IDevID: allow using pre-computed auth values #803
Open
rizlik wants to merge 8 commits into
Pull request overview
This PR adds a build-time option to support TPM manufacturing identity (IAK/IDevID) authorization using precomputed per-device authValues (default) instead of always deriving authValues on-device from a shared master secret.
Changes:
- Introduces WOLFBOOT_TPM_MFG_AUTH_DERIVE make/config option and plumbs it through build configuration.
- Updates TPM MFG identity paths to either derive authValues on-device (existing behavior) or set precomputed authValues directly into TPM handles.
- Documents the two modes and adds an STM32H5 TZ example config enabling derive mode for sample TPM usage.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tools/config.mk | Adds WOLFBOOT_TPM_MFG_AUTH_DERIVE default and exports it via CONFIG_VARS. |
| options.mk | Adds -DWOLFBOOT_TPM_MFG_AUTH_DERIVE when the option is enabled. |
| src/tpm.c | Implements derive vs precomputed authValue handling for AIK and EH authorization. |
| include/tpm.h | Adds MFG identity auth provisioning macros and documentation for both modes. |
| docs/TPM.md | Documents the new option and explains precomputed vs derive provisioning modes. |
| config/examples/stm32h5-tz-tpm-mfgid.config | New example enabling TPM MFG identity on STM32H5, with derive mode for sample devices. |
Allow either using a master different from the sample one or directly using the pre-computed per-device auth values for EH and AIK. Using the per-device value is preferred as it doesn't expose the auth value of the sibling devices in the same fleet.
9dd326b to
dd4387e
dgarske approved these changes Jun 17, 2026
dgarske reviewed Jun 17, 2026
dgarske (Member) left a comment
Skoll Multi-Scan Review
Modes: review + review-security
Overall recommendation: COMMENT
Findings: 8 total — 7 posted, 1 skipped
5 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [Medium] [review] New default (precomputed) authValue path has no build/CI coverage — src/tpm.c:1372-1385
- [Medium] [review] masterPassword parameter has overloaded semantics based on a compile-time macro — src/tpm.c:1348-1388
- [Low] [review-security] Master secret on stack not zeroized after use in derive mode — src/tpm.c:1394-1418
- [Low] [review+review-security] Typo 'wolfBott_tpm2_get_aik' in new header comment — include/tpm.h:70
- [Low] [review] Trailing whitespace on added lines — include/tpm.h:69, docs/TPM.md:35, docs/TPM.md:40
- [Low] [review] Duplicated authValue-into-handle copy; EH bounds check is a compile-time constant — src/tpm.c:1380-1384, src/tpm.c:1421-1426
- [Info] [review-security] Default MFG identity mode change: builds relying on the sample master now fail TPM auth until provisioned — src/tpm.c:1363-1387
Skipped findings
- [Low] Derive mode embeds a reel-wide shared master secret in firmware (enabled by the new example config)
Review generated by Skoll
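Two of the findings listed above, the master secret left on the stack in derive mode and the duplicated authValue-into-handle copy, shown together as an added C example; it is not code from this pull request or from the project. `auth_slot`, `AUTH_MAX`, `secure_zero`, `set_handle_auth`, `sample_derive` and `derive_and_set` are hypothetical names, and `sample_derive` is a constructed placeholder, not a real KDF and not the project's derivation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define AUTH_MAX 32  /* assumed capacity of the auth buffer */
/* Hypothetical stand-in for a handle's auth field (not the project's type). */
typedef struct { uint16_t size; uint8_t buffer[AUTH_MAX]; } auth_slot;

/* Volatile stores: the wipe cannot be dropped as a dead write. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Single run-time bounds-checked copy shared by the EH and AIK paths. */
static int set_handle_auth(auth_slot *slot, const uint8_t *auth, size_t len)
{
    if (!slot || !auth || len == 0 || len > sizeof(slot->buffer)) return -1;
    memcpy(slot->buffer, auth, len);
    slot->size = (uint16_t)len;
    return 0;
}

/* Constructed placeholder, NOT a KDF and not the project's derivation. */
static void sample_derive(const uint8_t *m, size_t n, uint8_t tag, uint8_t *out)
{
    for (size_t i = 0; i < AUTH_MAX; i++)
        out[i] = (uint8_t)(m[i % n] ^ tag ^ (uint8_t)i);
}

/* Derive-mode flow: both stack secrets are wiped before returning. */
static int derive_and_set(auth_slot *slot, const uint8_t *src, size_t n, uint8_t tag)
{
    uint8_t master[AUTH_MAX], derived[AUTH_MAX];
    int ret;
    if (!src || n == 0 || n > sizeof(master)) return -1; /* nothing copied yet */
    memcpy(master, src, n);
    sample_derive(master, n, tag, derived);
    ret = set_handle_auth(slot, derived, sizeof(derived));
    secure_zero(master, sizeof(master));   /* runs on success and on failure */
    secure_zero(derived, sizeof(derived));
    return ret;
}

int main(void)
{
    const uint8_t master[4] = {0xAA, 0xBB, 0xCC, 0xDD}; /* constructed sample */
    auth_slot eh = {0};
    return derive_and_set(&eh, master, sizeof(master), 0x01);
}
```

In the precomputed mode only `set_handle_auth` would be needed, so no master secret reaches the device at all.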
ZD#21988