wolfTPM Zephyr Project Port #395 - Work by @aidangarske, @night1rider, and @dgarske

2025-05-14 13:56:08 -07:00 · 2025-05-14 13:56:08 -07:00 · 8b8bd479a4
parent 33a5f47eaf
commit 8b8bd479a4
27 changed files with 1034 additions and 36 deletions
--- a/.github/workflows/zephyr.yml
+++ b/.github/workflows/zephyr.yml
@ -0,0 +1,102 @@
+name: Zephyr wolfTPM Tests
+
+on:
+  push:
+    branches: [ '*' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  run_test:
+    name: Build
+    strategy:
+      matrix:
+        config:
+          - zephyr-ref: v3.4.0
+            zephyr-sdk: 0.16.1
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 25
+    steps:
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          # most of the ci-base zephyr docker image packages
+          sudo apt-get install -y zip bridge-utils uml-utilities \
+            git cmake ninja-build gperf ccache dfu-util device-tree-compiler wget \
+            python3-dev python3-pip python3-setuptools python3-tk python3-wheel xz-utils file \
+            make gcc gcc-multilib g++-multilib libsdl2-dev libmagic1 \
+            autoconf automake bison build-essential ca-certificates cargo ccache chrpath cmake \
+            cpio device-tree-compiler dfu-util diffstat dos2unix doxygen file flex g++ gawk gcc \
+            gcovr git git-core gnupg gperf gtk-sharp2 help2man iproute2 lcov libcairo2-dev \
+            libglib2.0-dev libgtk2.0-0 liblocale-gettext-perl libncurses5-dev libpcap-dev \
+            libpopt0 libsdl1.2-dev libsdl2-dev libssl-dev libtool libtool-bin locales make \
+            net-tools openssh-client parallel pkg-config python3-dev python3-pip \
+            python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo \
+            texinfo unzip wget ovmf xz-utils
+
+      - name: Install west
+        run: sudo pip install west
+
+      - name: Init west workspace
+        run: west init --mr ${{ matrix.config.zephyr-ref }} zephyr
+
+      - name: Update west.yml
+        working-directory: zephyr/zephyr
+        run: |
+          REF=$(echo '${{ github.ref }}' | sed -e 's/\//\\\//g')
+          sed -e 's/remotes:/remotes:\n    \- name: wolfssl\n      url\-base: https:\/\/github.com\/wolfssl/' -i west.yml
+          sed -e "s/remotes:/remotes:\n    \- name: wolftpm\n      url\-base: https:\/\/github.com\/${{ github.repository_owner }}/" -i west.yml
+          sed -e "s/projects:/projects:\n    \- name: wolftpm\n      path: modules\/lib\/wolftpm\n      remote: wolftpm\n      revision: $REF/" -i west.yml
+          sed -e 's/projects:/projects:\n    \- name: wolfssl\n      path: modules\/crypto\/wolfssl\n      remote: wolfssl\n      revision: master/' -i west.yml
+
+      - name: Update west workspace
+        working-directory: zephyr
+        run: west update -n -o=--depth=1
+
+      - name: Export zephyr
+        working-directory: zephyr
+        run: west zephyr-export
+
+      - name: Install pip dependencies
+        working-directory: zephyr
+        run: sudo pip install -r zephyr/scripts/requirements.txt
+
+      - name: Install zephyr SDK
+        run: |
+          wget -q https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v${{ matrix.config.zephyr-sdk }}/zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64_minimal.tar.xz
+          tar xf zephyr-sdk-${{ matrix.config.zephyr-sdk }}_linux-x86_64_minimal.tar.xz
+          cd zephyr-sdk-${{ matrix.config.zephyr-sdk }}
+          ./setup.sh -h -c -t x86_64-zephyr-elf
+
+      - name: Build wolftpm tests
+        id: wolftpm_build
+        working-directory: zephyr
+        run : |
+          west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_test
+          west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_caps
+
+      # skipping tests, because no simulator TPM to run
+      #- name: Run wolftpm tests
+      #  id: wolftpm_tests
+      #  working-directory: zephyr
+      #  run: |
+      #    ./zephyr/scripts/twister --testsuite-root modules/lib/wolftpm --test zephyr/samples/wolftpm_wrap_caps/sample.lib.wolftpm_wrap_caps -vvv
+      #    rm -rf zephyr/twister-out
+      #    ./zephyr/scripts/twister --testsuite-root modules/lib/wolftpm --test zephyr/samples/wolftpm_wrap_test/sample.lib.wolftpm_wrap_test -vvv
+      #    rm -rf zephyr/twister-out
+
+      - name: Zip failure logs
+        if: ${{ failure() && steps.wolftpm_build.outcome == 'failure' }}
+        run: |
+          zip -9 -r logs.zip zephyr/twister-out
+
+      - name: Upload failure logs
+        if: ${{ failure() && steps.wolftpm_build.outcome == 'failure' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: zephyr-client-test-logs
+          path: logs.zip
+          retention-days: 5
--- a/Makefile.am
+++ b/Makefile.am
@ -42,6 +42,7 @@ include docs/include.am
 include wrapper/include.am
 include hal/include.am
 include cmake/include.am
+include zephyr/include.am

 EXTRA_DIST+= .cyignore
 EXTRA_DIST+= README.md
--- a/examples/csr/csr.c
+++ b/examples/csr/csr.c
@ -38,12 +38,25 @@
 #include <wolfssl/wolfcrypt/asn_public.h>

 #ifndef NO_RSA
-static const char* gClientCsrRsaFile = "./certs/tpm-rsa-cert.csr";
-static const char* gClientCertRsaFile = "./certs/tpm-rsa-cert.pem";
+#ifndef RSA_CERT_CSR
+    #define RSA_CERT_CSR "./certs/tpm-rsa-cert.csr"
 #endif
+#ifndef RSA_CERT_PEM
+    #define RSA_CERT_PEM "./certs/tpm-rsa-cert.pem"
+#endif
+static const char* gClientCsrRsaFile = RSA_CERT_CSR;
+static const char* gClientCertRsaFile = RSA_CERT_PEM;
+#endif
+
 #ifdef HAVE_ECC
-static const char* gClientCsrEccFile = "./certs/tpm-ecc-cert.csr";
-static const char* gClientCertEccFile = "./certs/tpm-ecc-cert.pem";
+#ifndef ECC_CERT_CSR
+    #define ECC_CERT_CSR "./certs/tpm-ecc-cert.csr"
+#endif
+#ifndef ECC_CERT_PEM
+    #define ECC_CERT_PEM "./certs/tpm-ecc-cert.pem"
+#endif
+static const char* gClientCsrEccFile = ECC_CERT_CSR;
+static const char* gClientCertEccFile = ECC_CERT_PEM;
 #endif

