wolfSPDM migration to wolfTPM/spdm with Nuvoton and spdm-emu support

.github/workflows/make-test-swtpm.yml

@@ -75,6 +75,24 @@ jobs:
           # STMicro ST33KTPM2
           - name: st33ktpm2 firmware
             wolftpm_config: --enable-st33 --enable-firmware
+          # SPDM (emulator mode, compile + unit test)
+          - name: spdm
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-swtpm
+          # SPDM + Nuvoton (compile-only, no hardware in CI)
+          - name: spdm-nuvoton
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nuvoton
+            needs_swtpm: false
+          # SPDM dynamic memory
+          - name: spdm-dynamic-mem
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-swtpm --enable-spdm-dynamic-mem
+          # SPDM debug
+          - name: spdm-debug
+            wolfssl_config: --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+            wolftpm_config: --enable-spdm --enable-nuvoton --enable-debug
+            needs_swtpm: false
           # Microchip
           - name: microchip
             wolftpm_config: --enable-microchip

.github/workflows/spdm-emu-test.yml

@@ -0,0 +1,76 @@
+name: SPDM Emulator Integration Test
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+    paths: [ 'spdm/**', 'src/tpm2_spdm.c', 'examples/spdm/**' ]
+  pull_request:
+    branches: [ '*' ]
+    paths: [ 'spdm/**', 'src/tpm2_spdm.c', 'examples/spdm/**' ]
+
+jobs:
+  spdm-emu-test:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-22.04
+            arch: x64
+          - os: ubuntu-24.04
+            arch: x64
+          - os: ubuntu-24.04-arm
+            arch: aarch64
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout wolfTPM
+        uses: actions/checkout@v4
+
+      - name: Cache wolfSSL
+        id: cache-wolfssl
+        uses: actions/cache@v4
+        with:
+          path: wolfssl
+          key: wolfssl-spdm-${{ matrix.os }}-${{ hashFiles('.github/workflows/spdm-emu-test.yml') }}
+
+      - name: Build wolfSSL
+        if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+        run: |
+          git clone --depth 1 https://github.com/wolfSSL/wolfssl.git
+          cd wolfssl
+          ./autogen.sh
+          ./configure --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+          make -j$(nproc)
+
+      - name: Install wolfSSL
+        run: |
+          cd wolfssl
+          sudo make install
+          sudo ldconfig
+
+      - name: Cache spdm-emu
+        id: cache-spdm-emu
+        uses: actions/cache@v4
+        with:
+          path: spdm-emu/build/bin
+          key: spdm-emu-${{ matrix.os }}-${{ hashFiles('.github/workflows/spdm-emu-test.yml') }}
+
+      - name: Build spdm-emu
+        if: steps.cache-spdm-emu.outputs.cache-hit != 'true'
+        run: |
+          git clone --depth 1 --recursive https://github.com/DMTF/spdm-emu.git
+          cd spdm-emu
+          mkdir build && cd build
+          cmake -DARCH=${{ matrix.arch }} -DTOOLCHAIN=GCC -DTARGET=Release -DCRYPTO=mbedtls ..
+          make copy_sample_key
+          make -j$(nproc)
+
+      - name: Build wolfTPM with SPDM
+        run: |
+          ./autogen.sh
+          ./configure --enable-spdm --enable-swtpm --enable-debug
+          make -j$(nproc)
+
+      - name: Run SPDM emulator tests
+        run: |
+          export SPDM_EMU_PATH=$PWD/spdm-emu/build/bin
+          ./examples/spdm/spdm_test.sh --emu

.gitignore

@@ -87,6 +87,7 @@ examples/firmware/ifx_fw_update
 examples/firmware/st33_fw_update
 examples/endorsement/get_ek_certs
 examples/endorsement/verify_ek_cert
+examples/spdm/spdm_demo
 
 # Generated Cert Files
 certs/ca-*.pem
@@ -176,10 +177,18 @@ UpgradeLog.htm
 /IDE/Espressif/**/sdkconfig
 /IDE/Espressif/**/sdkconfig.old
 
+# SPDM build artifacts
+spdm/wolfspdm/options.h
+spdm/config.h
+spdm/stamp-h1
+spdm/src/.libs/
+spdm/src/.deps/
+spdm/test/.libs/
+spdm/test/unit_test
+
 # Firmware files
 examples/firmware/*.fi
 examples/firmware/*.BIN
 examples/firmware/*.DATA
 examples/firmware/*.MANIFEST
 examples/firmware/*.MANIFESTHASH
-

