secret unseal ecc alt match failed! $RESULT" && exit 1 - -+ -+ # Test ECC Unseal Expected Failure Case -+ # Create different ECC policy key to test failure case -+ openssl ecparam -name prime256v1 -genkey -noout -out tmp-ecc256-key.pem >> run.out 2>&1 -+ openssl ec -in tmp-ecc256-key.pem -outform der -out tmp-ecc256-key-pub.der -pubout >> run.out 2>&1 -+ -+ # Sign policy using different private key -+ ./examples/pcr/policy_sign -pcr=16 -ecc -key=tmp-ecc256-key.pem -out=pcrsig_fail.bin -outpolicy=policyauth.bin >> run.out 2>&1 -+ RESULT=$? -+ [ $RESULT -ne 0 ] && echo -e "policy sign (expected failure case) ecc pem failed! $RESULT" && exit 1 -+ -+ # This ECC unseal should fail! -+ ./examples/boot/secret_unseal -pcr=16 -pcrsig=pcrsig_fail.bin -ecc -publickey=tmp-ecc256-key-pub.der -seal=sealblob.bin >> run.out 2>&1 -+ RESULT=$? -+ [ $RESULT -eq 0 ] && echo -e "secret unseal ecc should have failed! $RESULT" && exit 1 -+ -+ rm -f tmp-ecc256-key.pem -+ rm -f tmp-ecc256-key-pub.der -+ rm -f pcrsig_fail.bin -+ -+ rm -f pcrsig.bin -+ rm -f policyauth.bin -+ rm -f sealblob.bin - rm -f aaa.bin -+ - fi - - rm -f keyblob.bin -diff --git a/examples/seal/seal.c b/examples/seal/seal.c -index 5c31ff8..8d4066a 100644 ---- a/examples/seal/seal.c -+++ b/examples/seal/seal.c -@@ -21,6 +21,10 @@ - - /* Example for TPM 2.0 sealing a user secret using TPM key */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -@@ -124,6 +128,8 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[]) - } - - wolfTPM2_GetKeyTemplate_KeySeal(&publicTemplate, TPM_ALG_SHA256); -+ /* Allow password based unsealing */ -+ publicTemplate.objectAttributes |= TPMA_OBJECT_userWithAuth; - - /* set session for authorization key */ - auth.size = (int)sizeof(gKeyAuth)-1; -diff --git a/examples/seal/unseal.c b/examples/seal/unseal.c -index 402fff1..c61d99c 100644 ---- a/examples/seal/unseal.c -+++ b/examples/seal/unseal.c -@@ -21,6 +21,10 @@ - - /* This example demonstrates how to extract the data from a TPM seal object */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/timestamp/clock_set.c b/examples/timestamp/clock_set.c -index 9db5cbc..1122254 100644 ---- a/examples/timestamp/clock_set.c -+++ b/examples/timestamp/clock_set.c -@@ -21,6 +21,10 @@ - - /* This example shows how to increment the TPM2 clock */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/timestamp/signed_timestamp.c b/examples/timestamp/signed_timestamp.c -index 67deb1d..f3e192c 100644 ---- a/examples/timestamp/signed_timestamp.c -+++ b/examples/timestamp/signed_timestamp.c -@@ -23,6 +23,10 @@ - * generate a signed timestamp from the TPM using a Attestation Identity Key. - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #include -diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c -index bd9fffb..5ef60df 100644 ---- a/examples/tls/tls_client.c -+++ b/examples/tls/tls_client.c -@@ -19,6 +19,9 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -103,11 +106,9 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) - WOLFTPM2_KEY storageKey; - #ifndef NO_RSA - WOLFTPM2_KEY rsaKey; -- RsaKey wolfRsaKey; - #endif - #ifdef HAVE_ECC - WOLFTPM2_KEY eccKey; -- ecc_key wolfEccKey; - #ifndef WOLFTPM2_USE_SW_ECDHE - WOLFTPM2_KEY ecdhKey; - #endif -@@ -141,11 +142,9 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) - XMEMSET(&tpmCtx, 0, sizeof(tpmCtx)); - #ifndef NO_RSA - XMEMSET(&rsaKey, 0, sizeof(rsaKey)); -- XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey)); - #endif - #ifdef HAVE_ECC - XMEMSET(&eccKey, 0, sizeof(eccKey)); -- XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey)); - #ifndef WOLFTPM2_USE_SW_ECDHE - /* Ephemeral Key */ - XMEMSET(&ecdhKey, 0, sizeof(ecdhKey)); -@@ -222,7 +221,8 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) - } - #endif - /* See if primary storage key already exists */ -- rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA); -+ rc = getPrimaryStoragekey(&dev, &storageKey, -+ useECC ? TPM_ALG_ECC : TPM_ALG_RSA); - if (rc != 0) goto exit; - - /* Start an authenticated session (salted / unbound) with parameter encryption */ -@@ -250,7 +250,7 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) - rc = getRSAkey(&dev, - &storageKey, - &rsaKey, -- &wolfRsaKey, -+ NULL, - tpmDevId, - (byte*)gKeyAuth, sizeof(gKeyAuth)-1, - &publicTemplate); -@@ -260,19 +260,31 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) - - #ifdef HAVE_ECC - if (useECC) { -- /* Create/Load ECC key for TLS authentication */ -- rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate, -- TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | -- TPMA_OBJECT_sign | TPMA_OBJECT_noDA, -- TPM_ECC_NIST_P256, TPM_ALG_ECDSA); -- if (rc != 0) goto exit; -- rc = getECCkey(&dev, -- &storageKey, -- &eccKey, -- &wolfEccKey, -- tpmDevId, -- (byte*)gKeyAuth, sizeof(gKeyAuth)-1, -- &publicTemplate); -+ #ifdef WOLFTPM_MFG_IDENTITY -+ /* Attempt to use pre-provisioned identity key */ -+ rc = wolfTPM2_ReadPublicKey(&dev, &eccKey, TPM2_IDEVID_KEY_HANDLE); -+ if (rc == 0) { -+ /* TODO: Supply master password (if not TEST_SAMPLE) */ -+ wolfTPM2_SetIdentityAuth(&dev, &eccKey.handle, NULL, 0); -+ } -+ else -+ #endif -+ { -+ /* Create/Load ECC key for TLS authentication */ -+ rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate, -+ TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth | -+ TPMA_OBJECT_sign | TPMA_OBJECT_noDA, -+ TPM_ECC_NIST_P256, TPM_ALG_ECDSA); -+ if (rc == 0) { -+ rc = getECCkey(&dev, -+ &storageKey, -+ &eccKey, -+ NULL, -+ tpmDevId, -+ (byte*)gKeyAuth, sizeof(gKeyAuth)-1, -+ &publicTemplate); -+ } -+ } - if (rc != 0) goto exit; - } - -@@ -377,17 +389,16 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) - * public key instead (if crypto callbacks are enabled). - */ - #ifndef NO_TLS_MUTUAL_AUTH -- if (!useECC) { -- #ifndef NO_RSA -- byte der[1024]; -- word32 derSz = sizeof(der); -- rc = wc_RsaKeyToPublicDer_ex(&wolfRsaKey, der, derSz, 1); -+ { -+ /* Export TPM public key as DER */ -+ byte der[1024]; -+ word32 derSz = (word32)sizeof(der); -+ rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey, -+ ENCODING_TYPE_ASN1, der, &derSz); - if (rc < 0) { - printf("Failed to export RSA public key!\n"); - goto exit; - } -- derSz = rc; -- rc = 0; - - /* Private key only exists on the TPM and crypto callbacks are used for - * signing. Public key is required to enable TLS client (mutual auth). -@@ -397,37 +408,6 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) - printf("Failed to set RSA key!\n"); - goto exit; - } -- #else -- printf("Error: RSA not compiled in\n"); -- rc = -1; -- goto exit; -- #endif /* !NO_RSA */ -- } -- else { -- #ifdef HAVE_ECC -- byte der[256]; -- word32 derSz = sizeof(der); -- rc = wc_EccPublicKeyToDer(&wolfEccKey, der, derSz, 1); -- if (rc < 0) { -- printf("Failed to export ECC public key!\n"); -- goto exit; -- } -- derSz = rc; -- rc = 0; -- -- /* Private key only exists on the TPM and crypto callbacks are used for -- * signing. Public key is required to enable TLS client (mutual auth). -- * This API accepts public keys when crypto callbacks are enabled */ -- if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz, -- WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) { -- printf("Failed to set ECC key!\n"); -- goto exit; -- } -- #else -- printf("RSA not supported in this build\n"); -- rc = -1; -- goto exit; -- #endif /* HAVE_ECC */ - } - - /* Client Certificate (Mutual Authentication) */ -@@ -436,8 +416,10 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) - printf("Loading RSA certificate\n"); - #ifdef NO_FILESYSTEM - /* Load "cert" buffer with ASN.1/DER certificate */ -+ #if 0 - rc = wolfSSL_CTX_use_certificate_buffer(ctx, cert.buffer, (long)cert.size, - WOLFSSL_FILETYPE_ASN1); -+ #endif - #else - rc = wolfSSL_CTX_use_certificate_file(ctx, "./certs/client-rsa-cert.pem", - WOLFSSL_FILETYPE_PEM); -@@ -455,10 +437,22 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]) - else { - #ifdef HAVE_ECC - printf("Loading ECC certificate\n"); -- #ifdef NO_FILESYSTEM -+ #ifdef WOLFTPM_MFG_IDENTITY -+ uint8_t cert[800]; -+ uint32_t certSz = (uint32_t)sizeof(cert); -+ rc = wolfTPM2_NVReadCert(&dev, TPM2_IDEVID_CERT_HANDLE, cert, &certSz); -+ if (rc == 0) { -+ /* Load "cert" buffer with ASN.1/DER certificate */ -+ rc = wolfSSL_CTX_use_certificate_buffer(ctx, cert, (long)certSz, -+ WOLFSSL_FILETYPE_ASN1); -+ -+ } -+ #elif defined(NO_FILESYSTEM) - /* Load "cert" buffer with ASN.1/DER certificate */ -+ #if 0 - rc = wolfSSL_CTX_use_certificate_buffer(ctx, cert.buffer, (long)cert.size, - WOLFSSL_FILETYPE_ASN1); -+ #endif - #else - rc = wolfSSL_CTX_use_certificate_file(ctx, "./certs/client-ecc-cert.pem", - WOLFSSL_FILETYPE_PEM); -@@ -600,7 +594,7 @@ exit: - } - - /* Bidirectional shutdown */ -- while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) { -+ while (wolfSSL_shutdown(ssl) == WOLFSSL_SHUTDOWN_NOT_DONE) { - printf("Shutdown not complete\n"); - } - -@@ -611,11 +605,9 @@ exit: - - wolfTPM2_UnloadHandle(&dev, &storageKey.handle); - #ifndef NO_RSA -- wc_FreeRsaKey(&wolfRsaKey); - wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); - #endif - #ifdef HAVE_ECC -- wc_ecc_free(&wolfEccKey); - wolfTPM2_UnloadHandle(&dev, &eccKey.handle); - #ifndef WOLFTPM2_USE_SW_ECDHE - wolfTPM2_UnloadHandle(&dev, &ecdhKey.handle); -diff --git a/examples/tls/tls_client_notpm.c b/examples/tls/tls_client_notpm.c -index 090464f..93d583f 100644 ---- a/examples/tls/tls_client_notpm.c -+++ b/examples/tls/tls_client_notpm.c -@@ -19,6 +19,9 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/examples/tls/tls_common.h b/examples/tls/tls_common.h -index faa98fd..348ad2d 100644 ---- a/examples/tls/tls_common.h -+++ b/examples/tls/tls_common.h -@@ -95,6 +95,9 @@ typedef struct SockIoCbCtx { - - #ifndef WOLFSSL_USER_IO - /* socket includes */ -+#ifdef HAVE_NETDB_H -+#include -+#endif - - static inline int SockIORecv(WOLFSSL* ssl, char* buff, int sz, void* ctx) - { -diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c -index 5fe5bd9..2fc0b16 100644 ---- a/examples/tls/tls_server.c -+++ b/examples/tls/tls_server.c -@@ -19,6 +19,9 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -101,11 +104,9 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - WOLFTPM2_KEY storageKey; - #ifndef NO_RSA - WOLFTPM2_KEY rsaKey; -- RsaKey wolfRsaKey; - #endif - #ifdef HAVE_ECC - WOLFTPM2_KEY eccKey; -- ecc_key wolfEccKey; - #ifndef WOLFTPM2_USE_SW_ECDHE - WOLFTPM2_KEY ecdhKey; - #endif -@@ -152,11 +153,9 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - XMEMSET(&tpmCtx, 0, sizeof(tpmCtx)); - #ifndef NO_RSA - XMEMSET(&rsaKey, 0, sizeof(rsaKey)); -- XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey)); - #endif - #ifdef HAVE_ECC - XMEMSET(&eccKey, 0, sizeof(eccKey)); -- XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey)); - #ifndef WOLFTPM2_USE_SW_ECDHE - /* Ephemeral Key */ - XMEMSET(&ecdhKey, 0, sizeof(ecdhKey)); -@@ -239,7 +238,8 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - } - #endif - /* See if primary storage key already exists */ -- rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA); -+ rc = getPrimaryStoragekey(&dev, &storageKey, -+ useECC ? TPM_ALG_ECC : TPM_ALG_RSA); - if (rc != 0) goto exit; - - /* Start an authenticated session (salted / unbound) with parameter encryption */ -@@ -267,7 +267,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - rc = getRSAkey(&dev, - &storageKey, - &rsaKey, -- &wolfRsaKey, -+ NULL, - tpmDevId, - (byte*)gKeyAuth, sizeof(gKeyAuth)-1, - &publicTemplate); -@@ -286,7 +286,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - rc = getECCkey(&dev, - &storageKey, - &eccKey, -- &wolfEccKey, -+ NULL, - tpmDevId, - (byte*)gKeyAuth, sizeof(gKeyAuth)-1, - &publicTemplate); -@@ -383,12 +383,32 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - goto exit; - } - #endif -+ (void)useSelfSign; - #else -+ { -+ /* Export TPM public key as DER */ -+ byte der[1024]; -+ word32 derSz = (word32)sizeof(der); -+ rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey, -+ ENCODING_TYPE_ASN1, der, &derSz); -+ if (rc < 0) { -+ printf("Failed to export TPM public key!