OPTIGA™ TPM Forum Discussions
Hi,
Currently, we have 2 TPM chipsets on the 2 board variants (one variant with SLI9670 and another with SLB9672). The recommended TCG lib for SLI9670 is v1.38 while SLB9672 is v1.59.
Now, if the TCB Lib Spec is upgraded to v1.59 for both variants, will it have any impact on the variant running with SLI9670?
Thanks

How does one field firmware upgrade / OTA the SLB9762 FW16.12?
We need to upgrade the SLB9762 FW16.12 to the latest (FW16.13??) in an ARM-based Linux environment.
Any pointers, sample code, examples, white papers, etc appreciated.

Hi, I'm looking for the Trusted Platform Module (TPM) c/w FW16 firmware version. But in the PC evaluation board...may I know if it's available to the market (with FW16)? Appreciated in advance. #https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/optiga-tpm-slb-9672-fw16/

We are using TPM SLB9665. We want to leverage the TPM encrypt/decrypt functionality using AES encryption. However, when we try running the "tpm2_getcap commands |grep 0x164" command, we don't see the output saying the encryptdecrypt option is supported.
Could you please let us know whether this feature can be enabled at run time, and if yes, how? Or is there a limitation on this chip such that this option cannot be enabled?

I am using the driver of SLB 9672XU2.0 FW16.10, but I encounter some problems. When debugging SLB 9672XU2.0 FW16.10 with the same platform and SPI driver, I find that the communication cannot be normal. But when I used the SLB 9670VQ2.0 FW7.85, the TPM device node was correctly identified. I was able to confirm that the hardware was working because I tested it with the Raspberry Pi and it recognized the TPM device. I have printed the SPI log when loading TPM at startup, see the attachment. Can anyone help analyze the reason? Thank you very much!
PS: The 9672 board reads 128 bytes, then only reads 64 bytes each time; after reading the first frame, it reads the second frame, the command sent to read 00 00 00 01 returns error FF FF FF FF, and the result is an error. The 9670 board is 255. The second, third, and fourth frames can return 00 00 00 00 01 as normal, reading the data normally and reporting no errors. What is the difference between fifo and what are the requirements

Hi everybody. I am at the first testing steps of OPTIGA TPM SLB9673 with the RPi Eval Board. Setup went smoothly, and OPTIGA TPM 2.0 Explorer started up.
At the first stage I only want to create key pairs with RSA2048, RSA4096, ECC256, ECC384 and measure execution speeds. Simply stepping through the GUI, I managed to accomplish all this. However, quite often I get an error message, and then not even the HW reset button on the RPi Eval board and tpm2_startup helps. For example, while repeating the encrypt command about 10 times:
tpm2_rsaencrypt -c 0x81000005 -o data_encrypted.txt datain.txt
I get error
ERROR:esys:src/tss2-esys/api/Esys_ReadPublic.c:324:Esys_ReadPublic_Finish() Received a non-TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:230:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x000a000a)
ERROR:esys:src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x000a000a)
ERROR: Esys_TR_FromTPMPublic(0xA0007) - tcti:Function called in the wrong order
ERROR: Unable to run tpm2_rsaencrypt
As it is non-tpm error, more important might be dmesg:
[ 928.177971] tpm tpm0: Error left over data
[ 928.178305] tpm tpm0: tpm_transmit: tpm_recv: error -5
It is clear that the i2c communication is the problem.
:~ $ lsmod | grep tpm
tpm_tis_i2c 16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core 28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core
:~ $ lsmod | grep i2c
tpm_tis_i2c 16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core 28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core
i2c_brcmstb 16384 0
i2c_gpio 16384 0
i2c_algo_bit 16384 1 i2c_gpio
i2c_dev 20480 0
I must say that this error can occur randomly at almost any command.
The RPi was fresh clean system installed only for this task.
My system on raspberry 4B:
$ uname -a
Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
I found only one similar post: https://community.infineon.com/t5/OPTIGA-TPM/SLB9673-TPM-does-not-start-correctly/td-p/412271.
As I am using RPI instead of IMX8 and my kernel is 6.1.21, which allegedly has an 8kB buffer for i2c, I suspect that buffer size might not be the cause of this issue.
It might be irrelevant to this issue, but for the whole picture, here is the series of commands I use, e.g. for ecc384, through the console. When using the console, the GUI is not used.
tpm2_clear -c p
tpm2_changeauth -c owner owner123
tpm2_changeauth -c endorsement endorsement123
tpm2_nvread 0x1c00002 -C o -s 1429 --offset 0 -P owner123 -o ifx_rsa_cert.crt
tpm2_nvread 0x1c0000a -C o -s 846 --offset 0 -P owner123 -o ifx_ecc_cert.crt
tpm2_createprimary -C o -P owner123 -g sha256 -G ecc384 -c ECCprimary.ctx
tpm2_evictcontrol -C o -c ECCprimary.ctx -P owner123 0x81000006
tpm2_create -C 0x81000006 -p ECCleaf123 -g sha256 -G ecc384 -r ECCpri.key -u ECCpub.key
tpm2_load -C 0x81000006 -u ECCpub.key -r ECCpri.key -n ECCname.data -c ECCkeycontext.ctx
tpm2_evictcontrol -C o -c ECCkeycontext.ctx -P owner123 0x81000007
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_data -f plain secret.data
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_blob secret.data
rm ECCverifyleaf.ctx
tpm2_loadexternal -C o -u ECCpub.key -c ECCverifyleaf.ctx
tpm2_verifysignature -c ECCverifyleaf.ctx -g sha256 -m secret.data -s signature_blob
Did anyone get this issue? Can anyone perhaps reproduce it? Did I miss something?