{"id":2235247,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2235247/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/766cbe833bbd3cc244d635040252a7fc338d1d5c.1778277334.git.aidan@wolfssl.com/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/1.2/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<766cbe833bbd3cc244d635040252a7fc338d1d5c.1778277334.git.aidan@wolfssl.com>","list_archive_url":null,"date":"2026-05-09T00:04:13","name":"[v3,06/12] tpm: add wolfTPM headers and SHA384 glue code","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"57978266ff150a5ed84ed0a681374cc6211cc700","submitter":{"id":92785,"url":"http://patchwork.ozlabs.org/api/1.2/people/92785/?format=json","name":"Aidan Garske","email":"aidan@wolfssl.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/766cbe833bbd3cc244d635040252a7fc338d1d5c.1778277334.git.aidan@wolfssl.com/mbox/","series":[{"id":503464,"url":"http://patchwork.ozlabs.org/api/1.2/series/503464/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=503464","date":"2026-05-09T00:04:07","name":"tpm: Add wolfTPM library support for TPM 2.0","version":3,"mbox":"http://patchwork.ozlabs.org/series/503464/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2235247/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2235247/checks/","tags":{},"related":[],"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=wolfssl-com.20251104.gappssmtp.com\n header.i=@wolfssl-com.20251104.gappssmtp.com header.a=rsa-sha256\n header.s=20251104 header.b=WHmTzsoU;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=fail (p=none dis=none) header.from=wolfssl.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=wolfssl-com.20251104.gappssmtp.com\n header.i=@wolfssl-com.20251104.gappssmtp.com header.b=\"WHmTzsoU\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=fail (p=none dis=none) header.from=wolfssl.com","phobos.denx.de;\n spf=pass smtp.mailfrom=aidan@wolfssl.com"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gC6cC3XKBz1yCg\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 09 May 2026 10:41:15 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 9ACF384E29;\n\tSat,  9 May 2026 02:40:15 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id DA27184E0B; Sat,  9 May 2026 02:04:48 +0200 (CEST)","from mail-dl1-x122b.google.com (mail-dl1-x122b.google.com\n [IPv6:2607:f8b0:4864:20::122b])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 83B7E84E02\n for <u-boot@lists.denx.de>; Sat,  9 May 2026 02:04:46 +0200 (CEST)","by mail-dl1-x122b.google.com with SMTP id\n a92af1059eb24-12dfee30612so2765329c88.0\n for <u-boot@lists.denx.de>; Fri, 08 May 2026 17:04:46 -0700 (PDT)","from localhost.localdomain ([207.231.76.218])\n by smtp.gmail.com with ESMTPSA id\n a92af1059eb24-132787673ffsm5505030c88.15.2026.05.08.17.04.43\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 08 May 2026 17:04:44 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"*","X-Spam-Status":"No, score=1.