\n"); -+ goto exit; -+ } -+ -+ /* Private key only exists on the TPM and crypto callbacks are used for -+ * signing. Public key is required to enable TLS client (mutual auth). -+ * This API accepts public keys when crypto callbacks are enabled */ -+ if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz, -+ WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) { -+ printf("Failed to set RSA key!\n"); -+ goto exit; -+ } -+ } -+ - /* Server certificate */ - if (!useECC) { - #ifndef NO_RSA -- byte der[1024]; -- word32 derSz = sizeof(der); - const char* useCert = "./certs/server-rsa-cert.pem"; - if (useSelfSign) { - useCert = "./certs/tpm-rsa-cert.pem"; -@@ -401,23 +421,6 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - printf("Error loading RSA client cert\n"); - goto exit; - } -- -- rc = wc_RsaKeyToPublicDer_ex(&wolfRsaKey, der, derSz, 1); -- if (rc < 0) { -- printf("Failed to export RSA public key!\n"); -- goto exit; -- } -- derSz = rc; -- rc = 0; -- -- /* Private key only exists on the TPM and crypto callbacks are used for -- * signing. Public key is required to enable TLS client (mutual auth). -- * This API accepts public keys when crypto callbacks are enabled */ -- if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz, -- WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) { -- printf("Failed to set RSA key!\r\n"); -- goto exit; -- } - #else - printf("Error: RSA not compiled in\n"); - rc = -1; -@@ -426,8 +429,6 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - } - else { - #ifdef HAVE_ECC -- byte der[256]; -- word32 derSz = sizeof(der); - const char* useCert = "./certs/server-ecc-cert.pem"; - if (useSelfSign) { - useCert = "./certs/tpm-ecc-cert.pem"; -@@ -440,23 +441,6 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - printf("Error loading ECC client cert\n"); - goto exit; - } -- -- rc = wc_EccPublicKeyToDer(&wolfEccKey, der, derSz, 1); -- if (rc < 0) { -- printf("Failed to export ECC public key!\n"); -- goto exit; -- } -- derSz = rc; -- rc = 0; -- -- /* Private key only exists on the TPM and crypto callbacks are used for -- * signing. Public key is required to enable TLS server auth. -- * This API accepts public keys when crypto callbacks are enabled */ -- if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz, -- WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) { -- printf("Failed to set ECC key!\n"); -- goto exit; -- } - #else - printf("Error: ECC not compiled in\n"); - rc = -1; -@@ -580,7 +564,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[]) - } - - /* Bidirectional shutdown */ -- while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) { -+ while (wolfSSL_shutdown(ssl) == WOLFSSL_SHUTDOWN_NOT_DONE) { - printf("Shutdown not complete\n"); - } - -@@ -599,7 +583,7 @@ exit: - - if (ssl != NULL) { - /* Bidirectional shutdown */ -- while (wolfSSL_shutdown(ssl) == SSL_SHUTDOWN_NOT_DONE) { -+ while (wolfSSL_shutdown(ssl) == WOLFSSL_SHUTDOWN_NOT_DONE) { - printf("Shutdown not complete\n"); - } - -@@ -611,11 +595,9 @@ exit: - - wolfTPM2_UnloadHandle(&dev, &storageKey.handle); - #ifndef NO_RSA -- wc_FreeRsaKey(&wolfRsaKey); - wolfTPM2_UnloadHandle(&dev, &rsaKey.handle); - #endif - #ifdef HAVE_ECC -- wc_ecc_free(&wolfEccKey); - wolfTPM2_UnloadHandle(&dev, &eccKey.handle); - #ifndef WOLFTPM2_USE_SW_ECDHE - wolfTPM2_UnloadHandle(&dev, &ecdhKey.handle); -diff --git a/examples/tpm_test_keys.c b/examples/tpm_test_keys.c -index 1e0e53e..c5df182 100644 ---- a/examples/tpm_test_keys.c -+++ b/examples/tpm_test_keys.c -@@ -19,6 +19,10 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - /* use ANSI stdio for support of format strings, must be set before - * including stdio.h - */ -@@ -44,14 +48,15 @@ - int writeBin(const char* filename, const byte *buf, word32 bufSz) - { - int rc = TPM_RC_FAILURE; -+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) -+ XFILE fp = NULL; -+ size_t fileSz = 0; -+#endif - - if (filename == NULL || buf == NULL) - return BAD_FUNC_ARG; - - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) -- XFILE fp = NULL; -- size_t fileSz = 0; -- - fp = XFOPEN(filename, "wb"); - if (fp != XBADFILE) { - fileSz = XFWRITE(buf, 1, bufSz, fp); -@@ -73,15 +78,16 @@ int writeBin(const char* filename, const byte *buf, word32 bufSz) - int readBin(const char* filename, byte *buf, word32* bufSz) - { - int rc = TPM_RC_FAILURE; -- -- if (filename == NULL || buf == NULL) -- return BAD_FUNC_ARG; -- - #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - XFILE fp = NULL; - size_t fileSz = 0; - size_t bytes_read = 0; -+#endif - -+ if (filename == NULL || buf == NULL) -+ return BAD_FUNC_ARG; -+ -+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) - fp = XFOPEN(filename, "rb"); - if (fp != XBADFILE) { - XFSEEK(fp, 0, XSEEK_END); -diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c -index cc347c7..ddf8377 100644 ---- a/examples/wrap/wrap_test.c -+++ b/examples/wrap/wrap_test.c -@@ -19,7 +19,12 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - --/* This example shows using the TPM2 wrapper API's in TPM2_Wrapper_Test() below. */ -+/* This example shows using the TPM2 wrapper API's in TPM2_Wrapper_Test() below. -+ */ -+ -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -193,6 +198,16 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]) - "FIPS 140-2 %d, CC-EAL4 %d\n", - caps.mfgStr, caps.mfg, caps.vendorStr, caps.fwVerMajor, - caps.fwVerMinor, caps.fwVerVendor, caps.fips140_2, caps.cc_eal4); -+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673) -+ printf("\tKeyGroupId 0x%x, Operational Mode 0x%x, FwCounter %d (%d same)\n", -+ caps.keyGroupId, caps.opMode, caps.fwCounter, caps.fwCounterSame); -+#endif -+ -+ /* List the active persistent handles */ -+ rc = wolfTPM2_GetHandles(PERSISTENT_FIRST, NULL); -+ if (rc >= 0) { -+ printf("Found %d persistent handles\n", rc); -+ } - - if (resetTPM) { - /* reset all content on TPM and reseed */ -diff --git a/hal/tpm_io.c b/hal/tpm_io.c -index c0d8751..f132430 100644 ---- a/hal/tpm_io.c -+++ b/hal/tpm_io.c -@@ -31,6 +31,10 @@ - * - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - #include - #include "tpm_io.h" -@@ -61,7 +65,7 @@ - #include "hal/tpm_io_qnx.c" - #elif defined(__XILINX__) - #include "hal/tpm_io_xilinx.c" --#elif defined(WOLFTPM_INFINEON_TRICORE) -+#elif defined(WOLFTPM_INFINEON_TRICORE) || defined(CY_USING_HAL) - #include "hal/tpm_io_infineon.c" - #elif defined(WOLFTPM_MICROCHIP_HARMONY) - #include "hal/tpm_io_microchip.c" -@@ -85,6 +89,8 @@ static int TPM2_IoCb_SPI(TPM2_CTX* ctx, const byte* txBuf, byte* rxBuf, - ret = TPM2_IoCb_QNX_SPI(ctx, txBuf, rxBuf, xferSz, userCtx); - #elif defined(__XILINX__) - ret = TPM2_IoCb_Xilinx_SPI(ctx, txBuf, rxBuf, xferSz, userCtx); -+#elif defined(CY_USING_HAL) -+ ret = TPM2_IoCb_Infineon_SPI(ctx, txBuf, rxBuf, xferSz, userCtx); - #elif defined(WOLFTPM_INFINEON_TRICORE) - ret = TPM2_IoCb_Infineon_TriCore_SPI(ctx, txBuf, rxBuf, xferSz, userCtx); - #elif defined(WOLFTPM_MICROCHIP_HARMONY) -@@ -136,6 +142,8 @@ int TPM2_IoCb(TPM2_CTX* ctx, INT32 isRead, UINT32 addr, - #elif defined(WOLFSSL_STM32_CUBEMX) - /* Use STM32 CubeMX HAL for I2C */ - ret = TPM2_IoCb_STCubeMX_I2C(ctx, isRead, addr, buf, size, userCtx); -+ #elif defined(CY_USING_HAL) -+ ret = TPM2_IoCb_Infineon_I2C(ctx, isRead, addr, buf, size, userCtx); - #else - /* TODO: Add your platform here for HW I2C interface */ - printf("Add your platform here for HW I2C interface\n"); -diff --git a/hal/tpm_io.h b/hal/tpm_io.h -index 402412b..371782a 100644 ---- a/hal/tpm_io.h -+++ b/hal/tpm_io.h -@@ -82,6 +82,9 @@ WOLFTPM_LOCAL int TPM2_IoCb_Linux_I2C(TPM2_CTX* ctx, int isRead, word32 addr, by - #elif defined(WOLFSSL_STM32_CUBEMX) - WOLFTPM_LOCAL int TPM2_IoCb_STCubeMX_I2C(TPM2_CTX* ctx, int isRead, word32 addr, - byte* buf, word16 size, void* userCtx); -+#elif defined(CY_USING_HAL) -+WOLFTPM_LOCAL int TPM2_IoCb_Infineon_I2C(TPM2_CTX* ctx, int isRead, word32 addr, -+ byte* buf, word16 size, void* userCtx); - #endif /* __linux__ */ - - #else /* SPI */ -@@ -104,6 +107,9 @@ WOLFTPM_LOCAL int TPM2_IoCb_QNX_SPI(TPM2_CTX* ctx, const byte* txBuf, - #elif defined(__XILINX__) - WOLFTPM_LOCAL int TPM2_IoCb_Xilinx_SPI(TPM2_CTX* ctx, const byte* txBuf, - byte* rxBuf, word16 xferSz, void* userCtx); -+#elif defined(CY_USING_HAL) -+WOLFTPM_LOCAL int TPM2_IoCb_Infineon_SPI(TPM2_CTX* ctx, const byte* txBuf, -+ byte* rxBuf, word16 xferSz, void* userCtx); - #elif defined(WOLFTPM_INFINEON_TRICORE) - WOLFTPM_LOCAL int TPM2_IoCb_Infineon_TriCore_SPI(TPM2_CTX* ctx, const byte* txBuf, - byte* rxBuf, word16 xferSz, void* userCtx); -diff --git a/hal/tpm_io_atmel.c b/hal/tpm_io_atmel.c -index bbb3f8f..31c3778 100644 ---- a/hal/tpm_io_atmel.c -+++ b/hal/tpm_io_atmel.c -@@ -21,6 +21,9 @@ - - /* This example shows IO interfaces for ATMEL microcontrollers using ASF */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/hal/tpm_io_barebox.c b/hal/tpm_io_barebox.c -index 3513d50..478b140 100644 ---- a/hal/tpm_io_barebox.c -+++ b/hal/tpm_io_barebox.c -@@ -21,6 +21,9 @@ - - /* This example shows IO interfaces for Barebox */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/hal/tpm_io_infineon.c b/hal/tpm_io_infineon.c -index 252b986..7689f7a 100644 ---- a/hal/tpm_io_infineon.c -+++ b/hal/tpm_io_infineon.c -@@ -1,6 +1,6 @@ - /* tpm_io_infineon.c - * -- * Copyright (C) 2006-2022 wolfSSL Inc. -+ * Copyright (C) 2006-2024 wolfSSL Inc. - * - * This file is part of wolfTPM. - * -@@ -19,10 +19,14 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - */ - --/* This example shows IO interfaces for Infineon TriCore hardware: -+/* This example shows IO interfaces for Infineon CyHal or TriCore hardware: -+ * - PSoC6 CyHal set automatically with `CY_USING_HAL`. - * - TC2XX/TC3XX using macro: `WOLFTPM_INFINEON_TRICORE`. - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -39,12 +43,143 @@ - defined(WOLFTPM_SWTPM) || \ - defined(WOLFTPM_WINAPI) ) - --/* Use the max speed by default - see tpm2_types.h for chip specific max values */ --#ifndef TPM2_SPI_HZ -- #define TPM2_SPI_HZ TPM2_SPI_MAX_HZ --#endif -+#ifdef WOLFTPM_I2C -+ #ifndef TPM_I2C_TRIES -+ #define TPM_I2C_TRIES 10 -+ #endif -+ #ifndef TPM2_I2C_ADDR -+ #define TPM2_I2C_ADDR 0x2e -+ #endif -+ -+ #if defined(CY_USING_HAL) -+ #include "cyhal_i2c.h" -+ -+ static int tpm_ifx_i2c_read(void* userCtx, word32 reg, byte* data, int len) -+ { -+ int ret = TPM_RC_FAILURE; -+ cy_rslt_t result; -+ cyhal_i2c_t* i2c = (cyhal_i2c_t*)userCtx; -+ int timeout = TPM_I2C_TRIES; -+ byte buf[1]; -+ -+ /* TIS layer should never provide a buffer larger than this, -+ * but double check for good coding practice */ -+ if (i2c == NULL || len > MAX_SPI_FRAMESIZE) -+ return BAD_FUNC_ARG; -+ -+ buf[0] = (reg & 0xFF); /* convert to simple 8-bit address for I2C */ -+ -+ /* The I2C takes about 80us to wake up and will NAK until it is ready */ -+ do { -+ /* Write address to read from - retry until ack */ -+ result = cyhal_i2c_master_write(i2c, TPM2_I2C_ADDR, buf, sizeof(buf), -+ 0, true); -+ /* for read we always need this guard time (success wake or real read) */ -+ XSLEEP_MS(1); /* guard time - should be 250us */ -+ } while (result != CY_RSLT_SUCCESS && --timeout > 0); -+ -+ if (result == CY_RSLT_SUCCESS) { -+ timeout = TPM_I2C_TRIES; -+ do { -+ result = cyhal_i2c_master_read(i2c, TPM2_I2C_ADDR, data, len, -+ 0, true); -+ if (result != CY_RSLT_SUCCESS) { -+ XSLEEP_MS(1); /* guard time - should