@avrabe avrabe commented Jan 24, 2026

Summary

  • Add Tpm2Provider for hardware-backed ECDSA P-256 signing via TPM 2.0
  • Add WIT runtime (wsc:crypto) for hosting WASM components with hardware crypto
  • Add CI workflow for TPM2 tests with swtpm simulator

TPM2 Provider

  • Platform-gated: Linux and Windows only (macOS excluded - no TPM2 hardware)
  • Uses tss-esapi crate (v7) for TSS2 API
  • Auto-detects TCTI: /dev/tpmrm0, /dev/tpm0, Windows TBS, or TPM2_TCTI env var
  • ECDSA P-256 with proper DER signature encoding
  • Tests require swtpm simulator (run automatically in CI)

WIT Runtime

  • wsc:crypto/hardware-signing WIT interface for opaque key handle operations
  • CryptoHostState<P> bridges WIT to any SecureKeyProvider implementation
  • WscRuntime<P> for loading and running WASM components
  • Enables WASM components to use hardware crypto without exposing keys

Test plan

  • Builds on macOS (TPM2 module excluded)
  • Builds on Linux/Windows with --features tpm2
  • TPM2 tests pass with swtpm (CI will verify)
  • WIT runtime tests pass
  • Existing tests still pass

avrabe and others added 7 commits January 24, 2026 13:20

TPM2 Provider (Linux/Windows):
- Implement Tpm2Provider with ECDSA P-256 signing
- Auto-detect TCTI (device, resource manager, TBS, swtpm)
- Platform-gated compilation (excluded on macOS)
- DER signature encoding for p256 crate compatibility
- Comprehensive tests (require swtpm simulator)

WIT Runtime (wasmtime integration):
- Add wsc:crypto WIT interface for hardware signing
- Implement CryptoHostState bridging WIT to SecureKeyProvider
- WscRuntime for hosting WASM components with hardware crypto
- Support for key generation, signing, verification via opaque handles

CI:
- Add GitHub Actions workflow for TPM2 tests with swtpm
- Compile checks for macOS and Windows

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Replace WSError::HardwareNotAvailable with WSError::HardwareError
- Use NetworkTPMConfig instead of SwtpmConfig for swtpm connection
- Use PublicKey::try_from for ECC public key extraction instead of
  matching on PublicKeyUnion
- Implement load_key method (returns KeyNotFound for now)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Replace as_bytes() with value() for EccParameter
- Replace WSError::InvalidSignature with InvalidKeyHandle/VerificationError
- Use ctx.hash() to get Digest and HashcheckTicket for signing
- Remove unused sha2::Digest import
- Import MaxBuffer for hash data buffer

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Wrap TPM operations with execute_with_nullauth_session to provide
necessary authorization context for:
- create_primary (key generation)
- hash and sign operations

This fixes the "Not enough sessions provided for the command"
error (0x0007000b) when running with swtpm simulator.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The tss-esapi crate doesn't have pre-generated bindings for Windows
x86_64, causing CI failure. Windows TPM support would require a
different implementation using the TBS (TPM Base Services) API.

Changes:
- Update Cargo.toml target to cfg(target_os = "linux") only
- Update platform/mod.rs cfg guards to Linux-only
- Update platform/tpm2.rs documentation
- Update CI workflow with explanatory comments

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
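
The "DER signature encoding" step named in the summary and the first commit, as an added example that is not code from this pull request: a TPM returns an ECDSA signature as two separate big-endian values r and s, and DER needs each as a minimal signed INTEGER inside a SEQUENCE. The function names and sample values are assumptions made for illustration.

```rust
// Added example (not the project's code): DER-encode an ECDSA P-256 signature
// from the raw big-endian r and s values that a TPM returns.

/// Encode one unsigned big-endian integer as a DER INTEGER (tag 0x02).
fn der_integer(raw: &[u8]) -> Vec<u8> {
    // DER requires the minimal encoding, so leading zero bytes are dropped...
    let first = raw.iter().position(|&b| b != 0).unwrap_or(raw.len());
    let mut body = raw[first..].to_vec();
    if body.is_empty() {
        body.push(0); // the value zero is encoded as a single 0x00
    }
    // ...but INTEGER is signed, so a set top bit needs a 0x00 prefix,
    // otherwise a verifier would read the value as negative.
    if body[0] & 0x80 != 0 {
        body.insert(0, 0);
    }
    let mut out = vec![0x02, body.len() as u8];
    out.extend(body);
    out
}

/// Build SEQUENCE { INTEGER r, INTEGER s } for a P-256 signature.
/// Hypothetical helper name; inputs longer than 32 bytes are rejected.
fn ecdsa_p256_raw_to_der(r: &[u8], s: &[u8]) -> Result<Vec<u8>, &'static str> {
    if r.is_empty() || s.is_empty() || r.len() > 32 || s.len() > 32 {
        return Err("r and s must be 1..=32 bytes for P-256");
    }
    let (ri, si) = (der_integer(r), der_integer(s));
    // Content is at most 2 * (2 + 33) = 70 bytes, so the short length form fits.
    let mut der = vec![0x30, (ri.len() + si.len()) as u8];
    der.extend(ri);
    der.extend(si);
    Ok(der)
}

fn main() {
    // Constructed sample values, not real TPM output.
    let mut r = [0u8; 32];
    r[0] = 0x80; // top bit set: needs a 0x00 pad byte
    let mut s = [0u8; 32];
    s[31] = 0x01; // 31 leading zeros: must be trimmed
    let der = ecdsa_p256_raw_to_der(&r, &s).unwrap();
    println!("{} bytes: {:02x?}", der.len(), der);
}
```

Encoding is not validation: this produces well-formed DER for any in-range r and s, and the verifier still has to reject values outside the curve order.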