Skip to content

Hardware update!

Hello!

I've updated the pcb-design,[1]

Now we have the revision 2.2!

Changes from rev 2.0 to rev 2.2 [2]
Add 100nF capacitor on the RESET line of the TPM for a better POR (Power On Reset) behavior..
Change pad 1 from octagon to square, for better identify pin 1.
Add tiny labels on every pin on the bottom side (without MISO/MOSI/CLK, no place for the labels on these pins)

I added a legend in the schematics, for better reference if you want to use the TPM on your own Hardware design.

Placement and the schematic you will find in the right column.


Bye for now

Paul

[1] two months ago
[2] Revision 2.1 was never produced.
Categories: TPM

Project presentation - Keylime.dev

Hello again,

in September this year I get mail from Luke Hinds, with some questions about the compatibility from LetsTrust-TPMs and RaspberryPis to check if will work for his project.

Now I proudly happy to link to this hilarious Project: keylime.dev

Quote from Keylime.dev:
“Keylime is about making TPM technology accessible for developers and users. It handles the complexity, you drive the use case!”

Thanks to Luke and all contributors of Keylime!

Bye for now,

Paul
Categories: TPM

vulnerability TPM-fail - LetsTrust-TPMs are not affected!

Welcome back!

no I´m not dead, \o/ ,
but the vulnerability ---TPM-fail--- need my highest attention today.

The good news: LetsTrust-TPMs are not affected!

But I'm not a friend of “hiding” information:

The SLB9670 that we used on our PCBs has the same certification levels on Common Criteria EAL4+ and FIPS 140-2 as the fTPM from Intel and the ST33 from STM.

If I get new information of the Chip on our LetsTrust-TPMs, I'll post an update here.

UPDATE: Quote from http://tpm.fail/tpmfail.pdf

Our analysis reveals that Intel fTPM and the dedicated TPM
manufactured by STMicroelectronics leak information about
the secret nonce in elliptic curve signature schemes, which
can lead to efficient recovery of the private key. As discussed
in Section 6, we also observe non-constant-time behavior by
the TPM manufactured by Infineon which does not appear
to expose an exploitable vulnerability.




Bye for now

Paul

UPDATE: Reference: tpm.fail

Reference: zdnet.com

CVE-2019-11090 and impacts Intel's Platform Trust Technology (PTT).
CVE-2019-16863 and impacts the ST33 TPM chip made by STMicroelectronics.
Categories: TPM

Mainline

Hello TPM friends,

after more than 18 months of work, compiling, testing, tears, blood...

MAINLINE! \o/
(On the RPi repository)
Now you find the dto in the newest raspbian image, per default.

To activate the TPM on your Raspberry Pi you need only these simple commands:

sudo apt-get update
sudo apt-get upgrade
sudo nano /boot/config.txt

// and activate SPI with uncomment
"dtparam=spi=on"

// and load the TPM device tree overlay with
"dtoverlay=tpm-slb9670"

// save the config.txt

sudo reboot

// after the reboot

ls /dev/tpm0

// if you own a LetsTrust-TPM and plug it in the right way, you will get /dev/tpm0 in yellow letters


Thanks to all supportes :-)

Bye for now!

Paul

Success!

Hello and welcome!

I´m really proud to introduce the new way to get your LetsTrust-TPM working with your Raspberry Pi!

Till the next Stretch update from the RasPi Foundation the way will be:

Step one:
Open a (whatever) term on your Pi.

Step two:
Run a "sudo rpi-update"

Step three:
Open the /boot/config.txt with "sudo nano /boot/config.txt"
and activate SPI with uncomment
"dtparam=spi=on"
and load the TPM device tree overlay with
"dtoverlay=tpm-slb9670"

Step four:
Plug your LetsTrust-TPM onto the right pins and reboot your Raspberry Pi

Step five:
Open a (whatever) term on your Pi and type "ls /dev/tpm0" and
/dev/tpm0 will appear in yellow letters!

Step six:
Be happy about your success!

Huge thanks to a friend of mine an ex colleague: Peter Hüwe.
He found this smart solution [1] for the Pull Request issues [2].

