Fix build for no-wolfcrypt and Infineon-only configs

   - Gate wolfTPM2_FirmwareUpgrade and wolfTPM2_FirmwareUpgradeWithLMS
     declarations with WOLFTPM2_NO_WOLFCRYPT (they use wc_Sha384Hash)
   - Fix unit tests to only call wolfcrypt-dependent firmware functions
     when wolfcrypt is enabled
   - Add unused parameter suppressions in FirmwareUpgradeHashWithLMS
     when ST33 is not enabled (fixes -Werror for SLB9672/SLB9673 builds)

Author: aidangarske

.github/workflows/cmake-build.yml

@@ -22,6 +22,9 @@ jobs:
             options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_MODULE=st33"
           - name: "Module ST33 I2C"
             options: "-DWOLFTPM_INTERFACE=I2C -DWOLFTPM_MODULE=st33"
+          # ST33 Firmware
+          - name: "Module ST33 Firmware"
+            options: "-DWOLFTPM_MODULE=st33 -DWOLFTPM_FIRMWARE=yes"
           # Other modules use SPI
           - name: "Module Microchip"
             options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_MODULE=microchip"

.github/workflows/make-test-swtpm.yml

@@ -66,6 +66,9 @@ jobs:
           # STMicro ST33KTPM2
           - name: st33ktpm2
             wolftpm_config: --enable-st33
+          # STMicro ST33KTPM2
+          - name: st33ktpm2 firmware
+            wolftpm_config: --enable-st33 --enable-firmware --enable-st
           # Microchip
           - name: microchip
             wolftpm_config: --enable-microchip

src/tpm2_wrap.c

@@ -8244,7 +8244,7 @@ static int tpm2_ifx_firmware_start(WOLFTPM2_DEV* dev, TPM_ALG_ID hashAlg,
         }
         if (rc == TPM_RC_SUCCESS) {
             /* delay to give the TPM time to switch modes */
-            XSLEEP_MS(300);
+            tpm2_firmware_sleep_ms(300);
             /* it is not required to release session handle,
              * since TPM reset into firmware upgrade mode */
 
@@ -8359,7 +8359,7 @@ static int tpm2_ifx_firmware_data(WOLFTPM2_DEV* dev,
 
     if (rc == TPM_RC_SUCCESS) {
         /* Give the TPM time to start the new firmware */
-        XSLEEP_MS(300);
+        tpm2_firmware_sleep_ms(300);
 
     #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \
         !defined(WOLFTPM_WINAPI)
@@ -8415,13 +8415,6 @@ static int tpm2_st33_firmware_upgrade_hash(WOLFTPM2_DEV* dev, TPM_ALG_ID hashAlg
 static int tpm2_st33_firmware_cancel(WOLFTPM2_DEV* dev);
 #endif
 
-/* Forward declaration for LMS firmware upgrade hash function */
-int wolfTPM2_FirmwareUpgradeHashWithLMS(WOLFTPM2_DEV* dev, TPM_ALG_ID hashAlg,
-    uint8_t* manifest_hash, uint32_t manifest_hash_sz,
-    uint8_t* manifest, uint32_t manifest_sz,
-    wolfTPM2FwDataCb cb, void* cb_ctx,
-    uint8_t* lms_signature, uint32_t lms_signature_sz);
-
 int wolfTPM2_FirmwareUpgradeHash(WOLFTPM2_DEV* dev, TPM_ALG_ID hashAlg,
     uint8_t* manifest_hash, uint32_t manifest_hash_sz,
     uint8_t* manifest, uint32_t manifest_sz,
@@ -8521,6 +8514,15 @@ int wolfTPM2_FirmwareUpgradeHashWithLMS(WOLFTPM2_DEV* dev, TPM_ALG_ID hashAlg,
             cb, cb_ctx,
             lms_signature, lms_signature_sz);
     }
+#else
+    /* Suppress unused parameter warnings when ST33 is not enabled */
+    (void)hashAlg;
+    (void)manifest_hash;
+    (void)manifest_hash_sz;
+    (void)manifest;
+    (void)manifest_sz;
+    (void)cb;
+    (void)cb_ctx;
 #endif
 
     /* Unsupported manufacturer or LMS not supported */
@@ -8648,6 +8650,12 @@ int wolfTPM2_FirmwareUpgradeCancel(WOLFTPM2_DEV* dev)
 
