Below you will find the wolfTPM ChangeLog documenting the changes that took place with each release of wolfTPM since the project’s beginning in 2018.

wolfTPM 2.3.0



Fixes for minor build issues, refactor of GPIO configure to combine and new PCR Read example.


  • Refactor GPIO support (single gpio_config) (PR #194)
  • Fix for Linux HAL IO try again timeout logic (PR #194)
  • Fix for big endian in TIS layer (PR #191)
  • Fix for RSAES padding (RSA_Encrypt) (PR #187)
  • Fix in tests to allow command code error for CreateLoaded (not supported on hardware) (PR #184)
  • Fix for compiler warning for file read in make_credential.c (PR #182)
  • Fixes for Windows builds (PR #181)
  • Fixes for RSA RNG in edge case builds (fixes wolfBoot build error) (PR #180)
  • Added PCR Read example (PR #185)

wolfTPM 2.2.0



Added new examples for remote attestation, make credential and GPIO support. Added Endorsement hierarchy support to many examples. Refactored the reference HAL IO code into separate files.


  • Fixed total auth area size when multiple auth sessions are used (PR #174)
  • Fixed `TPM2_SetupPCRSel` to only allow valid pcrIndex values (PR #165 and PR #167)
  • Fixed `TPM2_MakeCredential` to work without auth as TCG spec defines (PR #174)
  • Fixed `TPM2_MakeCredential` to support using EK pub to encrypt challenge (PR #174)
  • Fixed `TPM2_ActivateCredential` to work with EK pub to decrypt challenge (PR #174)
  • Fix to only enable `printf` in library proper if `DEBUG_WOLFTPM` is set (PR #154)
  • Added support for QNX with wolfTPM (PR #156)
  • Added credential examples for remote attestation (PR #161)
  • Added new example for sealing a secret using TPM key (PR #157)
  • Added GPIO config, read and set examples (PR #155 and #172)
  • Added GPIO support and examples for ST33 (PR #155)
  • Added GPIO support and examples for Nuvoton NPCT75x (PR #172)
  • Added Endorsement support for keygen and attestation examples using `-eh` (PR #174)
  • Added missing `TPM2_CreateLoaded` command and added wrapper `wolfTPM2_CreateLoadedKey` (PR #174)
  • Added new wrappers for public PEM support `wolfTPM2_RsaKey_TpmToPemPub` and `wolfTPM2_RsaKey_PemPubToTpm` (PR #174)
  • Added keygen option to output PEM files for TPM public keys (PR #174)
  • Added saving of EK's TPM2B_PUBLIC for attestation purposes (PR #174)
  • Added new wrapper for satisfying EK policy (PR #174)
  • Added unit test for `TPM2_CertifyCreation` (PR #169)
  • Added support for `--with-wolfcrypt=/dir/` (PR #166)
  • Added documentation for using QEMU with `--enable-devtpm` for testing (PR #146)
  • Modified keygen to use new `wolfTPM2_CreateLoaded` wrapper to acquire correct AK name (PR #174)
  • Modified keyload to be able to load keys created under the EK/EH (PR #174)
  • Cleanup the ECC point code to appease some coverity warnings (PR #168)
  • Cleanup obsolete `txBuf[4] = 0x00;` because handled with SPI check wait state logic (PR #162)
  • Improved API documentation using Doxygen for wolfTPM wrappers and proprietary API's (PR #164)
  • Improved the Windows TBS documentation (PR #163)
  • Refactor the assignment of structs to use memcpy (PR #176)
  • Refactor of the TPM IO code to separate files (PR #171)

wolfTPM 2.1.0



  • Fixed possible KDFa buffer overrun (PR #147)
  • Fixed typo on WOLFTPM_USER_SETTINGS (PR #140)
  • Improved examples to use the key templates. (PR #136)
  • Added symmetric key support for key generation examples (PR #143)
  • Added NVRAM examples (PR #145)
  • Added STM32 CubeMX I2C support (PR #142)
  • Added details for TPM 2.0 with Windows TBS (PR #144)
  • Added alternate subject name to example certificates for TLS (PR #141)
  • Updated expired wolfSSL certs (PR #139)
  • Removed EK from the attestation and signed timestamp examples (PR #152)

wolfTPM 2.0.0



Added AES CFB parameter encryption, HMAC sessions, TPM simulator, Windows TPM (TBSI) support and more examples for time/keys.


