wolfTPM SPDM support (tested with Nuvoton NPCT75x)

.github/workflows/make-test-swtpm.yml

@@ -75,6 +75,21 @@ jobs:
           # STMicro ST33KTPM2
           - name: st33ktpm2 firmware
             wolftpm_config: --enable-st33 --enable-firmware
+          # SPDM + Nuvoton (compile-only, no hardware in CI)
+          - name: spdm-nuvoton
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nuvoton
+            needs_swtpm: false
+          # SPDM dynamic memory
+          - name: spdm-dynamic-mem
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nuvoton --enable-spdm-dynamic-mem
+            needs_swtpm: false
+          # SPDM debug
+          - name: spdm-debug
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nuvoton --enable-debug
+            needs_swtpm: false
           # Microchip
           - name: microchip
             wolftpm_config: --enable-microchip

.gitignore

@@ -87,6 +87,7 @@ examples/firmware/ifx_fw_update
 examples/firmware/st33_fw_update
 examples/endorsement/get_ek_certs
 examples/endorsement/verify_ek_cert
+examples/spdm/spdm_demo
 
 # Generated Cert Files
 certs/ca-*.pem
@@ -176,10 +177,18 @@ UpgradeLog.htm
 /IDE/Espressif/**/sdkconfig
 /IDE/Espressif/**/sdkconfig.old
 
+# SPDM build artifacts
+spdm/wolfspdm/options.h
+spdm/config.h
+spdm/stamp-h1
+spdm/src/.libs/
+spdm/src/.deps/
+spdm/test/.libs/
+spdm/test/unit_test
+
 # Firmware files
 examples/firmware/*.fi
 examples/firmware/*.BIN
 examples/firmware/*.DATA
 examples/firmware/*.MANIFEST
 examples/firmware/*.MANIFESTHASH
-

Makefile.am

@@ -46,6 +46,7 @@ include tests/include.am
 include docs/include.am
 include wrapper/include.am
 include hal/include.am
+include spdm/include.am
 include cmake/include.am
 include zephyr/include.am
 

configure.ac

@@ -22,6 +22,7 @@ AC_CANONICAL_HOST
 AC_CANONICAL_TARGET
 AC_CONFIG_MACRO_DIR([m4])
 
+
 AM_INIT_AUTOMAKE([1.11 -Wall -Werror -Wno-portability foreign tar-ustar subdir-objects no-define color-tests])
 
 AC_ARG_PROGRAM
@@ -462,6 +463,48 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_PROVISIONING"
 fi
 
+# SPDM Support
+AC_ARG_ENABLE([spdm],
+    [AS_HELP_STRING([--enable-spdm],[Enable SPDM support (default: disabled)])],
+    [ ENABLED_SPDM=$enableval ],
+    [ ENABLED_SPDM=no ]
+    )
+
+AC_ARG_WITH([wolfspdm],
+    [AS_HELP_STRING([--with-wolfspdm=PATH],[DEPRECATED: Use --enable-spdm instead.])],
+    [AC_MSG_ERROR([--with-wolfspdm is no longer needed. Use --enable-spdm instead.])])
+
+# SPDM dynamic memory (default: static/zero-malloc)
+AC_ARG_ENABLE([spdm-dynamic-mem],
+    [AS_HELP_STRING([--enable-spdm-dynamic-mem],[SPDM: Use heap allocation for context (default: static)])],
+    [ ENABLED_SPDM_DYNMEM=$enableval ],
+    [ ENABLED_SPDM_DYNMEM=no ]
+    )
+
+if test "x$ENABLED_SPDM" = "xyes"
+then
+    AC_DEFINE([WOLFTPM_SPDM], [1], [Enable SPDM support])
+
+    # Add spdm/ include path so all targets can find <wolfspdm/spdm.h>
+    AM_CPPFLAGS="$AM_CPPFLAGS -I\$(srcdir)/spdm"
+
+    # Nuvoton SPDM support (required for SPDM in wolfTPM)
+    if test "x$ENABLED_NUVOTON" = "xyes"
+    then
+        AC_DEFINE([WOLFSPDM_NUVOTON], [1], [Enable SPDM Nuvoton TPM support])
+        AC_MSG_NOTICE([Nuvoton SPDM vendor commands enabled])
+    fi
+
+    if test "x$ENABLED_SPDM_DYNMEM" = "xyes"
+    then
+        AC_DEFINE([WOLFSPDM_DYNAMIC_MEMORY], [1], [SPDM: Enable dynamic memory allocation])
+    fi
+
+    if test "x$ax_enable_debug" != "xno"
+    then
+        AC_DEFINE([WOLFSPDM_DEBUG], [1], [SPDM: Enable debug output])
+    fi
+fi
 
 # HARDEN FLAGS
 AX_HARDEN_CC_COMPILER_FLAGS
@@ -493,6 +536,7 @@ AM_CONDITIONAL([BUILD_CHECKWAITSTATE], [test "x$ENABLED_CHECKWAITSTATE" = "xyes"
 AM_CONDITIONAL([BUILD_AUTODETECT], [test "x$ENABLED_AUTODETECT" = "xyes"])
 AM_CONDITIONAL([BUILD_FIRMWARE], [test "x$ENABLED_FIRMWARE" = "xyes"])
 AM_CONDITIONAL([BUILD_HAL], [test "x$ENABLED_EXAMPLE_HAL" = "xyes" || test "x$ENABLED_MMIO" = "xyes"])
+AM_CONDITIONAL([BUILD_SPDM], [test "x$ENABLED_SPDM" = "xyes"])
 
 
 CREATE_HEX_VERSION
@@ -578,6 +622,10 @@ for option in $OPTION_FLAGS; do
     fi
 done
 