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_SBL_CSS,SPF_HELO_NONE,\n SPF_PASS autolearn=no autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=wolfssl-com.20251104.gappssmtp.com; s=20251104; t=1778285085; x=1778889885;\n darn=lists.denx.de;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=wOpeNUMlBWK7l7k0WjdMjU+ibuBWvxditEqOtdChToU=;\n b=WHmTzsoUdaRyOUjHrSTrsqPilguGeHYws/84kHqKir0F4b8V63PAkkmL3J3eVDxc+P\n JWDy37TxpldDIz20TLBV6uLxY687W0hqkHbbQPq3XksnzEkaGuPfgIxXFdXNFPH6JqTW\n E8LI8bCPGpRuDH8sN2qHzTAK3wabIOnon7SH+wjF/rLjzH7KyDlKQssr4Q3VLI6+z9Mu\n PzMbglTNhXfGCcpFKXjdEmfTzqX4LtBFouOQ7tFOvcmR7sl0IjVpqGtdqFh/32VA0Nsv\n WuQkynCJGyTuIX4axK3/c4mHn+MU4JmahMnlwOQZZNmRe4mUiZzJhOW2uajN+YHn/I50\n 5T8Q==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1778285085; x=1778889885;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=wOpeNUMlBWK7l7k0WjdMjU+ibuBWvxditEqOtdChToU=;\n b=cl3U+qhQpABcKADTLLls1c6MxxdBVf1Knn26Q2rPOzVhkTMtbFUQ9kETldRete7Ynw\n U93ldF21TZUiddnDKwtTSWxhb0wdDSDdDqPtPwsj5lDvaJzlhGP2Fybwem3hdG5gt2yO\n q6ZlMR0wlw/HhD5Gg8RgcFUTIzqwRXkWAPjR6w0/aGUJIflAsvrUhdTlgLycEuHuvm4i\n Ba40+7S4VvfqiDHOjcRBrtSzbuoA2MGkwHuCSy38lSjtRRXmOlYoBrbbMSg4UcUPisw7\n nh9pxc0XWZk8/0DbdD1E/KJa20vIbHpYmKWs+S7x9xTVg5kYzG3q1C5uGA8jC6wqmdzG\n btLw==","X-Gm-Message-State":"AOJu0Yy88JeTj4ebFkq2NCWUhO65+qmCsY7qJiKBST8YJf74AnGndvob\n RcaxzbHglxxhmAwITawXwdIDjvhFIztC6/xqN7qXrbTsgGs3mr1qmOxKSmFCp07rRJNVJ98dVcP\n 1fE7Z","X-Gm-Gg":"AeBDievP1qvXn4oYfesDPWSV6XuThGiCQWey5xlIu+igxJymKEsLuRhuQ5/8pVCBTMt\n DxZwN//VyxG8tph90fzOrHRhUbGgPj9foJtBSzV7DG98KaWgIcgXsPHmiT+8zKezIIenjhtw4mF\n NyMFnQUFD4E+iin5bESFnOnjIWhjWbsEkvnurXe6dQ7WXQH5u4uU3B1RfrMq7X69jrqVI2bw8iq\n zwghp6DbUO5qt8UNEXMFUIU7eZgNMTKioetutNHMTcpwNNbrBjlTRGCN7VXExPNdlHglvhP8yyo\n xNjQlMIAh+PFNJK/TsFPaXk07UpPVim5diWPj6RujVQIjtcDq+Zm8RYx7qy2lIAw6wwlyiGcxT6\n Hw/EEch0rTkW6cRDtvnnnm36BqexCryf9RlcWPR69TtCXY0Euvvgfk1XGW8FhXdzfHspUm8pqPG\n kVjiUUF1vjY0BCM9zY8gCk9jvsXmtnV7rJNxeEfSymoSQpwl+3EKXGvyB5DD3xymhniAaTv8QDL\n rJiC6qjs3K4iPLQWrrz/7cE6OXuNMsq","X-Received":"by 2002:a05:7022:6606:b0:11d:fd26:234e with SMTP id\n a92af1059eb24-13271382d62mr2781261c88.16.1778285084604;\n Fri, 08 May 2026 17:04:44 -0700 (PDT)","From":"Aidan Garske <aidan@wolfssl.com>","To":"u-boot@lists.denx.de","Cc":"David Garske <david@wolfssl.com>,\n Ilias Apalodimas <ilias.apalodimas@linaro.org>","Subject":"[PATCH v3 06/12] tpm: add wolfTPM headers and SHA384 glue code","Date":"Fri,  8 May 2026 17:04:13 -0700","Message-ID":"\n <766cbe833bbd3cc244d635040252a7fc338d1d5c.1778277334.git.aidan@wolfssl.com>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<cover.1778277334.git.aidan@wolfssl.com>","References":"<cover.1778277334.git.aidan@wolfssl.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Mailman-Approved-At":"Sat, 09 May 2026 02:40:11 +0200","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"From: Aidan <aidan@wolfssl.com>\n\nAdd the wolfTPM integration headers and hash wrapper needed to bridge\nwolfTPM with U-Boot's subsystems.