wolfTPM’s firmware TPM (fTPM) now includes an SPDM responder in fwtpm_server, adding an authenticated, encrypted transport between a host and the software TPM 2.0. It supports both TCG certificate mode and DMTF DSP0274 pre-shared-key (PSK) mode, and is merged in PR #510.
A TPM for Environments Without Hardware TPM Support
The fTPM is a full software TPM 2.0 built on wolfCrypt. It exists for the systems where a discrete TPM chip is not an option: spacecraft and aerospace avionics, under-hood and high-vibration automotive electronics, and other thermal, radiation, or mechanical extremes that fall outside the ratings of a packaged TPM, as well as devices that simply ship without TPM silicon. In those systems, the TPM runs as software on a qualified SoC or companion MCU.
An Authenticated, Encrypted Link to the TPM
When the TPM is software, reachable over an internal bus or socket, SPDM (DMTF DSP0274) authenticates the endpoint and wraps every command and response in an encrypted, integrity-protected session. For a firmware TPM in a safety-critical system, that raises the assurance level of the link: the TPM answers only an authenticated session, not anything that happens to reach the bus. SPDM layers on top of the TPM's own protections (authorization sessions, parameter encryption, policy) rather than replacing them.
TCG Certificate and PSK Modes
The responder is exposed through the wolfSPDM_Resp* API and driven by the fTPM server. It negotiates SPDM 1.3 with Algorithm Set B (P-384, SHA-384, AES-256-GCM) and implements the full handshake in both modes: version, capability, and algorithm negotiation; the TCG certificate KEY_EXCHANGE / FINISH using a P-384 identity key generated at startup; the DSP0274 PSK exchange; the encrypted secured-message envelope; and VENDOR_DEFINED tunneling of TPM 2.0 commands. Vendor wire-format adapters for Nuvoton and Nations are available, with a runtime --vendor switch for dual-vendor builds.
Once SPDM-only mode is locked, the responder rejects plaintext TPM 2.0 frames with TPM_RC_DISABLED, matching how real Nuvoton and Nations silicon behaves, so no unauthenticated command reaches the TPM.
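The following is an added illustration of that policy, not wolfTPM or wolfSPDM code and not the fwtpm_server demux. It assumes a responder locked to SPDM-only mode and shows the two frame kinds it can see: a plaintext TPM 2.0 command, which is answered with a bare TPM response header carrying TPM_RC_DISABLED, and a DSP0274 VENDOR_DEFINED_REQUEST (code 0xFE) whose tunneled TPM command is extracted only when a session already exists. The DSP0277 secured-message envelope is omitted: in a real responder the VENDOR_DEFINED_REQUEST arrives inside the encrypted, MAC-protected session record. The function names, the `demux` return codes, the StandardID value and the sample TPM2_GetRandom frame are all constructed for the example.

```c
/* Added example: SPDM-only frame demux for a software TPM endpoint (hypothetical code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TPM_ST_NO_SESSIONS  0x8001u
#define TPM_ST_SESSIONS     0x8002u
#define TPM_RC_DISABLED     0x00000120u   /* TPM_RC_VER1 (0x100) + 0x020 */
#define SPDM_VERSION_1_3    0x13u
#define SPDM_VENDOR_DEFINED_REQUEST 0xFEu

enum { DEMUX_REFUSED_NO_SESSION = -2, DEMUX_MALFORMED = -1,
       DEMUX_PLAINTEXT_REFUSED = 0, DEMUX_TPM_CMD = 1 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* A plaintext TPM 2.0 command: tag(2) | commandSize(4) | commandCode(4) | parameters. */
static int is_plain_tpm_cmd(const uint8_t *f, size_t n) {
    if (n < 10) return 0;
    uint16_t tag = be16(f);
    return (tag == TPM_ST_NO_SESSIONS || tag == TPM_ST_SESSIONS) && be32(f + 2) == n;
}

/* 10-byte TPM response header carrying only a response code. */
static size_t tpm_rc_response(uint8_t *out, uint16_t tag, uint32_t rc) {
    put16(out, tag); put32(out + 2, 10); put32(out + 6, rc);
    return 10;
}

/* Requester side: wrap a TPM command in a VENDOR_DEFINED_REQUEST (DSP0274 layout):
 * SPDMVersion | 0xFE | Param1 | Param2 | StandardID(2) | Len(1) | VendorID[Len] | ReqLength(2) | payload */
static size_t spdm_vendor_wrap(uint8_t *out, size_t cap, uint16_t standard_id,
                               const uint8_t *vid, uint8_t vid_len,
                               const uint8_t *cmd, uint16_t cmd_len) {
    size_t need = 4u + 2u + 1u + vid_len + 2u + cmd_len;
    if (need > cap) return 0;
    out[0] = SPDM_VERSION_1_3; out[1] = SPDM_VENDOR_DEFINED_REQUEST; out[2] = 0; out[3] = 0;
    put16(out + 4, standard_id);
    out[6] = vid_len;
    if (vid_len) memcpy(out + 7, vid, vid_len);
    put16(out + 7 + vid_len, cmd_len);
    memcpy(out + 9 + vid_len, cmd, cmd_len);
    return need;
}

/* Responder side. DEMUX_TPM_CMD: *cmd/*cmd_len point at the command to execute.
 * DEMUX_PLAINTEXT_REFUSED: resp/*resp_len hold the TPM_RC_DISABLED reply. */
static int demux(int spdm_only_locked, int session_established,
                 const uint8_t *f, size_t n, const uint8_t **cmd, size_t *cmd_len,
                 uint8_t *resp, size_t *resp_len) {
    if (n >= 2 && f[0] == SPDM_VERSION_1_3 && f[1] == SPDM_VENDOR_DEFINED_REQUEST) {
        if (!session_established) return DEMUX_REFUSED_NO_SESSION; /* real responder: SPDM ERROR */
        if (n < 9) return DEMUX_MALFORMED;
        size_t vid_len = f[6];
        if (n < 9 + vid_len) return DEMUX_MALFORMED;
        size_t len = be16(f + 7 + vid_len);
        if (9 + vid_len + len != n) return DEMUX_MALFORMED;   /* ReqLength must cover the frame exactly */
        *cmd = f + 9 + vid_len; *cmd_len = len;
        return is_plain_tpm_cmd(*cmd, *cmd_len) ? DEMUX_TPM_CMD : DEMUX_MALFORMED;
    }
    if (is_plain_tpm_cmd(f, n)) {
        if (!spdm_only_locked) { *cmd = f; *cmd_len = n; return DEMUX_TPM_CMD; }
        *resp_len = tpm_rc_response(resp, be16(f), TPM_RC_DISABLED);
        return DEMUX_PLAINTEXT_REFUSED;
    }
    return DEMUX_MALFORMED;
}

/* Constructed sample input: TPM2_GetRandom (CC 0x17B) asking for 16 bytes. */
static const uint8_t k_getrandom[12] = {0x80,0x01, 0,0,0,12, 0,0,0x01,0x7B, 0x00,0x10};

/* Plaintext command at a locked responder: the requester gets back only TPM_RC_DISABLED. */
uint32_t scenario_plain_while_locked(void) {
    const uint8_t *c; size_t cl, rl = 0; uint8_t r[10];
    if (demux(1, 0, k_getrandom, sizeof k_getrandom, &c, &cl, r, &rl) != DEMUX_PLAINTEXT_REFUSED) return 0;
    return rl == 10 ? be32(r + 6) : 0;
}

/* Same command tunneled in an established session: the TPM command comes out intact. */
long scenario_spdm_in_session(void) {
    uint8_t frame[64]; const uint8_t *c; size_t cl, rl = 0; uint8_t r[10];
    size_t n = spdm_vendor_wrap(frame, sizeof frame, 0x0001 /* illustrative StandardID */, NULL, 0,
                                k_getrandom, sizeof k_getrandom);
    if (demux(1, 1, frame, n, &c, &cl, r, &rl) != DEMUX_TPM_CMD || cl != 12) return -1;
    return (long)be32(c + 6);   /* command code, 0x17B */
}

/* SPDM tunnel without a session is refused regardless of payload. */
int scenario_spdm_no_session(void) {
    uint8_t frame[64]; const uint8_t *c; size_t cl, rl = 0; uint8_t r[10];
    size_t n = spdm_vendor_wrap(frame, sizeof frame, 0x0001, NULL, 0, k_getrandom, sizeof k_getrandom);
    return demux(1, 0, frame, n, &c, &cl, r, &rl);
}

int main(void) {
    printf("plaintext while locked -> rc 0x%x\n", scenario_plain_while_locked());
    printf("tunneled in session    -> cc 0x%lx\n", scenario_spdm_in_session());
    printf("tunneled, no session   -> %d\n", scenario_spdm_no_session());
    return 0;
}
```

The check worth noting is the exact-length test on ReqLength: a tunneled payload shorter or longer than the SPDM frame is treated as malformed rather than trimmed, so a truncated or padded frame cannot smuggle a second command behind the first.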
Building and Testing
./configure --enable-fwtpm --enable-spdm --enable-tcg --enable-psk
# optional vendor wire-format adapters:
#   --enable-nuvoton --enable-nations   (runtime --vendor switch)
CI exercises the responder in software and on hardware. spdm-test.yml runs 8 build-only configurations plus 2 end-to-end modes, and the responder unit tests drive the requester and responder back-to-back across PSK, TCG, TCG+PSK, Nuvoton, and Nations. hw-spdm-test.yml keeps coverage on real silicon, so the same handshake runs in software and against hardware.
wolfTPM is dual-licensed (GPLv2+ or commercial); the source is in the public wolfSSL/wolfTPM repository.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.