be 250us */ -+ } -+ } while (result != CY_RSLT_SUCCESS && --timeout > 0); -+ } -+ if (result == CY_RSLT_SUCCESS) { -+ ret = TPM_RC_SUCCESS; -+ } -+ else { -+ printf("CyHAL I2C Read failure %d (tries %d)\n", -+ (int)result, TPM_I2C_TRIES - timeout); -+ } -+ return ret; -+ } - --#if defined(WOLFTPM_INFINEON_TRICORE) -+ static int tpm_ifx_i2c_write(void* userCtx, word32 reg, byte* data, int len) -+ { -+ int ret = TPM_RC_FAILURE; -+ cy_rslt_t result; -+ cyhal_i2c_t* i2c = (cyhal_i2c_t*)userCtx; -+ int timeout = TPM_I2C_TRIES; -+ byte buf[MAX_SPI_FRAMESIZE+1]; -+ -+ /* TIS layer should never provide a buffer larger than this, -+ * but double check for good coding practice */ -+ if (i2c == NULL || len > MAX_SPI_FRAMESIZE) -+ return BAD_FUNC_ARG; -+ -+ /* Build packet with TPM register and data */ -+ buf[0] = (reg & 0xFF); /* convert to simple 8-bit address for I2C */ -+ XMEMCPY(buf + 1, data, len); -+ -+ /* The I2C takes about 80us to wake up and will NAK until it is ready */ -+ do { -+ result = cyhal_i2c_master_write(i2c, TPM2_I2C_ADDR, buf, len+1, -+ 0, true); -+ if (result != CY_RSLT_SUCCESS) { -+ XSLEEP_MS(1); /* guard time - should be 250us */ -+ } -+ } while (result != CY_RSLT_SUCCESS && --timeout > 0); -+ if (result == CY_RSLT_SUCCESS) { -+ ret = TPM_RC_SUCCESS; -+ } -+ else { -+ printf("CyHAL I2C Write failure %d\n", (int)result); -+ } -+ return ret; -+ } -+ -+ int TPM2_IoCb_Infineon_I2C(TPM2_CTX* ctx, int isRead, word32 addr, -+ byte* buf, word16 size, void* userCtx) -+ { -+ int ret = TPM_RC_FAILURE; -+ if (userCtx != NULL) { -+ if (isRead) -+ ret = tpm_ifx_i2c_read(userCtx, addr, buf, size); -+ else -+ ret = tpm_ifx_i2c_write(userCtx, addr, buf, size); -+ } -+ (void)ctx; -+ return ret; -+ } -+ -+ #else -+ #error Infineon I2C support on this platform not supported yet -+ #endif /* CY_USING_HAL or WOLFTPM_INFINEON_TRICORE */ -+ -+#else /* SPI */ -+ -+ #ifndef TPM2_SPI_HZ -+ /* Use the max speed by default -+ * See tpm2_types.h for chip specific max values */ -+ #define TPM2_SPI_HZ TPM2_SPI_MAX_HZ -+ #endif -+ #ifdef WOLFTPM_CHECK_WAIT_STATE -+ #error SPI check wait state logic not supported -+ #endif -+ -+ #if defined(CY_USING_HAL) -+ #include "cyhal_spi.h" -+ int TPM2_IoCb_Infineon_SPI(TPM2_CTX* ctx, const byte* txBuf, -+ byte* rxBuf, word16 xferSz, void* userCtx) -+ { -+ cyhal_spi_t* spi = (cyhal_spi_t*)userCtx; -+ cy_rslt_t result; -+ -+ if (userCtx == NULL) { -+ return BAD_FUNC_ARG; -+ } -+ -+ result = cyhal_spi_transfer(spi, txBuf, xferSz, rxBuf, xferSz, 0); -+ if (result != CY_RSLT_SUCCESS) { -+ return TPM_RC_FAILURE; -+ } -+ return TPM_RC_SUCCESS; -+ } -+ #elif defined(WOLFTPM_INFINEON_TRICORE) - - #include - #include -@@ -57,10 +192,6 @@ - { - int ret = TPM_RC_FAILURE; - -- #ifdef WOLFTPM_CHECK_WAIT_STATE -- #error SPI check wait state logic not supported -- #endif -- - /* wait for SPI not busy */ - while (IfxQspi_SpiMaster_getStatus(&spiMasterChannel) == - SpiIf_Status_busy) {}; -@@ -76,8 +207,11 @@ - - return ret; - } -+ #else -+ #error Infineon I2C support on this platform not supported yet -+ #endif /* CY_USING_HAL or WOLFTPM_INFINEON_TRICORE */ -+#endif /* SPI or I2C */ - --#endif /* WOLFTPM_INFINEON_TRICORE */ - #endif /* !(WOLFTPM_LINUX_DEV || WOLFTPM_SWTPM || WOLFTPM_WINAPI) */ - #endif /* WOLFTPM_INCLUDE_IO_FILE */ - -diff --git a/hal/tpm_io_linux.c b/hal/tpm_io_linux.c -index 5ca01e8..8e340c6 100644 ---- a/hal/tpm_io_linux.c -+++ b/hal/tpm_io_linux.c -@@ -23,8 +23,11 @@ - * - * NB: To use /dev/tpm0, wolfTPM does not require an IO callback, just pass NULL - * -- * */ -+ */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -62,7 +65,7 @@ - #include - - #ifdef WOLFTPM_I2C -- /* I2C - (Only tested with ST33HTPH I2C) */ -+ /* I2C - (Only tested with SLB9673 and ST33 I2C) */ - #define TPM2_I2C_ADDR 0x2e - #define TPM2_I2C_DEV "/dev/i2c-1" - #define TPM2_I2C_HZ 400000 /* 400kHz */ -diff --git a/hal/tpm_io_microchip.c b/hal/tpm_io_microchip.c -index 46403c5..178963f 100644 ---- a/hal/tpm_io_microchip.c -+++ b/hal/tpm_io_microchip.c -@@ -20,8 +20,12 @@ - */ - - /* This example shows IO interfaces for Microchip micro-controllers using -- * MPLAB X and Harmony */ -+ * MPLAB X and Harmony -+ */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/hal/tpm_io_mmio.c b/hal/tpm_io_mmio.c -index 0ea70ee..1156c93 100644 ---- a/hal/tpm_io_mmio.c -+++ b/hal/tpm_io_mmio.c -@@ -21,6 +21,9 @@ - - /* Support for Memory Mapped I/O for accessing TPM */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/hal/tpm_io_qnx.c b/hal/tpm_io_qnx.c -index 495e559..eb42afa 100644 ---- a/hal/tpm_io_qnx.c -+++ b/hal/tpm_io_qnx.c -@@ -21,6 +21,9 @@ - - /* This example shows IO interfaces for QNX */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/hal/tpm_io_st.c b/hal/tpm_io_st.c -index 6eedfc3..d6744b2 100644 ---- a/hal/tpm_io_st.c -+++ b/hal/tpm_io_st.c -@@ -21,6 +21,9 @@ - - /* This example shows IO interfaces for STM32 CubeMX HAL */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/hal/tpm_io_xilinx.c b/hal/tpm_io_xilinx.c -index 43f20ff..6516b73 100644 ---- a/hal/tpm_io_xilinx.c -+++ b/hal/tpm_io_xilinx.c -@@ -21,6 +21,9 @@ - - /* This example shows IO interfaces for Xilinx */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/src/tpm2.c b/src/tpm2.c -index 75f7ec7..89f6b13 100644 ---- a/src/tpm2.c -+++ b/src/tpm2.c -@@ -19,6 +19,9 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -@@ -572,7 +575,7 @@ TPM_RC TPM2_SetHalIoCb(TPM2_CTX* ctx, TPM2HalIoCb ioCb, void* userCtx) - } - - /* If timeoutTries <= 0 then it will not try and startup chip and will -- use existing default locality */ -+ * use existing default locality */ - TPM_RC TPM2_Init_ex(TPM2_CTX* ctx, TPM2HalIoCb ioCb, void* userCtx, - int timeoutTries) - { -@@ -844,7 +847,8 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out) - TPM2_Packet_ParseU32(&packet, &out->capabilityData.capability); - - switch (out->capabilityData.capability) { -- case TPM_CAP_TPM_PROPERTIES: { -+ case TPM_CAP_TPM_PROPERTIES: -+ { - TPML_TAGGED_TPM_PROPERTY* prop = - &out->capabilityData.data.tpmProperties; - TPM2_Packet_ParseU32(&packet, &prop->count); -@@ -856,6 +860,30 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out) - } - break; - } -+ case TPM_CAP_HANDLES: -+ { -+ TPML_HANDLE* handles = -+ &out->capabilityData.data.handles; -+ TPM2_Packet_ParseU32(&packet, &handles->count); -+ for (i=0; i<(int)handles->count; i++) { -+ TPM2_Packet_ParseU32(&packet, &handles->handle[i]); -+ } -+ break; -+ } -+ case TPM_CAP_VENDOR_PROPERTY: -+ { -+ out->capabilityData.data.vendor.size = -+ packet.size - packet.pos; -+ if (out->capabilityData.data.vendor.size > -+ sizeof(out->capabilityData.data.vendor.buffer)) { -+ out->capabilityData.data.vendor.size = -+ sizeof(out->capabilityData.data.vendor.buffer); -+ } -+ TPM2_Packet_ParseBytes(&packet, -+ out->capabilityData.data.vendor.buffer, -+ out->capabilityData.data.vendor.size); -+ break; -+ } - default: - #ifdef DEBUG_WOLFTPM - printf("Unknown capability type 0x%x\n", -@@ -5163,6 +5191,7 @@ int TPM2_SetCommandSet(SetCommandSet_In* in) - TPM2_Packet packet; - CmdInfo_t info = {0,0,0,0}; - info.inHandleCnt = 1; -+ info.flags = (CMD_FLAG_AUTH_USER1); - - TPM2_Packet_Init(ctx, &packet); - -@@ -5195,6 +5224,7 @@ int TPM2_SetMode(SetMode_In* in) - TPM2_Packet packet; - CmdInfo_t info = {0,0,0,0}; - info.inHandleCnt = 1; -+ info.flags = (CMD_FLAG_AUTH_USER1); - - TPM2_Packet_Init(ctx, &packet); - -@@ -5242,6 +5272,45 @@ TPM_RC TPM2_GetRandom2(GetRandom2_In* in, GetRandom2_Out* out) - } - return rc; - } -+ -+TPM_RC TPM2_GetProductInfo(uint8_t* info, uint16_t size) -+{ -+ TPM_RC rc; -+ TPM2_CTX* ctx = TPM2_GetActiveCtx(); -+ -+ if (ctx == NULL || info == NULL) -+ return BAD_FUNC_ARG; -+ -+ rc = TPM2_AcquireLock(ctx); -+ if (rc == TPM_RC_SUCCESS) { -+ TPM2_Packet packet; -+ TPM2_Packet_Init(ctx, &packet); -+ TPM2_Packet_AppendU32(&packet, TPM_CAP_VENDOR_PROPERTY); -+ TPM2_Packet_AppendU32(&packet, 3); /* cTPM_SUBCAP_VENDOR_GET_PRODUCT_INFO */ -+ TPM2_Packet_AppendU32(&packet, 1); /* only 1 property */ -+ TPM2_Packet_Finalize(&packet, TPM_ST_NO_SESSIONS, TPM_CC_GetCapability); -+ -+ /* send command */ -+ rc = TPM2_SendCommand(ctx, &packet); -+ if (rc == TPM_RC_SUCCESS) { -+ /* Product info is: -+ * Serial Number (7 bytes) -+ * Pad (1 byte) -+ * Product ID (PIN) (2 bytes) -+ * Master Product ID (MPIN) (2 bytes) -+ * Product Internal Revision (1 byte) -+ * Pad (3 bytes) -+ * Firmware kernel version (4 bytes) -+ */ -+ -+ /* start of product info starts at byte 26 */ -+ if (size > packet.size - 26) -+ size = packet.size - 26; -+ XMEMCPY(info, &packet.buf[25], size); -+ } -+ } -+ return rc; -+} - #endif /* WOLFTPM_ST33 || WOLFTPM_AUTODETECT */ - - /* GPIO Vendor Specific API's */ -@@ -5339,6 +5408,63 @@ int TPM2_NTC2_GetConfig(NTC2_GetConfig_Out* out) - return rc; - } - #endif /* WOLFTPM_NUVOTON */ -+ -+ -+#ifdef WOLFTPM_FIRMWARE_UPGRADE -+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673) -+int TPM2_IFX_FieldUpgradeStart(TPM_HANDLE sessionHandle, -+ uint8_t* data, uint32_t size) -+{ -+ int rc; -+ TPM2_CTX* ctx = TPM2_GetActiveCtx(); -+ TPMS_AUTH_COMMAND session; -+ -+ rc = TPM2_AcquireLock(ctx); -+ if (rc == TPM_RC_SUCCESS) { -+ TPM2_Packet packet; -+ int tmpSz = 0; -+ TPM2_Packet_Init(ctx, &packet); -+ TPM2_Packet_AppendU32(&packet, TPM_RH_PLATFORM); -+ -+ XMEMSET(&session, 0, sizeof(session)); -+ session.sessionHandle = sessionHandle; -+ -+ TPM2_Packet_MarkU32(&packet, &tmpSz); -+ TPM2_Packet_AppendAuthCmd(&packet, &session); -+ TPM2_Packet_PlaceU32(&packet, tmpSz); -+ -+ TPM2_Packet_AppendBytes(&packet, data, size); -+ -+ TPM2_Packet_Finalize(&packet, TPM_ST_SESSIONS, -+ TPM_CC_FieldUpgradeStartVendor); -+ -+ rc = TPM2_SendCommand(ctx, &packet); -+ -+ TPM2_ReleaseLock(ctx); -+ } -+ return rc; -+} -+int TPM2_IFX_FieldUpgradeCommand(TPM_CC cc, uint8_t* data, uint32_t size) -+{ -+ int rc; -+ TPM2_CTX* ctx = TPM2_GetActiveCtx(); -+ -+ rc = TPM2_AcquireLock(ctx); -+ if (rc == TPM_RC_SUCCESS) { -+ TPM2_Packet packet; -+ TPM2_Packet_Init(ctx, &packet); -+ TPM2_Packet_AppendBytes(&packet, data, size); -+ TPM2_Packet_Finalize(&packet, TPM_ST_NO_SESSIONS, cc); -+ rc = TPM2_SendCommand(ctx, &packet); -+ TPM2_ReleaseLock(ctx); -+ } -+ return rc; -+} -+ -+ -+#endif /* WOLFTPM_SLB9672 || WOLFTPM_SLB9673 */ -+#endif /* WOLFTPM_FIRMWARE_UPGRADE */ -+ - /******************************************************************************/ - /* --- END Manufacture Specific TPM API's -- */ - /******************************************************************************/ -@@ -5572,7 +5698,7 @@ const char* TPM2_GetRCString(int rc) - return "Success"; - } - -- if ((rc & RC_WARN) && (rc & RC_FMT1) == 0) { -+ if ((rc & RC_WARN) && (rc & RC_FMT1) == 0 && (rc & RC_VER1) == 0) { - int rc_warn = rc & RC_MAX_WARN; - - switch (rc_warn) { -diff --git a/src/tpm2_cryptocb.c b/src/tpm2_cryptocb.c -index dd30009..4746374 100644 ---- a/src/tpm2_cryptocb.c -+++ b/src/tpm2_cryptocb.c -@@ -19,6 +19,10 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #if !defined(WOLFTPM2_NO_WRAPPER) -@@ -248,8 +252,14 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) - word32 rsLen = sizeof(sigRS), keySz; - word32 inlen = info->pk.eccsign.inlen; - -- /* truncate input to match key size */ -+ /* get key size from wolf signing key */ - keySz = wc_ecc_size(info->pk.eccsign.key); -+ if (keySz == 0) { -+ /* if not populated fallback to key size for TPM key */ -+ keySz = TPM2_GetCurveSize( -+ tlsCtx->eccKey->pub.publicArea.parameters.eccDetail.curveID); -+ } -+ /* truncate input to match key size */ - if (inlen > keySz) - inlen = keySz; - -@@ -426,8 +436,8 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) - if (hashCtx) - hash.handle.hndl = hashCtx->handle; - -+ rc = 0; /* initialize