OPTIGA™ TPM Forum Discussions

Hi,

Currently, we have 2 TPM chipsets on the 2 board variants (one variant with SLI9670 and another with SLB9672). The recommended TCG lib for SLI9670 is v1.38 while SLB9672 is v1.59.

Now, if the TCB Lib Spec is upgraded to v1.59 for both variants, will it have any impact on the variant running with SLI9670? 

Thanks

Hi, I'm looking for the Trusted Platform Module (TPM) c/w FW16 firmware version. But in the PC evaluation board...may I know if it's available to the market ( with FW16 )? Appreciated in advance. #https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/optiga-tpm-slb-9672-fw16/

We are using TPM SLB9665. We want to leverage on the TPM encrypt decrypt functionality using AES encryption. How ever when we try running "tpm2_getcap commands |grep 0x164" command we don't see the output saying encryptdecrypt option supported.

Could you please let us know is whether this feature can be enabled at run time if yes how? or is there a limitation on this chip that this option cannot be enabled?

Hi everybody. I am at the first testing steps of OPTIGA TPM SLB9673 with RPi Eval Board . Setup went smoothly, OPTIGA TPM 2.0 Explorer started up.
At first stage I want only to create a keypairs with RSA2048, RSA4096, ECC256, ECC384 and measure execution speeds. Simply stepping through GUI, I managed to accomplish all this. However, quite often I get an error message and then not even the HW reset button an RPi Eval board and tpm2_startup helps. For example: while repeating encrypt command cca 10 times:

tpm2_rsaencrypt -c 0x81000005 -o data_encrypted.txt datain.txt

I get error

ERROR:esys:src/tss2-esys/api/Esys_ReadPublic.c:324:Esys_ReadPublic_Finish() Received a non-TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:230:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x000a000a)
ERROR:esys:src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x000a000a)
ERROR: Esys_TR_FromTPMPublic(0xA0007) - tcti:Function called in the wrong order
ERROR: Unable to run tpm2_rsaencrypt

As it is non-tpm error, more important might be dmesg:
[ 928.177971] tpm tpm0: Error left over data
[ 928.178305] tpm tpm0: tpm_transmit: tpm_recv: error -5

It is clear that the i2c communication is the problem.

:~ $ lsmod | grep tpm
tpm_tis_i2c  16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core  28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core

:~ $ lsmod | grep i2c
tpm_tis_i2c 16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core 28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core
i2c_brcmstb 16384 0
i2c_gpio 16384 0
i2c_algo_bit 16384 1 i2c_gpio
i2c_dev 20480 0

I must say that this error can occur randomly at almost any command .
The RPi was fresh clean system installed only for this task.

My system on raspberry 4B:
$ uname -a
Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux

I found only one similar post: https://community.infineon.com/t5/OPTIGA-TPM/SLB9673-TPM-does-not-start-correctly/td-p/412271.

As I am using RPI instead of IMX8 and my kernel is 6.1.21 which allegedly has 8kB buffer for i2c, I suspect that buffer size might be not the cause of this issue.

It might be irrelevant to this issue, but for the whole picture, here are the series of commands I use for e.g ecc384 through console. When using console, GUI is not used.

tpm2_clear -c p
tpm2_changeauth -c owner owner123
tpm2_changeauth -c endorsement endorsement123
tpm2_nvread 0x1c00002 -C o -s 1429 --offset 0 -P owner123 -o ifx_rsa_cert.crt
tpm2_nvread 0x1c0000a -C o -s 846 --offset 0 -P owner123 -o ifx_ecc_cert.crt
tpm2_createprimary -C o -P owner123 -g sha256 -G ecc384 -c ECCprimary.ctx
tpm2_evictcontrol -C o -c ECCprimary.ctx -P owner123 0x81000006
tpm2_create -C 0x81000006 -p ECCleaf123 -g sha256 -G ecc384 -r ECCpri.key -u ECCpub.key
tpm2_load -C 0x81000006 -u ECCpub.key -r ECCpri.key -n ECCname.data -c ECCkeycontext.ctx
tpm2_evictcontrol -C o -c ECCkeycontext.ctx -P owner123 0x81000007
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_data -f plain secret.data
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_blob secret.data
rm ECCverifyleaf.ctx
tpm2_loadexternal -C o -u ECCpub.key -c ECCverifyleaf.ctx
tpm2_verifysignature -c ECCverifyleaf.ctx -g sha256 -m secret.data -s signature_blob

Did anyone got this issue ? Can perhaps anyone reproduce it ? Did I miss something?