EP-0149: Difference between revisions

From 52Pi Wiki
Revision as of 13:44, 30 August 2021

TPM9670 Module for Raspberry Pi

Descriptions

The TPM9670 is an add-on GPIO TPM module for the Raspberry Pi platform based on an Infineon Optiga™ SLB 9670 TPM 2.0. It is compatible with all Raspberry Pi models, including the Raspberry Pi 4. Device tree overlay support is available with Raspbian kernel >= 4.14.85. We offer customization services / custom designs starting at just 100 units. The module is compatible with Windows 10 IoT (on Pi 2 / 3). It is shipped with firmware versions >= 7.85 for TPM 2.0.

A TPM is a cryptographic processor present on most commercial PCs and servers. Ubiquitous in nature, it can be used for a wide variety of use cases, such as storing keys for VPN access and encryption keys for hard disks, or preventing dictionary attacks to retrieve private keys. While a typical TPM provides several cryptographic capabilities, three key features are relevant for this post:

  • Establishing a root of trust
  • Secure boot
  • Device identification

Secure boot

A secured boot builds on the underlying notion of a root of trust to protect the boot process on the device from being compromised. The whole process by which the trustworthiness of a device is established right from the chip is called a “Secure Boot”. If the chain of trust is broken, the boot process is aborted and the device attempts to go back to its last known good state. A measured boot is an extension of the secured boot process in which the device does not halt the boot process. Instead, it records the identity of each component that participates in the boot process so that these component identities can be verified later against a list of approved component identities for that device. These two processes are illustrated in the following diagram.

[Figure: Secured boot and measured boot]


Typical sequence of a measured boot

A typical sequence of a measured boot is as follows:

  • The boot ROM acts as the root of trust.
  • Upon a device reset, each image that forms part of the boot sequence is validated (measured) before execution.
  • The measurements are stored in a TPM.
  • Each measurement serves as the proxy for the root of trust for the subsequent step in the boot sequence.
  • Normally, only critical and security-sensitive processes and configuration files are considered for the measurement.
  • After the security-sensitive processes are completed, the device enters the unmeasured boot stage before entering normal system operation state.
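The sequence above can be modelled in a few lines. This is an added example, not code from the 52Pi wiki or from Infineon: it simulates the TPM extend operation in software (new PCR = SHA-256 of the old PCR followed by the measurement digest) and then checks a measurement log against an approved list. The stage names and image contents are constructed placeholders.

```python
import hashlib

def measure(image: bytes) -> bytes:
    """Measurement of a boot component: its SHA-256 digest."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA-256(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log) -> bytes:
    """Recompute the final PCR value from an ordered measurement log."""
    pcr = bytes(32)  # boot-measurement PCRs start at all zeros after reset
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def verify(event_log, reported_pcr: bytes, approved: dict) -> list:
    """Return a list of problems; an empty list means the boot is trusted."""
    problems = []
    if replay(event_log) != reported_pcr:  # log must reproduce the PCR
        problems.append("log does not match reported PCR")
    # Each logged component must be on the approved list for this device.
    for name, digest in event_log:
        if approved.get(name) != digest:
            problems.append(f"unapproved component: {name}")
    return problems

# Constructed sample images (placeholders, not real boot files).
STAGES = [("bootloader", b"bootloader v1"), ("kernel", b"kernel 5.10"),
          ("config", b"dtoverlay=tpm-slb9670")]
APPROVED = {name: measure(image) for name, image in STAGES}

def boot(stages):
    """Simulate a measured boot: measure each stage, extend, keep a log."""
    log, pcr = [], bytes(32)
    for name, image in stages:
        digest = measure(image)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return log, pcr

if __name__ == "__main__":
    good_log, good_pcr = boot(STAGES)
    print(verify(good_log, good_pcr, APPROVED))  # clean boot
    bad = [STAGES[0], ("kernel", b"kernel 5.10 modified"), STAGES[2]]
    bad_log, bad_pcr = boot(bad)
    print(verify(bad_log, bad_pcr, APPROVED))    # modified kernel is named
    print(verify(good_log, bad_pcr, APPROVED))   # edited log fails replay
```

Because each extend hashes the previous PCR value, the final value depends on every measurement and on their order, which is why a log that omits or alters one entry cannot reproduce the PCR.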

Device identification

In IoT solution deployments, it is important to check the identity of the device that is communicating with the messaging gateway. The usual method is to generate key pairs for the devices, which are then used to authenticate and encrypt the traffic. However, key pairs residing on the disk are susceptible to tampering. The TPM steps in here by storing the keys in tamper-resistant hardware. The keys are generated inside the TPM itself and are thereby protected from being retrieved by external programs. In fact, even without harnessing the capabilities of a hardware root of trust and secure boot, the TPM is also valuable just as a hardware key store. The private keys are protected by the hardware and offer far better protection than a software key.

Features

  • Easy to install
  • Infineon Optiga™ SLB 9670 TPM 2.0
  • Compliant with TPM Specification 2.0 Rev. 01.38
  • Firmware >= 7.85
  • TRNG (True Random Number Generator): a hardware random number generator.
  • Storing keys for VPN access
  • Encryption keys for hard disks
  • Preventing dictionary attacks to retrieve private keys

Package Includes

  • 1 x TPM9670 Module for Raspberry Pi

How to use

This integration requires the following components:

  • A Raspberry Pi running Raspbian Stretch. (Raspberry Pi 4B will be better.)
  • Infineon TPM9670 module (SLB 9670)
  • OS info: Raspbian GNU/Linux 10 (buster)
  • Kernel Version: 5.10.17-v7l+ #1421
  • Device info: Raspberry Pi 4B 4GB

Getting Started

  • The Infineon OPTIGA™ TPM uses the SPI interface to connect to the Pi on the GPIO pins. Once the OPTIGA™ TPM is plugged into the Pi, it should look as follows:

[Image: OPTIGA™ TPM plugged into the Raspberry Pi]

  • Go through the following steps to validate the initial setup of the TPM and to check if the Raspberry Pi is able to recognize the TPM on reboot. Reboot your Raspberry Pi and check that /dev/tpm0 is available.
  • Update your system with the following command:
    sudo apt update && sudo apt upgrade
  • Install the latest kernel using the following command:
    sudo rpi-update
  • Edit /boot/config.txt and add the following line:
    dtoverlay=tpm-slb9670
  • Enable SPI using the `raspi-config` tool: navigate to `Interface Options` -> `SPI` -> `Enable` -> `YES`:
    sudo raspi-config
  • Reboot the Raspberry Pi after configuring.
    sudo reboot
  • Check if `/dev/tpm0` is available.
[Image: Tpm9670device.png]


  • A detailed verification can also be done by running a small utility, eltt2, provided by Infineon Technologies AG and available on GitHub. All of the following setup packages are created and built under the infineon-tpm directory.
    mkdir infineon-tpm
    cd infineon-tpm/
    git clone https://github.com/infineon/eltt2
    cd eltt2
    make
    sudo ./eltt2 -g
    cd ..
[Image: Tpm9670eltt2result.png]
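When `/dev/tpm0` does not show up after the reboot, the first thing to check is whether the configuration steps above actually took effect. The following is an added example, not part of the original wiki page: it inspects the text of `/boot/config.txt` and the device directory. It assumes that the `raspi-config` SPI option writes `dtparam=spi=on`, and it does not evaluate `[pi4]`-style conditional filters.

```python
import os

# Settings the procedure above should leave active in /boot/config.txt.
# dtparam=spi=on is assumed to be what raspi-config's SPI option writes.
REQUIRED = ("dtparam=spi=on", "dtoverlay=tpm-slb9670")

def active_settings(config_text: str) -> set:
    """Return the uncommented settings in a config.txt, whitespace removed."""
    active = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].replace(" ", "").strip()
        if line and not line.startswith("["):  # skip [pi4]-style filters
            active.add(line)
    return active

def check_tpm_setup(config_text: str, dev_dir: str = "/dev") -> list:
    """Return a list of findings; an empty list means the setup looks right."""
    findings = []
    active = active_settings(config_text)
    for setting in REQUIRED:
        if setting not in active:
            findings.append(f"config.txt: {setting} is missing or commented out")
    if not os.path.exists(os.path.join(dev_dir, "tpm0")):
        findings.append("tpm0 device node not found")
    return findings

# Constructed sample: the SPI line is still commented out.
SAMPLE_BAD = """\
#dtparam=spi=on
dtoverlay=tpm-slb9670
"""

if __name__ == "__main__":
    with open("/boot/config.txt") as f:
        for finding in check_tpm_setup(f.read()):
            print(finding)
```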


Documentation

Keywords

  • TPM9670 Module, Trusted Platform module, Raspberry Pi, SLB 9670, SLI 9670 and SLM 9670