
Announcing wolfTPM Firmware TPM (fTPM) Support

wolfSSL is excited to announce firmware TPM (fTPM) support in wolfTPM — a production-ready, open-source, embedded firmware TPM 2.0 implementation built on wolfCrypt. wolfTPM fTPM fills a critical gap in embedded security: teams that need software-based TPM services on MCUs and SoCs can now use an open-source implementation with commercial support, portable platform integration, and the ability to pair TPM functionality with wolfCrypt FIPS 140-3 validated cryptography configurations. Whether you are implementing secure boot, measured boot, remote attestation, or protected key storage, wolfTPM fTPM provides TPM 2.0 behavior without requiring a discrete TPM chip, using isolated execution such as TrustZone secure world, a dedicated FPGA softcore, or another hardware-enforced boundary.

Implementation details and discussion are available in PR #474.

Design assumptions and deployment targets

wolfTPM fTPM is designed for systems with a hardware isolation boundary. Typical deployment patterns include:

- Arm TrustZone separation (secure/non-secure worlds)
- Dedicated core architectures for TPM service isolation
- FPGA softcore deployments, including RISC-V MiV-RV32 on AMD/Xilinx UltraScale+ and Microchip PolarFire MPSoC

An out-of-box STM32H563ZI TrustZone reference is being migrated to wolftpm-examples/puf.

Transport modes (socket, mssim/swtpm, and TIS)

wolfTPM fTPM supports two primary transport models, selected by build configuration and deployment model:

Socket transport (--enable-swtpm)
- Compatible with Microsoft simulator protocol (mssim) and swtpm TCTI styles.
- Works well for host-based bring-up, CI, and tool interoperability.
- Typical tpm2-tools environment settings:
  TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"
  TPM2TOOLS_TCTI="swtpm:host=localhost,port=2321"

TIS register transport (without --enable-swtpm)
- Uses TPM TIS register-level access (for example, shared memory or platform bus integration).
- Better aligned with embedded/bare-metal integration where direct register transport is required.
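To make the socket transport concrete, here is an added Python client (example code, not wolfTPM's own) that frames TPM2_Startup and TPM2_GetRandom in the Microsoft simulator (mssim) protocol and checks the response framing and TPM response size before trusting the payload. The command port 2321, the platform port 2322 and the power-on/NV-on platform signals are assumptions taken from the Microsoft simulator's defaults, not from this page.

```python
import socket
import struct

# mssim framing codes (Microsoft TPM simulator protocol); ports 2321/2322 are assumed defaults.
MSSIM_POWER_ON, MSSIM_NV_ON, MSSIM_SEND_COMMAND = 1, 11, 8
# TPM 2.0 wire constants for the two commands exercised here.
TPM_ST_NO_SESSIONS, TPM_SU_CLEAR = 0x8001, 0x0000
TPM_CC_Startup, TPM_CC_GetRandom = 0x00000144, 0x0000017B

def tpm_cmd(command_code, params=b""):
    """TPM 2.0 command: tag(2) | commandSize(4) | commandCode(4) | parameters."""
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(params), command_code) + params

def mssim_frame(cmd, locality=0):
    """mssim TPM_SEND_COMMAND: code(4) | locality(1) | length(4) | TPM command bytes."""
    return struct.pack(">IBI", MSSIM_SEND_COMMAND, locality, len(cmd)) + cmd

def mssim_unframe(data):
    """mssim reply: length(4) | TPM response | ack(4). Returns (TPM rc, parameter bytes)."""
    (length,) = struct.unpack(">I", data[:4])
    resp, ack = data[4:4 + length], struct.unpack(">I", data[4 + length:8 + length])[0]
    if ack != 0:
        raise ValueError("mssim ack %d" % ack)
    tag, size, rc = struct.unpack(">HII", resp[:10])
    if size != len(resp):  # responseSize must match what the transport delivered
        raise ValueError("TPM responseSize %d != %d bytes received" % (size, len(resp)))
    return rc, resp[10:]

def parse_getrandom(body):
    """TPM2_GetRandom response parameter is a TPM2B_DIGEST: size(2) | randomBytes."""
    (n,) = struct.unpack(">H", body[:2])
    return body[2:2 + n]

def mssim_exchange(sock, cmd):
    """Send one framed command and read exactly length + response + ack."""
    sock.sendall(mssim_frame(cmd))
    f = sock.makefile("rb")
    hdr = f.read(4)
    return mssim_unframe(hdr + f.read(struct.unpack(">I", hdr)[0] + 4))

if __name__ == "__main__":
    with socket.create_connection(("localhost", 2322)) as plat:  # platform port (assumed)
        for sig in (MSSIM_POWER_ON, MSSIM_NV_ON):
            plat.sendall(struct.pack(">I", sig))
            plat.makefile("rb").read(4)  # uint32 ack
    with socket.create_connection(("localhost", 2321)) as s:  # command port (assumed)
        rc, _ = mssim_exchange(s, tpm_cmd(TPM_CC_Startup, struct.pack(">H", TPM_SU_CLEAR)))
        rc2, body = mssim_exchange(s, tpm_cmd(TPM_CC_GetRandom, struct.pack(">H", 16)))
        print("Startup rc=0x%x GetRandom rc=0x%x random=%s" % (rc, rc2, parse_getrandom(body).hex()))
```

A TPM2_Startup rc of 0x100 (TPM_RC_INITIALIZE) simply means the fTPM was already started by an earlier session.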

Architecture and feature set

The firmware TPM implementation is organized around clear subsystem boundaries:

- Command engine for TPM 2.0 command decode/dispatch/response flow
- TIS transport layer for host communication over TPM-compatible interfaces
- Crypto integration layer mapped to wolfCrypt primitives and policy controls
- NV state subsystem for persistent TPM objects, counters, and state continuity

Key technical capabilities include:

- TPM 2.0 command-path integration suitable for firmware-resident deployments
- Measured-boot and attestation-oriented integration points in embedded boot chains
- Portability across platform isolation models through the src/fwtpm/ports/ structure
- Alignment with existing TPM-oriented provisioning and lifecycle workflows
- Optional deployment with wolfCrypt FIPS 140-3 validated cryptography configurations for regulated environments

Source layout:

- Core firmware TPM code: src/fwtpm/
- Platform ports: src/fwtpm/ports/
- STM32H563ZI TrustZone reference: moving to wolftpm-examples/puf
- Firmware TPM documentation: docs/FWTPM.md

Getting Started (build and try)

Quick local bring-up for socket mode (mssim/swtpm compatible):

./autogen.sh
./configure --enable-fwtpm --enable-swtpm
make

Then run the fwTPM build/test helper:

scripts/fwtpm_build_test.sh --quick

For full matrix testing:

scripts/fwtpm_build_test.sh --all

For platform-focused integration, start with:

- wolftpm-examples/puf for STM32H563ZI + TrustZone reference material
- docs/FWTPM.md for configuration options and deployment notes

For production use, ensure platform-specific hardening for isolation policy, NV protection, key lifecycle, and secure update strategy.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