 #ifndef MAX_PEM_SIZE
--- a/examples/keygen/keygen.c
+++ b/examples/keygen/keygen.c
@ -36,6 +36,28 @@
 #include <examples/tpm_test.h>
 #include <examples/tpm_test_keys.h>

+/* Output file path defines with defaults */
+#ifndef OUTPUT_FILE
+    #define OUTPUT_FILE "keyblob.bin"
+#endif
+#ifndef EK_PUB_FILE
+    #define EK_PUB_FILE "ek.pub"
+#endif
+#ifndef SRK_PUB_FILE
+    #define SRK_PUB_FILE "srk.pub"
+#endif
+
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+    #ifndef AK_NAME_FILE
+        #define AK_NAME_FILE "ak.name"
+    #endif
+    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
+        /* PEM_FILE is NULL by default, but can be overridden */
+        #ifndef PEM_FILE
+            #define PEM_FILE NULL
+        #endif
+    #endif
+#endif

 /******************************************************************************/
 /* --- BEGIN TPM Keygen Example -- */
@ -121,14 +143,14 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
    int keyBits = 256;
    const char* uniqueStr = NULL;
    const char* authStr = NULL;
-    const char *outputFile = "keyblob.bin";
-    const char *ekPubFile = "ek.pub";
-    const char *srkPubFile = "srk.pub";
+    const char *outputFile = OUTPUT_FILE;
+    const char *ekPubFile = EK_PUB_FILE;
+    const char *srkPubFile = SRK_PUB_FILE;
    const char *pubFilename = NULL;
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
-    const char *nameFile = "ak.name"; /* Name Digest for attestation purposes */
+    const char *nameFile = AK_NAME_FILE; /* Name Digest for attestation purposes */
    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
-    const char *pemFilename = NULL;
+    const char *pemFilename = PEM_FILE;
    #endif
 #endif
    const char* symMode = "aesctr";
--- a/examples/tls/tls_server.c
+++ b/examples/tls/tls_server.c
@ -46,6 +46,34 @@ static int mStop = 0;
    double benchStart;
 #endif

+/* CA Certificate path defines with defaults */
+#ifndef CA_RSA_CERT_PATH
+    #define CA_RSA_CERT_PATH "./certs/ca-rsa-cert.pem"
+#endif
+#ifndef WOLF_CA_RSA_CERT_PATH
+    #define WOLF_CA_RSA_CERT_PATH "./certs/wolf-ca-rsa-cert.pem"
+#endif
+#ifndef CA_ECC_CERT_PATH
+    #define CA_ECC_CERT_PATH "./certs/ca-ecc-cert.pem"
+#endif
+#ifndef WOLF_CA_ECC_CERT_PATH
+    #define WOLF_CA_ECC_CERT_PATH "./certs/wolf-ca-ecc-cert.pem"
+#endif
+
+/* Server Certificate path defines with defaults */
+#ifndef SERVER_RSA_CERT_PATH
+    #define SERVER_RSA_CERT_PATH "./certs/server-rsa-cert.pem"
+#endif
+#ifndef TPM_RSA_CERT_PATH
+    #define TPM_RSA_CERT_PATH "./certs/tpm-rsa-cert.pem"
+#endif
+#ifndef SERVER_ECC_CERT_PATH
+    #define SERVER_ECC_CERT_PATH "./certs/server-ecc-cert.pem"
+#endif
+#ifndef TPM_ECC_CERT_PATH
+    #define TPM_ECC_CERT_PATH "./certs/tpm-ecc-cert.pem"
+#endif
+
 /*
 * Generating the Server Certificate
 *
@ -380,14 +408,14 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
    /* Load CA Certificates */
    if (!useECC) {
    #ifndef NO_RSA
-        if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-rsa-cert.pem",
+        if (wolfSSL_CTX_load_verify_locations(ctx, CA_RSA_CERT_PATH,
                                              0) != WOLFSSL_SUCCESS) {
-            printf("Error loading ca-rsa-cert.pem cert\n");
+            printf("Error loading %s cert\n", CA_RSA_CERT_PATH);
            goto exit;
        }
-        if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-rsa-cert.pem",
+        if (wolfSSL_CTX_load_verify_locations(ctx, WOLF_CA_RSA_CERT_PATH,
                                              0) != WOLFSSL_SUCCESS) {
-            printf("Error loading wolf-ca-rsa-cert.pem cert\n");
+            printf("Error loading %s cert\n", WOLF_CA_RSA_CERT_PATH);
            goto exit;
        }
    #else
@ -398,16 +426,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
    }
    else {
    #ifdef HAVE_ECC
-        if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/ca-ecc-cert.pem",
+        if (wolfSSL_CTX_load_verify_locations(ctx, CA_ECC_CERT_PATH,
                                              0) != WOLFSSL_SUCCESS) {
-            printf("Error loading ca-ecc-cert.pem cert\n");
+            printf("Error loading %s cert\n", CA_ECC_CERT_PATH);
        #ifndef WOLFTPM_MFG_IDENTITY /* not fatal if using mfg identity */
            goto exit;
        #endif
        }
-        if (wolfSSL_CTX_load_verify_locations(ctx, "./certs/wolf-ca-ecc-cert.pem",
+        if (wolfSSL_CTX_load_verify_locations(ctx, WOLF_CA_ECC_CERT_PATH,
                                              0) != WOLFSSL_SUCCESS) {
-            printf("Error loading wolf-ca-ecc-cert.pem cert\n");
+            printf("Error loading %s cert\n", WOLF_CA_ECC_CERT_PATH);
            goto exit;
        }
    #else
@ -461,14 +489,18 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
                                                WOLFSSL_FILETYPE_ASN1);
        #endif
        #else
-        const char* useCert = "./certs/server-rsa-cert.pem";
+        const char* useCert = SERVER_RSA_CERT_PATH;
        if (useSelfSign) {
-            useCert = "./certs/tpm-rsa-cert.pem";
+            useCert = TPM_RSA_CERT_PATH;
        }
        rc = wolfSSL_CTX_use_certificate_file(ctx, useCert, WOLFSSL_FILETYPE_PEM);
        #endif
        if (rc != WOLFSSL_SUCCESS) {
+        #ifndef NO_FILESYSTEM
+            printf("Error loading RSA client cert: %s\n", useCert);
+        #else
            printf("Error loading RSA client cert\n");
+        #endif
            goto exit;
        }
 #else
@ -496,14 +528,18 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
                                                WOLFSSL_FILETYPE_ASN1);
        #endif
    #else
-        const char* useCert = "./certs/server-ecc-cert.pem";
+        const char* useCert = SERVER_ECC_CERT_PATH;
        if (useSelfSign) {
-            useCert = "./certs/tpm-ecc-cert.pem";
+            useCert = TPM_ECC_CERT_PATH;
        }
        rc = wolfSSL_CTX_use_certificate_file(ctx, useCert, WOLFSSL_FILETYPE_PEM);
    #endif
        if (rc != WOLFSSL_SUCCESS) {
+        #ifndef NO_FILESYSTEM
+            printf("Error loading ECC client cert: %s\n", useCert);
+        #else
            printf("Error loading ECC client cert\n");
+        #endif
            goto exit;
        }
 #else
@ -649,7 +685,7 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
    }

