An integration guide for rpi4 and Infineon SLB9672/0 with uboot boot-loader and wolfTPM using hardware SPI

aidangarske/rpi4-wolftpm-uboot

wolfTPM on U-Boot for Raspberry Pi 4

This guide provides instructions for running wolfTPM on U-Boot with a Raspberry Pi 4 and Infineon SLB9670/SLB9672 TPM 2.0 module.

Overview

What this provides:

  • TPM 2.0 support in U-Boot bootloader (before Linux boots)
  • Hardware SPI communication with Infineon TPM modules
  • Full wolfTPM command suite including firmware update capability
  • Measured boot and PCR operations at boot time

Why use wolfTPM in U-Boot?

  • Establish root of trust before OS loads
  • Extend PCRs with boot measurements
  • Verify firmware integrity at earliest boot stage
  • Update TPM firmware without a running OS

Hardware Requirements

Component       Description
Raspberry Pi 4  Model B (any RAM size)
TPM Module      Infineon SLB9670 or SLB9672 HAT
MicroSD Card    8GB+ recommended
Power Supply    Official RPi 5V/3A USB-C
Serial Adapter  USB-to-TTL 3.3V (recommended for debugging)

Tested TPM HATs:

  • LetsTrust TPM (SLB9670/SLB9672)
  • Infineon OPTIGA TPM SLB9670 Evaluation Board
  • Infineon IRIDIUM9670 TPM2.0

Pin Mapping (SPI0 CE1):

Signal  GPIO    Pin
SCLK    GPIO11  23
MOSI    GPIO10  19
MISO    GPIO9   21
CE1     GPIO7   26

Quick Start

1. Clone and Build U-Boot

# Clone the U-Boot fork with wolfTPM support
git clone https://github.com/aidangarske/u-boot.git
cd u-boot
git checkout rpi4-wolftpm-uboot

# Initialize wolfTPM submodule
git submodule update --init lib/wolftpm

# Set up cross-compiler (install aarch64-elf- toolchain first)
export CROSS_COMPILE=aarch64-elf-
export ARCH=arm64

# Build for Raspberry Pi 4
make rpi_4_defconfig
make -j$(nproc)

2. Prepare SD Card

# Mount your RPi SD card (adjust path as needed)
# macOS example:
cp u-boot.bin /Volumes/bootfs/

# Linux example:
sudo cp u-boot.bin /boot/firmware/

3. Configure Boot

Edit /boot/firmware/config.txt (or copy from configs/config.txt):

# Enable UART for serial console
enable_uart=1

# Boot U-Boot instead of Linux
kernel=u-boot.bin

# 64-bit mode
arm_64bit=1

# Enable SPI for TPM
dtparam=spi=on

# TPM overlay (SPI0 CE1)
dtoverlay=tpm-slb9670

4. Configure Graphical Desktop Boot (Optional)

By default, U-Boot uses a Device Tree Blob (DTB) that doesn't include the VC4 graphics driver needed for the graphical desktop. To boot into the Raspberry Pi OS desktop (GUI), you need to use a DTB with VC4 support.

Option A: Use Pre-built VC4 DTB (Recommended)

Copy the provided files to your SD card:

# Copy the VC4-enabled DTB
sudo cp boot/bcm2711-rpi-4-b-vc4.dtb /boot/firmware/

# Create extlinux directory and copy config
sudo mkdir -p /boot/firmware/extlinux
sudo cp boot/extlinux/extlinux.conf /boot/firmware/extlinux/

The extlinux.conf tells U-Boot to use the VC4 DTB:

TIMEOUT 30
DEFAULT linux
MENU TITLE Raspberry Pi 4 Boot Menu

LABEL linux
    MENU LABEL Raspberry Pi OS
    KERNEL /kernel8.img
    FDT /bcm2711-rpi-4-b-vc4.dtb
    APPEND console=serial0,115200 console=tty1 root=PARTUUID=<your-partuuid> rootfstype=ext4 fsck.repair=yes rootwait

Note: Update the PARTUUID to match your SD card. Find it with:

sudo blkid | grep mmcblk0p2

Option B: Create VC4 DTB Yourself

If you prefer to create the DTB yourself, use fdtoverlay to merge the VC4 overlay with the base DTB:

# Install device tree compiler if needed
sudo apt-get install device-tree-compiler

# Create the VC4-enabled DTB by merging the overlay
sudo fdtoverlay -i /boot/firmware/bcm2711-rpi-4-b.dtb \
    -o /boot/firmware/bcm2711-rpi-4-b-vc4.dtb \
    /boot/firmware/overlays/vc4-kms-v3d.dtbo

# Then create extlinux.conf as shown above

Why is this needed?

When U-Boot boots Linux, it passes the Device Tree to the kernel. The standard bcm2711-rpi-4-b.dtb doesn't include the VC4 KMS (Kernel Mode Setting) driver configuration that Raspberry Pi OS expects for graphical output. Without it, the system boots to a command line only.

The bcm2711-rpi-4-b-vc4.dtb includes the VC4 graphics driver, enabling:

  • HDMI display output
  • Desktop environment (LXDE/Wayland)
  • Hardware-accelerated graphics

5. Boot and Test

Connect serial console (115200 baud) and power on:

U-Boot> tpm2 autostart
TPM2: Caps 0x30000697
TPM2_Startup pass
TPM2_SelfTest pass

U-Boot> tpm2 caps
Mfg IFX (1), Vendor SLB9672, Fw 16.13 (0x4545), FIPS 140-2 1, CC-EAL4 1

Building the Cross-Compiler

macOS (via Homebrew)

brew install --cask gcc-aarch64-embedded
# or
brew tap ArmMbed/homebrew-formulae
brew install aarch64-none-elf-gcc

Ubuntu/Debian

sudo apt-get install gcc-aarch64-linux-gnu
export CROSS_COMPILE=aarch64-linux-gnu-

From ARM Website

Download from ARM Developer:

  • AArch64 ELF bare-metal target (aarch64-none-elf)

wolfTPM Commands

Basic Operations

# Initialize and start TPM
tpm2 autostart

# Show TPM information
tpm2 info
tpm2 caps

# Run self-test
tpm2 self_test full

PCR Operations

# Read PCR 0 (SHA256)
tpm2 pcr_read 0 0x1000000 SHA256

# Extend PCR with measurement
tpm2 pcr_extend 0 0x1000000 SHA256

# Print all PCR values
tpm2 pcr_print
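The value `tpm2 pcr_read` reports after boot only means something if you can compute what it should be. The Python below is an added example (not code from this repository, U-Boot or wolfTPM) that replays the TPM2_PCR_Extend arithmetic for the SHA256 bank, PCR_new = SHA256(PCR_old || digest), over a list of boot images and compares the result with the hex string copied from the console; the two image contents are constructed sample data standing in for u-boot.bin and kernel8.img.

```python
import hashlib
from typing import List

PCR_INIT = bytes(32)  # PCRs 0-15 read as all zeros after TPM2_Startup(CLEAR)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend in the SHA256 bank: PCR_new = SHA256(PCR_old || digest)."""
    if len(pcr) != 32 or len(digest) != 32:
        raise ValueError("SHA256 bank expects a 32-byte PCR and a 32-byte digest")
    return hashlib.sha256(pcr + digest).digest()


def measure(image: bytes) -> bytes:
    """U-Boot's 'tpm2 pcr_extend' takes the address of a digest, not of the raw
    image, so the image is hashed first; this mirrors that step."""
    return hashlib.sha256(image).digest()


def expected_pcr(images: List[bytes]) -> bytes:
    """Replay a measurement log: extend a zeroed PCR with each image digest in order."""
    pcr = PCR_INIT
    for image in images:
        pcr = pcr_extend(pcr, measure(image))
    return pcr


def pcr_matches(pcr_read_hex: str, images: List[bytes]) -> bool:
    """Compare the hex copied from 'tpm2 pcr_read' with the replayed value.
    Whitespace and letter case in the console output are ignored."""
    seen = bytes.fromhex("".join(pcr_read_hex.split()))
    return seen == expected_pcr(images)


# Constructed sample images; real use would hash the files on the SD card.
SAMPLE_UBOOT = b"constructed u-boot.bin contents"
SAMPLE_KERNEL = b"constructed kernel8.img contents"

if __name__ == "__main__":
    golden = expected_pcr([SAMPLE_UBOOT, SAMPLE_KERNEL])
    print("expected PCR0 (SHA256):", golden.hex())
    # A modified kernel, or the same images extended in another order, changes PCR0.
    print("tampered kernel matches:",
          pcr_matches(golden.hex(), [SAMPLE_UBOOT, SAMPLE_KERNEL + b"x"]))
```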

Security Management

# Clear TPM (requires LOCKOUT auth)
tpm2 clear TPM2_RH_LOCKOUT

# Reset Dictionary Attack counter
tpm2 dam_reset

# Set DAM parameters
tpm2 dam_parameters 3 10 0

Firmware Update (Infineon Only)

See docs/FIRMWARE_UPDATE.md for detailed instructions.

# Load manifest and firmware from SD card
fatload mmc 0:1 0x10000000 manifest.bin
fatload mmc 0:1 0x10100000 firmware.bin

# Perform update (CAUTION!)
tpm2 firmware_update 0x10000000 0xC9D 0x10100000 0xE1F63
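Because `tpm2 firmware_update` rewrites the TPM's own firmware, it is worth gating on what `tpm2 caps` reported in step 5 before issuing it. The Python below is an added example, not code from this repository or wolfTPM: it parses a caps line in the format shown above and only approves the update when the manufacturer is IFX, the vendor string matches the module the image was built for, and the image version (assumed to be known from the firmware package) is newer than the installed one.

```python
import re
from typing import Dict, Optional, Tuple

# Shape of the 'tpm2 caps' line printed by this U-Boot fork, e.g.
# "Mfg IFX (1), Vendor SLB9672, Fw 16.13 (0x4545), FIPS 140-2 1, CC-EAL4 1"
CAPS_RE = re.compile(
    r"Mfg (?P<mfg>\w+) \((?P<mfg_id>\d+)\), Vendor (?P<vendor>[^,]+), "
    r"Fw (?P<fw_major>\d+)\.(?P<fw_minor>\d+) \((?P<fw_hex>0x[0-9A-Fa-f]+)\), "
    r"FIPS 140-2 (?P<fips>[01]), CC-EAL4 (?P<cc>[01])"
)


def parse_caps(line: str) -> Optional[Dict[str, object]]:
    """Parse one 'tpm2 caps' line; returns None for any other console line."""
    m = CAPS_RE.search(line.strip())
    if not m:
        return None
    return {
        "mfg": m["mfg"],
        "vendor": m["vendor"],
        "fw": (int(m["fw_major"]), int(m["fw_minor"])),
        "fw_hex": m["fw_hex"],
        "fips": m["fips"] == "1",
        "cc_eal4": m["cc"] == "1",
    }


def firmware_update_preflight(caps_line: str, expected_vendor: str,
                              image_fw: Tuple[int, int]) -> Tuple[bool, str]:
    """Return (ok, reason). image_fw is the (major, minor) version the update
    image carries; refuse when it is not newer than the installed firmware."""
    caps = parse_caps(caps_line)
    if caps is None:
        return False, "could not parse tpm2 caps output"
    if caps["mfg"] != "IFX":
        return False, "manufacturer %s is not Infineon; firmware_update is Infineon-only" % caps["mfg"]
    if caps["vendor"] != expected_vendor:
        return False, "module is %s, image is for %s" % (caps["vendor"], expected_vendor)
    if caps["fw"] >= image_fw:
        return False, "installed firmware %d.%d is not older than image %d.%d" % (caps["fw"] + image_fw)
    return True, "ok"


if __name__ == "__main__":
    line = "Mfg IFX (1), Vendor SLB9672, Fw 16.13 (0x4545), FIPS 140-2 1, CC-EAL4 1"
    print(parse_caps(line))
    print(firmware_update_preflight(line, "SLB9672", (16, 14)))
```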

Serial Console Setup

For debugging, connect a USB-to-TTL serial adapter:

Adapter  RPi Pin  GPIO
TX       Pin 10   GPIO15 (RXD)
RX       Pin 8    GPIO14 (TXD)
GND      Pin 6    GND

Terminal settings: 115200 baud, 8N1

macOS:

screen /dev/tty.usbserial-* 115200

Linux:

screen /dev/ttyUSB0 115200
# or
minicom -D /dev/ttyUSB0 -b 115200

Unit Tests

Run the built-in unit tests to verify functionality:

U-Boot> ut cmd wolftpm
# Runs all wolfTPM command tests

Individual tests:

U-Boot> ut cmd cmd_test_wolftpm_autostart
U-Boot> ut cmd cmd_test_wolftpm_caps
U-Boot> ut cmd cmd_test_wolftpm_pcr_read

Troubleshooting

See docs/TROUBLESHOOTING.md for common issues.

Quick checks:

  • Verify TPM HAT is properly seated
  • Check dtoverlay=tpm-slb9670 in config.txt
  • Ensure dtparam=spi=on is set
  • Try tpm2 info to check SPI communication

Project Structure

rpi4-wolftpm-uboot/
├── README.md                 # This file
├── LICENSE                   # Apache 2.0
├── boot/
│   ├── bcm2711-rpi-4-b-vc4.dtb  # DTB with VC4 graphics for GUI boot
│   └── extlinux/
│       └── extlinux.conf    # U-Boot boot configuration
├── configs/
│   ├── config.txt           # Boot config for /boot/firmware/
│   └── rpi_4_defconfig      # Reference U-Boot defconfig
├── overlays/
│   └── tpm-slb9670.dts      # Device tree overlay source
├── firmware/
│   └── README.md            # Firmware file information
└── docs/
    ├── TROUBLESHOOTING.md   # Common issues and solutions
    ├── TESTING.md           # Test procedures
    └── FIRMWARE_UPDATE.md   # Firmware update guide

Related Links

License

This guide is licensed under Apache 2.0. See LICENSE for details.

The U-Boot fork maintains U-Boot's original GPL-2.0 license. wolfTPM is licensed under GPL-2.0.

Contributing

Contributions welcome! Please open issues or pull requests on:
