Security & Smart Card Forum Discussions
Browse the Community
OPTIGA™ Trust
High-end easy to use security solutions that provide an anchor of trust for your application, connecting IoT devices to the cloud, giving billons of device its own unique identity, pre-personalized turnkey solutions, zero-touch onboarding, high performance, ... We did not meet your expectations? Let us know!
OPTIGA™ TPM
OPTIGA™ TPM (Trusted Platform Module) offers a broad portfolio of standardized security controllers to protect the integrity and authenticity of embedded devices and systems. With a secured key store and support for a variety of encryption algorithms, OPTIGA™ TPM security chips provide robust protection for critical data and processes through their rich functionality. OPTIGA™ TPM security controllers are ideal for platforms running both Windows and Linux and its derivatives (SLB 9645 product versions for Chrome OS available). Based on Trusted Computing Group (TCG) standards, they support the TPM 1.2 or the latest innovative TPM 2.0 standard.
SECORA™ Blockchain
SECORA™ Blockchain is a fast, easy-to-use Java Card™ solution supporting best-in-class security for block chain system implementations. By providing a safe “vault” for user credentials, SECORA™ Blockchain can reduce the final user’s commercial risk and helps to increase trust in the block chain system.
CIPURSE™
Open, international standards such as CIPURSE™ are the best way to ensure interoperability across secured, cost-effective and flexible multi-applications schemes supporting fare collection. Infineon is the world’s first supplier of a complete CIPURSE™ certified product portfolio.
OPTIGA™ Connect
OPTIGA™ Connect is a family of turnkey eSIM security solutions for easy, flexible and secured cellular connectivity. They are optimized for specific requirements of industrial and IoT applications as well as those of consumer devices.<br> NOTE: We currently support only <b>OPTIGA™ Connect IoT</b> on this forum. For queries on OPTIGA™ Connect Consumer, please create a case at <a href="https://mycases.infineon.com/">https://mycases.infineon.com/</a>.
Featured Discussions
Hi everybody. I am at the first testing steps of OPTIGA TPM SLB9673 with RPi Eval Board . Setup went smoothly, OPTIGA TPM 2.0 Explorer started up.
At first stage I want only to create a keypairs with RSA2048, RSA4096, ECC256, ECC384 and measure execution speeds. Simply stepping through GUI, I managed to accomplish all this. However, quite often I get an error message and then not even the HW reset button an RPi Eval board and tpm2_startup helps. For example: while repeating encrypt command cca 10 times:
tpm2_rsaencrypt -c 0x81000005 -o data_encrypted.txt datain.txt
I get error
ERROR:esys:src/tss2-esys/api/Esys_ReadPublic.c:324:Esys_ReadPublic_Finish() Received a non-TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:230:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x000a000a)
ERROR:esys:src/tss2-esys/esys_tr.c:320:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x000a000a)
ERROR: Esys_TR_FromTPMPublic(0xA0007) - tcti:Function called in the wrong order
ERROR: Unable to run tpm2_rsaencrypt
As it is non-tpm error, more important might be dmesg:
[ 928.177971] tpm tpm0: Error left over data
[ 928.178305] tpm tpm0: tpm_transmit: tpm_recv: error -5
It is clear that the i2c communication is the problem.
:~ $ lsmod | grep tpm
tpm_tis_i2c 16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core 28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core
:~ $ lsmod | grep i2c
tpm_tis_i2c 16384 0
crc_ccitt 16384 1 tpm_tis_i2c
tpm_tis_core 28672 1 tpm_tis_i2c
tpm 77824 2 tpm_tis_i2c,tpm_tis_core
i2c_brcmstb 16384 0
i2c_gpio 16384 0
i2c_algo_bit 16384 1 i2c_gpio
i2c_dev 20480 0
I must say that this error can occur randomly at almost any command .
The RPi was fresh clean system installed only for this task.
My system on raspberry 4B:
$ uname -a
Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
I found only one similar post: https://community.infineon.com/t5/OPTIGA-TPM/SLB9673-TPM-does-not-start-correctly/td-p/412271.
As I am using RPI instead of IMX8 and my kernel is 6.1.21 which allegedly has 8kB buffer for i2c, I suspect that buffer size might be not the cause of this issue.
It might be irrelevant to this issue, but for the whole picture, here are the series of commands I use for e.g ecc384 through console. When using console, GUI is not used.
tpm2_clear -c p
tpm2_changeauth -c owner owner123
tpm2_changeauth -c endorsement endorsement123
tpm2_nvread 0x1c00002 -C o -s 1429 --offset 0 -P owner123 -o ifx_rsa_cert.crt
tpm2_nvread 0x1c0000a -C o -s 846 --offset 0 -P owner123 -o ifx_ecc_cert.crt
tpm2_createprimary -C o -P owner123 -g sha256 -G ecc384 -c ECCprimary.ctx
tpm2_evictcontrol -C o -c ECCprimary.ctx -P owner123 0x81000006
tpm2_create -C 0x81000006 -p ECCleaf123 -g sha256 -G ecc384 -r ECCpri.key -u ECCpub.key
tpm2_load -C 0x81000006 -u ECCpub.key -r ECCpri.key -n ECCname.data -c ECCkeycontext.ctx
tpm2_evictcontrol -C o -c ECCkeycontext.ctx -P owner123 0x81000007
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_data -f plain secret.data
tpm2_sign -c 0x81000007 -p ECCleaf123 -g sha256 -o signature_blob secret.data
rm ECCverifyleaf.ctx
tpm2_loadexternal -C o -u ECCpub.key -c ECCverifyleaf.ctx
tpm2_verifysignature -c ECCverifyleaf.ctx -g sha256 -m secret.data -s signature_blob
Did anyone got this issue ? Can perhaps anyone reproduce it ? Did I miss something?
Show LessHello,
I want to use the OPTIGATM TPM SLB 9670VQ2.0 (TPM 70 2.0 XENONBOARD ) within a setup with a PC. Does anyone have any recommendation for which motherboard to use? I have used in the past the TPM 2.0 with the SPI interface in a setup with Raspberry PI 3 and I am familiar with the software stack. I guess the same software stack available on GitHub can be used for the TPM SLB 9672 PC as well.
Later edit: I have noticed that this TPM is communicating through SPI so now I am unsure if I can connected somehow to a PC motherboard. Did anyone use it in a similar setup?
Show LessHi I have a GA-Z175-SLI-CF gigabyte motherboard that needs to be fitted with a TPM 2.0. The mb has a 20 pin connector with one pin missing. Is there a specific module for this mb?
Show LessHi,
I am trying to port optiga-trust-m library for STM32 (freeRTOS). Are there any ready samples available within the community or by infineon.
Show LessPlease share the IBIS model for SLB9672XU20FW1613XTMA1 and Package model for the same.
Thank you,
Srividhya Mitran
Hi,
I am trying to communicate with the Optiga Trust X over i2c. I read the documentation and the power up cycle, however I get NACKs from the device. I have the ability to toggle the reset signal.
I have done repeated reads from the device because it goes in lower power mode but no luck with getting an acknowledgment.
Here is the waveform:
More information can be provided.
Thanks for your help.
Show Less
Hello, I want to use an OPTIGA Trust M (SLS 32AIA010ML) for CBC encryption, following the example provided by Infineon, I found that the process is divided into three phases (basic chaining) and surprisingly, each block is encrypted/decrypted on its own, also, no XOR of previous cipher text to the next plain text, which, from what I know, contradicts with the logic of CBC encryption. Does anyone have an idea why the provided example is like that, or if possible share a more "correct" CBC example? Thanks,
PS: this is the example from Infineon:
/**
* The below example demonstrates the symmetric encryption and decryption for CBC mode using OPTIGA.
*
* Example for
* #optiga_crypt_symmetric_encrypt_start,
* #optiga_crypt_symmetric_encrypt_continue and
* #optiga_crypt_symmetric_encrypt_final for symmetric encryption.
* #optiga_crypt_symmetric_decrypt_start,
* #optiga_crypt_symmetric_decrypt_continue and
* #optiga_crypt_symmetric_decrypt_final for symmetric decryption.