Thank you Phil Elwell for evaluation, identifying problems and finally merging the PR [3]


Bye for now!

Paul


[1] https://github.com/torvalds/linux/commit/2f7d8dbb11287cbe9da6380ca14ed5d38c9ed91f
[2] https://github.com/raspberrypi/linux/pull/2585#issue-195047458
[3] https://github.com/raspberrypi/linux/pull/2585#issuecomment-444077311
Categories: TPM

New Linux Image!

UPDATE:
New RaspberryPi -> New Image!
All links are changed: Have fun!


Ein neuer RaspberryPi -> Ein neues Image!
Alle Links sind geändert: Viel spaß!


//German version below

Hello everybody,

months without new blog posts, please apoligize, I had so much to do the last months.

Now i´ved patched the last Raspbian-Image "Stretch" with the TPM-SPI-driver, you´ll find the Image on this LINK.
In this Image the eltt2 tool ist NOT pre compiled.

please use:

git clone https://github.com/Infineon/eltt2.git
cd eltt2
make
sudo ./eltt2 -g
sudo ./eltt2 -h


Have fun!

Bye for now!

Paul


// Deutsche Version

Hallo zusammen,

Monate ohne neue Blog-Postings, bitte entschuldigt, ich hatte einfach zu viel zu tun./

So, jetzt habe ich das letzte Raspbian-Image "Stretch" mit dem TPM-SPI-Treiber gepatcht, dieses findest du auf diesem LINK..

In diesem Image ist das eltt2-Tool NICHT vorkompiliert.

Um dies zu ändern:

git clone https://github.com/Infineon/eltt2.git
cd eltt2
make
sudo ./eltt2 -g
sudo ./eltt2 -h


Das wars für heute!

Paul


Categories: TPM

Updates!

//Germanversion below

Hello everybody,

currently there is a problem in the firmware of the TPM chip from Infineon which was installed on the LetsTrust TPM modules.

Information about the problem can be found at the following links:
https://www.infineon.com/TPM-update
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

Not affected are firmware versions >= 7.62.3126 for TPM 2.0.
You can check this under Linux with the eltt2 and the command "sudo ./eltt2 -g".

Unfortunately, there is currently no update tool which I could link here.


Max of pi3g has assured that he will take care of the rapid exchange of the modules.

Please note that when exchanging your module, all keys generated in the TPM and, of course, the stored keys will also be lost. Please take appropriate measures, for example, endcrypt your backups ^ __ ^.

Bye for now!

//German Version

Hallo allerseits,

aktuell gibt es ein Problem in der Firmware des TPM-Chips von Infineon welcher auf den LetsTrust-TPM-Modulen verbaut wurde.

Informationen zu dem Problem findest du unter folgende Links:
https://www.infineon.com/TPM-update
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

Nicht betroffen sind Firmwareversionen >= 7.62.3126 für TPM 2.0.
Prüfen kannst du dies unter Linux mit dem eltt2 und dem Befehl „sudo ./eltt2 –g“.

Leider gibt es aktuell noch kein Update-Tool welches ihr ich hier verlinken könnte.

Max von pi3g hat mit zugesichert, dass er sich um den zügigen Austausch der Module kümmern wird.

Bedenk bitte, dass bei dem Austausch deines Moduls alle im TPM generierten und natürlich auch die gespeicherten Keys verloren gehen. Treffe bitte entsprechende Maßnahmen entschlüssele zB deine Backups ^__^.

Bis bald!
Paul
Categories: TPM

Howto Enable TPM Support on a Raspberry PI (0, 0W, 1, 2, 3, 3b+) and make it work with the LetsTrust TPM

UPDATE: Works for Pi 3b+, too!

Due to the recent inclusion of the TPM_TIS_SPI patches to the mainline kernel
and the consequent backports to v4.9.x and 4.11.x it's now much easier to get
the support for the LetsTrust TPM up and running.
No more patching necessary!

tldr: Enable CONFIG_TCG_TIS_SPI in your Kernel Config, and modify your
device tree accordingly.

This tutorial will show you how to perform these steps for your Raspberry PI
(0, 0W, 1, 2, 3).