  • Refactor of the session authentication. New struct `TPM2_AUTH_SESSION`  and `wolfTPM2_SetAuth_*` API's. (PR #129 and #133)
  • Added Windows TPM TBSI support (PR #127)
  • Added TPM simulator support using TPM TCP protocol (PR #121)
  • Added minGW support (PR #127)
  • Added AES CFB parameter encryption support (PR #129)
  • Added XOR parameter encryption support (PR #122)
  • Added "-aes" or "-xor" option to some examples to enable parameter encryption. (PR #129)
  • Added HMAC session support (PR #129)
  • Added support for encrypted RSA salt for salted-unbounded session (PR #129)
  • Added innerWrap and outerWrap support for sensitive to private. (PR #129)
  • Improvements to the KDFa (PR #129)
  • Improved the param encryption to use buffers inline (PR #129)
  • Added Key generation and loading examples using disk to store the key (PR #131)
  • Added support for importing external private key to get a key blob for easy re-loading. (PR #132)
  • Add TPM clock increment example (PR #117)
  • Add test vectors for AES CFB and make it the default for tests (PR #125)
  • Improved documentation and code comments (PR #126)
  • Add script to run unit tests with software TPM (PR #124)

wolfTPM 1.9.0


  • Fix when building wolfSSL with old names `NO_OLD_WC_NAMES`. (PR #113)
  • Fix for TPM2 commands with more than one auth session. (PR #95)
  • Bugfixes for TPM2_Packet_AppendSymmetric and TPM2_Packet_ParseSymmetric. (PR #111)
  • TPM attestation fixes. (PR #103)
  • If creating an NV and it already exists, set auth and handle anyways. (PR #99)
  • Cleanups, removed unused code from the PCR examples. (PR #112)
  • Improvements to the signed timestamp example. (PR #108)
  • Add example of a TPM2.0 Quote using wolfTPM. (PR #107)
  • Added NPCT75x Nuvoton support and dynamic module detection support. (PR #102)
  • Added RSA sign/verify support and expanded RSA key loading API's. (PR #101)
  • Attestation key wrappers. (PR #100)
  • Add missing xor overload to TPMU_SYM_KEY_BITS. (PR #97)
  • Signed timestamp example (AIK and Attestation). (PR #96)
  • Adding more testing. (PR #93)
  • Add TPM benchmarking results for Nuvoton NPCT650 TPM2.0 module. (PR #92)

wolfTPM 1.8.0


  • Fixed obsolete workaround for ST33 and TIS header size. (PR #85)
  • Fixes for building with older wolfSSL versions not supporting `wc_HashFree`. (PR #87)
  • Fixes for building without wolfCrypt RSA (when `NO_RSA` is defined). (PR #89)
  • Fixes for ECC verify in crypto callback to try software if the curve is not supported (`TPM_RC_CURVE`) by the TPM hardware. (PR #89)
  • Fixes for building with `WOLFTPM2_USE_SW_ECDHE`. (PR #86)
  • Added support for using `/dev/tpmX`. (PR #91)
  • Added example for using an ECC primary storage key (root owner). (PR #84)
  • Added Xilinx Zynq MPSoC bare-metal SPI support. (PR #85)
  • Added support for Nuvoton TPM 2.0 NPCT650. (PR #91)
  • Added support for Nations Technologies Inc. TPM 2.0 module (Z32H330). (PR #88)
  • Cleanup of the session auth, so after being set it is also cleared. (PR #84)
  • Moved the chip specific settings to `tpm2_types.h`. (PR #85)

wolfTPM 1.7.0


  • Fixes for coverity checks on buffers. (PR #78)
  • Fix visibility warnings in Cygwin. (PR #80)
  • Added wrapper for changing a key's authentication wolfTPM2_ChangeAuthKey. (PR #77)
  • Added support for using authentication with NV. (PR #79)
  • Adds new wrapper API's: wolfTPM2_NVWriteAuthwolfTPM2_NVReadAuth and wolfTPM2_NVDeleteAuth. (PR #79)
  • Added new wrappers for shutdown and handle cleanup. (PR #81)