+# Also capture SPDM defines from config.h (set via AC_DEFINE, not AM_CFLAGS)
+grep '^#define WOLFSPDM_' src/config.h >> $OPTION_FILE 2>/dev/null || true
+grep '^#define WOLFTPM_SPDM' src/config.h >> $OPTION_FILE 2>/dev/null || true
+
 echo "" >> $OPTION_FILE
 echo "#ifdef __cplusplus" >> $OPTION_FILE
 echo "}" >> $OPTION_FILE
@@ -622,3 +670,7 @@ echo "   * Nuvoton NPCT75x:           $ENABLED_NUVOTON"
 
 echo "   * Runtime Module Detection:  $ENABLED_AUTODETECT"
 echo "   * Firmware Upgrade Support:  $ENABLED_FIRMWARE"
+echo "   * SPDM Support:              $ENABLED_SPDM"
+if test "x$ENABLED_SPDM" = "xyes"; then
+    echo "   * SPDM Dynamic Mem:          $ENABLED_SPDM_DYNMEM"
+fi

examples/include.am

@@ -18,6 +18,7 @@ include examples/seal/include.am
 include examples/attestation/include.am
 include examples/firmware/include.am
 include examples/endorsement/include.am
+include examples/spdm/include.am
 
 if BUILD_EXAMPLES
 EXTRA_DIST += examples/run_examples.sh

examples/spdm/README.md

@@ -0,0 +1,88 @@
+# TPM SPDM Examples
+
+This directory contains the SPDM demo for Nuvoton NPCT75x TPMs with wolfTPM.
+
+## Overview
+
+The `spdm_demo` establishes an SPDM secure session between the host and a
+Nuvoton TPM over SPI, enabling AES-256-GCM encrypted bus communication. Once
+active, all TPM commands are automatically encrypted with no application changes.
+
+For standard SPDM protocol support (spdm-emu, measurements, challenge, etc.),
+see the [wolfSPDM](https://github.com/aidangarske/wolfSPDM) standalone library.
+
+## Building
+
+### Prerequisites
+
+wolfSSL with crypto algorithms required for SPDM Algorithm Set B:
+
+```bash
+cd wolfssl
+./autogen.sh
+./configure --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+make && sudo make install && sudo ldconfig
+```
+
+### wolfTPM with Nuvoton SPDM
+
+```bash
+cd wolfTPM
+./autogen.sh
+./configure --enable-spdm --enable-nuvoton
+make
+```
+
+## Demo Commands
+
+| Option | Description |
+|--------|-------------|
+| `--enable` | Enable SPDM on TPM via NTC2_PreConfig (one-time, requires reset) |
+| `--disable` | Disable SPDM on TPM via NTC2_PreConfig (requires reset) |
+| `--status` | Query SPDM status from TPM |
+| `--get-pubkey` | Get TPM's SPDM-Identity P-384 public key |
+| `--connect` | Establish SPDM session (ECDH P-384 handshake) |
+| `--lock` | Lock SPDM-only mode (use with `--connect`) |
+| `--unlock` | Unlock SPDM-only mode (use with `--connect`) |
+
+## Usage Examples
+
+```bash
+# One-time setup: enable SPDM + GPIO reset
+./examples/spdm/spdm_demo --enable
+gpioset gpiochip0 4=0 && sleep 0.1 && gpioset gpiochip0 4=1 && sleep 2
+
+# Query SPDM status
+./examples/spdm/spdm_demo --status
+
+# Get TPM identity key
+./examples/spdm/spdm_demo --get-pubkey
+
+# Establish SPDM session
+./examples/spdm/spdm_demo --connect
+
+# Lock SPDM-only mode (connect + lock in one session)
+./examples/spdm/spdm_demo --connect --lock
+gpioset gpiochip0 4=0 && sleep 0.1 && gpioset gpiochip0 4=1 && sleep 2
+
+# All commands now auto-encrypt:
+./examples/wrap/caps          # auto-SPDM, AES-256-GCM encrypted
+./tests/unit.test             # full test suite over encrypted bus
+
+# Unlock SPDM-only mode
+gpioset gpiochip0 4=0 && sleep 0.1 && gpioset gpiochip0 4=1 && sleep 2
+./examples/spdm/spdm_demo --connect --unlock
+gpioset gpiochip0 4=0 && sleep 0.1 && gpioset gpiochip0 4=1 && sleep 2
+```
+
+## Automated Test Suite
+
+Runs 6 tests: status, connect, lock, unit test over SPDM, unlock, cleartext caps setup lifecycle on hardware.
+
+```bash
+./examples/spdm/spdm_test.sh
+```
+
+## Support
+
+For production use with hardware TPMs and SPDM support, contact **support@wolfssl.com**.

examples/spdm/include.am

@@ -0,0 +1,18 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+
+if BUILD_EXAMPLES
+if BUILD_SPDM
+noinst_PROGRAMS += examples/spdm/spdm_demo
+
+examples_spdm_spdm_demo_SOURCES         = examples/spdm/spdm_demo.c
+examples_spdm_spdm_demo_LDADD           = src/libwolftpm.la $(LIB_STATIC_ADD)
+examples_spdm_spdm_demo_DEPENDENCIES    = src/libwolftpm.la
+examples_spdm_spdm_demo_CFLAGS          = $(AM_CFLAGS) -I$(srcdir)/spdm
+endif
+endif
+
+example_spdmdir = $(exampledir)/spdm
+dist_example_spdm_DATA = examples/spdm/spdm_demo.c
+
+DISTCLEANFILES+= examples/spdm/.libs/spdm_demo