@@ -1933,6 +1933,14 @@ typedef int (*TPM2HalIoCb)(struct TPM2_CTX*, const BYTE* txBuf, BYTE* rxBuf,
19331933 UINT16 xferSz , void * userCtx );
19341934#endif
19351935
1936+ /* Use local wolfCrypt RNG for nonce generation by default.
1937+ * This is recommended because nonces generated via TPM2_GetRandom travel over
1938+ * the SPI/I2C bus unprotected (no session exists yet), making them vulnerable
1939+ * to physical bus tampering (e.g., an attacker driving MISO to force a known
1940+ * nonce value). A known nonceCaller combined with an unsalted session allows
1941+ * full session compromise. Even with a salted session, it violates the TPM 2.0
1942+ * spec assumption that nonces are unpredictable (Part 1, Section 19.6).
1943+ * Only define WOLFTPM2_USE_HW_RNG if the bus is physically secure. */
19361944#if !defined(WOLFTPM2_NO_WOLFCRYPT ) && !defined(WC_NO_RNG ) && \
19371945 !defined(WOLFTPM2_USE_HW_RNG )
19381946 #define WOLFTPM2_USE_WOLF_RNG
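Review bot: The new comment tells readers to define WOLFTPM2_USE_HW_RNG only when the bus is physically secure, but the `#if` on the two lines below also leaves WOLFTPM2_USE_WOLF_RNG undefined when WOLFTPM2_NO_WOLFCRYPT or WC_NO_RNG is set, so those builds presumably end up on the TPM-RNG path without anyone opting in. The comment should say so, e.g. add ` * Builds with WOLFTPM2_NO_WOLFCRYPT or WC_NO_RNG also fall back to the TPM RNG and carry the same bus exposure.` before the `#if`, and a `#warning` in that configuration would make the silent fallback visible at build time if the project's conventions allow it. The WARNING text in the "Generate a fresh nonce" doc block in the second hunk (@@ -3596) has the same gap, naming only WOLFTPM2_USE_HW_RNG. I can't see the fallback implementation from here, so the behaviour of the non-wolfCrypt configurations should be confirmed before wording it.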
@@ -3596,8 +3604,10 @@ WOLFTPM_API TPMI_ALG_HASH TPM2_GetTpmHashType(int hashType);
35963604 \ingroup TPM2_Proprietary
35973605 \brief Generate a fresh nonce of random numbers
35983606 \note Can use the TPM random number generator if WOLFTPM2_USE_HW_RNG is defined.
3599- To force use of the TPM's RNG use WOLFTPM2_USE_HW_RNG. Please make sure you
3600- have parameter encryption enabled to protect the RNG data over the bus.
3607+ WARNING: Using WOLFTPM2_USE_HW_RNG exposes nonces to physical bus tampering
3608+ (SPI/I2C). An attacker with bus access can force a known nonce, which
3609+ combined with an unsalted session enables full session compromise. Use the
3610+ default local wolfCrypt RNG unless the bus is physically secure.
36013611
36023612 \return TPM_RC_SUCCESS: successful
36033613 \return TPM_RC_FAILURE: generic failure (TPM IO issue or wolfcrypt configuration)