Hi everybody. I am at the first testing steps of OPTIGA TPM SLB9673 with RPi Eval Board . Setup went smoothly, OPTIGA TPM 2.0 Explorer started up.
At first stage I want only to create a keypairs with RSA2048, RSA4096, ECC256, ECC384 and measure execution speeds. Simply stepping through GUI, I managed to accomplish all this. However, quite often I get an error message and then not even the HW reset button an RPi Eval board and tpm2_startup helps. For example: while repeating encrypt command cca 10 times:

tpm2_rsaencrypt -c 0x81000005 -o data_encrypted.txt datain.txt

I get error

ERROR:esys:src/tss2-esys/api/Esys_ReadPublic.c:324:Esys_ReadPublic_Finish() Received a non-TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:230:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x000a000a)
ERROR:esys:src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x000a000a)
ERROR: Esys_TR_FromTPMPublic(0xA0007) - tcti:Function called in the wrong order
ERROR: Unable to run tpm2_rsaencrypt

As it is non-tpm error, more important might be dmesg:
[ 928.177971] tpm tpm0: Error left over data
[ 928.178305] tpm tpm0: tpm_transmit: tpm_recv: error -5

It is clear that the i2c communication is the problem.

:~ $ lsmod | grep tpm
tpm_tis_i2c  16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core  28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core

:~ $ lsmod | grep i2c
tpm_tis_i2c 16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core 28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core
i2c_brcmstb 16384 0
i2c_gpio 16384 0
i2c_algo_bit 16384 1 i2c_gpio
i2c_dev 20480 0

I must say that this error can occur randomly at almost any command .
The RPi was fresh clean system installed only for this task.

My system on raspberry 4B:
$ uname -a
Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux

I found only one similar post: https://community.infineon.com/t5/OPTIGA-TPM/SLB9673-TPM-does-not-start-correctly/td-p/412271.

As I am using RPI instead of IMX8 and my kernel is 6.1.21 which allegedly has 8kB buffer for i2c, I suspect that buffer size might be not the cause of this issue.

It might be irrelevant to this issue, but for the whole picture, here are the series of commands I use for e.g ecc384 through console. When using console, GUI is not used.

tpm2_clear -c p
tpm2_changeauth -c owner owner123
tpm2_changeauth -c endorsement endorsement123
tpm2_nvread 0x1c00002 -C o -s 1429 --offset 0 -P owner123 -o ifx_rsa_cert.crt
tpm2_nvread 0x1c0000a -C o -s 846 --offset 0 -P owner123 -o ifx_ecc_cert.crt
tpm2_createprimary -C o -P owner123 -g sha256 -G ecc384 -c ECCprimary.ctx
tpm2_evictcontrol -C o -c ECCprimary.ctx -P owner123 0x81000006
tpm2_create -C 0x81000006 -p ECCleaf123 -g sha256 -G ecc384 -r ECCpri.key -u ECCpub.key
tpm2_load -C 0x81000006 -u ECCpub.key -r ECCpri.key -n ECCname.data -c ECCkeycontext.ctx
tpm2_evictcontrol -C o -c ECCkeycontext.ctx -P owner123 0x81000007
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_data -f plain secret.data
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_blob secret.data
rm ECCverifyleaf.ctx
tpm2_loadexternal -C o -u ECCpub.key -c ECCverifyleaf.ctx
tpm2_verifysignature -c ECCverifyleaf.ctx -g sha256 -m secret.data -s signature_blob

Did anyone got this issue ? Can perhaps anyone reproduce it ? Did I miss something?

Hello,

I want to use the OPTIGATM TPM SLB 9670VQ2.0 (TPM 70 2.0 XENONBOARD ) within a setup with a PC. Does anyone have any recommendation for which motherboard to use? I have used in the past the TPM 2.0 with the SPI interface in a setup with Raspberry PI 3 and I am familiar with the software stack. I guess the same software stack available on GitHub can be used for the TPM SLB 9672 PC as well.

Later edit: I have noticed that this TPM is communicating through SPI so now I am unsure if I can connected somehow to a PC motherboard. Did anyone use it in a similar setup?

Hi I have a GA-Z175-SLI-CF gigabyte motherboard that needs to be fitted with a TPM 2.0. The mb has a 20 pin connector with one pin missing. Is there a specific module for this mb?

Hello,

We are also considering a multiple SPI configuration of TPM (SLB9670) and SPI Flash as shown in the thread below.

https://community.infineon.com/t5/OPTIGA-TPM/Multiple-SPI-devices-together-with-TPM/td-p/354692

In this thread, SCLK, MISO, and MOSI are described as don't care when CS# is disabled (High).

In our usage, the SCLK frequency is switched on the Host side as shown below.

- SCLK operates at 50MHz when CS# of SPI FLASH is enabled

- SCLK operates at 14MHz when CS# of SLB9670VQ20 is enabled

In other words, when CS# of SLB9670 is disabled, Closk with a frequency of 50MHz is input to SCLK.

On the data sheet, the maximum frequency is 43MHz under all conditions, so a clock with a frequency higher than the data sheet will be input.

Is it safe to assume that this condition is not a problem?

Is it a don't care as per the thread above?

Thanks.

Hi, 

How is SLB9670's endurance defined?

I would like to know the guaranteed value.

For example, I would be happy if you could tell me how to express it like 10kcycles.

Regards,

Hi everyone, 

I am quite new to the topic of TPMs and I have a question regarding the SLB 9665. I am wondering about the maximum lifetime of the TPM module SLB 9665 and the Endoresement Key. 

When using the "Get-TpmEndorsementKeyInfo" command on my development system I get the response that the "ManufacturerCertificates" is valid until the date specified in the field "Not After" is reached. Which is somewhere in the middle of the 2030s.

So what happens afterwards? Will the system not be able to boot as soon as the certificate expires when using something like Bitlocker and/or Secure Boot? Is there a way to "extend" the lifetime of the certificate to a desired date?

I found the following discussion on this forum: SLB 9673 "Useful lifetime" - Infineon Developer Community which is somehow related to my question I guess.

Regards,
bsdev

Hello, I have an OPTIGA TPM 2.0 SLI9670 and I want to sign a file, I want to create a public-private keypair, keep the private key persistent inside the TPM, sign the file I need and also export the public key to verify the signed file on another computer. Is that possible? What's the best way to accomplish that.