return code */ - if (info->hash.in != NULL) { /* Update */ -- rc = 0; - /* If not single shot (update and final) then allocate context */ - if (hashCtx == NULL && info->hash.digest == NULL) { - hashCtx = (WOLFTPM2_HASHCTX*)XMALLOC(sizeof(*hashCtx), NULL, -diff --git a/src/tpm2_linux.c b/src/tpm2_linux.c -index c1b2032..9c3f354 100644 ---- a/src/tpm2_linux.c -+++ b/src/tpm2_linux.c -@@ -19,6 +19,10 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #ifdef WOLFTPM_LINUX_DEV -diff --git a/src/tpm2_packet.c b/src/tpm2_packet.c -index ac2a8cc..e7f687f 100644 ---- a/src/tpm2_packet.c -+++ b/src/tpm2_packet.c -@@ -19,27 +19,12 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - -- --/* Endianess Helpers */ --#ifdef LITTLE_ENDIAN_ORDER -- #define cpu_to_be16(d) ByteReverseWord16(d) -- #define cpu_to_be32(d) ByteReverseWord32(d) -- #define cpu_to_be64(d) ByteReverseWord64(d) -- #define be16_to_cpu(d) ByteReverseWord16(d) -- #define be32_to_cpu(d) ByteReverseWord32(d) -- #define be64_to_cpu(d) ByteReverseWord64(d) --#else -- #define cpu_to_be16(d) (d) -- #define cpu_to_be32(d) (d) -- #define cpu_to_be64(d) (d) -- #define be16_to_cpu(d) (d) -- #define be32_to_cpu(d) (d) -- #define be64_to_cpu(d) (d) --#endif -- - /* convert 16 bit integer to opaque */ - static inline void c16toa(word16 wc_u16, byte* c) - { -@@ -332,8 +317,7 @@ int TPM2_GetCmdAuthCount(TPM2_CTX* ctx, const CmdInfo_t* info) - } - - /* Allow policy auth */ -- else if (authReq && TPM2_IS_POLICY_SESSION(sessionHandle) && -- sessionAttributes == 0) { -+ else if (authReq && TPM2_IS_POLICY_SESSION(sessionHandle)) { - authSessCount++; - } - else if (!authReq) { -diff --git a/src/tpm2_param_enc.c b/src/tpm2_param_enc.c -index f040fdf..2df0d28 100644 ---- a/src/tpm2_param_enc.c -+++ b/src/tpm2_param_enc.c -@@ -19,6 +19,10 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - #include - -diff --git a/src/tpm2_swtpm.c b/src/tpm2_swtpm.c -index f67cee1..dcdda6f 100644 ---- a/src/tpm2_swtpm.c -+++ b/src/tpm2_swtpm.c -@@ -32,6 +32,10 @@ - * See docs/SWTPM.md - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - - #ifdef WOLFTPM_SWTPM -@@ -43,6 +47,9 @@ - #include - #include - #include -+#ifdef HAVE_NETDB_H -+#include -+#endif - - #include - -diff --git a/src/tpm2_tis.c b/src/tpm2_tis.c -index 4004f74..da6d04c 100644 ---- a/src/tpm2_tis.c -+++ b/src/tpm2_tis.c -@@ -19,6 +19,9 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - -@@ -44,18 +47,18 @@ enum tpm_tis_status { - TPM_STS_RESP_RETRY = 0x02, - }; - --enum tpm_tis_int_flags { -- TPM_GLOBAL_INT_ENABLE = 0x80000000, -- TPM_INTF_BURST_COUNT_STATIC = 0x100, -- TPM_INTF_CMD_READY_INT = 0x080, -- TPM_INTF_INT_EDGE_FALLING = 0x040, -- TPM_INTF_INT_EDGE_RISING = 0x020, -- TPM_INTF_INT_LEVEL_LOW = 0x010, -- TPM_INTF_INT_LEVEL_HIGH = 0x008, -- TPM_INTF_LOC_CHANGE_INT = 0x004, -- TPM_INTF_STS_VALID_INT = 0x002, -- TPM_INTF_DATA_AVAIL_INT = 0x001, --}; -+/* enum tpm_tis_int_flags */ -+#define TPM_GLOBAL_INT_ENABLE 0x80000000UL -+#define TPM_INTF_BURST_COUNT_STATIC 0x100 -+#define TPM_INTF_CMD_READY_INT 0x080 -+#define TPM_INTF_INT_EDGE_FALLING 0x040 -+#define TPM_INTF_INT_EDGE_RISING 0x020 -+#define TPM_INTF_INT_LEVEL_LOW 0x010 -+#define TPM_INTF_INT_LEVEL_HIGH 0x008 -+#define TPM_INTF_LOC_CHANGE_INT 0x004 -+#define TPM_INTF_STS_VALID_INT 0x002 -+#define TPM_INTF_DATA_AVAIL_INT 0x001 -+ - - #ifndef TPM_BASE_ADDRESS - #define TPM_BASE_ADDRESS (0xD40000u) -diff --git a/src/tpm2_winapi.c b/src/tpm2_winapi.c -index fcd8a46..840a5c2 100644 ---- a/src/tpm2_winapi.c -+++ b/src/tpm2_winapi.c -@@ -19,6 +19,9 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - -diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c -index d2257dd..6f1e95e 100644 ---- a/src/tpm2_wrap.c -+++ b/src/tpm2_wrap.c -@@ -19,6 +19,10 @@ - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif -+ - #include - #include - -@@ -615,6 +619,15 @@ int wolfTPM2_SelfTest(WOLFTPM2_DEV* dev) - * TPM_PT_MODES = Bit 0 = FIPS_140_2 - */ - -+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673) -+ /* Infineon SLB9672 or SLB9673 Firmware Upgrade support */ -+ #define TPM_PT_VENDOR_FIX 0x80000000 -+ #define TPM_PT_VENDOR_FIX_FU_COUNTER (TPM_PT_VENDOR_FIX + 3) -+ #define TPM_PT_VENDOR_FIX_FU_COUNTER_SAME (TPM_PT_VENDOR_FIX + 4) -+ #define TPM_PT_VENDOR_FIX_FU_OPERATION_MODE (TPM_PT_VENDOR_FIX + 7) -+ #define TPM_PT_VENDOR_FIX_FU_KEYGROUP_ID (TPM_PT_VENDOR_FIX + 8) -+#endif -+ - /* ST33TP - * TPM_PT_MANUFACTURER 0x53544D20: "STM" - * TPM_PT_FIRMWARE_VERSION_1 TPM FW version: 0x00006400 -@@ -694,6 +707,44 @@ static int wolfTPM2_ParseCapabilities(WOLFTPM2_CAPS* caps, - return rc; - } - -+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673) -+static int tpm2_ifx_cap_vendor_get(WOLFTPM2_CAPS* cap, uint32_t property, -+ uint8_t* val, size_t valSz) -+{ -+ int rc; -+ GetCapability_In in; -+ GetCapability_Out out; -+ -+ XMEMSET(&in, 0, sizeof(in)); -+ XMEMSET(&out, 0, sizeof(out)); -+ in.capability = TPM_CAP_VENDOR_PROPERTY; -+ in.property = property; -+ in.propertyCount = 1; -+ rc = TPM2_GetCapability(&in, &out); -+ if (rc == TPM_RC_SUCCESS) { -+ TPM2B_MAX_BUFFER* buf = &out.capabilityData.data.vendor; -+ /* 4 bytes=count + 2 bytes=len + vendor value */ -+ if (buf->buffer[3] == 1 && buf->buffer[5] == valSz) { -+ XMEMCPY(val, &buf->buffer[6], valSz); -+ if (valSz == 2) { -+ *((uint16_t*)val) = be16_to_cpu(*((uint16_t*)val)); -+ } -+ else if (valSz == 4) { -+ *((uint32_t*)val) = be32_to_cpu(*((uint32_t*)val)); -+ } -+ } -+ } -+ else { -+ #ifdef DEBUG_WOLFTPM -+ printf("TPM2_GetCapability vendor prop 0x%x failed 0x%x: %s\n", -+ property, rc, TPM2_GetRCString(rc)); -+ #endif -+ } -+ (void)cap; -+ return rc; -+} -+#endif -+ - static int wolfTPM2_GetCapabilities_NoDev(WOLFTPM2_CAPS* cap) - { - int rc; -@@ -708,14 +759,15 @@ static int wolfTPM2_GetCapabilities_NoDev(WOLFTPM2_CAPS* cap) - - /* Get Capabilities TPM_PT_MANUFACTURER thru TPM_PT_FIRMWARE_VERSION_2 */ - XMEMSET(&in, 0, sizeof(in)); -+ XMEMSET(&out, 0, sizeof(out)); - in.capability = TPM_CAP_TPM_PROPERTIES; - in.property = TPM_PT_MANUFACTURER; - in.propertyCount = 8; - rc = TPM2_GetCapability(&in, &out); - if (rc != TPM_RC_SUCCESS) { - #ifdef DEBUG_WOLFTPM -- printf("TPM2_GetCapability failed 0x%x: %s\n", rc, -- TPM2_GetRCString(rc)); -+ printf("TPM2_GetCapability manufacture failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); - #endif - return rc; - } -@@ -725,19 +777,40 @@ static int wolfTPM2_GetCapabilities_NoDev(WOLFTPM2_CAPS* cap) - - /* Get Capability TPM_PT_MODES */ - XMEMSET(&in, 0, sizeof(in)); -+ XMEMSET(&out, 0, sizeof(out)); - in.capability = TPM_CAP_TPM_PROPERTIES; - in.property = TPM_PT_MODES; - in.propertyCount = 1; - rc = TPM2_GetCapability(&in, &out); - if (rc != TPM_RC_SUCCESS) { - #ifdef DEBUG_WOLFTPM -- printf("TPM2_GetCapability failed 0x%x: %s\n", rc, -- TPM2_GetRCString(rc)); -+ printf("TPM2_GetCapability modes failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); - #endif - return rc; - } - rc = wolfTPM2_ParseCapabilities(cap, &out.capabilityData.data.tpmProperties); - -+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673) -+ /* Get vendor specific information */ -+ if (rc == 0) { -+ rc = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_OPERATION_MODE, -+ &cap->opMode, sizeof(cap->opMode)); -+ } -+ if (rc == 0) { -+ rc = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_KEYGROUP_ID, -+ (uint8_t*)&cap->keyGroupId, sizeof(cap->keyGroupId)); -+ } -+ if (rc == 0) { -+ rc = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_COUNTER, -+ (uint8_t*)&cap->fwCounter, sizeof(cap->fwCounter)); -+ } -+ if (rc == 0) { -+ rc = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_COUNTER_SAME, -+ (uint8_t*)&cap->fwCounterSame, sizeof(cap->fwCounterSame)); -+ } -+#endif -+ - return rc; - } - -@@ -749,6 +822,42 @@ int wolfTPM2_GetCapabilities(WOLFTPM2_DEV* dev, WOLFTPM2_CAPS* cap) - return wolfTPM2_GetCapabilities_NoDev(cap); - } - -+int wolfTPM2_GetHandles(TPM_HANDLE handle, TPML_HANDLE* handles) -+{ -+ int rc; -+ GetCapability_In in; -+ GetCapability_Out out; -+#ifdef DEBUG_WOLFTPM -+ UINT32 i; -+#endif -+ -+ /* Get Capability TPM_CAP_HANDLES - PCR */ -+ XMEMSET(&in, 0, sizeof(in)); -+ in.capability = TPM_CAP_HANDLES; -+ in.property = handle; -+ in.propertyCount = MAX_CAP_HANDLES; -+ rc = TPM2_GetCapability(&in, &out); -+ if (rc != TPM_RC_SUCCESS) { -+ #ifdef DEBUG_WOLFTPM -+ printf("TPM2_GetCapability handles failed 0x%x: %s\n", rc, -+ TPM2_GetRCString(rc)); -+ #endif -+ return rc; -+ } -+ if (handles != NULL) { -+ /* optionally return handles count/list */ -+ XMEMCPY(handles, &out.capabilityData.data.handles, sizeof(TPML_HANDLE)); -+ } -+ handles = &out.capabilityData.data.handles; -+#ifdef DEBUG_WOLFTPM -+ printf("Handles Cap: Start 0x%x, Count %d\n", handle, handles->count); -+ for (i=0; icount; i++) { -+ printf("\tHandle 0x%x\n", handles->handle[i]); -+ } -+#endif -+ return handles->count; -+} -+ - int wolfTPM2_UnsetAuth(WOLFTPM2_DEV* dev, int index) - { - TPM2_AUTH_SESSION* session; -@@ -1104,7 +1213,7 @@ static int wolfTPM2_EncryptSecret_ECC(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpm - TPM2B_ECC_POINT pubPoint, secretPoint; - ecc_point r[1]; - mp_int prime, a; -- word32 keySz; -+ word32 keySz = 0; - - publicArea = &tpmKey->pub.publicArea; - XMEMSET(&rng, 0, sizeof(rng)); -@@ -2729,6 +2838,112 @@ int wolfTPM2_DecodeEccDer(const byte* der, word32 derSz, TPM2B_PUBLIC* pub, - } - #endif /* HAVE_ECC */ - -+int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, -+ int encodingType, byte* out, word32* outSz) -+{ -+ int rc; -+ word32 derSz = 0; -+ union keyUnion { -+ #ifndef NO_RSA -+ RsaKey rsa; -+ #endif -+ #ifdef HAVE_ECC -+ ecc_key ecc; -+ #endif -+ } key; -+ -+ if (dev == NULL || tpmKey == NULL) { -+ return BAD_FUNC_ARG; -+ } -+ -+ XMEMSET(&key, 0, sizeof(key)); -+ -+ /* determine the type of key in WOLFTPM2_KEY */ -+ if (tpmKey->pub.publicArea.type == TPM_ALG_ECC) { -+ #if defined(HAVE_ECC) && \ -+ defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) -+ rc = wc_ecc_init(&key.ecc); -+ if (rc == 0) { -+ /* load public portion of key into wolf ECC Key */ -+ rc = wolfTPM2_EccKey_TpmToWolf(dev, tpmKey, &key.ecc); -+ if (rc == 0) { -+ rc = wc_EccPublicKeyToDer(&key.ecc, out, *outSz, 1); -+ if (rc > 0) { -+ derSz = rc; -+ rc = 0; -+ } -+ else { -+ rc = BUFFER_E; -+ } -+ } -+ } -+ #else -+ rc = NOT_COMPILED_IN; -+ #endif -+ } -+ else if (tpmKey->pub.publicArea.type == TPM_ALG_RSA) { -+ /* RSA public key export only enabled with: -+ * cert gen, key gen or openssl extra */ -+ #if !defined(NO_RSA) && \ -+ (defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA) || \ -+ defined(WOLFSSL_KEY_GEN)) -+ rc = wc_InitRsaKey(&key.rsa, NULL); -+ if (rc == 0) { -+ /* load public portion of key into wolf RSA Key */ -+ rc = wolfTPM2_RsaKey_TpmToWolf(dev, tpmKey, &key.rsa); -+ if (rc == 0) { -+ rc = wc_RsaKeyToPublicDer_ex(&key.rsa, out, *outSz, 1); -+ if (rc > 0) { -+ derSz = rc; -+ rc = 0; -+ } -+ else { -+ rc = BUFFER_E; -+ } -+ } -+ } -+ #else -+ rc = NOT_COMPILED_IN; -+ #endif -+ } -+ else { -+ #ifdef DEBUG_WOLFTPM -+ printf("Invalid tpmKey type!