TPM device support

[itsManjeet]

Hi Team,

We’re exploring how to integrate TPM (Trusted Platform Module) capabilities into libspdm.
The goal is to enable libspdm to perform signing, verification, measurement collection, and certificate retrieval directly through a TPM device node.

This work is still experimental — at this stage, we aim to understand how to structure and align TPM-related APIs within libspdm’s architecture.

---

Current Work

PR - #3285 and DMTF/spdm-emu#436

We’ve introduced a preliminary implementation under:

os_stub/spdm_device_secret_lib_tpm/

that can be enabled via CMake option -D DEVICE=tpm

and TPM specific implementation in

os_stub/spdm_device_secret_lib_tpm/crypto_stub.c

This is currently a sample TPM device stub, not a complete implementation.
It serves as a scaffold to evaluate how TPM-backed operations can integrate with libspdm’s existing cryptographic and platform layers.

We are currently assessing where these new APIs should live and how to interface with existing components:

• Should TPM API hooks at crypto_stub.c remain under os_stub/spdm_device_secret_lib_tpm only, or integrate into:

  • cryptlib_openssl/
  • openssl/
    or may be
  • platform_lib/

for following TPM APIs implementation

• void libspdm_tpm_device_init();
• bool libspdm_tpm_get_private_key(const char *handle, void **context);
• bool libspdm_tpm_get_public_key(const char* handle, void **context);
• bool libspdm_tpm_get_measurement(...);

and since openssl APIs for EC are provider aware we can use context directly with spdm crypto libraries eg libspdm_req_asym_sign_hash like one implemented in os_stub/spdm_device_secret_lib_tpm/sign.c

[steven-bellock]

As discussed in the meeting, it is fine to make it OpenSSL-specific for now. Later on we can make the code more generic if needed.