wolfSSL · aidangarske · May 11, 2026 · May 8, 2026
diff --git a/examples/wrap/caps.c b/examples/wrap/caps.c
@@ -115,9 +115,11 @@ int TPM2_Wrapper_CapsArgs(void* userCtx, int argc, char *argv[])
     if (rc != 0) goto exit;
 
     printf("Mfg %s (%d), Vendor %s, Fw %u.%u (0x%x), "
-        "FIPS 140-2 %d, CC-EAL4 %d\n",
+        "FIPS %s, CC-EAL4 %d\n",
         caps.mfgStr, caps.mfg, caps.vendorStr, caps.fwVerMajor,
-        caps.fwVerMinor, caps.fwVerVendor, caps.fips140_2, caps.cc_eal4);
+        caps.fwVerMinor, caps.fwVerVendor,
+        TPM2_GetCapsFipsStr(caps.fips140_3, caps.fips140_2),
+        caps.cc_eal4);
 #if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673)
     printf("\tKeyGroupId 0x%x, Operational Mode 0x%x, FwCounter %d (%d same)\n",
         caps.keyGroupId, caps.opMode, caps.fwCounter, caps.fwCounterSame);

diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c
@@ -191,9 +191,11 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
     if (rc != 0) goto exit;
 
     printf("Mfg %s (%d), Vendor %s, Fw %u.%u (0x%x), "
-        "FIPS 140-2 %d, CC-EAL4 %d\n",
+        "FIPS %s, CC-EAL4 %d\n",
         caps.mfgStr, caps.mfg, caps.vendorStr, caps.fwVerMajor,
-        caps.fwVerMinor, caps.fwVerVendor, caps.fips140_2, caps.cc_eal4);
+        caps.fwVerMinor, caps.fwVerVendor,
+        TPM2_GetCapsFipsStr(caps.fips140_3, caps.fips140_2),
+        caps.cc_eal4);
 #if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673)
     printf("\tKeyGroupId 0x%x, Operational Mode 0x%x, FwCounter %d (%d same)\n",
         caps.keyGroupId, caps.opMode, caps.fwCounter, caps.fwCounterSame);

diff --git a/src/fwtpm/fwtpm_command.c b/src/fwtpm/fwtpm_command.c
@@ -1097,7 +1097,23 @@ static TPM_RC FwCmd_GetCapability(FWTPM_CTX* ctx, TPM2_Packet* cmd,
                 { TPM_PT_MAX_DIGEST,        TPM_SHA256_DIGEST_SIZE },
             #endif
                 { TPM_PT_TOTAL_COMMANDS,    0 }, /* patched to FwGetCmdCount() at emission */
-                { TPM_PT_MODES,             0 },
+                /* TPMA_MODES (TPM_PT_MODES): bit 0 = FIPS_140_2 (spec
+                 * v1.38+), bit 1 = FIPS_140_3 (spec v1.83+). Mirror the
+                 * underlying wolfCrypt module's FIPS status so callers
+                 * (tpm2-tools, examples/wrap/caps) see the same level
+                 * the crypto provider is validated at. wolfCrypt FIPS
+                 * v6.x targets 140-3; earlier HAVE_FIPS revisions are
+                 * 140-2. Non-FIPS builds leave both bits clear. */
+                { TPM_PT_MODES,
+            #if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
+                (HAVE_FIPS_VERSION >= 6)
+                    TPMA_MODES_FIPS_140_3
+            #elif defined(HAVE_FIPS)
+                    TPMA_MODES_FIPS_140_2
+            #else
+                    0
+            #endif
+                },
             #ifdef WOLFTPM_V185
                 /* v1.85 Part 2 Sec.8.13 TPMA_ML_PARAMETER_SET: bits 0-5 for
                  * MLKEM-512/768/1024 and MLDSA-44/65/87. Each bit is gated

diff --git a/src/tpm2_util.c b/src/tpm2_util.c
@@ -194,3 +194,12 @@ void TPM2_PrintAuth(const TPMS_AUTH_COMMAND* authCmd)
     TPM2_PrintBin(authCmd->hmac.buffer, authCmd->hmac.size);
 }
 #endif /* DEBUG_WOLFTPM */
+
+const char* TPM2_GetCapsFipsStr(int fips140_3, int fips140_2)
+{
+    if (fips140_3)
+        return "140-3";
+    if (fips140_2)
+        return "140-2";
+    return "none";
+}
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -792,7 +792,8 @@ int wolfTPM2_SelfTest(WOLFTPM2_DEV* dev)
  *      Byte  1: reserved.
  *      Bytes 2-3: build num = 11CB,
  *      Byte  4: 0x00 (TPM CC), 0x02 (no CC)
- *  TPM_PT_MODES = Bit 0 = FIPS_140_2
+ *  TPM_PT_MODES = Bit 0 = FIPS_140_2 (spec v1.38+)
+ *                 Bit 1 = FIPS_140_3 (spec v1.83+)
  */
 