Makefile.am

@@ -46,6 +46,7 @@ include tests/include.am
 include docs/include.am
 include wrapper/include.am
 include hal/include.am
+include spdm/include.am
 include cmake/include.am
 include zephyr/include.am
 

configure.ac

@@ -22,6 +22,7 @@ AC_CANONICAL_HOST
 AC_CANONICAL_TARGET
 AC_CONFIG_MACRO_DIR([m4])
 
+
 AM_INIT_AUTOMAKE([1.11 -Wall -Werror -Wno-portability foreign tar-ustar subdir-objects no-define color-tests])
 
 AC_ARG_PROGRAM
@@ -462,6 +463,52 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_PROVISIONING"
 fi
 
+# SPDM Support
+AC_ARG_ENABLE([spdm],
+    [AS_HELP_STRING([--enable-spdm],[Enable SPDM support (default: disabled)])],
+    [ ENABLED_SPDM=$enableval ],
+    [ ENABLED_SPDM=no ]
+    )
+
+AC_ARG_WITH([wolfspdm],
+    [AS_HELP_STRING([--with-wolfspdm=PATH],[DEPRECATED: Use --enable-spdm instead.])],
+    [AC_MSG_ERROR([--with-wolfspdm is no longer needed. Use --enable-spdm instead.])])
+
+# SPDM dynamic memory (default: static/zero-malloc)
+AC_ARG_ENABLE([spdm-dynamic-mem],
+    [AS_HELP_STRING([--enable-spdm-dynamic-mem],[SPDM: Use heap allocation for context (default: static)])],
+    [ ENABLED_SPDM_DYNMEM=$enableval ],
+    [ ENABLED_SPDM_DYNMEM=no ]
+    )
+
+if test "x$ENABLED_SPDM" = "xyes"
+then
+    AC_DEFINE([WOLFTPM_SPDM], [1], [Enable SPDM support])
+
+    # Add spdm/ include path so all targets can find <wolfspdm/spdm.h>
+    AM_CPPFLAGS="$AM_CPPFLAGS -I\$(srcdir)/spdm"
+
+    # Nuvoton SPDM support
+    if test "x$ENABLED_NUVOTON" = "xyes"
+    then
+        if test "x$ENABLED_SWTPM" = "xyes"
+        then
+            AC_MSG_ERROR([Cannot enable both swtpm and nuvoton with SPDM. Use --enable-swtpm --enable-spdm for emulator testing, or --enable-nuvoton --enable-spdm for hardware.])
+        fi
+        AC_DEFINE([WOLFSPDM_NUVOTON], [1], [Enable SPDM Nuvoton TPM support])
+        AC_MSG_NOTICE([Nuvoton SPDM vendor commands enabled])
+    fi
+
+    if test "x$ENABLED_SPDM_DYNMEM" = "xyes"
+    then
+        AC_DEFINE([WOLFSPDM_DYNAMIC_MEMORY], [1], [SPDM: Enable dynamic memory allocation])
+    fi
+
+    if test "x$ax_enable_debug" != "xno"
+    then
+        AC_DEFINE([WOLFSPDM_DEBUG], [1], [SPDM: Enable debug output])
+    fi
+fi
 
 # HARDEN FLAGS
 AX_HARDEN_CC_COMPILER_FLAGS
@@ -493,6 +540,7 @@ AM_CONDITIONAL([BUILD_CHECKWAITSTATE], [test "x$ENABLED_CHECKWAITSTATE" = "xyes"
 AM_CONDITIONAL([BUILD_AUTODETECT], [test "x$ENABLED_AUTODETECT" = "xyes"])
 AM_CONDITIONAL([BUILD_FIRMWARE], [test "x$ENABLED_FIRMWARE" = "xyes"])
 AM_CONDITIONAL([BUILD_HAL], [test "x$ENABLED_EXAMPLE_HAL" = "xyes" || test "x$ENABLED_MMIO" = "xyes"])
+AM_CONDITIONAL([BUILD_SPDM], [test "x$ENABLED_SPDM" = "xyes"])
 
 
 CREATE_HEX_VERSION
@@ -578,6 +626,10 @@ for option in $OPTION_FLAGS; do
     fi
 done
 