 exit:
-
+    mStop = 0; /* Reset the stop flag for if example is compiled into a demo */
    if (rc != 0) {
        printf("Failure %d (0x%x): %s\n", rc, rc, wolfTPM2_GetRCString(rc));
    }
--- a/examples/tpm_test.h
+++ b/examples/tpm_test.h
@ -52,6 +52,19 @@

 #define TPM2_DEMO_PCR_INDEX             16

+#ifndef PEM_FILE_AK
+    #define PEM_FILE_AK "ak.pem"
+#endif
+#ifndef PEM_FILE_EK
+    #define PEM_FILE_EK "ek.pem"
+#endif
+#ifndef PEM_FILE_SRK
+    #define PEM_FILE_SRK "srk.pem"
+#endif
+#ifndef PEM_FILE_KEY
+    #define PEM_FILE_KEY "key.pem"
+#endif
+
 static const char gStorageKeyAuth[] = "ThisIsMyStorageKeyAuth";
 static const char gAiKeyAuth[] =      "ThisIsMyAiKeyAuth";
 static const char gKeyAuth[] =        "ThisIsMyKeyAuth";
@ -60,10 +73,10 @@ static const char gUsageAuth[] =      "ThisIsASecretUsageAuth";
 static const char gNvAuth[] =         "ThisIsMyNvAuth";
 static const char gXorAuth[] =        "ThisIsMyXorAuth";

-static const char pemFileAk[] = "ak.pem";
-static const char pemFileEk[] = "ek.pem";
-static const char pemFileSrk[] = "srk.pem";
-static const char pemFileKey[] = "key.pem";
+static const char pemFileAk[] = PEM_FILE_AK;
+static const char pemFileEk[] = PEM_FILE_EK;
+static const char pemFileSrk[] = PEM_FILE_SRK;
+static const char pemFileKey[] = PEM_FILE_KEY;

 /* Default Test PCR */
 /* PCR16 is for DEBUG purposes, thus safe to use */
@ -100,6 +113,8 @@ static const char pemFileKey[] = "key.pem";
        #include <time.h>
 #elif defined(WOLFTPM_MICROCHIP_HARMONY)
        #include "system/time/sys_time.h"
+#elif defined(WOLFTPM_ZEPHYR)
+        #include <zephyr/kernel.h>
 #else
        #include <sys/time.h>
 #endif
@ -119,6 +134,9 @@ static const char pemFileKey[] = "key.pem";
            SYS_TIME_CounterSet(0);
        return (double)(SYS_TIME_Counter64Get()) /
               (double)SYS_TIME_FrequencyGet();
+    #elif defined(WOLFTPM_ZEPHYR)
+        (void)reset;
+        return (double)k_uptime_get() / 1000.0;
    #else
        struct timeval tv;
        gettimeofday(&tv, 0);
--- a/examples/tpm_test_keys.c
+++ b/examples/tpm_test_keys.c
@ -40,8 +40,22 @@

 #include <stdio.h>

-#define RSA_FILENAME  "rsa_test_blob.raw"
-#define ECC_FILENAME  "ecc_test_blob.raw"
+#ifdef WOLFTPM_ZEPHYR
+    #include <zephyr/fs/fs.h>
+    #define XFILE struct fs_file_t*
+    /* Note: Other filesystem macros (XFOPEN, XFCLOSE etc) are already defined
+     * in wolfSSL's wc_port.h for Zephyr */
+#else
+    #define XFILE FILE*
+#endif
+
+#ifndef RSA_FILENAME
+    #define RSA_FILENAME  "rsa_test_blob.raw"
+#endif
+
+#ifndef ECC_FILENAME
+    #define ECC_FILENAME  "ecc_test_blob.raw"
+#endif

 #ifndef WOLFTPM2_NO_WRAPPER

--- a/examples/wrap/caps.c
+++ b/examples/wrap/caps.c
@ -129,6 +129,8 @@ int TPM2_Wrapper_CapsArgs(void* userCtx, int argc, char *argv[])
    /* Print the available PCR's */
    TPM2_PCRs_Print();

+    printf("wolfTPM caps read successfully\n");
+
 exit:
    /* Only doShutdown=1: Just shutdown the TPM */
    wolfTPM2_Reset(&dev, 1, 0);
--- a/examples/wrap/wrap_test.c
+++ b/examples/wrap/wrap_test.c
@ -997,6 +997,8 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
    if (rc != 0) goto exit;
 #endif

+    printf("wolfTPM wrapper test completed successfully\n");
+
 exit:

    if (rc != 0) {
--- a/hal/tpm_io.c
+++ b/hal/tpm_io.c
@ -73,6 +73,8 @@
 #include "hal/tpm_io_microchip.c"
 #elif defined(WOLFSSL_ESPIDF)
 #include "hal/tpm_io_espressif.c"
+#elif defined(WOLFSSL_ZEPHYR)
+#include "hal/tpm_io_zephyr.c"
 #endif

