Thank you David,

The solution (in your patch) works well.


While compiling WolfTpm files on Ubuntu with gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0,
I encounter this annoying warning treated as an error. Can someone please help on how to get rid of this?

Build error: New warnings appeared:
../wolftpm/wolftpm/tpm2_types.h: In function ‘word64 ByteReverseWord64(word64)’:
../wolftpm/wolftpm/tpm2_types.h:655:66: warning: left shift count >= width of type [-Wshift-count-overflow]
     return (word64)((word64)ByteReverseWord32((word32)value)) << 32 |
../wolftpm/wolftpm/tpm2_types.h:656:66: warning: right shift count >= width of type [-Wshift-count-overflow]
                     (word64)ByteReverseWord32((word32)(value  >> 32));

The build flag: CFLAGS = -Wshift-count-overflow
does not help and neither does
#pragma GCC diagnostic ignored "-Wshift-count-overflow"

The problem is in this function in tpm2_types.h, but I don't want to modify it.

static inline word64 ByteReverseWord64(word64 value)
{
    return (word64)((word64)ByteReverseWord32((word32)value)) << 32 |
                    (word64)ByteReverseWord32((word32)(value  >> 32));
}
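The warning above means that, in that build, word64 is narrower than 64 bits: shifting by a count greater than or equal to the type's width is undefined behaviour in C, which is what -Wshift-count-overflow reports. The following added example (not wolfTPM's code) keeps the same two-halves structure but pins the typedefs to stdint types and adds a compile-time width check, so a misconfigured typedef becomes a clear error rather than a warning deep inside the header:

```c
/* Added example, not from wolfTPM: width-checked 64-bit byte reverse.
 * Assumption: word32/word64 map to the fixed-width stdint types. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t word32;
typedef uint64_t word64;

/* Fail the build outright if the types are not the widths the shifts need. */
_Static_assert(sizeof(word64) == 8, "word64 must be 64 bits wide");
_Static_assert(sizeof(word32) == 4, "word32 must be 32 bits wide");

static inline word32 ByteReverseWord32(word32 value)
{
    value = ((value & 0xFF00FF00u) >> 8) | ((value & 0x00FF00FFu) << 8);
    return (value >> 16) | (value << 16);
}

/* Same structure as the header's function: reverse each 32-bit half and
 * swap the halves. The shifts by 32 are valid because word64 is 64 bits. */
static inline word64 ByteReverseWord64(word64 value)
{
    return ((word64)ByteReverseWord32((word32)value) << 32) |
            (word64)ByteReverseWord32((word32)(value >> 32));
}

/* Returns 1 when a constructed value reverses to the expected byte order
 * and reversing again round-trips, 0 otherwise. */
int byte_reverse_self_check(void)
{
    const word64 in  = 0x0102030405060708ULL;
    const word64 out = ByteReverseWord64(in);
    return out == 0x0807060504030201ULL && ByteReverseWord64(out) == in;
}

int main(void)
{
    int ok = byte_reverse_self_check();
    printf("0x%016llx -> 0x%016llx (%s)\n",
           (unsigned long long)0x0102030405060708ULL,
           (unsigned long long)ByteReverseWord64(0x0102030405060708ULL),
           ok ? "ok" : "MISMATCH");
    return ok ? 0 : 1;
}
```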



(5 replies, posted in wolfTPM)

dgarske wrote:

Hi tpm2user,

1) Load the TPM public key into a wolfCrypt ecc_key struct: … ent.c#L226

Thanks. For this, I see the functions:

 rc = wolfTPM2_GetKeyTemplate_ECC(..)
 rc = getECCkey(..)

I checked the getECCKey() function. It calls createAndLoadKey() and, if I understand correctly, it generates its own keys from the TPM and loads the public part into the wolfEccKey object. I tried reading the context file via readKeyBlob and wolfTPM2_LoadKey(.) to receive a handle from the TPM and pass it to the getECCKey() function, but it failed.

I have my own context file generated by the TPM [related to this post: ], which I would like to have loaded externally to the TPM. I don't understand how I can go ahead from here by letting the TPM know that I already have what it wants.


I have generated a context file (openssl.ctx) with the TPM (but via tpm2_tools). I wanted to know IF and HOW exactly this can be used/imported via wolfTPM.

1. Use OpenSSL to create the device's public-private key pair, forgoing TPM protections. i.e., the key material is not protected by the parent object's seed.

openssl req -new -newkey rsa:2048 -keyout $HOME/openssl_private.pem -nodes \
            -out "$HOME/openssl.csr" \
            -subj "/C=BE/ST=Belgium/L=Brussels/O=CPP-LS/OU=Development/"
openssl rsa -in "$HOME/openssl_private.pem" -out "$HOME/openssl_public.pem" -pubout

2. Load the non-protected key pair to the TPM. The private portion of an object can be loaded only to the Null hierarchy or the TPM will reject loading it.

tpm2_loadexternal --hierarchy n \
                  --key-algorithm rsa \
                  --public "$HOME/openssl_public.pem" \
                  --private "$HOME/openssl_private.pem" \
                  --key-context "$HOME/openssl.ctx" \
                  --name "$HOME/"

How can this file (openssl.ctx) be imported into wolfTPM? I tried to convert it into base64, and the import does not work. Directly importing it always results in a Buffer Overflow on the wolfTPM side.

Many thanks!


(5 replies, posted in wolfTPM)

Thanks, will try this and report back.

On a side note, I have a context file generated via the tpm2_loadexternal command.

tpm2_loadexternal --hierarchy n \
                  --key-algorithm rsa \
                  --public "$HOME/openssl_public.pem" \
                  --private "$HOME/openssl_private.pem" \
                  --key-context "$HOME/openssl.ctx" \
                  --name "$HOME/"

Is there a way that this openssl.ctx file can be loaded using wolfTPM commands? I tried using keyload, but this seems to be a different format:

linux@tpm2user:~/test/wolfTPM/examples/keygen$ file keyblob.bin
keyblob.bin: PDP-11 overlaid pure executable not stripped

linux@tpm2user:~/test/wolfTPM/examples/keygen$ file ~/openssl.ctx
~/openssl.ctx: data

I also tried base64 to convert openssl.ctx:
linux@tpm2user:~/test/wolfTPM/examples/keygen$ file to_b64_openssl.ctx
to_b64_openssl.ctx: ASCII text


(5 replies, posted in wolfTPM)

Thanks David.

I looked at the TLS example; there were some minor changes since the last time I saw it.

To get the basics right, I did the following:

# Generate keypair on TPM and generate ECC signed certificate for use:

sudo ./examples/keygen/keygen ecc_test_blob.raw -ecc -t
sudo ./examples/csr/csr
sudo ./certs/

So, now I have the ca-ecc-cert.pem signed certificate file and the ecc_test_blob.raw file (the latter holding the key pair).

In software, I have done the following:
1. Setup TPM callback using wolfTPM2_CryptoDevCb and wolfSSL_CTX_SetDevId
2. Q. How do I load the buffer as PEM? I did the following:

   a) Load the keyfile ecc_test_blob.raw into the TPM and get back a TPM handle (OK)

   b) Extract public_key from the above keyblob and store it as a buffer? The public_key is only available under WOLFTPM2_KEYBLOB

I am a bit lost now, because it did not work. All I need is how to get the buffer_key correctly (which I now understand is the public key provided to wolfSSL and private_key is on the TPM itself which will be used via crypto_callback).

if ((wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer_key, buffer_key_size, WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) {
    printf("Failed to set the key");
    return -1;
}

Looking to get this sorted. It's been a sharp learning curve with the existing examples, and I am unable to find sufficient wolfTPM signing examples.

Many thanks!


(5 replies, posted in wolfTPM)


This is my first post in this forum. The earlier post went unanswered. I hope someone can help clarify here. My question is two-fold:

FIRST: I wish to have equivalent of the below function, but for TPM:

if (wolfSSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, WOLFSSL_FILETYPE_PEM) != SSL_SUCCESS) {
    /* Turn off TLS */
    return 0;
}

Note: Here, KEY_FILE is a plain .crt text file on filesystem containing a private key. (This was used prior to TPM present on hardware).

SECOND: Regarding signing inside the TPM2 chip, I see I could use the following function:

/* [This is part of the wolftpm2/tls/tls_server.c example]
 * Private key only exists on the TPM and crypto callbacks are used for
 * signing. Public key is required to enable TLS server auth.
 * This API accepts public keys when crypto callbacks are enabled */
if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, buffer_size, WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
    /* handle the error */
}

It seems that for the above function to use TPM2, we need to enable the crypto callback, and TPM2 should take care of signing using the callback. The following are the steps I followed:

1. Generated raw file using keygen tool in wolftpm/examples (I renamed it to keyblob.bin)
2. I imported this to TPM to receive a temporary TPM2 handle (which went OK).
3. I have a public certificate (named test.crt) which contains the public key (signed using a CSR by a Certificate Authority). So, this public certificate corresponds to the CSR generated by the TPM for this private key.
4. I have enabled the crypto-dev callbacks.

So, now I have the TPM2 handle and the certificate file. How can I register these with the above buffer function for signing operations? In code I did:

readKeyblob -> get the private key
wolftpm2_load -> get the handle for the key stored by TPM
wolfSSL_CTX_use_PrivateKey_buffer -> The parameters were (ctx, keyBlob.priv.buffer, sizeof(keyBlob.priv.size)

What am I doing wrong?