This is a major version for wolfTPM. We are excited for this release because it includes some really excellent new features and fixes!
Secure Boot Examples:
This release adds new examples for secure boot. See examples/boot/README.md for details.
We added a new secret sealing/unsealing example based on an externally signed policy. This is a complex use-case showing how to seal a secret based on a policy that is externally signed. The seal operation uses a public key. The private key associated with it is used to sign a policy to allow unsealing that secret. These examples use PCR registers, however there are other policy methods supported by the TPM. See secret_seal and secret_unseal.
We also added an example for anchoring a root of trust in the TPM using an NV in the platform hierarchy and optional NV lock feature. See secure_rot.
Support for ECC Parameter Encryption / Secrets:
We added support for encrypting secrets using ECC key. Allows using ECC for parameter encryption and importing ECC keys with custom seed. (See PR 276)
Authentication Refactor:
This release adds command information including the specific authentication requirements. If a command expects authentication and it is not provided the wolfTPM library will warn (if using –enable-debug). Likewise if a command does not use authentication it will automatically exclude it. If additional authenticated session(s) are available like HMAC or policy it will be included. The user is still required to set the correct session index.
HAL Improvements:
We have refactored the HAL to make it available with the library, not just in the examples. HAL support for Microchip Harmony SPI has been added. The STM32 I2C support has been fixed and performance improved. We added support for memory mapped (MMIO) found on Intel hardware.
PEM support:
We have added new API’s for making it easy to import and load PEM or DER/ASN.1 encoded ECC or RSA keys (private or public).
See “wolfTPM2_ImportPrivateKeyBuffer” and “wolfTPM2_ImportPublicKeyBuffer”
Security Best Practices:
We have added a new API “wolfTPM2_ChangePlatformAuth” to help set the platform authentication. This is useful during the boot phase to prevent access to the platform. Typically a random value is used, since this auth is cleared on reset or power cycle.
Testing has been greatly expanded in this release for our examples including greater use/support of -aes/-xor options for parameter encryption. See examples/run_examples.sh.
Full wolfTPM v3.0.0 Change Log:
Summary
Refactor of command authentication. Support for ECC sessions and secrets. Support for policy sealing/unsealing. Examples for secure boot.
Detail
- Refactor of the command authentication. If command does not require auth do not supply it (PR #305)
- Refactor HAL and added Microchip Harmony SPI HAL support (PR #251)
- Relocate crypto callback code to its own code file (PR #304)
- Fixed using a custom wolfTPM CSR sigType (PR #307)
- Fixed support for ECC 384-bit only support (PR #307)
- Fixed issue with using struct assignment (switched to memcpy) (PR #303)
- Fixed various issues building with C++ compiler (PR #303)
- Fixed issues with STM32 I2C build and improved performance (PR #302)
- Fixed seal with RSA and PCR extend auth. (PR #296)
- Fixed issue including user_settings.h when –disable-wolfcrypt set (PR #285)
- Fixed TPM private key import with custom seed (PR #281)
- Fixed autogen.sh (autoconf) to generate without warnings (PR #279)
- Fixed TPM2 create with decrypt or restricted flag set (PR #275)
- Fixed and improved low resource build options (PR #269)
- Fixed the TPM_E_COMMAND_BLOCKED macro to have the correct value (PR #257)
- Fixed casting and unused variable problems on windows (PR #255)
- Fixed Linux usage of cs_change and added config overrides (PR #268)
- Fixed and improved the NV auth and session auth set/unset (PR #299)
- Fixed capability to handle unknown TPM2_GetCapability type and fix bad printf (PR #293)
- Fixed macros for file IO XFEOF and XREWIND to make sure they are available (PR #277)
- Fixed seal/unseal example (PR #306)
- Fixed TLS examples with param enc enabled (PR #306)
- Fixed signed_timestamp with ECC (PR #306)
- Added CI tests for CSharp wrappers (PR #307)
- Added support for sealing/unsealing based on a PCR that is signed externally (PR #294)
- Added examples for Secure Boot solution to store root of trust in NV (PR’s #276, #289, #291 and #292)
- Added support for importing and loading public ECC/RSA keys formatted as PEM or DER (PR #290)
- Added new policy_nv example (PR #298)
- Added -nvhandle argument to nvram examples (PR #296)
- Added code to test external import between two TPM’s (PR #288)
- Added support for STM32 Cube Expansion Pack (PR #287)
- Added support memory mapped (MMIO) TPM’s (PR #271)
- Added wc_SetSeed_Cb call for FIPS ecc (PR #270)
- Added wrapper support for setting key usage (not just extended key usage) (PR #307)
- Added RSA key import methods to handle PEM and DER encoding directly (PR #252)
- Added thread local storage macro and make gActiveTPM local to the thread (PR #253)
- Added Microchip macro names and Support for bench with MPLABX Harmony (PR #256)
- Added support for encrypting secret using ECC key (PR #276)
- Added wolfTPM2_ChangePlatformAuth wrapper to help set the platform auth (PR #276)
- Improvements to CMake build (PR’s #280, #283 and #284)
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now