 #if !defined(WOLFTPM_I2C) && !defined(WOLFTPM_MMIO)
@ -155,6 +157,8 @@ int TPM2_IoCb(TPM2_CTX* ctx, INT32 isRead, UINT32 addr,
    #elif defined(WOLFTPM_MICROCHIP_HARMONY)
        /* Use Microchip Harmony I2C */
        ret = TPM2_IoCb_MicrochipHarmony_I2C(ctx, isRead, addr, buf, size, userCtx);
+    #elif defined(WOLFSSL_ZEPHYR)
+        ret = TPM2_IoCb_Zephyr_I2C(ctx, isRead, addr, buf, size, userCtx);
    #else
        /* TODO: Add your platform here for HW I2C interface */
        printf("Add your platform here for HW I2C interface\n");
--- a/hal/tpm_io.h
+++ b/hal/tpm_io.h
@ -92,6 +92,9 @@ WOLFTPM_LOCAL int TPM2_IoCb_Espressif_I2C(TPM2_CTX* ctx, int isRead, word32 addr
 #elif defined(WOLFTPM_MICROCHIP_HARMONY)
 WOLFTPM_LOCAL int TPM2_IoCb_MicrochipHarmony_I2C(TPM2_CTX* ctx, int isRead, word32 addr,
    byte* buf, word16 size, void* userCtx);
+#elif defined(WOLFSSL_ZEPHYR)
+WOLFTPM_LOCAL int TPM2_IoCb_Zephyr_I2C(TPM2_CTX* ctx, int isRead, word32 addr,
+    byte* buf, word16 size, void* userCtx);
 #endif /* __linux__ */

 #else /* SPI */
--- a/hal/tpm_io_zephyr.c
+++ b/hal/tpm_io_zephyr.c
@ -0,0 +1,186 @@
+/* tpm_io_zephyr.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfTPM.
+ *
+ * wolfTPM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfTPM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* This example shows IO interfaces for Zephyr-based micro-controllers
+ * using Zephyr's kernel and drivers
+ */
+
+/*****************************************************************************/
+/* --- BEGIN IO Callback Logic -- */
+/*****************************************************************************/
+
+/* Included via tpm_io.c if WOLFTPM_INCLUDE_IO_FILE is defined */
+#ifdef WOLFTPM_INCLUDE_IO_FILE
+
+#ifdef WOLFTPM_ZEPHYR
+
+/* Zephyr Includes Start */
+#include <zephyr/kernel.h>
+#include <zephyr/sys/printk.h>
+#include <zephyr/drivers/i2c.h>
+/* Zephyr Includes End */
+
+#ifdef WOLFTPM_I2C
+
+/* Zephyr Configurations */
+
+/* I2C master clock frequency */
+/* Zephyr DTSI Defines this as I2C_BITRATE_STANDARD */
+/* This means we have a clock rate of 100 khz */
+
+
+/* Infineon 9673 I2C at 0x2e */
+#define TPM2_INFINEON_9673_ADDR     0x2e
+
+#if defined(WOLFTPM_I2C_CUST_ADDR)
+    #define TPM2_I2C_ADDR           WOLFTPM_I2C_CUST_ADDR
+#elif defined(WOLFTPM_SLB9673)
+    #define TPM2_I2C_ADDR           TPM2_INFINEON_9673_ADDR
+#else
+    #error Set WOLFTPM_I2C_CUST_ADDR to i2c device ID or use supported device
+#endif
+
+/* Set to slowest speed supported in zephyr */
+#if !defined(WOLFTPM_ZEPHYR_I2C_SPEED)
+    #warning WOLFTPM_ZEPHYR_I2C_SPEED set to slowest Zephyr supports
+    #define WOLFTPM_ZEPHYR_I2C_SPEED I2C_SPEED_STANDARD
+#endif
+
+#if !defined(WOLFTPM_ZEPHYR_I2C_BUS)
+    #error Set WOLFTPM_ZEPHYR_I2C_BUS to devicetree node label for i2c bus
+#endif
+
+/* Init to False */
+static int _is_initialized_i2c = 0;
+
+/* Grab pointer from device tree label */
+const struct device *i2c_dev = \
+                DEVICE_DT_GET(DT_NODELABEL(WOLFTPM_ZEPHYR_I2C_BUS));
+
+
+/* Setup the i2c tmp device */
+/* Pass in pointer to the target */
+int TPM2_I2C_Zephyr_Init(void)
+{
+    int ret = 0;
+    uint32_t config = 0;
+
+    config = I2C_MODE_CONTROLLER | I2C_SPEED_SET(WOLFTPM_ZEPHYR_I2C_SPEED);
+    ret = i2c_configure(i2c_dev, config);
+
+    return ret;
+}
+
+int TPM2_IoCb_Zephyr_I2C(TPM2_CTX* ctx, int isRead, word32 addr,
+                            byte* buf, word16 size, void* userCtx)
+{
+    int ret = 0;
+    byte* tempBuf = NULL;
+
+    if (buf == NULL) {
+        printf("Buffer passed is NULL");
+        return -1;
+    }
+
+    if (i2c_dev == NULL) {
+        printf("I2C device not found in Device Tree!\n");
+        return -1;
+    }
+
+    /* Confirm i2c bus is ready */
+    if (!device_is_ready(i2c_dev)) {
+        printf("Device is not ready");
+        return -1;
+    }
+
+    if (userCtx == NULL) {
+        //printf("UserCtx Cannot be NULL\n");
+    }
+
+
+    /* Init Zephyr I2C Driver */
+    if (_is_initialized_i2c == 0) {
+        if (TPM2_I2C_Zephyr_Init() != 0) {
+            printf("Could Not Init\n");
+            return -1;
+        }
+        _is_initialized_i2c = 1;
+    }
+
+    if (isRead) {
+        tempBuf = (byte*)XMALLOC(1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (tempBuf == NULL) {
+            printf("Failed to allocate temp buffer\n");
+        }
+
+        tempBuf[0] = (byte)(addr & 0xFF);
+
+        // Read operation: First send register address, then read data
+        ret = i2c_write_read(i2c_dev, TPM2_I2C_ADDR, tempBuf, 1, buf, size);
+        if (ret < 0) {
+            printf("Failed to read from TPM at register 0x%02X! Error: %d\n", addr, ret);
+        }
+
+        XFREE(tempBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+    else {
+        // Write operation: Register address + Data
+
+        tempBuf = (byte*)XMALLOC(size + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (tempBuf == NULL) {
+            printf("Failed to allocate temp buffer\n");
+        }
+
+        tempBuf[0] = (byte)(addr & 0xFF);
+        XMEMCPY((tempBuf + 1), buf, size);
+
+        ret = i2c_write(i2c_dev, tempBuf, size + 1, TPM2_I2C_ADDR);
+        if (ret < 0) {
+            printf("Failed to write to TPM at register 0x%02X! Error: %d\n", addr, ret);
+        }
+
+        XFREE(tempBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+
+    if (ret != 0) {
+        printf("Could not perform operation: %d\n", ret);
+        if (ret == -EIO) {
+            printf("Input/Output Error\n");
+        }
+    }
+
+
+
+    (void)ctx;
+    return ret;
+}
+
+#else /* If not I2C, it must be SPI  */
+    /* TODO implement SPI */
+    #error TPM2 SPI support on zephyr yet
+#endif
+
+#endif /* WOLFSSL_ZEPHYR */
+#endif /* WOLFTPM_INCLUDE_IO_FILE */
+
+/******************************************************************************/
+/* --- END IO Callback Logic -- */
+/******************************************************************************/
--- a/src/tpm2_swtpm.c
+++ b/src/tpm2_swtpm.c
@ -43,7 +43,12 @@
 #include <wolftpm/tpm2_swtpm.h>
 #include <wolftpm/tpm2_packet.h>

