SLB 9665TT2.0 SHA256 Linux support

mveplus

Hello, Infineon community, 

I'm trying to find out more about SLB 9665TT2.0 SHA256 and Linux support, and hope you can provide some clarity. According to the datasheet, this TPM chip supports 2.0 standards, but there is an issue when using it to create/store/seal FDE hashes. Detailed background info is logged here. TL;DR: the Linux kernel does not recognize SHA256, although it's there, and it thinks only SHA1 is available. The FW is 5.62, provided by Intel for the NUC5 platform.

  • Does this chip, SLB 9665TT2.0, provide SHA256 [not a hardware limitation]?
  • Which Linux kernel supports it?
  • Is there a way to disable SHA1 in favour of SHA256 [hardware or software]?
  • Does it need a newer FW 5.63? Where can I find it?

Any thoughts or experience with this will be much appreciated! 

Kind regards, 

Martin 

  

 

Sneha_P
Moderator

Hi @mveplus ,

SLB 9665TT2.0 has 1 PCR bank supporting SHA1 or SHA256. You can execute a new "allocate" function (TPM2_PCR_Allocate) to change the PCR bank configurations. Please refer to section 22.5 for more details.
The change will be active after a system restart.
For FWs and the upgrade tool, please log in to myICP (requires NDA).

 

Thanks,

Sneha

Good morning @Sneha_P

Much appreciate your insights on this silicon's capabilities!

Is this something that can be done from the OS level or must be done in UEFI firmware?

Can a UEFI executable perform the (TPM2_PCR_Allocate) to change the PCR bank configurations before switching to Secure Boot [unsigned EFI binary]?

N.B. Intel NUC support will not help with any UEFI firmware modifications as per their comment here

Kind regards, 

Martin 

Sneha_P
Moderator (reply marked as the solution)

Hi @mveplus ,

You can bring up TPM driver under Linux environment and use tpm2_tools to allocate the PCR bank (application note).

Command reference: https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_pcrallocate.1.md
Note: This command requires platform authorization

We also have an Infineon tool with UEFI support to perform the PCR allocation, but this tool access is provided only to users with an NDA.

Hope this helps!

Thanks,

Sneha
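
An added example, not part of the thread and not Infineon's or tpm2-tools' own code: a shell script for the check-then-allocate flow described in the reply above. It assumes `tpm2_getcap pcrs` prints the YAML-style bank list shown and that the PCR bank specifier accepts the `all` and `none` selectors; the sample capability text is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: plan a PCR bank switch from `tpm2_getcap pcrs` output.
# Constructed sample (not captured from a real SLB 9665): one bank, on SHA-1.
SAMPLE_CAPS='selected-pcrs:
  - sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha256: [ ]'

# Print the banks that currently have at least one PCR allocated.
active_banks() {
    awk '/^ *- *[a-z0-9_]+:/ {
        name = $2; sub(/:$/, "", name)
        if ($0 ~ /\[ *[0-9]/) print name
    }'
}

# Build the tpm2_pcrallocate argument: every PCR in bank $1, none elsewhere.
# Fails if the TPM does not list bank $1 at all.
allocation_for() {
    awk -v want="$1" '/^ *- *[a-z0-9_]+:/ {
        name = $2; sub(/:$/, "", name)
        spec = spec (spec == "" ? "" : "+") name ":" (name == want ? "all" : "none")
        if (name == want) found = 1
    }
    END { if (!found) exit 1; print spec }'
}

# Read capability text on stdin; print the command to run, or report no change.
plan_switch() {
    caps=$(cat)
    if [ "$(printf '%s\n' "$caps" | active_banks)" = "$1" ]; then
        echo "already-allocated"
        return 0
    fi
    spec=$(printf '%s\n' "$caps" | allocation_for "$1") || return 1
    echo "tpm2_pcrallocate $spec"
}

# On a real system (platform authorization required, as the reply notes):
#   tpm2_getcap pcrs | plan_switch sha256
#   ...run the printed command, reboot, then confirm with: tpm2_pcrread sha256:all
printf '%s\n' "$SAMPLE_CAPS" | plan_switch sha256
```

The script only prints the allocation command, so the change to the TPM stays an explicit, separately authorized step.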

Sneha_P
Moderator

Please let us know if your query was resolved. We will lock the thread in 2 days. In case your issue is not resolved, please create a new thread and we will be happy to help.