 /* ST33 uses password auth (TPM_RS_PW) for firmware update, not policy */
 
+/* Helper function to avoid -Wpedantic warning from XSLEEP_MS statement expression */
+static void tpm2_firmware_sleep_ms(uint32_t ms)
+{
+    XSLEEP_MS(ms);
+}
+
 /* Start firmware upgrade (non-LMS): sends manifest (blob0=177 bytes) 
  * via FieldUpgradeStart */
 static int tpm2_st33_firmware_start(WOLFTPM2_DEV* dev,
@@ -8663,7 +8671,7 @@ static int tpm2_st33_firmware_start(WOLFTPM2_DEV* dev,
 
     if (rc == TPM_RC_SUCCESS) {
         /* delay to give the TPM time to switch modes */
-        XSLEEP_MS(300);
+        tpm2_firmware_sleep_ms(300);
 
     #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \
         !defined(WOLFTPM_WINAPI)
@@ -8695,7 +8703,7 @@ static int tpm2_st33_firmware_start_lms(WOLFTPM2_DEV* dev,
 
     if (rc == TPM_RC_SUCCESS) {
         /* delay to give the TPM time to switch modes */
-        XSLEEP_MS(300);
+        tpm2_firmware_sleep_ms(300);
 
     #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \
         !defined(WOLFTPM_WINAPI)
@@ -8814,7 +8822,7 @@ static int tpm2_st33_firmware_data(WOLFTPM2_DEV* dev,
 
     if (rc == TPM_RC_SUCCESS) {
         /* Give the TPM time to process */
-        XSLEEP_MS(300);
+        tpm2_firmware_sleep_ms(300);
 
     #if !defined(WOLFTPM_LINUX_DEV) && !defined(WOLFTPM_SWTPM) && \
         !defined(WOLFTPM_WINAPI)

tests/unit_tests.c

@@ -226,6 +226,8 @@ static void test_wolfTPM2_ST33_FirmwareUpgrade(void)
     WOLFTPM2_DEV dev;
     WOLFTPM2_CAPS caps;
     int lms_state = 0; /* 0=non-LMS (< 512), 1=LMS required (>= 512) */
+    uint8_t dummy_manifest[10] = {0};
+    uint8_t dummy_sig[1] = {0};
 
     /* Initialize TPM */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, NULL);
@@ -249,30 +251,98 @@ static void test_wolfTPM2_ST33_FirmwareUpgrade(void)
     #endif
     }
 
-    /* Test NULL parameter handling */
+    /* ===== Test NULL dev parameter handling ===== */
+
+    /* wolfTPM2_FirmwareUpgradeCancel - NULL dev */
     rc = wolfTPM2_FirmwareUpgradeCancel(NULL);
     AssertIntNE(rc, 0);
 
-    rc = wolfTPM2_FirmwareUpgradeHash(NULL, TPM_ALG_SHA256, NULL, 0, NULL,
+    /* wolfTPM2_FirmwareUpgradeHash - NULL dev */
+    rc = wolfTPM2_FirmwareUpgradeHash(NULL, TPM_ALG_SHA384, NULL, 0, NULL,
         0, NULL, NULL);
     AssertIntNE(rc, 0);
 
-    rc = wolfTPM2_FirmwareUpgradeWithLMS(NULL, NULL, 0, NULL, NULL, NULL, 0);
+    /* wolfTPM2_FirmwareUpgradeHashWithLMS - NULL dev */
+    rc = wolfTPM2_FirmwareUpgradeHashWithLMS(NULL, TPM_ALG_SHA384, NULL, 0,
+        NULL, 0, NULL, NULL, NULL, 0);
+    AssertIntNE(rc, 0);
+
+    /* wolfTPM2_FirmwareUpgradeRecover - NULL dev */
+    rc = wolfTPM2_FirmwareUpgradeRecover(NULL, NULL, 0, NULL, NULL);
     AssertIntNE(rc, 0);
 
 #ifndef WOLFTPM2_NO_WOLFCRYPT
+    /* wolfTPM2_FirmwareUpgrade - NULL dev */
     rc = wolfTPM2_FirmwareUpgrade(NULL, NULL, 0, NULL, NULL);
     AssertIntNE(rc, 0);
 