+#ifdef WOLFTPM_ZEPHYR
+#include <zephyr/posix/unistd.h>
+#include <zephyr/net/socket.h>
+#elif defined(HAVE_UNISTD_H)
 #include <unistd.h>
+#endif
 #include <errno.h>
 #include <string.h>
 #include <stdio.h>
@ -126,10 +131,54 @@ static TPM_RC SwTpmReceive(TPM2_CTX* ctx, void* buffer, size_t rxSz)
 static TPM_RC SwTpmConnect(TPM2_CTX* ctx, const char* host, const char* port)
 {
    TPM_RC rc = TPM_RC_FAILURE;
+    int s;
+    int fd = -1;
+
+    /* Zephyr doesnt support getaddrinfo;
+     * so we need to use Zephyr's socket API
+     */
+#ifdef WOLFTPM_ZEPHYR
+    struct zsock_addrinfo hints;
+    struct zsock_addrinfo *result, *rp;
+
+    if (ctx == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+
+    s = zsock_getaddrinfo(host, port, &hints, &result);
+    if (s != 0) {
+        // Handle error
+        return rc;
+    }
+
+    for (rp = result; rp != NULL; rp = rp->ai_next) {
+        fd = zsock_socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
+        if (fd < 0)
+            continue;
+        if (zsock_connect(fd, rp->ai_addr, rp->ai_addrlen) < 0) {
+            zsock_close(fd);
+        } else {
+            break;
+        }
+    }
+    zsock_freeaddrinfo(result);
+
+    if (rp != NULL) {
+        ctx->tcpCtx.fd = fd;
+        rc = TPM_RC_SUCCESS;
+    }
+    #ifdef DEBUG_WOLFTPM
+    else {
+        printf("Failed to connect to %s %s\n", host, port);
+    }
+    #endif
+#else /* !WOLFTPM_ZEPHYR */
    struct addrinfo hints;
    struct addrinfo *result, *rp;
-    int s;
-    int fd;

    if (ctx == NULL) {
        return BAD_FUNC_ARG;
@ -167,6 +216,7 @@ static TPM_RC SwTpmConnect(TPM2_CTX* ctx, const char* host, const char* port)
        printf("Failed to connect to %s %s\n", host, port);
    }
    #endif
+#endif /* WOLFTPM_ZEPHYR */

    return rc;
 }
--- a/wolftpm/tpm2_socket.h
+++ b/wolftpm/tpm2_socket.h
@ -36,6 +36,10 @@
    /* TODO: HACKY for win32 */
    #undef SOCKET_INVALID
    #define SOCKET_INVALID 0xFFFFFFFF
+#elif defined(WOLFTPM_ZEPHYR)
+    #include <zephyr/net/socket.h>
+
+    #define SOCKET_T int
 #else
    #include <sys/types.h>
    #include <sys/socket.h>
--- a/wolftpm/tpm2_types.h
+++ b/wolftpm/tpm2_types.h
@ -263,7 +263,11 @@ typedef int64_t  INT64;
    #define XFEOF      feof
 #endif
 #ifndef XREWIND /* used in tpm_test_keys.c */
+    #ifdef XFREWIND
+        #define XREWIND    XFREWIND
+    #else
        #define XREWIND    rewind
+    #endif
 #endif

 /* enable way for customer to override printf */
@ -475,11 +479,10 @@ typedef int64_t  INT64;

