U-Boot support for wolfTPM and firmware update for SLB9672/SLB9673
David Garske
david at wolfssl.com
Fri May 30 21:45:57 CEST 2025
Hi Ilias,
Thank you for the reply. I totally understand about being busy! There is nothing specific to discuss at this point. I’ll reach out again soon with the proposed u-boot wolfTPM patches.
Thanks,
David Garske
Software Engineer, wolfSSL
+1 (530) 409-2990
https://www.wolfssl.com
https://github.com/wolfssl
> On May 30, 2025, at 12:32 AM, Ilias Apalodimas <ilias.apalodimas at linaro.org> wrote:
>
> Hi David,
>
> On Wed, 21 May 2025 at 20:12, David Garske <david at wolfssl.com> wrote:
>>
>> Hi Ilias,
>>
>> Thank you! It’s a pleasure to meet you! I’m the author and maintainer of wolfTPM.
>>
>> Perhaps it would be useful to meet and chat for a bit? Are you free next week May 28th at 7:30 AM PT?
>>
>> I loved the feedback from Simon Glass and we will be implementing those and suggesting a new patch soon.
>
> I am a bit overloaded. Is there anything specific you would like to discuss?
>
> Thanks
> /Ilias
>>
>> Thanks,
>> David Garske
>> Software Engineer, wolfSSL
>> +1 (530) 409-2990
>> https://www.wolfssl.com
>> https://github.com/wolfssl
>>
>> On May 19, 2025, at 1:52 AM, Ilias Apalodimas <ilias.apalodimas at linaro.org> wrote:
>>
>> On Fri, 9 May 2025 at 18:43, David Garske <david at wolfssl.com> wrote:
>>
>>
>> Hi Ilias,
>>
>> Thank you for the quick reply. I am happy that you will consider wolfTPM as a submodule. We have 100’s of commercial customers and it is very actively maintained. In fact we will continue to provide direct maintenance for any u-boot issues that come up using wolfTPM. Also we’ve done safety critical DO-178 certification on wolfTPM.
>>
>> 1) U-Boot subsystem maintainers. Can you point me to that list of maintainers?
>>
>>
>> it's in MAINTAINERS. I am responsible for TPM
>>
>> 2) Size: I haven’t run any size comparisons but I expect to be in line with existing code. I will make sure we run some comparisons.
>> 3) Releases: Yes we have stable releases done each quarter. I am about to do a release v3.9.0 next week that includes the U-boot support, so I will update the submodule to use the tagged release when it’s ready.
>> 4) CVE: Yes we track and create CVEs if we find issues or any are reported. We typically have a fix posted within 36 hours of a report. Vulnerabilities are published in the release notes and for our premium support customers they get early notification.
>> 5) Patch Size: I will work on reducing the changes and splitting them into logical commits.
>>
>> Enjoy your time away. I’ll have updates to share soon.
>>
>>
>> Thanks
>> /Ilias
>>
>>
>> Thanks,
>> David Garske
>> Software Engineer, wolfSSL
>> +1 (530) 409-2990
>> https://www.wolfssl.com
>> https://github.com/wolfssl
>>
>> On May 9, 2025, at 5:22 AM, Ilias Apalodimas <ilias.apalodimas at linaro.org> wrote:
>>
>> Hi David
>>
>> Hi Denx,
>>
>> We at wolfSSL have developed a port for wolfTPM in U-Boot. The patch allows using the current built-in TPM 2.0 support or switching to wolfTPM via CONFIG_TPM_WOLF=y. It also supports TPM 2.0 firmware update for the Infineon SLB9672 and SLB9673.
>>
>> I think there is probably some more cleanup and testing needed, but I wanted to submit this to start the discussion and see your thoughts.
>>
>>
>> It's easier if you CC the appropriate maintainers for each subsystem next
>> time!
>>
>>
>> The wolfTPM library is GPLv2 and added as a submodule. If the license or submodule is an issue let’s discuss! I’m positive we can resolve anything.
>>
>>
>> We recently added a few external libraries. mbedTLS and lwIP. Both of these
>> are pulled as subtrees, so I'd like to stick to that.
>>
>> I briefly went through the patch and I don't disagree in pulling an
>> external library as long as it's reasonably stable and will continue
>> to be maintained. A few questions since I am not familiar with wolfTPM
>>
>> - Have you made any size comparisons wrt to the final binary size?
>> - Does wolfTPM have stable releases that we can use?
>> - Is there a CVE policy?
>>
>> The current patch is quite big and I honestly don't have time to go
>> through all of it in detail. I'll be away next week, but I can give some
>> general feedback in ~10 days. The easiest thing to do is try to split it
>> into a reasonable amount of patches -- and only include the bare minimum of what's
>> required to work.
>>
>> Thanks
>> /Ilias
>>
>>
>> Attached is the patch based on latest master 3b6760ddeb4 to review.
>>
>>
>> Thanks,
>> David Garske
>> Software Engineer, wolfSSL
>> +1 (530) 409-2990
>> https://www.wolfssl.com
>> https://github.com/wolfssl
>>
>>
>>
>>