OPTIGA™ TPM Forum Discussions
Hi Team,
We are working on secure boot implementation in AM5748 using slb9673 TPM2.0.
We are able to detect the TPM 2.0 chip in U-Boot and we are able to test it using commands, but we need more information on enabling secure boot at the U-Boot stage. And do we need to add TSS to U-Boot?
Can you please provide us with a detailed procedure to implement secure boot at the U-Boot stage using the SLB9673 TPM 2.0?
Thanks and regards
Yashwanth T L
Hello,
for our project we want to use an SLB9670 TPM chip and I didn't get it to work up to now.
Hardware: i.MX8QM - Variscite Module
Software: Linux 5.4.142
The image is modified for the tpm support:
zgrep --ignore-case tpm /proc/config.gz
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
# CONFIG_TCG_VTPM_PROXY is not set
# CONFIG_TCG_FTPM_TEE is not set
# CONFIG_MFD_STPMIC1 is not set
# CONFIG_PWM_IMX_TPM is not set
zgrep --ignore-case TIS_SPI /proc/config.gz
CONFIG_TCG_TIS_SPI=m
The tcg_tpm_tis overlay is applied for lpspi0.
In the iomux section:
pinctrl_lpspi0: pinctrl_spigrpgio {
    fsl,pins = <
        IMX8QM_SPI0_SCK_DMA_SPI0_SCK 0x06000040
        IMX8QM_SPI0_SDO_DMA_SPI0_SDO 0x06000060
        IMX8QM_SPI0_SDI_DMA_SPI0_SDI 0x06000060
    >;
};
pinctrl_lpspi0_cs: lpspics0grp {
    fsl,pins = <
        IMX8QM_SPI0_CS0_LSIO_GPIO3_IO05 0x06000020
    >;
};
&lpspi0 {
    #address-cells = <1>;
    #size-cells = <0>;
    fsl,spi-num-chipselects = <2>;
    pinctrl-names = "default";
    pinctrl-0 = <&pinctrl_lpspi0 &pinctrl_lpspi0_cs>;
    cs-gpios = <&lsio_gpio3 5 GPIO_ACTIVE_LOW>;
    status = "okay";
    assigned-clock-rates = <60000000>;
    slb9670@0 {
        compatible = "var,spidev";
        spi-max-frequency = <500000>;
        reg = <0>;
    };
};
During startup the SPI is working and tries to read the vendor ID. This communication looks like:
After 4 bytes, the CS signal goes high. This behaviour does not look good.
When I call the spidev_test function to get the vendor ID, I can see the answer of 0x15D1.
Do you have any idea to get the communication working?
Best regards,
Chris
I am wondering if the 2 CVEs published by US-CERT against the TPM 2.0 Module library (CVE-2023-1017 and CVE-2023-1018) affect the SLM9670AQ20FW1311XTMA1?
If the product is affected, is there any workaround or firmware update?
Thanks in advance
Hi,
"Board Description OPTIGA™ TPM SLB 9672 RPI evaluation board", section "2.1 Schematic", shows the schematic, but the PIRQ# pull-up resistor is n.p.
Is this correct that the customer needs to add a pull-up resistor?
Hi all,
My system configuration:
- TPM device: SLB9672
- Fedora 35
- tpm2 dependencies:
  - openssl.aarch64: 1.1.1n-1.fc32
  - tpm2-tss.aarch64: 3.2.2-1.fc35
  - tpm2-tools.aarch64: 5.4-1.fc35
Description:
I got errors while executing tpm2_nvundefine.
Specifically, this is my command sequence:
$ echo "please123abc" >nv.test_w
$ echo "Allocate NV memory at 0x1500018"
$ tpm2_nvdefine -Q 0x1500018 -C o -s 32 -a "ownerread|policywrite|ownerwrite"
$ echo "Writing data to NV memory at 0x1500018"
$ tpm2_nvwrite -Q 0x1500018 -C o -i nv.test_w
$ cat nv.test_w
$ echo "Reading data from NV memory at 0x1500018"
$ tpm2 nvread -Q 0x1500018 -C o -s 32 -o nv.test_w_out
$ cat nv.test_w_out
$ echo "Display the total available NV memory after allocation "
$ tpm2_nvreadpublic
$ echo "Deallocate NV memory at 0x1500018 "
$ tpm2_nvundefine -Q 0x1500018
And this is the terminal output:
Allocate NV memory at 0x1500018
Writing data to NV memory at 0x1500018
please123abc
Reading data from NV memory at 0x1500018
please123abc
Display the total available NV memory after allocation
0x1500018:
  name: 000be2f8083260af321548a6b21123e36c90729bd625b89c42fe7dfd41a940ac914c
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ownerwrite|policywrite|ownerread|written
    value: 0x2002000A
  size: 32
0x1c00002:
  name: 000b27f802855e9cf3fd408f515724ea495bec5613d130f325e16c3b33e0a9fd45e8
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x62072001
  size: 1171
0x1c0000a:
  name: 000bb80c6ab6dbc90dcee5b6b7c2a426afcca4efea21e35e0bed824bb3701d25e3bc
  hash algorithm:
    friendly: sha256
    value: 0xB
  attributes:
    friendly: ppwrite|writedefine|ppread|ownerread|authread|no_da|written|platformcreate
    value: 0x62072001
  size: 775
Deallocate NV memory at 0x1500018
[ 294.609187] tpm tpm0: Operation Timed out
ERROR:tcti:src/tss2-tcti/tcti-device.c:198:tcti_device_receive() Failed to get response size fd 3, got errno 62: Timer expired
ERROR:esys:src/tss2-esys/api/Esys_NV_UndefineSpace.c:309:Esys_NV_UndefineSpace_Finish() Received a non-TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_UndefineSpace.c:108:Esys_NV_UndefineSpace() Esys Finish ErrorCode (0x000a000a)
ERROR: Failed to release NV area at index 0x1500018
ERROR: Esys_NV_UndefineSpace(0xA000A) - tcti:IO failure
ERROR:esys:src/tss2-esys/esys_iutil.c:1145:iesys_check_sequence_async() Esys called in bad sequence.
ERROR:esys:src/tss2-esys/api/Esys_FlushContext.c:66:Esys_FlushContext() Error in async function ErrorCode (0x00070007)
ERROR: Esys_FlushContext(0x70007) - esapi:Function called in the wrong order
ERROR: Unable to run tpm2_nvundefine
Hi Team,
We are using u-boot-2018.01 and trying to interface the slb9673 with the TI AM5748 processor through I2C at the U-Boot stage.
We enabled DM-I2C and TPM-related things in U-Boot and also added a TPM node in the device tree source.
But when we run tpm info, we get the error below:
Could not find TPM (ret=-19)
Can you please share the slb9673 U-Boot driver code with me and give some instructions for adding it to the U-Boot source?
Thanks and Regards
Yashwanth T L
Hello Again...
So, I had to port the Linux v6 drivers into my release of Linux 5.15 to get communication with chip working. I was able to test this kernel build with ported drivers on my development board with the OPTIGA TPM 9673 RPI EVAL board connected to it. Everything seems to be working on that hardware environment.
My issue is when I move this same kernel build onto my target device, I get this kernel message:
[ 0.302465] tpm_tis_i2c: probe of 002e failed with error -11
I am able to communicate with the TPM that is on my target device. I am able to read the vendor and device IDs.
What am I missing to get these TPM chips operational on these embedded devices?
I want to download the latest firmware for my SLB9660 TPM chip. It is surprisingly hard to find! Can anyone help me?
Thanks.