
More Hardware: LetsTrust-TPM2Go

Hello and welcome back,

today I want to present my new product: LetsTrust-TPM2Go!

LetsTrust-TPM2Go is a USB 2.0 stick with a built-in TPM. It is meant for use with a Mac, a Linux PC, or single-board computers with USB-A ports.
Why did I design it? To simplify development of applications with TPM support when your embedded device is not ready yet, or when the only free ports on your target device are USB.




Features:

- Infineon Optiga™ SLB 9670 TPM 2.0
- TCG Spec 2.0 Rev. 01.38
- SLB9670 with FW >= 7.85, known from the LetsTrust-TPM
- USB 2.0 to SPI bridge based on the Cypress CY7C65211
- libusb compatible
- Tested with https://github.com/tpm2-software/
- Planned TCTI driver in tpm2-tss for "plug and play" usage
- Designed and manufactured in Bavaria, Germany
- 2 LEDs under user control; by default they show "USB RX activity" and "valid config loaded"
- Transparent ABS housing for the PCB


Preorders are open now, you'll find the LetsTrust-TPM2Go here: https://buyzero.de/products/letstrust-tpm2go-usb-2-0?variant=37122157510836




Bye for now!


Paul
Categories: TPM

A recommendation!

Hello and welcome,

today I want to introduce Johannes Holland, a really nice guy, MSc, and TPM addict.
I know Johannes personally; he also tested and validated the first revision of the LetsTrust-Arduino adapter, for which I am grateful to this day!

And you all know Peter Huewe? He was the driving force behind this.

At the next Open Source Summit, Johannes and Peter will speak about the TSS FAPI, and the abstract promises an informative session.

The abstract:
Nowadays, virtually all consumer PCs/laptops contain a TPM2.0 security chip, the Trusted Platform Module. Moreover, the TPM finds its way into more and more modern embedded devices. But what is the TPM and how can we use it on Linux? The TPM has the potential to enhance security in a variety of use cases ranging from SSH, VPN, disk encryption, and more. Since it is so powerful, it may be hard to use at times. But do not fret - the tpm2-software project, especially its new TPM Software Stack (TSS) Feature API (FAPI) library, enables anyone to use the TPM. This talk gives an introduction on how to use the TPM the easy way, using recent contributions to the TPM ecosystem like the TSS FAPI. After a brief overview of the involved hard- and software, this talk will dive into how to get started with the TPM and show how it can be used to perform fundamental security tasks. Afterwards, recent additions like the TPM PKCS11 middleware and the OpenSSL engine will be presented - enabling TPM integration, perhaps without writing a single line of code. In the end, the TPM open source ecosystem will be discussed, and how to become part of it. Want to start hacking? We got you.



Here is the link to the session:
https://osseu2020.sched.com/event/eCJc/using-the-tpm-its-not-rocket-science-anymore-johannes-holland-peter-huewe-infineon-technologies-ag


Bye for now!

Paul

Categories: TPM

A second recommendation!

Hello and welcome!

Today a pointer to the tpm.dev miniConf (online).

Short facts:
2 days
10 speakers
7 am PDT / 17:00 EEST, 21st of October
7 am PDT / 17:00 EEST, 22nd of October

The speakers come from tpm.dev, IBM, 3mdeb, wolfSSL, Nokia Bell Labs, Google, Intel and Red Hat!

The schedule:

Day 1 - 21st of October

7 am PDT / 17:00 EEST
Making Remote Attestation a mass practice
Dimitar Tomov, Founder of TPM.dev

8 am PDT / 18:00 EEST
TBC / Trusted Computing and UEFI
Ken Goldman, IBM

9 am PDT / 19:00 EEST
Trustworthy 2020 Platforms: Mighty Mini AMD for Digital Work, Play, and Currencies
Piotr Król, 3mdeb

10 am PDT / 20:00 EEST
(working title) Real-life examples of wolfTPM and wolfBoot
David Garske, wolfSSL

Day 2 - 22nd of October

7 am PDT / 17:00 EEST
Attestation meets Safety-Critical Systems
Ian Oliver, Nokia Bell Labs

8 am PDT / 18:00 EEST
Remote Attestation at Enterprise Scale
Matthew Garrett, Google

9 am PDT / 19:00 EEST
TBC / What’s next for TSS2, FAPI and PKCS 11
William Roberts, Intel

10 am PDT / 20:00 EEST
The Secure Enclaves and Attestation
Ilhan Gurel

11 am PDT / 21:00 EEST
An introduction to Keylime’s Remote Attestation
Michael Peters, Red Hat


https://developers.tpm.dev/events/day1-tpmdev-miniconf-2020?instance_index=20201021T140000Z

https://developers.tpm.dev/events/day2-tpmdev-miniconf-2020?instance_index=20201022T140000Z


I will join. Will you?

Please also read the next recommendation, for the end of October: https://letstrust.de/archives/34-A-recommendation!.html

Bye for now!

Paul


Categories: TPM

New Project! PoC: Zephyr TPM2 Software Stack

Hello and welcome,

I got a link from a good friend of mine, and I want to share it with you:

https://github.com/drandreas/zephyr-tpm2-poc

Proof of Concept: Zephyr TPM2 Software Stack
Overview

This repo tests the requirements (Code size and Memory size) for running tpm2-tss on Zephyr. The PoC is implemented on top of the Enhanced System API (ESAPI), since the Feature API (FAPI) adds additional dependencies to JSON-C and OpenSSL. Moreover, the tpm2-tools are also implemented on top of ESAPI, therefore the ESAPI should be sufficient.

And I'm really proud to see the first public project that uses the new Arduino2LetsTrust header. (I'll introduce the Arduino adapter in the next few days.)


Bye for now!

Paul
Categories: TPM

tpm.dev

Hello and welcome back!

Today I'm really happy and proud to introduce a new community around TPMs:

https://tpm.dev/

tpm.dev was founded by Dimitar Tomov, a smart guy who wants the same thing I do: to make the world a little more secure.

tpm.dev wants to be a platform:
to discuss security topics (mostly TPM related),
to get help if you are stuck on your project (instead of an old-school mailing list),
to collect useful material around TPMs and the open source software for them.

And during the lockdown there is a fun little meetup every Wednesday over MS Teams. Really interesting people are there (some of them are customers of LetsTrust-TPMs ^__^).


So feel free to join the community!

Bye for now!

Paul

Categories: TPM

New fun fact!

Welcome back!

A few weeks ago Mr. M.P. wrote me an email with the question: is it possible to drive two TPMs on one Pi (4)?

Mr. M. wants to drive one native TPM for the Pi and a second TPM as a remote vTPM for a client application.

So I tested the hardware setup for Mr. M.; it took a few minutes and combines these two posts:
1) https://letstrust.de/archives/23-Move-LetsTrust-TPMs-to-CS0.html
2) https://letstrust.de/archives/20-Mainline.html

Here are the results:

Electrical and mechanical setup: [image]

Hardware configuration of the two TPMs: [image]

You'll need two TPMs, one of them with the 0 Ohm resistor moved to position CS0. [1]

Linux log: [image]

I hope this will be helpful for you, too.
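As an added example, not taken from this post or from the Raspberry Pi firmware, here is a device-tree overlay source that describes the software side of this setup: both chip selects of spi0 freed from spidev and one slb9670 node per TPM. The node layout and the spi-max-frequency value follow the structure of the stock tpm-slb9670 overlay (an assumption on my side; compare with the decompiled /boot/overlays/tpm-slb9670.dtbo on your system). The name tpm-slb9670-dual is mine.

```dts
/dts-v1/;
/plugin/;

/* Added example: two LetsTrust-TPMs on spi0 of a Raspberry Pi.
 * TPM A has its 0 Ohm resistor moved to CS0 (CE0, GPIO 8),
 * TPM B is an unmodified module on its default CS1 (CE1, GPIO 7). */
/ {
    compatible = "brcm,bcm2835";

    /* spidev normally claims both chip selects of spi0; disable both. */
    fragment@0 {
        target = <&spidev0>;
        __overlay__ {
            status = "disabled";
        };
    };

    fragment@1 {
        target = <&spidev1>;
        __overlay__ {
            status = "disabled";
        };
    };

    fragment@2 {
        target = <&spi0>;
        __overlay__ {
            #address-cells = <1>;
            #size-cells = <0>;
            status = "okay";

            /* TPM A: resistor on CS0 */
            slb9670_0: slb9670@0 {
                compatible = "infineon,slb9670";
                reg = <0>;                    /* SPI chip select 0 */
                spi-max-frequency = <32000000>;
                status = "okay";
            };

            /* TPM B: default CS1 */
            slb9670_1: slb9670@1 {
                compatible = "infineon,slb9670";
                reg = <1>;                    /* SPI chip select 1 */
                spi-max-frequency = <32000000>;
                status = "okay";
            };
        };
    };
};
```

Compile it with dtc -@ -I dts -O dtb -o tpm-slb9670-dual.dtbo tpm-slb9670-dual.dts (the -@ keeps the label references resolvable at load time), copy the .dtbo to /boot/overlays/ and add dtoverlay=tpm-slb9670-dual to /boot/config.txt. After a reboot, expect /dev/tpm0 and /dev/tpm1 (plus the matching /dev/tpmrm* resource-manager nodes); dmesg shows one tpm_tis_spi probe line per device, naming spi0.0 and spi0.1, which tells you which /dev/tpmN belongs to which chip select.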


Bye for now!

Paul


[1]
References:
https://letstrust.de/archives/24-Hardware-update!.html
https://letstrust.de/uploads/letstrust-v2.2.placement.cs0.pdf
https://letstrust.de/uploads/letstrust-v2.2.placement.cs1.pdf
Categories: TPM

A new project is online!

Hello and welcome back!

Today I'll introduce you to a new TPM project.

Pierre Fontaine combines a Raspberry Pi, Yocto and a TPM.
He invested a lot of time in his project, and I want to honour his work with a blog post here. Here is a quote from his website:

The Raspberry, Yocto Project and The TPM!

Overview
In the cybersecurity field we need to play with crypto primitives. It allows us to authenticate for services (ssh, vpn ...), encrypt files for confidentiality, sign mail for proving your identity to the recipient, and even securing the boot of a complex device ...

So you do need to store keys and use crypto algorithms such as RSA, ECDH, AES compliant with some criteria (industry, military, medical ...).
[1]

Thank you, Pierre, for sharing your knowledge!

Here is the link:
Raspberry Pi, Yocto and a TPM


Bye for now!

Paul



[1] © Copyright 2019. Jerome Blanchard, Romain Brenaget and Pierre Fontaine
Categories: TPM

aws iot greengrass with TPMs

Welcome to the November of posts,

Today: Using a Trusted Platform Module for endpoint device security in AWS IoT Greengrass!

The credits go to:
the Infineon guys, who built an example for using a TPM through PKCS#11 in an AWS IoT Greengrass environment and shared it on GitHub [1],
and Krishnan Ganapathy from Amazon Web Services, who wrote a blog article about it [2].


Thanks for the great work!

Bye for now!

Paul

[1] https://github.com/Infineon/amazon-greengrass-hsi-optiga-tpm
[2] https://aws.amazon.com/de/blogs/iot/using-a-trusted-platform-module-for-endpoint-device-security-in-aws-iot-greengrass/



Categories: TPM

Move LetsTrust-TPMs to CS0

Welcome!

Lately I have received some questions about the chip-select configuration of the module:

how to move the default configuration of the LetsTrust-TPM from CS1 to CS0.

If you want to use the TPM on CS0 you must move (resolder) the 0 Ohm resistor to the open pads.

You'll see the difference if you open both PDFs:
letstrust-v2.2.placement.cs1.pdf
letstrust-v2.2.placement.cs0.pdf

If you don't want to compile the device-tree overlay yourself, copy tpm-slb9670-cs0.dtbo [1] to /boot/overlays/ and load it from /boot/config.txt
with the setting dtoverlay=tpm-slb9670-cs0


If you want to decompile, change and recompile the device tree for the slb9670 yourself (the paths assume the Pi's boot partition is mounted at /mnt/boot):

1) sudo apt-get install device-tree-compiler
2) dtc -I dtb -O dts -o /mnt/boot/overlays/tpm-slb9670.dts /mnt/boot/overlays/tpm-slb9670.dtbo
3) cp /mnt/boot/overlays/tpm-slb9670.dts /mnt/boot/overlays/tpm-slb9670-cs0.dts
4) edit tpm-slb9670-cs0.dts: the chip select is the reg property of the slb9670 node; change it (and the node's unit address) from 1 to 0, and disable spidev0 instead of spidev1
5) dtc -I dts -O dtb -o /mnt/boot/overlays/tpm-slb9670-cs0.dtbo /mnt/boot/overlays/tpm-slb9670-cs0.dts
[2][3]
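The edit in the middle of that procedure is easy to get half right (changing reg but not the spidev node leaves CS0 still claimed by spidev). As an added example that is not part of this post, the POSIX shell script below performs the CS1-to-CS0 rewrite on the overlay *source*, checks before and after which chip select the overlay declares, and compiles the result when dtc is installed. The embedded overlay text is a typed-in stand-in for the upstream tpm-slb9670-overlay.dts (an assumption on my side; diff it against your own decompiled copy), and all function names are mine.

```sh
#!/bin/sh
# Added example (not from the LetsTrust post or the Raspberry Pi firmware):
# rewrite the tpm-slb9670 overlay source from CS1 (CE1) to CS0 (CE0).
set -eu

# Constructed stand-in for the overlay source (assumption: same node names and
# values as the upstream tpm-slb9670-overlay.dts). Embedded so this runs offline.
SAMPLE_DTS='/dts-v1/;
/plugin/;

/ {
    compatible = "brcm,bcm2835";

    fragment@0 {
        target = <&spidev1>;
        __overlay__ {
            status = "disabled";
        };
    };

    fragment@1 {
        target = <&spi0>;
        __overlay__ {
            #address-cells = <1>;
            #size-cells = <0>;
            status = "okay";

            slb9670: slb9670@1 {
                compatible = "infineon,slb9670";
                reg = <1>;
                #address-cells = <1>;
                #size-cells = <0>;
                spi-max-frequency = <32000000>;
                status = "okay";
            };
        };
    };
};'

# cs_of: print the chip select an overlay source declares for the TPM node
# (the number inside its reg property). Empty output means no reg found.
cs_of() {
    sed -n 's/.*reg = <\([0-9]\)>;.*/\1/p' | head -n 1
}

# cs1_to_cs0: read a CS1 overlay source on stdin, write the CS0 variant on stdout.
# Three things change together: the spidev node to disable (spidev1 -> spidev0),
# the TPM node's unit address (slb9670@1 -> slb9670@0) and its reg (1 -> 0).
cs1_to_cs0() {
    sed -e 's/target = <&spidev1>;/target = <\&spidev0>;/' \
        -e 's/slb9670@1 {/slb9670@0 {/' \
        -e 's/reg = <1>;/reg = <0>;/'
}

# convert_overlay SRC DST: SRC is the CS1 overlay source, DST receives the CS0
# source. Refuses input that does not declare CS1, verifies the result declares
# CS0, and compiles DST to DST.dtbo when dtc (device-tree-compiler) is present.
convert_overlay() {
    src=$1
    dst=$2
    [ "$(cs_of < "$src")" = "1" ] || { echo "not a CS1 overlay: $src" >&2; return 1; }
    cs1_to_cs0 < "$src" > "$dst"
    [ "$(cs_of < "$dst")" = "0" ] || { echo "rewrite failed: $dst" >&2; return 1; }
    if command -v dtc >/dev/null 2>&1; then
        # -@ keeps label references (&spi0, &spidev0) resolvable when the
        # firmware applies the overlay at boot.
        dtc -@ -I dts -O dtb -o "${dst%.dts}.dtbo" "$dst"
    fi
}

# Usage (writes into a scratch directory; copy the .dtbo to /boot/overlays/ and
# set dtoverlay=tpm-slb9670-cs0 in /boot/config.txt afterwards):
#   printf '%s\n' "$SAMPLE_DTS" > /tmp/tpm-slb9670.dts
#   convert_overlay /tmp/tpm-slb9670.dts /tmp/tpm-slb9670-cs0.dts
```

One caveat when you follow the decompile-and-recompile route from the steps above instead: a decompiled .dtbo does not contain the `&spidev1` label in source form; the firmware overlays resolve such references through a `__fixups__` node, so the spidev name has to be edited in that node's string, while the reg and unit-address changes are the same as here.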


Bye for now!

Paul

[1]tpm-slb9670-cs0.dtbo
[2]tpm-slb9670.dts
[3]tpm-slb9670-cs0.dts

PS: this will only work on the Raspberry Pi 0 to 4.
Categories: TPM

Hardware update!

Hello!

I've updated the PCB design [1].

Now we have revision 2.2!

Changes from rev 2.0 to rev 2.2 [2]:
Added a 100 nF capacitor on the RESET line of the TPM for better POR (power-on reset) behaviour.
Changed pad 1 from octagon to square, to make pin 1 easier to identify.
Added tiny labels on every pin on the bottom side (except MISO/MOSI/CLK; there is no room for labels on those pins).

I added a legend to the schematics, for better reference if you want to use the TPM in your own hardware design.

Placement and schematic are in the right column.


Bye for now

Paul

[1] two months ago
[2] Revision 2.1 was never produced.
Categories: TPM