wolfTPM 1.6.0


  • Fix for wolfCrypt init/cleanup issue with reference count. (PR #75)
  • Fix to restore existing TPM context after calling `wolfTPM2_Test`. (PR #74)
  • Fix to resolve handling of unsupported ECC curves with the TPM module and ECDHE. (PR #69)
  • Fix for `wolfTPM2_SetCommand` to ensure auth is cleared. (PR #69)
  • Added `--enable-smallstack` build options for reducing stack usage. (PR #73)
  • Added support for keeping an HMAC key loaded. (PR #72)
  • Added API unit test framework. (PR #71)
  • Added new wrapper API `wolfTPM2_OpenExisting` for accessing device that's already started. (PR #71)
  • Added new `wolfTPM2_ExtendPCR` wrapper. (PR #70)
  • Added crypto callback flags for FIPS mode and Use Symmetric options. (PR #69)
  • Added `WOLFTPM_DEBUG_TIMEOUT` macro for debugging the timeout checking. (PR #69)
  • Added support for ST33 `TPM2_SetMode` command for disabling power saving. (PR #69)
  • Improvements for chip detection, compatibility and startup performance (PR #67)
  • Added support for `XPRINTF`.
  • Fix printf type warnings.
  • Moved the TPM hardware type build macro detection until after the `user_settings.h` include.
  • Optimization to initialize Mutex and RNG only when use is required.
  • Added missing stdio.h for printf in examples.
  • Added new API's `TPM2_SetActiveCtx`, `TPM2_ChipStartup`, `TPM2_SetHalIoCb` and `TPM2_Init_ex`. 
  • Allowed way to indicate `BOOL` type already defined.
  • Added C++ support.
  • Added new API `wolfTPM2_Test` for testing for TPM and optionally returning capabilities. (PR #66)
  • Added way to include generated `wolftpm/options.h` (or customized one) using `WOLFTPM_USER_SETTINGS`. (PR #63)

wolfTPM 1.5.0


  • Fixed issue with cleanup not unregistering the crypto callback.
  • Added support for Microchip ATTPM20 part.
  • Added support for Barebox (experimental).
  • Added TLS benchmarking for CPS and KB/Sec. Enabled with TLS_BENCH_MODE.
  • Added TLS client/server support for symmetric AES/HMAC/RNG. Enabled with WOLFTPM_USE_SYMMETRIC.
  • Added TLS client/server support for mutual authentication.
  • Added TIS locking protection for concurrent process access. Enabled using WOLFTPM_TIS_LOCK.
  • Added symmetric AES encrypt and decrypt wrappers and examples.
  • Added HMAC wrappers and examples.
  • Added wrappers and examples for loading external HMAC and AES keys.
  • Added delete key wrapper and example.
  • Added ECDH support for ephemeral key generation and shared secret.
  • Added benchmark support for RNG, AES (CTR, CBC, CFB) 128/256 and SHA-1, SHA-256, SHA-384 and SHA-512.
  • Added new wolfTPM2_GetCapabilities wrapper API for getting chip info.
  • Added command and response logging using ./configure --enable-debug=verbose or #define WOLFTPM_DEBUG_VERBOSE.
  • Added option to enable raw IO logging using WOLFTPM_DEBUG_IO.
  • Added option to disable TPM Benchmark code using NO_TPM_BENCH.
  • Added examples/README.md for setup instructions.
  • Tuned max SPI clock and performance for supported TPM 2.0 chips.
  • Cleanup to move common test parameters into examples/tpm_test.h.
  • Updated benchmarks and console output for examples in README.md.

