
Releases: wolfSSL/wolfTPM

wolfTPM Release 3.6.0 (Nov 5, 2024)

05 Nov 21:07
251ec11

Summary

Release includes minor bug fixes and new features such as TPM provisioning of IDevID/IAK, improved capabilities parsing, new TPM2_Certify example, new wolfTPM2_CreatePrimaryKey_ex API for creation ticket and tested support with Nations NS350 TPM.

Detail

  • Fixed issue with TPM2_SetupPCRSel and added test cases. (PR #372)
  • Fixed RC_WARN error codes (broken in commit f983525). (PR #378)
  • Fixed issue with the RSA/ECC symmetric field (it should only be populated for a restricted decrypt key, i.e. a storage/parent key; otherwise it must be TPM_ALG_NULL) (PR #375)
  • Fixed examples/keygen/keygen -sym= argument. (PR #372)
  • Fixed building wolfCrypt/wolfTPM without ECC or RSA and added tests. (PR #371)
  • Fixed file descriptor check for /dev/tpm0 (PR #366)
  • Fixed STM32 GPIO SPI CS control to use pin number as bit offset, not direct value (PR #380)
  • Fixed issues building with no filesystem. (PR #374)
  • Added support for parsing all capabilities from (TPM2_GetCapability) (PR #383)
  • Added support for creation of IDevID or IAK with examples/keygen/create_primary. (PR #369)
  • Added support for Nations NS350. (PR #382)
  • Added example for TPM2_Certify (see examples/attestation/certify) (PR #369)
  • Added new wolfTPM2_CreatePrimaryKey_ex and WOLFTPM2_PKEY that supports returning creation ticket/hash. (PR #369)
  • Added key templates for initial device (IDevID) and attestation keys (IAK). (PR #369)
  • Added new build option for TPM provisioning (--enable-provisioning on by default). (PR #369)
  • Added simple capabilities example (examples/wrap/caps) (PR #382)
  • Added example to manually verify a quote with an ECC signature. (PR #379)
  • Added tests for policy seal/unseal with multiple PCRs. (PR #377)
  • Added -alg argument for PCR extend (PR #383)
  • Added helper to get wolfCrypt hash type TPM2_GetTpmHashType (PR #384)
  • Added new policy hash helper API wolfTPM2_PolicyHash (PR #369)
  • Added documentation for /dev/tpm0 permissions (PR #366)
  • Improved the TPM TLS examples for use with WOLFTPM_MFG_IDENTITY (PR #376)
  • Moved PTHREAD definition from options.h to config.h (avoids possible re-declaration issue) (PR #381)
  • Switched handle/nvIndex string parsing to use strtoul. (PR #369)
  • Various spelling and documentation cleanups. (PR #366 / PR #373)

wolfTPM Release 3.4.0 (July 30, 2024)

30 Jul 22:16
196c06c

Summary

Added Endorsement Key Certificate support. Added support for NV read/write with policy. Added policy password support. Refactor of the session authentication structures.

Detail

  • Added EK Certificate Support (PR #360)
    • Added the new wolfTPM2_GetKeyTemplate_EK family of APIs for getting the EK public templates used to generate the EK primary key.
    • Added examples/endorsement/get_ek_certs showing how to retrieve and validate the manufacturer's endorsement key certificates.
  • Improvements to auth handling to support Policy Password and Policy Auth Value (PR #350)
    • Refactor to eliminate confusing cast between TPMS_AUTH_COMMAND and TPM2_AUTH_SESSION.
    • Support for policy auth value and policy password.
    • Added new NV policy write/read APIs wolfTPM2_NVWriteAuthPolicy and wolfTPM2_NVReadAuthPolicy.
  • Fixed ST33KTPM IAK/IDevID provisioning NV indexes. (PR #361)
  • Fixed TLS example build issues with wolfSSL not having crypto callback or PK callback enabled. (PR #360)
  • Fixed CSR version (use version 0) (PR #359)
  • Fixed issue with Doxygen generation of wolfTPM due to doxybook2 crashing on unnamed enum. (PR #357)
  • Fixed HMAC session save last (not typically used) (PR #355)
  • Fixed Infineon I2C HAL gating logic (PR #347)
  • Added documentation for IAK/IDevID build options. (PR #361)
  • Added support for Espressif IDE (see IDE/Espressif) (PR #321)
  • Added tests for create_primary (PR #345)
  • Improved software TPM (docs/SWTPM.md) documentation (PR #348)

wolfTPM Release 3.2.0 (Apr 24, 2024)

24 Apr 18:18
1fa1595

Summary

Added TPM Firmware update support (Infineon SLB9672/SLB9673). Added support for pre-provisioned device identity keys/certificates (STMicro ST33). Fixed issue with sealing secret to prevent userWithAuth by default. Expanded the TPM get capabilities support.

