Added Endorsement Key Certificate support. Added support for NV read/write with policy. Added policy password support. Refactor of the session authentication structures.
**Detail**
* Added EK Certificate Support (PR #360)
- Added new API's `wolfTPM2_GetKeyTemplate_EK` and `wolfTPM2_GetKeyTemplate_EK` for getting EK public templates used for generating the EK primary key.
- Added `examples/endorsement/get_ek_certs` for showing how to retrieve and validate the manufacturers endorsement key certificates.
* Improvements to auth handling to support Policy Password and Policy Auth Value (PR #350)
- Refactor to eliminate confusing cast between TPMS_AUTH_COMMAND and TPM2_AUTH_SESSION.
- Support for policy auth value and policy password.
- Add new NV policy write/read API's `wolfTPM2_NVWriteAuthPolicy` and `wolfTPM2_NVReadAuthPolicy`.
Added TPM Firmware update support (Infineon SLB9672/SLB9673). Added support for pre-provisioned device identity keys/certificates (STMicro ST33). Fixed issue with sealing secret to prevent `userWithAuth` by default. Expanded the TPM get capabilities support.
**Detail**
* Added new API `wolfTPM2_NVCreateAuthPolicy` for allowing NV creation with policy (PR #344)
* Added Infineon firmware update recovery support (PR #342)
* Added support for Infineon Firmware upgrade (PR #339)
- Added support for Infineon SLB9672/SLB9673 Firmware upgrade (see examples/firmware/README.md)
- Added Infineon Modus Toolbox support. See `wolfssl/IDE/Infineon/README.md` for setup instructions.
- Added support for Infineon CyHal I2C support.
- Added Firmware extraction tool
- Added Firmware update example application `examples/firmware/ifx_fw_update`.
- Added support for vendor capabilities `TPM_CAP_VENDOR_PROPERTY`.
- Added `XSLEEP_MS` macro for firmware update delay.
- Added support for getting key group id, operational mode and update counts.
- Added support for abandoning an update.
- Added support for firmware update done, but not finalized
- Added Infineon CyHal SPI support.
- Fixed auto-detect to not define SLB9672/SLB9673.
* Fixed TLS examples to not use openssl compatibility macros (PR #341)
* Added ST33 support for pre-provisioned device identity key and certificate (PR #336)
- Added support for pre-provisioned TPM using the "TPM 2.0 Keys for Device Identity and Attestation" specification. See build macro: `WOLFTPM_MFG_IDENTITY`.
- Added example for using TPM pre-provisioned device identity to TLS client example.
- Fixed ST33 vendor command to enable command codes (TPM2_SetCommandSet) (it requires platform auth to be set).
- Added benchmarks for new ST33KTPM2XI2C.
- Fixed 0x1XX error code parsing.
- Fixed ST33 part descriptions.
- Updated example certificates.
* Fixes for building wolfTPM examples with `NO_FILESYSTEM` (PR #338)
* Updated documentation for Infineon SLB9673 (I2C) (PR #337)
* Fixed Documentation references for generated user manual (PR #335)
* Fixed netdb.h include (PR #333)
* Fixes for building with "-Wpedantic" (PR #332)
* Added new API `wolfTPM2_GetHandles` to get list of handles from the TPM capabilities. (PR #328)
* Fixed config.h, which should only be included from .c files, not headers. (PR #330/#331)
* Fixed CMake tests (PR #329)
* Fixed and improved secret sealing/unsealing (PR #327)
- Do not set userWithAuth by default when creating sealed objects. That flag allows password auth for the sealed object. Without the flag it only allows policy auth.
- Allow setting policy auth with flags.
- Fix secret_unseal to use policy session and valid sealed name.
- Added expected failure test cases for seal/unseal with policy.
- Improve the run_examples.sh script
* Improved types for htons and byte swap (PR #326)
- Match byte swap logic with wolfSSL (use WOLF_ALLOW_BUILTIN).
- Remove unused `XHTONS` and `arpa/inet.h`.
* Improved STMicro product naming (PR #325)
* Improved the STM32Cube template (PR #324)
- Setup so next pack can add small stack and transport options: `WOLFTPM_CONF_SMALL_STACK` and `WOLFTPM_CONF_TRANSPORT` (0=SPI, 1=I2C).
* Fixed build error with missing `wc_RsaKeyToPublicDer_ex` (PR #323)
* Improved the ECC macro checks for `wc_EccPublicKeyToDer` (PR #323)
* Added PKCS7 ECC support to example (PR #322)
- Added wrapper function to export TPM public key as DER/ASN.1 or PEM.
- Fixed for crypto callback ECC sign to handle getting keySz for unknown cases (like PKCS7 without privateKey set).
* Added expanded key template and cleanups (PR #321)
- Fixed mixed variable declaration.
- Added _ex version for GetKeyTemplate RSA/ECC to allow setting all template parameters.
Support for using TLS PK callbacks with TPM for ECC and RSA. Improved the crypto callback support and added RSA Key generation. Fixed issues with endorsement hierarchy. Added Windows Visual Studio solution and project for wolfTPM. Improved the STM32 HAL IO callback options and logging.
**Detail**
* Removed use of `error-ssl.h` in library proper. (PR #308)
* Fixed CSR crypto callback to use a different (not default) `devId` to avoid conflict. (PR #310)
* Added TPM crypto callback support for RSA key generation (PR #311)
* Fixed and improved for ECC crypto callbacks (PR #311)
- Allow import of wolf ECC marked as private only (`ECC_PRIVATEKEY_ONLY`).
