wolfSSL · dgarske · Jan 28, 2026 · Jan 27, 2026
diff --git a/.github/workflows/cmake-build.yml b/.github/workflows/cmake-build.yml
@@ -22,6 +22,9 @@ jobs:
             options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_MODULE=st33"
           - name: "Module ST33 I2C"
             options: "-DWOLFTPM_INTERFACE=I2C -DWOLFTPM_MODULE=st33"
+          # ST33 Firmware
+          - name: "Module ST33 Firmware"
+            options: "-DWOLFTPM_MODULE=st33 -DWOLFTPM_FIRMWARE=yes"
           # Other modules use SPI
           - name: "Module Microchip"
             options: "-DWOLFTPM_INTERFACE=SPI -DWOLFTPM_MODULE=microchip"

diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml
@@ -66,6 +66,9 @@ jobs:
           # STMicro ST33KTPM2
           - name: st33ktpm2
             wolftpm_config: --enable-st33
+          # STMicro ST33KTPM2
+          - name: st33ktpm2 firmware
+            wolftpm_config: --enable-st33 --enable-firmware
           # Microchip
           - name: microchip
             wolftpm_config: --enable-microchip

diff --git a/.gitignore b/.gitignore
@@ -84,6 +84,7 @@ examples/boot/secret_seal
 examples/boot/secret_unseal
 examples/firmware/ifx_fw_extract
 examples/firmware/ifx_fw_update
+examples/firmware/st33_fw_update
 examples/endorsement/get_ek_certs
 examples/endorsement/verify_ek_cert
 
@@ -151,6 +152,10 @@ UpgradeLog.htm
 *.VC.db
 *.filters
 
+# macOS files
+._.DS_Store
+.DS_Store
+
 # Backup and old files
 /**/*.bak
 /**/*.old
@@ -170,3 +175,11 @@ UpgradeLog.htm
 # we won't track the actual working sdkconfig files
 /IDE/Espressif/**/sdkconfig
 /IDE/Espressif/**/sdkconfig.old
+
+# Firmware files
+examples/firmware/*.fi
+examples/firmware/*.BIN
+examples/firmware/*.DATA
+examples/firmware/*.MANIFEST
+examples/firmware/*.MANIFESTHASH
+
diff --git a/README.md b/README.md
@@ -189,6 +189,7 @@ make install
 --enable-checkwaitstate Enable TIS / SPI Check Wait State support (default: depends on chip) - WOLFTPM_CHECK_WAIT_STATE
 --enable-smallstack     Enable options to reduce stack usage
 --enable-tislock        Enable Linux Named Semaphore for locking access to SPI device for concurrent access between processes - WOLFTPM_TIS_LOCK
+--enable-firmware       Enable firmware upgrade support for Infineon SLB9672/SLB9673 and ST ST33 (default: disabled) - WOLFTPM_FIRMWARE_UPGRADE
 
 --enable-autodetect     Enable Runtime Module Detection (default: enable - when no module specified) - WOLFTPM_AUTODETECT
 --enable-infineon       Enable Infineon SLB9670/SLB9672/SLB9673 TPM Support (default: disabled) - WOLFTPM_SLB9670 / WOLFTPM_SLB9672
@@ -234,10 +235,12 @@ Build wolfTPM:
 
 ```bash
 ./autogen.sh
-./configure --enable-st33 [--enable-i2c]
+./configure --enable-st33 [--enable-i2c] [--enable-firmware]
 make
 ```
 
+Note: The `--enable-firmware` option enables firmware upgrade support for ST33 TPMs. This adds the `st33_fw_update` example tool for performing firmware updates.
+
 ### Building Microchip ATTPM20
 