Detail

  • Added new API wolfTPM2_NVCreateAuthPolicy for allowing NV creation with policy (PR #344)
  • Added Infineon firmware update recovery support (PR #342)
  • Added support for Infineon Firmware upgrade (PR #339)
    • Added support for Infineon SLB9672/SLB9673 Firmware upgrade (see examples/firmware/README.md)
    • Added Infineon Modus Toolbox support. See wolfssl/IDE/Infineon/README.md for setup instructions.
    • Added support for Infineon CyHal I2C support.
    • Added Firmware extraction tool
    • Added Firmware update example application examples/firmware/ifx_fw_update.
    • Added support for vendor capabilities TPM_CAP_VENDOR_PROPERTY.
    • Added XSLEEP_MS macro for firmware update delay.
    • Added support for getting key group id, operational mode and update counts.
    • Added support for abandoning an update.
    • Added support for firmware update done, but not finalized
    • Added Infineon CyHal SPI support.
    • Fixed auto-detect to not define SLB9672/SLB9673.
  • Fixed TLS examples to not use openssl compatibility macros (PR #341)
  • Added ST33 support for pre-provisioned device identity key and certificate (PR #336)
    • Added support for pre-provisioned TPM using the "TPM 2.0 Keys for Device Identity and Attestation" specification. See build macro: WOLFTPM_MFG_IDENTITY.
    • Added example for using TPM pre-provisioned device identity to TLS client example.
    • Fixed ST33 vendor command to enable command codes (TPM2_SetCommandSet) (it requires platform auth to be set).
    • Added benchmarks for new ST33KTPM2XI2C.
    • Fixed 0x1XX error code parsing.
    • Fixed ST33 part descriptions.
    • Updated example certificates.
  • Fixes for building wolfTPM examples with NO_FILESYSTEM (PR #338)
  • Fixed crypto callback hashing return code initialization (PR #334)
  • Updated documentation for Infineon SLB9673 (I2C) (PR #337)
  • Fixed Documentation references for generated user manual (PR #335)
  • Fixed netdb.h include (PR #333)
  • Fixes for building with "-Wpedantic" (PR #332)
  • Added new API wolfTPM2_GetHandles to get list of handles from the TPM capabilities. (PR #328)
  • Fixed config.h, which should only be included from .c files, not headers. (PR #330/#331)
  • Fixed CMake tests (PR #329)
  • Fixed and improved secret sealing/unsealing (PR #327)
    • Do not set userWithAuth by default when creating sealed objects. That flag allows password (HMAC) auth for the sealed object; without it the object can only be unsealed through a policy session that satisfies its authPolicy.
    • Allow setting policy auth with flags.
    • Fix secret_unseal to use policy session and valid sealed name.
    • Added expected failure test cases for seal/unseal with policy.
    • Improve the run_examples.sh script
  • Improved types for htons and byte swap (PR #326)
    • Match byte swap logic with wolfSSL (use WOLF_ALLOW_BUILTIN).
    • Remove unused XHTONS and arpa/inet.h.
  • Improved STMicro product naming (PR #325)
  • Improved the STM32Cube template (PR #324)
    • Setup so next pack can add small stack and transport options: WOLFTPM_CONF_SMALL_STACK and WOLFTPM_CONF_TRANSPORT (0=SPI, 1=I2C).
  • Fixed build error with missing wc_RsaKeyToPublicDer_ex (PR #323)
  • Improved the ECC macro checks for wc_EccPublicKeyToDer (PR #323)
  • Added PKCS7 ECC support to example (PR #322)
    • Added wrapper function to export TPM public key as DER/ASN.1 or PEM.
    • Fixed crypto callback ECC sign to handle getting keySz for unknown cases (like PKCS7 without privateKey set).
  • Added expanded key template and cleanups (PR #321)
    • Fixed mixed variable declaration.
    • Added _ex version for GetKeyTemplate RSA/ECC to allow setting all template parameters.

