# Infineon OPTIGA-TPM-SLB9670-TPM2.0 for Raspberry Pi 4

###### tags: `SLB9670` `TPM2.0` `Pi4` `Raspberry Pi`

## Raspberry Pi 4 Initialize

- Disable SWAP

```bash=
sudo dphys-swapfile swapoff && \
sudo dphys-swapfile uninstall && \
sudo systemctl disable dphys-swapfile
```

- Kernel panic reboot (reboot automatically 5 seconds after a kernel panic)

```bash=
# `sudo echo ... > file` does the redirection as the unprivileged user and
# `>` would replace the whole file, so append the setting with tee instead.
echo "kernel.panic = 5" | sudo tee -a /etc/sysctl.conf
# Apply without rebooting
sudo sysctl -p
```

- htop with CPU clock / temperature
  - https://github.com/wbenny/htop

```bash=
wget https://github.com/wbenny/htop/files/573914/htop_2.0.2-2_armhf.deb.zip
unzip htop_2.0.2-2_armhf.deb.zip
# You can install this package over the old version.
sudo dpkg -i htop_2.0.2-2_armhf.deb
# In case you want to create a new default config file:
rm -rf ~/.config/htop/htoprc
```

- ArgonOneV2 fan control (Optional)

```bash=
curl https://download.argon40.com/argon1.sh | bash
```

- Open SPI to communicate with Infineon SLB9670-TPM-2.0
  - https://www.infineon.com/dgdl/Infineon-OPTIGA_SLx_9670_TPM_2.0_Pi_4-ApplicationNotes-v07_19-EN.pdf?fileId=5546d4626c1f3dc3016c3d19f43972eb

```bash=
sudo vi /boot/config.txt
# Add
dtparam=spi=on
dtoverlay=tpm-slb9670
# Reboot
sudo reboot now
# After the reboot the TPM device node should exist
ls -l /dev/tpm0
```

- Other

```bash=
sudo apt update
sudo apt install -y tmux vim git
```

# TPM2 Installation

## eltt2

https://github.com/Infineon/eltt2

```bash=
git clone https://github.com/Infineon/eltt2.git
cd eltt2
make
# Test
sudo ./eltt2 -g
sudo ./eltt2 -gc
# Move to $PATH
sudo mv ./eltt2 /usr/local/bin
```

## tpm2-tss

https://github.com/tpm2-software/tpm2-tss

- Install

```bash=
git clone https://github.com/tpm2-software/tpm2-tss.git
cd tpm2-tss
git checkout 2.4.6
sudo apt update
sudo apt -y install \
    autoconf-archive \
    libcmocka0 \
    libcmocka-dev \
    procps \
    iproute2 \
    build-essential \
    git \
    pkg-config \
    gcc \
    libtool \
    automake \
    libssl-dev \
    uthash-dev \
    autoconf \
    doxygen \
    libjson-c-dev \
    libini-config-dev \
    libcurl4-openssl-dev \
    libgcrypt20-dev \
    acl
# ===== Config =====
# Configure and build as the normal user; only the install step needs root.
./bootstrap
./configure --with-device=/dev/tpm0
make -j$(nproc)
# ===== Install =====
sudo make install
# Refresh the linker cache so tpm2-tools finds the freshly installed libtss2-* in /usr/local/lib
sudo ldconfig
```

## tpm2-tools

https://tpm2-tools.readthedocs.io/en/latest/INSTALL/

```bash=
sudo apt install -y uuid-dev
git clone https://github.com/tpm2-software/tpm2-tools
cd tpm2-tools
git checkout 4.3.2
sudo apt install -y autoconf automake libtool pkg-config gcc \
    libssl-dev libcurl4-gnutls-dev python-yaml
./bootstrap
./configure
make -j$(nproc)
sudo make install
```

- Check

```bash=
# Show all supported commands
sudo tpm2_getcap commands
# Show all supported algorithms
sudo tpm2_getcap algorithms
# Get random bytes
sudo tpm2_getrandom 5 | od -A n -t x1
```

## tpm2-openssl (Optional)

- Install OpenSSL 3.0: https://linuxhint.com/install-openssl-3-from-source/
- tpm2-openssl: https://github.com/tpm2-software/tpm2-openssl

---

# Infineon SLB9670-TPM-2.0 Commands

- RSA Encrypt and Decrypt
  - https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_rsaencrypt.1.md

```bash=
sudo tpm2_clear
sudo tpm2_createprimary -c primary.ctx
sudo tpm2_create -C primary.ctx -Grsa2048 -u key.pub -r key.priv
sudo tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
# Encrypt
echo "my message" > msg.dat
sudo tpm2_rsaencrypt -c key.ctx -o msg.enc msg.dat
# Decrypt
sudo tpm2_rsadecrypt -c key.ctx -o msg.ptext msg.enc
cat msg.ptext
# my message
```

```bash=
pi@pi-lab:~/test $ sudo rm -rf ./*
pi@pi-lab:~/test $ ls
pi@pi-lab:~/test $ sudo tpm2_clear
pi@pi-lab:~/test $ sudo tpm2_createprimary -c primary.ctx
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
  raw: 0x30072
type:
  value: rsa
  raw: 0x1
exponent: 0x0
bits: 2048
scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: cfb
  raw: 0x43
sym-keybits: 128
rsa:
pi@pi-lab:~/test $ ls
primary.ctx
# ==========================================
pi@pi-lab:~/test $ sudo tpm2_create -C primary.ctx -Grsa2048 -u key.pub -r key.priv
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60072
type:
  value: rsa
  raw: 0x1
exponent: 0x0
bits: 2048
scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: null
  raw: 0x10
sym-mode:
  value: (null)
  raw: 0x0
sym-keybits: 0
rsa:
pi@pi-lab:~/test $ ls
key.priv  key.pub  primary.ctx
# ==========================================
pi@pi-lab:~/test $ sudo tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
name: 000b7fcd541787abfb7fb9c3012ec5234c2693b02f4cccfc57afb5e1275227eec1cb
# ==========================================
pi@pi-lab:~/test $ echo "my message" > msg.dat
pi@pi-lab:~/test $ ls
key.ctx  key.priv  key.pub  msg.dat  primary.ctx
pi@pi-lab:~/test $ xxd msg.dat
00000000: 6d79 206d 6573 7361 6765 0a                 my message.
# ==========================================
pi@pi-lab:~/test $ sudo tpm2_rsaencrypt -c key.ctx -o msg.enc msg.dat
pi@pi-lab:~/test $ ls
key.ctx  key.priv  key.pub  msg.dat  msg.enc  primary.ctx
pi@pi-lab:~/test $ xxd msg.enc
00000000: bc44 9a6d c0a0 392f ed42 c196 65bd 61d8  .D.m..9/.B..e.a.
00000010: 5604 6f8f 6cb3 a859 30d0 3007 5901 4c35  V.o.l..Y0.0.Y.L5
00000020: e786 27a4 c5f7 573c cd13 3562 770d dccd  ..'...W<..5bw...
00000030: c4c2 3eb9 4727 32cc 71e8 2a76 3976 8f9e  ..>.G'2.q.*v9v..
00000040: b3bd 52bf 62ad 1c6e b831 ca8d 0460 129a  ..R.b..n.1...`..
00000050: 386f 3a90 9dbb dadf b7f0 f3cd 5b44 81fc  8o:.........[D..
00000060: 44ef 8b73 99ab 05d1 364e 0338 956c 5e56  D..s....6N.8.l^V
00000070: 3da6 bc89 d93e 7a2f ba1d 316b 46ec f608  =....>z/..1kF...
00000080: 9974 095f 257a 778e 1bd2 6d73 cafd da2a  .t._%zw...ms...*
00000090: 126a 7377 41aa 5fb1 630e c639 fe8f ea19  .jswA._.c..9....
000000a0: 80b2 4043 69b6 e853 141d a3ca fa6e 4ae9  ..@Ci..S.....nJ.
000000b0: 7edc 55c1 1831 df59 aef6 49d9 bce6 bc47  ~.U..1.Y..I....G
000000c0: 34d2 de02 d0ba e93c 579a 0b8c 13b8 1975  4......<W......u
000000d0: 2889 44ee 15cc 7427 7b91 1aab 4829 41a3  (.D...t'{...H)A.
000000e0: d960 7db8 fe6b c80b bc63 1553 4f7c 5d1d  .`}..k...c.SO|].
000000f0: 7051 ec21 0334 2210 9e78 703f 681e 00eb  pQ.!.4"..xp?h...
# ==========================================
pi@pi-lab:~/test $ sudo tpm2_rsadecrypt -c key.ctx -o msg.ptext msg.enc
pi@pi-lab:~/test $ ls
key.ctx  key.priv  key.pub  msg.dat  msg.enc  msg.ptext  primary.ctx
# ==========================================
pi@pi-lab:~/test $ xxd msg.ptext
00000000: 6d79 206d 6573 7361 6765 0a                 my message.
```

- GetTime:

```bash=
sudo tpm2_clear
sudo tpm2_createprimary -C e -c primary.ctx
sudo tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx
sudo tpm2_load -C primary.ctx -u rsa.pub -r rsa.priv -c rsa.ctx
sudo tpm2_gettime -c rsa.ctx -o attest.sig --attestation attest.data
```

# Appendix

## Supported Commands

```
TPM2_CC_NV_UndefineSpaceSpecial
TPM2_CC_EvictControl
TPM2_CC_HierarchyControl
TPM2_CC_NV_UndefineSpace
TPM2_CC_ChangeEPS
TPM2_CC_ChangePPS
TPM2_CC_Clear
TPM2_CC_ClearControl
TPM2_CC_ClockSet
TPM2_CC_HierarchyChangeAuth
TPM2_CC_NV_DefineSpace
TPM2_CC_PCR_Allocate
TPM2_CC_SetPrimaryPolicy
TPM2_CC_ClockRateAdjust
TPM2_CC_CreatePrimary
TPM2_CC_NV_Increment
TPM2_CC_NV_SetBits
TPM2_CC_NV_Extend
TPM2_CC_NV_Write
TPM2_CC_NV_WriteLock
TPM2_CC_DictionaryAttackLockReset
TPM2_CC_DictionaryAttackParameters
TPM2_CC_NV_ChangeAuth
TPM2_CC_PCR_Event
TPM2_CC_PCR_Reset
TPM2_CC_SequenceComplete
TPM2_CC_IncrementalSelfTest
TPM2_CC_SelfTest
TPM2_CC_Startup
TPM2_CC_Shutdown
TPM2_CC_StirRandom
TPM2_CC_ActivateCredential
TPM2_CC_Certify
TPM2_CC_PolicyNV
TPM2_CC_CertifyCreation
TPM2_CC_Duplicate
TPM2_CC_GetTime
TPM2_CC_GetSessionAuditDigest
TPM2_CC_NV_Read
TPM2_CC_NV_ReadLock
TPM2_CC_ObjectChangeAuth
TPM2_CC_PolicySecret
TPM2_CC_Create
TPM2_CC_ECDH_ZGen
TPM2_CC_HMAC
TPM2_CC_Import
TPM2_CC_Load
TPM2_CC_Quote
TPM2_CC_RSA_Decrypt
TPM2_CC_HMAC_Start
TPM2_CC_SequenceUpdate
TPM2_CC_Sign
TPM2_CC_Unseal
TPM2_CC_PolicySigned
TPM2_CC_ContextLoad
TPM2_CC_ContextSave
TPM2_CC_ECDH_KeyGen
TPM2_CC_FlushContext
TPM2_CC_LoadExternal
TPM2_CC_MakeCredential
TPM2_CC_NV_ReadPublic
TPM2_CC_PolicyAuthorize
TPM2_CC_PolicyAuthValue
TPM2_CC_PolicyCommandCode
TPM2_CC_PolicyCounterTimer
TPM2_CC_PolicyCpHash
TPM2_CC_PolicyLocality
TPM2_CC_PolicyNameHash
TPM2_CC_PolicyOR
TPM2_CC_PolicyTicket
TPM2_CC_ReadPublic
TPM2_CC_RSA_Encrypt
TPM2_CC_StartAuthSession
TPM2_CC_VerifySignature
TPM2_CC_ECC_Parameters
TPM2_CC_GetCapability
TPM2_CC_GetRandom
TPM2_CC_GetTestResult
TPM2_CC_Hash
TPM2_CC_PCR_Read
TPM2_CC_PolicyPCR
TPM2_CC_PolicyRestart
TPM2_CC_ReadClock
TPM2_CC_PCR_Extend
TPM2_CC_NV_Certify
TPM2_CC_EventSequenceComplete
TPM2_CC_HashSequenceStart
TPM2_CC_PolicyDuplicationSelect
TPM2_CC_PolicyGetDigest
TPM2_CC_TestParms
TPM2_CC_Commit
TPM2_CC_PolicyPassword
TPM2_CC_PolicyNvWritten
TPM2_CC_PolicyTemplate
TPM2_CC_CreateLoaded
TPM2_CC_PolicyAuthorizeNV
TPM2_CC_FieldUpgradeStart
```

## Cannot Use AES Encryption Independently

* https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_encryptdecrypt.1.md

```bash=
sudo rm -rf ./*
sudo tpm2_clear
sudo tpm2_createprimary -c primary.ctx
sudo tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
sudo tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
echo "my secret" > secret.dat
sudo tpm2_encryptdecrypt -c key.ctx -o secret.enc secret.dat
sudo tpm2_encryptdecrypt -d -c key.ctx -o secret.dec secret.enc
cat secret.dec
```

:::danger
ERROR: Unable to run tpm2_encryptdecrypt
:::

The AES key object itself is created and loaded without complaint; it is the `tpm2_encryptdecrypt` call that fails. The Supported Commands list above contains neither `TPM2_CC_EncryptDecrypt` nor `TPM2_CC_EncryptDecrypt2`, so this SLB9670 firmware rejects the command with `TPM_RC_COMMAND_CODE` (the `0x143` in the `0x000b0143` below; the `0x000b` layer only marks that the error was returned through the tpm2-tss resource manager, which is what `rmt:error(2.0)` means). Symmetric encryption with this chip therefore has to happen on the host; the TPM can still protect the key (for example with `TPM2_CC_Create` sealing and `TPM2_CC_Unseal`, both in the list).

```bash=
pi@pi-lab:~/test $ sudo rm -rf ./*
pi@pi-lab:~/test $ sudo tpm2_clear
pi@pi-lab:~/test $ sudo tpm2_createprimary -c primary.ctx
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt
  raw: 0x30072
type:
  value: rsa
  raw: 0x1
exponent: 0x0
bits: 2048
scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: cfb
  raw: 0x43
sym-keybits: 128
rsa: a301dd19cd85156451c6aec0c1f99550aecef9ff5212c33b0d1df84c302a26cf0e0f2d2da9578f3a57675cb463c1c27aed4624766ec0596c1b157141c15e4519c40a6c4636b3e33a8ba87fc0fd2256fd1181d300bcbc6df72985490acdce9fb13b7ccb8ad21fa6c3061a35de997065159b47ae7e11654b356f2df2ed6e8fef158c20da5dac02510be0d4d0d2f3b2be17b540a3ee25f0ade86c95705e6889ea4b5a5c47491107340c6d727d2e601a164fd8c4637e75789351d7af4ed4e5fafdc69cb5181a7b001ba500f5ca020d8e1915309f027596425fb951a6642470a296a3ccfac3ab0ece85c274ac4980fb462010e146e7127ce3ffea6e022266c5b44d33
pi@pi-lab:~/test $ sudo tpm2_create -C primary.ctx -Gaes128 -u key.pub -r key.priv
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign
  raw: 0x60072
type:
  value: symcipher
  raw: 0x25
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: null
  raw: 0x10
sym-keybits: 128
symcipher: e3df325bd4af5afc0e4f8388354f73215d6a0babfa9a46698a0dc6640a06a42e
# =================================
pi@pi-lab:~/test $ sudo tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
name: 000b0d862804747e4b62f9372c3024ee50634c5cfd6a336071350c96490245bb5dbe
pi@pi-lab:~/test $ echo "my secret" > secret.dat
pi@pi-lab:~/test $ ls
key.ctx  key.priv  key.pub  primary.ctx  secret.dat
pi@pi-lab:~/test $ cat secret.dat
my secret
pi@pi-lab:~/test $ sudo tpm2_encryptdecrypt -c key.ctx -o secret.enc secret.dat
WARN: Using a weak IV, try specifying an IV
WARNING:esys:src/tss2-esys/api/Esys_EncryptDecrypt2.c:322:Esys_EncryptDecrypt2_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EncryptDecrypt2.c:107:Esys_EncryptDecrypt2() Esys Finish ErrorCode (0x000b0143)
WARNING:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:328:Esys_EncryptDecrypt_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_EncryptDecrypt.c:110:Esys_EncryptDecrypt() Esys Finish ErrorCode (0x000b0143)
ERROR: Esys_EncryptDecrypt(0xB0143) - rmt:error(2.0): command code not supported
ERROR: Unable to run tpm2_encryptdecrypt
```

## My Device

- Raspberry Pi 4

```bash=
pi@pi-lab:~ $ cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

processor       : 1
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

processor       : 2
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

processor       : 3
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

Hardware        : BCM2711
Revision        : d03114
Serial          : 10000000ff64bdd3
Model           : Raspberry Pi 4 Model B Rev 1.4
```

```bash=
pi@pi-lab:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
```

- TPM

```bash=
pi@pi-lab:~ $ sudo eltt2 -gc
TPM capability information of fixed properties:
=========================================================
TPM_PT_FAMILY_INDICATOR:        2.0
TPM_PT_LEVEL:                   0
TPM_PT_REVISION:                138
TPM_PT_DAY_OF_YEAR:             8
TPM_PT_YEAR:                    2018
TPM_PT_MANUFACTURER:            IFX
TPM_PT_VENDOR_STRING:           SLB9670
TPM_PT_VENDOR_TPM_TYPE:         0
TPM_PT_FIRMWARE_VERSION:        7.85.4555.0

TPM_PT_MEMORY:
=========================================================
Shared RAM:                     0 CLEAR
Shared NV:                      1 SET
Object Copied To Ram:           1 SET

TPM_PT_PERMANENT:
=========================================================
Owner Auth Set:                 0 CLEAR
Sendorsement Auth Set:          0 CLEAR
Lockout Auth Set:               0 CLEAR
Disable Clear:                  0 CLEAR
In Lockout:                     0 CLEAR
TPM Generated EPS:              0 CLEAR

Clock info:
=========================================================
Time since the last TPM_Init:               8375913 ms = 0 y, 0 d, 2 h, 19 min, 35 s, 913 ms
Time during which the TPM has been powered: 1185236 ms = 0 y, 0 d, 0 h, 19 min, 45 s, 236 ms
TPM Reset since the last TPM2_Clear:        0
Number of times that TPM2_Shutdown:         0
Safe:                                       1 = Yes
```
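## AES Preflight and Sealed-Key Fallback

For the failure shown under Cannot Use AES Encryption Independently, here is an added example (my own script, not from the original page or the tpm2-tools project): it reads a saved `tpm2_getcap commands` listing, decides whether `tpm2_encryptdecrypt` can work on this chip, and otherwise keeps the AES on the host while the TPM protects the key through sealing (`TPM2_CC_Create` with `-i`, later `TPM2_CC_Unseal`, both in the Supported Commands list). The file names (`aes.key`, `iv.bin`, `seal.pub`, `seal.priv`, `seal.ctx`), the listing format, and the presence of `primary.ctx` from the steps above are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Preflight for the AES step:
# check the `tpm2_getcap commands` listing for TPM2_CC_EncryptDecrypt and, when
# it is missing (the SLB9670 case in the Appendix), seal a TPM-generated AES
# key to the TPM and do the AES itself with OpenSSL. File names are assumptions.

# tpm_has_command NAME < listing : exit 0 if an entry for NAME begins a line.
# Assumes each entry starts with the name followed by ':' (tpm2-tools 4.x
# YAML output) or by whitespace / end of line (a plain name-per-line list).
tpm_has_command() {
    grep -q -E "^$1(:|[[:space:]]|$)"
}

# choose_aes_path LISTING_FILE : prints "tpm" or "host".
choose_aes_path() {
    if tpm_has_command TPM2_CC_EncryptDecrypt  < "$1" ||
       tpm_has_command TPM2_CC_EncryptDecrypt2 < "$1"; then
        echo tpm
    else
        echo host
    fi
}

# Constructed sample listing: a subset of the Appendix names written the way
# tpm2-tools prints entry keys. EncryptDecrypt is deliberately absent.
sample_listing() {
    printf '%s:\n' TPM2_CC_Create TPM2_CC_Load TPM2_CC_Unseal \
                   TPM2_CC_RSA_Encrypt TPM2_CC_GetRandom
}

# seal_key_and_encrypt FILE : host-side fallback using only listed commands
# (GetRandom, Create, Load; Unseal to recover the key). Needs /dev/tpm0,
# tpm2-tools 4.x, openssl, xxd and primary.ctx from the steps above.
seal_key_and_encrypt() {
    tpm2_getrandom 32 -o aes.key                      # key from the TPM RNG
    tpm2_create -C primary.ctx -i aes.key -u seal.pub -r seal.priv
    tpm2_load   -C primary.ctx -u seal.pub -r seal.priv -c seal.ctx
    tpm2_getrandom 16 -o iv.bin
    openssl enc -aes-256-cbc -K "$(xxd -p -c 32 aes.key)" \
        -iv "$(xxd -p -c 16 iv.bin)" -in "$1" -out "$1.enc"
    rm -f aes.key   # recover it later with: tpm2_unseal -c seal.ctx -o aes.key
}

# Entry point: sh aes_preflight.sh LISTING FILE  (LISTING = saved getcap output)
if [ "$#" -eq 2 ]; then
    case "$(choose_aes_path "$1")" in
        tpm)  tpm2_encryptdecrypt -c key.ctx -o "$2.enc" "$2" ;;
        host) seal_key_and_encrypt "$2" ;;
    esac
fi
```

Run it as root (or as a user with access to `/dev/tpm0`) after `sudo tpm2_getcap commands > listing`, as in the Check step above.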