*/
void example_optiga_crypt_symmetric_encrypt_decrypt_cbc(void)
{
const uint8_t plain_data_buffer_start[] = {0x6b, 0xc1, 0xbe, 0xe2,
0x2e, 0x40, 0x9f, 0x96,
0xe9, 0x3d, 0x7e, 0x11,
0x73, 0x93, 0x17, 0x2a};
const uint8_t plain_data_buffer_continue[] = {0x7c,0xd2,0xcf,0xf3,
0x3f,0x51,0xa0,0xa7,
0xf0,0x4e,0x8f,0x22,
0x84,0xa4,0x28,0x3b};
const uint8_t plain_data_buffer_final[] = {0x5a,0xb0,0xad,0xd1,
0x1d,0x3f,0x8e,0x85,
0xd8,0x2c,0x6d,0xf1,
0x62,0x82,0x06,0x19};
uint8_t encrypted_data_buffer_start[32] = {0};
uint32_t encrypted_data_length_start = sizeof(encrypted_data_buffer_start);
uint8_t encrypted_data_buffer_continue[32] = {0};
uint32_t encrypted_data_length_continue = sizeof(encrypted_data_buffer_continue);
uint8_t encrypted_data_buffer_final[32] = {0};
uint32_t encrypted_data_length_final = sizeof(encrypted_data_buffer_final);
uint8_t decrypted_data_buffer_start[32] = {0};
uint32_t decrypted_data_length_start = sizeof(decrypted_data_buffer_start);
uint8_t decrypted_data_buffer_continue[32] = {0};
uint32_t decrypted_data_length_continue = sizeof(decrypted_data_buffer_continue);
uint8_t decrypted_data_buffer_final[32] = {0};
uint32_t decrypted_data_length_final = sizeof(decrypted_data_buffer_final);
optiga_crypt_t * me = NULL;
uint32_t time_taken = 0;
optiga_lib_status_t return_status = !OPTIGA_LIB_SUCCESS;
do
{
#ifndef OPTIGA_INIT_DEINIT_DONE_EXCLUSIVELY
/**
* Open the application on OPTIGA which is a precondition to perform any other operations
* using optiga_util_open_application
*/
example_optiga_init();
#endif //OPTIGA_INIT_DEINIT_DONE_EXCLUSIVELY
OPTIGA_EXAMPLE_LOG_MESSAGE(__FUNCTION__);
/**
* 1. Create OPTIGA Crypt Instance
*
*/
me = optiga_crypt_create(0, optiga_util_crypt_callback, NULL);
if (NULL == me)
{
break;
}
/**
* 2. Update AES 128 symmetric key using secure key update
*
*/
OPTIGA_EXAMPLE_LOG_MESSAGE("Symmetric key generation");
return_status = generate_symmetric_key();
if(OPTIGA_LIB_SUCCESS != return_status)
{
break;
}
/**
* 3. Start encryption sequence and encrypt the plain data
*/
optiga_lib_status = OPTIGA_LIB_BUSY;
START_PERFORMANCE_MEASUREMENT(time_taken);
return_status = optiga_crypt_symmetric_encrypt_start(me,
OPTIGA_SYMMETRIC_CBC,
OPTIGA_KEY_ID_SECRET_BASED,
plain_data_buffer_start,
sizeof(plain_data_buffer_start),
NULL,
0,
NULL,
0,
0,
encrypted_data_buffer_start,
&encrypted_data_length_start);
WAIT_AND_CHECK_STATUS(return_status, optiga_lib_status);
if (encrypted_data_length_start != sizeof(plain_data_buffer_start))
{
//Encrypted data length is incorrect
return_status = !OPTIGA_LIB_SUCCESS;
break;
}
/**
* 4. Continue encrypting the plain data
*/
optiga_lib_status = OPTIGA_LIB_BUSY;
return_status = optiga_crypt_symmetric_encrypt_continue(me,
plain_data_buffer_continue,
sizeof(plain_data_buffer_continue),
encrypted_data_buffer_continue,
&encrypted_data_length_continue);
WAIT_AND_CHECK_STATUS(return_status, optiga_lib_status);
if (encrypted_data_length_continue != sizeof(plain_data_buffer_continue))
{
//Encrypted data length is incorrect
return_status = !OPTIGA_LIB_SUCCESS;
break;
}
/**
* 5. End encryption sequence and encrypt plain data
*/
optiga_lib_status = OPTIGA_LIB_BUSY;
return_status = optiga_crypt_symmetric_encrypt_final(me,
plain_data_buffer_final,
sizeof(plain_data_buffer_final),
encrypted_data_buffer_final,
&encrypted_data_length_final);
WAIT_AND_CHECK_STATUS(return_status, optiga_lib_status);
if (encrypted_data_length_final != sizeof(plain_data_buffer_final))
{
//Encrypted data length is incorrect
return_status = !OPTIGA_LIB_SUCCESS;
break;
}
/**
* 6. Start decryption sequence and decrypt the encrypted data from step 3
*/
optiga_lib_status = OPTIGA_LIB_BUSY;
return_status = optiga_crypt_symmetric_decrypt_start(me,
OPTIGA_SYMMETRIC_CBC,
OPTIGA_KEY_ID_SECRET_BASED,
encrypted_data_buffer_start,
encrypted_data_length_start,
NULL,