wolfTPM Release 3.1.0 (Dec 29, 2023)

29 Dec 19:49
e54734a

Summary

Support for using TLS PK callbacks with TPM for ECC and RSA. Improved the crypto callback support and added RSA Key generation. Fixed issues with endorsement hierarchy. Added Windows Visual Studio solution and project for wolfTPM. Improved the STM32 HAL IO callback options and logging.

Detail

  • Removed use of error-ssl.h in library proper. (PR #308)
  • Fixed CSR crypto callback to use a different (not default) devId to avoid conflict. (PR #310)
  • Added TPM crypto callback support for RSA key generation (PR #311)
  • Fixed and improved for ECC crypto callbacks (PR #311)
    • Allow import of wolf ECC marked as private only (ECC_PRIVATEKEY_ONLY).
    • Improve the ECC key import scheme for signing.
    • Improve logic for finding TPM curve in ECC key generation. A call to wc_ecc_make_key can use curve_id 0 (to detect), but we can get it from the "dp".
    • Properly translate a TPM ECC signature verify error for compatibility.
    • Support ECC KeyGen for signing or derive based on callback context eccKey or ecdhKey population.
    • Fix to make sure leading zeros are removed from the ECC signature when not required.
    • Fix leading zero issue on ECC verify.
  • Cleanup KDF function return code checking to avoid scan-build warning. (PR #311)
  • Fixed ECC encrypt secret integrity check failed due to zero pad issue. (PR #311)
  • Fixed wolfTPM2_GetRng possibly not returning an initialized WC_RNG. (PR #311)
  • Fixed TLS bidirectional shutdown socket issue due to port collision with SWTPM. (PR #311)
  • Fixed policy_sign issue when r or s is less than key size (needs zero padding). (PR #311)
  • Fixed building wolfCrypt without PEM to DER support. (PR #311)
  • Added support for TLS PK callbacks with ECC and RSA Sign using PKCSv1.5 and PSS padding (PR #312)
    • Fixed building wolfTPM without crypto callbacks.
    • Fixed building/running with FIPS.
    • Cleanup TLS PK callback RSA PSS padding.
    • Cleanup TLS server/client.
    • Added server -i option to keep running unless failure.
    • Added TLS server option -self to use the self signed certs.
    • Added tests for the TLS PK with TPM.
  • Added CMakeList.txt to autoconf, so it is in the "make dist" commercial bundles. (PR #313)
  • Fixed HAL IO prototype to match (TPM2HalIoCb and TPM2_IoCb) and cast warnings. (PR #313)
  • Added support for getting the keyblob sizes if buffer is NULL. (PR #315)
  • Added tests for keyblob buffer export/import. (PR #315)
  • Added Windows Visual Studio project for wolfTPM. Added GitHub Actions to test it. (PR #316)
  • Added support for overriding the PORT/PIN for the STM32 Cube HAL. (PR #314)
  • Fixed ECC sign with a key marked for both sign and decrypt so that the ECDSA hash algorithm is detected. (PR #317)
  • Fixes for compiler type warnings. (PR #318)
  • Added WOLFTPM_NO_LOCK. (PR #318)
  • Improved STM IO options/logging. (PR #318)
  • Fixed attestation with endorsement key (PR #320)
    • Enabled the broken endorsement tests.
    • Improved TPM2_GetRCString error rendering to correctly resolve RC_WARN.
      • Added error debug for parameter, session and handle number.
      • Refactor line length / alignment.
      • Removed duplicate "success".
    • Removed the deprecated WOLFTPM2_KEYBLOB.name. It has been moved to handle.name.
    • Fixed native test TPM2_PolicyPCR.
    • Fixed CMake build broken, since cryptocb refactor in PR #304.
    • Added CI tests for CMake.

wolfTPM Release 3.0.0 (Oct 30, 2023)

30 Oct 20:29
5b288d4

Summary

Refactor of command authentication. Support for ECC sessions and secrets. Support for policy sealing/unsealing. Examples for secure boot.