 /* sleep helper, used in firmware update */
 #ifndef XSLEEP_MS
-    #ifdef WIN32
-        #include <windows.h>
-        #define XSLEEP_MS(ms) Sleep(ms)
-    #elif defined(FREERTOS)
-        #define XSLEEP_MS(ms) vTaskDelay(ms)
+    #if defined(WOLFTPM_ZEPHYR)
+        /* For Zephyr, use k_sleep() instead of usleep() */
+        #include <zephyr/kernel.h>
+        #define XSLEEP_MS(ms) k_msleep(ms)
    #elif defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 199309L
        #include <time.h>
        #define XSLEEP_MS(ms) ({ \
@ -488,6 +491,11 @@ typedef int64_t  INT64;
            ts.tv_nsec = (ms % 1000) * 1000000; \
            nanosleep(&ts, NULL); \
        })
+    #elif defined(WIN32)
+        #include <windows.h>
+        #define XSLEEP_MS(ms) Sleep(ms)
+    #elif defined(FREERTOS)
+        #define XSLEEP_MS(ms) vTaskDelay(ms)
    #else
        #include <unistd.h>
        #define XSLEEP_MS(ms) ({ \
--- a/zephyr/CMakeLists.txt
+++ b/zephyr/CMakeLists.txt
@ -0,0 +1,17 @@
+if(CONFIG_WOLFTPM)
+  zephyr_include_directories(${ZEPHYR_CURRENT_MODULE_DIR})
+  zephyr_include_directories(${ZEPHYR_CURRENT_MODULE_DIR}/zephyr)
+  zephyr_library_include_directories(${ZEPHYR_CURRENT_MODULE_DIR})
+  FILE(GLOB wolftpm_sources
+      ${ZEPHYR_CURRENT_MODULE_DIR}/src/*.c
+      ${ZEPHYR_CURRENT_MODULE_DIR}/hal/*.c
+  )
+  target_sources(app PRIVATE ${wolftpm_sources})
+
+  if(CONFIG_WOLFTPM_DEBUG)
+    target_compile_definitions(app PUBLIC DEBUG_WOLFTPM)
+  endif()
+
+  target_compile_definitions(app PUBLIC WOLFTPM_ZEPHYR)
+
+endif()
--- a/zephyr/Kconfig
+++ b/zephyr/Kconfig
@ -0,0 +1,27 @@
+menuconfig WOLFTPM
+	bool "wolfTPM module support"
+	select WOLFSSL
+
+if WOLFTPM
+config WOLFTPM_DEBUG
+	bool "wolfTPM debug activation"
+	help
+	  Enable debugging activation for wolfTPM.
+
+config WOLFTPM_I2C
+	bool "wolfTPM I2C support"
+	help
+		Enables the I2C HAL and Advanced IO
+
+config WOLFTPM_SPI
+	bool "wolfTPM SPI support"
+	help
+		Enables the SPI HAL (default)
+
+config ZEPHYR_WOLFTPM_MODULE
+	bool
+	depends on WOLFTPM
+endif
+
+# Add relevant macros for tpm
+
--- a/zephyr/README.md
+++ b/zephyr/README.md
@ -0,0 +1,82 @@
+Zephyr Project Port
+===================
+
+## Overview
+
+This port is for the Zephyr RTOS Project, available [here](https://www.zephyrproject.org/).
+
+
+It provides the following zephyr code.
+
+- modules/lib/wolftpm
+    - wolfTPM library code
+- modules/lib/wolftpm/zephyr/
+    - Configuration and CMake files for wolfTPM as a Zephyr module
+- modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_caps
+    - wolfTPM test application
+- modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_test
+    - wolfTPM test application
+
+## How to setup as a Zephyr Module
+
+Follow the [instructions](https://docs.zephyrproject.org/latest/develop/getting_started/index.html) to setup a zephyr project.
+
+### Modify your project's west manifest
+
+Add wolfTPM as a project to your west.yml:
+
+```
+manifest:
+  remotes:
+    # <your other remotes>
+    - name: wolftpm
+      url-base: https://github.com/wolfssl
+
+  projects:
+    # <your other projects>
+    - name: wolftpm
+      path: modules/lib/wolftpm
+      revision: master
+      remote: wolftpm
+```
+
+Note: wolfTPM has dependencies with wolfSSL so you need to also need to add wolfSSL into the west.yml like shown above.
+
+Update west's modules:
+
+```bash
+west update
+```
+
+Now west recognizes 'wolftpm' as a module, and will include it's Kconfig and
+CMakeFiles.txt in the build system.
+
+## Build and Run Tests
+
+### Build and Run wolfTPM wrap Test Application
+
+If you want to run build apps without running `west zephyr-export` then it is
+possible by setting the `CMAKE_PREFIX_PATH` variable to the location of the
+zephyr sdk and building from the `zephyr` directory. For example:
+
+```
+CMAKE_PREFIX_PATH=/path/to/zephyr-sdk-<VERSION> west build -p always -b qemu_x86 ../modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_test/
+```
+
+build and execute `wolftpm_wrap_test`
+
+```
+cd [zephyrproject]
+west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_test
+west build -t run
+```
+
+### Build and Run wolfTPM wrap Capabilities Application
+
+build and execute `wolftpm_wrap_caps`
+
+```
+cd [zephyrproject]
+west build -p auto -b qemu_x86 modules/lib/wolftpm/zephyr/samples/wolftpm_wrap_caps
+west build -t run
+```
--- a/zephyr/include.am
+++ b/zephyr/include.am
@ -0,0 +1,15 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+EXTRA_DIST+= zephyr/CMakeLists.txt
+EXTRA_DIST+= zephyr/Kconfig
+EXTRA_DIST+= zephyr/module.yml
+EXTRA_DIST+= zephyr/README.md
+EXTRA_DIST+= zephyr/user_settings.h
+EXTRA_DIST+= zephyr/samples/wolftpm_wrap_caps/CMakeLists.txt
+EXTRA_DIST+= zephyr/samples/wolftpm_wrap_caps/prj.conf
+EXTRA_DIST+= zephyr/samples/wolftpm_wrap_caps/sample.yaml
+EXTRA_DIST+= zephyr/samples/wolftpm_wrap_test/CMakeLists.txt
+EXTRA_DIST+= zephyr/samples/wolftpm_wrap_test/prj.conf
+EXTRA_DIST+= zephyr/samples/wolftpm_wrap_test/sample.yaml
