Post-Quantum Firmware TPM Is Here
wolfTPM’s firmware TPM (fwTPM) is available with post-quantum cryptography support added through the TCG TPM 2.0 Library Specification v1.85. fwTPM is wolfSSL’s portable software TPM 2.0 implementation, built on wolfCrypt and intended for products that need a TPM 2.0 interface without a discrete TPM chip. The post-quantum work merged in PR #445.
New v1.85 Commands in the fwTPM Server
The following post-quantum commands are now implemented in the fwTPM server:
| Command | Description |
|---|---|
| TPM2_Encapsulate | ML-KEM key encapsulation |
| TPM2_Decapsulate | ML-KEM key decapsulation |
| TPM2_SignSequenceStart | ML-DSA signing of arbitrary-length messages |
| TPM2_SignSequenceComplete | ML-DSA sign sequence completion |
| TPM2_VerifySequenceStart | ML-DSA verification start |
| TPM2_VerifySequenceComplete | ML-DSA verification completion |
| TPM2_SignDigest | Hash-ML-DSA pre-hashed signing |
| TPM2_VerifyDigestSignature | Hash-ML-DSA pre-hashed verification |
Supported Parameter Sets
| Algorithm | FIPS Standard | Parameter Sets |
|---|---|---|
| ML-DSA | FIPS 204 | ML-DSA-44 / 65 / 87 |
| ML-KEM | FIPS 203 | ML-KEM-512 / 768 / 1024 |
Key Management and Persistence
Post-quantum primary keys are derived deterministically from the TPM hierarchy seed using KDFa, persist to non-volatile storage, survive TPM restart, and use the full TPM 2.0 authorization model. This preserves fwTPM’s existing cold-boot recovery model. PQC keys are managed through the same TPM 2.0 API as classical keys, with no special handling required from the application.
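The deterministic derivation described above can be illustrated with KDFa as defined in the TPM 2.0 Library Specification, Part 1. This is an added example, not wolfTPM code. The label strings, the SHA-256 template hash used as context, and the helper name primary_key_seed are assumptions, since the page does not state which inputs fwTPM passes to KDFa.

```python
import hashlib
import hmac
import struct

def kdfa(hash_name, key, label, context_u, context_v, bits):
    """TPM 2.0 KDFa: SP 800-108 counter mode with HMAC as the PRF."""
    nbytes = (bits + 7) // 8
    out = b""
    counter = 0
    while len(out) < nbytes:
        counter += 1
        # [i] || Label || 0x00 || ContextU || ContextV || [L], 32-bit big-endian
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, hash_name).digest()
    out = bytearray(out[:nbytes])
    if bits % 8:
        out[0] &= (1 << (bits % 8)) - 1  # mask unused high bits
    return bytes(out)

# Keygen seed sizes: FIPS 204 ML-DSA takes 32 bytes, FIPS 203 ML-KEM takes 64 (d || z).
SEED_BITS = {"ML-DSA": 256, "ML-KEM": 512}

def primary_key_seed(hierarchy_seed, alg, template):
    """Hypothetical helper: label and context layout are assumptions."""
    context = hashlib.sha256(template).digest()
    return kdfa("sha256", hierarchy_seed, alg.encode(), context, b"", SEED_BITS[alg])

if __name__ == "__main__":
    seed = bytes(range(32))                       # constructed hierarchy seed
    template = b"constructed ML-DSA-65 template"  # constructed public template
    before = primary_key_seed(seed, "ML-DSA", template)
    after = primary_key_seed(seed, "ML-DSA", template)  # re-derived, as after a restart
    print("same key seed after re-derivation:", before == after)
    print("other template differs:", before != primary_key_seed(seed, "ML-DSA", b"other"))
    print("ML-KEM seed bytes:", len(primary_key_seed(seed, "ML-KEM", template)))
```

Because the derivation is deterministic, every primary key is only as well protected as the hierarchy seed it is derived from.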
Embedded-First Design
The implementation preserves fwTPM’s existing operational profile:
- WOLFTPM_SMALL_STACK support: Compatible with constrained stack environments
- No dynamic allocation in hot paths: Ready for bare-metal, RTOS, and memory-constrained targets
- Portable transports: mssim socket for local testing, TIS over shared memory or SPI/I2C, UART for serial-only devices
Target platforms include Linux, RTOS environments, and bare-metal Cortex-M class MCUs.
Target Platforms
| Platform | Notes |
|---|---|
| Linux | User-space daemon with mssim or /dev/tpm0 interface |
| ARM Cortex-M33 | Bare-metal (STM32L5, STM32U5, TrustZone-capable MCUs) |
| STM32 secure enclaves | TrustZone-M partitions |
| RTOS | FreeRTOS, Zephyr, ThreadX via wolfSSL’s RTOS abstraction |
| POSIX | FreeBSD, QNX, VxWorks |
When to Use a Firmware TPM
A firmware TPM is not a substitute for the physical tamper resistance of a discrete TPM in high-assurance roles. It is appropriate where discrete silicon is not available, not on the board, or has not yet shipped post-quantum support. With this release, products that fall into any of those cases can adopt ML-DSA and ML-KEM today through a software update.
Build Instructions
To enable post-quantum support, build wolfSSL with the following configuration:
# wolfSSL with PQC + keygen
./configure --enable-wolftpm --enable-pkcallbacks \
--enable-keygen --enable-dilithium \
--enable-mlkem --enable-experimental \
--enable-harden CFLAGS="-DWC_RSA_NO_PADDING"
make && sudo make install
Then build wolfTPM with fwTPM and v1.85 support:
# wolfTPM with fwTPM + v1.85
./configure --enable-fwtpm --enable-pqc
make
make check
The end-to-end test exercises ML-DSA and ML-KEM round-trips against a running fwTPM server:
# Run fwTPM server
./examples/fwtpm/fwtpm_server &
# Run PQC end-to-end test
./examples/pqc/pqc_mssim_e2e
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