-    rc = wolfTPM2_FirmwareUpgradeRecover(NULL, NULL, 0, NULL, NULL);
+    /* wolfTPM2_FirmwareUpgradeWithLMS - NULL dev */
+    rc = wolfTPM2_FirmwareUpgradeWithLMS(NULL, NULL, 0, NULL, NULL, NULL, 0);
     AssertIntNE(rc, 0);
-#endif
+#endif /* !WOLFTPM2_NO_WOLFCRYPT */
+
+    /* ===== Test NULL/invalid parameter combinations ===== */
+
+    /* wolfTPM2_FirmwareUpgradeHash - valid dev, NULL manifest */
+    rc = wolfTPM2_FirmwareUpgradeHash(&dev, TPM_ALG_SHA384, NULL, 0, NULL,
+        0, NULL, NULL);
+    AssertIntNE(rc, 0);
+
+    /* wolfTPM2_FirmwareUpgradeHashWithLMS - valid dev, NULL lms_signature */
+    rc = wolfTPM2_FirmwareUpgradeHashWithLMS(&dev, TPM_ALG_SHA384, NULL, 0,
+        NULL, 0, NULL, NULL, NULL, 0);
+    AssertIntNE(rc, 0);
+
+    /* wolfTPM2_FirmwareUpgradeHashWithLMS - valid dev, zero-length lms_signature */
+    rc = wolfTPM2_FirmwareUpgradeHashWithLMS(&dev, TPM_ALG_SHA384, NULL, 0,
+        NULL, 0, NULL, NULL, dummy_sig, 0);
+    AssertIntNE(rc, 0);
+
+    /* wolfTPM2_FirmwareUpgradeRecover - valid dev, NULL manifest */
+    rc = wolfTPM2_FirmwareUpgradeRecover(&dev, NULL, 0, NULL, NULL);
+    AssertIntNE(rc, 0);
+
+    /* wolfTPM2_FirmwareUpgradeCancel - valid dev (may succeed or fail 
+     * depending on TPM state) */
+    rc = wolfTPM2_FirmwareUpgradeCancel(&dev);
+    /* Note: This may return success or error depending on TPM state - 
+     * just verify it doesn't crash */
+    (void)rc;
 
+#ifndef WOLFTPM2_NO_WOLFCRYPT
+    /* wolfTPM2_FirmwareUpgrade - valid dev, NULL manifest */
+    rc = wolfTPM2_FirmwareUpgrade(&dev, NULL, 0, NULL, NULL);
+    AssertIntNE(rc, 0);
+
+    /* wolfTPM2_FirmwareUpgrade - valid dev, NULL callback */
+    rc = wolfTPM2_FirmwareUpgrade(&dev, dummy_manifest, sizeof(dummy_manifest),
+        NULL, NULL);
+    AssertIntNE(rc, 0);
+
+    /* wolfTPM2_FirmwareUpgradeWithLMS - valid dev, NULL lms_signature */
+    rc = wolfTPM2_FirmwareUpgradeWithLMS(&dev, NULL, 0, NULL, NULL, NULL, 0);
+    AssertIntNE(rc, 0);
+
+    /* wolfTPM2_FirmwareUpgradeWithLMS - valid dev, zero-length lms_signature */
+    rc = wolfTPM2_FirmwareUpgradeWithLMS(&dev, NULL, 0, NULL, NULL,
+        dummy_sig, 0);
+    AssertIntNE(rc, 0);
+
+    /* Test ST33-specific path if we have an ST33 TPM */
     if (caps.mfg == TPM_MFG_STM) {
-        rc = wolfTPM2_FirmwareUpgradeWithLMS(&dev, NULL, 0, NULL, NULL, 
-            NULL, 0);
+        /* wolfTPM2_FirmwareUpgradeWithLMS - valid dev with dummy signature 
+         * but NULL manifest */
+        rc = wolfTPM2_FirmwareUpgradeWithLMS(&dev, NULL, 0, NULL, NULL,
+            dummy_sig, sizeof(dummy_sig));
+        AssertIntNE(rc, 0);
+
+        /* wolfTPM2_FirmwareUpgradeWithLMS - valid dev with dummy signature 
+         * but NULL callback */
+        rc = wolfTPM2_FirmwareUpgradeWithLMS(&dev, dummy_manifest,
+            sizeof(dummy_manifest), NULL, NULL, dummy_sig, sizeof(dummy_sig));
         AssertIntNE(rc, 0);
     }
+#endif /* !WOLFTPM2_NO_WOLFCRYPT */
 
