wolfSPDM migration to wolfTPM/spdm with Nuvoton and spdm-emu support #458
aidangarske wants to merge 1 commit into wolfSSL:master from
Conversation
Pull request overview
This pull request migrates the standalone wolfSPDM library (~7.9K lines) into wolfTPM as an in-tree spdm/ subdirectory, eliminating the external dependency and simplifying the build to a single --enable-spdm configure flag. The PR adds full SPDM 1.2/1.3 protocol support for encrypted TPM communication with both standard SPDM responders (libspdm emulator) and Nuvoton NPCT75x hardware TPMs.
Changes:
- Adds wolfSPDM library in spdm/ with Algorithm Set B (P-384, SHA-384, AES-256-GCM)
- Integrates SPDM transport into wolfTPM with 13 new wrapper APIs and transparent command encryption
- Provides demo application with automated test suite for emulator and Nuvoton hardware
- Updates build system with --enable-spdm flag and CI workflows
Reviewed changes
Copilot reviewed 38 out of 39 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| configure.ac | Adds --enable-spdm configuration with Nuvoton and dynamic memory options |
| Makefile.am / include files | Integrates SPDM build into automake system |
| wolftpm/tpm2_spdm.h | New header defining SPDM integration API and constants |
| wolftpm/tpm2_wrap.h | Adds 13 SPDM wrapper functions to public API |
| wolftpm/tpm2.h | Adds SPDM protocol constants and NTC2 vendor command support |
| src/tpm2_spdm.c | Implements SPDM context management and secured exchange |
| src/tpm2_wrap.c | Implements SPDM wrapper APIs and auto-SPDM detection |
| src/tpm2.c | Adds transparent SPDM routing in TPM2_SendCommand paths |
| spdm/wolfspdm/*.h | Public wolfSPDM headers (types, errors, Nuvoton support) |
| spdm/src/*.c | Core wolfSPDM implementation (context, crypto, sessions, secured messaging) |
| examples/spdm/* | Demo application and test scripts for emulator and hardware |
| tests/unit_tests.c | Adds SPDM API unit tests |
| .github/workflows/* | New CI workflow for emulator testing and SPDM build matrix |
| zephyr/CMakeLists.txt | Excludes tpm2_spdm.c from Zephyr builds |
Pull request overview
Copilot reviewed 38 out of 39 changed files in this pull request and generated no new comments.
Pull request overview
Copilot reviewed 39 out of 40 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (3)
zephyr/CMakeLists.txt:1
- The filter patterns use double backslash escaping which is unnecessary in CMake regex strings. Single backslash is sufficient for escaping the dot character.
wolftpm/tpm2_wrap.h:1
- The acHandleCount and acHandles fields are added to WOLFTPM2_CAPS but are never populated or used in the provided code. If these are reserved for future use, add a comment explaining this. Otherwise, consider removing them until they're actually needed.
src/tpm2_swtpm.c:1
- The conditional includes replace the original #ifdef HAVE_NETDB_H guard with #ifndef WOLFTPM_ZEPHYR. This changes the portability logic - the original guard checked for actual header availability, while the new guard only excludes Zephyr. Consider using #if !defined(WOLFTPM_ZEPHYR) && defined(HAVE_NETDB_H) to preserve both checks.
Pull request overview
Copilot reviewed 39 out of 40 changed files in this pull request and generated 4 comments.
Pull request overview
Copilot reviewed 39 out of 40 changed files in this pull request and generated no new comments.
b684e06 to e56719c
Description
Migrates the standalone wolfSPDM library into wolfTPM as an in-tree spdm/ subdirectory (~7.9K lines). This eliminates the external dependency and simplifies the build to a single --enable-spdm configure flag.

wolfSPDM Library (spdm/)
- spdm_responder_emu for testing
- (--enable-spdm-dynamic-mem)
- (spdm/test/unit_test.c)

wolfTPM Integration (src/tpm2_spdm.c, src/tpm2_wrap.c)
- wolfTPM2_Spdm*() wrapper API functions in tpm2_wrap.h
- TPM2_SendCommand() — when an SPDM session is active, all TPM commands are automatically encrypted

SPDM Demo (examples/spdm/)
- spdm_demo.c: Full-featured example supporting emulator and Nuvoton hardware modes
- spdm_test.sh: Automated test script with --emu (6 tests) and --nuvoton (6 tests) modes

Build & CI
- --enable-spdm configure flag builds wolfSPDM in-tree (no external --with-wolfspdm needed)
- --enable-spdm-dynamic-mem for heap allocation instead of static buffers
- --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
- spdm-emu-test.yml — builds and runs emulator tests against libspdm spdm_responder_emu
- make-test-swtpm.yml matrix

Test plan
- --enable-spdm --enable-nuvoton (static mem)
- --enable-spdm --enable-spdm-dynamic-mem --enable-nuvoton (dynamic mem)
- --enable-spdm (no breakage)
- spdm_test.sh --emu — 6/6 pass (static + dynamic mem)
- spdm_test.sh --nuvoton — 6/6 pass on hardware (static + dynamic mem)
- spdm-emu-test.yml passing and tested