The First Firmware TPM with Post-Quantum Cryptography

ML-DSA and ML-KEM for Software TPM 2.0 on Embedded Targets

A First in Embedded Security: Post-Quantum Firmware TPM

wolfSSL is excited to announce that our firmware TPM (fTPM), a software TPM 2.0 implementation built on wolfCrypt, will be among the first firmware TPMs with post-quantum cryptography support, implementing the new TCG TPM 2.0 Library Specification v1.85 alongside ML-DSA and ML-KEM post-quantum algorithms.
If your product needs a TPM 2.0 interface but doesn’t have room for a discrete TPM chip, such as embedded MCUs, edge IoT devices, automotive ECUs, bootloaders, or secure firmware update pipelines, wolfTPM’s fTPM provides a portable, fully-featured TPM 2.0 server built on wolfSSL’s cryptographic core. And soon, it will be quantum-safe.

Why This Matters

Hardware TPM chips from the major vendors will eventually ship with post-quantum support, but that rollout will take years, and discrete TPMs are not an option for every product form factor. Firmware TPMs fill that gap today, and a post-quantum firmware TPM closes the PQC gap without any board redesign. You just update your software.
With wolfTPM’s fTPM PQC support, you will be able to:

  • Generate, sign, and verify using ML-DSA primary and ordinary keys at all three NIST parameter sets (44 / 65 / 87)
  • Perform ML-KEM encapsulation and decapsulation at all three parameter sets (512 / 768 / 1024)
  • Use the full v1.85 command set: TPM2_Encapsulate, Decapsulate, SignDigest, SignSequenceStart, SignSequenceComplete, VerifyDigestSignature, VerifySequenceStart, VerifySequenceComplete
  • Persist PQC keys to NV storage, survive TPM restart, and use them via the full TPM 2.0 authorization model
  • Run all of the above on Cortex-M33 bare-metal, STM32 secure enclaves, Linux, and any POSIX-capable target

Post-Quantum Commands

Command | Description
TPM2_Encapsulate | ML-KEM key encapsulation
TPM2_Decapsulate | ML-KEM key decapsulation
TPM2_SignSequenceStart | ML-DSA signing for arbitrarily-sized messages
TPM2_SignSequenceComplete | ML-DSA sign sequence completion
TPM2_VerifySequenceStart | ML-DSA verification start
TPM2_VerifySequenceComplete | ML-DSA verification completion
TPM2_SignDigest | Hash-ML-DSA pre-hashed signing
TPM2_VerifyDigestSignature | Hash-ML-DSA pre-hashed verification

Supported parameter sets:

Algorithm | FIPS Standard | Parameter Sets
ML-KEM | FIPS 203 | ML-KEM-512 / 768 / 1024
ML-DSA | FIPS 204 | ML-DSA-44 / 65 / 87

What’s Under the Hood

fTPM is built on wolfCrypt, the FIPS 140-3 in-process lab cryptographic core that also drives wolfSSL’s TLS 1.3 post-quantum support. This means:

  • FIPS 203 / 204 compliance: Algorithm behavior matches NIST’s final standards, validated against NIST ACVP test vectors
  • Deterministic keygen from hierarchy seed: PQC primary keys derive deterministically from the TPM’s primary seed using KDFa, keeping fTPM’s cold-boot recovery model intact
  • Zero dynamic allocation in hot paths: Ready for bare-metal, RTOS, and memory-constrained targets
  • Portable transports: mssim socket for local testing, TIS/SHM for embedded bus emulation, UART for serial-only devices
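
An added illustration of the deterministic-derivation point above (not wolfTPM's code): KDFa as defined in the TPM 2.0 Library Specification, Part 1, turning a primary seed and a key template into a 32-byte keygen seed. The label, the template bytes, the use of the template hash as contextU, and the sample seeds are assumptions made for this example; the page does not state which inputs fTPM feeds to KDFa.

```python
import hashlib
import hmac
import struct


def kdfa(hash_name, key, label, context_u, context_v, bits):
    """TPM 2.0 KDFa: SP 800-108 counter-mode KDF with HMAC as the PRF."""
    n_bytes = (bits + 7) // 8
    # Fixed input: Label || 0x00 || ContextU || ContextV || [bits] (32-bit BE)
    fixed = label + b"\x00" + context_u + context_v + struct.pack(">I", bits)
    out = b""
    counter = 0
    while len(out) < n_bytes:
        counter += 1  # 32-bit big-endian counter, starting at 1
        block = struct.pack(">I", counter) + fixed
        out += hmac.new(key, block, hash_name).digest()
    out = bytearray(out[:n_bytes])
    if bits % 8:
        # Keep only the requested number of bits in the first octet.
        out[0] &= (1 << (bits % 8)) - 1
    return bytes(out)


def derive_keygen_seed(primary_seed, template, label=b"MLDSA-EXAMPLE"):
    """Hypothetical helper: bind the keygen seed to hierarchy seed + template."""
    context_u = hashlib.sha256(template).digest()
    return kdfa("sha256", primary_seed, label, context_u, b"", 256)


# Constructed sample values, not real TPM data.
OWNER_SEED = bytes(range(32))
OTHER_SEED = bytes(range(1, 33))
TEMPLATE_A = b"alg=ML-DSA-65;attrs=sign|fixedTPM;unique="
TEMPLATE_B = b"alg=ML-DSA-87;attrs=sign|fixedTPM;unique="


def recovered_after_restart():
    """Same seed + same template gives the same keygen seed on every boot."""
    first_boot = derive_keygen_seed(OWNER_SEED, TEMPLATE_A)
    second_boot = derive_keygen_seed(OWNER_SEED, TEMPLATE_A)
    return first_boot == second_boot


if __name__ == "__main__":
    print("recovered after restart:", recovered_after_restart())
    print("seed A:", derive_keygen_seed(OWNER_SEED, TEMPLATE_A).hex())
    print("seed B:", derive_keygen_seed(OWNER_SEED, TEMPLATE_B).hex())
```

Because nothing but the primary seed and the template enters the derivation, a primary key never has to be stored: recreating it with the same template after a cold boot yields the same key, while a different template or a changed hierarchy seed yields an unrelated one.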

Firmware TPM vs Hardware TPM

 | fTPM (Software) | Hardware TPM
PQC availability | Now (wolfTPM) | Years away
Board redesign needed | No | Yes (new chip)
Cost per unit | $0 (software) | $1–$5+ (BOM)
Tamper resistance | Software-based | Physical
Bare-metal support | Yes | Yes
FIPS crypto path | Yes (wolfCrypt) | Vendor-dependent
Full TPM 2.0 API | Yes | Yes

A firmware TPM is not a replacement for a hardware TPM in high-assurance environments that require physical tamper resistance. It is the right choice when a discrete chip is not available, not practical, or when you need PQC today without waiting for silicon vendors to catch up.

Target Platforms

wolfTPM’s fTPM with PQC support runs on:

  • ARM Cortex-M33 bare-metal (STM32L5, STM32U5, and similar TrustZone-capable MCUs)
  • STM32 secure enclaves and TrustZone-M partitions
  • Linux (user-space daemon with mssim or /dev/tpm0 interface)
  • Any POSIX-capable target (FreeBSD, QNX, VxWorks)
  • RTOS environments (FreeRTOS, Zephyr, ThreadX) via wolfSSL’s RTOS abstraction layer

Ready to Be First to Ship PQC in Firmware?

wolfTPM fTPM with post-quantum support is in active development. You can follow the implementation in the pull request: wolfSSL/wolfTPM#445: TPM 2.0 v1.85 Post-Quantum Support.
We’re working with customers now for early access, integration support, and design consultation on how best to deploy a firmware TPM with quantum-safe algorithms.
If your product roadmap includes PQC migration, or if you’re designing a product today that needs to survive into the quantum era, get in touch.

Contact us at facts@wolfssl.com

Watch this space for the full announcement, implementation details, and our companion blog post on TPM 2.0 v1.85 post-quantum support in the wolfTPM client library.

If you have questions about any of the above, please contact us at +1 425 245 8247

Download wolfSSL Now