--- a/zephyr/module.yml
+++ b/zephyr/module.yml
@ -0,0 +1,6 @@
+name: wolftpm
+build:
+  cmake: zephyr
+  kconfig: zephyr/Kconfig
+  depends:
+    - wolfssl
--- a/zephyr/samples/wolftpm_wrap_caps/CMakeLists.txt
+++ b/zephyr/samples/wolftpm_wrap_caps/CMakeLists.txt
@ -0,0 +1,24 @@
+cmake_minimum_required(VERSION 3.13.1)
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(wolftpm_wrap_caps)
+
+# Include source code for wrap test
+target_sources(app PRIVATE ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples/wrap/caps.c)
+target_sources(app PRIVATE ${app_sources})
+
+# Include header files
+target_include_directories(app PRIVATE
+    ${ZEPHYR_BASE}/include
+    ${ZEPHYR_BASE}/include/zephyr
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/zephyr
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/hal
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/tests
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/wolftpm
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples/wrap
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}
+)
+
+add_definitions(-DWOLFSSL_ZEPHYR)
+add_definitions(-DWOLFSSL_USER_SETTINGS)
+add_definitions(-DWOLFTPM_USER_SETTINGS)
--- a/zephyr/samples/wolftpm_wrap_caps/prj.conf
+++ b/zephyr/samples/wolftpm_wrap_caps/prj.conf
@ -0,0 +1,45 @@
+# Configure stack and heap sizes
+CONFIG_MAIN_STACK_SIZE=32768
+CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=8192
+
+# Include wolfTPM config
+CONFIG_WOLFTPM=y
+CONFIG_WOLFTPM_I2C=n
+CONFIG_WOLFTPM_SPI=n
+
+# POSIX file operations
+CONFIG_POSIX_API=y
+CONFIG_POSIX_FS=n
+
+# Pthreads
+CONFIG_PTHREAD_IPC=y
+
+# Clock for time()
+CONFIG_POSIX_CLOCK=y
+
+# TLS configuration
+CONFIG_WOLFSSL=y
+CONFIG_WOLFSSL_BUILTIN=y
+
+# Floating Point
+CONFIG_FPU=y
+
+# Networking configuration
+CONFIG_NETWORKING=y
+CONFIG_NET_SOCKETS=y
+
+# Logging
+CONFIG_PRINTK=y
+CONFIG_CBPRINTF_LIBC_SUBSTS=y
+CONFIG_CBPRINTF_FP_SUPPORT=y
+CONFIG_CONSOLE=y
+CONFIG_LOG=y
+CONFIG_LOG_BACKEND_UART=y
+CONFIG_LOG_BUFFER_SIZE=15360
+CONFIG_LOG_MODE_IMMEDIATE=y
+#CONFIG_WOLFSSL_DEBUG=y
+
+# Entropy
+CONFIG_TEST_RANDOM_GENERATOR=y
+CONFIG_ENTROPY_GENERATOR=y
+CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y
--- a/zephyr/samples/wolftpm_wrap_caps/sample.yaml
+++ b/zephyr/samples/wolftpm_wrap_caps/sample.yaml
@ -0,0 +1,15 @@
+sample:
+  description: wolfTPM wrap caps
+  name: wolfTPM wrap caps
+common:
+  harness: console
+  harness_config:
+    type: one_line
+    regex:
+      - "wolfTPM caps read successfully"
+tests:
+  sample.lib.wolftpm_wrap_caps:
+    timeout: 200
+    platform_allow: qemu_x86
+    integration_platforms:
+      - qemu_x86
--- a/zephyr/samples/wolftpm_wrap_test/CMakeLists.txt
+++ b/zephyr/samples/wolftpm_wrap_test/CMakeLists.txt
@ -0,0 +1,24 @@
+cmake_minimum_required(VERSION 3.13.1)
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(wolftpm_wrap_test)
+
+# Include source code for wrap test
+target_sources(app PRIVATE ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples/wrap/wrap_test.c)
+target_sources(app PRIVATE ${app_sources})
+
+# Include header files
+target_include_directories(app PRIVATE
+    ${ZEPHYR_BASE}/include
+    ${ZEPHYR_BASE}/include/zephyr
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/zephyr
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/hal
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/tests
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/wolftpm
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples/wrap
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}/examples
+    ${ZEPHYR_WOLFTPM_MODULE_DIR}
+)
+
+add_definitions(-DWOLFSSL_ZEPHYR)
+add_definitions(-DWOLFSSL_USER_SETTINGS)
+add_definitions(-DWOLFTPM_USER_SETTINGS)
--- a/zephyr/samples/wolftpm_wrap_test/prj.conf
+++ b/zephyr/samples/wolftpm_wrap_test/prj.conf
@ -0,0 +1,45 @@
+# Configure stack and heap sizes
+CONFIG_MAIN_STACK_SIZE=32768
+CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=8192
+
+# Include wolfTPM config
+CONFIG_WOLFTPM=y
+CONFIG_WOLFTPM_I2C=n
+CONFIG_WOLFTPM_SPI=n
+
+# POSIX file operations
+CONFIG_POSIX_API=y
+CONFIG_POSIX_FS=n
+
+# Pthreads
+CONFIG_PTHREAD_IPC=y
+
+# Clock for time()
+CONFIG_POSIX_CLOCK=y
+
+# TLS configuration
+CONFIG_WOLFSSL=y
+CONFIG_WOLFSSL_BUILTIN=y
+
+# Floating Point
+CONFIG_FPU=y
+
+# Networking configuration
+CONFIG_NETWORKING=y
+CONFIG_NET_SOCKETS=y
+
+# Logging
+CONFIG_PRINTK=y
+CONFIG_CBPRINTF_LIBC_SUBSTS=y
+CONFIG_CBPRINTF_FP_SUPPORT=y
+CONFIG_CONSOLE=y
+CONFIG_LOG=y
+CONFIG_LOG_BACKEND_UART=y
+CONFIG_LOG_BUFFER_SIZE=15360
+CONFIG_LOG_MODE_IMMEDIATE=y
+#CONFIG_WOLFSSL_DEBUG=y
+
+# Entropy
+CONFIG_TEST_RANDOM_GENERATOR=y
+CONFIG_ENTROPY_GENERATOR=y
+CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y
--- a/zephyr/samples/wolftpm_wrap_test/sample.yaml
+++ b/zephyr/samples/wolftpm_wrap_test/sample.yaml
@ -0,0 +1,15 @@
+sample:
+  description: wolfTPM wrap test
+  name: wolfTPM wrap test
+common:
+  harness: console