 Build wolfTPM:
@@ -903,6 +906,34 @@ Connection: close
 </html>
 ```
 
+### ST33 Firmware Update Example
+
+The firmware update example allows updating firmware on STMicro ST33 TPMs. Build with `--enable-st33 --enable-firmware` to enable this example.
+
+LMS (Leighton-Micali Signature) support is based on firmware version:
+- **Firmware < 512**: Legacy firmware - Non-LMS format required
+- **Firmware >= 512**: Modern firmware - LMS format required
+
+```bash
+# Display firmware information
+./examples/firmware/st33_fw_update
+
+# Cancel any in-progress firmware update
+./examples/firmware/st33_fw_update --abandon
+
+# Perform firmware update (format auto-detected from TPM firmware version)
+./examples/firmware/st33_fw_update <firmware.fi>
+```
+
+Example output:
+```
+ST33 Firmware Update Tool
+Mfg STM  (2), Vendor ST33KTPM2X, Fw 9.512 (0x0)
+Firmware version details: Major=9, Minor=512, Vendor=0x0
+Hardware: ST33K (modern firmware, Generation 2)
+Firmware update: LMS format required
+```
+
 ## Device Identity and Attestation Keys
 
 The TCG published a specification for TPM manufacture guidance on setting up keys that can be used for device identiy and attestation.

diff --git a/configure.ac b/configure.ac
@@ -482,6 +482,7 @@ AM_CONDITIONAL([HAVE_LIBWOLFSSL], [test "x$ENABLED_WOLFCRYPT" = "xyes"])
 AM_CONDITIONAL([BUILD_I2C], [test "x$ENABLED_I2C" = "xyes"])
 AM_CONDITIONAL([BUILD_ADVIO], [test "x$ENABLED_ADVIO" = "xyes"])
 AM_CONDITIONAL([BUILD_ST], [test "x$ENABLED_ST" = "xyes"])
+AM_CONDITIONAL([BUILD_ST33], [test "x$ENABLED_ST33" = "xyes"])
 AM_CONDITIONAL([BUILD_MICROCHIP], [test "x$ENABLED_MICROCHIP" = "xyes"])
 AM_CONDITIONAL([BUILD_INFINEON], [test "x$ENABLED_INFINEON" != "xno"])
 AM_CONDITIONAL([BUILD_DEVTPM], [test "x$ENABLED_DEVTPM" = "xyes"])

diff --git a/examples/firmware/README.md b/examples/firmware/README.md
@@ -1,6 +1,8 @@
 # TPM Firmware Update Support
 
-Currently wolfTPM supports firmware update capability for the Infineon SLB9672 (SPI) and SLB9673 (I2C) TPM 2.0 modules. Infineon has open sourced their firmware update.
+Currently wolfTPM supports firmware update capability for:
+- Infineon SLB9672 (SPI) and SLB9673 (I2C) TPM 2.0 modules. Infineon has open sourced their firmware update.
+- STMicroelectronics ST33KTPM TPM 2.0 modules. Support includes both Generation 1 firmware versions (< 512, without LMS signature) and Generation 2 firmware versions (>= 512, with LMS signature requirement).
 
 ## Infineon Firmware
 
@@ -102,3 +104,98 @@ Mfg IFX (1), Vendor SLB9673, Fw 26.13 (0x456a)
 Operational mode: Normal TPM operational mode (0x0)
 KeyGroupId 0x7, FwCounter 1253 (254 same)
 ```
+
+## ST33 Firmware Update
+
+### Firmware Format Auto-Detection
+
+ST33KTPM firmware update automatically detects the required format based on TPM firmware version:
+
+- **Legacy firmware (< 512, e.g., 9.257)**: Non-LMS format
+  - Manifest size: 177 bytes
+  - Generation 1 firmware (ECC-only)
+
+- **Modern firmware (>= 512, e.g., 9.512)**: LMS format
+  - Manifest size: 2697 bytes (includes embedded LMS signature)
+  - Generation 2 firmware (LMS mandatory)
+
+The firmware version is automatically detected from `fwVerMinor` in TPM capabilities. The correct manifest size is determined automatically - no manual format selection is needed.
+
+### Updating the firmware
+
+The `st33_fw_update` tool automatically detects the firmware format.
+
+```sh
+# Help
+./st33_fw_update --help
+ST33 Firmware Update Usage:
+	./st33_fw_update (get info)
+	./st33_fw_update --abandon (cancel)
+	./st33_fw_update <firmware.fi>
+
+Firmware format is auto-detected from TPM firmware version:
+      - Firmware < 512: Non-LMS format (177 byte manifest)
+      - Firmware >= 512: LMS format (2697 byte manifest with embedded signature)
+
+# Run without arguments to display the current firmware information
+./st33_fw_update
+ST33 Firmware Update Tool
+TPM2: Caps 0x30000415, Did 0x0003, Vid 0x104a, Rid 0x 1
+TPM2_Startup pass
+Mfg STM (2), Vendor ST33KTPM2X, Fw 9.257 (0x0)
+Firmware version details: Major=9, Minor=257, Vendor=0x0
+Hardware: ST33K (legacy firmware, Generation 1)
+Firmware update: Non-LMS format required
+
+# Run with firmware file (format auto-detected from TPM version)
+./st33_fw_update TPM_ST33KTPM2X_00090200_V1.fi
+ST33 Firmware Update Tool
+	Firmware File: TPM_ST33KTPM2X_00090200_V1.fi
+TPM2: Caps 0x30000415, Did 0x0003, Vid 0x104a, Rid 0x 1
+TPM2_Startup pass
+Mfg STM (2), Vendor ST33KTPM2X, Fw 9.257 (0x0)
+Firmware version details: Major=9, Minor=257, Vendor=0x0
+Hardware: ST33K (legacy firmware, Generation 1)
+Firmware update: Non-LMS format required
+	Format: Non-LMS (from TPM firmware version)
+Firmware Update:
+	Total file size: 364290 bytes
+	Manifest (blob0): 177 bytes
+	Firmware data: 364113 bytes
+...
+Firmware update completed successfully.
+Please reset or power cycle the TPM.
+
+# Example with LMS firmware (Generation 2 TPM, firmware >= 512)
+./st33_fw_update ST33KTPM2X_FAC_00090200_V2.fi
+ST33 Firmware Update Tool
+	Firmware File: ST33KTPM2X_FAC_00090200_V2.fi
+TPM2: Caps 0x30000415, Did 0x0003, Vid 0x104a, Rid 0x 3
+TPM2_Startup pass
+Mfg STM (2), Vendor ST33KTPM2X, Fw 9.512 (0x0)
+Firmware version details: Major=9, Minor=512, Vendor=0x0
+Hardware: ST33K (modern firmware, Generation 2)
+Firmware update: LMS format required
+	Format: LMS (from TPM firmware version)
+Firmware Update:
+	Total file size: 360092 bytes
+	Manifest (blob0): 2697 bytes
+	Firmware data: 357395 bytes
+...
+Firmware update completed successfully.
+Please reset or power cycle the TPM.
+
+# Cancel an ongoing firmware update
+./st33_fw_update --abandon
+ST33 Firmware Update Tool
+TPM2: Caps 0x30000415, Did 0x0003, Vid 0x104a, Rid 0x 1
+TPM2_Startup pass
+Mfg STM (2), Vendor ST33KTPM2X, Fw 9.257 (0x0)
+Firmware version details: Major=9, Minor=257, Vendor=0x0
+Hardware: ST33K (legacy firmware, Generation 1)
+Firmware update: Non-LMS format required
+Firmware Update Abandon:
+Success: Please reset or power cycle TPM
+```
+
+**Note**: Firmware files cannot be made public and must be obtained separately from STMicroelectronics.
diff --git a/examples/firmware/include.am b/examples/firmware/include.am
@@ -8,6 +8,8 @@ EXTRA_DIST += examples/firmware/Makefile
 EXTRA_DIST += examples/firmware/ifx_fw_extract.c
 
