OPTIGA™ TPM Forum Discussions
I am trying to an safety analysis for a product using the OPTIGA TPM SLI9670 A-TPM
I found the documentation on the FIT rate for the component but was curious if there was also a Failure Mode Distribution (FMD) available for it as well. This would help me complete my analysis.
Thanks in advance.
Show LessHi Team,
I'm working on SLB 9673 for security credential protection with tpm2-tools.
From Infineon github:
https://github.com/Infineon/optiga-tpm-cheatsheet#persistent-key-1
I see that we can use "tpm2_evictcontrol" to seal a object persistent in TPM.
I have some questions:
1. When I use "tpm2_evictcontrol", the object is saved to NV memory in TPM, right?
2. From Infineon-OPTIGA TPM SLB 9673 FW26-DataSheet-v01_02-EN.pdf, it says "Up to 7 loaded persistent Objects",
Is this mean only 7 persistent Objects can be saved in TPM?
Thanks
Vinson
Show Less
Hi all,
My system configuration:
- OS:
Fedora 36 - TPM related packages:
openssl.aarch64: 1:3.0.8-1.fc36
tpm2-tss.aarch64: 3.2.2-1.fc36
tpm2-tools.aarch64: 5.4-1.fc36
Description:
Many tpm2-tools commands return ErrorCode (0x00070001) EVP_PKEY_new_mac_key
[root@fedora ~]# ls /dev/tpm*
/dev/tpm0 /dev/tpmrm0
[root@fedora ~]# tpm2_nvdefine 0x1500016 -C o -s 32 -a 0x2000A
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1241:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1351:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:227:Esys_NV_DefineSpace_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:99:Esys_NV_DefineSpace() Error in async function ErrorCode (0x00070001)
[root@fedora ~]# tpm2_clear
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1241:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1351:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
[root@fedora ~]# tpm2_createprimary -C o -g sha256 -G ecc -c context.out
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1241:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1351:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:237:Esys_CreatePrimary_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:110:Esys_CreatePrimary() Error in async function ErrorCode (0x00070001)
ERROR: Esys_CreatePrimary(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_createprimary
Show Less
Dear How to check TPM error codes, such as: ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt() Esys Finish ErrorCode (0x00000921), This 0x00000921 How should I check the meaning of this error code? Thanks!~
Show LessHi
The TPM2.0 SLB 9673 does not start correctly and I can't narrow down the origin of the error.
Upon startup, I see the following in the logs:
dmesg | grep tpm
[ 1.767615] tpm_tis_i2c 1-002e: 2.0 TPM (device-id 0x1C, rev-id 22)
[ 1.787326] tpm tpm0: A TPM error (256) occurred attempting the self test
[ 1.794173] tpm tpm0: starting up the TPM manually
[ 55.049963] tpm tpm0: Error left over data
[ 55.054389] tpm tpm0: tpm_transmit: tpm_recv: error -5
[ 55.061185] tpm_tis_i2c: probe of 1-002e failed with error -5
I use the following kernel:
uname -r
5.15.71+gitf094805
The following kernel patches are cherry-picked:
tpm: Remove read16/read32/write32 calls from tpm_tis_phy_ops
dt-bindings: trivial-devices: Add Infineon SLB9673 TPM
tpm: Add tpm_tis_verify_crc to the tpm_tis_phy_ops protocol layer
tpm: Add tpm_tis_i2c backend for tpm_tis_core
tpm: tis_i2c: Fix sanity check interrupt enable mask
tpm: Add flag to use default cancellation policy
dts is extended with the following:
&i2c1 {
#address-cells = <1>;
#size-cells = <0>;
clock-frequency = <100000>;
.....
/* TPM */
tpm: tpm@2e {
compatible = "infineon,slb9673", "tcg,tpm-tis-i2c";
reg = <0x2e>;
};
I have added the following to defconfig:
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_I2C=y
CONFIG_TCG_TIS_I2C_INFINEON=y
The wiring seems to be correct:
i2cdetect -y 1
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- 2e --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
HW:
OPTIGA TPM 9673 RPI EVAL
NXP IMX8
Does anyone have an idea where the problem is?
Hi Everyone,
We are presently using TPM 1.2 ( SLB9645) and we are looking for elliptic curve cryptography support which is not available in TPM 1.2 it seems,
Is TPM 2.0 support elliptic curve cryptography and is there a drop-in replacement of the present SLB9645 available for TPM 2.0?
Regards,
Snehal Patel
Show Less
Hi,
There is a tpm device SLM9670 connected to NXP CPU with SPI bus on my board. The running linux version is 4.14. spi mode is 0.
From tpm_tis_core driver tpm startup, SPI master send 0x80-0xd4-0x0-0x0 to SLM9670, SLM9670 responses 0x0-0x0-0x0-0x1 at first transaction, then TPM ACCESS VALID(0x80) at second transaction.
But on my board, SLM9670 response 0x0-0x0-0x0-0x1. then 0x0. Could you please tell me why SLM9670 cannot response TPM ACCESS VALID? thanks.