wolfTPM 1.4.0


  • Fixed cryptodev ECC callback to use R and S for the signature verify.
  • Fixed printf type warnings with DEBUG_WOLFTPM defined.
  • Fixed detection of correct hash algorithm in wolfTPM2_VerifyHash.
  • Fix bug with native example where TPM2_Shutdown failure would loop.
  • Fix to decoupled the fixed TPM algorithms/sizes from wolfCrypt build options.
  • Fix for building with different wolfCrypt options.
  • Fix for byte swap build error.
  • Fix CSR example CertName to use designated initializers to resolve use against different wolfSSL versions.
  • Improved portability by eliminating the packed TPM2_HEADER.
  • Improved stack reduction by eliminating the private section from WOLFTPM2_KEY struct.
  • Added TLS server example for wolfTPM.
  • Added more RSA and ECC key loading examples.
  • Added support for loading an external private keys using new API's wolfTPM2_LoadPrivateKey, wolfTPM2_LoadRsaPrivateKey, and wolfTPM2_LoadEccPrivateKey.
  • Added example for reading the firmware version using TPM2_GetCapability with TPM_PT_FIRMWARE_VERSION_1.
  • Added hashing wrappers and tests using new API's: wolfTPM2_HashStart, wolfTPM2_HashUpdate and wolfTPM2_HashFinish.
  • Added PKCS7 7 sign/verify example demonstrating large data case using chunked buffer and new _ex functions.
  • Added Key Generation to benchmark.
  • Added ST33TP I2C TPM 2.0 support (./configure --enable-st33 --enable-i2c).
  • Added ST33TP SPI TPM 2.0 support (--enable-st33 or #define WOLFTPM_ST33).
  • Added support for Atmel ASF SPI.
  • Added example for IAR EWARM.
  • Added ECC verify test using public key and NIST test vectors.
  • Added new RNG wrapper API wolfTPM2_GetRandom.
  • Added macro for hardware RNG max request as MAX_RNG_REQ_SIZE.
  • Added instructions for enabling SPI and I2C on the Raspberry Pi.
  • Added support for symmetric AES encrypt/decrypt.
  • Added wrapper to help with creation of symmetric keys.
  • Added advanced IO callback support (enabled using --enable-advio or #define WOLFTPM_ADV_IO).
  • Added overridable define WOLFTPM_LOCALITY_DEFAULT for the locality used.
  • Added XTPM_WAIT() macro to enable custom wait between polling.
  • Added build option to disable wolfCrypt dependency using ./configure --disable-wolfcrypt or #define WOLFTPM2_NO_WOLFCRYPT.
  • Removed unused SET, CLEAR, TRUE, FALSE macros.
  • Cleanup DEBUG_WOLFTPM ifdef's around all printfs in library proper.
  • Cleanup of line lengths.
  • Cleanup of wrapper test to move test data into tpm_test.h.
  • Cleanup of the packet code to handle determining of size (mark/place).
  • Cleanup of the IO callback examples.
  • Cleanup of TIS layer improve return code and timeout handling.
  • Cleanup to move types and configuration/port specific items into new tpm2_types.h.

wolfTPM 1.3.0


  • Fixed the TIS TPM_BASE_ADDRESS to conform to specification.
  • Fixed static analysis warnings.
  • Fixed minor build warnings with different compilers.
  • Fixed TPM failure for RSA exponents less than 7 by using software based RSA.
  • Added TPM bechmarking support.
  • Added functions to import/export public keys as wolf format.
  • Added PKCS7 example to show sign/verify with TPM.
  • Added CSR example to generate certificate request based on TPM key.
  • Added CSR signing script ./certs/certreq.sh to create certificate using self-signed CA.
  • Added TLS Client example that uses TPM based key for client certificate.
  • Added support for wolfSSL WOLF_CRYPT_DEV callbacks to enable TPM based ECC and RSA private keys.
  • Added ability to clear/reset TPM using ./examples/wrap/wrap_test 1
  • Moved some of the example configuration into ./examples/tpm_io.h

wolfTPM 1.1.0


  • Added TPM2 wrapper layer to simplify key creation, RSA encrypt/decrypt, ECC sign/verify and ECDH.
  • Added TPM2 wrapper example code.
  • Added Linux SPI support for running on Raspberry Pi.
  • Fixes for TPM2 command and response assembly and parsing.
  • Fixes to support authentication for command and response.
  • Progress on supporting parameter encryption/decryption.
  • Refactor of TIS and Packet layers into new files.
  • Fixes/improvements to wolfTPM2_GetRCString for error code and string reporting.
  • Added new TPM2_Cleanup function.
  • New tests for TPM2 native API's (test coverage is about 75%).

wolfTPM 1.0


  • Support for all TPM2 native API's using TIS and SPI IO callback.
  • Helper for getting TPM return code string TPM2_GetRCString.
  • TPM 2.0 demo code in examples/tpm/tpm2_demo.c with support for STM32 CubeMX SPI as reference.