Announcing SPDM Support in wolfTPM

Lightweight Device Authentication for Nuvoton and NSING TPMs

Device Attestation and Authentication Are No Longer Optional

From data center accelerators to automotive ECUs, the industry is moving toward verifying every component on every bus. Today, wolfSSL is proud to announce SPDM support in wolfTPM, enabling secure device authentication and attestation for Nuvoton NPCT75x and NSING NS350 TPMs using the DMTF Security Protocol and Data Model.
Developed in partnership with NSING Technologies (NSING) and Nuvoton, wolfTPM is the first and only open-source SPDM implementation with native hardware TPM integration for multiple vendors.

Getting started with wolfSSL? Download the latest libraries and start exploring.

What Is SPDM?

SPDM (the DMTF Security Protocol and Data Model, DSP0274) is a request/response protocol in which a requester, typically the host, asks a responder such as a TPM to present its certificate chain, prove possession of the matching private key, report measurements, and set up an encrypted session for further traffic. wolfTPM now includes a clean-room, native C implementation of the SPDM 1.3 requester side, located in the spdm/ directory, so a host can authenticate and attest connected devices using these standardized exchanges.
It is not a wrapper around another library. It is a purpose-built, safety-critical, from-scratch implementation designed for the constraints of embedded systems.

Key Features

No Dynamic Memory Allocation
wolfTPM’s SPDM implementation uses zero malloc calls by default. All buffers are statically allocated, making it ideal for bare-metal deployments, safety-critical systems, and environments where heap usage is prohibited. For platforms with limited stack space, `--enable-smallstack` heap-allocates the SPDM context instead; that option trades the no-heap guarantee for a smaller stack footprint, so choose one or the other deliberately rather than enabling both expectations at once.

Transport Agnostic
The SPDM implementation uses a callback-based transport interface. Whether your bus is MCTP, PCIe DOE, SPI, or something proprietary, you supply the send/receive callbacks and wolfTPM handles the protocol.

FIPS 140-3 Ready
Cryptographic operations (key exchange, signatures, hashing, HKDF and AEAD) are handled entirely by wolfCrypt, wolfSSL’s FIPS 140-3 validated crypto engine. The SPDM code contains no crypto primitives of its own, and there are no external crypto dependencies.

DO-178C DAL A Path
wolfTPM supports a path to the highest level of DO-178C avionics certification for TPM 2.0 operations.

Compatible with spdm-emu
wolfTPM’s SPDM support is tested and validated against the DMTF’s spdm-emu reference emulator, ensuring interoperability with the standard ecosystem.

Multi-Vendor TPM Support
wolfTPM supports SPDM on two TPM families out of the box:

Feature          Nuvoton NPCT75x                         NSING NS350
Session mode     Identity key (ECDHE P-384)              Identity key + PSK
SPDM version     1.3                                     1.3
Algorithm set    Algorithm Set B                         Algorithm Set B
SPDM control     GPIO-based enable/disable + HW reset    Command-based
Certification    FIPS 140-2 Level 1                      (not listed)

Both vendors negotiate SPDM 1.3 and use Algorithm Set B (P-384 / SHA-384 / AES-256-GCM / HKDF-SHA384).

PSK Mode (NSING NS350)
The NSING NS350 supports an additional session establishment mode using a 64-byte pre-shared key. PSK mode uses the standard SPDM PSK_EXCHANGE and PSK_FINISH messages (part of the protocol since SPDM 1.1), providing symmetric key-based session establishment as an alternative to ECDHE. A given session uses either the PSK or the identity key, never both, and both modes protect traffic with AES-256-GCM. The PSK must be provisioned on the device beforehand (see the PSK_SET_ command below), and because no certificate or signature takes part in the exchange, a PSK session proves only that the peer holds the key; the PSK therefore needs the same protection as a private key.
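To make the identity-key and PSK paths concrete, here is an added example, not wolfTPM code and not from NSING or Nuvoton, that runs the SPDM session key schedule for Algorithm Set B in Python once with a constructed ECDHE shared secret and once with a constructed 64-byte PSK. It follows the DSP0274 schedule as the author reads it (HKDF-Extract with a zero salt, BinConcat labels with a uint16 little-endian length and the "spdm1.3 " version string); the secrets and transcript hashes are made up, and the constants should be checked against the spec text before any real use.

```python
"""SPDM 1.3 session key schedule for Algorithm Set B (SHA-384 / AES-256-GCM / HKDF-SHA384).

Added illustration, not wolfTPM code. It models the DSP0274 key schedule as the author
reads it (zero salt, BinConcat labels, uint16 little-endian length) so the identity-key
(ECDHE) and PSK paths can be compared side by side. All inputs are constructed samples.
"""
import hashlib
import hmac

HASH = hashlib.sha384
H = HASH().digest_size               # 48 bytes
AEAD_KEY_LEN = 32                    # AES-256-GCM key
AEAD_IV_LEN = 12                     # AES-GCM nonce
VERSION_LABEL = b"spdm1.3 "          # BinConcat version string; trailing space is part of it

# Constructed sample inputs (NOT real secrets or captured transcripts).
SAMPLE_DHE_SECRET = bytes(range(48))                      # stands in for the P-384 ECDHE result
SAMPLE_PSK = bytes((i * 7) & 0xFF for i in range(64))     # 64-byte PSK, the size the NS350 uses
SAMPLE_TH1 = HASH(b"VCA||CERT||KEY_EXCHANGE||KEY_EXCHANGE_RSP-partial").digest()
SAMPLE_TH2 = HASH(b"TH1-transcript||FINISH||FINISH_RSP").digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA384."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA384."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def bin_concat(length: int, label: bytes, context: bytes = b"") -> bytes:
    """BinConcat(Length, Version, Label, Context), used as the HKDF-Expand info string."""
    return length.to_bytes(2, "little") + VERSION_LABEL + label + context


def derive_session_keys(ikm: bytes, th1: bytes, th2: bytes) -> dict:
    """Run the schedule. ikm is the ECDHE shared secret (identity-key mode) or the PSK
    (PSK mode); everything after the first HKDF-Extract is identical for both modes."""
    zero = bytes(H)
    handshake_secret = hkdf_extract(zero, ikm)
    req_hs = hkdf_expand(handshake_secret, bin_concat(H, b"req hs data", th1), H)
    rsp_hs = hkdf_expand(handshake_secret, bin_concat(H, b"rsp hs data", th1), H)
    salt1 = hkdf_expand(handshake_secret, bin_concat(H, b"derived"), H)
    master_secret = hkdf_extract(salt1, zero)
    req_app = hkdf_expand(master_secret, bin_concat(H, b"req app data", th2), H)
    rsp_app = hkdf_expand(master_secret, bin_concat(H, b"rsp app data", th2), H)

    def aead_key_iv(secret: bytes):
        return (hkdf_expand(secret, bin_concat(AEAD_KEY_LEN, b"key"), AEAD_KEY_LEN),
                hkdf_expand(secret, bin_concat(AEAD_IV_LEN, b"iv"), AEAD_IV_LEN))

    return {
        "req_finished_key": hkdf_expand(req_hs, bin_concat(H, b"finished"), H),
        "rsp_finished_key": hkdf_expand(rsp_hs, bin_concat(H, b"finished"), H),
        "req_hs_aead": aead_key_iv(req_hs),      # protects FINISH / PSK_FINISH
        "rsp_hs_aead": aead_key_iv(rsp_hs),
        "req_app_aead": aead_key_iv(req_app),    # protects wrapped TPM commands
        "rsp_app_aead": aead_key_iv(rsp_app),
        "export_master_secret": hkdf_expand(master_secret, bin_concat(H, b"exp master", th2), H),
    }


def identity_key_session() -> dict:
    """ECDHE path: the shared secret is the HKDF input keying material."""
    return derive_session_keys(SAMPLE_DHE_SECRET, SAMPLE_TH1, SAMPLE_TH2)


def psk_session() -> dict:
    """PSK path: the provisioned 64-byte PSK is the HKDF input keying material."""
    return derive_session_keys(SAMPLE_PSK, SAMPLE_TH1, SAMPLE_TH2)


if __name__ == "__main__":
    for name, keys in (("identity", identity_key_session()), ("psk", psk_session())):
        key, iv = keys["req_app_aead"]
        print(f"{name}: req app key {len(key)} B, iv {len(iv)} B, key prefix {key.hex()[:16]}")
```

The two modes differ only in what enters the first HKDF-Extract; the rest of the schedule, and therefore the AES-256-GCM key and IV sizes, is the same, which is why both modes end up with AES-256-GCM transport. It also shows what PSK mode does not give you: nothing in the derivation binds to a certificate or signature, so the session is only as strong as the secrecy of those 64 bytes.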

TCG SPDM Binding
wolfTPM implements the full TCG SPDM binding specification. Once an SPDM session is established, all TPM commands are transparently wrapped in encrypted VENDOR_DEFINED_REQUEST(“TPM2_CMD”) messages. No application code changes are needed.
The binding supports vendor-defined commands for key provisioning (GET_PUBK, GIVE_PUB), status queries (GET_STS_), SPDM-only mode enforcement (SPDMONLY), and NSING-specific PSK management (PSK_SET_, PSK_CLR_).
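The transparent wrapping described above, together with the send/receive callback transport from the Key Features section, as an added Python example; this is not wolfTPM code, and the real binding layout and callback signatures are in the wolfTPM spdm/ directory. The SPDM VENDOR_DEFINED_REQUEST/RESPONSE header layout follows DSP0274; the TCG-binding specifics (StandardID 0x0001 for TCG, the "TPM2_CMD" tag used as the VendorID, the payload being a raw TPM command) are assumptions made for the illustration, the responder is a constructed stand-in for a TPM, and the AES-256-GCM secured-message layer that encloses these bytes inside a session is left out.

```python
"""TPM 2.0 command carried in an SPDM VENDOR_DEFINED_REQUEST over a callback transport.

Added illustration, not wolfTPM code. SPDM header fields follow DSP0274 (version 0x13,
request code 0xFE, response code 0x7E, little-endian lengths). The TCG binding specifics
are ASSUMED: StandardID 0x0001 for TCG and the ASCII tag "TPM2_CMD" as the VendorID.
The AES-256-GCM secured-message layer is omitted; the responder is a constructed TPM stand-in.
"""
import struct
from collections import deque
from typing import Callable, Tuple

SPDM_VERSION_1_3 = 0x13
VENDOR_DEFINED_REQUEST = 0xFE
VENDOR_DEFINED_RESPONSE = 0x7E
STANDARD_ID_TCG = 0x0001           # ASSUMED registry value for TCG
VENDOR_ID_TPM2_CMD = b"TPM2_CMD"   # ASSUMED: the tag named on the page, used as VendorID

TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_GETRANDOM = 0x0000017B
TPM_RC_SUCCESS = 0x00000000
TPM_RC_COMMAND_CODE = 0x00000143   # TPM_RC_VER1 + 0x043: unknown command code

def tpm2_get_random_cmd(bytes_requested: int) -> bytes:
    """TPM2_GetRandom: tag, commandSize, commandCode (big-endian) then UINT16 bytesRequested."""
    body = struct.pack(">H", bytes_requested)
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(body), TPM_CC_GETRANDOM) + body

def wrap_vendor_defined(code: int, payload: bytes) -> bytes:
    """Version|Code|Param1|Param2|StandardID(LE16)|Len|VendorID|PayloadLen(LE16)|Payload."""
    hdr = struct.pack("<BBBBHB", SPDM_VERSION_1_3, code, 0, 0,
                      STANDARD_ID_TCG, len(VENDOR_ID_TPM2_CMD)) + VENDOR_ID_TPM2_CMD
    return hdr + struct.pack("<H", len(payload)) + payload

def unwrap_vendor_defined(msg: bytes, expected_code: int) -> bytes:
    """Check the framing strictly and return the inner TPM bytes; anything odd is rejected
    before it can reach the TPM layer."""
    if len(msg) < 7:
        raise ValueError("short SPDM header")
    ver, code, _p1, _p2, std_id, vlen = struct.unpack_from("<BBBBHB", msg, 0)
    if ver != SPDM_VERSION_1_3 or code != expected_code:
        raise ValueError("unexpected SPDM version or message code")
    vid = msg[7:7 + vlen]
    if std_id != STANDARD_ID_TCG or vid != VENDOR_ID_TPM2_CMD:
        raise ValueError("not a TCG TPM2_CMD vendor-defined message")
    off = 7 + vlen
    if len(msg) < off + 2:
        raise ValueError("missing payload length")
    (plen,) = struct.unpack_from("<H", msg, off)
    payload = msg[off + 2:]
    if len(payload) != plen:
        raise ValueError("payload length mismatch")
    return payload

def fake_tpm_responder(request: bytes) -> bytes:
    """Constructed TPM stand-in: answers TPM2_GetRandom with fixed, NON-random bytes."""
    cmd = unwrap_vendor_defined(request, VENDOR_DEFINED_REQUEST)
    tag, size, cc = struct.unpack_from(">HII", cmd, 0)
    if tag != TPM_ST_NO_SESSIONS or size != len(cmd):
        raise ValueError("malformed TPM command header")
    if cc != TPM_CC_GETRANDOM:
        rsp = struct.pack(">HII", TPM_ST_NO_SESSIONS, 10, TPM_RC_COMMAND_CODE)
    else:
        (n,) = struct.unpack_from(">H", cmd, 10)
        rnd = bytes((i * 37 + 11) & 0xFF for i in range(n))
        body = struct.pack(">H", n) + rnd              # TPM2B_DIGEST randomBytes
        rsp = struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(body), TPM_RC_SUCCESS) + body
    return wrap_vendor_defined(VENDOR_DEFINED_RESPONSE, rsp)

def loopback_transport() -> Tuple[Callable[[bytes], None], Callable[[], bytes]]:
    """Send/receive callbacks of the kind an integrator supplies; here they loop back to
    the stand-in instead of driving MCTP, PCIe DOE or SPI."""
    inbox = deque()
    def send(frame: bytes) -> None:
        inbox.append(fake_tpm_responder(frame))
    def recv() -> bytes:
        if not inbox:
            raise TimeoutError("no response pending")
        return inbox.popleft()
    return send, recv

class SpdmTpmChannel:
    """Requester side: the application passes a plain TPM command and gets a plain TPM
    response; the SPDM framing is added and stripped underneath."""
    def __init__(self, send_cb, recv_cb):
        self._send, self._recv = send_cb, recv_cb
    def transmit(self, tpm_cmd: bytes) -> bytes:
        self._send(wrap_vendor_defined(VENDOR_DEFINED_REQUEST, tpm_cmd))
        return unwrap_vendor_defined(self._recv(), VENDOR_DEFINED_RESPONSE)

def get_random_over_spdm(n: int) -> Tuple[int, bytes]:
    """(TPM_RC, randomBytes) for a TPM2_GetRandom sent through the channel."""
    send, recv = loopback_transport()
    rsp = SpdmTpmChannel(send, recv).transmit(tpm2_get_random_cmd(n))
    _tag, _size, rc = struct.unpack_from(">HII", rsp, 0)
    if rc != TPM_RC_SUCCESS:
        return rc, b""
    (count,) = struct.unpack_from(">H", rsp, 10)
    return rc, rsp[12:12 + count]
```

The application-facing call is `transmit(tpm_cmd)` with an unmodified TPM command, which is the "no application code changes" property; the transport is nothing more than the two callbacks handed to the channel. Note that the unwrap step verifies version, message code, StandardID, VendorID and the declared length before handing anything to the TPM layer: inside a real session the AEAD tag already rejects tampered frames, but a strict parser is still what stops a confused or buggy responder from feeding garbage to the command decoder.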

Encrypted TPM Bus Transfers
With an SPDM session established, TPM commands and responses cross the physical bus to the TPM inside the encrypted session, so an interposer or logic analyzer on the bus sees only ciphertext instead of cleartext TPM traffic (the kind of bus-level capture that has historically exposed unsealed secrets). wolfTPM is the only implementation that performs these encrypted bus transfers with hardware TPMs (Nuvoton NPCT75x and NSING NS350).

Who Is This For?

wolfTPM’s SPDM support is built for OEMs and firmware engineers who need SPDM without the footprint of the DMTF reference implementation, libspdm. It goes beyond device authentication: wolfTPM provides encrypted bus transfers, hardware-backed key storage, and PSK-based session establishment for an authenticated, encrypted channel to the TPM. Whether you are building data center infrastructure, automotive ECUs, or IoT devices with NSING or Nuvoton TPMs, wolfTPM provides a production-ready SPDM stack.

Expanding SPDM Support

wolfTPM’s SPDM support now covers Nuvoton NPCT75x and NSING NS350 TPMs, developed in direct partnership with both manufacturers. wolfSSL is actively working with additional TPM vendors to expand coverage. The spdm/ directory is architected to support new vendors with minimal code changes and can be branched into a standalone repository for non-TPM SPDM use cases.
Contact support@wolfssl.com to discuss your use case.

Get Started

wolfTPM with SPDM support is available now at github.com/wolfSSL/wolfTPM.
To build with SPDM and Nuvoton support:

./autogen.sh
./configure --enable-spdm --enable-nuvoton
make

To build with SPDM and NSING support:

./autogen.sh
./configure --enable-spdm --enable-nations
make

For licensing, integration support, or to discuss your use case, please contact us at facts@wolfssl.com or +1 425 245 8247.