\n\ninclude/wolftpm.h:\n  Public header exposing TPM2_PCRs_Print(), TPM2_Init_Device(), and\n  Infineon firmware update helpers (TPM2_IFX_FwData_Cb,\n  TPM2_IFX_GetOpModeStr, TPM2_IFX_PrintInfo). Includes the core\n  wolfTPM headers (tpm2.h, tpm2_wrap.h, tpm2_packet.h).\n\ninclude/configs/user_settings.h:\n  wolfTPM compile-time configuration. Selects TPM chip type\n  (SLB9672/SLB9673 for real hardware, WOLFTPM_AUTODETECT for\n  swtpm/QEMU), communication mode (native SPI TIS layer for real\n  hardware, WOLFTPM_LINUX_DEV for U-Boot driver model), timeout\n  tuning, and feature flags (WOLFTPM2_NO_WOLFCRYPT,\n  WOLFTPM2_NO_HEAP, WOLFTPM_CHECK_WAIT_STATE).\n\n  user_settings.h pulls in <asm/byteorder.h> up front so U-Boot's\n  cpu_to_beXX / beXX_to_cpu macros are defined before wolfTPM's\n  tpm2_packet.h, whose fallback definitions are #ifndef-guarded.\n  This keeps the workaround on the wolfTPM side rather than\n  modifying linux/byteorder/generic.h.\n\nlib/wolftpm.c:\n  Provides wc_Sha384Hash() implementation when wolfCrypt is disabled\n  (WOLFTPM2_NO_WOLFCRYPT). Uses U-Boot's hash_lookup_algo(\"sha384\")\n  to compute SHA-384 digests, which is required for Infineon TPM\n  firmware update manifest validation.\n\nSigned-off-by: Aidan Garske <aidan@wolfssl.com>\n---\n include/configs/user_settings.h | 123 ++++++++++++++++++++++++++++++++\n include/wolftpm.h               |  34 +++++++++\n lib/wolftpm.c                   |  56 +++++++++++++++\n 3 files changed, 213 insertions(+)\n create mode 100644 include/configs/user_settings.h\n create mode 100644 include/wolftpm.h\n create mode 100644 lib/wolftpm.c","diff":"diff --git a/include/configs/user_settings.h b/include/configs/user_settings.h\nnew file mode 100644\nindex 00000000000..6afd6ddc520\n--- /dev/null\n+++ b/include/configs/user_settings.h\n@@ -0,0 +1,123 @@\n+/* SPDX-License-Identifier: GPL-2.0+ */\n+/*\n+ * wolfTPM build configuration for U-Boot\n+ *\n+ * Copyright (C) 2025 wolfSSL Inc.\n+ * Author: Aidan Garske <aidan@wolfssl.com>\n+ */\n+\n+#ifndef USER_SETTINGS_H\n+#define USER_SETTINGS_H\n+\n+/* Define U-Boot's byte-order macros first so wolfTPM's #ifndef-guarded\n+ * fallbacks in tpm2_packet.h don't redefine them.\n+ */\n+#include <asm/byteorder.h>\n+\n+#ifdef __cplusplus\n+extern \"C\" {\n+#endif\n+\n+/******************************************************************************/\n+/* --- BEGIN wolfTPM U-boot Settings -- */\n+/******************************************************************************/\n+\n+/* =========================================================================\n+ * TPM Chip Configuration\n+ * =========================================================================\n+ *\n+ * CONFIG_TPM_AUTODETECT: For swtpm/QEMU testing (no specific chip)\n+ * !CONFIG_TPM_AUTODETECT: For real hardware (SLB9672/SLB9673)\n+ */\n+#ifdef CONFIG_TPM_AUTODETECT\n+\t#define WOLFTPM_AUTODETECT\n+#else\n+\t/* Real hardware - Infineon SLB9672/SLB9673\n+\t * Firmware upgrade only supported by these chips */\n+\t#define WOLFTPM_FIRMWARE_UPGRADE\n+\t#define WOLFTPM_SLB9672\n+\t/* #define WOLFTPM_SLB9673 */\n+#endif\n+\n+/* Include delay.h and types.h for\n+ * U-boot time delay and types */\n+#include <linux/delay.h>\n+#include <linux/types.h>\n+#include <stdint.h>\n+\n+/* wolfCrypt disabled - pcr_setauthpolicy/pcr_setauthvalue not available\n+ * To enable wolfCrypt, you would need to:\n+ * 1. Uncomment the line below to undefine WOLFTPM2_NO_WOLFCRYPT\n+ * 2. Add wolfCrypt source files to the U-Boot build (lib/Makefile)\n+ * 3. Add wolfCrypt settings for embedded/no-OS use\n+ */\n+#undef  WOLFTPM2_NO_WOLFCRYPT\n+#define WOLFTPM2_NO_WOLFCRYPT\n+\n+/* =========================================================================\n+ * TPM Communication Mode Selection (Auto-detected based on chip type)\n+ * =========================================================================\n+ *\n+ * For real SPI hardware (SLB9672/SLB9673):\n+ *   - Uses wolfTPM's native TIS layer with raw SPI via tpm_io_uboot.c\n+ *   - Requires CONFIG_SPI and CONFIG_DM_SPI enabled in U-Boot\n+ *\n+ * For swtpm/QEMU testing (no specific chip defined):\n+ *   - Uses WOLFTPM_LINUX_DEV mode with U-Boot's TPM driver (tpm_xfer())\n+ *   - Works with MMIO-based TPM via tpm2_tis_mmio.c\n+ */\n+\n+#if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673)\n+\t/* Real SPI hardware - use native wolfTPM TIS with raw SPI */\n+\t/* WOLFTPM_LINUX_DEV is NOT defined */\n+\t#define WOLFTPM_EXAMPLE_HAL\n+\n+\t/* SPI bus and chip select for TPM\n+\t * Official Raspberry Pi tpm-slb9670 overlay uses CE1 (GPIO7)\n+\t * This matches LetsTrust and most Infineon evaluation boards */\n+\t#ifndef TPM_SPI_BUS\n+\t\t#define TPM_SPI_BUS 0\n+\t#endif\n+\t#ifndef TPM_SPI_CS\n+\t\t#define TPM_SPI_CS 1   /* CE1/GPIO7 - official RPi TPM overlay setting */\n+\t#endif\n+#else\n+\t/* swtpm/QEMU - use U-Boot's TPM driver with MMIO communication mode */\n+\t#define WOLFTPM_LINUX_DEV\n+#endif\n+\n+#define XSLEEP_MS(ms) udelay(ms * 1000)\n+\n+/* Timeout configuration */\n+#ifdef WOLFTPM_FIRMWARE_UPGRADE\n+\t/* Firmware update requires much longer timeout for TPM processing */\n+\t#define TPM_TIMEOUT_TRIES 2000000\n+#else\n+\t/* Normal operations - reduce from default 1,000,000 to prevent long hangs */\n+\t#define TPM_TIMEOUT_TRIES 10000\n+#endif\n+\n+/* Add small delay between poll attempts to avoid tight spin loop */\n+#define XTPM_WAIT() udelay(100)\n+\n+/* Do not include API's that use heap(), they are not required */\n+#define WOLFTPM2_NO_HEAP\n+\n+/* Debugging - disabled for clean output */\n+/* #define DEBUG_WOLFTPM */\n+/* #define WOLFTPM_DEBUG_VERBOSE */\n+/* #define