+  harness_config:
+    type: one_line
+    regex:
+      - "wolfTPM wrapper test completed successfully"
+tests:
+  sample.lib.wolftpm_wrap_test:
+    timeout: 200
+    platform_allow: qemu_x86
+    integration_platforms:
+      - qemu_x86
--- a/zephyr/user_settings.h
+++ b/zephyr/user_settings.h
@ -0,0 +1,218 @@
+/* user_settings.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfTPM.
+ *
+ * wolfTPM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfTPM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef _ZEPHYR_USER_SETTINGS_H_
+#define _ZEPHYR_USER_SETTINGS_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* -- WOLFTPM ZEPHYR SETTINGS -- */
+#undef  WOLFTPM_USER_SETTINGS
+#define WOLFTPM_USER_SETTINGS
+
+#undef  WOLFTPM_EXAMPLE_HAL
+#define WOLFTPM_EXAMPLE_HAL
+
+#undef WOLFTPM_ZEPHYR
+#define WOLFTPM_ZEPHYR
+
+/* -- WOLFSSL SETTINGS -- */
+#undef  WOLFSSL_USER_SETTINGS
+#define WOLFSSL_USER_SETTINGS
+
+#ifdef CONFIG_WOLFTPM_I2C
+    #define WOLFTPM_I2C
+    #define WOLFTPM_ADV_IO
+
+    //#define WOLFTPM_ZEPHYR_I2C_BUS flexcomm3_lpi2c3
+    //#define WOLFTPM_ZEPHYR_I2C_SPEED I2C_SPEED_STANDARD /* I2C_SPEED_FAST */
+#elif defined(CONFIG_WOLFTPM_SPI)
+    /* default */
+#else
+    #undef  WOLFTPM_SWTPM
+    #define WOLFTPM_SWTPM
+#endif
+
+#undef  WOLF_CRYPTO_CB
+#define WOLF_CRYPTO_CB
+
+#undef  WOLFSSL_AES_CFB
+#define WOLFSSL_AES_CFB
+
+/* -- WOLFTPM SETTINGS -- */
+
+/* enable for low resource options */
+#if 0
+    #define USE_LOW_RESOURCE
+#endif
+
+#ifdef USE_LOW_RESOURCE
+    /* wolfCrypt only (no SSL/TLS) */
+    #define WOLFCRYPT_ONLY
+#else
+    /* wolfTPM with TLS example (v1.3 only) */
+    #define WOLFSSL_TLS13
+    #define WOLFSSL_NO_TLS12
+    #define NO_OLD_TLS
+
+    #define HAVE_TLS_EXTENSIONS
+    #define HAVE_SUPPORTED_CURVES
+    #define HAVE_SERVER_RENEGOTIATION_INFO
+    #define HAVE_ENCRYPT_THEN_MAC
+
+    #define HAVE_HKDF
+    #define WC_RSA_PSS
+    #define WOLFSSL_PSS_LONG_SALT
+#endif
+
+/* No threading or file system */
+#define SINGLE_THREADED
+
+#ifdef USE_LOW_RESOURCE
+    /* Single Precision math for RSA 2048 only (small) */
+    #define WOLFSSL_HAVE_SP_RSA
+    #define WOLFSSL_SP_MATH
+    #define WOLFSSL_SP_SMALL
+    #define WOLFSSL_SP_NO_3072 /* 2048-only */
+#else
+    /* Enable SP math all (sp_int.c) with multi-precision support */
+    #define WOLFSSL_SP_MATH_ALL
+#endif
+
+/* Enable hardening (timing resistance) */
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+/* Enable PRNG (SHA2-256) */
+#ifdef USE_LOW_RESOURCE
+    /* use TPM TRNG */
+    #define WC_NO_HASHDRBG
+#else
+    #define HAVE_HASHDRBG
+#endif
+
+/* Asymmetric */
+#if 1 /* RSA - needed to encrypt salt */
+    #undef  NO_RSA
+    #ifdef USE_LOW_RESOURCE
+        #define WOLFSSL_RSA_PUBLIC_ONLY
+        #define WOLFSSL_RSA_VERIFY_INLINE
+        #define NO_CHECK_PRIVATE_KEY
+    #endif
+#else
+    #define NO_RSA
+#endif
+#if 1 /* ECC - needed for encrypt ECC salt */
+    #define HAVE_ECC
+    #define ECC_USER_CURVES /* default to only SECP256R1 */
+#endif
+#ifndef USE_LOW_RESOURCE /* DH */
+    #undef  NO_DH
+    #define HAVE_FFDHE_2048
+    #define HAVE_DH_DEFAULT_PARAMS
+#else
+    #define NO_DH
+#endif
+
+/* Symmetric Hash */
+#undef NO_SHA
+#undef NO_SHA256
+#ifndef USE_LOW_RESOURCE
+    #define WOLFSSL_SHA512
+    #define WOLFSSL_SHA384
+#endif
+
+/* Symmetric Cipher */
+#define WOLFSSL_AES_CFB
+#define HAVE_AES_DECRYPT
+#ifndef USE_LOW_RESOURCE
+    #define HAVE_AES_KEYWRAP
+    #define WOLFSSL_AES_DIRECT
+    #define HAVE_AESGCM
+    #define GCM_TABLE_4BIT
+#else
+    #define NO_AES_CBC
+#endif
+
+#if 0 /* ChaCha20 / Poly1305 */
+    #define HAVE_POLY1305
+    #define HAVE_CHACHA
+#endif
+
+/* Features */
+#define WOLFSSL_ASN_TEMPLATE
+#define WOLFSSL_USER_IO /* user recv/send callbacks for network IO */
+#ifndef USE_LOW_RESOURCE
+    #define WOLFSSL_CERT_GEN
+    #define WOLFSSL_CERT_REQ
+    #define WOLFSSL_CERT_EXT
+
+    #define HAVE_PKCS7
+    #define HAVE_X963_KDF
+    #define WOLFSSL_BASE64_ENCODE
+#endif
+
+/* Disables */
+#define NO_PKCS8
+#define NO_PKCS12
+#define NO_PWDBASED
+#define NO_DSA
+#define NO_DES3
+#define NO_RC4
+#define NO_PSK
+#define NO_MD4
+#define NO_MD5
+#define WOLFSSL_NO_SHAKE128
+#define WOLFSSL_NO_SHAKE256
+#define NO_WRITEV
+
+/* Low Resource Options */
+#ifdef USE_LOW_RESOURCE
+    #define NO_FILESYSTEM /* File system disable */
+    #define NO_ERROR_STRINGS
+    #define WOLFSSL_NO_ASM
+    #define TFM_NO_ASM
+    #define NO_WOLFSSL_MEMORY
+    #define NO_SESSION_CACHE
+    #define RSA_LOW_MEM
+    #define WOLFSSL_AES_SMALL_TABLES
+    #define WOLFSSL_AES_NO_UNROLL
+    #define GCM_SMALL
+    #undef  GCM_TABLE_4BIT
+    #define NO_AES_192
+    #define NO_AES_256
+    #define USE_SLOW_SHA
+    #define USE_SLOW_SHA256
+    #define USE_SLOW_SHA512
+    #define NO_SIG_WRAPPER
+    #define NO_ASN_TIME
+    #define NO_CODING
+    #define NO_BIG_INT
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _ZEPHYR_USER_SETTINGS_H_ */