Add TPM2.0 SPDM Support with Nuvoton NPCT75x / spdm-emu

.github/workflows/make-test-swtpm.yml

@@ -69,6 +69,17 @@ jobs:
           # STMicro ST33KTPM2
           - name: st33ktpm2 firmware
             wolftpm_config: --enable-st33 --enable-firmware
+
+          # SPDM with wolfSPDM (emulator mode, compile + unit test)
+          - name: spdm-wolfspdm
+            wolfssl_config: --enable-wolftpm --enable-all
+            wolftpm_config: --enable-spdm --enable-swtpm --with-wolfspdm=../wolfspdm
+          # SPDM + Nuvoton (compile-only, no hardware in CI)
+          - name: spdm-nuvoton
+            wolfssl_config: --enable-wolftpm --enable-all
+            wolftpm_config: --enable-spdm --enable-nuvoton --with-wolfspdm=../wolfspdm
+            needs_swtpm: false
+
           # Microchip
           - name: microchip
             wolftpm_config: --enable-microchip
@@ -187,6 +198,22 @@ jobs:
           sudo make install
           sudo ldconfig
 
+      - name: Checkout and build wolfSPDM
+        if: contains(matrix.wolftpm_config, '--enable-spdm')
+        run: |
+          # TODO: Change to wolfSSL/wolfSPDM when repo is moved over
+          git clone https://github.com/aidangarske/wolfSPDM.git ../wolfspdm
+          cd ../wolfspdm
+          ./autogen.sh
+          WOLFSPDM_CONFIG=""
+          if echo "${{ matrix.wolftpm_config }}" | grep -q -- '--enable-nuvoton'; then
+            WOLFSPDM_CONFIG="--enable-nuvoton"
+          fi
+          ./configure $WOLFSPDM_CONFIG
+          make
+          sudo make install
+          sudo ldconfig
+
       # For old-wolfssl test: checkout and build old wolfSSL for linking
       - name: Checkout old wolfSSL
         if: matrix.name == 'old-wolfssl'

configure.ac

@@ -22,6 +22,7 @@ AC_CANONICAL_HOST
 AC_CANONICAL_TARGET
 AC_CONFIG_MACRO_DIR([m4])
 
+
 AM_INIT_AUTOMAKE([1.11 -Wall -Werror -Wno-portability foreign tar-ustar subdir-objects no-define color-tests])
 
 AC_ARG_PROGRAM
@@ -462,6 +463,76 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_PROVISIONING"
 fi
 
+# SPDM Authenticated Controller (AC) Support
+# Requires wolfSPDM library for all SPDM protocol operations
+AC_ARG_ENABLE([spdm],
+    [AS_HELP_STRING([--enable-spdm],[Enable SPDM support using wolfSPDM library (default: disabled)])],
+    [ ENABLED_SPDM=$enableval ],
+    [ ENABLED_SPDM=no ]
+    )
+
+# wolfSPDM path (required when --enable-spdm is used)
+WOLFSPDM_PATH=""
+AC_ARG_WITH([wolfspdm],
+    [AS_HELP_STRING([--with-wolfspdm=PATH],[Path to wolfSPDM install or source directory (required for --enable-spdm)])],
+    [
+        if test "x$withval" != "xno" && test "x$withval" != "xyes"
+        then
+            WOLFSPDM_PATH="$withval"
+        fi
+    ]
+)
+
+if test "x$ENABLED_SPDM" = "xyes"
+then
+    # wolfSPDM is required for SPDM support
+    if test "x$WOLFSPDM_PATH" = "x"
+    then
+        AC_MSG_ERROR([--enable-spdm requires --with-wolfspdm=PATH
+  wolfSPDM provides all SPDM protocol implementation.
+  Build wolfSPDM first:
+    cd /path/to/wolfspdm
+    ./autogen.sh
+    ./configure --with-wolfssl=/path/to/wolfssl
+    make
+  Then use: --with-wolfspdm=/path/to/wolfspdm])
+    fi
+
+    # Check for installed layout: PATH/include + PATH/lib
+    if test -d "${WOLFSPDM_PATH}/include" && test -d "${WOLFSPDM_PATH}/lib"
+    then
+        WOLFSPDM_INCDIR="${WOLFSPDM_PATH}/include"
+        WOLFSPDM_LIBDIR="${WOLFSPDM_PATH}/lib"
+    # Check for source tree layout: PATH/wolfspdm + PATH/.libs
+    elif test -d "${WOLFSPDM_PATH}/wolfspdm" && test -d "${WOLFSPDM_PATH}/.libs"
+    then
+        WOLFSPDM_INCDIR="${WOLFSPDM_PATH}"
+        WOLFSPDM_LIBDIR="${WOLFSPDM_PATH}/.libs"
+    else
+        AC_MSG_ERROR([wolfSPDM not found at: ${WOLFSPDM_PATH}
+  Expected either installed layout (PATH/include + PATH/lib)
+  or source tree layout (PATH/wolfspdm + PATH/.libs).
+  Build wolfSPDM first: cd wolfspdm && ./autogen.sh && ./configure && make])
+    fi
+
+    CPPFLAGS="-I${WOLFSPDM_INCDIR} $CPPFLAGS"
+    LDFLAGS="-L${WOLFSPDM_LIBDIR} $LDFLAGS"
+    LIBS="$LIBS -lwolfspdm"
+
+    # Check that wolfSPDM library is usable
+    AC_CHECK_HEADER([wolfspdm/spdm.h], [],
+        [AC_MSG_ERROR([wolfSPDM header not found at ${WOLFSPDM_INCDIR}])])
+
+    AC_DEFINE([WOLFTPM_SPDM], [1], [Enable SPDM support using wolfSPDM])
+    AC_MSG_NOTICE([SPDM support enabled using wolfSPDM at: ${WOLFSPDM_PATH}])
+
+    # Enable wolfSPDM Nuvoton support if Nuvoton TPM is also enabled
+    if test "x$ENABLED_NUVOTON" = "xyes"
+    then
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSPDM_NUVOTON"
+        AC_MSG_NOTICE([Nuvoton SPDM vendor commands enabled])
+    fi
+fi
 
 # HARDEN FLAGS
 AX_HARDEN_CC_COMPILER_FLAGS
@@ -493,6 +564,7 @@ AM_CONDITIONAL([BUILD_CHECKWAITSTATE], [test "x$ENABLED_CHECKWAITSTATE" = "xyes"
 AM_CONDITIONAL([BUILD_AUTODETECT], [test "x$ENABLED_AUTODETECT" = "xyes"])
 AM_CONDITIONAL([BUILD_FIRMWARE], [test "x$ENABLED_FIRMWARE" = "xyes"])
 AM_CONDITIONAL([BUILD_HAL], [test "x$ENABLED_EXAMPLE_HAL" = "xyes" || test "x$ENABLED_MMIO" = "xyes"])
+AM_CONDITIONAL([BUILD_SPDM], [test "x$ENABLED_SPDM" = "xyes"])
 
 
 CREATE_HEX_VERSION
@@ -622,3 +694,7 @@ echo "   * Nuvoton NPCT75x:           $ENABLED_NUVOTON"
 
 echo "   * Runtime Module Detection:  $ENABLED_AUTODETECT"
 echo "   * Firmware Upgrade Support:  $ENABLED_FIRMWARE"
+echo "   * SPDM Support:              $ENABLED_SPDM"
+if test "x$ENABLED_SPDM" = "xyes"; then
+    echo "   * wolfSPDM:                  ${WOLFSPDM_PATH}"
+fi