Security & Smart Card Forum Discussions
OPTIGA™ Trust
High-end, easy-to-use security solutions that provide an anchor of trust for your application, connecting IoT devices to the cloud, giving billions of devices their own unique identity, pre-personalized turnkey solutions, zero-touch onboarding, high performance, ... We did not meet your expectations? Let us know!
OPTIGA™ TPM
OPTIGA™ TPM (Trusted Platform Module) offers a broad portfolio of standardized security controllers to protect the integrity and authenticity of embedded devices and systems. With a secured key store and support for a variety of encryption algorithms, OPTIGA™ TPM security chips provide robust protection for critical data and processes through their rich functionality. OPTIGA™ TPM security controllers are ideal for platforms running both Windows and Linux and its derivatives (SLB 9645 product versions for Chrome OS available). Based on Trusted Computing Group (TCG) standards, they support the TPM 1.2 or the latest innovative TPM 2.0 standard.
SECORA™ Blockchain
SECORA™ Blockchain is a fast, easy-to-use Java Card™ solution supporting best-in-class security for block chain system implementations. By providing a safe “vault” for user credentials, SECORA™ Blockchain can reduce the final user’s commercial risk and helps to increase trust in the block chain system.
CIPURSE™
Open, international standards such as CIPURSE™ are the best way to ensure interoperability across secured, cost-effective and flexible multi-applications schemes supporting fare collection. Infineon is the world’s first supplier of a complete CIPURSE™ certified product portfolio.
OPTIGA™ Connect
OPTIGA™ Connect is a family of turnkey eSIM security solutions for easy, flexible and secured cellular connectivity. They are optimized for specific requirements of industrial and IoT applications as well as those of consumer devices.
NOTE: We currently support only OPTIGA™ Connect IoT on this forum. For queries on OPTIGA™ Connect Consumer, please create a case at https://mycases.infineon.com/.
Featured Discussions
Hi all,
My system configuration:
- OS: Fedora 36
- TPM related packages:
  openssl.aarch64: 1:3.0.8-1.fc36
  tpm2-tss.aarch64: 3.2.2-1.fc36
  tpm2-tools.aarch64: 5.4-1.fc36
Description:
Many tpm2-tools commands return ErrorCode (0x00070001) EVP_PKEY_new_mac_key
[root@fedora ~]# ls /dev/tpm*
/dev/tpm0 /dev/tpmrm0
[root@fedora ~]# tpm2_nvdefine 0x1500016 -C o -s 32 -a 0x2000A
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1241:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1351:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:227:Esys_NV_DefineSpace_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_NV_DefineSpace.c:99:Esys_NV_DefineSpace() Error in async function ErrorCode (0x00070001)
[root@fedora ~]# tpm2_clear
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1241:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1351:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:188:Esys_Clear_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Clear.c:74:Esys_Clear() Error in async function ErrorCode (0x00070001)
ERROR: Esys_Clear(0x70001) - esapi:Catch all for all errors not otherwise specified
[root@fedora ~]# tpm2_createprimary -C o -g sha256 -G ecc -c context.out
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1241:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1351:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:237:Esys_CreatePrimary_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:110:Esys_CreatePrimary() Error in async function ErrorCode (0x00070001)
ERROR: Esys_CreatePrimary(0x70001) - esapi:Catch all for all errors not otherwise specified
ERROR: Unable to run tpm2_createprimary
Dear,
How do I check TPM error codes, such as: ERROR:esys:src/tss2-esys/api/Esys_RSA_Decrypt.c:102:Esys_RSA_Decrypt() Esys Finish ErrorCode (0x00000921)? How should I check the meaning of this error code 0x00000921? Thanks!~
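Both the first post (ErrorCode 0x00070001 from the ESYS layer) and this one (0x00000921 returned by the TPM itself) are asking how to read a TSS2 return code. tpm2-tools ships tpm2_rc_decode for exactly this, and the page itself shows its output for 0x70001 ("esapi:Catch all for all errors not otherwise specified"). The decoder below is an added example written for this page, not code from the thread, tpm2-tss or Infineon; it implements the TPM_RC layout from TCG TPM 2.0 Library Part 2 section 6.6 (format 0 errors/warnings, format 1 codes with a handle, parameter or session number) on top of the TSS2 layer byte. The name tables are a constructed subset of the spec's codes, so anything outside them decodes to its raw number.

```python
"""Decode TPM 2.0 response codes (TPM_RC) wrapped in TSS2_RC layer codes.

Added example, not from the forum thread. Bit layout per TCG TPM 2.0 Part 2
section 6.6; layer numbers per tss2_common.h. Tables are a partial, constructed
subset: unknown codes are reported numerically rather than guessed.
"""

# TSS2 layer identifiers live in bits 23:16 of a TSS2_RC (partial list).
TSS2_LAYERS = {0: "tpm", 6: "feature", 7: "esapi", 8: "sys", 9: "mu",
               10: "tcti", 11: "resmgr", 12: "resmgr-tpm"}

# TSS2_BASE_RC_* values carried in bits 15:0 of the non-TPM layers (partial).
TSS2_BASE_RC = {1: "GENERAL_FAILURE", 2: "NOT_IMPLEMENTED", 3: "BAD_CONTEXT",
                4: "ABI_MISMATCH", 5: "BAD_REFERENCE", 6: "INSUFFICIENT_BUFFER",
                7: "BAD_SEQUENCE", 8: "NO_CONNECTION", 9: "TRY_AGAIN",
                10: "IO_ERROR", 11: "BAD_VALUE", 12: "NOT_PERMITTED"}

RC_VER1 = 0x100   # bit 8 set: TPM 2.0 format-0 code (clear: TPM 1.2 code)
RC_FMT1 = 0x080   # bit 7 set: format-1 code, carries handle/parameter/session number
RC_WARN = 0x900   # RC_VER1 plus bit 11: warning, not an error

FMT0_ERRORS = {0x00: "INITIALIZE", 0x01: "FAILURE", 0x03: "SEQUENCE", 0x0B: "PRIVATE",
               0x19: "HMAC", 0x20: "DISABLED", 0x21: "EXCLUSIVE", 0x24: "AUTH_TYPE",
               0x25: "AUTH_MISSING", 0x26: "POLICY", 0x27: "PCR", 0x28: "PCR_CHANGED",
               0x2E: "TOO_MANY_CONTEXTS", 0x2F: "AUTH_UNAVAILABLE", 0x30: "REBOOT",
               0x42: "COMMAND_SIZE", 0x43: "COMMAND_CODE", 0x44: "AUTHSIZE",
               0x46: "NV_RANGE", 0x47: "NV_SIZE", 0x48: "NV_LOCKED",
               0x49: "NV_AUTHORIZATION", 0x4A: "NV_UNINITIALIZED", 0x4B: "NV_SPACE",
               0x4C: "NV_DEFINED", 0x50: "BAD_CONTEXT", 0x53: "NEEDS_TEST"}

FMT0_WARNINGS = {0x01: "CONTEXT_GAP", 0x02: "OBJECT_MEMORY", 0x03: "SESSION_MEMORY",
                 0x04: "MEMORY", 0x05: "SESSION_HANDLES", 0x06: "OBJECT_HANDLES",
                 0x07: "LOCALITY", 0x08: "YIELDED", 0x09: "CANCELED", 0x0A: "TESTING",
                 0x20: "NV_RATE", 0x21: "LOCKOUT", 0x22: "RETRY", 0x23: "NV_UNAVAILABLE"}

FMT1_ERRORS = {0x01: "ASYMMETRIC", 0x02: "ATTRIBUTES", 0x03: "HASH", 0x04: "VALUE",
               0x05: "HIERARCHY", 0x07: "KEY_SIZE", 0x08: "MGF", 0x09: "MODE",
               0x0A: "TYPE", 0x0B: "HANDLE", 0x0C: "KDF", 0x0D: "RANGE",
               0x0E: "AUTH_FAIL", 0x0F: "NONCE", 0x10: "PP", 0x12: "SCHEME",
               0x15: "SIZE", 0x16: "SYMMETRIC", 0x17: "TAG", 0x18: "SELECTOR",
               0x1A: "INSUFFICIENT", 0x1B: "SIGNATURE", 0x1C: "KEY", 0x1D: "POLICY_FAIL",
               0x1F: "INTEGRITY", 0x20: "TICKET", 0x21: "RESERVED_BITS", 0x22: "BAD_AUTH",
               0x23: "EXPIRED", 0x24: "POLICY_CC", 0x25: "BINDING", 0x26: "CURVE",
               0x27: "ECC_POINT"}


def decode_tpm_rc(rc: int) -> str:
    """Decode the low 16 bits of a response code as a TPM_RC."""
    rc &= 0xFFFF
    if rc == 0:
        return "TPM_RC_SUCCESS"
    if rc & RC_FMT1:
        # Format 1: bits 5:0 = error number, bit 6 = P (parameter), bits 11:8 = N.
        err = rc & 0x3F
        n = (rc >> 8) & 0xF
        if rc & 0x40:
            where = "parameter %d" % n
        elif n < 8:
            where = "handle %d" % n
        else:
            where = "session %d" % (n - 8)   # N >= 8 numbers a session, 1-based
        return "TPM_RC_%s (%s)" % (FMT1_ERRORS.get(err, "FMT1_%#x" % err), where)
    if not rc & RC_VER1:
        return "TPM 1.2 response code %#x" % rc
    err = rc & 0x7F
    if rc & 0x400:                           # bit 10: vendor-defined code
        return "vendor-specific code %#x" % err
    if rc & 0x800:                           # bit 11: warning
        return "TPM_RC_%s (warning)" % FMT0_WARNINGS.get(err, "WARN_%#x" % err)
    return "TPM_RC_%s" % FMT0_ERRORS.get(err, "ERR_%#x" % err)


def decode_tss2_rc(rc: int) -> str:
    """Decode a full TSS2_RC: layer byte in bits 23:16, layer code below it."""
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    name = TSS2_LAYERS.get(layer, "layer%d" % layer)
    if layer in (0, 12):   # TPM response, directly or forwarded by the resource manager
        return "%s: %s" % (name, decode_tpm_rc(code))
    return "%s: TSS2_BASE_RC_%s" % (name, TSS2_BASE_RC.get(code, "BASE_RC_%#x" % code))


if __name__ == "__main__":
    # The two values from the posts above, plus a format-1 code for comparison.
    for rc in (0x00000921, 0x00070001, 0x98E):
        print("%#010x -> %s" % (rc, decode_tss2_rc(rc)))
```

Run stand-alone it prints that 0x921 is the format-0 warning TPM_RC_LOCKOUT (the TPM's dictionary-attack lockout is engaged, so DA-protected authorizations are refused until the lockout recovery time elapses), that 0x70001 is TSS2_BASE_RC_GENERAL_FAILURE raised in the ESAPI layer (a host-side failure, which is why the first post's error never reaches the chip), and that 0x98E is TPM_RC_AUTH_FAIL attributed to session 1. The same split matters for triage in general: a non-zero layer byte points at the TSS stack, OpenSSL provider or TCTI transport on the host, while layer 0 is the chip's own verdict.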
Hi
The TPM2.0 SLB 9673 does not start correctly and I can't narrow down the origin of the error.
Upon startup, I see the following in the logs:
dmesg | grep tpm
[ 1.767615] tpm_tis_i2c 1-002e: 2.0 TPM (device-id 0x1C, rev-id 22)
[ 1.787326] tpm tpm0: A TPM error (256) occurred attempting the self test
[ 1.794173] tpm tpm0: starting up the TPM manually
[ 55.049963] tpm tpm0: Error left over data
[ 55.054389] tpm tpm0: tpm_transmit: tpm_recv: error -5
[ 55.061185] tpm_tis_i2c: probe of 1-002e failed with error -5
I use the following kernel:
uname -r
5.15.71+gitf094805
The following kernel patches are cherry-picked:
tpm: Remove read16/read32/write32 calls from tpm_tis_phy_ops
dt-bindings: trivial-devices: Add Infineon SLB9673 TPM
tpm: Add tpm_tis_verify_crc to the tpm_tis_phy_ops protocol layer
tpm: Add tpm_tis_i2c backend for tpm_tis_core
tpm: tis_i2c: Fix sanity check interrupt enable mask
tpm: Add flag to use default cancellation policy
dts is extended with the following:
&i2c1 {
    #address-cells = <1>;
    #size-cells = <0>;
    clock-frequency = <100000>;
    .....
    /* TPM */
    tpm: tpm@2e {
        compatible = "infineon,slb9673", "tcg,tpm-tis-i2c";
        reg = <0x2e>;
    };
I have added the following to defconfig:
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_I2C=y
CONFIG_TCG_TIS_I2C_INFINEON=y
The wiring seems to be correct:
i2cdetect -y 1
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- 2e --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
HW:
OPTIGA TPM 9673 RPI EVAL
NXP IMX8
Does anyone have an idea where the problem is?
We are considering OPTIGA TRUST M SLS32AIA for a new project. The customer requires an active CC EAL4+ certification.
The product page https://www.infineon.com/cms/de/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-trust/optiga-trust-m-sls32aia/ says "High-end security controller with CC EAL6+ (high) certification".
However, I don't find an entry for this product in the common criteria database on https://www.commoncriteriaportal.org/products/ or https://seccerts.org/cc/
Where and how do I get the documents that prove the EAL6+ certification with expiry date?
Hi Everyone,
We are presently using TPM 1.2 (SLB9645) and we are looking for elliptic curve cryptography support, which is not available in TPM 1.2 it seems.
Does TPM 2.0 support elliptic curve cryptography, and is there a drop-in replacement for the present SLB9645 available for TPM 2.0?
Regards,
Snehal Patel
Hi,
There is a TPM device SLM9670 connected to an NXP CPU over the SPI bus on my board. The running Linux version is 4.14. The SPI mode is 0.
During the tpm_tis_core driver's TPM startup, the SPI master sends 0x80-0xd4-0x0-0x0 to the SLM9670; the SLM9670 responds 0x0-0x0-0x0-0x1 in the first transaction, then TPM ACCESS VALID (0x80) in the second transaction.
But on my board, the SLM9670 responds 0x0-0x0-0x0-0x1, then 0x0. Could you please tell me why the SLM9670 cannot respond with TPM ACCESS VALID? Thanks.
Please see the SPI bus waveforms captured by probe.
red: SCK
yellow: MOSI
blue: MISO
Hi, I have integrated the TPM 2.0 Iridium SLB 9670 together with the i.MX8MP processor to implement remote attestation using the IMA Linux kernel module. Sometimes I get this strange error "tpm tpm0: invalid TPM_STS.x 0xa8", for which I cannot find a solution online. As I understand it, I should get 0xff in case there are transmission calls to the TPM that are not protected by the tpm_try_get_ops command. Checking the Linux kernel, however, it is indeed called, and in fact the value is not 0xff but is variable. On a couple of other occasions, however, it has failed to even establish the initial connection ('2.0 TPM (device-id 0x1B, rev-id 22)'), and some debugging showed that the TPM SPI driver was stuck in an infinite loop waiting for the TPM locality. The wiring is correct; in fact, if the TPM connects without errors, the tpm2-tools commands work. The device tree is correct because I asked for confirmation on the NXP forum. I also tried replacing the TPM but got the same result. I am currently using Linux kernel 5.15.60, but I get the same error using the i.MX6UL board, which has kernel 5.10.60. What caused this error?
The output of dmesg | grep -i tpm
[ 2.077539] tpm_tis_spi spi1.0: 2.0 TPM (device-id 0x1B, rev-id 22)
[ 2.088911] tpm tpm0: A TPM error (256) occurred attempting the self test
[ 2.095719] tpm tpm0: starting up the TPM manually
[ 12.489312] tpm tpm0: tpm_try_transmit: send(): error -5
[ 38.235405] tpm tpm0: tpm_transmit: tpm_recv: error -52
[ 38.284794] tpm tpm0: invalid TPM_STS.x 0x85, dumping stack for forensics
[ 38.284861] tpm_tis_status+0xc8/0xe4
[ 38.284869] wait_for_tpm_stat+0x54/0x224
[ 38.284878] tpm_tis_send_data+0x220/0x28c
[ 38.284886] tpm_tis_send_main+0x34/0x110
[ 38.284893] tpm_tis_send+0x44/0x110
[ 38.284901] tpm_transmit+0xc8/0x340
[ 38.284908] tpm_transmit_cmd+0x30/0xc0
[ 38.284914] tpm2_pcr_extend+0x25c/0x300
[ 38.284921] tpm_pcr_extend+0xc4/0xd4
Hi
We'd like to run the SLS 32AIA010MH chip over '1-wire' (using 1-Wire/I2C drivers, e.g. DS28E18), so there is limited current available.
(1) Does the SLS 32AIA010MH implement
'RSASSA-PSS signature operation defined by RFC 8017 performed with the RSA-2048 bit IDR private key and the SHA-256 hash algorithm' ?
(2) How does this series of chips differ from TPM - do we still effectively have a kind of 'root of trust' feature?
(We were looking at the SLB9673, but the 35mA is too much for 1-wire).
(3) Supply current is shown as 14mA (typ) 'running a typical authentication profile'
(i) What is 'worst-case' supply current - is it possible to estimate?
(ii) How is the 14mA defined? Is this an average over the time taken to complete authentication, or peak instantaneous?
(iii) Are there available typical authentication timings?
(iv) Re: "Supply current can be limited from 6mA to 15mA by software commands" - Is there more information on reduced current modes? Presumably authentication is slower at 6mA?
(v) Can we start/stop authentication i.e. do the process in "bursts"?
Regards
Stephen