Security & Smart Card Forum Discussions
OPTIGA™ Trust
High-end, easy-to-use security solutions that provide an anchor of trust for your application, connecting IoT devices to the cloud, giving billions of devices their own unique identity, pre-personalized turnkey solutions, zero-touch onboarding, high performance, ...
OPTIGA™ TPM
OPTIGA™ TPM (Trusted Platform Module) offers a broad portfolio of standardized security controllers to protect the integrity and authenticity of embedded devices and systems. With a secured key store and support for a variety of encryption algorithms, OPTIGA™ TPM security chips provide robust protection for critical data and processes through their rich functionality. OPTIGA™ TPM security controllers are ideal for platforms running both Windows and Linux and its derivatives (SLB 9645 product versions for Chrome OS available). Based on Trusted Computing Group (TCG) standards, they support the TPM 1.2 or the latest innovative TPM 2.0 standard.
SECORA™ Blockchain
SECORA™ Blockchain is a fast, easy-to-use Java Card™ solution supporting best-in-class security for block chain system implementations. By providing a safe “vault” for user credentials, SECORA™ Blockchain can reduce the final user’s commercial risk and helps to increase trust in the block chain system.
CIPURSE™
Open, international standards such as CIPURSE™ are the best way to ensure interoperability across secured, cost-effective and flexible multi-applications schemes supporting fare collection. Infineon is the world’s first supplier of a complete CIPURSE™ certified product portfolio.
OPTIGA™ Connect
OPTIGA™ Connect is a family of turnkey eSIM security solutions for easy, flexible and secured cellular connectivity. They are optimized for specific requirements of industrial and IoT applications as well as those of consumer devices.
NOTE: We currently support only OPTIGA™ Connect IoT on this forum. For queries on OPTIGA™ Connect Consumer, please create a case at https://mycases.infineon.com/.
Featured Discussions
Hi, I'm looking for the Trusted Platform Module (TPM) c/w FW16 firmware version. But in the PC evaluation board...may I know if it's available to the market (with FW16)? Appreciated in advance. #https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/optiga-tpm-slb-9672-fw16/

We are using TPM SLB9665. We want to leverage the TPM encrypt/decrypt functionality using AES encryption. However, when we try running the "tpm2_getcap commands |grep 0x164" command, we don't see output saying the encryptdecrypt option is supported.
Could you please let us know whether this feature can be enabled at run time, and if yes, how? Or is there a limitation on this chip such that this option cannot be enabled?

There is a "fatal error: DAVE.h: No such file or directory" at the time of compilation when adding the optiga-trust-m library to the empty-app example.
Steps followed:
1. Choose Board Support Package: CYSBSYSKIT-DEV-01
2. Select Application Template: Empty App
3. Selected optiga-trust-m = 3.1.4 release from library manager
4. Compilation error: mtb_shared/optiga-trust-m/release-v3.1.4/examples/optiga_shell.c:38:10: fatal error: DAVE.h: No such file or directory
Summary
On average 1 in every 256 ECDSA signatures on the NIST P256 curve produced by the CalcSign command in OPTIGA Trust M V3 has an invalid DER encoding. The invalid signatures violate the encoding rules for integers specified in Rec. ITU-T X.690, section 8.3.2, which state that the bits of the first octet and bit 8 of the second octet shall not all be zero.
Clients have to reencode the invalid signatures, otherwise the signatures will be rejected by applications. However, this bug is not documented in the OPTIGA Trust M Solution reference manual. It came as a very unpleasant surprise for us, discovered in production.
Details
It appears that in case of ECDSA signatures on the NIST P256 curve OPTIGA Trust M always makes the contents octets of the integers at least 32 octets long. So, for example, it will produce this invalid DER encoding of an integer:
02 20 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
which should be correctly encoded as
02 1f 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
The likelihood of the bits of the 32nd least significant octet and bit 8 of the 31st least significant octet being zero by chance is approximately 1 in 512. The probability of this happening in at least one of the two integers that make up a signature is approximately 1 in 256.
I have not tested other curves, but there is no reason not to assume that the bug is present for other curves as well, although the probability of occurring may differ for some of them.
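An added example, not part of the original post or of Infineon's host library: a C routine for the re-encoding step the post says clients have to perform, stripping redundant leading zero octets from each INTEGER. It assumes the signature buffer holds INTEGER r directly followed by INTEGER s with short-form lengths; the function names and the sample s value are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Re-encode one DER INTEGER (tag 0x02, short-form length) minimally.
 * Returns bytes written, or 0 on malformed input or lack of room;
 * *used receives the number of input bytes consumed. */
static size_t der_int_minimal(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t out_cap, size_t *used)
{
    if (in_len < 3 || in[0] != 0x02 || in[1] == 0 || in[1] > 0x7f)
        return 0;
    size_t len = in[1];
    if (len > in_len - 2)
        return 0;
    const uint8_t *v = in + 2;
    /* X.690 8.3.2: drop a leading 0x00 while the next octet has bit 8 clear. */
    while (len > 1 && v[0] == 0x00 && (v[1] & 0x80) == 0) { v++; len--; }
    if (out_cap < len + 2)
        return 0;
    out[0] = 0x02;
    out[1] = (uint8_t)len;
    memcpy(out + 2, v, len);
    *used = 2 + (size_t)in[1];
    return len + 2;
}

/* Assumption: the signature is INTEGER r directly followed by INTEGER s. */
size_t ecdsa_rs_normalize(const uint8_t *sig, size_t sig_len,
                          uint8_t *out, size_t out_cap)
{
    size_t used_r = 0, used_s = 0;
    size_t n_r = der_int_minimal(sig, sig_len, out, out_cap, &used_r);
    if (n_r == 0)
        return 0;
    size_t n_s = der_int_minimal(sig + used_r, sig_len - used_r,
                                 out + n_r, out_cap - n_r, &used_s);
    return (n_s != 0 && used_r + used_s == sig_len) ? n_r + n_s : 0;
}

static uint8_t demo_out[64];
/* Constructed input: r is the invalid INTEGER quoted in the post,
 * s is a made-up, already-minimal INTEGER (not a real signature). */
size_t demo_normalize(size_t cap)
{
    uint8_t sig[38] = { 0x02, 0x20, 0x00 };
    for (int i = 1; i < 0x20; i++) sig[2 + i] = (uint8_t)i;
    sig[34] = 0x02; sig[35] = 0x02; sig[36] = 0x12; sig[37] = 0x34;
    return ecdsa_rs_normalize(sig, sizeof sig, demo_out, cap);
}
int main(void) { return demo_normalize(sizeof demo_out) == 37 ? 0 : 1; }
```

The routine only removes redundant 0x00 octets, so an INTEGER whose value legitimately needs a leading 0x00 (next octet has bit 8 set) passes through unchanged.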

I am using the driver of SLB 9672XU2.0 FW16.10, but I encounter some problems. When debugging SLB 9672XU2.0 FW16.10 with the same platform and SPI driver, I find that the communication cannot be normal. But when I used the SLB 9670VQ2.0 FW7.85, it was able to correctly identify the TPM device node. I was able to confirm that the hardware was working because I tested it with the Raspberry Pi and it recognized the TPM device. I have printed the SPI log when loading TPM at startup, see the attachment. Can anyone help analyze the reason? Thank you very much! ~
PS: The 9672 board reads 128 bytes, then only reads 64 bytes each time; after reading the first frame, it reads the second frame, the command sent to read is 00 00 00 01, it returns error FF FF FF FF, and the result is an error. The 9670 board is 255. The second, third, and fourth frames can return 00 00 00 00 01 as normal, reading the data normally and reporting no errors. What is the difference between the FIFOs and what are the requirements?

Hi everybody. I am at the first testing steps of OPTIGA TPM SLB9673 with the RPi Eval Board. Setup went smoothly, OPTIGA TPM 2.0 Explorer started up.
At the first stage I want only to create keypairs with RSA2048, RSA4096, ECC256, ECC384 and measure execution speeds. Simply stepping through the GUI, I managed to accomplish all this. However, quite often I get an error message and then not even the HW reset button on the RPi Eval board and tpm2_startup help. For example, while repeating the encrypt command cca 10 times:
tpm2_rsaencrypt -c 0x81000005 -o data_encrypted.txt datain.txt
I get error
ERROR:esys:src/tss2-esys/api/Esys_ReadPublic.c:324:Esys_ReadPublic_Finish() Received a non-TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:230:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x000a000a)
ERROR:esys:src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x000a000a)
ERROR: Esys_TR_FromTPMPublic(0xA0007) - tcti:Function called in the wrong order
ERROR: Unable to run tpm2_rsaencrypt
As it is non-tpm error, more important might be dmesg:
[ 928.177971] tpm tpm0: Error left over data
[ 928.178305] tpm tpm0: tpm_transmit: tpm_recv: error -5
It is clear that the i2c communication is the problem.
:~ $ lsmod | grep tpm
tpm_tis_i2c 16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core 28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core
:~ $ lsmod | grep i2c
tpm_tis_i2c 16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core 28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core
i2c_brcmstb 16384 0
i2c_gpio 16384 0
i2c_algo_bit 16384 1 i2c_gpio
i2c_dev 20480 0
I must say that this error can occur randomly at almost any command.
The RPi was fresh clean system installed only for this task.
My system on raspberry 4B:
$ uname -a
Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
I found only one similar post: https://community.infineon.com/t5/OPTIGA-TPM/SLB9673-TPM-does-not-start-correctly/td-p/412271.
As I am using RPI instead of IMX8 and my kernel is 6.1.21 which allegedly has 8kB buffer for i2c, I suspect that buffer size might be not the cause of this issue.
It might be irrelevant to this issue, but for the whole picture, here are the series of commands I use for e.g ecc384 through console. When using console, GUI is not used.
tpm2_clear -c p
tpm2_changeauth -c owner owner123
tpm2_changeauth -c endorsement endorsement123
tpm2_nvread 0x1c00002 -C o -s 1429 --offset 0 -P owner123 -o ifx_rsa_cert.crt
tpm2_nvread 0x1c0000a -C o -s 846 --offset 0 -P owner123 -o ifx_ecc_cert.crt
tpm2_createprimary -C o -P owner123 -g sha256 -G ecc384 -c ECCprimary.ctx
tpm2_evictcontrol -C o -c ECCprimary.ctx -P owner123 0x81000006
tpm2_create -C 0x81000006 -p ECCleaf123 -g sha256 -G ecc384 -r ECCpri.key -u ECCpub.key
tpm2_load -C 0x81000006 -u ECCpub.key -r ECCpri.key -n ECCname.data -c ECCkeycontext.ctx
tpm2_evictcontrol -C o -c ECCkeycontext.ctx -P owner123 0x81000007
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_data -f plain secret.data
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_blob secret.data
rm ECCverifyleaf.ctx
tpm2_loadexternal -C o -u ECCpub.key -c ECCverifyleaf.ctx
tpm2_verifysignature -c ECCverifyleaf.ctx -g sha256 -m secret.data -s signature_blob
Did anyone get this issue? Can anyone perhaps reproduce it? Did I miss something?

Hello,
I want to use the OPTIGA™ TPM SLB 9670VQ2.0 (TPM 70 2.0 XENONBOARD) within a setup with a PC. Does anyone have any recommendation for which motherboard to use? I have used in the past the TPM 2.0 with the SPI interface in a setup with Raspberry PI 3 and I am familiar with the software stack. I guess the same software stack available on GitHub can be used for the TPM SLB 9672 PC as well.
Later edit: I have noticed that this TPM is communicating through SPI, so now I am unsure if I can connect it somehow to a PC motherboard. Did anyone use it in a similar setup?