\n"); -+ #endif -+ rc = BAD_FUNC_ARG; -+ } -+ -+ /* Optionally convert to PEM */ -+ if (rc == 0 && encodingType == ENCODING_TYPE_PEM) { -+ #ifdef WOLFSSL_DER_TO_PEM -+ WOLFTPM2_BUFFER tmp; -+ if (derSz > (word32)sizeof(tmp.buffer)) { -+ rc = BUFFER_E; -+ } -+ else { -+ /* move DER to temp variable */ -+ tmp.size = derSz; -+ XMEMCPY(tmp.buffer, out, derSz); -+ XMEMSET(out, 0, *outSz); -+ rc = wc_DerToPem(tmp.buffer, tmp.size, out, *outSz, PUBLICKEY_TYPE); -+ if (rc > 0) { -+ *outSz = rc; -+ rc = 0; -+ } -+ else { -+ rc = BUFFER_E; -+ } -+ } -+ #else -+ rc = NOT_COMPILED_IN; -+ #endif -+ } -+ else if (rc == 0) { -+ *outSz = derSz; -+ } -+ return rc; -+} -+ - int wolfTPM2_ImportPublicKeyBuffer(WOLFTPM2_DEV* dev, int keyType, - WOLFTPM2_KEY* key, int encodingType, const char* input, word32 inSz, - TPMA_OBJECT objectAttributes) -@@ -2991,61 +3206,8 @@ int wolfTPM2_RsaKey_TpmToWolf(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, - int wolfTPM2_RsaKey_TpmToPemPub(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, - byte* pem, word32* pemSz) - { -- int rc = TPM_RC_FAILURE; --#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFSSL_DER_TO_PEM) && \ -- (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(NO_RSA) -- RsaKey rsaKey; -- byte* derBuf = NULL; -- int derSz = 0; --#endif -- -- if (dev == NULL || tpmKey == NULL || pem == NULL || pemSz == NULL) -- return BAD_FUNC_ARG; -- --#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFSSL_DER_TO_PEM) && \ -- (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(NO_RSA) -- -- /* Prepare wolfCrypt key structure */ -- rc = wc_InitRsaKey(&rsaKey, NULL); -- if (rc == 0) { -- /* Convert the wolfTPM key to wolfCrypt format */ -- rc = wolfTPM2_RsaKey_TpmToWolf(dev, tpmKey, &rsaKey); -- if (rc == 0) { -- /* Get DER size - newer API can be called with NULL to get size */ -- rc = wc_RsaKeyToPublicDer(&rsaKey, NULL, 0); -- if (rc > 0) { -- derSz = rc; -- rc = 0; -- } -- else if (rc == BAD_FUNC_ARG) { -- /* for older wolfSSL estimate based on key size */ -- derSz = wc_RsaEncryptSize(&rsaKey) * 2; -- rc = 0; -- } -- } -- if (derSz > 0) { -- derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); -- if (derBuf == NULL) -- rc = MEMORY_E; -- } -- if (rc == 0) { -- /* Convert the wolfCrypt key to DER format */ -- rc = wc_RsaKeyToPublicDer(&rsaKey, derBuf, derSz); -- } -- if (rc >= 0) { -- /* Convert the DER key to PEM format */ -- derSz = rc; -- rc = wc_DerToPem(derBuf, derSz, pem, *pemSz, PUBLICKEY_TYPE); -- } -- if (rc >= 0) { -- *pemSz = rc; -- rc = TPM_RC_SUCCESS; -- } -- XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); -- wc_FreeRsaKey(&rsaKey); -- } --#endif -- return rc; -+ return wolfTPM2_ExportPublicKeyBuffer(dev, tpmKey, -+ ENCODING_TYPE_PEM, pem, pemSz); - } - - static word32 wolfTPM2_RsaKey_Exponent(byte* e, word32 eSz) -@@ -4328,6 +4490,43 @@ int wolfTPM2_NVReadAuth(WOLFTPM2_DEV* dev, WOLFTPM2_NV* nv, - return rc; - } - -+int wolfTPM2_NVReadCert(WOLFTPM2_DEV* dev, TPM_HANDLE handle, -+ uint8_t* buffer, uint32_t* len) -+{ -+ int rc; -+ WOLFTPM2_NV nv; -+ TPMS_NV_PUBLIC nvPublic; -+ -+ XMEMSET(&nvPublic, 0, sizeof(nvPublic)); -+ XMEMSET(&nv, 0, sizeof(nv)); -+ -+ /* Get or check size of NV */ -+ rc = wolfTPM2_NVReadPublic(dev, handle, &nvPublic); -+ if (rc == 0) { -+ if (buffer == NULL) { -+ /* just set size and return success */ -+ *len = nvPublic.dataSize; -+ return 0; -+ } -+ if (nvPublic.dataSize > *len) { -+ return BUFFER_E; -+ } -+ *len = nvPublic.dataSize; -+ } -+ else { -+ #ifdef DEBUG_WOLFTPM -+ printf("NV public read of handle 0x%x failed %d: %s\n", -+ handle, rc, wolfTPM2_GetRCString(rc)); -+ #endif -+ return rc; -+ } -+ -+ /* Perform read of NV without auth password */ -+ nv.handle.hndl = handle; -+ rc = wolfTPM2_NVReadAuth(dev, &nv, handle, buffer, (word32*)len, 0); -+ return rc; -+} -+ - /* older API kept for compatibility, recommend using wolfTPM2_NVReadAuth */ - int wolfTPM2_NVRead(WOLFTPM2_DEV* dev, TPM_HANDLE authHandle, - word32 nvIndex, byte* dataBuf, word32* pDataSz, word32 offset) -@@ -4960,6 +5159,9 @@ int wolfTPM2_EncryptDecryptBlock(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, - /* try to enable support */ - rc = wolfTPM2_SetCommand(dev, TPM_CC_EncryptDecrypt2, YES); - if (rc == TPM_RC_SUCCESS) { -+ /* reset session auth for key */ -+ wolfTPM2_SetAuthHandle(dev, 0, &key->handle); -+ - /* try command again */ - rc = TPM2_EncryptDecrypt2(&encDecIn, &encDecOut); - } -@@ -5024,6 +5226,9 @@ int wolfTPM2_SetCommand(WOLFTPM2_DEV* dev, TPM_CC commandCode, int enableFlag) - if (TPM2_GetVendorID() == TPM_VENDOR_STM) { - SetCommandSet_In in; - -+ /* set blank platform auth */ -+ wolfTPM2_SetAuthPassword(dev, 0, NULL); -+ - /* Enable commands (like TPM2_EncryptDecrypt2) */ - XMEMSET(&in, 0, sizeof(in)); - in.authHandle = TPM_RH_PLATFORM; -@@ -5419,6 +5624,14 @@ int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate, - return TPM_RC_SUCCESS; - } - -+int wolfTPM2_GetKeyTemplate_RSA_ex(TPMT_PUBLIC* publicTemplate, -+ TPM_ALG_ID nameAlg, TPMA_OBJECT objectAttributes, int keyBits, long exponent, -+ TPM_ALG_ID sigScheme, TPM_ALG_ID sigHash) -+{ -+ return GetKeyTemplateRSA(publicTemplate, nameAlg, -+ objectAttributes, keyBits, exponent, sigScheme, sigHash); -+} -+ - int wolfTPM2_GetKeyTemplate_RSA(TPMT_PUBLIC* publicTemplate, - TPMA_OBJECT objectAttributes) - { -@@ -5427,6 +5640,14 @@ int wolfTPM2_GetKeyTemplate_RSA(TPMT_PUBLIC* publicTemplate, - TPM_ALG_NULL, WOLFTPM2_WRAP_DIGEST); - } - -+int wolfTPM2_GetKeyTemplate_ECC_ex(TPMT_PUBLIC* publicTemplate, -+ TPM_ALG_ID nameAlg, TPMA_OBJECT objectAttributes, TPM_ECC_CURVE curve, -+ TPM_ALG_ID sigScheme, TPM_ALG_ID sigHash) -+{ -+ return GetKeyTemplateECC(publicTemplate, nameAlg, -+ objectAttributes, curve, sigScheme, sigHash); -+} -+ - int wolfTPM2_GetKeyTemplate_ECC(TPMT_PUBLIC* publicTemplate, - TPMA_OBJECT objectAttributes, TPM_ECC_CURVE curve, TPM_ALG_ID sigScheme) - { -@@ -5490,7 +5711,7 @@ int wolfTPM2_GetKeyTemplate_KeySeal(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID name - publicTemplate->nameAlg = nameAlg; - publicTemplate->objectAttributes = ( - TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent | -- TPMA_OBJECT_userWithAuth | TPMA_OBJECT_noDA); -+ TPMA_OBJECT_noDA); - publicTemplate->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_NULL; - return TPM_RC_SUCCESS; - } -@@ -6894,4 +7115,404 @@ int wolfTPM2_PolicyAuthorizeMake(TPM_ALG_ID pcrAlg, - /* --- END Policy Support -- */ - /******************************************************************************/ - -+ -+ -+/******************************************************************************/ -+/* --- BEGIN Provisioned TPM Support -- */ -+/******************************************************************************/ -+ -+/* pre-provisioned IAK and IDevID key/cert from TPM vendor */ -+#ifdef WOLFTPM_MFG_IDENTITY -+ -+#ifdef TEST_SAMPLE -+static const uint8_t TPM2_IAK_SAMPLE_MASTER_PASSWORD[] = { -+ 0xFE, 0xEF, 0x8C, 0xDF, 0x1B, 0x77, 0xBD, 0x00, -+ 0x30, 0x58, 0x5E, 0x47, 0xB8, 0x21, 0x46, 0x0B -+}; -+#endif -+ -+int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle, -+ uint8_t* masterPassword, uint16_t masterPasswordSz) -+{ -+ int rc; -+ uint8_t serialNum[7]; -+ wc_HashAlg hash_ctx; -+ enum wc_HashType hashType = WC_HASH_TYPE_SHA256; -+ uint8_t digest[TPM_SHA256_DIGEST_SIZE]; -+ -+ /* Get TPM serial number */ -+ rc = TPM2_GetProductInfo(serialNum, (uint16_t)sizeof(serialNum)); -+ if (rc != 0) { -+ #ifdef DEBUG_WOLFTPM -+ printf("TPM2_GetProductInfo failed %d: %s\n", -+ rc, wolfTPM2_GetRCString(rc)); -+ #endif -+ return rc; -+ } -+ -+ /* Hash both values */ -+ rc = wc_HashInit(&hash_ctx, hashType); -+ if (rc == 0) { -+ rc = wc_HashUpdate(&hash_ctx, hashType, serialNum, sizeof(serialNum)); -+ if (rc == 0) { -+ #ifdef TEST_SAMPLE -+ rc = wc_HashUpdate(&hash_ctx, hashType, -+ TPM2_IAK_SAMPLE_MASTER_PASSWORD, -+ sizeof(TPM2_IAK_SAMPLE_MASTER_PASSWORD)); -+ (void)masterPassword; -+ (void)masterPasswordSz; -+ #else -+ rc = wc_HashUpdate(&hash_ctx, hashType, -+ masterPassword, masterPasswordSz); -+ #endif -+ } -+ if (rc == 0) { -+ rc = wc_HashFinal(&hash_ctx, hashType, digest); -+ } -+ -+ wc_HashFree(&hash_ctx, hashType); -+ } -+ -+ /* Hash Final truncate to 16 bytes */ -+ /* Use 16-byte for auth when accessing key */ -+ handle->auth.size = 16; -+ XMEMCPY(handle->auth.buffer, &digest[16], 16); -+ -+ (void)dev; -+ -+ return rc; -+} -+ -+#endif /* WOLFTPM_MFG_IDENTITY */ -+ -+/******************************************************************************/ -+/* --- END Provisioned TPM Support -- */ -+/******************************************************************************/ -+ -+ -+ -+ -+ -+/******************************************************************************/ -+/* --- BEGIN Firmware Upgrade Support -- */ -+/******************************************************************************/ -+ -+#ifdef WOLFTPM_FIRMWARE_UPGRADE -+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673) -+ -+/* Maximum size of firmware chunks */ -+#define IFX_FW_MAX_CHUNK_SZ 1024 -+ -+/* Setup the policy to enable firmware upgrade start */ -+static int tpm2_ifx_firmware_enable_policy(WOLFTPM2_DEV* dev) -+{ -+ int rc; -+ PolicyCommandCode_In policyCC; -+ SetPrimaryPolicy_In policy; -+ WOLFTPM2_SESSION tpmSession; -+ -+ XMEMSET(&tpmSession, 0, sizeof(tpmSession)); -+ XMEMSET(&policyCC, 0, sizeof(policyCC)); -+ XMEMSET(&policy, 0, sizeof(policy)); -+ -+ rc = wolfTPM2_StartSession(dev, &tpmSession, NULL, NULL, -+ TPM_SE_POLICY, TPM_ALG_NULL); -+ if (rc == TPM_RC_SUCCESS) { -+ policyCC.policySession = tpmSession.handle.hndl; -+ policyCC.code = TPM_CC_FieldUpgradeStartVendor; -+ rc = TPM2_PolicyCommandCode(&policyCC); -+ if (rc == TPM_RC_SUCCESS) { -+ word32 policySz = (word32)sizeof(policy.authPolicy.buffer); -+ rc = wolfTPM2_GetPolicyDigest(dev, tpmSession.handle.hndl, -+ policy.authPolicy.buffer, &policySz); -+ policy.authPolicy.size = policySz; -+ } -+ wolfTPM2_UnloadHandle(dev, &tpmSession.handle); -+ } -+ if (rc == TPM_RC_SUCCESS) { -+ policy.authHandle = TPM_RH_PLATFORM; -+ policy.hashAlg = TPM_ALG_SHA256; -+ rc = TPM2_SetPrimaryPolicy(&policy); -+ } -+ -+#ifdef DEBUG_WOLFTPM -+ if (rc != TPM_RC_SUCCESS) { -+ printf("Enable firmware start policy failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); -+ } -+#endif -+ return rc; -+} -+ -+static int tpm2_ifx_firmware_start(WOLFTPM2_DEV* dev, TPM_ALG_ID hashAlg, -+ uint8_t* manifest_hash, uint32_t manifest_hash_sz) -+{ -+ int rc; -+ WOLFTPM2_SESSION tpmSession; -+ PolicyCommandCode_In policyCC; -+ -+ XMEMSET(&tpmSession, 0, sizeof(tpmSession)); -+ XMEMSET(&policyCC, 0, sizeof(policyCC)); -+ -+ rc = wolfTPM2_StartSession(dev, &tpmSession, NULL, NULL, -+ TPM_SE_POLICY, TPM_ALG_NULL); -+ if (rc == TPM_RC_SUCCESS) { -+ policyCC.policySession = tpmSession.handle.hndl; -+ policyCC.code = TPM_CC_FieldUpgradeStartVendor; -+ rc = TPM2_PolicyCommandCode(&policyCC); -+ if (rc == TPM_RC_SUCCESS) { -+ /* build command for manifest header */ -+ uint16_t val16; -+ /* max cmd: type (1) + data sz (2) + hash alg (2) + max digest (64) */ -+ uint8_t cmd[1 + 2 + 2 + TPM_SHA512_DIGEST_SIZE]; -+ cmd[0] = 0x01; /* type */ -+ val16 = be16_to_cpu(manifest_hash_sz + 2); -+ XMEMCPY(&cmd[1], &val16, sizeof(val16)); /* data size */ -+ val16 = be16_to_cpu(hashAlg); -+ XMEMCPY(&cmd[3], &val16, sizeof(val16)); /* hash algorithm */ -+ XMEMCPY(&cmd[5], manifest_hash, manifest_hash_sz); -+ -+ rc = TPM2_IFX_FieldUpgradeStart(tpmSession.handle.hndl, -+ cmd, 1 + 2 + 2 + manifest_hash_sz); -+ } -+ if (rc == TPM_RC_SUCCESS) { -+ /* delay to give the TPM time to switch modes */ -+ XSLEEP_MS(300); -+ /* it is not required to release session handle, -+ * since TPM reset into firmware upgrade mode */ -+ -+ #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \ -+ !defined(WOLFTPM_WINAPI) -+ /* Do chip startup and request locality again */ -+ rc = TPM2_ChipStartup(&dev->ctx, 10); -+ #endif -+ } -+ else { -+ wolfTPM2_UnloadHandle(dev, &tpmSession.handle); -+ } -+ } -+#ifdef DEBUG_WOLFTPM -+ if (rc != TPM_RC_SUCCESS) { -+ printf("Firmware upgrade start failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); -+ } -+#endif -+ return rc; -+} -+ -+static int tpm2_ifx_firmware_manifest(WOLFTPM2_DEV* dev, -+ uint8_t* manifest, uint32_t manifest_sz) -+{ -+ int rc = TPM_RC_FAILURE; -+ uint32_t offset, chunk_sz; -+ uint8_t state; /* 1=start, 2=more, 0=done */ -+ -+ (void)dev; -+ for (offset = 0; offset < manifest_sz; offset += chunk_sz) { -+ /* max cmd: type (1) + chunk sz (2) + max chunk (1024) */ -+ uint8_t cmd[1 + 2 + IFX_FW_MAX_CHUNK_SZ]; -+ uint16_t val16; -+ -+ chunk_sz = manifest_sz - offset; -+ if (chunk_sz > IFX_FW_MAX_CHUNK_SZ) { -+ chunk_sz = IFX_FW_MAX_CHUNK_SZ; -+ state = (offset == 0) ? 