     rc = 0;
 

wolftpm/tpm2_types.h

@@ -202,6 +202,35 @@ typedef int64_t  INT64;
         #endif
     #endif
 
+    /* Fallback pragma macros when wolfSSL is not available */
+    #ifndef PRAGMA_GCC_DIAG_PUSH
+        #ifdef __clang__
+            #define PRAGMA_GCC_DIAG_PUSH _Pragma("clang diagnostic push")
+        #elif defined(__GNUC__)
+            #define PRAGMA_GCC_DIAG_PUSH _Pragma("GCC diagnostic push")
+        #else
+            #define PRAGMA_GCC_DIAG_PUSH
+        #endif
+    #endif
+    #ifndef PRAGMA_GCC
+        #ifdef __clang__
+            #define PRAGMA_GCC(str) _Pragma(str)
+        #elif defined(__GNUC__)
+            #define PRAGMA_GCC(str) _Pragma(str)
+        #else
+            #define PRAGMA_GCC(str)
+        #endif
+    #endif
+    #ifndef PRAGMA_GCC_DIAG_POP
+        #ifdef __clang__
+            #define PRAGMA_GCC_DIAG_POP _Pragma("clang diagnostic pop")
+        #elif defined(__GNUC__)
+            #define PRAGMA_GCC_DIAG_POP _Pragma("GCC diagnostic pop")
+        #else
+            #define PRAGMA_GCC_DIAG_POP
+        #endif
+    #endif
+
 #if !defined(WOLFTPM_CUSTOM_STDIO) && !defined(NO_FILESYSTEM)
     /* stdio, default case */
     #define XFILE      FILE*

wolftpm/tpm2_wrap.h

@@ -4154,6 +4154,38 @@ WOLFTPM_API int wolfTPM2_FirmwareUpgradeHash(WOLFTPM2_DEV* dev,
     uint8_t* manifest, uint32_t manifest_sz,
     wolfTPM2FwDataCb cb, void* cb_ctx);
 
+/*!
+    \ingroup wolfTPM2_Wrappers
+    \brief Perform TPM firmware upgrade with pre-computed hash and LMS signature
+    \note For ST33KTPM devices with firmware version >= 512, LMS signature required
+    \note This function accepts pre-computed manifest hash (no wolfCrypt needed)
+
+    \return TPM_RC_SUCCESS: successful
+    \return TPM_RC_FAILURE: generic failure (check TPM IO and TPM return code)
+    \return BAD_FUNC_ARG: check the provided arguments
+
+    \param dev pointer to a TPM2_DEV struct
+    \param hashAlg hash algorithm used (TPM_ALG_SHA384 or TPM_ALG_SHA512)
+    \param manifest_hash pre-computed manifest hash
+    \param manifest_hash_sz size of manifest hash
+    \param manifest pointer to firmware manifest data
+    \param manifest_sz size of firmware manifest
+    \param cb callback function for firmware data access
+    \param cb_ctx context pointer passed to callback
+    \param lms_signature pointer to LMS signature data
+    \param lms_signature_sz size of LMS signature
+
+    \sa wolfTPM2_FirmwareUpgradeHash
+    \sa wolfTPM2_FirmwareUpgradeWithLMS
+*/
+WOLFTPM_API int wolfTPM2_FirmwareUpgradeHashWithLMS(WOLFTPM2_DEV* dev,
+    TPM_ALG_ID hashAlg,
+    uint8_t* manifest_hash, uint32_t manifest_hash_sz,
+    uint8_t* manifest, uint32_t manifest_sz,
+    wolfTPM2FwDataCb cb, void* cb_ctx,
+    uint8_t* lms_signature, uint32_t lms_signature_sz);
+
+#ifndef WOLFTPM2_NO_WOLFCRYPT
 /*!
     \ingroup wolfTPM2_Wrappers
     \brief Perform TPM firmware upgrade
@@ -4202,6 +4234,7 @@ WOLFTPM_API int wolfTPM2_FirmwareUpgradeWithLMS(WOLFTPM2_DEV* dev,
     uint8_t* manifest, uint32_t manifest_sz,
     wolfTPM2FwDataCb cb, void* cb_ctx,
     uint8_t* lms_signature, uint32_t lms_signature_sz);
+#endif /* !WOLFTPM2_NO_WOLFCRYPT */
 
 /*!
     \ingroup wolfTPM2_Wrappers