Using Raspberry Pi to send data (hexadecimal keys) into OPTIGA™ Trust X on S2GO SECURITY OPTIGA X


mrashford

My goal is to use Raspberry Pi 3 Model B+ (RPi) to write hexadecimal keys/numbers into OPTIGA™ Trust X on the Security Shield2Go board, through a Python program. The communication between RPi and Trust X is through the I2C interface.

May I know whether there are existing libraries to use? If yes, may I know the procedure to use the library and the procedure to complete the whole I2C setup?

Thanks!

Karishma_S

Hi @mrashford,

Please refer to python-optiga-trust GitHub repo which contains the python libraries for OPTIGA Trust devices. You can find the setup and working details in the documentation link.

 

20 Replies

Hi @Karishma_S ,

May I know why the device address of Trust X is not detected?

[screenshot]

 

Karishma_S

Can you please provide more details about your setup and all the steps you have performed?


My setup involves connecting RPi with Trust X using this connection example:

Actual setup:

[screenshot]

(Blue Ethernet cable is connected to my laptop)

After cloning the python-optiga-trust GitHub repo, I installed the optigatrust package and ran the script in the Examples section:

[screenshot]

and received this output:

[screenshot]

I2C settings on RPi are enabled.

Karishma_S

To detect the device address of Trust X, please use the Infineon-specific tools for i2c (link). Generic i2c commands are not supported without this library.

 

Please confirm that your user is added to the gpio group by using the command 'sudo adduser pi gpio'. If you're not added as a user, you will not have the right to access the gpio.


I suppose I have to clone the library and follow Getting Started?

[screenshot]


Will I be able to use these tools if I'm coding in Python?

Karishma_S

 


@mrashford wrote:

I suppose I have to clone the library and follow Getting Started


Yes, clone and compile the library. This is required to communicate with optiga trust devices via i2cdetect, i2cget, etc. 


@mrashford wrote:

Will I be able to use these tools if I'm coding in Python?


This is an independent tool, and it should not disturb the optiga-python library implementation.

 

NOTE: As mentioned in the documentation, add your user to the gpio group (RPi3: via sudo adduser pi gpio). If you're not added as a user, you will not have the right to access the gpio.


Suppose I have compiled the library correctly, does this count as communication with Trust X?

[screenshot]

If yes, what does "No register input!!" mean?

And how do I use i2cdetect and i2cget commands?

[screenshot]

 

Karishma_S

@mrashford wrote:

Suppose I have compiled the library correctly, does this count as communication with Trust X?

If yes, what does "No register input!!" mean?


Can you please tell me when this message appears: after compilation or after i2cdetect? It looks like the code has compiled successfully and some issue has occurred after that.

 


@mrashford wrote:

And how do I use i2cdetect and i2cget commands?


Please use the trustx_scan command mentioned in usage. trustx_scan is the alternative for i2cdetect, and it is recommended to use the commands specified in usage.


The message appears together with the detected address and i2c bus number after I run trustx_reg on Geany.

[screenshot]


Can you show me how to use the commands? I tried using the commands on Linux terminal in the following ways but I get "command not found":

[screenshot]

 

Karishma_S

The trustx_reg command is used to read/write data into registers, so it should be used with one of the available options (-a, -b, -w etc.). Refer to the image below.

[screenshot]

NOTE: Execute all commands from the bin directory as seen in the image.

If the trustx_scan command does not detect the i2c address, execute the trustx_w_addr command to set the i2c address and then execute the trustx_scan command. Refer to the image below.

[screenshot]

 


Is your directory shown as i2c-utils-optiga-trust-master because you renamed it from i2c-utils-optiga-trust?

The following are my outputs after executing the commands:

[three screenshots]

Why are the commands not working?

Karishma_S

Can you confirm whether the LED on the Trust X S2GO is lit (it should be red), i.e. that the S2GO is powered on? Can you use shorter cables or make sure that they have a good hardware connection?


Oh yes, now the commands are working.

How do I write data into Trust X?

Karishma_S

Please refer to the documentation link for details about various objects, metadata and implementation of various functionalities like key pair generation, signature algorithms etc.


I need to write keys into Arbitrary Data Object memory slots. Do you know which internal register address they reside at? Or how do I write directly to the memory slot number?

Also, are you familiar with SetDataObject command?

[screenshot]

 

Karishma_S

As mentioned in Table - 36 (page 94) of solution reference manual, the object IDs (OID) of Arbitrary Data Objects are 0xF1D0 to 0xF1DF and 0xF1E0 to 0xF1E1. 

Do you want to generate keys using OPTIGA and then store it in arbitrary data objects or do you want to store external keys in arbitrary data objects? 

If you want to store external keys, then refer to the example in the following link.


I want to store external keys.

[screenshot]

Can the secret be as long as what I require?
If I'm writing to the F1D0 slot, are the app_data.meta and mac variables necessary?
In app_data.meta, is 'type' the secret type and 'execute' the access condition?

Karishma_S

Can the secret be as long as what I require?


The length of the secret should be restricted based on the size of the data object. As shown in the following link (also present in the Solution reference manual, table 29), the size of type 1 arbitrary data objects (0xF1D0 to 0xF1DF) is 100 B and the size of type 2 arbitrary data objects (0xF1E0 to 0xF1E1) is 1500 B. You can store the keys in the appropriate data objects based on their size.

 

If I'm writing to the F1D0 slot, are the app_data.meta and mac variables necessary?

The app_data.meta is used to modify the metadata of the object. Refer to the following link for details regarding metadata.

The mac variable is just to show an example of HMAC generation; it is not required if you do not have an HMAC use case.

 

In app_data.meta, is 'type' the secret type and 'execute' the access condition?

Yes, 'execute' is the access condition and 'type' is used to define the type of data you are storing in arbitrary data objects. As you are storing the secret key in an arbitrary data object, you have to set the type accordingly. Refer to the following link for the various type definitions.

 

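Added example (not code from this thread or from the python-optiga-trust project): a size check that applies the object capacities the moderator quotes (type 1 objects 0xF1D0 to 0xF1DF hold 100 B, type 2 objects 0xF1E0 to 0xF1E1 hold 1500 B) before an external secret is written, so an oversized key is rejected on the host instead of failing on the device. The metadata key names and the 'pre_sh_secret' type string are assumed to match the python-optiga-trust README HMAC example; the device write is injected as a callable (`fake_writer` is a constructed stand-in) so the check runs without hardware.

```python
import os
from typing import Callable, Dict, List, Tuple

# Arbitrary data object capacities as stated in the thread (solution reference
# manual table 29): type 1 = 0xF1D0..0xF1DF, 100 B; type 2 = 0xF1E0..0xF1E1, 1500 B.
ARBITRARY_DATA_OBJECTS: Dict[int, int] = {
    **{oid: 100 for oid in range(0xF1D0, 0xF1E0)},
    **{oid: 1500 for oid in range(0xF1E0, 0xF1E2)},
}

def capacity(oid: int) -> int:
    """Size in bytes of arbitrary data object `oid`; raises for any other OID."""
    if oid not in ARBITRARY_DATA_OBJECTS:
        raise ValueError(f"0x{oid:04X} is not an arbitrary data object")
    return ARBITRARY_DATA_OBJECTS[oid]

def secret_meta(execute: str = "always") -> Dict[str, str]:
    """Metadata for a stored secret. Assumption: the key names and the
    'pre_sh_secret' value follow the python-optiga-trust README example."""
    return {"execute": execute, "type": "pre_sh_secret"}

def plan_write(secret: bytes, oid: int, execute: str = "always") -> Dict[str, object]:
    """Validate `secret` against the slot before touching the device and return
    what a caller would pass to Object(oid).meta and Object(oid).write()."""
    limit = capacity(oid)
    if not secret:
        raise ValueError("refusing to write an empty secret")
    if len(secret) > limit:
        raise ValueError(f"{len(secret)} B does not fit 0x{oid:04X} ({limit} B)")
    return {"oid": oid, "meta": secret_meta(execute), "length": len(secret)}

def write_secret(secret: bytes, oid: int,
                 writer: Callable[[int, Dict[str, str], bytes], None]) -> Dict[str, object]:
    """Check first, then hand the write to `writer`, e.g. a function that does
    obj = optigatrust.objects.Object(oid); obj.meta = meta; obj.write(secret)."""
    plan = plan_write(secret, oid)
    writer(oid, plan["meta"], secret)
    return plan

# Constructed stand-in for the device so the check runs offline.
written: List[Tuple[int, int]] = []
def fake_writer(oid: int, meta: Dict[str, str], data: bytes) -> None:
    written.append((oid, len(data)))

if __name__ == "__main__":
    print(write_secret(os.urandom(32), 0xF1D0, fake_writer))    # fits a type 1 slot
    print(write_secret(os.urandom(1024), 0xF1E0, fake_writer))  # needs a type 2 slot
```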
Karishma_S

Please let us know if your query was resolved.

We will wait for 3 days and then lock this thread. In case your problem is not resolved, please create a new thread and we will be happy to help. 