1 : 2; -+ } -+ else { -+ state = 0; -+ } -+ #ifdef DEBUG_WOLFTPM -+ printf("Firmware manifest chunk %u offset (%u / %u), state %d\n", -+ chunk_sz, offset, manifest_sz, state); -+ #endif -+ -+ cmd[0] = state; -+ val16 = be16_to_cpu(chunk_sz); -+ XMEMCPY(&cmd[1], &val16, sizeof(val16)); /* chunk size */ -+ XMEMCPY(&cmd[3], &manifest[offset], chunk_sz); -+ -+ rc = TPM2_IFX_FieldUpgradeCommand(TPM_CC_FieldUpgradeManifestVendor, -+ cmd, 1 + 2 + chunk_sz); -+ if (rc != TPM_RC_SUCCESS) { -+ break; -+ } -+ } -+#ifdef DEBUG_WOLFTPM -+ if (rc != TPM_RC_SUCCESS) { -+ printf("Firmware upgrade manifest failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); -+ } -+#endif -+ return rc; -+} -+ -+static int tpm2_ifx_firmware_data(WOLFTPM2_DEV* dev, -+ wolfTPM2FwDataCb cb, void* cb_ctx) -+{ -+ int rc; -+ uint32_t offset, chunk_sz; -+ uint8_t cmd[2 + IFX_FW_MAX_CHUNK_SZ]; -+ uint16_t val16; -+ -+ (void)dev; -+ for (offset = 0; ; offset += chunk_sz) { -+ XMEMSET(cmd, 0, sizeof(cmd)); -+ -+ /* get chunk */ -+ rc = cb(&cmd[2], IFX_FW_MAX_CHUNK_SZ, offset, cb_ctx); -+ if (rc > 0 && rc <= IFX_FW_MAX_CHUNK_SZ) { -+ chunk_sz = rc; -+ rc = 0; -+ } -+ else if (rc == 0) { -+ #ifdef DEBUG_WOLFTPM -+ printf("Firmware data done\n"); -+ #endif -+ break; -+ } -+ else { -+ #ifdef DEBUG_WOLFTPM -+ printf("Firmware data callback error! %d\n", rc); -+ #endif -+ break; -+ } -+ -+ #ifdef DEBUG_WOLFTPM -+ printf("Firmware data chunk offset %u\n", offset); -+ #endif -+ -+ val16 = be16_to_cpu(chunk_sz); -+ XMEMCPY(&cmd[0], &val16, sizeof(val16)); /* chunk size */ -+ -+ rc = TPM2_IFX_FieldUpgradeCommand(TPM_CC_FieldUpgradeDataVendor, -+ cmd, 2 + chunk_sz); -+ if (rc != TPM_RC_SUCCESS) { -+ break; -+ } -+ } -+ -+ if (rc == TPM_RC_SUCCESS) { -+ /* Give the TPM time to start the new firmware */ -+ XSLEEP_MS(300); -+ -+ #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \ -+ !defined(WOLFTPM_WINAPI) -+ /* Do chip startup and request locality again */ -+ rc = TPM2_ChipStartup(&dev->ctx, 10); -+ #endif -+ } -+#ifdef DEBUG_WOLFTPM -+ else { -+ printf("Firmware upgrade data failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); -+ } -+#endif -+ return rc; -+} -+ -+static int tpm2_ifx_firmware_final(WOLFTPM2_DEV* dev) -+{ -+ int rc; -+ uint8_t cmd[2]; -+ uint16_t val16; -+ -+ (void)dev; -+ -+ val16 = 0; -+ XMEMCPY(&cmd[0], &val16, sizeof(val16)); /* data size */ -+ -+ rc = TPM2_IFX_FieldUpgradeCommand(TPM_CC_FieldUpgradeFinalizeVendor, -+ cmd, sizeof(cmd)); -+#ifdef DEBUG_WOLFTPM -+ if (rc != TPM_RC_SUCCESS) { -+ printf("Firmware finalize failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); -+ } -+#endif -+ return rc; -+} -+ -+int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev, -+ uint8_t* manifest, uint32_t manifest_sz, -+ wolfTPM2FwDataCb cb, void* cb_ctx) -+{ -+ int rc; -+ WOLFTPM2_CAPS caps; -+ TPM_ALG_ID hashAlg; -+ uint8_t manifest_hash[TPM_SHA384_DIGEST_SIZE]; -+ uint32_t manifest_hash_sz = (uint32_t)sizeof(manifest_hash); -+ -+ /* Can use SHA2-384 or SHA2-512 for manifest hash */ -+ hashAlg = TPM_ALG_SHA384; -+ -+ /* check the operational mode */ -+ rc = wolfTPM2_GetCapabilities(dev, &caps); -+ if (rc == TPM_RC_SUCCESS) { -+ if (caps.opMode == 0x03) { -+ /* firmware update is done, just needs finalized and TPM reset */ -+ #ifdef DEBUG_WOLFTPM -+ printf("Firmware update done, finalizing\n"); -+ #endif -+ return tpm2_ifx_firmware_final(dev); -+ } -+ } -+ -+ if (rc == TPM_RC_SUCCESS) { -+ /* hash the manifest */ -+ rc = wc_Sha384Hash(manifest, manifest_sz, manifest_hash); -+ } -+ if (rc == TPM_RC_SUCCESS) { -+ rc = tpm2_ifx_firmware_enable_policy(dev); -+ } -+ if (rc == TPM_RC_SUCCESS) { -+ rc = tpm2_ifx_firmware_start(dev, hashAlg, manifest_hash, manifest_hash_sz); -+ } -+ if (rc == TPM_RC_SUCCESS) { -+ rc = tpm2_ifx_firmware_manifest(dev, manifest, manifest_sz); -+ } -+ if (rc == TPM_RC_SUCCESS) { -+ rc = tpm2_ifx_firmware_data(dev, cb, cb_ctx); -+ } -+ if (rc == TPM_RC_SUCCESS) { -+ rc = tpm2_ifx_firmware_final(dev); -+ } -+#ifdef DEBUG_WOLFTPM -+ if (rc != TPM_RC_SUCCESS) { -+ printf("Firmware update failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); -+ } -+#endif -+ return rc; -+} -+ -+/* terminate a firmware update */ -+int wolfTPM2_FirmwareUpgradeCancel(WOLFTPM2_DEV* dev) -+{ -+ int rc; -+ uint8_t cmd[2]; -+ uint16_t val16; -+ -+ (void)dev; -+ -+ val16 = 0; /* data size */ -+ XMEMCPY(&cmd[0], &val16, sizeof(val16)); -+ -+ rc = TPM2_IFX_FieldUpgradeCommand(TPM_CC_FieldUpgradeAbandonVendor, -+ cmd, sizeof(cmd)); -+#ifdef DEBUG_WOLFTPM -+ if (rc != TPM_RC_SUCCESS) { -+ printf("Firmware abandon failed 0x%x: %s\n", -+ rc, TPM2_GetRCString(rc)); -+ } -+#endif -+ return rc; -+} -+ -+#endif /* WOLFTPM_SLB9672 || WOLFTPM_SLB9673 */ -+#endif /* WOLFTPM_FIRMWARE_UPGRADE */ -+ -+/******************************************************************************/ -+/* --- END Firmware Upgrade Support -- */ -+/******************************************************************************/ -+ - #endif /* !WOLFTPM2_NO_WRAPPER */ -diff --git a/tests/unit_tests.c b/tests/unit_tests.c -index ab2fffe..301db1b 100644 ---- a/tests/unit_tests.c -+++ b/tests/unit_tests.c -@@ -21,6 +21,9 @@ - - /* wolfTPM 2.0 unit tests */ - -+#ifdef HAVE_CONFIG_H -+ #include -+#endif - - #include - #include -diff --git a/wolftpm/tpm2.h b/wolftpm/tpm2.h -index 63288ae..5dd01cd 100644 ---- a/wolftpm/tpm2.h -+++ b/wolftpm/tpm2.h -@@ -66,15 +66,13 @@ typedef UINT32 TPM_GENERATED; - /* ENUMERATIONS */ - /* ---------------------------------------------------------------------------*/ - --enum { -- TPM_SPEC_FAMILY = 0x322E3000, -- TPM_SPEC_LEVEL = 0, -- TPM_SPEC_VERSION = 138, -- TPM_SPEC_YEAR = 2016, -- TPM_SPEC_DAY_OF_YEAR = 273, -- -- TPM_GENERATED_VALUE = 0xff544347, --}; -+#define TPM_SPEC_FAMILY 0x322E3000 -+#define TPM_SPEC_LEVEL 0 -+#define TPM_SPEC_VERSION 138 -+#define TPM_SPEC_YEAR 2016 -+#define TPM_SPEC_DAY_OF_YEAR 273 -+ -+#define TPM_GENERATED_VALUE 0xff544347 - - - typedef enum { -@@ -263,6 +261,13 @@ typedef enum { - TPM_CC_NTC2_PreConfig = CC_VEND + 0x0211, - TPM_CC_NTC2_GetConfig = CC_VEND + 0x0213, - #endif -+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673) -+ TPM_CC_FieldUpgradeStartVendor = CC_VEND + 0x12F, -+ TPM_CC_FieldUpgradeAbandonVendor = CC_VEND + 0x130, -+ TPM_CC_FieldUpgradeManifestVendor = CC_VEND + 0x131, -+ TPM_CC_FieldUpgradeDataVendor = CC_VEND + 0x132, -+ TPM_CC_FieldUpgradeFinalizeVendor = CC_VEND + 0x133, -+#endif - } TPM_CC_T; - typedef UINT32 TPM_CC; - -@@ -649,37 +654,38 @@ typedef enum { - typedef UINT32 TPM_RH; - - /* Handle Value Constants */ --typedef enum { -- HR_HANDLE_MASK = 0x00FFFFFF, -- HR_RANGE_MASK = 0xFF000000, -- HR_SHIFT = 24, -- HR_PCR = ((UINT32)TPM_HT_PCR << HR_SHIFT), -- HR_HMAC_SESSION = ((UINT32)TPM_HT_HMAC_SESSION << HR_SHIFT), -- HR_POLICY_SESSION = ((UINT32)TPM_HT_POLICY_SESSION << HR_SHIFT), -- HR_TRANSIENT = ((UINT32)TPM_HT_TRANSIENT << HR_SHIFT), -- HR_PERSISTENT = ((UINT32)TPM_HT_PERSISTENT << HR_SHIFT), -- HR_NV_INDEX = ((UINT32)TPM_HT_NV_INDEX << HR_SHIFT), -- HR_PERMANENT = ((UINT32)TPM_HT_PERMANENT << HR_SHIFT), -- PCR_FIRST = (HR_PCR + 0), -- PCR_LAST = (PCR_FIRST + IMPLEMENTATION_PCR-1), -- HMAC_SESSION_FIRST = (HR_HMAC_SESSION + 0), -- HMAC_SESSION_LAST = (HMAC_SESSION_FIRST+MAX_ACTIVE_SESSIONS-1), -- LOADED_SESSION_FIRST = HMAC_SESSION_FIRST, -- LOADED_SESSION_LAST = HMAC_SESSION_LAST, -- POLICY_SESSION_FIRST = (HR_POLICY_SESSION + 0), -- POLICY_SESSION_LAST = (POLICY_SESSION_FIRST+MAX_ACTIVE_SESSIONS-1), -- TRANSIENT_FIRST = (HR_TRANSIENT + 0), -- ACTIVE_SESSION_FIRST = POLICY_SESSION_FIRST, -- ACTIVE_SESSION_LAST = POLICY_SESSION_LAST, -- TRANSIENT_LAST = (TRANSIENT_FIRST+MAX_LOADED_OBJECTS-1), -- PERSISTENT_FIRST = (HR_PERSISTENT + 0), -- PERSISTENT_LAST = (PERSISTENT_FIRST + 0x00FFFFFF), -- PLATFORM_PERSISTENT = (PERSISTENT_FIRST + 0x00800000), -- NV_INDEX_FIRST = (HR_NV_INDEX + 0), -- NV_INDEX_LAST = (NV_INDEX_FIRST + 0x00FFFFFF), -- PERMANENT_FIRST = TPM_RH_FIRST, -- PERMANENT_LAST = TPM_RH_LAST, --} TPM_HC_T; -+/* Using defines, not "enum TPM_HC_T" to avoid pedantic error: -+ * "ISO C restricts enumerator values to range of 'int'" -+ */ -+#define HR_HANDLE_MASK 0x00FFFFFFUL -+#define HR_RANGE_MASK 0xFF000000UL -+#define HR_SHIFT 24 -+#define HR_PCR ((UINT32)TPM_HT_PCR << HR_SHIFT) -+#define HR_HMAC_SESSION ((UINT32)TPM_HT_HMAC_SESSION << HR_SHIFT) -+#define HR_POLICY_SESSION ((UINT32)TPM_HT_POLICY_SESSION << HR_SHIFT) -+#define HR_TRANSIENT ((UINT32)TPM_HT_TRANSIENT << HR_SHIFT) -+#define HR_PERSISTENT ((UINT32)TPM_HT_PERSISTENT << HR_SHIFT) -+#define HR_NV_INDEX ((UINT32)TPM_HT_NV_INDEX << HR_SHIFT) -+#define HR_PERMANENT ((UINT32)TPM_HT_PERMANENT << HR_SHIFT) -+#define PCR_FIRST (HR_PCR + 0) -+#define PCR_LAST (PCR_FIRST + IMPLEMENTATION_PCR-1) -+#define HMAC_SESSION_FIRST (HR_HMAC_SESSION + 0) -+#define HMAC_SESSION_LAST (HMAC_SESSION_FIRST+MAX_ACTIVE_SESSIONS-1) -+#define LOADED_SESSION_FIRST HMAC_SESSION_FIRST -+#define LOADED_SESSION_LAST HMAC_SESSION_LAST -+#define POLICY_SESSION_FIRST (HR_POLICY_SESSION + 0) -+#define POLICY_SESSION_LAST (POLICY_SESSION_FIRST+MAX_ACTIVE_SESSIONS-1) -+#define TRANSIENT_FIRST (HR_TRANSIENT + 0) -+#define ACTIVE_SESSION_FIRST POLICY_SESSION_FIRST -+#define ACTIVE_SESSION_LAST POLICY_SESSION_LAST -+#define TRANSIENT_LAST (TRANSIENT_FIRST+MAX_LOADED_OBJECTS-1) -+#define PERSISTENT_FIRST (HR_PERSISTENT + 0) -+#define PERSISTENT_LAST (PERSISTENT_FIRST + 0x00FFFFFFUL) -+#define PLATFORM_PERSISTENT (PERSISTENT_FIRST + 0x00800000UL) -+#define NV_INDEX_FIRST (HR_NV_INDEX + 0) -+#define NV_INDEX_LAST (NV_INDEX_FIRST + 0x00FFFFFFUL) -+#define PERMANENT_FIRST TPM_RH_FIRST -+#define PERMANENT_LAST TPM_RH_LAST - typedef UINT32 TPM_HC; - - -@@ -741,13 +747,14 @@ enum TPMA_PERMANENT_mask { - }; - - typedef UINT32 TPMA_STARTUP_CLEAR; --enum TPMA_STARTUP_CLEAR_mask { -- TPMA_STARTUP_CLEAR_phEnable = 0x00000001, -- TPMA_STARTUP_CLEAR_shEnable = 0x00000002, -- TPMA_STARTUP_CLEAR_ehEnable = 0x00000004, -- TPMA_STARTUP_CLEAR_phEnableNV = 0x00000008, -- TPMA_STARTUP_CLEAR_orderly = 0x80000000, --}; -+/* Using defines, not "enum TPMA_STARTUP_CLEAR_mask" to avoid pedantic error: -+ * "ISO C restricts enumerator values to range of 'int'" -+ */ -+#define TPMA_STARTUP_CLEAR_phEnable 0x00000001UL -+#define TPMA_STARTUP_CLEAR_shEnable 0x00000002UL -+#define TPMA_STARTUP_CLEAR_ehEnable 0x00000004UL -+#define TPMA_STARTUP_CLEAR_phEnableNV 0x00000008UL -+#define TPMA_STARTUP_CLEAR_orderly 0x80000000UL - - typedef UINT32 TPMA_MEMORY; - enum TPMA_MEMORY_mask { -@@ -1017,6 +1024,7 @@ typedef union TPMU_CAPABILITIES { - TPML_TAGGED_PCR_PROPERTY pcrProperties; /* TPM_CAP_PCR_PROPERTIES */ - TPML_ECC_CURVE eccCurves; /* TPM_CAP_ECC_CURVES */ - TPML_TAGGED_POLICY authPolicies; /* TPM_CAP_AUTH_POLICIES */ -+ TPM2B_MAX_BUFFER vendor; - } TPMU_CAPABILITIES; - - typedef struct TPMS_CAPABILITY_DATA { -@@ -1122,7 +1130,7 @@ typedef struct TPMT_SYM_DEF { - TPMI_ALG_SYM algorithm; - TPMU_SYM_KEY_BITS keyBits; - TPMU_SYM_MODE mode; -- //TPMU_SYM_DETAILS details; -+ /*TPMU_SYM_DETAILS details;*/ /* not used */ - } TPMT_SYM_DEF; - - typedef TPMT_SYM_DEF TPMT_SYM_DEF_OBJECT; -@@ -1493,10 +1501,12 @@ typedef struct TPM2B_ID_OBJECT { - /* NV Storage Structures */ - - typedef UINT32 TPM_NV_INDEX; --enum TPM_NV_INDEX_mask { -- TPM_NV_INDEX_index = 0x00FFFFFF, -- TPM_NV_INDEX_RH_NV = 0xFF000000, --}; -+/* Using defines, not "enum TPM_NV_INDEX_mask" to avoid pedantic error: -+ * "ISO C restricts enumerator values to range of 'int'" -+ */ -+#define TPM_NV_INDEX_index 0x00FFFFFFUL -+#define TPM_NV_INDEX_RH_NV 0xFF000000UL -+ - - typedef enum TPM_NT { - TPM_NT_ORDINARY = 0x0, -@@ -1514,30 +1524,31 @@ typedef struct TPMS_NV_PIN_COUNTER_PARAMETERS { - } TPMS_NV_PIN_COUNTER_PARAMETERS; - - typedef UINT32 TPMA_NV; --enum TPMA_NV_mask { -- TPMA_NV_PPWRITE = 0x00000001, -- TPMA_NV_OWNERWRITE = 0x00000002, -- TPMA_NV_AUTHWRITE = 0x00000004, -- TPMA_NV_POLICYWRITE = 0x00000008, -- TPMA_NV_TPM_NT = 0x000000F0, -- TPMA_NV_POLICY_DELETE = 0x00000400, -- TPMA_NV_WRITELOCKED = 0x00000800, -- TPMA_NV_WRITEALL = 0x00001000, -- TPMA_NV_WRITEDEFINE = 0x00002000, -- TPMA_NV_WRITE_STCLEAR = 0x00004000, -- TPMA_NV_GLOBALLOCK = 0x00008000, -- TPMA_NV_PPREAD = 0x00010000, -- TPMA_NV_OWNERREAD = 0x00020000, -- TPMA_NV_AUTHREAD = 0x00040000, -- TPMA_NV_POLICYREAD = 0x00080000, -- TPMA_NV_NO_DA = 0x02000000, -- TPMA_NV_ORDERLY = 0x04000000, -- TPMA_NV_CLEAR_STCLEAR = 0x08000000, -- TPMA_NV_READLOCKED = 0x10000000, -- TPMA_NV_WRITTEN = 0x20000000, -- TPMA_NV_PLATFORMCREATE = 0x40000000, -- TPMA_NV_READ_STCLEAR = 0x80000000, --}; -+/* Using defines, not "enum TPMA_NV_mask" to avoid pedantic error: -+ * "ISO C restricts enumerator values to range of 'int'" -+ */ -+#define TPMA_NV_PPWRITE 0x00000001UL -+#define TPMA_NV_OWNERWRITE 0x00000002UL -+#define TPMA_NV_AUTHWRITE 0x00000004UL -+#define TPMA_NV_POLICYWRITE 0x00000008UL -+#define TPMA_NV_TPM_NT 0x000000F0UL -+#define TPMA_NV_POLICY_DELETE 0x00000400UL -+#define TPMA_NV_WRITELOCKED 0x00000800UL -+#define TPMA_NV_WRITEALL 0x00001000UL -+#define TPMA_NV_WRITEDEFINE 0x00002000UL -+#define TPMA_NV_WRITE_STCLEAR 0x00004000UL -+#define TPMA_NV_GLOBALLOCK 0x00008000UL -+#define TPMA_NV_PPREAD 0x00010000UL -+#define TPMA_NV_OWNERREAD 0x00020000UL -+#define TPMA_NV_AUTHREAD 0x00040000UL -+#define TPMA_NV_POLICYREAD 0x00080000UL -+#define TPMA_NV_NO_DA 0x02000000UL -+#define TPMA_NV_ORDERLY 0x04000000UL -+#define TPMA_NV_CLEAR_STCLEAR 0x08000000UL -+#define TPMA_NV_READLOCKED 0x10000000UL -+#define TPMA_NV_WRITTEN 0x20000000UL -+#define TPMA_NV_PLATFORMCREATE 0x40000000UL -+#define TPMA_NV_READ_STCLEAR 0x80000000UL - - typedef struct TPMS_NV_PUBLIC { - TPMI_RH_NV_INDEX nvIndex; -@@ -2818,7 +2829,22 @@ WOLFTPM_API TPM_RC TPM2_NV_Certify(NV_Certify_In* in, NV_Certify_Out* out); - * error is returned, but the TPM returns as much data as a TPM2B_DATA - * buffer can contain. */ - WOLFTPM_API TPM_RC TPM2_GetRandom2(GetRandom2_In* in, GetRandom2_Out* out); --#endif -+ -+ WOLFTPM_API TPM_RC TPM2_GetProductInfo(uint8_t* info, uint16_t size); -+#endif /* ST33 Vendor Specific */ -+ -+ -+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673) || \ -+ defined(WOLFTPM_AUTODETECT) -+ -+#ifdef WOLFTPM_FIRMWARE_UPGRADE -+WOLFTPM_API int TPM2_IFX_FieldUpgradeStart(TPM_HANDLE sessionHandle, -+ uint8_t* data, uint32_t size); -+WOLFTPM_API int TPM2_IFX_FieldUpgradeCommand(TPM_CC cc, uint8_t* data, uint32_t size); -+#endif /* WOLFTPM_FIRMWARE_UPGRADE */ -+ -+#endif /* Infineon SLB Vendor Specific */ -+ - - /* Vendor Specific GPIO */ - #ifdef WOLFTPM_ST33 -@@ -2954,8 +2980,7 @@ WOLFTPM_API TPM_RC TPM2_NV_Certify(NV_Certify_In* in, NV_Certify_Out* out); - CFG_STRUCT preConfig; - } NTC2_GetConfig_Out; - WOLFTPM_API int TPM2_NTC2_GetConfig(NTC2_GetConfig_Out* out); -- --#endif /* WOLFTPM_ST33 || WOLFTPM_AUTODETECT */ -+#endif /* Vendor GPIO Commands */ - - - /* Non-standard API's */ -diff --git a/wolftpm/tpm2_packet.h b/wolftpm/tpm2_packet.h -index 76ac00a..fa9da7f 100644 ---- a/wolftpm/tpm2_packet.h -+++ b/wolftpm/tpm2_packet.h -@@ -30,6 +30,23 @@ - - #define TPM2_HEADER_SIZE 10 /* expected TPM2 header size */ - -+/* Endianess Helpers */ -+#ifdef LITTLE_ENDIAN_ORDER -+ #define cpu_to_be16(d) ByteReverseWord16(d) -+ #define cpu_to_be32(d) ByteReverseWord32(d) -+ #define cpu_to_be64(d) ByteReverseWord64(d) -+ #define be16_to_cpu(d) ByteReverseWord16(d) -+ #define be32_to_cpu(d) ByteReverseWord32(d) -+ #define be64_to_cpu(d) ByteReverseWord64(d) -+#else -+ #define cpu_to_be16(d) (d) -+ #define cpu_to_be32(d) (d) -+ #define cpu_to_be64(d) (d) -+ #define be16_to_cpu(d) (d) -+ #define be32_to_cpu(d) (d) -+ #define be64_to_cpu(d) (d) -+#endif -+ - /* For reference here is the TPM2 header (not used) */ - typedef struct TPM2_HEADER { - UINT16 tag; -diff --git a/wolftpm/tpm2_socket.h b/wolftpm/tpm2_socket.h -index d011426..0515eab 100644 ---- a/wolftpm/tpm2_socket.h -+++ b/wolftpm/tpm2_socket.h -@@ -39,7 +39,6 @@ - #else - #include - #include -- #include - - #define SOCKET_T int - #endif -diff --git a/wolftpm/tpm2_types.h b/wolftpm/tpm2_types.h -index 7f4b93d..82333dd 100644 ---- a/wolftpm/tpm2_types.h -+++ b/wolftpm/tpm2_types.h -@@ -22,10 +22,6 @@ - #ifndef __TPM2_TYPES_H__ - #define __TPM2_TYPES_H__ - --#ifdef HAVE_CONFIG_H -- #include --#endif -- - #include - #include - -@@ -134,7 +130,6 @@ typedef int64_t INT64; - #include - #include - #include -- #include - - #ifdef WOLFTPM_USER_SETTINGS - #include "user_settings.h" -@@ -231,20 +226,6 @@ typedef int64_t INT64; - #ifndef WOLFTPM_CUSTOM_TYPES - #include - -- #ifndef XHTONS -- /* WOLFCRYPT_ONLY means no wolfio and no arpa/inet.h */ -- #ifdef WOLFCRYPT_ONLY -- #ifdef BIG_ENDIAN_ORDER -- #define XHTONS(s) (s) -- #else -- #define XHTONS(s) ((((s) & 0xff) << 8) | (((s) & 0xff00) >> 8)) -- #endif -- #else -- #include -- #define XHTONS(s) htons((s)) -- #endif -- #endif -- - #define XSTRTOL(s,e,b) strtol((s),(e),(b)) - #define XATOI(s) atoi((s)) - -@@ -327,13 +308,19 @@ typedef int64_t INT64; - #define TPM2_SPI_MAX_HZ TPM2_SPI_MAX_HZ_NUVOTON - #endif - #else -- /* Infineon OPTIGA SLB9670/SLB9672 */ -+ /* Infineon OPTIGA SLB9670/SLB9672/SLB9673 */ - #ifdef WOLFTPM_SLB9670 - /* Max: 43MHz */ - #define TPM2_SPI_MAX_HZ_INFINEON 43000000 -- #else -- #undef WOLFTPM_SLB9672 -- #define WOLFTPM_SLB9672 -+ #elif !defined(WOLFTPM_AUTODETECT) -+ #ifdef WOLFTPM_I2C -+ #undef WOLFTPM_SLB9673 -+ #define WOLFTPM_SLB9673 -+ #else -+ #undef WOLFTPM_SLB9672 -+ #define WOLFTPM_SLB9672 -+ #endif -+ - /* Max: 33MHz */ - #define TPM2_SPI_MAX_HZ_INFINEON 33000000 - #endif -@@ -460,6 +447,29 @@ typedef int64_t INT64; - #define XTPM_WAIT() /* just poll without delay by default */ - #endif - -+/* sleep helper, used in firmware update */ -+#ifndef XSLEEP_MS -+ #ifdef WIN32 -+ #include -+ #define XSLEEP_MS(ms) Sleep(ms) -+ #elif defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 199309L -+ #include -+ #define XSLEEP_MS(ms) ({ \ -+ struct timespec ts; \ -+ ts.tv_sec = ms / 1000; \ -+ ts.tv_nsec = (ms % 1000) * 1000000; \ -+ nanosleep(&ts, NULL); \ -+ }) -+ #else -+ #include -+ #define XSLEEP_MS(ms) ({ \ -+ if (ms >= 1000) \ -+ sleep(ms / 1000); \ -+ usleep((ms % 1000) * 1000); \ -+ }) -+ #endif -+#endif -+ - #ifndef BUFFER_ALIGNMENT - #define BUFFER_ALIGNMENT 4 - #endif -@@ -664,6 +674,15 @@ typedef int64_t INT64; - #define WOLFTPM2_PEM_DECODE - #endif - -+/* Firmware upgrade requires wolfCrypt for hash and supported -+ * only for Infineon SLB9672/SLB9673 */ -+#if defined(WOLFTPM_FIRMWARE_UPGRADE) && \ -+ (defined(WOLFTPM2_NO_WOLFCRYPT) || \ -+ (!defined(WOLFTPM_SLB9672) && !defined(WOLFTPM_SLB9673))) -+ #undef WOLFTPM_FIRMWARE_UPGRADE -+#endif -+ -+ - /* ---------------------------------------------------------------------------*/ - /* ENDIANESS HELPERS */ - /* ---------------------------------------------------------------------------*/ -@@ -718,7 +737,7 @@ static inline word16 ByteReverseWord16(word16 value) - - static inline word32 ByteReverseWord32(word32 value) - { --#if !defined(WOLF_NO_BUILTIN) && defined(__GNUC_PREREQ) && __GNUC_PREREQ(4, 3) -+#if defined(WOLF_ALLOW_BUILTIN) && defined(__GNUC_PREREQ) && __GNUC_PREREQ(4, 3) - return (word32)__builtin_bswap32(value); - #elif defined(PPC_INTRINSICS) - /* PPC: load reverse indexed instruction */ -@@ -758,7 +777,7 @@ static inline word32 ByteReverseWord32(word32 value) - - static inline word64 ByteReverseWord64(word64 value) - { --#if !defined(WOLF_NO_BUILTIN) && defined(__GNUC_PREREQ) && __GNUC_PREREQ(4, 3) -+#if defined(WOLF_ALLOW_BUILTIN) && defined(__GNUC_PREREQ) && __GNUC_PREREQ(4, 3) - return (word64)__builtin_bswap64(value); - #else - return (word64)((word64)ByteReverseWord32((word32)value)) << 32 | -diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h -index e2d43d4..4889a27 100644 ---- a/wolftpm/tpm2_wrap.h -+++ b/wolftpm/tpm2_wrap.h -@@ -118,6 +118,12 @@ typedef struct WOLFTPM2_CAPS { - word16 fwVerMajor; - word16 fwVerMinor; - word32 fwVerVendor; -+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673) -+ word32 keyGroupId; -+ word16 fwCounter; -+ word16 fwCounterSame; -+ byte opMode; -+#endif - - /* bits */ - word16 fips140_2 : 1; /* using FIPS mode */ -@@ -323,7 +329,7 @@ WOLFTPM_API int wolfTPM2_SelfTest(WOLFTPM2_DEV* dev); - - /*! - \ingroup wolfTPM2_Wrappers -- \brief Reported the available TPM capabilities -+ \brief Reports the available TPM capabilities - - \return TPM_RC_SUCCESS: successful - \return TPM_RC_FAILURE: generic failure (check TPM IO communication and TPM return code) -@@ -351,6 +357,31 @@ WOLFTPM_API int wolfTPM2_SelfTest(WOLFTPM2_DEV* dev); - */ - WOLFTPM_API int wolfTPM2_GetCapabilities(WOLFTPM2_DEV* dev, WOLFTPM2_CAPS* caps); - -+ -+/*! -+ \ingroup wolfTPM2_Wrappers -+ \brief Gets a list of handles -+ -+ \return 0 or greater: successful, count of handles -+ \return TPM_RC_FAILURE: generic failure (check TPM IO communication and TPM return code) -+ \return BAD_FUNC_ARG: check the provided arguments -+ -+ \param handle handle to start from (example: PCR_FIRST, NV_INDEX_FIRST, HMAC_SESSION_FIRST, POLICY_SESSION_FIRST, PERMANENT_FIRST, TRANSIENT_FIRST or PERSISTENT_FIRST) -+ \param handles pointer to TPML_HANDLE to return handle results (optional) -+ -+ _Example_ -+ \code -+ int persistent_handle_count; -+ -+ // get count of persistent handles -+ persistent_handle_count = wolfTPM2_GetHandles(PERSISTENT_FIRST, NULL); -+ \endcode -+ -+ \sa wolfTPM2_GetCapabilities -+*/ -+WOLFTPM_API int wolfTPM2_GetHandles(TPM_HANDLE handle, TPML_HANDLE* handles); -+ -+ - /*! - \ingroup wolfTPM2_Wrappers - \brief Clears one of the TPM Authorization slots, pointed by its index number -@@ -520,7 +551,7 @@ WOLFTPM_API int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, - \return TPM_RC_FAILURE: check TPM return code, check available handles, check TPM IO - - \param dev pointer to a TPM2_DEV struct -- \param session pointer to an empty WOLFTPM2_SESSION struct -+ \param tpmSession pointer to an empty WOLFTPM2_SESSION struct - - \sa wolfTPM2_SetAuthSession - \sa wolfTPM2_StartSession -@@ -837,6 +868,7 @@ WOLFTPM_API int wolfTPM2_ImportRsaPrivateKey(WOLFTPM2_DEV* dev, - \param rsaPrivSz integer value of word32 type, specifying the private material buffer size - \param scheme value of TPMI_ALG_RSA_SCHEME type, specifying the RSA scheme - \param hashAlg integer value of TPMI_ALG_HASH type, specifying a supported TPM 2.0 hash algorithm -+ \param attributes integer value of TPMA_OBJECT type, can contain one or more attributes, e.g. TPMA_OBJECT_fixedTPM (or 0 to automatically populate) - \param seedSz Optional (use NULL) or supply a custom seed for KDF - \param seed Size of the seed (use 32 bytes for SHA2-256) - -@@ -983,6 +1015,7 @@ WOLFTPM_API int wolfTPM2_ImportEccPrivateKey(WOLFTPM2_DEV* dev, - \param eccPubYSz integer value of word32 type, specifying the point Y buffer size - \param eccPriv pointer to a byte buffer containing the private material - \param eccPrivSz integer value of word32 type, specifying the private material size -+ \param attributes integer value of TPMA_OBJECT type, can contain one or more attributes, e.g. TPMA_OBJECT_fixedTPM (or 0 to