LetsTrust

Move LetsTrust-TPMs to CS0

Geschrieben von Paul Kissinger am Montag, 18. November 2019

Welcome!

The last time i get some questions about the chipselect configs for the module.

How you could move the default config from the LT-TPM CS1 to CS0.

If you want to use the TPM with CS0 you must change (resolder) the position of the 0Ohm Resistor to the open pads.

You'll see the difference if you open both pdfs:
letstrust-v2.2.placement.cs1.pdf
letstrust-v2.2.placement.cs0.pdf

If you don’t want to compile your device-tree-overlay by yourself, copy the tpm-slb9670-cs0.dtbo [1] to /boot/overlays/ and load the dtbo in the /boot/config.txt
over the setting dtoverlay=tpm-slb9670-cs0

If you want to decompile change and recompile the devicetree for the slb9670 for yourself:

1) sudo apt-get install device-tree-compiler
2) dtc -I dtb -O dts -o /mnt/boot/overlays/tpm-slb9670.dts /mnt/boot/overlays/tpm-slb9670.dtbo
3) cp mnt/boot/overlays/tpm-slb9670.dts /mnt/boot/overlays/tpm-slb9670-cs0.dts
4) dtc -I dts -O dtb -o /mnt/boot/overlays/tpm-slb9670-cs0.dtbo /mnt/boot/overlays/tpm-slb9670-cs0.dts
[2][3]

Bye for now!

Paul

[1]tpm-slb9670-cs0.dtbo
[2]tpm-slb9670.dts
[3]tpm-slb9670-cs0.dts

PS: this will only work on the Raspberry Pis 0-4

Hardware update!

Geschrieben von Paul Kissinger am Sonntag, 17. November 2019

Hello!

I've updated the pcb-design,[1]

Now we have the revision 2.2!

Changes from rev 2.0 to rev 2.2 [2]
Add 100nF capacitor on the RESET line of the TPM for a better POR (Power On Reset) behavior..
Change pad 1 from octagon to square, for better identify pin 1.
Add tiny labels on every pin on the bottom side (without MISO/MOSI/CLK, no place for the labels on these pins)

I added a legend in the schematics, for better reference if you want to use the TPM on your own Hardware design.

Placement and the schematic you will find in the right column.

Bye for now

Paul

[1] two months ago
[2] Revision 2.1 was never produced.

Project presentation - Keylime.dev

Geschrieben von Paul Kissinger am Samstag, 16. November 2019

Hello again,

in September this year I get mail from Luke Hinds, with some questions about the compatibility from LetsTrust-TPMs and RaspberryPis to check if will work for his project.

Now I proudly happy to link to this hilarious Project: keylime.dev

Quote from Keylime.dev:
“Keylime is about making TPM technology accessible for developers and users. It handles the complexity, you drive the use case!”

Thanks to Luke and all contributors of Keylime!

Bye for now,

Paul

vulnerability TPM-fail - LetsTrust-TPMs are not affected!

Geschrieben von Paul Kissinger am Donnerstag, 14. November 2019

Welcome back!

no I´m not dead, \o/ ,
but the vulnerability ---TPM-fail--- need my highest attention today.

The good news: LetsTrust-TPMs are not affected!

But I'm not a friend of “hiding” information:

The SLB9670 that we used on our PCBs has the same certification levels on Common Criteria EAL4+ and FIPS 140-2 as the fTPM from Intel and the ST33 from STM.

If I get new information of the Chip on our LetsTrust-TPMs, I'll post an update here.

UPDATE: Quote from http://tpm.fail/tpmfail.pdf

Our analysis reveals that Intel fTPM and the dedicated TPM
manufactured by STMicroelectronics leak information about
the secret nonce in elliptic curve signature schemes, which
can lead to efficient recovery of the private key. As discussed
in Section 6, we also observe non-constant-time behavior by
the TPM manufactured by Infineon which does not appear
to expose an exploitable vulnerability.

Bye for now

Paul

UPDATE: Reference: tpm.fail

Reference: zdnet.com

CVE-2019-11090 and impacts Intel's Platform Trust Technology (PTT).
CVE-2019-16863 and impacts the ST33 TPM chip made by STMicroelectronics.

Mainline

Geschrieben von Paul Kissinger am Sonntag, 14. April 2019

Hello TPM friends,

after more than 18 months of work, compiling, testing, tears, blood...

MAINLINE! \o/
(On the RPi repository)
Now you find the dto in the newest raspbian image, per default.