Detail

  • Refactor of the command authentication. If command does not require auth do not supply it (PR #305)
  • Refactor HAL and added Microchip Harmony SPI HAL support (PR #251)
  • Relocate crypto callback code to its own code file (PR #304)
  • Fixed using a custom wolfTPM CSR sigType (PR #307)
  • Fixed building with ECC 384-bit only support (PR #307)
  • Fixed issue with using struct assignment (switched to memcpy) (PR #303)
  • Fixed various issues building with C++ compiler (PR #303)
  • Fixed issues with STM32 I2C build and improved performance (PR #302)
  • Fixed seal with RSA and PCR extend auth. (PR #296)
  • Fixed issue including user_settings.h when --disable-wolfcrypt set (PR #285)
  • Fixed TPM private key import with custom seed (PR #281)
  • Fixed autogen.sh (autoconf) to generate without warnings (PR #279)
  • Fixed TPM2 create with decrypt or restricted flag set (PR #275)
  • Fixed and improved low resource build options (PR #269)
  • Fixed the TPM_E_COMMAND_BLOCKED macro to have the correct value (PR #257)
  • Fixed casting and unused variable problems on windows (PR #255)
  • Fixed Linux usage of cs_change and added config overrides (PR #268)
  • Fixed and improved the NV auth and session auth set/unset (PR #299)
  • Fixed capability to handle unknown TPM2_GetCapability type and fix bad printf (PR #293)
  • Fixed macros for file IO XFEOF and XREWIND to make sure they are available (PR #277)
  • Fixed seal/unseal example (PR #306)
  • Fixed TLS examples with param enc enabled (PR #306)
  • Fixed signed_timestamp with ECC (PR #306)
  • Added CI tests for CSharp wrappers (PR #307)
  • Added support for sealing/unsealing based on a PCR that is signed externally (PR #294)
  • Added examples for Secure Boot solution to store root of trust in NV (PRs #276, #289, #291 and #292)
  • Added support for importing and loading public ECC/RSA keys formatted as PEM or DER (PR #290)
  • Added new policy_nv example (PR #298)
  • Added -nvhandle argument to nvram examples (PR #296)
  • Added code to test external import between two TPM's (PR #288)
  • Added support for STM32 Cube Expansion Pack (PR #287)
  • Added support for memory mapped (MMIO) TPMs (PR #271)
  • Added wc_SetSeed_Cb call for FIPS ecc (PR #270)
  • Added wrapper support for setting key usage (not just extended key usage) (PR #307)
  • Added RSA key import methods to handle PEM and DER encoding directly (PR #252)
  • Added thread local storage macro and make gActiveTPM local to the thread (PR #253)
  • Added Microchip macro names and Support for bench with MPLABX Harmony (PR #256)
  • Added support for encrypting secret using ECC key. Allows using ECC for parameter encryption and importing ECC keys with custom seed. (PR #276)
  • Added wolfTPM2_ChangePlatformAuth wrapper to help set the platform auth. This is useful from the bootloader, so that the platform hierarchy cannot be used from the application afterwards (PR #276)
  • Improvements to cmake build (PRs #280, #283 and #284)

wolfTPM Release 2.7.0 (Dec 27, 2022)

28 Dec 00:59
a0bd9fe

Summary

Added Infineon TriCore HAL support and examples for Keyed Hash / NV counter increment. Minor fixes for NV auth and Keyed Hash.

Detail

  • Support for Infineon TriCore (TC2XX/TC3XX) using macro WOLFTPM_INFINEON_TRICORE (PR #229)
  • Added NV counter increment example (PR #243)
  • Added Key Generation example for Keyed Hash. (PR #245)
  • Fixed for Keyed Hash with HMAC (PR #243)
  • Fixed for NV auth handling (PR #243)
  • Fixed missing call to Close(), since Windows won't flush unless it is called (PR #242)
  • Fixed tpm2.c issue with variable declarations not being at top of function (PR #246)

wolfTPM Release 2.6 (09/01/2022)

01 Sep 17:47
9cbf348

Summary

Fix for CSharp wrapper when setting a custom OID for a CSR. Added CSharp wrapper documentation and improved a few others. Added CSharp function to set key password for blob.