automatically populate) - \param seedSz Optional (use NULL) or supply a custom seed for KDF - \param seed Size of the seed (use 32 bytes for SHA2-256) - -@@ -1189,6 +1222,24 @@ WOLFTPM_API int wolfTPM2_ImportPublicKeyBuffer(WOLFTPM2_DEV* dev, int keyType, - WOLFTPM2_KEY* key, int encodingType, const char* input, word32 inSz, - TPMA_OBJECT objectAttributes); - -+/*! -+ \ingroup wolfTPM2_Wrappers -+ \brief Helper function to export a TPM RSA/ECC public key with PEM/DER formatting -+ -+ \return TPM_RC_SUCCESS: successful - populates key->pub -+ \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code) -+ \return BUFFER_E: insufficient space in provided buffer -+ \return BAD_FUNC_ARG: check the provided arguments -+ -+ \param dev pointer to a TPM2_DEV struct -+ \param tpmKey pointer to a WOLFTPM2_KEY with populated key -+ \param encodingType ENCODING_TYPE_PEM or ENCODING_TYPE_ASN1 (DER) -+ \param out buffer to export public key -+ \param outSz pointer to length of the out buffer -+*/ -+WOLFTPM_API int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey, -+ int encodingType, byte* out, word32* outSz); -+ - #ifndef NO_RSA - /*! - \ingroup wolfTPM2_Wrappers -@@ -1252,8 +1303,8 @@ WOLFTPM_API int wolfTPM2_RsaKey_TpmToWolf(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKe - - /*! - \ingroup wolfTPM2_Wrappers -- \brief Convert a public RSA TPM key to PEM format public key -- Note: pem and tempBuf must be different buffers, of equal size -+ \brief Convert a public RSA TPM key to PEM format public key. -+ Note: This API is a wrapper around wolfTPM2_ExportPublicKeyBuffer - - \return TPM_RC_SUCCESS: successful - \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code) -@@ -1264,6 +1315,7 @@ WOLFTPM_API int wolfTPM2_RsaKey_TpmToWolf(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKe - \param pem pointer to an array of byte type, used as temporary storage for PEM conversation - \param pemSz pointer to integer variable, to store the used buffer size - -+ \sa wolfTPM2_ExportPublicKeyBuffer - \sa wolfTPM2_RsaKey_TpmToWolf - \sa wolfTPM2_RsaKey_WolfToTpm - */ -@@ -1335,7 +1387,6 @@ WOLFTPM_API int wolfTPM2_RsaKey_PubPemToTpm(WOLFTPM2_DEV* dev, - \return TPM_RC_SUCCESS: successful - \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code) - -- \param dev pointer to a TPM2_DEV struct - \param der The der encoding of the content of the extension. - \param derSz The size in bytes of the der encoding. - \param pub pointer to a populated structure of TPM2B_PUBLIC type -@@ -1432,7 +1483,6 @@ WOLFTPM_API int wolfTPM2_EccKey_WolfToPubPoint(WOLFTPM2_DEV* dev, ecc_key* wolfK - \return TPM_RC_SUCCESS: successful - \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code) - -- \param dev pointer to a TPM2_DEV struct - \param der The der encoding of the content of the extension. - \param derSz The size in bytes of the der encoding. - \param pub pointer to a populated structure of TPM2B_PUBLIC type -@@ -1867,6 +1917,9 @@ WOLFTPM_API int wolfTPM2_NVWriteAuth(WOLFTPM2_DEV* dev, WOLFTPM2_NV* nv, - WOLFTPM_API int wolfTPM2_NVReadAuth(WOLFTPM2_DEV* dev, WOLFTPM2_NV* nv, - word32 nvIndex, byte* dataBuf, word32* pDataSz, word32 offset); - -+WOLFTPM_API int wolfTPM2_NVReadCert(WOLFTPM2_DEV* dev, TPM_HANDLE handle, -+ uint8_t* buffer, uint32_t* len); -+ - /*! - \ingroup wolfTPM2_Wrappers - \brief Increments an NV one-way counter -@@ -2354,6 +2407,7 @@ WOLFTPM_API int wolfTPM2_UnloadHandles_AllTransient(WOLFTPM2_DEV* dev); - \param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new RSA template - \param objectAttributes integer value of TPMA_OBJECT type, can contain one or more attributes, e.g. TPMA_OBJECT_fixedTPM - -+ \sa wolfTPM2_GetKeyTemplate_RSA_ex - \sa wolfTPM2_GetKeyTemplate_ECC - \sa wolfTPM2_GetKeyTemplate_Symmetric - \sa wolfTPM2_GetKeyTemplate_KeyedHash -@@ -2362,6 +2416,32 @@ WOLFTPM_API int wolfTPM2_UnloadHandles_AllTransient(WOLFTPM2_DEV* dev); - WOLFTPM_API int wolfTPM2_GetKeyTemplate_RSA(TPMT_PUBLIC* publicTemplate, - TPMA_OBJECT objectAttributes); - -+/*! -+ \ingroup wolfTPM2_Wrappers -+ \brief Prepares a TPM public template for new RSA key based on user selected object attributes -+ -+ \return TPM_RC_SUCCESS: successful -+ \return BAD_FUNC_ARG: check the provided arguments -+ -+ \param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new RSA template -+ \param nameAlg integer value of TPM_ALG_ID type, specifying a TPM supported hashing algorithm, typically TPM_ALG_SHA256 for SHA 256 -+ \param objectAttributes integer value of TPMA_OBJECT type, can contain one or more attributes, e.g. TPMA_OBJECT_fixedTPM -+ \param keyBits integer value, specifying the size of the symmetric key, typically 128 or 256 bits -+ \param exponent integer value of word32 type, specifying the RSA exponent -+ \param sigScheme integer value of TPM_ALG_ID type, specifying a TPM supported signature scheme -+ \param sigHash integer value of TPM_ALG_ID type, specifying a TPM supported signature hash scheme -+ -+ \sa wolfTPM2_GetKeyTemplate_RSA -+ \sa wolfTPM2_GetKeyTemplate_ECC -+ \sa wolfTPM2_GetKeyTemplate_ECC_ex -+ \sa wolfTPM2_GetKeyTemplate_Symmetric -+ \sa wolfTPM2_GetKeyTemplate_KeyedHash -+ \sa wolfTPM2_GetKeyTemplate_KeySeal -+*/ -+WOLFTPM_API int wolfTPM2_GetKeyTemplate_RSA_ex(TPMT_PUBLIC* publicTemplate, -+ TPM_ALG_ID nameAlg, TPMA_OBJECT objectAttributes, int keyBits, long exponent, -+ TPM_ALG_ID sigScheme, TPM_ALG_ID sigHash); -+ - /*! - \ingroup wolfTPM2_Wrappers - \brief Prepares a TPM public template for new ECC key based on user selected object attributes -@@ -2374,6 +2454,7 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_RSA(TPMT_PUBLIC* publicTemplate, - \param curve integer value of TPM_ECC_CURVE type, specifying a TPM supported ECC curve ID - \param sigScheme integer value of TPM_ALG_ID type, specifying a TPM supported signature scheme - -+ \sa wolfTPM2_GetKeyTemplate_ECC_ex - \sa wolfTPM2_GetKeyTemplate_RSA - \sa wolfTPM2_GetKeyTemplate_Symmetric - \sa wolfTPM2_GetKeyTemplate_KeyedHash -@@ -2382,6 +2463,30 @@ WOLFTPM_API int wolfTPM2_GetKeyTemplate_RSA(TPMT_PUBLIC* publicTemplate, - WOLFTPM_API int wolfTPM2_GetKeyTemplate_ECC(TPMT_PUBLIC* publicTemplate, - TPMA_OBJECT objectAttributes, TPM_ECC_CURVE curve, TPM_ALG_ID sigScheme); - -+/*! -+ \ingroup wolfTPM2_Wrappers -+ \brief Prepares a TPM public template for new ECC key based on user selected object attributes -+ -+ \return TPM_RC_SUCCESS: successful -+ \return BAD_FUNC_ARG: check the provided arguments -+ -+ \param publicTemplate pointer to an empty structure of TPMT_PUBLIC type, to store the new ECC key template -+ \param nameAlg integer value of TPM_ALG_ID type, specifying a TPM supported hashing algorithm, typically TPM_ALG_SHA256 for SHA 256 -+ \param objectAttributes integer value of TPMA_OBJECT type, can contain one or more attributes, e.g. TPMA_OBJECT_fixedTPM -+ \param curve integer value of TPM_ECC_CURVE type, specifying a TPM supported ECC curve ID -+ \param sigScheme integer value of TPM_ALG_ID type, specifying a TPM supported signature scheme -+ \param sigHash integer value of TPM_ALG_ID type, specifying a TPM supported signature hash scheme -+ -+ \sa wolfTPM2_GetKeyTemplate_ECC -+ \sa wolfTPM2_GetKeyTemplate_RSA -+ \sa wolfTPM2_GetKeyTemplate_Symmetric -+ \sa wolfTPM2_GetKeyTemplate_KeyedHash -+ \sa wolfTPM2_GetKeyTemplate_KeySeal -+*/ -+WOLFTPM_API int wolfTPM2_GetKeyTemplate_ECC_ex(TPMT_PUBLIC* publicTemplate, -+ TPM_ALG_ID nameAlg, TPMA_OBJECT objectAttributes, TPM_ECC_CURVE curve, -+ TPM_ALG_ID sigScheme, TPM_ALG_ID sigHash); -+ - /*! - \ingroup wolfTPM2_Wrappers - \brief Prepares a TPM public template for new Symmetric key -@@ -3359,6 +3464,7 @@ WOLFTPM_API int wolfTPM2_PolicyAuthorize(WOLFTPM2_DEV* dev, TPM_HANDLE sessionHa - \return INPUT_SIZE_E: policyDigestSz is too small to hold the returned digest - \return BAD_FUNC_ARG: check the provided arguments - -+ \param dev pointer to a TPM2_DEV struct - \param pcrAlg the hash algorithm to use with pcr policy - \param pcrArray array of pcr Index to use when creating the policy - \param pcrArraySz the number of Index in the pcrArray -@@ -3442,6 +3548,23 @@ WOLFTPM_API int wolfTPM2_PolicyAuthorizeMake(TPM_ALG_ID pcrAlg, - const byte* policyRef, word32 policyRefSz); - - -+/* pre-provisioned IAK and IDevID key/cert from TPM vendor */ -+#ifdef WOLFTPM_MFG_IDENTITY -+ -+/* Initial attestation key (IAK) and an initial device ID (IDevID) */ -+/* Default is: ECDSA SECP384P1, SHA2-384 */ -+#define TPM2_IAK_KEY_HANDLE 0x81080000 -+#define TPM2_IAK_CERT_HANDLE 0x1C20100 -+ -+#define TPM2_IDEVID_KEY_HANDLE 0x81080001 -+#define TPM2_IDEVID_CERT_HANDLE 0x1C20101 -+ -+WOLFTPM_API int wolfTPM2_SetIdentityAuth(WOLFTPM2_DEV* dev, WOLFTPM2_HANDLE* handle, -+ uint8_t* masterPassword, uint16_t masterPasswordSz); -+ -+#endif /* WOLFTPM_MFG_IDENTITY */ -+ -+ - /* Internal API's */ - WOLFTPM_LOCAL int GetKeyTemplateRSA(TPMT_PUBLIC* publicTemplate, - TPM_ALG_ID nameAlg, TPMA_OBJECT objectAttributes, int keyBits, long exponent, -@@ -3450,6 +3573,18 @@ WOLFTPM_LOCAL int GetKeyTemplateECC(TPMT_PUBLIC* publicTemplate, - TPM_ALG_ID nameAlg, TPMA_OBJECT objectAttributes, TPM_ECC_CURVE curve, - TPM_ALG_ID sigScheme, TPM_ALG_ID sigHash); - -+ -+#ifdef WOLFTPM_FIRMWARE_UPGRADE -+typedef int (*wolfTPM2FwDataCb)( -+ uint8_t* data, uint32_t data_req_sz, uint32_t offset, void* cb_ctx); -+ -+WOLFTPM_API int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev, -+ uint8_t* manifest, uint32_t manifest_sz, -+ wolfTPM2FwDataCb cb, void* cb_ctx); -+WOLFTPM_API int wolfTPM2_FirmwareUpgradeCancel(WOLFTPM2_DEV* dev); -+ -+#endif /* WOLFTPM_FIRMWARE_UPGRADE */ -+ - #ifdef __cplusplus - } /* extern "C" */ - #endif diff --git a/recipes-wolfssl/wolftpm/wolftpm_3.1.0.bb b/recipes-wolfssl/wolftpm/wolftpm_3.2.0.bb similarity index 94% rename from recipes-wolfssl/wolftpm/wolftpm_3.1.0.bb rename to recipes-wolfssl/wolftpm/wolftpm_3.2.0.bb index 8ee6b31..2182d2b 100644 --- a/recipes-wolfssl/wolftpm/wolftpm_3.1.0.bb +++ b/recipes-wolfssl/wolftpm/wolftpm_3.2.0.bb @@ -12,8 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS += "wolfssl" -SRC_URI = "git://github.com/wolfssl/wolfTPM.git;nobranch=1;protocol=https;rev=e54734a3ab2507fbba378567d16aa3e27c54655b \ - file://wolftpm_3_1_0.patch" +SRC_URI = "git://github.com/wolfssl/wolfTPM.git;nobranch=1;protocol=https;rev=1fa15951eb91a8fe89b3326077b9be6fb105edeb" S = "${WORKDIR}/git" diff --git a/update-version.sh b/update-version.sh index 94e4d3d..7b1cd64 100755 --- a/update-version.sh +++ b/update-version.sh @@ -101,42 +101,32 @@ update() { } +check_and_update() { -printf "Checking version of wolfSSL to use..." -get_current "wolfssl" -get_new "wolfssl" -update "wolfssl" +printf "Checking version of ${1} to use..." +get_current "${1}" +get_new "${1}" +update "${1}" -printf "Checking version of wolfMQTT to use..." -get_current "wolfmqtt" -get_new "wolfmqtt" -update "wolfmqtt" +} -printf "Checking version of wolfSSH to use..." -get_current "wolfssh" -get_new "wolfssh" -update "wolfssh" +check_and_update "wolfssl" -printf "Checking version of wolfTPM to use..." -get_current "wolftpm" -get_new "wolftpm" -update "wolftpm" +check_and_update "wolfmqtt" -printf "Checking version of wolfCLU to use..." -get_current "wolfclu" -get_new "wolfclu" -update "wolfclu" +check_and_update "wolfssh" -printf "Checking version of wolfssl-py to use..." -get_current "wolfssl-py" -get_new "wolfssl-py" -update "wolfssl-py" +check_and_update "wolftpm" +check_and_update "wolfclu" -printf "Checking version of wolfcrypt-py to use..." -get_current "wolfcrypt-py" -get_new "wolfcrypt-py" -update "wolfcrypt-py" +check_and_update "wolfssl-py" + +check_and_update "wolfcrypt-py" + +check_and_update "wolfengine" + +check_and_update "wolfprovider"