Skip to content

Add STM33TPM Firmware Update Support for LMS/non-LMS #446

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
aidangarske wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Add STM33TPM Firmware Update Support for LMS/non-LMS #446

aidangarske wants to merge 7 commits into from
+1,783 −32

Conversation

@aidangarske
Copy link
Contributor

@aidangarske aidangarske commented Jan 1, 2026
edited
Loading

Description

This PR adds comprehensive firmware update support for STMicroelectronics ST33KTPM2X TPM modules, including both legacy non-LMS and modern LMS (Leighton-Micali Signature) signature formats.

Overview

The implementation supports firmware updates for ST33 TPMs across two firmware generations:

  • Generation 1 (< 512): Legacy firmware requiring non-LMS format (177-byte manifest)
  • Generation 2 (>= 512): Modern firmware requiring LMS format (2697-byte manifest with embedded signature)

Main Functions Created

Core API Functions

  1. wolfTPM2_FirmwareUpgradeHash() - Main firmware upgrade function

    • Handles version detection and routes to appropriate path (non-LMS or LMS)
    • Sends full manifest (blob0) directly to TPM via FieldUpgradeStart command
    • Processes firmware data as blobs per ST reference implementation
    • Supports recovery/continuation from TPM_RC_UPGRADE state

  2. wolfTPM2_FirmwareUpgradeWithLMS() - LMS signature path

    • Dedicated function for LMS signature-based firmware updates
    • Validates LMS signature format and size
    • Handles Generation 2 firmware (>= 512) requiring LMS signatures

  3. wolfTPM2_FirmwareUpgradeCancel() - Cancel/abandon firmware update

    • Allows cancellation of in-progress firmware updates
    • Uses ST33's password-based authentication (TPM_RS_PW)

Helper Functions

  • tpm2_st33_firmware_start() - Non-LMS firmware upgrade start
  • tpm2_st33_firmware_start_lms() - LMS firmware upgrade start
  • tpm2_st33_firmware_upgrade_hash() - Version detection and routing logic
  • tpm2_st33_firmware_send_blob() - Send firmware blob chunks to TPM

Key Implementation Details

Firmware Version Detection

The implementation uses a simplified two-state model matching ST's reference tools:

  • Firmware < 512 (e.g., 9.257): Legacy Generation 1, non-LMS format required
  • Firmware >= 512 (e.g., 9.512): Modern Generation 2, LMS format required

Version threshold is 512 (0x0200), matching ST's policy where 9.512 is the first firmware version that mandates LMS signatures.

Testing

All functionality was tested on real ST33KTPM2X hardware:

  • Firmware 9.256 (legacy): Verified non-LMS firmware update path
  • Firmware 9.512 (modern): Verified LMS format detection, enforcement, and successful updates

Tested firmware update and all examples with LMS and non-LMS and confirmed update to LMS version

Added test script (examples/firmware/test_st33_firmware.sh) with selective testing via --lms and --no-lms flags.

  • updated .github/workflows/cmake-build.yml with --enable-firmware
  • updated .github/workflows/make-test-swtpm.yml with --enable-firmware

@aidangarske
Add initial wolfTPM firmware update support for stm33KTPM
71d482e
@aidangarske
Add non-LMS capabilities, unit test, examples - tested non-LMS needs …
5aab9da 
…gating
@aidangarske
Add ST33 LMS firmware update support
ae025a8 
  - Add wolfTPM2_FirmwareUpgradeWithLMS() for LMS signature path
  - Implement three-state LMS detection (UNSUPPORTED/CAPABLE/REQUIRED)
  - Send full manifest (blob0) in FieldUpgradeStart instead of hash
  - Parse and send firmware as blobs per ST reference implementation
  - Add --lms flag to st33_fw_update example for V2 firmware files
  - Handle TPM_RC_UPGRADE state for recovery/continuation
  - Remove unnecessary finalize command (ST33 doesn't use it)
  - Increase blob buffer size to handle 1075+ byte blobs
  - Add test script for ST33 firmware update verification

  Tested with ST33KTPM2X firmware 9.512 using LMS V2 format.
@aidangarske
Fix ST33 firmware version cutoff from 915 to 512 for LMS requirement
ee4770d 
Corrected the firmware version threshold for LMS signature requirement from
915 to 512 (0x0200) to match ST's actual firmware policy. Version 9.512 is
the first modern firmware (Generation 2) that requires LMS signatures,
while firmware < 512 (e.g., 9.257) uses legacy non-LMS format (Generation 1).

Changes:
- Updated ST33_FW_VERSION_LMS_REQUIRED constant from 915 to 512
- Simplified two-state model: < 512 (legacy/non-LMS) vs >= 512 (modern/LMS)
- Updated version detection logic throughout codebase
- Updated help text and error messages to reflect 512 threshold
- Updated documentation to clarify Generation 1 vs Generation 2 firmware
- Enhanced test script with --lms and --no-lms flags for selective testing
- Fixed error messages in test script to use correct flag names

The cutoff at 512 matches ST's reference implementation which uses separate
tools for Generation 1 (< 512) vs Generation 2 (>= 512) firmware.

Tested on hardware with firmware 9.512, confirming LMS format is required
and correctly enforced for modern firmware versions.
@aidangarske
Simplify long comments fix unit test
63faf0d
@aidangarske
Update readme with new info
81d9c75
@aidangarske aidangarske self-assigned this Jan 1, 2026
@dgarske dgarske self-requested a review January 1, 2026 19:55
@dgarske dgarske self-assigned this Jan 1, 2026
@aidangarske aidangarske force-pushed the stm33KTPM-support-clean branch from 4827185 to 018e15f Compare January 1, 2026 19:57
@aidangarske
Fix build for no-wolfcrypt and Infineon-only configs
1a7c490 
   - Gate wolfTPM2_FirmwareUpgrade and wolfTPM2_FirmwareUpgradeWithLMS
     declarations with WOLFTPM2_NO_WOLFCRYPT (they use wc_Sha384Hash)
   - Fix unit tests to only call wolfcrypt-dependent firmware functions
     when wolfcrypt is enabled
   - Add unused parameter suppressions in FirmwareUpgradeHashWithLMS
     when ST33 is not enabled (fixes -Werror for SLB9672/SLB9673 builds)
@aidangarske aidangarske force-pushed the stm33KTPM-support-clean branch from 018e15f to 1a7c490 Compare January 1, 2026 20:15
@aidangarske aidangarske marked this pull request as ready for review January 1, 2026 20:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgarske dgarske Awaiting requested review from dgarske

At least 1 approving review is required to merge this pull request.

Assignees

@dgarske dgarske

@aidangarske aidangarske

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aidangarske @dgarske