Please see the SPI bus waves captured by probe.
red: SCK
yellow: MOSI
blue: MISO
Show LessHi, I have integrated the TPM 2.0 Iridium SLB 9670 together with the i.MX8MP processor to implement remote attestation using the IMA Linux kernel module. Sometimes I get strange this error "tpm tpm0: invalid TPM_STS.x 0xa8 " that I cannot find a solution online. As I understand it I should get 0xff in case there are transmission calls to tpm that are not protected by the tpm_try_get_ops command. Checking the Linux kernel however it is indeed called and in fact, the value is not 0xff but is variable. On a couple of other occasions, however, it has failed to even establish the initial connection ('2.0 TPM (device-id 0x1B, rev-id 22') and some debugging showed that the tpm spi driver was stuck in an infinite loop waiting for the TPM locality. The wiring is correct, in fact, if the tpm connects without errors, the tpm2tools commands work. The device tree is correct because I asked for confirmation on the NXP forum. I also tried replacing the tpm but got the same result. I currently I'm using Linux kernel 5.15.60 but I get the same error using the i.MX6UL board which has kernel 5.10.60. What caused this error?
The output of dmesg | grep -i tpm
[ 2.077539] tpm_tis_spi spi1.0: 2.0 TPM (device-id 0x1B, rev-id 22)
[ 2.088911] tpm tpm0: A TPM error (256) occurred attempting the self test
[ 2.095719] tpm tpm0: starting up the TPM manually
[ 12.489312] tpm tpm0: tpm_try_transmit: send(): error -5
[ 38.235405] tpm tpm0: tpm_transmit: tpm_recv: error -52
[ 38.284794] tpm tpm0: invalid TPM_STS.x 0x85, dumping stack for forensics
[ 38.284861] tpm_tis_status+0xc8/0xe4
[ 38.284869] wait_for_tpm_stat+0x54/0x224
[ 38.284878] tpm_tis_send_data+0x220/0x28c
[ 38.284886] tpm_tis_send_main+0x34/0x110
[ 38.284893] tpm_tis_send+0x44/0x110
[ 38.284901] tpm_transmit+0xc8/0x340
[ 38.284908] tpm_transmit_cmd+0x30/0xc0
[ 38.284914] tpm2_pcr_extend+0x25c/0x300
[ 38.284921] tpm_pcr_extend+0xc4/0xd4
Show LessProduct: Infineon Optiga TPM SLB9670
Version: 7.85.4555.0
Spec: 2.0
Installed in: HP ProBook 450 G6
Processor: Intel Core i3-8145U
OS: Windows 11 Pro 22H2 (10.0.22621.1485)
Issue: Pre-provisioning through Intune / Autopilot and the pre-provisioning fails with the error: "Something happened, and TPM attestation timed out."
Notes: I'm connected to internet and can ping well-known DNS servers.
Ran MDMDiagnosticsTool.exe -area Autopilot;TPM -cab c:\autopilot.cab and pulled diagnostic logs.
---
Contents of CertReq_enrollaik_Output:
v2.0
TPM-Version:2.0 -Level:0-Revision:1.38-VendorID:'IFX '-Firmware:458837.1166080
IFX-KeyId-0d9969519b979d32ee4b803165664e9cc86f9d0d
CN=Infineon OPTIGA(TM) TPM 2.0 RSA CA 039, OU=OPTIGA(TM), O=Infineon Technologies AG, C=DE
Directory Address: TPMVersion=id:0753 TPMModel=SLB 9670 TPM2.0 TPMManufacturer=id:49465800 (IFX)
https://IFX-KeyId-0d9969519b979d32ee4b803165664e9cc86f9d0d.microsoftaik.azure.net/templates/Aik/scep
x-ms-client-request-id = 68222705-49b2-45d4-9854-9c8b29897ab8
SHA256
AES128
SubmitDone
Submit(Request): Bad Request
{"Message":"No valid TPM EK/Platform certificate provided in the TPM identity request message."}
HTTP/1.1 400 Bad Request
Date: Tue, 04 Apr 2023 14:48:02 GMT
Content-Length: 96
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: f13ef8ac-a377-465b-8333-4fdf3ec65db7
EnrollStage = 220
GetCACert = 187ms
GetCACaps = 219ms
CreateRequest = 1172ms
SubmitRequest = 234ms
ProcessResponse1 = 0ms
SubmitChallengeAnswer = 0ms
ProcessResponse2 = 0ms
Enroll = 1406ms
Total = 4829ms
Certificate Request Processor: Bad request (400). 0x80190190 (-2145844848 HTTP_E_STATUS_BAD_REQUEST)
---
Contents of TpmHliInfo_Output:
2023-04-04T14:47:57
TpmHLI GetVersion result: 0x00000000
TpmHLI Version: 2.0
Manufacturer: Infineon
VendorId: SLB9670
Uefi Is Present: Yes
TpmHLI IsReady for Storage result: 0x00000000
Ready: True
Bits: 0x0000000000000000
TpmHLI IsReady for Attestation result: 0x00000000
Ready: True
Bits: 0x0000000000000000
---
Comments:
- I've already updated Windows 11 Pro to the latest version as of this posting (22H2, 10.22621) and also updated the BIOS from HP to the most recent version as well (HP R71 Ver. 1.23.00, 12/8/2022) and reset Windows several times.
- I've removed the hardware id hash from Intune, re-exported it with MDMDiagnostic, and re-imported it several times as well.
- I've cleared the TPM several times.
- Other types of systems on our network are not experiencing this particular error when pre-provisioned.
- When I enter the URL of the AIK request, the site displays this message:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
<Message>No HTTP resource was found that matches the request URI 'https://prod-wus-1-issuingservice-a.cacore.azure.net/templates/Aik/scep '.</Message>
</Error>
- I know that this is probably due to not having the required info in the http request sent by the browser, so I'm just including this for informational purposes.
- I noticed in tpm.msc module, that the Prepare TPM option is greyed out.
I suspect the Bad Request is to blame, but I'm not sure if this is due to something blocked on the client side or something absent on the server side.
Please advise.
Show Less