To activate the TPM on your Raspberry Pi you need only these simple commands:

sudo apt-get update
sudo apt-get upgrade
sudo nano /boot/config.txt

// and activate SPI with uncomment
"dtparam=spi=on"

// and load the TPM device tree overlay with
"dtoverlay=tpm-slb9670"

// save the config.txt

sudo reboot

// after the reboot

ls /dev/tpm0

// if you own a LetsTrust-TPM and plug it in the right way, you will get /dev/tpm0 in yellow letters

Thanks to all supportes

Bye for now!

Paul

Background of these blog

Geschrieben von Paul Kissinger am Freitag, 1. Februar 2019

Hello and Welcome!

I forgot these old post, the initial date in the database: 2017-05-10 01:00

Now, you may have fun with my old thoughts about the TPM market and the beginning of LetsTrust xD

(Expand to read the rest of this post)

"Background of these blog" vollständig lesen

Success!

Geschrieben von Paul Kissinger am Donnerstag, 6. Dezember 2018

Hello and welcome!

I´m really proud to introduce the new way to get your LetsTrust-TPM working with your Raspberry Pi!

Till the next Stretch update from the RasPi Foundation the way will be:

Step one:
Open a (whatever) term on your Pi.

Step two:
Run a "sudo rpi-update"

Step three:
Open the /boot/config.txt with "sudo nano /boot/config.txt"
and activate SPI with uncomment
"dtparam=spi=on"
and load the TPM device tree overlay with
"dtoverlay=tpm-slb9670"

Step four:
Plug your LetsTrust-TPM onto the right pins and reboot your Raspberry Pi

Step five:
Open a (whatever) term on your Pi and type "ls /dev/tpm0" and
/dev/tpm0 will appear in yellow letters!

Step six:
Be happy about your success!

Huge thanks to a friend of mine an ex colleague: Peter Hüwe.
He found this smart solution [1] for the Pull Request issues [2].

Thank you Phil Elwell for evaluation, identifying problems and finally merging the PR [3]

Bye for now!

Paul

[1] https://github.com/torvalds/linux/commit/2f7d8dbb11287cbe9da6380ca14ed5d38c9ed91f
[2] https://github.com/raspberrypi/linux/pull/2585#issue-195047458
[3] https://github.com/raspberrypi/linux/pull/2585#issuecomment-444077311

New Kernel 4.14.81

Geschrieben von Paul Kissinger am Donnerstag, 15. November 2018

Hello!
I´ve pached again, the new Raspbian Stretch image with Kernel 4.14.81 ~~.71~~/~~.49~~/~~.56~~/~~.66~~ and TPM support \o/

This Image is tested on:
- RaspiPi 0W
~~- RaspiPi 2b~~
~~- RaspiPi 3b~~
- RaspiPi 3b+

Some Links:
~~Image (~1.04 GB)~~(~1.7 GB)~~~~
~~Checksum md5~~
~~Checksum SHA256~~
~~Checksum SHA512~~

Have fun!

Bye for now!

Paul

Today: Stretch lite on this blog!

Geschrieben von Paul Kissinger am Donnerstag, 15. November 2018

UPDATE
Hello!
I´ve pached again, this time its a Raspbian Stretch LITE image with Kernel 4.14.81 ~~.71~~/~~.49~~/~~.56~~/~~.66~~ and TPM support \o/

This Image is tested on:
- RaspiPi 0W
- RaspiPi 3b+

The links with checksums:
Image (~403 MB)
Checksum md5
Checksum SHA256
Checksum SHA512

Have fun!

Bye for now!

Paul

New Linux Image!

Geschrieben von Paul Kissinger am Dienstag, 12. Juni 2018

UPDATE:
New RaspberryPi -> New Image!
All links are changed: Have fun!

Ein neuer RaspberryPi -> Ein neues Image!
Alle Links sind geändert: Viel spaß!

//German version below

Hello everybody,

months without new blog posts, please apoligize, I had so much to do the last months.

Now i´ved patched the last Raspbian-Image "Stretch" with the TPM-SPI-driver, you´ll find the Image on this LINK.
In this Image the eltt2 tool ist NOT pre compiled.

please use:

git clone https://github.com/Infineon/eltt2.git
cd eltt2
make
sudo ./eltt2 -g
sudo ./eltt2 -h

Have fun!

Bye for now!

Paul

// Deutsche Version

Hallo zusammen,

Monate ohne neue Blog-Postings, bitte entschuldigt, ich hatte einfach zu viel zu tun./

So, jetzt habe ich das letzte Raspbian-Image "Stretch" mit dem TPM-SPI-Treiber gepatcht, dieses findest du auf diesem LINK..

In diesem Image ist das eltt2-Tool NICHT vorkompiliert.

Um dies zu ändern:

git clone https://github.com/Infineon/eltt2.git
cd eltt2
make
sudo ./eltt2 -g
sudo ./eltt2 -h

Das wars für heute!

Paul