Security & Smart Card Forum Discussions
OPTIGA™ Trust
High-end, easy-to-use security solutions that provide an anchor of trust for your application, connecting IoT devices to the cloud, giving billions of devices their own unique identity, pre-personalized turnkey solutions, zero-touch onboarding, high performance, ... We did not meet your expectations? Let us know!
OPTIGA™ TPM
OPTIGA™ TPM (Trusted Platform Module) offers a broad portfolio of standardized security controllers to protect the integrity and authenticity of embedded devices and systems. With a secured key store and support for a variety of encryption algorithms, OPTIGA™ TPM security chips provide robust protection for critical data and processes through their rich functionality. OPTIGA™ TPM security controllers are ideal for platforms running both Windows and Linux and its derivatives (SLB 9645 product versions for Chrome OS available). Based on Trusted Computing Group (TCG) standards, they support the TPM 1.2 or the latest innovative TPM 2.0 standard.
SECORA™ Blockchain
SECORA™ Blockchain is a fast, easy-to-use Java Card™ solution supporting best-in-class security for blockchain system implementations. By providing a safe “vault” for user credentials, SECORA™ Blockchain can reduce the end user’s commercial risk and helps to increase trust in the blockchain system.
CIPURSE™
Open, international standards such as CIPURSE™ are the best way to ensure interoperability across secured, cost-effective and flexible multi-application schemes supporting fare collection. Infineon is the world’s first supplier of a complete CIPURSE™ certified product portfolio.
Featured Discussions
Hi,
We are working on implementing a secure boot process using the SLB9673 TPM 2.0 on the AM5748. We are able to communicate with the TPM 2.0 using the TSS tools.
Following is the list of commands that we are able to access. Do you believe the current list is sufficient, or do we need additional commands to better support our needs in future?
tpm2_activatecredential tpm2_hash tpm2_pcrextend
tpm2_certify tpm2_hmac tpm2_pcrlist
tpm2_create tpm2_listpersistent tpm2_quote
tpm2_createpolicy tpm2_load tpm2_rc_decode
tpm2_createprimary tpm2_loadexternal tpm2_readpublic
tpm2_dictionarylockout tpm2_makecredential tpm2_rsadecrypt
tpm2_encryptdecrypt tpm2_nvdefine tpm2_rsaencrypt
tpm2_evictcontrol tpm2_nvlist tpm2_send
tpm2_getcap tpm2_nvread tpm2_sign
tpm2_getmanufec tpm2_nvreadlock tpm2_startup
tpm2_getpubak tpm2_nvrelease tpm2_takeownership
tpm2_getpubek tpm2_nvwrite tpm2_unseal
tpm2_getrandom tpm2_pcrevent tpm2_verifysignature
Our first requirement is about configuring secure boot using TPM 2.0.
Could you also help us with the detailed steps on how to configure the TPM 2.0 for secure boot with the help of tpm2 commands?
Additionally, we've encountered an issue where we are unable to clear the DA Lockout (Dictionary Lockout) mode. Whenever we attempt to clear the lockout using tpm2_dictionarylockout, we're presented with the following error code: 0x921.
Thanks and regards,
Mythreyi U
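The error code in the post above has a fixed bit layout, so it can be decoded offline. 0x921 is a format-zero TPM 2.0 warning: RC_WARN (0x900) + 0x021 = TPM_RC_LOCKOUT, the TPM's answer when authorization of a DA-protected object is refused because the dictionary-attack lockout is active (tpm2_rc_decode, which is in the list above, prints the same name). The Python below is an added example, not code from the post or from tpm2-tools; its name tables cover only a subset of the codes defined in TCG TPM 2.0 Library Part 2, section 6.6, and it also handles the format-one layout that names the offending handle, session or parameter.

```python
"""Decode TPM 2.0 response codes (TPM_RC) by the bit layout in TCG TPM 2.0
Library Part 2, section 6.6.  Added example, not code from the forum post or
from tpm2-tools; the name tables are a subset of the codes defined there."""

RC_VER1 = 0x100   # format-zero, TPM 2.0 error base
RC_FMT1 = 0x080   # format-one base: errors tied to a handle, session or parameter
RC_WARN = 0x900   # format-zero warning base

# Format-zero codes (bits 6:0 number, bit 8 V=1 for TPM 2.0, bit 11 S=1 warning).
FORMAT0_NAMES = {
    0x100: "TPM_RC_INITIALIZE", 0x101: "TPM_RC_FAILURE", 0x119: "TPM_RC_HMAC",
    0x120: "TPM_RC_DISABLED", 0x126: "TPM_RC_POLICY", 0x127: "TPM_RC_PCR",
    0x12F: "TPM_RC_AUTH_UNAVAILABLE", 0x143: "TPM_RC_COMMAND_CODE",
    0x148: "TPM_RC_NV_LOCKED", 0x149: "TPM_RC_NV_AUTHORIZATION",
    0x14A: "TPM_RC_NV_UNINITIALIZED",
    0x907: "TPM_RC_LOCALITY", 0x920: "TPM_RC_NV_RATE", 0x921: "TPM_RC_LOCKOUT",
    0x922: "TPM_RC_RETRY", 0x923: "TPM_RC_NV_UNAVAILABLE",
}
# Format-one codes (bits 5:0 number); bit 6 and bits 11:8 say where the error is.
FORMAT1_NAMES = {
    0x081: "TPM_RC_ASYMMETRIC", 0x082: "TPM_RC_ATTRIBUTES", 0x083: "TPM_RC_HASH",
    0x084: "TPM_RC_VALUE", 0x085: "TPM_RC_HIERARCHY", 0x08B: "TPM_RC_HANDLE",
    0x08E: "TPM_RC_AUTH_FAIL", 0x095: "TPM_RC_SIZE", 0x09B: "TPM_RC_SIGNATURE",
    0x09D: "TPM_RC_POLICY_FAIL", 0x09F: "TPM_RC_INTEGRITY", 0x0A2: "TPM_RC_BAD_AUTH",
    0x0A3: "TPM_RC_EXPIRED",
}
# Codes that bear on the dictionary-attack (DA) logic.
DA_NOTES = {
    "TPM_RC_AUTH_FAIL": "wrong auth value for a DA-protected object; the DA failure counter was incremented",
    "TPM_RC_BAD_AUTH": "wrong auth value; no DA implications (counter not incremented)",
    "TPM_RC_LOCKOUT": "TPM is in DA lockout: auth of DA-protected objects is refused until "
                      "recoveryTime elapses or TPM2_DictionaryAttackLockReset succeeds with lockoutAuth",
}


def decode_rc(rc: int) -> dict:
    """Return format, symbolic name and (format one) the offending handle/session/
    parameter index of a raw response code.  tpm2-tools and the TSS put a layer
    number in bits 23:16; only layer 0 is a response from the TPM itself."""
    layer, code = rc >> 16, rc & 0xFFF
    out = {"rc": rc, "layer": layer, "warning": False, "where": None, "note": None}
    if layer != 0:
        out["name"] = f"TSS layer {layer} code 0x{rc & 0xFFFF:04x} (not a TPM_RC)"
        return out
    if code == 0:
        out["name"] = "TPM_RC_SUCCESS"
        return out
    if code & 0x80:                       # F=1: format one
        number = code & 0x3F
        n = (code >> 8) & 0xF
        if code & 0x40:                   # P=1: parameter number
            out["where"] = f"parameter {n}"
        elif n & 0x8:                     # bit 11 set: session number
            out["where"] = f"session {n & 0x7}"
        else:
            out["where"] = f"handle {n}"
        out["name"] = FORMAT1_NAMES.get(RC_FMT1 | number, f"TPM_RC_FMT1+0x{number:02x}")
    else:                                 # F=0: format zero
        if not code & 0x100:              # V=0: a TPM 1.2 code
            out["name"] = f"TPM 1.2 response code 0x{code:03x}"
            return out
        if code & 0x400:                  # T=1: vendor-defined
            out["name"] = f"vendor-specific code 0x{code:03x}"
            return out
        out["warning"] = bool(code & 0x800)
        key = (RC_WARN if out["warning"] else RC_VER1) | (code & 0x7F)
        out["name"] = FORMAT0_NAMES.get(key, f"TPM_RC 0x{key:03x}")
    out["note"] = DA_NOTES.get(out["name"])
    return out


if __name__ == "__main__":
    for rc in (0x921, 0x98E, 0x1C4, 0x14A):
        print(hex(rc), decode_rc(rc))
```

decode_rc(0x921) reports warning=True and TPM_RC_LOCKOUT, with the note that the lockout ends either by waiting out recoveryTime or by a successful TPM2_DictionaryAttackLockReset authorized with lockoutAuth. A format-one code such as 0x98E decodes to TPM_RC_AUTH_FAIL on session 1, the code a DA-protected object returns for a wrong auth value while the failure counter is still below maxTries.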
I'm trying to encrypt a string using TSS.Java. It goes well on Intel TPMs, but fails on Infineon TPMs. All my code borrows from the TSS.Java samples and uses the EncryptDecrypt2() command. I tried 4 physical desktops with Intel TPMs, 2 Azure VMs, and 2 physical laptops with Infineon. All of them are without problems except the Infineon TPMs. I can't tell where the issue originates from, the TSS.Java library or the Infineon TPM? Any help is appreciated.
PS: I executed the code as administrator (root), of course.
Hi All,
Please let me know what is the issue here.
I have SLI 9670 on my custom board.
SLI 9670 is connected over SPI bus to S32G2 processor.
Linux kernel probe fails.
1. Reading of the vendor ID used to fail with the error below.
tpm_tis_spi: probe of spi1.0 failed with error -110
Problem resolved by driving the RST pin permanently high in the device-tree pin configuration.
+ gamma-tpm-9670-rst-hog {
+ gpio-hog;
+ gpios = <13 GPIO_OPEN_DRAIN>;
+ output-high;
+ line-name = "gamma-tpm-9670-rst";
+ };
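Review bot: with `gpios = <13 GPIO_OPEN_DRAIN>;` the `output-high` in this hog only releases the line; the high level on RST then comes from whatever pull-up sits on the net, so confirm the board has one (or drop GPIO_OPEN_DRAIN if the pin is push-pull), otherwise the TPM reset input floats and the later wait_startup failure may be the same symptom in a new place. A `gpio-hog` also claims the line for the lifetime of the system, so no driver can ever assert reset to the TPM; if a reset toggle is needed to recover the chip, that has to be done outside this hog.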
2. Now this error is noticed.
vendor: 0x1000000 - Is the read vendor id correct? Please confirm.
wait_startup: returns -1
Returning error -ENODEV
drivers/char/tpm/tpm_tis_core.c:

tpm_tis_core_init()
{
    if (wait_startup(chip, 0) != 0) {
        rc = -ENODEV;
        pr_err("Returning error -ENODEV\n");
        goto out_err;
    }

/* Before we attempt to access the TPM we must see that the valid bit is set.
 * The specification says that this bit is 0 at reset and remains 0 until the
 * 'TPM has gone through its self test and initialization and has established
 * correct values in the other bits.'
 */
static int wait_startup(struct tpm_chip *chip, int l)
{
    ......
    } while (time_before(jiffies, stop));
    pr_err("wait_startup: returns -1\n");
    return -1;
}
Thanks & Regards,
Gangadhar
@sneha_prahalad, @Sharath, @ataulmanan
Hello everyone, I am using a Raspberry Pi 4 board with the Bullseye OS and an Infineon SLB9670 TPM. After booting the OS, I read the PCR values and they are all zeroes. At this point I am able to extend the PCR values. My query is: why are the PCR values not extended during the boot process, or what should I do for PCR extension?
When installing tpm2-tools, running the following command to install the dependencies:
sudo apt -y install autoconf automake libtool pkg-config \
gcc libssl-dev libcurl4-gnutls-dev pandoc python-yaml expect
reports the error E: Package 'python-yaml' has no installation candidate.
Raspberry Pi 3 Model B V1.2, kernel version: Linux raspberrypi 5.15.76-v7+ #1597 SMP Fri Nov 4 12:13:17 GMT 2022 armv7l GNU/Linux.
Hello everyone, is there any way/command for TPM 2.0 to find out the origin/locality of a command? I mean, from where it was initiated. Or any function in the ESAPI library?
Hi, I am using the TPM module below:
TPM Device
Vendor ID: IFX
Specification Version: 2.0
Firmware Revision: 13.11
Description: INFINEON
Characteristics:
Family configurable via platform software support
OEM-specific Information: 0x00000000
I want to add IMA support to my kernel 5.10 on an x86 machine.
Can someone please suggest what is wrong here?
Thanks,
Nikhil
Hi All,
I have worked with the SLB9873, but when I did so with Linux kernel v5.1 I got an issue; it is not working,
so does Linux kernel v5.1 support the SLB9873? Has anyone done work with Linux kernel v5.1 before?
thank you,
Hello everyone, I am able to execute the tpm2_quote and tpm2_checkquote commands successfully. I also found the equivalent function for the tpm2_quote command in the ESYS API library, which is esys_quote(). But I am not able to find any equivalent function for the tpm2_checkquote command in the ESYS API. Please guide me on how to do the same thing.
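Two of the posts above (PCR values reading all zeroes after boot on the Raspberry Pi, and looking for an ESAPI equivalent of tpm2_checkquote) come down to the same arithmetic: a PCR only changes when something calls TPM2_PCR_Extend, and a quote is checked by replaying the measurements, hashing the selected PCR values and comparing that against the pcrDigest carried inside the signed TPMS_ATTEST, together with the nonce and the signature. The Python below is an added example, not code from either post, from tpm2-tools or from tss2; the event log, nonce, clockInfo and firmwareVersion values are constructed inline, and the signature check over the attest bytes is left to a caller-supplied callback (tpm2_checkquote does that step with the attestation key's public part).

```python
"""Replay a PCR event log and check a TPM 2.0 quote against it (the checks
tpm2_checkquote performs, minus the signature).  Added example; not code from
the forum posts, tpm2-tools or tss2.  The event log, nonce, clockInfo and
firmwareVersion values below are constructed for illustration."""
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347   # TPMS_ATTEST.magic
TPM_ST_ATTEST_QUOTE = 0x8018       # TPMS_ATTEST.type written by TPM2_Quote
TPM_ALG_SHA256 = 0x000B


def pcr_initial(index):
    """PC Client platforms start PCRs 0-16 and 23 at all zeroes and the
    resettable DRTM PCRs 17-22 at all ones after TPM2_Startup."""
    return b"\xff" * 32 if 17 <= index <= 22 else bytes(32)


def pcr_extend(old, digest):
    """TPM2_PCR_Extend on the SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(old + digest).digest()


def replay_log(events):
    """events: iterable of (pcr_index, measured_bytes); returns {index: value}.
    A PCR that nothing in the log touched stays at its initial value."""
    pcrs = {i: pcr_initial(i) for i in range(24)}
    for idx, data in events:
        pcrs[idx] = pcr_extend(pcrs[idx], hashlib.sha256(data).digest())
    return pcrs


def pcr_digest(pcrs, selection):
    """TPMS_QUOTE_INFO.pcrDigest: hash of the selected PCR values concatenated
    in ascending index order (one SHA-256 bank here)."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()


def build_attest(nonce, pcrs, selection, signer_name=b"\x00\x0b" + bytes(32)):
    """Serialise a TPMS_ATTEST of type TPM_ST_ATTEST_QUOTE, i.e. the 'message'
    file tpm2_quote writes, selecting the given PCRs in the SHA-256 bank."""
    select = bytearray(3)
    for i in selection:
        select[i // 8] |= 1 << (i % 8)
    pcr_select = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)
    digest = pcr_digest(pcrs, selection)
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + struct.pack(">H", len(signer_name)) + signer_name   # qualifiedSigner
            + struct.pack(">H", len(nonce)) + nonce               # extraData (the nonce)
            + struct.pack(">QIIB", 1234567, 3, 0, 1)              # clockInfo (constructed)
            + struct.pack(">Q", 0x0007000000000000)               # firmwareVersion (constructed)
            + pcr_select                                          # TPML_PCR_SELECTION
            + struct.pack(">H", len(digest)) + digest)            # pcrDigest


def parse_attest(blob):
    """Minimal TPMS_ATTEST parser for a quote over one SHA-256 bank."""
    magic, st = struct.unpack_from(">IH", blob, 0)
    if magic != TPM_GENERATED_VALUE or st != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    off = 6
    n, = struct.unpack_from(">H", blob, off); off += 2 + n        # skip qualifiedSigner
    n, = struct.unpack_from(">H", blob, off); off += 2
    nonce = blob[off:off + n]; off += n
    off += 17 + 8                                                 # clockInfo, firmwareVersion
    count, = struct.unpack_from(">I", blob, off); off += 4
    selection = set()
    for _ in range(count):
        alg, size = struct.unpack_from(">HB", blob, off); off += 3
        bits = blob[off:off + size]; off += size
        if alg != TPM_ALG_SHA256:
            raise ValueError("example handles only the SHA-256 bank")
        selection |= {8 * b + j for b in range(size) for j in range(8) if bits[b] >> j & 1}
    n, = struct.unpack_from(">H", blob, off); off += 2
    return {"nonce": nonce, "selection": selection, "pcr_digest": blob[off:off + n]}


def check_quote(blob, expected_nonce, replayed_pcrs, verify_signature=None):
    """Return the list of failed checks (empty means the quote is good).
    verify_signature, if given, receives the raw TPMS_ATTEST bytes and must
    verify the quote signature with the attestation key's public part."""
    try:
        q = parse_attest(blob)
    except ValueError as e:
        return [str(e)]
    failures = []
    if q["nonce"] != expected_nonce:
        failures.append("nonce mismatch (replayed or stale quote)")
    if q["pcr_digest"] != pcr_digest(replayed_pcrs, q["selection"]):
        failures.append("pcrDigest does not match the event log")
    if verify_signature is not None and not verify_signature(blob):
        failures.append("bad signature")
    return failures


# Constructed event log: what a measuring bootloader would have extended.
EVENT_LOG = [(0, b"firmware image v1"), (4, b"u-boot 2023.10"), (8, b"kernel 5.15 cmdline")]
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo():
    """A good quote, and the same quote checked against a log whose PCR 8 differs."""
    pcrs = replay_log(EVENT_LOG)
    blob = build_attest(NONCE, pcrs, {0, 4, 8})
    tampered = replay_log(EVENT_LOG + [(8, b"unexpected module")])
    return check_quote(blob, NONCE, pcrs), check_quote(blob, NONCE, tampered)


if __name__ == "__main__":
    print(demo())
```

replay_log([]) reproduces what the Raspberry Pi poster sees: every PCR in the 0-16 range stays at 32 zero bytes when no boot component called extend, and the value of a PCR after boot is reproducible only from the ordered list of digests that were extended into it. The nonce check is what stops a captured quote being replayed later; the pcrDigest check is what ties the quote to the event log; neither means anything until the signature over the same bytes has been verified against a key whose provenance is known.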
Hello,
I see that OPTIGA has only 1 AES key slot (0xE200), but for our use case we need to store at least 5 AES keys in secure storage.
Is there a solution to this? Or any alternative SE?
Thanks
Reference:
https://github.com/Infineon/optiga-trust-m/wiki/Data-and-Key-Store-Overview