- Improve the ECC key import scheme for signing.
- Improve logic for finding TPM curve in ECC key generation. A call to wc_ecc_make_key can use curve_id 0 (to detect), but we can get it from the "dp".
- Properly translate a TPM ECC signature verify error for compatibility.
- Support ECC KeyGen for signing or derive based on callback context `eccKey` or `ecdhKey` population.
- Fix to make sure leading ECC sign leading zeros are removed when not required.
- Fix leading zero issue on ECC verify.
* Cleanup KDF function return code checking to avoid scan-build warning. (PR #311)
* Fixed ECC encrypt secret integrity check failed due to zero pad issue. (PR #311)
* Fixed `wolfTPM2_GetRng` possibly not returning an initialized WC_RNG. (PR #311)
Fix for CSharp wrapper when setting a custom OID for a CSR. Added CSharp wrapper documentation and improved a few others. Added CSharp function to set key password for blob.
**Detail**
* Fix for CSharp `SetCustomExtension` to use allocated byte buffer instead of passing string (PR #239)
* Fixed for CMake `wolftpm/options.h` generation to support disabled source tree changes (`CMAKE_DISABLE_SOURCE_CHANGES`) (PR #235)
Added new examples for remote attestation, make credential and GPIO support. Added Endorsement hierarchy support to many examples. Refactored the reference HAL IO code into separate files.
**Detail**
* Fixed total auth area size when multiple auth sessions are used (PR #174)
* Fixed `TPM2_SetupPCRSel` to only allow valid pcrIndex values (PR #165 and PR #167)
* Fixed `TPM2_MakeCredential` to work without auth as TCG spec defines (PR #174)
* Fixed `TPM2_MakeCredential` to support using EK pub to encrypt challenge (PR #174)
* Fixed `TPM2_ActivateCredential` to work with EK pub to decrypt challenge (PR #174)
* Fix to only enable `printf` in library proper if `DEBUG_WOLFTPM` is set (PR #154)
* Added support for QNX with wolfTPM (PR #156)
* Added credential examples for remote attestation (PR #161)
* Added new example for sealing a secret using TPM key (PR #157)
* Added GPIO config, read and set examples (PR #155 and #172)
* Added GPIO support and examples for ST33 (PR #155)
* Added GPIO support and examples for Nuvoton NPCT75x (PR #172)
* Added Endorsement support for keygen and attestation examples using `-eh` (PR #174)
Improvements for compatibility, chip detection, initialization options and small stack. Adds new wrapper API's for PCR extend. Adds support for using HMAC with existing key.
**Detail**
* Fix for wolfCrypt init/cleanup issue with reference count. (PR #75)
* Fix to restore existing TPM context after calling `wolfTPM2_Test`. (PR #74)
* Fix to resolve handling of unsupported ECC curves with the TPM module and ECDHE. (PR #69)
* Fix for `wolfTPM2_SetCommand` to ensure auth is cleared. (PR #69)
Adds support for the Microchip ATTPM20 TPM 2.0 module and Barebox bootloader. Improvements for TLS client/server examples and overall performance. Adds TPM wrappers for HMAC, AES Key Loading and Benchmarking support for RNG/AES/Hashing/TLS.
**Detail**
* Fixed issue with cleanup not unregistering the crypto callback. (PR #60)
* Added support for Microchip ATTPM20 part. (PR #59)
* Added support for Barebox (experimental). (PR #52)
* Added TLS benchmarking for CPS and KB/Sec. Enabled with `TLS_BENCH_MODE`. (PR #56)
* Fixed cryptodev ECC callback to use R and S for the signature verify. (PR #39)
* Fixed printf type warnings with `DEBUG_WOLFTPM` defined. (PR #37)
* Fixed detection of correct hash algorithm in `wolfTPM2_VerifyHash`. (PR #39)
* Fix bug with native example where TPM2_Shutdown failure would loop. (PR #34)
* Fix to decoupled the fixed TPM algorithms/sizes from wolfCrypt build options. (PR #35)
* Fix for building with different wolfCrypt options. (PR #26)
* Fix for byte swap build error. (PR #26)
* Fix CSR example CertName to use designated initializers to resolve use against different wolfSSL versions. (PR #25)
* Improved portability by eliminating the packed TPM2_HEADER. (PR #45)
* Improved stack reduction by eliminating the private section from WOLFTPM2_KEY struct. (PR #31)
* Added TLS server example for wolfTPM. (PR #30)
* Added more RSA and ECC key loading examples. (PR #47)
* Added support for loading an external private keys using new API's `wolfTPM2_LoadPrivateKey`, `wolfTPM2_LoadRsaPrivateKey`, and `wolfTPM2_LoadEccPrivateKey`. (PR #46)
* Added example for reading the firmware version using `TPM2_GetCapability` with `TPM_PT_FIRMWARE_VERSION_1`. (PR #44)
* Added hashing wrappers and tests using new API's: `wolfTPM2_HashStart`, `wolfTPM2_HashUpdate` and `wolfTPM2_HashFinish`. (PR #40)
* Added PKCS7 7 sign/verify example demonstrating large data case using chunked buffer and new `_ex` functions. (PR #32)