OPTIGA™ TPM Forum Discussions
I created an AES key and made it persistent (handles-persistent: 0x81010020),
but I can't use the handle value; even tpm2_evictcontrol -c 0x81010020 doesn't work.
I think the SLB9672 chip (my chip) can't find the handle value that is linked to the context file.
(mysymmetrickey.ctx WORKS!)
The problem only occurs on one chip and not on the other.
It didn't happen at first, but it started happening at some point.
Esys_TR_GetTpmHandle() works; only the tpm2_tools commands do not work.
The tpm2_clear command erases the handles, but the problem keeps occurring.
# tpm2_getcap handles-persistent
- 0x81010020
# tpm2_evictcontrol -c 0x81010020
ERROR: Invalid serialized ESYS_TR size, got: 0
ERROR:esys:/usr/src/debug/tpm2-tss/3.2.0-r0/src/tss2-esys/esys_tr.c:356:Esys_TR_Close() Error: Esys handle does not exist (70018).
ERROR: Esys_TR_Close(0x70018) - esapi:The ESYS_TR resource object is bad
ERROR: Unable to run tpm2_evictcontrol
# tpm2_encryptdecrypt -c 0x81010020 -o mysecret.enc mysecret
WARN: Using a weak IV, try specifying an IV
ERROR: Invalid serialized ESYS_TR size, got: 0
ERROR: Invalid object key authorization
ERROR: Unable to run tpm2_encryptdecrypt
Hello,
Does Infineon have any TPM 2.0 chips in their portfolio that is targeting FIPS 140-3 certification?
There were none back in July 2022 according to the following thread, but I'm wondering if plans have changed in the past ~2 years: Solved: TPM Module FIPS 140-3 Compliant - Infineon Developer Community
Thanks,
John
Hi,
Can I get the IBIS model of SLB9673XU20FW2610XTMA1 for signal integrity?
Thanks
Hi,
We were trying to run TPM commands to create an attestation key using the Google-attestation open-source package on FreeBSD. However, it fails with the error: warning code 0x2 : out of memory for object contexts
Can you please help us with the following:
1) Is Optiga tpm2 supported on FreeBSD?
i) If not, are there any other software pkgs that can be used?
2) Do you have an SDK to interact with the TPM2 device? Please share the relevant documentation.
Regards
Shashi
Good afternoon, I'm looking for some assistance with an Intune pre-provisioning issue.
Installed in: HP ZBook Fury G9 Mobile Workstation
Processor: Intel Core i7-12800HX
OS: Windows 11 Pro 23H2 (OS Build 22631.3155)
Intune Enrollment - Hybrid - Whiteglove enroll.
Issue: "Something happened, and TPM attestation timed out."
TPM Present: True
TPM Version: 2.0
TPM Manufacturer ID: IFX
TPM Manufacturer Full Name: Infineon
TPM Manufacturer Version: 15.22.16832.0
PPI Version: 1.3
Is Initialized: True
Ready for Storage: True
Ready for Attestation: True
Is Capable For Attestation: True
Clear Needed to Recover: False
Clear Possible: True
TPM Has Vulnerable Firmware: False
Bitlocker PCR7 Binding State: Binding Possible
Maintenance Task Complete: True
TPM Spec Version: 1.59
TPM Errata Date: Thursday, June 18, 2020
PC Client Version: 1.05
Lockout Information:
-Is Locked Out: False
-Lockout Counter: 0
-Max Auth Fail: 31
-Lockout Interval: 600s
-Lockout Recovery: 86400s
Contents of CertReq_enrollaik_Output:
v2.0
TPM-Version:2.0 -Level:0-Revision:1.59-VendorID:'IFX '-Firmware: 983062.4308992
GetEKCertInfo
EnrollStage = 30
GetCACert = 0ms
GetCACaps = 0ms
CreateRequest = 0ms
SubmitRequest = 0ms
ProcessResponse1 = 0ms
SubmitChallengeAnswer = 0ms
ProcessResponse2 = 0ms
Enroll = 0ms
Total = 578ms
Certificate Request Processor: Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
Additional Info: I'm connected to internet and can ping well-known DNS servers.
Contents of TpmHliInfo_Output:
2024-02-23T20:16:30
TpmHLI GetVersion result: 0x00000000
TpmHLI Version: 2.0
Manufacturer: Infineon
VendorId: SLB9672
Uefi Is Present: Yes
TpmHLI IsReady for Storage result: 0x00000000
Ready: True
Bits: 0x0000000000000000
TpmHLI IsReady for Attestation result: 0x00000000
Ready: True
Bits: 0x0000000000000000
Additional Troubleshooting Steps:
- I've already updated Windows 11 Pro to the current version and installed all security updates via PowerShell; the BIOS from HP is updated to the most recent version. I've re-imaged with a factory image using a USB stick, and I've reset the device as well.
- Removed the device and hardware ID hash from Intune, re-exported using the Get-AutopilotInfo script and imported it back into Intune via the portal.
- Cleared the TPM twice now.
- Other models HP ZBook Fury G8 (Prior model) and HP ZBook Fury G10 (Current model) have had absolutely no issues whatsoever pre-provisioning.
Please advise.
I have been testing my Raspberry Pi 4 with SWTPM with the TPM9670 Raspberry Pi dev board plugged in (never removed), and after that I've been trying to retrieve the MFG CA number. However, after following the process shown in link with a freshly installed OS, and following the process in link (section: NVM and Certificate Management), it somehow shows it's from IBM and titled IBM's SW TPM (image below). The method shown in link doesn't help either. SLM 9670
Since it is not supported to upload .der, .crt, and .pem filetypes, I've zipped generated "ekcert.der", "ifx_rsa_cert.crt", and "ifx_rsa_cert.pem" in attached zip file.
At the same time, executing "Setup/Get TPM capability (fixed)" does return, I believe, the correct info, as shown in the following image.
I have tried resetting the TPM board and reinstalling the OS, but this result persists. Is there any method to fully reset to factory state, or is there any fix possible?
I'm selecting a TPM for my application, likely SLB 9672. Where can I go to confirm the commands which this TPM supports?
The OPTIGA TPM SLB 9672 datasheet says it is based on the following specification:
“TCG PC Client Platform TPM Profile (PTP) Specification”, Family 2.0, Level 00, Rev. 01.05 v14,
September 4, 2020, TCG
Table 8 of this specification lists which commands are mandatory/optional. For those that are optional, which do the various OPTIGA TPMs support?
In other words, what would be the result of the TPM2_GetCapability command (inspecting TPM_CAP_COMMANDS)?
Hello guys,
I tried to use the Infineon TPM utility to test the TPM ( https://github.com/Infineon/eltt2?tab=readme-ov-file ),
based on Ubuntu: 22.04, kernel: 6.2.0-36-generic, but the test failed as below:
I already checked that kernel 5.15 is a PASS, so does anybody know what the problem is on kernel 6.2?