Security & Smart Card Forum Discussions
OPTIGA™ Trust
High-end, easy-to-use security solutions that provide an anchor of trust for your application, connecting IoT devices to the cloud, giving billions of devices their own unique identity, pre-personalized turnkey solutions, zero-touch onboarding, high performance, ... Did we not meet your expectations? Let us know!
OPTIGA™ TPM
OPTIGA™ TPM (Trusted Platform Module) offers a broad portfolio of standardized security controllers to protect the integrity and authenticity of embedded devices and systems. With a secured key store and support for a variety of encryption algorithms, OPTIGA™ TPM security chips provide robust protection for critical data and processes through their rich functionality. OPTIGA™ TPM security controllers are ideal for platforms running both Windows and Linux and its derivatives (SLB 9645 product versions for Chrome OS available). Based on Trusted Computing Group (TCG) standards, they support the TPM 1.2 or the latest innovative TPM 2.0 standard.
SECORA™ Blockchain
SECORA™ Blockchain is a fast, easy-to-use Java Card™ solution supporting best-in-class security for blockchain system implementations. By providing a safe “vault” for user credentials, SECORA™ Blockchain can reduce the end user’s commercial risk and helps to increase trust in the blockchain system.
CIPURSE™
Open, international standards such as CIPURSE™ are the best way to ensure interoperability across secured, cost-effective and flexible multi-applications schemes supporting fare collection. Infineon is the world’s first supplier of a complete CIPURSE™ certified product portfolio.
OPTIGA™ Connect
OPTIGA™ Connect is a family of turnkey eSIM security solutions for easy, flexible and secured cellular connectivity. They are optimized for the specific requirements of industrial and IoT applications as well as those of consumer devices.
NOTE: We currently support only OPTIGA™ Connect IoT on this forum. For queries on OPTIGA™ Connect Consumer, please create a case at https://mycases.infineon.com/.
Featured Discussions
Summary
On average 1 in every 256 ECDSA signatures on the NIST P256 curve produced by the CalcSign command in OPTIGA Trust M V3 has an invalid DER encoding. The invalid signatures violate the encoding rules for integers specified in Rec. ITU-T X.690, section 8.3.2, which state that the bits of the first octet and bit 8 of the second octet shall not all be zero.
Clients have to re-encode the invalid signatures, otherwise the signatures will be rejected by applications. However, this bug is not documented in the OPTIGA Trust M Solution Reference Manual. It came as a very unpleasant surprise for us, discovered in production.
Details
It appears that in the case of ECDSA signatures on the NIST P256 curve, OPTIGA Trust M always makes the contents octets of the integers at least 32 octets long. So, for example, it will produce this invalid DER encoding of an integer:
02 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
which should be correctly encoded as
02 1f 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
The likelihood of the bits of the 32nd least significant octet and bit 8 of the 31st least significant octet being zero by chance is approximately 1 in 512. The probability of this happening in at least one of the two integers that make up a signature is approximately 1 in 256.
I have not tested other curves, but there is no reason not to assume that the bug is present for other curves as well, although the probability of occurring may differ for some of them.
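An added example, not code from the post or from Infineon, that applies the X.690 8.3.2 check to a DER-encoded ECDSA signature (a SEQUENCE of the two INTEGERs r and s) and re-encodes both minimally; the sample signature is constructed from the invalid integer shown above plus a correctly encoded second integer.

```python
# Added example (not from the post or Infineon): detect ECDSA signatures whose DER
# INTEGERs carry a redundant leading 0x00 (X.690 8.3.2) and re-encode them minimally.

def integer_is_minimal(contents: bytes) -> bool:
    """X.690 8.3.2: with two or more octets, the first octet and bit 8 of the
    second must not all be zero (nor all be one)."""
    if not contents:
        return False
    if len(contents) == 1:
        return True
    first, second = contents[0], contents[1]
    return not (first == 0x00 and not second & 0x80) and not (first == 0xFF and second & 0x80)

def encode_der_integer(value: int) -> bytes:
    """Minimal DER INTEGER for a non-negative value (ECDSA r and s always are)."""
    if value < 0:
        raise ValueError("r and s are non-negative")
    # (bit_length + 8) // 8 adds a leading 0x00 only when bit 8 would otherwise be set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return bytes([0x02, len(body)]) + body

def normalize_ecdsa_der(sig: bytes):
    """Return (minimal_sig, was_invalid) for a short-form SEQUENCE of two INTEGERs."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] & 0x80 or 2 + sig[1] != len(sig):
        raise ValueError("not a single short-form DER SEQUENCE")
    seq, pos, values, was_invalid = sig[2:], 0, [], False
    for _ in range(2):
        if pos + 2 > len(seq) or seq[pos] != 0x02 or seq[pos + 1] & 0x80:
            raise ValueError("expected a short-form INTEGER")
        length = seq[pos + 1]
        contents = seq[pos + 2:pos + 2 + length]
        if len(contents) != length:
            raise ValueError("truncated INTEGER")
        was_invalid |= not integer_is_minimal(contents)
        values.append(int.from_bytes(contents, "big", signed=True))
        pos += 2 + length
    if pos != len(seq):
        raise ValueError("trailing data in SEQUENCE")
    body = b"".join(encode_der_integer(v) for v in values)
    return bytes([0x30, len(body)]) + body, was_invalid

# Constructed sample: r is the post's 32-octet integer with the redundant leading
# 0x00; s is a correctly encoded 33-octet integer (its 0x00 is needed before 0x80).
BAD_R = bytes([0x02, 0x20]) + bytes(range(0x20))
GOOD_S = bytes([0x02, 0x21, 0x00, 0x80]) + bytes([0x11]) * 31
SAMPLE_SIG = bytes([0x30, len(BAD_R) + len(GOOD_S)]) + BAD_R + GOOD_S

if __name__ == "__main__":
    fixed, was_invalid = normalize_ecdsa_der(SAMPLE_SIG)
    print("invalid input:", was_invalid, "repaired:", fixed.hex())
```

Running the repaired output through the function again reports it as valid, which is the check a client would apply before passing a CalcSign result to a DER-strict verifier.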
I am using the driver for the SLB 9672XU2.0 FW16.10, but I encounter some problems. When debugging the SLB 9672XU2.0 FW16.10 with the same platform and SPI driver, I find that communication cannot work normally. But when I used the SLB 9670VQ2.0 FW7.85, it was able to correctly identify the TPM device node. I was able to confirm that the hardware was working because I tested it with a Raspberry Pi and it recognized the TPM device. I have printed the SPI log when loading the TPM at startup; see the attachment. Can anyone help analyze the reason? Thank you very much!
PS: The 9672 board reads 128 bytes, then only reads 64 bytes each time. After reading the first frame, when reading the second frame, the command sent to read is 00 00 00 01 and it returns the error FF FF FF FF, so the result is an error. The 9670 board reads 255. Its second, third and fourth frames can return 00 00 00 00 01 as normal, reading the data normally and reporting no errors. What is the difference in the FIFO, and what are the requirements?
Hi
(a) How is "lifetime" defined - is this starting from date of manufacture? The 10 year figure is lower than I would have guessed.
(b) How should the 10 year lifetime figure be used in practice? For instance, suppose we wish to protect an asset for 20 years then should we swap-out at (for example) 7 years, 14 years?
(c) Are there expected failure modes? I'm wondering if these relate to non-volatile memory?
(d) How confident can we be that a unit of age 9 years < AGE < 10 years will not fail - is there some distribution curve?
(e) How can we detect failure in the field?
(f) What is the distinction between "Useful lifetime" and "Operating lifetime" (Data Sheet, pg 11)?
Many thanks for any advice
Regards
Stephen
I'm trying to encrypt a string using TSS.Java. It goes well on Intel TPMs, but fails on Infineon TPMs. All my code borrows from the TSS.Java samples and uses the EncryptDecrypt2() command. I tried 4 physical desktops with Intel TPMs, 2 Azure VMs, and 2 physical laptops with Infineon TPMs. All of them work without problems except the Infineon TPMs. I can't tell where the issue originates from, the TSS.Java library or the Infineon TPM? Any help is appreciated.
PS: I executed the code as administrator (root), of course.
I need a recommendation for an encryption chip for digital keys that includes communication and has passed international automotive-related certifications such as CCC and ICCE. (Other keywords I have heard: node SE chip, the "master" part.) There are many series under Security & Smart Card Solutions on the official website and I do not know how to select one; I would be very grateful for some support.
I hope this post finds you all well. Today, I would like to address a specific topic that has been causing some challenges for users of Red Hat systems who are working with Infineon devices. We have identified certain issues with kernel modules and drivers for Infineon devices, and I would like to open up a discussion to gather insights, experiences, and possible solutions from the community.
Here are some of the key points related to this topic:
- Identification of the Issue: Users have reported difficulties in properly configuring and utilizing Infineon devices on Red Hat systems due to problems with kernel modules and drivers. These issues have resulted in limited functionality, poor performance, or even complete failure to recognize the devices.
- Affected Infineon Devices: While the issue is not limited to a specific device, it has been observed across various Infineon hardware components such as security controllers, TPMs (Trusted Platform Modules), smart card readers, and other related devices.
- Red Hat System Versions: The issues have been reported on different versions of Red Hat systems, including both the Enterprise Linux (RHEL) distribution and the community-driven Fedora project. It is important to note that these problems may not be exclusive to Red Hat, but it is the focus of this discussion.
- Possible Causes: The problems may stem from compatibility issues between Infineon device firmware, kernel versions, and associated drivers. It is also plausible that some configuration settings or dependencies need to be properly addressed to ensure seamless integration.
Given the importance of Infineon devices in various fields such as security, encryption, and authentication, it is crucial to establish a robust and reliable solution for Red Hat users. Therefore, I invite all community members who have encountered or have insights on these issues to participate in this discussion.
I want to port the TPM SLB9672 to my custom board through SPI. I have ported the SLB9670 on my custom board and it works, but the SLB9672 does not work when using the same steps. I know the SLB9670 and SLB9672 use the same driver, but I cannot get any information from the TPM. What should I do?
Hi, I am using the TPM module below:
TPM Device
Vendor ID: IFX
Specification Version: 2.0
Firmware Revision: 13.11
Description: INFINEON
Characteristics:
Family configurable via platform software support
OEM-specific Information: 0x00000000
I want to add IMA support to my kernel 5.10. After enabling the config flags below:
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_IMA_APPRAISE=y
I can see only one entry in PCR 10.
root@nikhil:~# cat /sys/kernel/security/ima/ascii_runtime_measurements
10 c1091b621b64546f90b059727f0ab1a08a257a71 ima-ng sha1:d5fbd75caeed26c1662f08139ee831cf807af34c boot_aggregate
root@nikhil:~#
Also, I am not sure what else I need to do, apart from these config flags, to get all the IMA functionality.
Can someone please suggest what is wrong here?
Thanks,
Nikhil