A hardware and Linux software look into a Trusted Platform Module authentication example for Linux.
Side story for Connect to AVNET iotconnect.io with Node-RED - part 10: Trusted Platform Module (TPM) Security.
- check the schematics
- run integration tests on the actual device, on Linux.
image source: TPM on Avnet SmartEdge, taken by me with a tablet and a magnifying glass
The TPM IC that I'm reviewing is the Infineon SLB 9670 (datasheet).
It is built into Avnet's SmartEdge IIoT Gateway. The SmartEdge is an industrial design based on a Raspberry Pi 3 Compute Module.
For standard Raspberry and Compute boards, there is an evaluation board from Infineon, with the same device (software instructions here).
image source: Infineon Evaluation Board for OPTIGA Trusted Platform Module documentation
I haven't buzzed out the connections on the SmartEdge yet. It definitely doesn't have the Reset jumper and the related button.
On the Infineon evaluation board, the pins are broken out like this:
image source: Infineon Evaluation Board for OPTIGA Trusted Platform Module documentation
The layout is not complex: the SPI lines, power, reset and interrupt.
The footprint isn't difficult either.
Linux Device
Although the IC is a SPI device, you do not talk to it directly on Linux.
When installed correctly, the 9670 driver (part of core Linux) uses a character device to interact:
Low level direct interaction is possible:
When you want to check the higher level APIs, check the source of the test suite in the next section.
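The low-level interaction mentioned above, as an added example (not code from the original post or from Infineon): it marshals a TPM2_GetRandom command and validates the response the way a raw client of the character device has to. The function names and the sample response are constructed for illustration; `/dev/tpm0` is the device path used for the hardware tests later on this page.

```python
import struct

TPM_ST_NO_SESSIONS = 0x8001      # tag: command/response without auth sessions
TPM_CC_GET_RANDOM = 0x0000017B   # command code of TPM2_GetRandom
TPM_RC_SUCCESS = 0x00000000
HEADER = struct.Struct(">HII")   # tag, total size, command or response code


def build_get_random(num_bytes: int) -> bytes:
    """Marshal a TPM2_GetRandom command (big-endian, 12 bytes in total)."""
    if not 0 < num_bytes <= 0xFFFF:
        raise ValueError("bytesRequested must fit a UINT16")
    body = struct.pack(">H", num_bytes)
    size = HEADER.size + len(body)
    return HEADER.pack(TPM_ST_NO_SESSIONS, size, TPM_CC_GET_RANDOM) + body


def parse_get_random(resp: bytes) -> bytes:
    """Validate the response header and return the TPM2B_DIGEST payload."""
    if len(resp) < HEADER.size:
        raise ValueError("short response: no complete header")
    tag, size, rc = HEADER.unpack_from(resp)
    if size != len(resp):
        raise ValueError(f"size field {size} != {len(resp)} bytes received")
    if rc != TPM_RC_SUCCESS:          # error responses are header-only
        raise RuntimeError(f"TPM returned response code 0x{rc:08X}")
    if tag != TPM_ST_NO_SESSIONS or size < HEADER.size + 2:
        raise ValueError("malformed success response")
    (count,) = struct.unpack_from(">H", resp, HEADER.size)
    data = resp[HEADER.size + 2:]
    if count != len(data):
        raise ValueError("TPM2B size does not match payload length")
    return data


def get_random(num_bytes: int, device: str = "/dev/tpm0") -> bytes:
    """Send the command to the character device (needs access rights to it)."""
    # buffering=0 gives a raw file object; the device is not seekable.
    with open(device, "r+b", buffering=0) as tpm:
        tpm.write(build_get_random(num_bytes))
        return parse_get_random(tpm.read(4096))


# Constructed sample response (not captured from a device): success, 4 bytes.
SAMPLE_RESPONSE = bytes.fromhex("8001" "00000010" "00000000" "0004" "deadbeef")

if __name__ == "__main__":
    print(build_get_random(4).hex())
    print(parse_get_random(SAMPLE_RESPONSE).hex())
```

`/dev/tpm0` accepts a single open at a time, so `get_random()` fails with a busy error while another process (for example a resource manager daemon) holds the device.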
Hardware test suite to test standard compliance
I have used the TPM module in a real scenario, using Avnet's IoTConnect SDK (the Python and Node-RED flavours).
There is also a test suite available on GitHub. As part of my review, I've cloned the repository, and executed the mandatory tests.
In order to complete the exercise, I had to update the AutoConfig version from within the tpm2-tss directory (instructions), and install these packages:
sudo apt install acl
sudo apt-get install libjson-c-dev
sudo apt-get install -y uthash-dev
Although not used, I had to download the software TPM simulator, make it and add the location of the binary to my path.
export PATH="/home/avnet/develop/tpm/ibmtpm1661/src:$PATH"
Then, I set up the sources, configured for testing the actual hardware device, and executed the tests:
./bootstrap
# prepare and run software - simulation test
./configure --enable-unit --enable-integration --enable-self-generated-certificate
make -j$(nproc) check
# prepare and run hardware test
./configure --with-device=/dev/tpm0 --with-devicetests="mandatory,optional"
sudo make check-device
image source: starting to run the "mandatory" TPM test suite on my actual hardware
Result of Mandatory and Optional tests on the Infineon hardware:
image source: starting to run the "mandatory" TPM test suite on my actual hardware
Results of the test with the software simulation, using the IBM TPM simulator:
image source: executing the "mandatory" TPM test suite with software simulator
This software emulator is not something to use in production, but it is a great tool for developing TPM software solutions on generic hardware.
One of the test logs:
The "failed to stop ..." line is normal. Because we use a hardware TPM IC and not a software simulation daemon, there is no process related to the simulator running.
Infineon Utilities
Infineon has an evaluation project on GitHub.
git clone https://github.com/Infineon/eltt2.git
cd eltt2
make