@@ -1933,6 +1933,15 @@ typedef int (*TPM2HalIoCb)(struct TPM2_CTX*, const BYTE* txBuf, BYTE* rxBuf,
19331933 UINT16 xferSz , void * userCtx );
19341934#endif
19351935
1936+ /* Use local wolfCrypt RNG for nonce generation by default.
1937+ * This is recommended because nonces generated via TPM2_GetRandom travel over
1938+ * the SPI/I2C bus unprotected (no session exists yet), making them vulnerable
1939+ * to physical bus tampering (e.g., an attacker driving MISO to force a known
1940+ * nonce value). A known or attacker-controlled nonceCaller in an unsalted
1941+ * session can undermine session security and enable active manipulation.
1942+ * Even with a salted session, it violates the TPM 2.0
1943+ * spec assumption that nonces are unpredictable (Part 1, Section 19.6).
1944+ * Only define WOLFTPM2_USE_HW_RNG if the bus is physically secure. */
19361945#if !defined(WOLFTPM2_NO_WOLFCRYPT ) && !defined(WC_NO_RNG ) && \
19371946 !defined(WOLFTPM2_USE_HW_RNG )
19381947 #define WOLFTPM2_USE_WOLF_RNG
@@ -3596,8 +3605,11 @@ WOLFTPM_API TPMI_ALG_HASH TPM2_GetTpmHashType(int hashType);
35963605 \ingroup TPM2_Proprietary
35973606 \brief Generate a fresh nonce of random numbers
35983607 \note Can use the TPM random number generator if WOLFTPM2_USE_HW_RNG is defined.
3599- To force use of the TPM's RNG use WOLFTPM2_USE_HW_RNG. Please make sure you
3600- have parameter encryption enabled to protect the RNG data over the bus.
3608+ WARNING: Using WOLFTPM2_USE_HW_RNG exposes nonces to physical bus tampering
3609+ (SPI/I2C). An attacker with bus access can force a known nonce, which
3610+ can significantly weaken session security, especially for unsalted
3611+ sessions. Use the default local wolfCrypt RNG unless the bus is
3612+ physically secure.
36013613
36023614 \return TPM_RC_SUCCESS: successful
36033615 \return TPM_RC_FAILURE: generic failure (TPM IO issue or wolfcrypt configuration)
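Review bot: The new comment above the `#if` at the end of the first hunk presents WOLFTPM2_USE_HW_RNG as the only way to get the TPM-side RNG, but the guard also leaves WOLFTPM2_USE_WOLF_RNG undefined when WOLFTPM2_NO_WOLFCRYPT or WC_NO_RNG is set, so those builds presumably fall back to TPM2_GetRandom for nonces without anyone having opted in. The closing sentence should say so, e.g. ` * Note: builds with WOLFTPM2_NO_WOLFCRYPT or WC_NO_RNG also fall back to the TPM RNG (same bus exposure) even without WOLFTPM2_USE_HW_RNG.` The Doxygen \note in the second hunk could carry the same sentence so the public documentation and the configuration comment agree. If the implicit fallback is meant to be visible, a `#warning` in the matching `#else` branch would surface it at build time; that branch is outside the hunk.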