OPTIGA™ TPM Forum Discussions

Hi Team,

We are working on secure boot implementation in AM5748 using slb9673 TPM2.0.

We are able to detect the tpm2.0 chip in U-boot and we can able to test using commands, But we need more information on enabling secure boot at U-boot stage, And do we need to add TSS  to U-boot?

Can you please provide us a detailed procedure to implement secure boot at u-boot stage using SLB9673 TPM2.0.

Thanks and regards

Yashwanth T L

Hello,

for our project we want to use an SLB9670 TPM chip and I didn't get it to work up to now.

Hardware: i.MX8QM -  Variscite Module
Software: Linux 5.4.142

The image is modified for the tpm support:

zgrep --ignore-case tpm /proc/config.gz
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
# CONFIG_TCG_VTPM_PROXY is not set
# CONFIG_TCG_FTPM_TEE is not set
# CONFIG_MFD_STPMIC1 is not set
# CONFIG_PWM_IMX_TPM is not set

zgrep --ignore-case TIS_SPI /proc/config.gz
CONFIG_TCG_TIS_SPI=m

The tcg_tpm_tis overlay is applied for lpspi0.

In the iomux section:

pinctrl_lpspi0: pinctrl_spigrpgio {
fsl,pins = <
IMX8QM_SPI0_SCK_DMA_SPI0_SCK 0x06000040
  IMX8QM_SPI0_SDO_DMA_SPI0_SDO 0x06000060
   IMX8QM_SPI0_SDI_DMA_SPI0_SDI 0x06000060
  >;
};

pinctrl_lpspi0_cs: lpspics0grp {
  fsl,pins = <
   IMX8QM_SPI0_CS0_LSIO_GPIO3_IO05 0x06000020
  >;
};

&lpspi0 {
#address-cells = <1>;
#size-cells = <0>;
fsl,spi-num-chipselects = <2>;
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_lpspi0 &pinctrl_lpspi0_cs>;
cs-gpios = <&lsio_gpio3 5 GPIO_ACTIVE_LOW>;
status = "okay";
assigned-clock-rates = <60000000>;
slb9670@0 {
compatible = "var,spidev";
spi-max-frequency = <500000>;
reg = <0>;
};
};

During the start up the spi is working and try to read the vendor id. This communication looks like:

SPI - COM Startup

After 4 bytes, the cs signal get high. This behaviour looks not so good.

When I call the spidev_test function to get the vendor ID, I can see the answer of 0x15D1.

SPI Test fct - Read Vendor ID

Do you have any idea to get the communication working?

Best regards,

Chris

I am wondering if 2 CVEs published by US-CERT against the TPM 2.0 Module library (CVE-2023-1017 and CVE-2023-1018) affect the SLM9670AQ20FW1311XTMA1 ?

If the product is affected is there any work around or firmware update ?

Thanks in advance

Hi,

「Board Description OPTIGA™ TPM SLB 9672 RPI evaluation board」 "2.1 Schematic" shows the schematic, but the PIRQ# pull-up resistor is n.p.
Is this correct that the customer needs to add a pull-up resistor?

https://www.infineon.com/dgdl/Infineon-OPTIGA%20TPM%20SLB%209672%20FW15-DataSheet-v01_00-EN.pdf?fileId=8ac78c8c850f4bee01852eeaeb200bc8

Best Regards

Hi all,

My system configuration:

• TPM device: SLB9672
• Fedora 35
• tpm2 dependencies:
  • openssl.aarch64: 1.1.1n-1.fc32
  • tpm2-tss.aarch64: 3.2.2-1.fc35
  • tpm2-tools.aarch64: 5.4-1.fc35

Description:

I got errors while executing tpm2_nvundefine

Specifically, this is my command sequences:

$ echo "please123abc" >nv.test_w
$ echo "Allocate NV memory at 0x1500018"
$ tpm2_nvdefine -Q 0x1500018 -C o -s 32 -a "ownerread|policywrite|ownerwrite"
$ echo "Writing data to NV memory at 0x1500018"
$ tpm2_nvwrite -Q 0x1500018 -C o -i nv.test_w
$ cat nv.test_w
$ echo "Reading data from NV memory at 0x1500018"
$ tpm2 nvread -Q 0x1500018 -C o -s 32 -o nv.test_w_out
$ cat nv.test_w_out
$ echo "Display the total available NV memory after allocation "
$ tpm2_nvreadpublic
$ echo "Deallocate NV memory at 0x1500018 "
$ tpm2_nvundefine -Q 0x1500018

And this is the terminal output

Allocate NV memory at 0x1500018
Writing data to NV memory at 0x1500018
please123abc
Reading data from NV memory at 0x1500018
please123abc
Display the total available NV memory after allocation 
0x1500018:
  name: 000be2f8083260af321548a6b21123e36c90729bd625b89c42fe7dfd41a940ac914c
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ownerwrite|policywrite|ownerread|written
    value: 0x2002000A
  size: 32

0x1c00002:
  name: 000b27f802855e9cf3fd408f515724ea495bec5613d130f325e16c3b33e0a9fd45e8
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x62072001
  size: 1171

0x1c0000a:
  name: 000bb80c6ab6dbc90dcee5b6b7c2a426afcca4efea21e35e0bed824bb3701d25e3bc
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x62072001
  size: 775

Deallocate NV memory at 0x1500018 
[  294.609187] tpm tpm0: Operation Timed out
ERROR:tcti:src/tss2-tcti/tcti-device.c:198:tcti_device_receive() Failed to get response size fd 3, got errno 62: Timer expired 
ERROR:esys:src/tss2-esys/api/Esys_NV_UndefineSpace.c:309:Esys_NV_UndefineSpace_Finish() Received a non-TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_NV_UndefineSpace.c:108:Esys_NV_UndefineSpace() Esys Finish ErrorCode (0x000a000a) 
ERROR: Failed to release NV area at index 0x1500018
ERROR: Esys_NV_UndefineSpace(0xA000A) - tcti:IO failure
ERROR:esys:src/tss2-esys/esys_iutil.c:1145:iesys_check_sequence_async() Esys called in bad sequence. 
ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:66:Esys_FlushContext() Error in async function ErrorCode (0x00070007) 
ERROR: Esys_FlushContext(0x70007) - esapi:Function called in the wrong order
ERROR: Unable to run tpm2_nvundefine

Hi Team,

We are using. u-boot-2018.01 and  trying to interface slb9673  with TI- AM5748 processor through i2c in u-boot stage.

We enabled DM-I2C and TPM related thing in U-boot and added tpm Node in device tree source also.

But when we do  tpm info

Getting below error,
Could not find TPM (ret=-19)

Can you please share me slb9673 u-boot driver code and please give some instruction to add in uboot source?

Thanks and Regards

Yashwanth T L

Hello Again...

So, I had to port the Linux v6 drivers into my release of Linux 5.15 to get communication with chip working.  I was able to test this kernel build with ported drivers on my development board with the OPTIGA TPM 9673 RPI EVAL board connected to it.  Everything seems to be working on that hardware environment. 

My issue is when i move this same kernel build on my target device, I get this kernel message:

[    0.302465] tpm_tis_i2c: probe of 002e failed with error -11

I am able to communicate with the TPM that on my target device. I am able to read the vendor and device ID's. 

What am I missing to get these TPM chip operational on these embedded devices?