Verifying TPM Endorsement Certificates with wolfTPM

We’re excited to share a new feature added to wolfTPM: a lightweight example for verifying TPM Endorsement Key (EK) Certificates without wolfCrypt.

The new example, `verify_ek_cert`, retrieves the EK certificate stored in the TPM’s non-volatile memory and verifies it. It supports TPMs such as the Infineon SLB9672/SLB9673 and the STMicro ST33 series, validating their RSA-signed EK certificates against the manufacturer’s public CA certificate. Verifying the EK certificate is essential for secure boot, remote attestation, and provisioning in trusted systems.

Highlights:

  • Reads EK cert from NV memory (Index: 0x1C00002)
  • Parses and validates the X.509 certificate
  • Verifies hash and signature using CA public key
  • Confirms TPM identity and trustworthiness

This example uses minimal ASN.1 parsing to reduce code size and avoid a dependency on wolfCrypt. This approach is especially valuable for DO-178C certification efforts, where low complexity and traceability are critical. wolfTPM remains the only TPM 2.0 stack specifically designed for bare-metal environments with a minimal code footprint, making it ideal for embedded, safety-critical systems.
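To show what "minimal ASN.1 parsing" amounts to, here is an added example (not wolfTPM's own code): a small DER TLV walker that splits an X.509 certificate into the tbsCertificate bytes the CA signed, the signature algorithm, and the signature value, handling the long-form lengths an EK certificate uses and rejecting truncated or non-minimal input. The certificate it parses is a constructed stand-in built by build_sample_cert, not a real EK certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct { const uint8_t* p; size_t len; } der_span;
/* Decode one DER TLV at buf[0..n): out = content, returns bytes consumed, 0 if malformed. */
static size_t der_tlv(const uint8_t* buf, size_t n, uint8_t tag, der_span* out)
{
    size_t i = 0, len, lenBytes, k;
    if (n < 2 || buf[i++] != tag) return 0;
    len = buf[i++];
    if (len & 0x80) {                            /* long form: 0x81..0x84, then big-endian length */
        lenBytes = len & 0x7F;
        if (lenBytes == 0 || lenBytes > 4 || lenBytes > n - i) return 0;
        for (len = 0, k = 0; k < lenBytes; k++) len = (len << 8) | buf[i++];
        if (len < 0x80) return 0;                /* DER requires the minimal length encoding */
    }
    if (len > n - i) return 0;                   /* content would run past the buffer */
    out->p = buf + i; out->len = len;
    return i + len;
}
/* Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue
 * BIT STRING }. tbs spans the whole tbs TLV (the bytes the CA hashed and signed); alg and sig are
 * content only. Returns 0 on success, a negative code on malformed input. */
int split_cert(const uint8_t* der, size_t derSz, der_span* tbs, der_span* alg, der_span* sig)
{
    der_span cert; const uint8_t* q; size_t left, used;
    if (der_tlv(der, derSz, 0x30, &cert) != derSz) return -1;   /* outer SEQUENCE must fill buffer */
    q = cert.p; left = cert.len;
    if ((used = der_tlv(q, left, 0x30, tbs)) == 0) return -2;
    tbs->p = q; tbs->len = used; q += used; left -= used;        /* widen tbs to tag + length + content */
    if ((used = der_tlv(q, left, 0x30, alg)) == 0) return -3;
    q += used; left -= used;
    if ((used = der_tlv(q, left, 0x03, sig)) == 0 || used != left) return -4; /* sig must be last */
    if (sig->len < 2 || sig->p[0] != 0) return -5;               /* BIT STRING: 0 unused bits */
    sig->p++; sig->len--; return 0;
}
/* Constructed sample, NOT a real EK cert: the 256 filler bytes stand in for an RSA-2048 signature,
 * so the outer SEQUENCE and the BIT STRING both need the 0x82 long-form length real EK certs use. */
size_t build_sample_cert(uint8_t* out, size_t cap)
{
    static const uint8_t head[] = {
        0x30,0x03,0x02,0x01,0x05,                                          /* tbs: SEQUENCE { INTEGER 5 } */
        0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,  /* alg: sha256WithRSAEncryption */
        0x03,0x82,0x01,0x01,0x00 };                                        /* sig: BIT STRING, 257 bytes */
    size_t body = sizeof head + 256;                                       /* 279 = 0x0117 */
    if (cap < body + 4) return 0;
    out[0] = 0x30; out[1] = 0x82; out[2] = (uint8_t)(body >> 8); out[3] = (uint8_t)body;
    memcpy(out + 4, head, sizeof head);
    memset(out + 4 + sizeof head, 0xAB, 256);                              /* filler, not a signature */
    return 4 + body;                                                       /* 283 */
}
```

The tbs span is what gets hashed and compared against the RSA-decrypted signature value using the CA public key; that step is the only part still needing an RSA primitive.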

To try it:

$ git clone https://github.com/wolfSSL/wolfTPM.git
$ cd wolfTPM
$ ./configure --disable-wolfcrypt && make
$ ./examples/endorsement/verify_ek_cert

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