 if BUILD_EXAMPLES
+if BUILD_FIRMWARE
+
 if BUILD_INFINEON
 noinst_PROGRAMS += examples/firmware/ifx_fw_update
 noinst_HEADERS  += examples/firmware/ifx_fw_update.h
@@ -16,9 +18,21 @@ examples_firmware_ifx_fw_update_SOURCES      = examples/firmware/ifx_fw_update.c
 examples_firmware_ifx_fw_update_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_firmware_ifx_fw_update_DEPENDENCIES = src/libwolftpm.la
 endif
+
+if BUILD_ST33
+noinst_PROGRAMS += examples/firmware/st33_fw_update
+examples_firmware_st33_fw_update_SOURCES     = examples/firmware/st33_fw_update.c \
+                                               examples/tpm_test_keys.c
+examples_firmware_st33_fw_update_LDADD       = src/libwolftpm.la $(LIB_STATIC_ADD)
+examples_firmware_st33_fw_update_DEPENDENCIES = src/libwolftpm.la
+
+endif
+endif
 endif
 
 example_firmwaredir = $(exampledir)/firmware
-dist_example_firmware_DATA = examples/firmware/ifx_fw_update.c
+dist_example_firmware_DATA = examples/firmware/ifx_fw_update.c \
+                             examples/firmware/st33_fw_update.c
 
-DISTCLEANFILES+= examples/firmware/.libs/ifx_fw_update
+DISTCLEANFILES+= examples/firmware/.libs/ifx_fw_update \
+                 examples/firmware/.libs/st33_fw_update