OPTIGA™ TPM Forum Discussions
Hi everyone,
I am quite new to the topic of TPMs and I have a question regarding the SLB 9665. I am wondering about the maximum lifetime of the TPM module SLB 9665 and the Endoresement Key.
When using the "Get-TpmEndorsementKeyInfo" command on my development system I get the response that the "ManufacturerCertificates" is valid until the date specified in the field "Not After" is reached. Which is somewhere in the middle of the 2030s.
So what happens afterwards? Will the system not be able to boot as soon as the certificate expires when using something like Bitlocker and/or Secure Boot? Is there a way to "extend" the lifetime of the certificate to a desired date?
I found the following discussion on this forum: SLB 9673 "Useful lifetime" - Infineon Developer Community which is somehow related to my question I guess.
Regards,
bsdev
Hello, I have an OPTIGA TPM 2.0 SLI9670 and I want to sign a file, I want to create a public-private keypair, keep the private key persistent inside the TPM, sign the file I need and also export the public key to verify the signed file on another computer. Is that possible? What's the best way to accomplish that.
Show LessHello,
In security Target "OPTIGA Trusted Platform Module SLB9672_2.0 v16 SLB9673_2.0 v26" I see that the command TPM2_SetCapabilityVendor enables the command TPM2_EncryptDecrypt2.
I don't see any documentation about the command TPM2_SetCapabilityVendor. Where can I find the description?
Is this command available for all users ?
In optiga TPM families (9670, 9672, 9673, ...) is the command TPM2_EncryptDecrypt2 available by default ?
Regards
Show LessHi,
https://github.com/tpm2-software/tpm2-tss/releases?page=3
Is ver 2.2.2 of tpm2-tss listed in the above URL compatible with SLB9672FW16?
Show LessHi,
If the HOST CPU uses the TPM2.0 rev1.38 Library and I replace the HW with SLB9672 (TPM2.0 rev1.59), do I also need to update the TPM Library on the HOST side from 1.38 to 1.59?
BR
Show LessI'm tryint to encrypt a string using TSS.Java. It goes well on Intel TPMs, but failed on Infineon TPMs. All my code borrows from TSS.Java samples and use EncryptDecrypt2()
command. I tried 4 physical desktop with Intel TPM, 2 Azure VM, 2 physical laptops with Infineon. All of them are without problem but Infineon TPMs. I can't tell what the issue originate from, TSS.Java library or Infineon TPM? Any helps are appreciated.
PS: I executed the code with administrator(root), of course.
Show LessHi All,
Please let me know what is the issue here.
I have SLI 9670 on my custom board.
SLI 9670 is connected over SPI bus to S32G2 processor.
Linux kernel probe fails.
1. Reading of vendor id used to fail with below error.
tpm_tis_spi: probe of spi1.0 failed with error -110
Problem resolved by driving RST pin permanently high in device-tree pin-configuration.
+ gamma-tpm-9670-rst-hog {
+ gpio-hog;
+ gpios = <13 GPIO_OPEN_DRAIN>;
+ output-high;
+ line-name = "gamma-tpm-9670-rst";
+ };
2. Now this error is noticed.
vendor: 0x1000000 - Is the read vendor id correct? Please confirm.
wait_startup: returns -1
Returning error -ENODEV
drivers/char/tpm/tpm_tis_core.c:
tpm_tis_core_init()
{
if (wait_startup(chip, 0) != 0) {
rc = -ENODEV;
pr_err("Returning error -ENODEV\n");
goto out_err;
}
/* Before we attempt to access the TPM we must see that the valid bit is set.
* The specification says that this bit is 0 at reset and remains 0 until the
* 'TPM has gone through its self test and initialization and has established
* correct values in the other bits.'
*/
static int wait_startup(struct tpm_chip *chip, int l)
{
......
} while (time_before(jiffies, stop));
pr_err("wait_startup: returns -1\n");
return -1;
}
Thanks & Regards,
Gangadhar
@Sneha_P , @Sharath_V , @ataulmanan
Show Less
Hi,
We are working on implementing secure boot process using the SLB9673 TPM2.0 in AM5748. We are able to communicate with tpm2 using the tss tools.
Following are the list of commands that we are able to access. Do you believe the current list is sufficient or do we need additional commands to better support our needs in future.
tpm2_activatecredential tpm2_hash tpm2_pcrextend
tpm2_certify tpm2_hmac tpm2_pcrlist
tpm2_create tpm2_listpersistent tpm2_quote
tpm2_createpolicy tpm2_load tpm2_rc_decode
tpm2_createprimary tpm2_loadexternal tpm2_readpublic
tpm2_dictionarylockout tpm2_makecredential tpm2_rsadecrypt
tpm2_encryptdecrypt tpm2_nvdefine tpm2_rsaencrypt
tpm2_evictcontrol tpm2_nvlist tpm2_send
tpm2_getcap tpm2_nvread tpm2_sign
tpm2_getmanufec tpm2_nvreadlock tpm2_startup
tpm2_getpubak tpm2_nvrelease tpm2_takeownership
tpm2_getpubek tpm2_nvwrite tpm2_unseal
tpm2_getrandom tpm2_pcrevent tpm2_verifysignature
Our first requirement is about configuring the secure boot using tpm2
Could you also help us with the detailed steps on how to configure the TPM2 for secure boot with the help of tpm2 commands.
Additionally, we've encountered an issue where we are unable to clear the DA Lockout (Dictionary Lockout) mode. Whenever we attempt to clear the lockout using tpm2_dictionarylockout, we're presented with the following error code - 0x921.
Thanks and regards,
Mythreyi U
Show LessHello everyone, I am using raspberry Pi 4 board along with bullseye OS and Infineon SLB9670 TPM. After booting the OS, I am reading the PCR values and it showing all Zeroes. At this time I am able to extend the PCR values. My query is that why PCR values are not extending during boot process or what should I do for PCR extension?
Show Less安装tpm2-tools,在安装依赖项执行以下命令时:
sudo apt -y install autoconf automake libtool pkg-config \
gcc libssl-dev libcurl4-gnutls-dev pandoc python-yaml expect
报E: Package 'python-yaml' has no installation candidate 错误
Raspberry PI 3 model B V1.2,内核版本为:Linux raspberrypi 5.15.76-v7+ #1597 SMP Fri Nov 4 12:13:17 GMT 2022 armv7l GNU/Linux。
Show Less