We’re excited to share a new feature added to wolfTPM: a lightweight example for verifying TPM Endorsement Key (EK) Certificates without wolfCrypt. The new example, verify_ek_cert, retrieves and verifies the EK certificate stored in the TPM’s non-volatile memory. This supports TPMs like the Infineon SLB9672/SLB9673, STMicro ST33 series, and validates their RSA-signed EK certs using the manufacturer’s public CA certificate. This is essential for secure boot, remote attestation, and provisioning in trusted systems. Highlights:

Reads EK cert from NV memory (Index: 0x1C00002) Parses and validates the X.509 certificate Verifies hash and signature using CA public key Confirms TPM identity and trustworthiness

This example uses minimal ASN.1 parsing to reduce code size and avoid dependencies on wolfCrypt. This approach is especially valuable for DO-178C certification efforts, where reducing complexity and traceability is critical. wolfTPM remains the only TPM 2.0 stack specifically designed for bare-metal environments with a minimal code footprint—ideal for embedded, safety-critical systems. To try it:

$ git clone https://github.com/wolfSSL/wolfTPM.git
$ cd wolfTPM
$ ./configure --disable-wolfcrypt && make
$ ./examples/endorsement/verify_ek_cert

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247. Download wolfSSL Now