WOLFTPM_DEBUG_IO */\n+/* #define WOLFTPM_DEBUG_TIMEOUT */\n+\n+/* SPI Wait state checking - most TPMs use this */\n+#define WOLFTPM_CHECK_WAIT_STATE\n+\n+/******************************************************************************/\n+/* --- END wolfTPM U-boot Settings -- */\n+/******************************************************************************/\n+\n+#ifdef __cplusplus\n+}\n+#endif\n+\n+#endif /* USER_SETTINGS_H */\ndiff --git a/include/wolftpm.h b/include/wolftpm.h\nnew file mode 100644\nindex 00000000000..a3cd9d0d2dd\n--- /dev/null\n+++ b/include/wolftpm.h\n@@ -0,0 +1,34 @@\n+/* SPDX-License-Identifier: GPL-2.0+ */\n+/*\n+ * wolfTPM integration header for U-Boot\n+ *\n+ * Copyright (C) 2025 wolfSSL Inc.\n+ * Author: Aidan Garske <aidan@wolfssl.com>\n+ */\n+\n+#ifndef __WOLFTPM_H__\n+#define __WOLFTPM_H__\n+\n+#include <wolftpm/tpm2.h>\n+#include <wolftpm/tpm2_wrap.h>\n+#include <wolftpm/tpm2_packet.h>\n+\n+#ifdef __cplusplus\n+extern \"C\" {\n+#endif\n+\n+#ifdef WOLFTPM_FIRMWARE_UPGRADE\n+int TPM2_IFX_FwData_Cb(uint8_t *data, uint32_t data_req_sz,\n+\t\t\tuint32_t offset, void *cb_ctx);\n+const char *TPM2_IFX_GetOpModeStr(int opMode);\n+void TPM2_IFX_PrintInfo(WOLFTPM2_CAPS *caps);\n+#endif\n+\n+int TPM2_PCRs_Print(void);\n+int TPM2_Init_Device(WOLFTPM2_DEV *dev, void *userCtx);\n+\n+#ifdef __cplusplus\n+}\n+#endif\n+\n+#endif /* __WOLFTPM_H__ */\ndiff --git a/lib/wolftpm.c b/lib/wolftpm.c\nnew file mode 100644\nindex 00000000000..49e35401236\n--- /dev/null\n+++ b/lib/wolftpm.c\n@@ -0,0 +1,56 @@\n+// SPDX-License-Identifier: GPL-2.0+\n+/*\n+ * wolfTPM wrapper layer for U-Boot\n+ *\n+ * Copyright (C) 2025 wolfSSL Inc.\n+ * Author: Aidan Garske <aidan@wolfssl.com>\n+ */\n+\n+/* wolfTPM wrapper layer to expose U-boot API\n+ * when wolfCrypt is not available. This is used by\n+ * the U-boot firmware update command.\n+ */\n+\n+#include <configs/user_settings.h>\n+#include <hash.h>\n+#include <linux/types.h>\n+#include <stdint.h>\n+#include <stdio.h>\n+#include <string.h>\n+#include <malloc.h>\n+#include <mapmem.h>\n+#include <asm/cache.h>\n+#include <errno.h>\n+\n+/* Add wolfTPM type definitions */\n+typedef uint8_t byte;\n+typedef uint32_t word32;\n+\n+#ifdef WOLFTPM2_NO_WOLFCRYPT\n+int wc_Sha384Hash(const byte *data, word32 len, byte *hash)\n+{\n+\tstruct hash_algo *algo;\n+\tu8 *output;\n+\tvoid *buf;\n+\n+\tif (hash_lookup_algo(\"sha384\", &algo)) {\n+\t\tprintf(\"Unknown hash algorithm 'sha384'\\n\");\n+\t\treturn -1;\n+\t}\n+\n+\toutput = (u8 *)memalign(ARCH_DMA_MINALIGN,\n+\t\t\t\talgo->digest_size);\n+\tif (!output) {\n+\t\treturn -ENOMEM;\n+\t}\n+\n+\tbuf = (void *)map_sysmem((ulong)data, len);\n+\talgo->hash_func_ws(buf, len, output, algo->chunk_size);\n+\tunmap_sysmem(buf);\n+\n+\tmemcpy(hash, output, algo->digest_size);\n+\n+\tfree(output);\n+\treturn 0;\n+}\n+#endif /* WOLFTPM2_NO_WOLFCRYPT */\n","prefixes":["v3","06/12"]}