+# Also capture SPDM defines from config.h (set via AC_DEFINE, not AM_CFLAGS)
+grep '^#define WOLFSPDM_' src/config.h >> $OPTION_FILE 2>/dev/null || true
+grep '^#define WOLFTPM_SPDM' src/config.h >> $OPTION_FILE 2>/dev/null || true
+
 echo "" >> $OPTION_FILE
 echo "#ifdef __cplusplus" >> $OPTION_FILE
 echo "}" >> $OPTION_FILE
@@ -622,3 +674,7 @@ echo "   * Nuvoton NPCT75x:           $ENABLED_NUVOTON"
 
 echo "   * Runtime Module Detection:  $ENABLED_AUTODETECT"
 echo "   * Firmware Upgrade Support:  $ENABLED_FIRMWARE"
+echo "   * SPDM Support:              $ENABLED_SPDM"
+if test "x$ENABLED_SPDM" = "xyes"; then
+    echo "   * SPDM Dynamic Mem:          $ENABLED_SPDM_DYNMEM"
+fi

examples/include.am

@@ -18,6 +18,7 @@ include examples/seal/include.am
 include examples/attestation/include.am
 include examples/firmware/include.am
 include examples/endorsement/include.am
+include examples/spdm/include.am
 
 if BUILD_EXAMPLES
 EXTRA_DIST += examples/run_examples.sh

examples/spdm/README.md

@@ -0,0 +1,90 @@
+# SPDM Examples
+
+This directory contains examples demonstrating SPDM (Security Protocol and Data Model)
+functionality with wolfTPM.
+
+## Overview
+
+The SPDM demo (`spdm_demo`) shows how to establish an SPDM secure session between
+the host and a TPM using the built-in wolfSPDM library. It supports both the standard
+spdm-emu emulator and Nuvoton hardware TPMs.
+
+For real SPDM support on hardware TPMs, contact **[email protected]**
+
+## Example
+
+### `spdm_demo.c` - SPDM Secure Session Demo
+
+**Quick test (emulator — starts/stops automatically):**
+
+```bash
+./examples/spdm/spdm_test.sh --emu
+```
+
+Runs session establishment, signed measurements, unsigned measurements,
+challenge authentication, heartbeat, and key update.
+
+**Quick test (Nuvoton hardware):**
+
+```bash
+./examples/spdm/spdm_test.sh --nuvoton
+```
+
+Runs connect, lock, caps-over-SPDM, unlock, and cleartext verification.
+
+**Manual commands:**
+
+```bash
+# Emulator (start spdm_responder_emu first, see spdm/README.md)
+./spdm_demo --emu                  # Session only
+./spdm_demo --meas                 # Session + signed measurements
+./spdm_demo --meas --no-sig        # Session + unsigned measurements
+./spdm_demo --challenge            # Sessionless challenge authentication
+./spdm_demo --emu --heartbeat      # Session + heartbeat keep-alive
+./spdm_demo --emu --key-update     # Session + key rotation
+
+# Nuvoton hardware
+./spdm_demo --enable               # Enable SPDM on TPM (one-time, requires reset)
+./spdm_demo --connect --status     # Connect + get SPDM status
+./spdm_demo --connect --lock       # Connect + lock SPDM-only mode
+./spdm_demo --connect --caps       # Connect + run TPM commands over SPDM
+./spdm_demo --connect --unlock     # Connect + unlock SPDM-only mode
+```
+
+## Building
+
+### Prerequisites
+
+Build wolfSSL with the cryptographic algorithms required by SPDM:
+
+```bash
+# wolfSSL (needs ECC P-384, SHA-384, AES-GCM, HKDF for SPDM)
+cd wolfssl
+./autogen.sh
+./configure --enable-wolftpm --enable-ecc --enable-sha384 --enable-aesgcm --enable-hkdf --enable-sp
+make && sudo make install && sudo ldconfig
+```
+
+### wolfTPM with SPDM
+
+SPDM support is built into wolfTPM (no external wolfSPDM needed):
+
+```bash
+cd wolfTPM
+./autogen.sh
+./configure --enable-spdm
+make
+```
+
+For Nuvoton hardware TPMs, add `--enable-nuvoton`:
+
+```bash
+./configure --enable-spdm --enable-nuvoton
+make
+```
+
+## Support
+
+For production use with hardware TPMs and full SPDM protocol support, contact:
+
+**[email protected]**

examples/spdm/include.am

@@ -0,0 +1,18 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+
+if BUILD_EXAMPLES
+if BUILD_SPDM
+noinst_PROGRAMS += examples/spdm/spdm_demo
+
+examples_spdm_spdm_demo_SOURCES         = examples/spdm/spdm_demo.c
+examples_spdm_spdm_demo_LDADD           = src/libwolftpm.la $(LIB_STATIC_ADD)
+examples_spdm_spdm_demo_DEPENDENCIES    = src/libwolftpm.la
+examples_spdm_spdm_demo_CFLAGS          = $(AM_CFLAGS) -I$(srcdir)/spdm
+endif
+endif
+
+example_spdmdir = $(exampledir)/spdm
+dist_example_spdm_DATA = examples/spdm/spdm_demo.c
+
+DISTCLEANFILES+= examples/spdm/.libs/spdm_demo