0,
NULL,
0,
0,
decrypted_data_buffer_start,
&decrypted_data_length_start);
WAIT_AND_CHECK_STATUS(return_status, optiga_lib_status);
// Compare the decrypted data with plain data
if( OPTIGA_LIB_SUCCESS != memcmp(plain_data_buffer_start, decrypted_data_buffer_start, decrypted_data_length_start))
{
return_status = !OPTIGA_LIB_SUCCESS;
break;
}
if (decrypted_data_length_start != sizeof(plain_data_buffer_start))
{
//Decrypted data length is incorrect
return_status = !OPTIGA_LIB_SUCCESS;
break;
}
/**
* 7. Continue to decrypt the encrypted data from step 4
*/
optiga_lib_status = OPTIGA_LIB_BUSY;
return_status = optiga_crypt_symmetric_decrypt_continue(me,
encrypted_data_buffer_continue,
encrypted_data_length_continue,
decrypted_data_buffer_continue,
&decrypted_data_length_continue);
WAIT_AND_CHECK_STATUS(return_status, optiga_lib_status);
// Compare the decrypted data with plain data
if( OPTIGA_LIB_SUCCESS != memcmp(plain_data_buffer_continue, decrypted_data_buffer_continue, decrypted_data_length_continue))
{
return_status = !OPTIGA_LIB_SUCCESS;
break;
}
if (sizeof(plain_data_buffer_continue) != decrypted_data_length_continue)
{
//Decrypted data length is incorrect
return_status = !OPTIGA_LIB_SUCCESS;
break;
}
/**
* 8. End decryption sequence and decrypt encrypted data from step 5
*/
optiga_lib_status = OPTIGA_LIB_BUSY;
return_status = optiga_crypt_symmetric_decrypt_final(me,
encrypted_data_buffer_final,
encrypted_data_length_final,
decrypted_data_buffer_final,
&decrypted_data_length_final);
WAIT_AND_CHECK_STATUS(return_status, optiga_lib_status);
READ_PERFORMANCE_MEASUREMENT(time_taken);
// Compare the decrypted data with plain data
if( OPTIGA_LIB_SUCCESS != memcmp(plain_data_buffer_final, decrypted_data_buffer_final, decrypted_data_length_final))
{
return_status = !OPTIGA_LIB_SUCCESS;
break;
}
if (sizeof(plain_data_buffer_final) != decrypted_data_length_final)
{
//Decrypted data length is incorrect
return_status = !OPTIGA_LIB_SUCCESS;
break;
}
return_status = OPTIGA_LIB_SUCCESS;
} while (FALSE);
OPTIGA_EXAMPLE_LOG_STATUS(return_status);
#ifndef OPTIGA_INIT_DEINIT_DONE_EXCLUSIVELY
/**
* Close the application on OPTIGA after all the operations are executed
* using optiga_util_close_application
*/
example_optiga_deinit();
#endif //OPTIGA_INIT_DEINIT_DONE_EXCLUSIVELY
OPTIGA_EXAMPLE_LOG_PERFORMANCE_VALUE(time_taken, return_status);
if (me)
{
//Destroy the instance after the completion of usecase if not required.
return_status = optiga_crypt_destroy(me);
if(OPTIGA_LIB_SUCCESS != return_status)
{
//lint --e{774} suppress This is a generic macro
OPTIGA_EXAMPLE_LOG_STATUS(return_status);
}
}
}
Show Less
Hello,
We are also considering a multiple SPI configuration of TPM (SLB9670) and SPI Flash as shown in the thread below.
https://community.infineon.com/t5/OPTIGA-TPM/Multiple-SPI-devices-together-with-TPM/td-p/354692
In this thread, SCLK, MISO, and MOSI are described as don't care when CS# is disabled (High).
In our usage, the SCLK frequency is switched on the Host side as shown below.
- SCLK operates at 50MHz when CS# of SPI FLASH is enabled
- SCLK operates at 14MHz when CS# of SLB9670VQ20 is enabled
In other words, when CS# of SLB9670 is disabled, Closk with a frequency of 50MHz is input to SCLK.
On the data sheet, the maximum frequency is 43MHz under all conditions, so a clock with a frequency higher than the data sheet will be input.
Is it safe to assume that this condition is not a problem?
Is it a don't care as per the thread above?
Thanks.
Show Less
We received a batch of chips, the part number is SLE95250-0025, its label has the Infineon logo, but the marking is ST logo. Is it normal?
Hi,
How is SLB9670's endurance defined?
I would like to know the guaranteed value.
For example, I would be happy if you could tell me how to express it like 10kcycles.
Regards,
Show Less