wolfSSL/wolfTPM

GitHub: wolfSSL/wolfTPM

A portable TPM 2.0 library and firmware implementation providing trusted computing and hardware-backed key protection for embedded platforms.

Stars: 318 | Forks: 82

# wolfTPM (TPM 2.0)

Portable TPM 2.0 project designed for embedded use.

## Project Features

* This implementation provides all TPM 2.0 API's in compliance with the specification.
* Wrappers provided to simplify key generation/loading, RSA encrypt/decrypt, ECC sign/verify, ECDH, NV, hash/HMAC, AES, sealing/unsealing, attestation, PCR extend/quote and secure root of trust.
* Testing done using the following TPM 2.0 modules: STMicro ST33 (SPI/I2C), Infineon OPTIGA SLB9670/SLB9672/SLB9673, Microchip ATTPM20, Nations Tech Z32H330TC/NS350 and Nuvoton NPCT650/NPCT750.
* wolfTPM uses the TPM Interface Specification (TIS) to communicate over SPI or a memory-mapped I/O range.
* On Linux, wolfTPM auto-detects at runtime whether to use the kernel TPM driver (`/dev/tpmX`) or direct SPI access, so a plain `./configure && make` works with either interface.
* wolfTPM can also use the Linux TPM kernel interface (`/dev/tpmX`) to talk to any physical TPM, whether it is attached over SPI, I2C or even LPC.
* Platform support includes: Raspberry Pi (Linux), MMIO, STM32 with CubeMX, Atmel ASF, Xilinx, QNX, Infineon TriCore and Barebox.
* Designed for easy portability to different platforms:
  * Native C code designed for embedded use.
  * Single I/O callback for hardware SPI interface.
  * No external dependencies.
  * Compact code size and minimal memory use.
* Includes example code for:
  * Most TPM2 native API's
  * All TPM2 wrapper API's
  * PKCS 7
  * Certificate Signing Request (CSR)
  * TLS Client
  * TLS Server
  * Non-volatile memory storage using the TPM
  * Attestation (activate and make credential)
  * Benchmarking TPM algorithms and TLS
  * Key generation (primary, RSA/ECC and symmetric), loading and storing to flash (NV memory)
  * Sealing and unsealing data with an RSA key or an externally signed policy
  * Signed timestamp or set time
  * PCR read/reset
  * GPIO configuration, read and write
  * Endorsement key/certificate retrieval and validation
* Parameter encryption support using AES-CFB or XOR
* Salted unbound authenticated sessions support
* HMAC sessions support
* Support for reading the endorsement certificate (EK Credential Profile)
* Includes a portable firmware TPM 2.0 implementation (fwTPM) for embedded platforms without a discrete TPM chip. See [Firmware TPM (fwTPM)](#firmware-tpm-fwtpm) below.

Note: See [examples/README.md](examples/README.md) for details on using the examples.

## Firmware TPM (fwTPM)

wolfTPM includes a portable firmware TPM 2.0 implementation (`fwtpm_server`) built entirely on wolfCrypt. It provides a specification-compliant TPM 2.0 command processor that can stand in for a hardware TPM on embedded platforms without a discrete TPM chip, or serve as a drop-in development and CI/CD replacement for external simulators such as swtpm or the Microsoft TPM simulator.

Features:

* Implements 105 TPM 2.0 commands (93% of the v1.38 specification), using wolfCrypt for cryptography (RSA, ECC, SHA, AES, HMAC)
* Socket transport (Microsoft TPM simulator protocol) compatible with `tpm2-tools` and the wolfTPM examples
* TIS register-level transport over shared memory or SPI/I2C for bare-metal integration
* HAL abstraction layer for porting I/O transport and NV storage
* File-based or custom NV storage via HAL callbacks
* Compile-time algorithm and feature selection (e.g. `NO_RSA`, `FWTPM_NO_NV`)
* `WOLFTPM_SMALL_STACK` support for resource-constrained environments

See [docs/FWTPM.md](docs/FWTPM.md) for build instructions, configuration and API reference.

## TPM 2.0 Overview

### Hierarchies

```
Platform    TPM_RH_PLATFORM
Owner       TPM_RH_OWNER
Endorsement TPM_RH_ENDORSEMENT
```

Each hierarchy has its own manufacturer-generated seed. The parameters used with `TPM2_Create` or `TPM2_CreatePrimary` form a template that is fed to a KDF to derive the same key from that hierarchy's seed. The resulting key is identical every time, even across reboots, so anyone who knows the template can regenerate the same public key on that TPM (the private part never leaves the TPM). Generating a new RSA 2048-bit key can take several seconds, up to around 15 seconds on some modules (see the benchmarks below). Typically these keys are created once and stored in NV via `TPM2_EvictControl`. Each TPM generates its own keys independently from its seeds.

There is also an ephemeral hierarchy (`TPM_RH_NULL`), which can be used to create temporary keys.

### Platform Configuration Registers (PCRs)

Contain hash digests for SHA-1 and SHA-256, indexed 0-23. A PCR cannot be written directly; it can only be extended (`PCR_new = H(PCR_old || measurement)`), so the final value commits to every measurement and to their order. These digests are extended during boot to prove the integrity of the boot sequence (secure boot).

### Terminology

This project uses the terms "append" vs. "marshall" and "parse" vs. "unmarshall".

Abbreviations:

* HAL: Hardware Abstraction Layer
* NV: Non-Volatile memory
* TPM: Trusted Platform Module

## Platform

The examples in this library are written for use on a Raspberry Pi using the `spi_dev` interface.

### I/O Callback (HAL)

See the HAL manual in [hal/README.md](hal/README.md).

A single HAL callback is used to interface with your hardware (SPI/I2C); it is configured during initialization when calling `TPM2_Init` or `wolfTPM2_Init`.

The `hal` directory contains HAL examples for the following platforms:

* Atmel ASF
* BareBox
* Espressif ESP-IDF
* Infineon TriCore
* Linux
* STM32 CubeMX
* Xilinx

We also support an advanced I/O option (`--enable-advio`/`WOLFTPM_ADV_IO`), which adds the register address and a read/write flag to the I/O callback arguments. This is required for I2C support.

### Hardware

Tested with:

* Infineon OPTIGA (TM) Trusted Platform Module 2.0 SLB9670, SLB9672 and SLB9673 (I2C).
  - LetsTrust: TPM development board vendor [http://letstrust.de](http://letstrust.de).
* STMicro STSAFE-TPM, ST33TPHF2XSPI/2XI2C and ST33KTPM2X (SPI and I2C)
* Microchip ATTPM20 module
* Nuvoton NPCT65X or NPCT75x TPM 2.0 module
* Nations Technologies Inc. Z32H330 or NS350 TPM 2.0 module

#### Device Identification

Infineon SLB9670:

```
TPM2: Caps 0x30000697, Did 0x001b, Vid 0x15d1, Rid 0x10
Mfg IFX (1), Vendor SLB9670, Fw 7.85 (4555), FIPS 140-2 1, CC-EAL4 1
```

Infineon SLB9672:

```
TPM2: Caps 0x30000697, Did 0x001d, Vid 0x15d1, Rid 0x36
Mfg IFX (1), Vendor SLB9672, Fw 16.10 (0x4068), FIPS 140-2 1, CC-EAL4 1
```

Infineon SLB9673:

```
TPM2: Caps 0x1ae00082, Did 0x001c, Vid 0x15d1, Rid 0x16
Mfg IFX (1), Vendor SLB9673, Fw 26.13 (0x456a), FIPS 140-2 1, CC-EAL4 1
```

STMicro ST33KTPM2XSPI:

```
TPM2: Caps 0x3000041, Did 0x0003, Vid 0x104a, Rid 0x0
Mfg STM (2), Vendor ST33KTPM2XSPI, Fw 9.256 (0x0), FIPS 140-2 1, CC-EAL4 0
```

STMicro ST33TPHF2XSPI:

```
TPM2: Caps 0x1a7e2882, Did 0x0000, Vid 0x104a, Rid 0x4e
Mfg STM (2), Vendor , Fw 74.8 (1151341959), FIPS 140-2 1, CC-EAL4 0
```

STMicro ST33TPHF2XI2C:

```
TPM2: Caps 0x1a7e2882, Did 0x0000, Vid 0x104a, Rid 0x4e
Mfg STM (2), Vendor , Fw 74.9 (1151341959), FIPS 140-2 1, CC-EAL4 0
```

Microchip ATTPM20:

```
TPM2: Caps 0x30000695, Did 0x3205, Vid 0x1114, Rid 0x1
Mfg MCHP (3), Vendor , Fw 512.20481 (0), FIPS 140-2 0, CC-EAL4 0
```

Nations Technologies Inc. Z32H330 TPM 2.0 module:

```
Mfg NTZ (0), Vendor Z32H330, Fw 7.51 (419631892), FIPS 140-2 0, CC-EAL4 0
```

Nations Technologies Inc. NS350 TPM 2.0 module:

```
TPM2: Caps 0x30000615, Did 0x0701, Vid 0x9999, Rid 0x1
Mfg NSG (0), Vendor NS350, Fw 30.30 (0x24042510), FIPS 140-2 1, CC-EAL4 0
```

Nuvoton NPCT650 TPM2.0:

```
Mfg NTC (0), Vendor rlsNPCT , Fw 1.3 (65536), FIPS 140-2 0, CC-EAL4 0
```

Nuvoton NPCT750 TPM2.0:

```
TPM2: Caps 0x30000697, Did 0x00fc, Vid 0x1050, Rid 0x1
Mfg NTC (0), Vendor NPCT75x"!!4rls, Fw 7.2 (131072), FIPS 140-2 1, CC-EAL4 0
```

## Building

### Building wolfSSL

```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-wolftpm
make
sudo make install
sudo ldconfig
```

autogen.sh requires automake and libtool: `sudo apt-get install automake libtool`

### Building wolfSSL into an alternate directory

```
# cd /your-wolfssl-repo
./autogen.sh   # as necessary
./configure --prefix=~/workspace/my_wolfssl_bin --enable-all
make install

# then for some other library such as wolfTPM:
# cd /your-wolftpm-repo
./configure --enable-swtpm --with-wolfcrypt=~/workspace/my_wolfssl_bin
```

### Build options and defines

```
--enable-debug          Add debug code/turns off optimizations (yes|no|verbose|io)
                        - DEBUG_WOLFTPM, WOLFTPM_DEBUG_VERBOSE, WOLFTPM_DEBUG_IO
--enable-examples       Enable Examples (default: enabled)
--enable-wrapper        Enable wrapper code (default: enabled) - WOLFTPM2_NO_WRAPPER
--enable-wolfcrypt      Enable wolfCrypt hooks for RNG, Auth Sessions and Parameter encryption
                        (default: enabled) - WOLFTPM2_NO_WOLFCRYPT
--enable-advio          Enable Advanced IO (default: disabled) - WOLFTPM_ADV_IO
--enable-i2c            Enable I2C TPM Support (default: disabled, requires advio) - WOLFTPM_I2C
--enable-checkwaitstate Enable TIS / SPI Check Wait State support (default: depends on chip)
                        - WOLFTPM_CHECK_WAIT_STATE
--enable-smallstack     Enable options to reduce stack usage
--enable-tislock        Enable Linux Named Semaphore for locking access to SPI device for
                        concurrent access between processes - WOLFTPM_TIS_LOCK
--enable-firmware       Enable firmware upgrade support for Infineon SLB9672/SLB9673 and ST ST33
                        (default: disabled) - WOLFTPM_FIRMWARE_UPGRADE
--enable-autodetect     Enable Runtime Module Detection (default: enable - when no module specified)
                        - WOLFTPM_AUTODETECT
                        On Linux this also auto-detects /dev/tpmrm0 or /dev/tpm0 at runtime,
                        falling back to SPI if the kernel driver is not available.
--enable-infineon       Enable Infineon SLB9670/SLB9672/SLB9673 TPM Support (default: disabled)
                        - WOLFTPM_SLB9670 / WOLFTPM_SLB9672
--enable-st             Enable ST ST33 Support (default: disabled) - WOLFTPM_ST33
--enable-microchip      Enable Microchip ATTPM20 Support (default: disabled) - WOLFTPM_MICROCHIP
--enable-nuvoton        Enable Nuvoton NPCT65x/NPCT75x Support (default: disabled) - WOLFTPM_NUVOTON
--enable-devtpm         Enable using Linux kernel driver for /dev/tpmX (default: disabled)
                        - WOLFTPM_LINUX_DEV
                        Note: With autodetect (default) this is no longer required on Linux;
                        the kernel driver is tried automatically before SPI.
--enable-swtpm          Enable using SWTPM TCP protocol. For use with simulator. (default: disabled)
                        - WOLFTPM_SWTPM
--enable-swtpm=uart     Enable using SWTPM protocol over UART serial. For use with fwTPM on embedded
                        targets (e.g. STM32H5). Uses termios serial I/O instead of TCP sockets.
                        - WOLFTPM_SWTPM + WOLFTPM_SWTPM_UART
--enable-winapi         Use Windows TBS API. (default: disabled) - WOLFTPM_WINAPI

WOLFTPM_USE_SYMMETRIC   Enables symmetric AES/Hashing/HMAC support for TLS examples.
WOLFTPM2_USE_SW_ECDHE   Disables use of TPM for ECC ephemeral key generation and shared secret
                        for TLS examples.
TLS_BENCH_MODE          Enables TLS benchmarking mode.
NO_TPM_BENCH            Disables the TPM benchmarking example.
```

Note: For I2C support on a Raspberry Pi you may need to enable I2C. Here are the steps:

1. Edit `/boot/config.txt`: `sudo vim /boot/config.txt`
2. Uncomment `dtparam=i2c_arm=on`
3. Reboot: `sudo reboot`

### Building for Infineon

Supports SLB9670 or SLB9672 (SPI) / SLB9673 (I2C).

Build wolfTPM:

```
git clone https://github.com/wolfSSL/wolfTPM.git
cd wolfTPM
./autogen.sh
./configure --enable-infineon [--enable-i2c]
make
```

The default is SLB9672 (or SLB9673 if I2C is enabled). To target the SLB9670, use `--enable-infineon=slb9670`.

### Building for ST ST33

Build wolfTPM:

```
./autogen.sh
./configure --enable-st33 [--enable-i2c] [--enable-firmware]
make
```

Note: The `--enable-firmware` option enables firmware upgrade support for ST33 TPMs. This adds the `st33_fw_update` example tool for performing firmware updates.

### Building for Microchip ATTPM20

Build wolfTPM:

```
./autogen.sh
./configure --enable-microchip
make
```

### Building for Nuvoton

Build wolfTPM:

```
./autogen.sh
./configure --enable-nuvoton
make
```

### Building for Nations Tech

Use the default `./configure`. All TPM 2.0 modules are compatible.

The Nations NS350 Raspberry Pi TPM 2.0 module uses `/dev/spidev0.0`. TPM wait states are enabled (WOLFTPM_CHECK_WAIT_STATE is on by default).

### Building for Espressif ESP-IDF

Refer to the wolfTPM-specific settings in the wolfSSL `user_settings.h` file, typically located in `[project]/components/wolfssl/include`.

```
git clone https://github.com/wolfSSL/wolfTPM.git
cd wolfTPM/IDE/Espressif

# set your path to ESP-IDF, shown here for VisualGDB using v5.2
WRK_IDF_PATH=/mnt/c/SysGCC/esp32/esp-idf/v5.2
. ${WRK_IDF_PATH}/export.sh

idf.py build
```

### Building for "/dev/tpmX"

**Auto-detection (recommended):** On Linux, the default `./configure && make` automatically tries `/dev/tpmrm0` and then `/dev/tpm0` at runtime. If the kernel driver is available it is used; otherwise wolfTPM falls back to direct SPI access. No special configure option is needed.

```
./autogen.sh
./configure
make
```

Previously, using the kernel TPM driver required the `--enable-devtpm` flag. With auto-detection (enabled by default) this is no longer necessary. You can still use `--enable-devtpm` to force kernel-driver-only mode, which disables the SPI fallback.

To use a different `/dev/tpmX` device, use `CFLAGS="-DTPM2_LINUX_DEV=/dev/tpm1"`.

```
./autogen.sh
./configure --enable-devtpm
make
```

By default `/dev/tpmX` requires root (sudo) to use. If tpm2-tss is installed it creates a "tss" user group, and you can add your user to that group: `sudo adduser [username] tss`.

To add a custom wolfTPM rule for /dev/tpm0, do the following:

1. Create a new user group and add your user to it (replace "[username]" with your username):

```
sudo addgroup wolftpm
sudo adduser [username] wolftpm
sudo chgrp wolftpm /dev/tpm0
```

2. Create a new rules file: `sudo vim /etc/udev/rules.d/wolftpm-udev.rules`
3. Add the following rule to the file:

```
KERNEL=="tpm[0-9]*", TAG+="systemd", MODE="0660", GROUP="wolftpm"
```

4. Reboot or reload the rules: `sudo udevadm control -R`

Note: the `chgrp` in step 1 only lasts until the device node is recreated; the udev rule is what makes the group ownership persistent. The pattern `tpm[0-9]*` matches `/dev/tpm0` but not `/dev/tpmrm0`, which auto-detection tries first; add a second rule with `KERNEL=="tpmrm[0-9]*"` and the same mode and group if unprivileged users should go through the kernel resource manager (`/dev/tpmrm0`), which keeps the transient objects and sessions of different processes separate. Group access to `/dev/tpm0` gives those users raw, unmediated access to the TPM.

### Building for SWTPM

See `docs/SWTPM.md`

### Building for Windows TBS API

See `docs/WindowTBS.md`

## Building with CMake

CMake supports compiling in many environments including Visual Studio if CMake support is installed. The commands below can be run in the `Developer Command Prompt`.

```
mkdir build
cd build
# to use installed wolfSSL location (library and headers)
cmake .. -DWITH_WOLFSSL=/prefix/to/wolfssl/install/
# OR to use a wolfSSL source tree
cmake .. -DWITH_WOLFSSL_TREE=/path/to/wolfssl/
# build
cmake --build .
```

## Running Examples

These examples demonstrate features of a TPM 2.0 module. The examples create RSA and ECC keys in NV for testing using handles defined in `./hal/tpm_io.h`. The PKCS #7 and TLS examples require generating CSRs and signing them using the test script. See `examples/README.md` for details on using the examples. To run the TLS server and client on the same machine, build with `WOLFTPM_TIS_LOCK` to enable concurrent access protection.

### TPM2 Capabilities

A simple test that gets the TPM capabilities and searches for any persistent handles.

```
./examples/wrap/caps
TPM2 Get Capabilities
wolfSSL Entering wolfCrypt_Init
Mfg NSG (0), Vendor NS350, Fw 30.30 (0x24042510), FIPS 140-2 1, CC-EAL4 0
Found 2 persistent handles
```

### TPM2 Wrapper Test

```
./examples/wrap/wrap_test
TPM2 Demo for Wrapper API's
Mfg STM (2), Vendor , Fw 74.8 (1151341959), FIPS 140-2 1, CC-EAL4 0
RSA Encrypt/Decrypt Test Passed
RSA Encrypt/Decrypt OAEP Test Passed
RSA Key 0x80000000 Exported to wolf RsaKey
wolf RsaKey loaded into TPM: Handle 0x80000000
RSA Private Key Loaded into TPM: Handle 0x80000000
ECC Sign/Verify Passed
ECC DH Test Passed
ECC Verify Test Passed
ECC Key 0x80000000 Exported to wolf ecc_key
wolf ecc_key loaded into TPM: Handle 0x80000000
ECC Private Key Loaded into TPM: Handle 0x80000000
NV Test on index 0x1800200 with 1024 bytes passed
Hash SHA256 test success
HMAC SHA256 test success
Encrypt/Decrypt (known key) test success
Encrypt/Decrypt test success
```

### TPM2 Benchmarks

Note: key generation uses an existing template from the hierarchy seed.

Running on Infineon OPTIGA SLB9670 at 43MHz:

```
./examples/bench/bench
TPM2 Benchmark using Wrapper API's
RNG  16 KB took 1.140 seconds,   14.033 KB/s
Benchmark symmetric AES-128-CBC-enc not supported!
Benchmark symmetric AES-128-CBC-dec not supported!
Benchmark symmetric AES-256-CBC-enc not supported!
Benchmark symmetric AES-256-CBC-dec not supported!
Benchmark symmetric AES-128-CTR-enc not supported!
Benchmark symmetric AES-128-CTR-dec not supported!
Benchmark symmetric AES-256-CTR-enc not supported!
Benchmark symmetric AES-256-CTR-dec not supported!
Benchmark symmetric AES-256-CFB-enc not supported!
Benchmark symmetric AES-256-CFB-dec not supported!
SHA1 138 KB took 1.009 seconds,  136.783 KB/s
SHA256 138 KB took 1.009 seconds,  136.763 KB/s
RSA     2048 key gen        5 ops took 10.981 sec, avg 2196.230 ms, 0.455 ops/sec
RSA     2048 Public       113 ops took 1.005 sec, avg 8.893 ms, 112.449 ops/sec
RSA     2048 Private        7 ops took 1.142 sec, avg 163.207 ms, 6.127 ops/sec
RSA     2048 Pub  OAEP     73 ops took 1.011 sec, avg 13.848 ms, 72.211 ops/sec
RSA     2048 Priv OAEP      6 ops took 1.004 sec, avg 167.399 ms, 5.974 ops/sec
ECC      256 key gen        5 ops took 1.157 sec, avg 231.350 ms, 4.322 ops/sec
ECDSA    256 sign          15 ops took 1.033 sec, avg 68.865 ms, 14.521 ops/sec
ECDSA    256 verify         9 ops took 1.022 sec, avg 113.539 ms, 8.808 ops/sec
ECDHE    256 agree          5 ops took 1.161 sec, avg 232.144 ms, 4.308 ops/sec
```

Running on Infineon OPTIGA SLB9672 at 43MHz:

```
./examples/bench/bench
TPM2 Benchmark using Wrapper API's
Use Parameter Encryption: NULL
Loading SRK: Storage 0x81000200 (282 bytes)
RNG  24 KB took 1.070 seconds,   22.429 KB/s
Benchmark symmetric AES-128-CBC-enc not supported!
Benchmark symmetric AES-128-CBC-dec not supported!
Benchmark symmetric AES-256-CBC-enc not supported!
Benchmark symmetric AES-256-CBC-dec not supported!
Benchmark symmetric AES-128-CTR-enc not supported!
Benchmark symmetric AES-128-CTR-dec not supported!
Benchmark symmetric AES-256-CTR-enc not supported!
Benchmark symmetric AES-256-CTR-dec not supported!
AES-128-CFB-enc  86 KB took 1.001 seconds,   85.890 KB/s
AES-128-CFB-dec  88 KB took 1.020 seconds,   86.267 KB/s
AES-256-CFB-enc  86 KB took 1.023 seconds,   84.073 KB/s
AES-256-CFB-dec  86 KB took 1.019 seconds,   84.370 KB/s
SHA1  88 KB took 1.021 seconds,   86.155 KB/s
SHA256  86 KB took 1.015 seconds,   84.717 KB/s
SHA384  90 KB took 1.007 seconds,   89.405 KB/s
RSA     2048 key gen       10 ops took 15.677 sec, avg 1567.678 ms, 0.638 ops/sec
RSA     2048 Public       110 ops took 1.000 sec, avg 9.095 ms, 109.951 ops/sec
RSA     2048 Private       14 ops took 1.078 sec, avg 76.996 ms, 12.988 ops/sec
RSA     2048 Pub  OAEP     51 ops took 1.012 sec, avg 19.838 ms, 50.408 ops/sec
RSA     2048 Priv OAEP     12 ops took 1.053 sec, avg 87.738 ms, 11.398 ops/sec
ECC      256 key gen        8 ops took 1.088 sec, avg 135.956 ms, 7.355 ops/sec
ECDSA    256 sign          29 ops took 1.033 sec, avg 35.621 ms, 28.073 ops/sec
ECDSA    256 verify        42 ops took 1.013 sec, avg 24.114 ms, 41.470 ops/sec
ECDHE    256 agree         16 ops took 1.055 sec, avg 65.948 ms, 15.164 ops/sec
```

Running on Infineon SLB9673 over I2C at 400kHz: benchmark output not included on this page.

Running on STMicro ST33KTPM2X over SPI at 33MHz:

```
./examples/bench/bench
TPM2 Benchmark using Wrapper API's
Use Parameter Encryption: NULL
Loading SRK: Storage 0x81000200 (282 bytes)
RNG  24 KB took 1.042 seconds,   23.028 KB/s
AES-128-CBC-enc  52 KB took 1.018 seconds,   51.077 KB/s
AES-128-CBC-dec  52 KB took 1.027 seconds,   50.644 KB/s
AES-256-CBC-enc  46 KB took 1.012 seconds,   45.446 KB/s
AES-256-CBC-dec  46 KB took 1.021 seconds,   45.072 KB/s
AES-128-CTR-enc  44 KB took 1.025 seconds,   42.927 KB/s
AES-128-CTR-dec  44 KB took 1.024 seconds,   42.955 KB/s
AES-256-CTR-enc  40 KB took 1.025 seconds,   39.016 KB/s
AES-256-CTR-dec  40 KB took 1.026 seconds,   38.992 KB/s
AES-128-CFB-enc  52 KB took 1.026 seconds,   50.674 KB/s
AES-128-CFB-dec  46 KB took 1.023 seconds,   44.986 KB/s
AES-256-CFB-enc  46 KB took 1.021 seconds,   45.047 KB/s
AES-256-CFB-dec  42 KB took 1.033 seconds,   40.665 KB/s
SHA1 138 KB took 1.009 seconds,  136.727 KB/s
SHA256 128 KB took 1.010 seconds,  126.723 KB/s
SHA384 116 KB took 1.001 seconds,  115.833 KB/s
RSA     2048 key gen        9 ops took 17.497 sec, avg 1944.057 ms, 0.514 ops/sec
RSA     2048 Public       155 ops took 1.003 sec, avg 6.468 ms, 154.601 ops/sec
RSA     2048 Private       12 ops took 1.090 sec, avg 90.806 ms, 11.013 ops/sec
RSA     2048 Pub  OAEP    122 ops took 1.004 sec, avg 8.230 ms, 121.501 ops/sec
RSA     2048 Priv OAEP     11 ops took 1.023 sec, avg 92.964 ms, 10.757 ops/sec
ECC      256 key gen       12 ops took 1.070 sec, avg 89.172 ms, 11.214 ops/sec
ECDSA    256 sign          40 ops took 1.010 sec, avg 25.251 ms, 39.602 ops/sec
ECDSA    256 verify        28 ops took 1.023 sec, avg 36.543 ms, 27.365 ops/sec
ECDHE    256 agree         16 ops took 1.062 sec, avg 66.391 ms, 15.062 ops/sec
```

Running on STMicro ST33TPHF2XSPI over SPI at 33MHz:

```
./examples/bench/bench
TPM2 Benchmark using Wrapper API's
RNG  14 KB took 1.017 seconds,   13.763 KB/s
AES-128-CBC-enc  40 KB took 1.008 seconds,   39.666 KB/s
AES-128-CBC-dec  42 KB took 1.032 seconds,   40.711 KB/s
AES-256-CBC-enc  40 KB took 1.013 seconds,   39.496 KB/s
AES-256-CBC-dec  40 KB took 1.011 seconds,   39.563 KB/s
AES-128-CTR-enc  26 KB took 1.055 seconds,   24.646 KB/s
AES-128-CTR-dec  26 KB took 1.035 seconds,   25.117 KB/s
AES-256-CTR-enc  26 KB took 1.028 seconds,   25.302 KB/s
AES-256-CTR-dec  26 KB took 1.030 seconds,   25.252 KB/s
AES-128-CFB-enc  42 KB took 1.045 seconds,   40.201 KB/s
AES-128-CFB-dec  40 KB took 1.008 seconds,   39.699 KB/s
AES-256-CFB-enc  40 KB took 1.022 seconds,   39.151 KB/s
AES-256-CFB-dec  42 KB took 1.041 seconds,   40.362 KB/s
SHA1  86 KB took 1.005 seconds,   85.559 KB/s
SHA256  84 KB took 1.019 seconds,   82.467 KB/s
RSA     2048 key gen        1 ops took 7.455 sec, avg 7455.036 ms, 0.134 ops/sec
RSA     2048 Public       110 ops took 1.003 sec, avg 9.122 ms, 109.624 ops/sec
RSA     2048 Private        5 ops took 1.239 sec, avg 247.752 ms, 4.036 ops/sec
RSA     2048 Pub  OAEP     81 ops took 1.001 sec, avg 12.364 ms, 80.880 ops/sec
RSA     2048 Priv OAEP      4 ops took 1.007 sec, avg 251.780 ms, 3.972 ops/sec
ECC      256 key gen        5 ops took 1.099 sec, avg 219.770 ms, 4.550 ops/sec
ECDSA    256 sign          24 ops took 1.016 sec, avg 42.338 ms, 23.619 ops/sec
ECDSA    256 verify        14 ops took 1.036 sec, avg 74.026 ms, 13.509 ops/sec
ECDHE    256 agree          5 ops took 1.235 sec, avg 247.085 ms, 4.047 ops/sec
```

Running on Microchip ATTPM20 at 33MHz:

```
./examples/bench/bench
TPM2 Benchmark using Wrapper API's
RNG   2 KB took 1.867 seconds,    1.071 KB/s
Benchmark symmetric AES-128-CBC-enc not supported!
Benchmark symmetric AES-128-CBC-dec not supported!
Benchmark symmetric AES-256-CBC-enc not supported!
Benchmark symmetric AES-256-CBC-dec not supported!
Benchmark symmetric AES-128-CTR-enc not supported!
Benchmark symmetric AES-128-CTR-dec not supported!
Benchmark symmetric AES-256-CTR-enc not supported!
Benchmark symmetric AES-256-CTR-dec not supported!
AES-128-CFB-enc  16 KB took 1.112 seconds,   14.383 KB/s
AES-128-CFB-dec  16 KB took 1.129 seconds,   14.166 KB/s
AES-256-CFB-enc  12 KB took 1.013 seconds,   11.845 KB/s
AES-256-CFB-dec  12 KB took 1.008 seconds,   11.909 KB/s
SHA1  22 KB took 1.009 seconds,   21.797 KB/s
SHA256  22 KB took 1.034 seconds,   21.270 KB/s
RSA     2048 key gen        3 ops took 15.828 sec, avg 5275.861 ms, 0.190 ops/sec
RSA     2048 Public        22 ops took 1.034 sec, avg 47.021 ms, 21.267 ops/sec
RSA     2048 Private        9 ops took 1.059 sec, avg 117.677 ms, 8.498 ops/sec
RSA     2048 Pub  OAEP     21 ops took 1.007 sec, avg 47.959 ms, 20.851 ops/sec
RSA     2048 Priv OAEP      9 ops took 1.066 sec, avg 118.423 ms, 8.444 ops/sec
ECC      256 key gen        7 ops took 1.072 sec, avg 153.140 ms, 6.530 ops/sec
ECDSA    256 sign          18 ops took 1.056 sec, avg 58.674 ms, 17.043 ops/sec
ECDSA    256 verify        24 ops took 1.031 sec, avg 42.970 ms, 23.272 ops/sec
ECDHE    256 agree         16 ops took 1.023 sec, avg 63.934 ms, 15.641 ops/sec
```

Running on Nations Technologies Inc. Z32H330 TPM 2.0 module at 33MHz:

```
./examples/bench/bench
TPM2 Benchmark using Wrapper API's
RNG  12 KB took 1.065 seconds,   11.270 KB/s
AES-128-CBC-enc  48 KB took 1.026 seconds,   46.780 KB/s
AES-128-CBC-dec  48 KB took 1.039 seconds,   46.212 KB/s
AES-256-CBC-enc  48 KB took 1.035 seconds,   46.370 KB/s
AES-256-CBC-dec  48 KB took 1.025 seconds,   46.852 KB/s
Benchmark symmetric AES-128-CTR-enc not supported!
Benchmark symmetric AES-128-CTR-dec not supported!
Benchmark symmetric AES-256-CTR-enc not supported!
Benchmark symmetric AES-256-CTR-dec not supported!
AES-128-CFB-enc  50 KB took 1.029 seconds,   48.591 KB/s
AES-128-CFB-dec  50 KB took 1.035 seconds,   48.294 KB/s
AES-256-CFB-enc  48 KB took 1.000 seconds,   47.982 KB/s
AES-256-CFB-dec  48 KB took 1.003 seconds,   47.855 KB/s
SHA1  80 KB took 1.009 seconds,   79.248 KB/s
SHA256  80 KB took 1.004 seconds,   79.702 KB/s
SHA384  78 KB took 1.018 seconds,   76.639 KB/s
RSA     2048 key gen        8 ops took 17.471 sec, avg 2183.823 ms, 0.458 ops/sec
RSA     2048 Public        52 ops took 1.004 sec, avg 19.303 ms, 51.805 ops/sec
RSA     2048 Private        8 ops took 1.066 sec, avg 133.243 ms, 7.505 ops/sec
RSA     2048 Pub  OAEP     51 ops took 1.001 sec, avg 19.621 ms, 50.966 ops/sec
RSA     2048 Priv OAEP      8 ops took 1.073 sec, avg 134.182 ms, 7.453 ops/sec
ECC      256 key gen       20 ops took 1.037 sec, avg 51.871 ms, 19.279 ops/sec
ECDSA    256 sign          43 ops took 1.006 sec, avg 23.399 ms, 42.736 ops/sec
ECDSA    256 verify        28 ops took 1.030 sec, avg 36.785 ms, 27.185 ops/sec
ECDHE    256 agree         26 ops took 1.010 sec, avg 38.847 ms, 25.742 ops/sec
```

Running on Nations Technologies Inc. NS350 TPM 2.0 module at 33MHz:

```
./examples/bench/bench
TPM2 Benchmark using Wrapper API's
Use Parameter Encryption: NULL
RNG   6 KB took 1.052 seconds,    5.703 KB/s
Benchmark symmetric AES-128-CBC-enc not supported!
Benchmark symmetric AES-128-CBC-dec not supported!
Benchmark symmetric AES-256-CBC-enc not supported!
Benchmark symmetric AES-256-CBC-dec not supported!
Benchmark symmetric AES-128-CTR-enc not supported!
Benchmark symmetric AES-128-CTR-dec not supported!
Benchmark symmetric AES-256-CTR-enc not supported!
Benchmark symmetric AES-256-CTR-dec not supported!
Encrypt/Decrypt unavailable
AES-128-CFB-enc   0 bytes took 0.005 seconds,    0.000 bytes/s
Encrypt/Decrypt unavailable
AES-128-CFB-dec   0 bytes took 0.006 seconds,    0.000 bytes/s
Encrypt/Decrypt unavailable
AES-256-CFB-enc   0 bytes took 0.006 seconds,    0.000 bytes/s
Encrypt/Decrypt unavailable
AES-256-CFB-dec   0 bytes took 0.005 seconds,    0.000 bytes/s
SHA1  68 KB took 1.003 seconds,   67.772 KB/s
SHA256  68 KB took 1.002 seconds,   67.871 KB/s
SHA384  66 KB took 1.007 seconds,   65.548 KB/s
RSA     2048 key gen        7 ops took 16.652 sec, avg 2378.893 ms, 0.420 ops/sec
RSA     2048 Public       126 ops took 1.005 sec, avg 7.980 ms, 125.321 ops/sec
RSA     2048 Private       20 ops took 1.035 sec, avg 51.735 ms, 19.329 ops/sec
RSA     2048 Pub  OAEP     81 ops took 1.008 sec, avg 12.443 ms, 80.366 ops/sec
RSA     2048 Priv OAEP     19 ops took 1.027 sec, avg 54.033 ms, 18.507 ops/sec
ECC      256 key gen       20 ops took 1.042 sec, avg 52.095 ms, 19.196 ops/sec
ECDSA    256 sign          60 ops took 1.009 sec, avg 16.816 ms, 59.466 ops/sec
ECDSA    256 verify        46 ops took 1.008 sec, avg 21.921 ms, 45.618 ops/sec
ECDHE    256 agree         38 ops took 1.008 sec, avg 26.532 ms, 37.691 ops/sec
```

Running on Nuvoton NPCT650:

```
./examples/bench/bench
TPM2 Benchmark using Wrapper API's
RNG   8 KB took 1.291 seconds,    6.197 KB/s
Benchmark symmetric AES-128-CBC-enc not supported!
Benchmark symmetric AES-128-CBC-dec not supported!
Benchmark symmetric AES-256-CBC-enc not supported!
Benchmark symmetric AES-256-CBC-dec not supported!
Benchmark symmetric AES-256-CTR-enc not supported!
Benchmark symmetric AES-256-CTR-dec not supported!
Benchmark symmetric AES-256-CFB-enc not supported!
Benchmark symmetric AES-256-CFB-dec not supported!
SHA1  90 KB took 1.005 seconds,   89.530 KB/s
SHA256  90 KB took 1.010 seconds,   89.139 KB/s
RSA     2048 key gen        8 ops took 35.833 sec, avg 4479.152 ms, 0.223 ops/sec
RSA     2048 Public        77 ops took 1.007 sec, avg 13.078 ms, 76.463 ops/sec
RSA     2048 Private        2 ops took 1.082 sec, avg 540.926 ms, 1.849 ops/sec
RSA     2048 Pub  OAEP     53 ops took 1.005 sec, avg 18.961 ms, 52.739 ops/sec
RSA     2048 Priv OAEP      2 ops took 1.088 sec, avg 544.075 ms, 1.838 ops/sec
ECC      256 key gen        7 ops took 1.033 sec, avg 147.608 ms, 6.775 ops/sec
ECDSA    256 sign           6 ops took 1.141 sec, avg 190.149 ms, 5.259 ops/sec
ECDSA    256 verify         4 ops took 1.061 sec, avg 265.216 ms, 3.771 ops/sec
ECDHE    256 agree          6 ops took 1.055 sec, avg 175.915 ms, 5.685 ops/sec
```

Running on Nuvoton NPCT750 at 43MHz:

```
RNG  16 KB took 1.114 seconds,   14.368 KB/s
Benchmark symmetric AES-128-CBC-enc not supported!
Benchmark symmetric AES-128-CBC-dec not supported!
Benchmark symmetric AES-256-CBC-enc not supported!
Benchmark symmetric AES-256-CBC-dec not supported!
SHA1 120 KB took 1.012 seconds,  118.618 KB/s
SHA256 122 KB took 1.012 seconds,  120.551 KB/s
SHA384 120 KB took 1.003 seconds,  119.608 KB/s
RSA     2048 key gen        5 ops took 17.043 sec, avg 3408.678 ms, 0.293 ops/sec
RSA     2048 Public       134 ops took 1.004 sec, avg 7.490 ms, 133.517 ops/sec
RSA     2048 Private       15 ops took 1.054 sec, avg 70.261 ms, 14.233 ops/sec
RSA     2048 Pub  OAEP    116 ops took 1.002 sec, avg 8.636 ms, 115.797 ops/sec
RSA     2048 Priv OAEP     15 ops took 1.061 sec, avg 70.716 ms, 14.141 ops/sec
ECC      256 key gen       12 ops took 1.008 sec, avg 84.020 ms, 11.902 ops/sec
ECDSA    256 sign          18 ops took 1.015 sec, avg 56.399 ms, 17.731 ops/sec
ECDSA    256 verify        26 ops took 1.018 sec, avg 39.164 ms, 25.533 ops/sec
ECDHE    256 agree         35 ops took 1.029 sec, avg 29.402 ms, 34.011 ops/sec
```

### TPM2 Native Test

```
./examples/native/native_test
TPM2 Demo using Native API's
TPM2: Caps 0x30000495, Did 0x0000, Vid 0x104a, Rid 0x4e
TPM2_Startup pass
TPM2_SelfTest pass
TPM2_GetTestResult: Size 12, Rc 0x0
TPM2_IncrementalSelfTest: Rc 0x0, Alg 0x1 (Todo 0)
TPM2_GetCapability: Property FamilyIndicator 0x322e3000
TPM2_GetCapability: Property PCR Count 24
TPM2_GetCapability: Property FIRMWARE_VERSION_1 0x004a0008
TPM2_GetCapability: Property FIRMWARE_VERSION_2 0x44a01587
TPM2_GetRandom: Got 32 bytes
TPM2_StirRandom: success
TPM2_PCR_Read: Index 0, Count 1
TPM2_PCR_Read: Index 0, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 1, Count 1
TPM2_PCR_Read: Index 1, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 2, Count 1
TPM2_PCR_Read: Index 2, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 3, Count 1
TPM2_PCR_Read: Index 3, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 4, Count 1
TPM2_PCR_Read: Index 4, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 5, Count 1
TPM2_PCR_Read: Index 5, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 6, Count 1
TPM2_PCR_Read: Index 6, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 7, Count 1
TPM2_PCR_Read: Index 7, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 8, Count 1
TPM2_PCR_Read: Index 8, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 9, Count 1
TPM2_PCR_Read: Index 9, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 10, Count 1
TPM2_PCR_Read: Index 10, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 11, Count 1
TPM2_PCR_Read: Index 11, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 12, Count 1
TPM2_PCR_Read: Index 12, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 13, Count 1
TPM2_PCR_Read: Index 13, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 14, Count 1
TPM2_PCR_Read: Index 14, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 15, Count 1
TPM2_PCR_Read: Index 15, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 16, Count 1
TPM2_PCR_Read: Index 16, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 17, Count 1
TPM2_PCR_Read: Index 17, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 18, Count 1
TPM2_PCR_Read: Index 18, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 19, Count 1
TPM2_PCR_Read: Index 19, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 20, Count 1
TPM2_PCR_Read: Index 20, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 21, Count 1
TPM2_PCR_Read: Index 21, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 22, Count 1
TPM2_PCR_Read: Index 22, Digest Sz 32, Update Counter 20
TPM2_PCR_Read: Index 23, Count 1
TPM2_PCR_Read: Index 23, Digest Sz 32, Update Counter 20
TPM2_PCR_Extend success
TPM2_PCR_Read: Index 0, Count 1
TPM2_PCR_Read: Index 0, Digest Sz 32, Update Counter 21
TPM2_StartAuthSession: sessionHandle 0x3000000
TPM2_PolicyGetDigest: size 32
TPM2_PCR_Read: Index 0, Digest Sz 20, Update Counter 21
wc_Hash of PCR[0]: size 32
TPM2_PolicyPCR failed 0x1c4: TPM_RC_AUTHSIZE
TPM2_PolicyRestart: Done
TPM2_HashSequenceStart: sequenceHandle 0x80000000
Hash SHA256 test success
TPM2_CreatePrimary: Endorsement 0x80000000 (314 bytes)
TPM2_CreatePrimary: Storage 0x80000002 (282 bytes)
TPM2_LoadExternal: 0x80000004
TPM2_MakeCredential: credentialBlob 68, secret 256
TPM2_ReadPublic Handle 0x80000004: pub 314, name 34, qualifiedName 34
Create HMAC-SHA256 Key success, public 48, Private 137
TPM2_Load New HMAC Key Handle 0x80000004
TPM2_PolicyCommandCode: success
TPM2_ObjectChangeAuth: private 137
TPM2_ECC_Parameters: CurveID 3, sz 256, p 32, a 32, b 32, gX 32, gY 32, n 32, h 1
TPM2_Create: New ECDSA Key: pub 88, priv 126
TPM2_Load ECDSA Key Handle 0x80000004
TPM2_Sign: ECC S 32, R 32
TPM2_VerifySignature: Tag 32802
TPM2_Create: New ECDH Key: pub 88, priv 126
TPM2_Load ECDH Key Handle 0x80000004
TPM2_ECDH_KeyGen: zPt 68, pubPt 68
TPM2_ECDH_ZGen: zPt 68
TPM2 ECC Shared Secret Pass
TPM2_Create: New RSA Key: pub 278, priv 222
TPM2_Load RSA Key Handle 0x80000004
TPM2_RSA_Encrypt: 256
TPM2_RSA_Decrypt: 68
RSA Encrypt/Decrypt test passed
TPM2_NV_DefineSpace: 0x1bfffff
TPM2_NV_ReadPublic: Sz 14, Idx 0x1bfffff, nameAlg 11, Attr 0x2020002, authPol 0, dataSz 32, name 34
Create AES128 CFB Key success, public 50, Private 142
TPM2_Load New AES Key Handle 0x80000004
Encrypt/Decrypt test success
```

### TPM2 CSR Example

```
./examples/csr/csr
TPM2 CSR Example
Generated/Signed Cert (DER 860, PEM 1236)
-----BEGIN CERTIFICATE REQUEST-----
MIIDWDCCAkACAQIwgZsxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANSU0ExGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANtFRTX9CIW489vdmfy0qoffKtXBIfEGo07XgbvHPqk/KLx9NpK4
fDLRdh5Kh7mDIGQI0hKDQMQ4GRTzRlE+wXlTqGQaQohac1LRxe21RCCKn0ZXvbCJ
Wd1cIAGQyDyOb8WYCquQB79r2pIAKnVbedu+G1jx3tVrwB8ZCosKF86au7cEDxvD
sdmt2vcEIlMcgfWQNo8TkWEKW33qu/rOOfJAUkVOUKENvj8zz/Iw4pX9nImiclMC
/pMcgjpnFUlG5a0Jwg2PR7pXyRYUCciMq20UF5LDZG3NmFirVqigOmBIFsrpVCjt
wf/Ep6DxFgmy7KNJ/0kzQByySvjKrIOqynsCAwEAAaB3MHUGCSqGSIb3DQEJDjFo
MGYwHQYDVR0OBBYEFBHIhJ44Ide+SKGpL2neKuusXBZxMEUGA1UdJQQ+MDwGCCsG
AQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYI
KwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggEBACGHTZE5BVonf9OM3bYZvl2SiKdj
fo+f8a5COgBgCiNK8DPXCr+RMfp7jy8+3NP0bUPppi46F6Eq80YIZuQJgoyd0l8l
F+0KXq/FuoHtTLH7joHCKcYta1yPpnvKAG9195aIruAHesXwDxklqTvlVx3/e9No
YtmWUMdrLvTZrI1L1/0OuHbPgCGmdyHOXEh0xY0VTE1I0ff0b8UC3dQCsf8uROhO
fXXYwZz9LLSdO/QuDSxXThEe4m1/AUJkiaQ/T2zNEiR5Imk+jluXLz8bVM7w+HMt
l/076ekjTI+7PwzBZIG2F3nOIDUmHwe0lAWdU8h9IoAlM6kS22fh6gZZqQg=
-----END CERTIFICATE REQUEST-----
Generated/Signed Cert (DER 467, PEM 704)
-----BEGIN CERTIFICATE REQUEST-----
MIIBzzCCAXUCAQIwgZsxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAP
BgNVBAcMCFBvcnRsYW5kMQ0wCwYDVQQEDARUZXN0MRAwDgYDVQQKDAd3b2xmU1NM
MQwwCgYDVQQLDANFQ0MxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqG
SIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABIokJgsrMSW8f6si4S1saUXABXbqWKWVQn+D6z9LQe/wkPqozP/hV/3qTtpE
I/E3HjcHqRY+nsosjlEz36mzrRagdzB1BgkqhkiG9w0BCQ4xaDBmMB0GA1UdDgQW
BBRyZJhX+sHZEE117OKL0/CPVGbAKzBFBgNVHSUEPjA8BggrBgEFBQcDAQYIKwYB
BQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJMAoG
CCqGSM49BAMCA0gAMEUCIQCR9cbyRt3cbEZUIOBa4GNSRTlgFdB3X1EOwm+cA5/k
6AIgBm+EU6m5SDsk7BYmxTQAhgJFrelwymOa7m16kAXnFuU=
-----END CERTIFICATE REQUEST-----
```

### TPM2 PKCS 7 Example

```
./examples/pkcs7/pkcs7
TPM2 PKCS7 Example
PKCS7 Signed Container 1625
PKCS7 Container Verified (using TPM)
PKCS7 Container Verified (using software)
```

### TPM TLS Client Example

The wolfSSL TLS client needs the public key loaded to indicate mutual authentication is used. The crypto callback uses the TPM for the private key signing.

```
./examples/tls/tls_client
TPM2 TLS Client Example
Write (29): GET /index.html HTTP/1.0
Read (193): HTTP/1.1 200 OK
Content-Type: text/html
Connection: close

Welcome to wolfSSL!

wolfSSL has successfully performed handshake!

```

### TPM TLS Server Example

The wolfSSL TLS server loads the TPM public key, and the crypto callback uses the TPM for the private key signing.

```
./examples/tls/tls_server
TPM2 TLS Server Example
Loading RSA certificate and public key
Read (29): GET /index.html HTTP/1.0
Write (193): HTTP/1.1 200 OK
Content-Type: text/html
Connection: close

Welcome to wolfSSL!

wolfSSL has successfully performed handshake!

```

### ST33 Firmware Update Example

The firmware update example allows updating the firmware of a STMicro ST33 TPM. Build with `--enable-st33 --enable-firmware` to enable this example.

LMS (Leighton-Micali Signature) support depends on the firmware version:

- **Firmware < 512**: legacy firmware, requires the non-LMS format
- **Firmware >= 512**: modern firmware, requires the LMS format

```
# Display firmware information
./examples/firmware/st33_fw_update

# Cancel any in-progress firmware update
./examples/firmware/st33_fw_update --abandon

# Perform firmware update (format auto-detected from TPM firmware version)
./examples/firmware/st33_fw_update
```

Example output:

```
ST33 Firmware Update Tool
Mfg STM (2), Vendor ST33KTPM2X, Fw 9.512 (0x0)
Firmware version details: Major=9, Minor=512, Vendor=0x0
Hardware: ST33K (modern firmware, Generation 2)
Firmware update: LMS format required
```

## Device Identity and Attestation Keys

The TCG publishes a manufacturing guide for provisioning keys that can be used for device identity and attestation.

This feature has been tested on the ST33KTPM and is enabled with `WOLFTPM_MFG_IDENTITY`. The ST33KTPM sample comes pre-provisioned with a default master password and `TEST_SAMPLE` enabled. To define your own master password use `TPM2_IAK_SAMPLE_MASTER_PASSWORD`. The master password is hashed together with the device serial number to derive the authorization for accessing these keys. Because that authorization is derived from the master password and a serial number that is not secret, production devices must not keep the sample default password.

The default keys are ECDSA SECP384R1 with SHA2-384, stored in the NV indexes defined by `TPM2_IAK_KEY_HANDLE`, `TPM2_IAK_CERT_HANDLE`, `TPM2_IDEVID_KEY_HANDLE` and `TPM2_IDEVID_CERT_HANDLE`.

### TPM Endorsement Key Certificates

The TCG EK Credential Profile defines how manufacturers provision endorsement certificates in the TCG NV index range (see TPM_20_TCG_NV_SPACE).

The `get_ek_certs` example shows how to retrieve these EK certificates, validate them and create the matching EK primary key handle.

See `./examples/endorsement/get_ek_certs`.

## Todo

* Update to spec v1.59 (adds CertifyX509).
* Internal wrapping support for SensitiveToPrivate.
* Add IRQ (interrupt line) support.

## Support

Please email us at [support@wolfssl.com](mailto:support@wolfssl.com).
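## Added example: replaying a boot log into a PCR

The PCR section above states that PCRs are only ever extended, never written, and that this is what lets a verifier check a boot sequence. The block below is an added example, not wolfTPM or wolfCrypt code: it implements `TPM2_PCR_Extend` semantics (`PCR_new = SHA-256(PCR_old || digest)`), replays a constructed event log from the all-zero reset state, and compares the result against a quoted PCR0 in constant time. A compact SHA-256 is embedded so it builds with plain libc; the event strings, PCR assignment and the "quote" (produced by the same replay) are constructed for illustration.

```c
/* Replay a measured-boot event log into a SHA-256 PCR bank and check it against a quoted
 * PCR. Self-contained (compact FIPS 180-4 SHA-256 embedded), no wolfTPM/wolfCrypt needed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define PCR_COUNT 24
#define DIGEST_SZ 32
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

static const uint32_t K[64] = {
    0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
    0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
    0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
    0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
    0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
    0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
    0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
    0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 };

static void sha256_block(uint32_t s[8], const uint8_t b[64])   /* one 64-byte round */
{
    uint32_t w[64], v[8], t1, t2; int i;
    for (i = 0; i < 16; i++)
        w[i] = ((uint32_t)b[4*i] << 24) | ((uint32_t)b[4*i+1] << 16) | ((uint32_t)b[4*i+2] << 8) | b[4*i+3];
    for (; i < 64; i++)
        w[i] = w[i-16] + (ROTR(w[i-15], 7) ^ ROTR(w[i-15], 18) ^ (w[i-15] >> 3)) + w[i-7] + (ROTR(w[i-2], 17) ^ ROTR(w[i-2], 19) ^ (w[i-2] >> 10));
    memcpy(v, s, sizeof(v));                         /* v[] = a,b,c,d,e,f,g,h */
    for (i = 0; i < 64; i++) {
        t1 = v[7] + (ROTR(v[4], 6) ^ ROTR(v[4], 11) ^ ROTR(v[4], 25)) + ((v[4] & v[5]) ^ (~v[4] & v[6])) + K[i] + w[i];
        t2 = (ROTR(v[0], 2) ^ ROTR(v[0], 13) ^ ROTR(v[0], 22)) + ((v[0] & v[1]) ^ (v[0] & v[2]) ^ (v[1] & v[2]));
        memmove(v + 1, v, 7 * sizeof(uint32_t));     /* h<-g<-f<-e<-d<-c<-b<-a */
        v[4] += t1;                                  /* e = d + t1 */
        v[0] = t1 + t2;                              /* a = t1 + t2 */
    }
    for (i = 0; i < 8; i++) s[i] += v[i];
}

void sha256(const uint8_t* m, size_t len, uint8_t out[DIGEST_SZ])
{
    uint32_t s[8] = {0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19};
    uint8_t blk[64]; uint64_t bits = (uint64_t)len * 8; size_t i, r;
    for (i = 0; i + 64 <= len; i += 64) sha256_block(s, m + i);
    r = len - i;
    memcpy(blk, m + i, r);
    blk[r++] = 0x80;                                 /* pad: 1 bit, zeros, 64-bit big-endian length */
    if (r > 56) { memset(blk + r, 0, 64 - r); sha256_block(s, blk); r = 0; }
    memset(blk + r, 0, 56 - r);
    for (i = 0; i < 8; i++) blk[56 + i] = (uint8_t)(bits >> (56 - 8 * i));
    sha256_block(s, blk);
    for (i = 0; i < DIGEST_SZ; i++) out[i] = (uint8_t)(s[i / 4] >> (24 - 8 * (i % 4)));
}

/* TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || digest). No direct write exists, so the
 * final value commits to every measurement and to the order in which they were extended. */
void pcr_extend(uint8_t pcr[DIGEST_SZ], const uint8_t digest[DIGEST_SZ])
{
    uint8_t buf[2 * DIGEST_SZ];
    memcpy(buf, pcr, DIGEST_SZ); memcpy(buf + DIGEST_SZ, digest, DIGEST_SZ);
    sha256(buf, sizeof(buf), pcr);
}

typedef struct { int pcr; const char* data; } Event;   /* constructed log entry */

/* Replay from reset state (all PCRs zero), as a verifier does with a shipped boot log. */
void pcr_replay(const Event* log, size_t n, uint8_t pcrs[PCR_COUNT][DIGEST_SZ])
{
    uint8_t d[DIGEST_SZ]; size_t i;
    memset(pcrs, 0, PCR_COUNT * DIGEST_SZ);
    for (i = 0; i < n; i++) {
        if (log[i].pcr < 0 || log[i].pcr >= PCR_COUNT) continue;   /* malformed entry */
        sha256((const uint8_t*)log[i].data, strlen(log[i].data), d);
        pcr_extend(pcrs[log[i].pcr], d);
    }
}

int pcr_matches(const uint8_t a[DIGEST_SZ], const uint8_t b[DIGEST_SZ])  /* constant time */
{
    uint8_t diff = 0; int i;
    for (i = 0; i < DIGEST_SZ; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

int sha256_check(const char* msg, const char* hex)   /* known-answer check, lowercase hex */
{
    uint8_t d[DIGEST_SZ]; char s[2 * DIGEST_SZ + 1]; int i;
    sha256((const uint8_t*)msg, strlen(msg), d);
    for (i = 0; i < DIGEST_SZ; i++) sprintf(s + 2 * i, "%02x", d[i]);
    return strcmp(s, hex) == 0;
}

/* Firmware extends PCR0 at boot and the TPM later quotes it; the verifier replays the log.
 * Returns 1 if the genuine log reproduces the quote and a tampered one does not. */
int demo_replay_detects_tamper(void)
{
    static const Event boot[] = { {0, "BIOS 1.2.3"}, {0, "bootloader 0.9"}, {0, "kernel 6.1"} };
    static const Event bad[]  = { {0, "BIOS 1.2.3"}, {0, "bootloader 0.9-evil"}, {0, "kernel 6.1"} };
    uint8_t quoted[PCR_COUNT][DIGEST_SZ], replay[PCR_COUNT][DIGEST_SZ];
    pcr_replay(boot, 3, quoted);      /* stands in for the TPM's own extends plus TPM2_Quote */
    pcr_replay(boot, 3, replay);
    if (!pcr_matches(quoted[0], replay[0])) return 0;
    pcr_replay(bad, 3, replay);
    return !pcr_matches(quoted[0], replay[0]);
}
```

Against a real TPM the `quoted` bank would come from `TPM2_Quote` over the PCR selection, with the signature checked against the attestation key before the digests are compared; the replay side is unchanged. The known-answer vectors in the test exercise the single-block and two-block padding paths of the embedded hash, so a porting mistake there shows up as a failed vector rather than as a silently wrong PCR.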
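## Added example: marshalling a command and parsing its response

The Terminology section says the code base talks about "append"/"marshall" and "parse"/"unmarshall". This added example (my own code, not wolfTPM's marshalling layer) shows what that means on the wire for the smallest useful command, `TPM2_GetRandom`: a 10-byte header (tag, commandSize, commandCode, all big-endian) followed by the parameters, and a response whose header carries responseSize and the TPM_RC. The parse side treats every length field as attacker-controlled input: responseSize must equal the bytes actually received and the `TPM2B_DIGEST` size must fit inside them, otherwise the frame is rejected. The command code and tag values are the TPM 2.0 Library specification constants; the response bytes are constructed, not captured from a device.

```c
/* Build a TPM2_GetRandom command and parse its response with explicit bounds checks.
 * Standalone illustration; constants per TPM 2.0 Library spec Part 2. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TPM_ST_NO_SESSIONS 0x8001u
#define TPM_CC_GetRandom   0x0000017Bu
#define TPM_RC_SUCCESS     0u
#define TPM_HEADER_SZ      10            /* tag(2) + size(4) + commandCode/responseCode(4) */
#define TPM_MAX_RSP        4096
#define ERR_FRAMING        (-1)          /* response inconsistent with its own length fields */

/* Append helpers: big-endian on the wire, refuse to overflow the buffer. */
static int put_u16(uint8_t* b, size_t cap, size_t* pos, uint16_t v)
{
    if (*pos + 2 > cap) return 0;
    b[(*pos)++] = (uint8_t)(v >> 8); b[(*pos)++] = (uint8_t)v; return 1;
}
static int put_u32(uint8_t* b, size_t cap, size_t* pos, uint32_t v)
{
    return put_u16(b, cap, pos, (uint16_t)(v >> 16)) && put_u16(b, cap, pos, (uint16_t)v);
}
/* Parse helpers: refuse to read past the bytes we actually have. */
static int get_u16(const uint8_t* b, size_t len, size_t* pos, uint16_t* v)
{
    if (*pos + 2 > len) return 0;
    *v = (uint16_t)((b[*pos] << 8) | b[*pos + 1]); *pos += 2; return 1;
}
static int get_u32(const uint8_t* b, size_t len, size_t* pos, uint32_t* v)
{
    uint16_t hi, lo;
    if (!get_u16(b, len, pos, &hi) || !get_u16(b, len, pos, &lo)) return 0;
    *v = ((uint32_t)hi << 16) | lo; return 1;
}

/* Marshal TPM2_GetRandom(bytesRequested). Returns the command length, 0 on overflow. */
size_t build_get_random(uint8_t* out, size_t cap, uint16_t bytesRequested)
{
    size_t pos = 0;
    if (!put_u16(out, cap, &pos, TPM_ST_NO_SESSIONS)) return 0;
    if (!put_u32(out, cap, &pos, 0)) return 0;           /* commandSize, patched below */
    if (!put_u32(out, cap, &pos, TPM_CC_GetRandom)) return 0;
    if (!put_u16(out, cap, &pos, bytesRequested)) return 0;
    out[2] = (uint8_t)(pos >> 24); out[3] = (uint8_t)(pos >> 16);
    out[4] = (uint8_t)(pos >> 8);  out[5] = (uint8_t)pos;
    return pos;
}

/* Unmarshal the response. Returns TPM_RC_SUCCESS and copies the TPM2B_DIGEST payload to
 * out/outLen, a non-zero TPM_RC as-is (error responses carry no payload), or ERR_FRAMING
 * for a frame whose length fields disagree with the bytes received. */
int parse_get_random(const uint8_t* rsp, size_t rspLen, uint16_t requested,
                     uint8_t* out, size_t outCap, size_t* outLen)
{
    size_t pos = 0; uint16_t tag, dataSz; uint32_t size, rc;
    *outLen = 0;
    if (rspLen < TPM_HEADER_SZ || rspLen > TPM_MAX_RSP) return ERR_FRAMING;
    if (!get_u16(rsp, rspLen, &pos, &tag) || !get_u32(rsp, rspLen, &pos, &size) ||
        !get_u32(rsp, rspLen, &pos, &rc)) return ERR_FRAMING;
    if (size != rspLen) return ERR_FRAMING;              /* responseSize must match reality */
    if (rc != TPM_RC_SUCCESS) return (int)rc;
    if (tag != TPM_ST_NO_SESSIONS) return ERR_FRAMING;   /* we sent no sessions */
    if (!get_u16(rsp, rspLen, &pos, &dataSz)) return ERR_FRAMING;
    if (dataSz > requested || dataSz > outCap) return ERR_FRAMING;
    if (pos + dataSz != rspLen) return ERR_FRAMING;      /* TPM2B size vs. remaining bytes */
    memcpy(out, rsp + pos, dataSz);
    *outLen = dataSz;
    return TPM_RC_SUCCESS;
}

/* Self-check on constructed frames: a good 8-byte response, the same frame with a TPM2B
 * size claiming 256 bytes that are not there, a truncated frame, and a 10-byte error
 * response carrying rc 0x144. Returns 1 when every case is handled as intended. */
int demo_get_random_parsing(void)
{
    static const uint8_t good[]  = { 0x80,0x01, 0x00,0x00,0x00,0x14, 0x00,0x00,0x00,0x00,
                                     0x00,0x08, 0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04 };
    static const uint8_t lying[] = { 0x80,0x01, 0x00,0x00,0x00,0x14, 0x00,0x00,0x00,0x00,
                                     0x01,0x00, 0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04 };
    static const uint8_t err[]   = { 0x80,0x01, 0x00,0x00,0x00,0x0a, 0x00,0x00,0x01,0x44 };
    uint8_t cmd[16], rnd[32]; size_t n, got;
    n = build_get_random(cmd, sizeof(cmd), 8);
    if (n != 12 || cmd[0] != 0x80 || cmd[5] != 12 || cmd[9] != 0x7B || cmd[11] != 8) return 0;
    if (parse_get_random(good, sizeof(good), 8, rnd, sizeof(rnd), &got) != (int)TPM_RC_SUCCESS
        || got != 8 || rnd[0] != 0xde || rnd[7] != 0x04) return 0;
    if (parse_get_random(lying, sizeof(lying), 8, rnd, sizeof(rnd), &got) != ERR_FRAMING) return 0;
    if (parse_get_random(good, 15, 8, rnd, sizeof(rnd), &got) != ERR_FRAMING) return 0;
    if (parse_get_random(err, sizeof(err), 8, rnd, sizeof(rnd), &got) != 0x144 || got != 0) return 0;
    return 1;
}
```

The same shape applies to every command: sessions add an authorization area between the handles and the parameters, and the `TPM_ST_SESSIONS` tag tells the parser to expect it. What stays constant is the discipline shown here, namely that a size field is only believed after it has been checked against the buffer length, which is what keeps a misbehaving or spoofed transport from turning a short read into an out-of-bounds copy.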
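## Added example: a TIS-over-SPI read with wait-state handling

The HAL section above says a single I/O callback connects wolfTPM to the SPI bus, and the build options list `--enable-checkwaitstate`/`WOLFTPM_CHECK_WAIT_STATE`. This added example (written for this page, not wolfTPM's own HAL code) shows what that callback has to do for one TIS register read under the TCG PC Client SPI protocol: send a 4-byte header (read/write bit and length-1 in the first byte, 24-bit register address in the rest), watch the byte received during the last header byte for the ready bit, keep clocking single bytes while the TPM holds it low, and only then clock the data. The "bus" is a software model of a TPM that answers with the SLB9670 DID/VID from the Device Identification section; the timeout limit, register window and constructed device are assumptions for illustration.

```c
/* TIS register read over SPI with wait states, against a simulated TPM (constructed). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TIS_BASE        0xD40000u    /* locality 0 register window */
#define TIS_DID_VID     0x0F00u
#define TIS_RID         0x0F04u
#define TIS_HDR_SZ      4
#define TIS_READY_MASK  0x01         /* LSB set on MISO => TPM ready for the data phase */
#define TIS_MAX_WAIT    50           /* bytes to clock before giving up (assumed limit) */

/* Simulated SPI TPM: a register file plus how many wait-state bytes it inserts. */
typedef struct {
    uint8_t regs[0x1000];
    int waitStates;                  /* configured behaviour */
    int hdr, wait, data;             /* per-transfer state: header bytes seen, waits left, data idx */
    int isRead, len; uint32_t addr;
} SimTpm;

void sim_init(SimTpm* t, uint16_t vid, uint16_t did, uint8_t rid, int waitStates)
{
    memset(t, 0, sizeof(*t));
    t->waitStates = waitStates;
    t->regs[TIS_DID_VID + 0] = (uint8_t)vid;          /* TIS registers are little-endian */
    t->regs[TIS_DID_VID + 1] = (uint8_t)(vid >> 8);
    t->regs[TIS_DID_VID + 2] = (uint8_t)did;
    t->regs[TIS_DID_VID + 3] = (uint8_t)(did >> 8);
    t->regs[TIS_RID] = rid;
}

/* One full-duplex byte; CS is assumed held low for the whole transaction. */
static uint8_t sim_xfer_byte(SimTpm* t, uint8_t mosi)
{
    if (t->hdr < TIS_HDR_SZ) {                        /* header: control byte + 24-bit address */
        if (t->hdr == 0) { t->isRead = mosi & 0x80; t->len = (mosi & 0x3F) + 1; t->addr = 0; }
        else t->addr = (t->addr << 8) | mosi;
        t->hdr++; t->data = 0;
        if (t->hdr < TIS_HDR_SZ) return 0x00;
        t->wait = t->waitStates;                      /* flow control rides on the last header byte */
        return t->wait ? 0x00 : TIS_READY_MASK;
    }
    if (t->wait > 0) return --t->wait == 0 ? TIS_READY_MASK : 0x00;
    {
        uint32_t reg = (t->addr - TIS_BASE + (uint32_t)t->data) & 0xFFF;
        uint8_t miso = t->regs[reg];
        if (!t->isRead) t->regs[reg] = mosi;
        if (++t->data == t->len) t->hdr = 0;          /* transaction complete */
        return miso;
    }
}

static void spi_xfer(SimTpm* bus, const uint8_t* tx, uint8_t* rx, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) rx[i] = sim_xfer_byte(bus, tx ? tx[i] : 0x00);
}

/* TIS register read: 0 on success, -1 on bad length or wait-state timeout. */
int tis_spi_read(SimTpm* bus, uint32_t addr, uint8_t* buf, size_t len)
{
    uint8_t hdr[TIS_HDR_SZ], rx[TIS_HDR_SZ];
    int i;
    if (len == 0 || len > 64) return -1;              /* one frame carries at most 64 bytes */
    hdr[0] = (uint8_t)(0x80 | (len - 1));             /* bit7 = read, bits5:0 = len-1 */
    hdr[1] = (uint8_t)(addr >> 16); hdr[2] = (uint8_t)(addr >> 8); hdr[3] = (uint8_t)addr;
    spi_xfer(bus, hdr, rx, TIS_HDR_SZ);
    for (i = 0; !(rx[TIS_HDR_SZ - 1] & TIS_READY_MASK); i++) {
        if (i >= TIS_MAX_WAIT) return -1;             /* TPM never signalled ready */
        spi_xfer(bus, NULL, &rx[TIS_HDR_SZ - 1], 1);  /* keep clocking until LSB is set */
    }
    spi_xfer(bus, NULL, buf, len);
    return 0;
}

/* Read and decode TPM_DID_VID the way the startup banner prints it (Did/Vid). */
int read_did_vid(SimTpm* bus, uint16_t* vid, uint16_t* did)
{
    uint8_t b[4];
    if (tis_spi_read(bus, TIS_BASE + TIS_DID_VID, b, 4) != 0) return -1;
    *vid = (uint16_t)(b[0] | (b[1] << 8));
    *did = (uint16_t)(b[2] | (b[3] << 8));
    return 0;
}

/* Returns 1 if a device inserting `waitStates` wait bytes still yields the expected IDs. */
int demo_read_ids(int waitStates, uint16_t expectVid, uint16_t expectDid)
{
    SimTpm tpm; uint16_t vid = 0, did = 0;
    sim_init(&tpm, expectVid, expectDid, 0x10, waitStates);
    if (read_did_vid(&tpm, &vid, &did) != 0) return 0;
    return vid == expectVid && did == expectDid;
}
```

Two things the simulation cannot show matter on real hardware: the chip select must stay asserted across the header, the wait bytes and the data (on Linux that means a single spidev message rather than three separate ones), and a TPM that never raises the ready bit must hit a bounded timeout rather than hang the boot path. I2C TPMs do not use this framing at all, which is why the page's I2C support needs the advanced I/O callback with an explicit register argument.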
Tags: AES encryption, CSR (certificate signing request), ECC signing, ECDH, GPIO, HMAC, Infineon, Linux driver, Microchip, Nuvoton, NV storage, PCR extend, PKCS7, Raspberry Pi, RSA encryption, SPI, STM32, TLS client, TLS server, TPM 2.0, wolfTPM, memory optimization, in-memory execution, memory-mapped I/O, Trusted Platform Module, hash algorithms, Nations Tech, client-side cryptography, seal/unseal, cryptographic library, key generation, embedded Linux, embedded security, platform attestation, quote, no dependencies, root of trust, hardware security, example code