Brief comparison of the existing TPM2.0 libraries

    • This is a comparison of key features in the available open-source stacks for using Trusted Platform Modules(TPM).

    TPMs are the most widely available TPM in modern computer systems and it is increasingly seeing adoption for IoT devices and various Embedded Systems. The communication between the TPM and the MCU happens using I2C or SPI bus. Adding a TPM to your systems enables functionalities beyond Secure Boot, such as attestation and TPM seal/unseal.

    The main difference between the available TPM stacks is the choice of API interface and environment support. Most stacks are meant to be used in a RichOS environment, such as Linux or Microsoft Windows. Our embedded systems TPM, wolfTPM, has no external dependencies and can be run as part of RTOS or bare metal application, such as medical solutions controlled by a state machine and industrial controllers run in super-loop. 

    As mentioned, another notable difference can be found in the API approach. The TSS2 stack created originally by Intel follows strictly the Trusted Computing Group (TCG) specification. Interestingly, the recently added FAPI layer is an abstraction on top of the already existing ESAPI layer, that is an API of the API to offer rich functionalities. WolfTPM took a different approach and allows writing applications with fewer lines of code and complications by using API wrappers. At the same time, wolfTPM, Go-TPM and the IBM TSS all offer API to call TPM commands. 

    TPM stack  Interface(s) 

    Attestation server

    or examples*

    		 Operating Systems
    Bare metal Linux  Win 
    Infineon/Intel TSS2 ESAPI and FAPI

    from the TCG specification

    		 No  Maybe  Yes  Yes 
    IBM TPM2.0 TSS  Own API exposing 

    1:1 TPM commands 

    		 Yes  No  Yes  Yes 
    Google Go-TPM  1:1 TPM commands 

    + mild layer on top  

    		 Yes  No  Yes  Yes 
    wolfSSL WolfTPM  Rich API (wrappers) 

    + 1:1 TPM commands 

    		 Yes  Yes  Yes  Yes 

     

    (*) There is a separate project called “CHARRA” by Frauhofer that uses the Infineon/Intel TSS2 for Remote Attestation. The other stacks directly link to own attestation servers or examples. IBM offer “ACS” on Sourceforge and Google have “Go-Attestation” available on GitHub, while “wolfTPM” offers Time and local attestation examples directly in its open-source code.  

    Three of the four stacks are written in C and only Google's stack is written in GoLang.  

    If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.