wolftpm-sys 0.2.0

Auto-generated Rust FFI bindings to wolfTPM
docs.rs failed to build wolftpm-sys-0.2.0
Please check the build logs for more information.
See Builds for ideas on how to fix a failed build, or Metadata for how to configure docs.rs builds.
If you believe this is docs.rs' fault, open an issue.

wolftpm-sys

Raw Rust FFI bindings to wolfTPM, auto-generated by bindgen at build time.

Most users should depend on the higher-level wolftpm crate instead. Use wolftpm-sys directly only if you need access to wolfTPM C API symbols that are not yet wrapped by wolftpm.

What

wolftpm-sys exposes the wolfTPM C API directly as unsafe Rust functions and types. The bindings cover:

  • Core TPM2 structuresTPM2B_*, TPMA_*, TPMS_*, TPMT_*, TPML_*, TPMU_*, and the full set of TPM 2.0 algorithm and command constants from the TCG specification
  • wolfTPM2 wrapper typesWOLFTPM2_DEV, WOLFTPM2_KEY, WOLFTPM2_HASH, WOLFTPM2_NV, WOLFTPM2_SESSION, WOLFTPM2_CAPS
  • wolfTPM2 wrapper functions — the complete wolfTPM2_* high-level API (init, key generation, signing, ECDH, PCR, NV storage, sessions, attestation, sealing, firmware upgrade, and more)
  • Low-level TPM2 command APITPM2_* functions for direct command construction when the wrapper doesn't cover a use case

The wolfSSL key-import/export helpers (wolfTPM2_RsaKey_To_Device etc.) are excluded from the current bindings (WOLFTPM2_NO_WOLFCRYPT). They will be added in a future version once the safe Rust wrapper in wolftpm exposes them.

Why

wolftpm-sys separates the generated FFI from the safe wrapper so that:

  • The bindgen output can be regenerated (by bumping wolftpm-src) without a breaking-change version bump on wolftpm.
  • Downstream crates with unusual requirements can use the raw bindings without pulling in the opinionated safe API.
  • The links = "wolftpm_sys" key prevents multiple copies of the wolfTPM static archive from being linked into the same binary.

How it works

build.rs performs three steps:

  1. Read build metadata — reads DEP_WOLFCRYPT_SYS_* from wolfcrypt-sys (wolfSSL include paths, vendored flag, lib dirs) and DEP_WOLFTPM_SRC_* from wolftpm-src (wolfTPM include path and compiled library location).
  2. Emit link directives — instructs rustc to search for libwolftpm.a in the wolftpm-src output directory and to link it, followed by the wolfSSL library.
  3. Run bindgen — generates bindings.rs in OUT_DIR from wrapper.h, which includes <wolftpm/tpm2.h> and <wolftpm/tpm2_wrap.h>. The allowlist captures wolfTPM2_* functions and WOLFTPM2_* / TPM2_* / TPM* types and constants; wolfSSL internals are excluded via -DWOLFTPM2_NO_WOLFCRYPT.

lib.rs simply include!s the generated bindings.rs with the standard set of #[allow] attributes for bindgen output.

How to use

[dependencies]
wolftpm-sys = "0.1"

use wolftpm_sys::*;

unsafe {
    let mut dev: WOLFTPM2_DEV = core::mem::zeroed();
    let rc = wolfTPM2_Init(&mut dev, None, core::ptr::null_mut());
    assert_eq!(rc, 0);
    wolfTPM2_Cleanup(&mut dev);
}

All functions are unsafe. For a safe API see the wolftpm crate.

Build requirements

  • The wolftpm-src crate must be a direct [dependency] (not [build-dependency]) so Cargo propagates its DEP_WOLFTPM_SRC_* metadata to this crate's build script. wolftpm-sys declares this dependency automatically — you do not need to add wolftpm-src to your own Cargo.toml.
  • wolfTPM source: set WOLFTPM_SRC or initialise the bundled submodule.
  • wolfSSL headers: set WOLFSSL_DIR or WOLFSSL_INCLUDE_DIR.

See wolftpm-src for full configuration details.

Features

Feature Description
linux-dev Linux /dev/tpm0 kernel driver transport — propagates to wolftpm-src
swtpm Software TPM socket transport — propagates to wolftpm-src

References

Copyright

Copyright (C) 2006-2026 wolfSSL Inc.

wolfTPM is copyright wolfSSL Inc. and its contributors.

License

GPL-3.0-only OR LicenseRef-wolfSSL-commercial

Available under the GNU General Public License v3.0. For proprietary or commercial use, a commercial license is available from wolfSSL Inc.