 #if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673)
@@ -874,7 +875,8 @@ static int wolfTPM2_ParseCapabilities(WOLFTPM2_CAPS* caps,
                 }
                 break;
             case TPM_PT_MODES:
-                caps->fips140_2 = (val & 0x00000001) ? 1: 0;
+                caps->fips140_2 = (val & TPMA_MODES_FIPS_140_2) ? 1 : 0;
+                caps->fips140_3 = (val & TPMA_MODES_FIPS_140_3) ? 1 : 0;
                 break;
             default:
                 break;

diff --git a/tests/unit_tests.c b/tests/unit_tests.c
@@ -206,9 +206,11 @@ static void test_wolfTPM2_GetCapabilities(void)
     AssertIntEQ(rc, 0);
 
 #ifdef DEBUG_WOLFTPM
-    printf("Mfg %s (%d), Vendor %s, Fw %u.%u (%u), FIPS 140-2 %d, CC-EAL4 %d\n",
+    printf("Mfg %s (%d), Vendor %s, Fw %u.%u (%u), FIPS %s, CC-EAL4 %d\n",
         caps.mfgStr, caps.mfg, caps.vendorStr, caps.fwVerMajor,
-        caps.fwVerMinor, caps.fwVerVendor, caps.fips140_2, caps.cc_eal4);
+        caps.fwVerMinor, caps.fwVerVendor,
+        TPM2_GetCapsFipsStr(caps.fips140_3, caps.fips140_2),
+        caps.cc_eal4);
 #endif
 
     wolfTPM2_Cleanup(&dev);

diff --git a/wolftpm/tpm2.h b/wolftpm/tpm2.h
@@ -933,8 +933,20 @@ enum TPMA_CC_mask {
     TPMA_CC_V            = 0x20000000,
 };
 
+/* TPM 2.0 Library Spec Part 2: bitfield returned from
+ * TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, TPM_PT_MODES)
+ * indicating FIPS compliance level. Bit 0 (FIPS_140_2) is defined
+ * since v1.38; bit 1 (FIPS_140_3) was added in v1.83. Bits 2..31
+ * are reserved. Decoded unconditionally so any host build can
+ * interpret either flag from any TPM. */
+typedef UINT32 TPMA_MODES;
+enum TPMA_MODES_mask {
+    TPMA_MODES_FIPS_140_2 = 0x00000001,
+    TPMA_MODES_FIPS_140_3 = 0x00000002,
+};
+
 #ifdef WOLFTPM_V185
-/* v185 rc4 Part 2 Sec.8.13 Table 46 — bitfield returned from
+/* v185 rc4 Part 2 Sec.8.13 Table 46 - bitfield returned from
  * TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, TPM_PT_ML_PARAMETER_SETS)
  * indicating which ML-KEM/ML-DSA parameter sets the TPM supports. */
 typedef UINT32 TPMA_ML_PARAMETER_SET;
@@ -4329,6 +4341,18 @@ typedef enum {
 WOLFTPM_API UINT16 TPM2_GetVendorID(void);
 
 
+/*!
+    \brief Returns a human-readable FIPS mode string from FIPS capability
+        bits: "140-3" when fips140_3 is set, "140-2" when fips140_2 is set,
+        otherwise "none". Used for capability reporting in examples and
+        tools.
+    \return Non-NULL pointer to a static string. Never NULL.
+    \param fips140_3 non-zero if the TPM reports FIPS 140-3 mode
+    \param fips140_2 non-zero if the TPM reports FIPS 140-2 mode
+*/
+WOLFTPM_API const char* TPM2_GetCapsFipsStr(int fips140_3, int fips140_2);
+
+
 /*!
     \ingroup TPM2_Proprietary
     \brief Forcefully zero a memory region. Unlike memset, this call is not

diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
@@ -167,9 +167,10 @@ typedef struct WOLFTPM2_CAPS {
 #endif
 
     /* bits */
-    word16 fips140_2 : 1; /* using FIPS mode */
+    word16 fips140_2 : 1; /* FIPS 140-2 mode (TPMA_MODES bit 0) */
     word16 cc_eal4   : 1; /* Common Criteria EAL4+ */
     word16 req_wait_state : 1; /* requires SPI wait state */
+    word16 fips140_3 : 1; /* FIPS 140-3 mode (TPMA_MODES bit 1, spec v1.83+) */
 #ifdef WOLFTPM_SPDM
     word32 acHandleCount;  /* Number of AC handles discovered */
     TPM_HANDLE acHandles[MAX_AC_HANDLES];  /* AC handles */