wolfTPM Support for Das U-Boot

wolfTPM now includes support for Das U-Boot, extending TPM 2.0 access to early boot stages in secure embedded systems. This port enables direct TPM communication in U-Boot environments using software SPI and provides both native and high-level APIs for flexibility.

Key Features

  • SOFT SPI Driver
  • Full TPM 2.0 command set
  • Both native API and wrapper APIs for complex TPM operations
  • Two integration paths:
    • __linux__: Uses tpm2_linux.c to communicate via standard Linux TPM interfaces
    • __UBOOT__: Direct SPI communication via tpm_io_uboot.c

U-Boot TPM Commands

The wolftpm command interface in U-Boot offers a rich set of TPM 2.0 operations, including:

  • Basic TPM control: init, startup, self_test, info
  • PCR management: pcr_extend, pcr_read, pcr_allocate, pcr_print
  • Security features: clear, change_auth, dam_reset, dam_parameters
  • Firmware management: firmware_update, firmware_cancel
  • Capability reporting: caps, get_capability

These commands allow developers to initialize, configure, and query TPM state from within U-Boot, enabling security features even before the OS loads.

Extended Functionality

While U-Boot includes basic TPM 2.0 command support through its native library, wolfTPM extends this functionality with the ability to manage firmware updates.

Firmware Management Support

wolfTPM includes dedicated commands for managing TPM firmware, allowing users to directly perform updates and control firmware behavior from the U-Boot shell:

  • firmware_update <manifest_addr> <manifest_sz> <firmware_addr> <firmware_sz>
    Performs a full firmware update on the TPM, given the memory addresses and sizes of a signed manifest and the matching firmware image.
  • firmware_cancel
    Cancels or abandons an in-progress firmware update.
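The following U-Boot shell sequence is an added example of how the commands listed above fit together; it is not part of the wolfTPM project or of the original post. It assumes that each subcommand is invoked as wolftpm <subcommand>, that the manifest and firmware files live on the first partition of MMC device 0, that the RAM addresses and file names are board-specific placeholders, and that the wolftpm command returns a non-zero status on failure so that the hush shell's if/else can react to it. The basic control commands (init, startup, self_test, caps) from the command list earlier in this post are used to bring the TPM up and to capture the firmware version before and after the update.

```uboot
# Added example, not wolfTPM project code: TPM firmware update from the U-Boot shell.
# Assumptions: "wolftpm <subcommand>" invocation; files on mmc 0:1; placeholder
# RAM addresses; wolftpm returns non-zero on failure. ${filesize} is set (in hex)
# by U-Boot's "load" after each successful load, so sizes are never hand-typed.

# Bring the TPM up and confirm it is healthy before touching its firmware.
wolftpm init
wolftpm startup
wolftpm self_test
wolftpm caps            # note the firmware version reported here for later comparison

# Stage the signed manifest and the firmware image in RAM, capturing each size.
setenv manifest_addr 0x42000000
setenv fw_addr       0x43000000
load mmc 0:1 ${manifest_addr} tpm_fw_manifest.bin || echo "manifest load failed"
setenv manifest_sz ${filesize}
load mmc 0:1 ${fw_addr} tpm_fw_image.bin || echo "firmware image load failed"
setenv fw_sz ${filesize}

# Perform the update. The manifest is the signed object the TPM checks before it
# accepts the image; if the update does not complete, abandon it explicitly so the
# TPM is not left mid-update.
if wolftpm firmware_update ${manifest_addr} ${manifest_sz} ${fw_addr} ${fw_sz}; then
    echo "TPM firmware update succeeded"
else
    echo "TPM firmware update failed; cancelling"
    wolftpm firmware_cancel
fi

# Re-read capabilities and compare the reported firmware version with the earlier value.
wolftpm caps
```

Keep the manifest and image together as one versioned pair on the boot medium: the update is only as trustworthy as the manifest's signature, so a mismatched or unsigned image should be rejected by the TPM rather than by anything in this script.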

These capabilities are not present in U-Boot’s built-in TPM stack, which lacks any mechanism for managing TPM firmware or triggering a reboot of the TPM device. With wolfTPM, developers gain direct control over the TPM lifecycle, supporting scenarios like:

  • Field upgrades of TPM firmware
  • Factory provisioning with verified firmware images
  • TPM resets and recovery via startup/shutdown sequences

By leveraging wolfTPM in U-Boot, embedded developers and security teams can take full advantage of the TPM 2.0 specification—including lifecycle and provisioning flows that go beyond what standard U-Boot TPM implementations provide.

Getting Started

For detailed build instructions, configuration options, and sample usage:

Conclusion

wolfTPM’s U-Boot support is ideal for securing early boot environments with TPM 2.0 features. With a rich command-line interface, flexible APIs, and tested support for QEMU and swtpm, it’s a robust solution for TPM integration in embedded platforms.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
