Lightweight Device Authentication for Nuvoton and NSING TPMs
Device Attestation and Authentication Are No Longer Optional
From data center accelerators to automotive ECUs, the industry is moving toward verifying every component on every bus. Today, wolfSSL is proud to announce SPDM support in wolfTPM, enabling secure device authentication and attestation for Nuvoton NPCT75x and NSING NS350 TPMs using the DMTF Security Protocol and Data Model.
Developed in partnership with NSING Technologies (NSING) and Nuvoton, wolfTPM is the first and only open-source SPDM implementation with native hardware TPM integration for multiple vendors.
What Is SPDM?
wolfTPM now includes a clean-room, native C implementation of the SPDM 1.3 requester protocol, located in the spdm/ directory. This enables a host to authenticate and attest connected devices using standardized cryptographic handshakes.
It is not a wrapper around another library. It is a purpose-built, safety-critical, from-scratch implementation designed for the constraints of embedded systems.
Key Features
No Dynamic Memory Allocation
wolfTPM’s SPDM implementation uses zero malloc calls by default. All buffers are statically allocated, making it ideal for bare-metal deployments, safety-critical systems, and environments where heap usage is prohibited. For platforms with limited stack space, `--enable-smallstack` heap-allocates the SPDM context instead.
Transport Agnostic
The SPDM implementation uses a callback-based transport interface. Whether your bus is MCTP, PCIe DOE, SPI, or something proprietary, you supply the send/receive callbacks and wolfTPM handles the protocol.
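The two properties above (fixed buffers and a caller-supplied transport) shown together, as an added example that is not wolfTPM code: the names `spdm_requester`, `spdm_io_cb`, `spdm_has_version`, `loopback_io` and `demo` are hypothetical, and the loopback bus and its VERSION reply are constructed. It sends SPDM GET_VERSION through the callback and bounds-checks the reply before trusting its entry count.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SPDM_GET_VERSION 0x84 /* request code (DMTF DSP0274) */
#define SPDM_VERSION     0x04 /* response code (DMTF DSP0274) */

/* Hypothetical transport hook: send req, fill rsp, return bytes received or -1. */
typedef int (*spdm_io_cb)(void *bus, const uint8_t *req, size_t req_len,
                          uint8_t *rsp, size_t rsp_cap);

typedef struct {
    spdm_io_cb io;   /* MCTP, PCIe DOE, SPI, ... supplied by the integrator */
    void *bus;
    uint8_t rsp[64]; /* fixed buffer inside the context: no heap use */
} spdm_requester;

/* 1 = responder lists major.minor, 0 = not listed, -1 = malformed response. */
int spdm_has_version(spdm_requester *r, uint8_t major, uint8_t minor)
{
    static const uint8_t req[4] = { 0x10, SPDM_GET_VERSION, 0x00, 0x00 };
    int n = r->io(r->bus, req, sizeof req, r->rsp, sizeof r->rsp);
    if (n < 6 || (size_t)n > sizeof r->rsp) return -1;
    if (r->rsp[0] != 0x10 || r->rsp[1] != SPDM_VERSION) return -1;
    size_t count = r->rsp[5];                 /* VersionNumberEntryCount */
    if ((size_t)n < 6 + 2 * count) return -1; /* count must fit what arrived */
    for (size_t i = 0; i < count; i++) {
        uint8_t hi = r->rsp[6 + 2 * i + 1];   /* LE entry: high byte = major|minor */
        if ((hi >> 4) == major && (hi & 0x0F) == minor) return 1;
    }
    return 0;
}

/* Constructed loopback bus: replies with a canned VERSION message. */
typedef struct { const uint8_t *msg; size_t len; } canned_bus;
static int loopback_io(void *bus, const uint8_t *req, size_t req_len,
                       uint8_t *rsp, size_t rsp_cap)
{
    const canned_bus *c = bus;
    if (req_len < 2 || req[1] != SPDM_GET_VERSION || c->len > rsp_cap) return -1;
    memcpy(rsp, c->msg, c->len);
    return (int)c->len;
}

/* Constructed samples: a responder offering 1.2 and 1.3, or the same reply cut short. */
int demo(int truncated, uint8_t major, uint8_t minor)
{
    static const uint8_t ok[] = { 0x10, 0x04, 0, 0, 0, 2, 0x00, 0x12, 0x00, 0x13 };
    canned_bus c = { ok, truncated ? 8 : sizeof ok };
    spdm_requester r = { loopback_io, &c, {0} };
    return spdm_has_version(&r, major, minor);
}
```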
FIPS 140-3 Ready
Cryptographic operations are handled entirely by wolfCrypt, wolfSSL’s FIPS 140-3 validated crypto engine. There are no external crypto dependencies.
DO-178C DAL A Path
wolfTPM supports a path to the highest level of DO-178C avionics certification for TPM 2.0 operations.
Compatible with spdm-emu
wolfTPM’s SPDM support is tested and validated against the DMTF’s spdm-emu reference emulator, ensuring interoperability with the standard ecosystem.
Multi-Vendor TPM Support
wolfTPM supports SPDM on two TPM families out of the box:
| Feature | Nuvoton NPCT75x | NSING NS350 |
|---|---|---|
| Session mode | Identity key (ECDHE P-384) | Identity key + PSK |
| SPDM version | 1.3 | 1.3 |
| Algorithm set | Algorithm Set B | Algorithm Set B |
| SPDM control | GPIO-based enable/disable + HW reset | Command-based |
| Certification | — | FIPS 140-2 Level 1 |
Both vendors negotiate SPDM 1.3 and use Algorithm Set B (P-384 / SHA-384 / AES-256-GCM / HKDF-SHA384).
PSK Mode (NSING NS350)
The NSING NS350 supports an additional session establishment mode using a 64-byte pre-shared key. PSK mode uses the standard SPDM 1.2+ PSK_EXCHANGE and PSK_FINISH messages, providing symmetric key-based session establishment as an alternative to ECDHE. PSK and identity key modes are mutually exclusive; both use AES-256-GCM for data transport.
TCG SPDM Binding
wolfTPM implements the full TCG SPDM binding specification. Once an SPDM session is established, all TPM commands are transparently wrapped in encrypted VENDOR_DEFINED_REQUEST("TPM2_CMD") messages. No application code changes are needed.
The binding supports vendor-defined commands for key provisioning (GET_PUBK, GIVE_PUB), status queries (GET_STS_), SPDM-only mode enforcement (SPDMONLY), and NSING-specific PSK management (PSK_SET_, PSK_CLR_).
Encrypted TPM Bus Transfers
wolfTPM is the only implementation that can perform encrypted bus transfers with hardware TPMs (Nuvoton NPCT75x and NSING NS350), a capability unique to the wolfSSL stack.
Who Is This For?
wolfTPM’s SPDM support is built for OEMs and firmware engineers who need SPDM without the footprint of the reference implementation. It goes beyond device authentication; wolfTPM provides encrypted bus transfers, hardware-backed key storage, and PSK-based session establishment for fully secure communication channels. Whether you are building data center infrastructure, automotive ECUs, or IoT devices with NSING or Nuvoton TPMs, wolfTPM provides a production-ready SPDM stack.
Expanding SPDM Support
wolfTPM’s SPDM support now covers Nuvoton NPCT75x and NSING NS350 TPMs, developed in direct partnership with both manufacturers. wolfSSL is actively working with additional TPM vendors to expand coverage. The spdm/ directory is architected to support new vendors with minimal code changes and can be branched into a standalone repository for non-TPM SPDM use cases.
Contact support@wolfssl.com to discuss your use case.
Get Started
wolfTPM with SPDM support is available now at github.com/wolfSSL/wolfTPM.
To build with SPDM and Nuvoton support:
```sh
./autogen.sh
./configure --enable-spdm --enable-nuvoton
make
```
To build with SPDM and NSING support:
```sh
./autogen.sh
./configure --enable-spdm --enable-nations
make
```
For licensing, integration support, or to discuss your use case, please contact us at facts@wolfssl.com or +1 425 245 8247.