Detail

  • Fix for CSharp SetCustomExtension to use an allocated byte buffer instead of passing a string (PR #239)
  • Fixed for CMake wolftpm/options.h generation to support disabled source tree changes (CMAKE_DISABLE_SOURCE_CHANGES) (PR #235)
  • Fixed CMake / vcpkg issue with options.h output location (PR #235)
  • Added CSharp KeyBlob.SetKeyAuthPassword and test case (PR #237)
  • Added API documentation for the CSharp wrappers (PR #234)
  • Fixed documentation error on wolfTPM2_GetKeyBlobAsBuffer (PR #234)
  • Fixed documentation for encDecAlg with authenticated session (PR #236)
  • Fixed software TPM (docs/SWTPM.md) example argument for -rm (PR #238)

wolfTPM Release 2.5 (07/22/2022)

22 Jul 16:56
d7b76cd

Summary

Major expansion of the C# wrapper for key handling, CSR/Cert generation, RSA enc/dec and sign/verify.
Added Infineon SLB9672 support.
Enhancements to the CMake support.
Added new keygen example for creating a primary key.

Detail

  • Fixed issue with sign signature buffer size checking (PR #232)
  • Fixed support for using the nonce from the TPM (when WOLFTPM2_USE_HW_RNG is set and no wolfCrypt RNG is used) (PR #216)
  • Fixed workaround for Windows TBS self test (PR #224)
  • Fixed issue with CSharp handle unloading (PR #212)
  • Fixed TPM support for using the public key with TLS (PR #210)
  • Added crypto callback support for seeding RNG with TPM (PR #216)
  • Added Infineon SLB9672 support (PR #214)
  • Added support for using a unique template with create and create primary (PR #215)
  • Added CSharp wrapper support for RSA encrypt/decrypt and Sign/Verify. (PR #232)
  • Added CSharp wrapper documentation for CSR functions (PR #232)
  • Added CSharp support for handling TPM errors with exception (PR #224)
  • Added CSR wrappers and tests to assist with TPM based CSR/Self-Signed-Cert generation (including CSharp wrappers) (PR #219)
    • Support for subject, key usage, custom request extensions and output as PEM or DER
    • New structure WOLFTPM2_CSR, new APIs wolfTPM2_CSR_* and new CSharp class Csr
  • Added CSharp create primary key example (PR #215)
  • Added CSharp wrapper and tests for wolfTPM2_CreatePrimaryKey() (PR #213)
  • Added CSharp tests for authenticated sessions (PR #212)
  • Added CSharp wrappers wolfTPM2_SetAuthSession and wolfTPM2_NVStoreKey (PR #209)
  • Added CSharp IDisposable in classes for cleanup of unmanaged resources (PR #225)
  • Added support for wolfTPM CMake to output the options.h (PR #211)
  • Added CMake WOLFTPM_DEBUG option (PR #211)
  • Improved the byte swapping logic for GCC (PR #231)

Full Changelog:
https://github.com/wolfSSL/wolfTPM/compare/v2.4.0..v2.5.0

wolfTPM Release 2.4.0 (05/09/2022)

09 May 16:00
44dd389

Summary

Add CMake support. Add C# wrappers. Add ST33 GetRandom2. Improve TPM2_SetupPCRSel. Fixes for C++ compilers, example install and writing PEM.

Detail

  • Fixes for c++ compiler (PR #206)
  • Added C# wrappers (PR #203)
  • Added CMake support (PR #202, #204, #205)
  • Add support for ST33 vendor specific command TPM_CC_GetRandom2 (PR #200)
  • Fix writing PEM in wolfTPM2_RsaKey_TpmToPemPub (PR #201)
  • Improve TPM2_SetupPCRSel (multiple calls) (PR #198)
  • Fix for a few spelling errors and whitespace cleanup (PR #199)
  • v2.3.1 updates (PR #197)
  • Fix make install by renaming pcr example read.c (PR #196)

Full Changelog: v2.3.1...v2.4.0

wolfTPM Release 2.3.1 (11/18/2021)

19 Nov 04:40
fa39826

Summary

Fix for make install

Detail

  • Fix for installing example code on linux builds (PR #196)