It is assumed that you are cross-compiling from your desktop PC (i.e. not
building the kernel on the raspberry itself) and create everything in your home directory (~).

For more details please also read the excellent guide from the Raspberry Pi
Foundation on howto compile your kernel.
https://www.raspberrypi.org/documentation/linux/kernel/building.md
https://www.raspberrypi.org/documentation/linux/kernel/configuring.md

On a Ubuntu system you should install the following packages
gcc-arm-linux-gnueabihf
gddrescue
git
libncurses5-dev
bc


First download the toolchain you need for cross compilation
$ git clone https://github.com/raspberrypi/tools
and add the tools to your executable search path
$ export PATH=$PATH:~/tools

Then grab the kernel sources
$ git clone --depth=1 https://github.com/raspberrypi/linux
and enter the directory
$ cd linux

Next step is to get the default kernel configuration:

For Pi 1, Pi 0, Pi 0 W, or Compute Module:
$ KERNEL=kernel
$ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- bcmrpi_defconfig


For Pi 2, Pi 3, or Compute Module 3:
$ KERNEL=kernel7
$ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- bcm2709_defconfig


Then we have to enable the TPM Support in the Kernel via make menuconfig
$ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- menuconfig
In this gui navigate to
Device Drivers
---> Character devices
---> TPM Hardware Support

and press M (for Module) or Y (for build-in support)
Then press enter to get into the subdirectory and select
---> TPM Interface Specification 1.3 Interface / TPM 2.0 FIFO Interface - (SPI)
also again either via M or Y

If you want to use the TPM's HardwareNumberGenerator feature, please select
---> Hardware Random Number Generator Core support
---> TPM HW Random Number Generator support

Save and exit the menuconfig.

If this is too much hassle for you, you can also edit your .config file and
add these 5 lines to it.
CONFIG_HW_RANDOM_TPM=m
CONFIG_TCG_TPM=m
CONFIG_TCG_TIS_CORE=m
CONFIG_TCG_TIS_SPI=m
CONFIG_SECURITYFS=y


Next step is to add our DeviceTree Overlay to our kernel sources.
Simply download letstrust-tpm-overlay.dts and copy it to arch/arm/boot/dts/overlays/letstrust-tpm-overlay.dts
$ wget http://letstrust.de/uploads/letstrust-tpm-overlay.dts -O arch/arm/boot/dts/overlays/letstrust-tpm-overlay.dts

Now build your kernel and device tree blob
$ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- zImage modules dtbs overlays/letstrust-tpm.dtbo -j8
please note the additional overlays/letstrust-tpm.dtbo

Now deploy your kernel and modules (standard rpi way, see howto above)
$ mkdir mnt/fat32
$ mkdir mnt/ext4
$ sudo mount /dev/sdb1 mnt/fat32
$ sudo mount /dev/sdb2 mnt/ext4
$ sudo make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=mnt/ext4 modules_install
$ sudo cp mnt/fat32/$KERNEL.img mnt/fat32/$KERNEL-backup.img
$ sudo cp arch/arm/boot/zImage mnt/fat32/$KERNEL.img
$ sudo cp arch/arm/boot/dts/*.dtb mnt/fat32/
$ sudo cp arch/arm/boot/dts/overlays/*.dtb* mnt/fat32/overlays/
$ sudo cp arch/arm/boot/dts/overlays/README mnt/fat32/overlays/


Before you unmount your RPI SD Card, open mnt/fat32/config.txt
and ensure the line dtparam=spi=on isn't commented out (so no # at the beginning of the line)
and add
dtoverlay=letstrust-tpm
just beneath it.

More Details:
https://www.raspberrypi.org/documentation/configuration/device-tree.md
https://www.raspberrypi.org/documentation/hardware/raspberrypi/spi/README.md
Of course we uploaded a reference config.txt for you

Unmount your SD card,
$ sudo umount mnt/fat32
$ sudo umount mnt/ext4

Put it into your PI and boot your raspberry pi.

After booting, on a shell do
sudo modprobe tpm_tis_spi and /dev/tpm0 should be visible.
(We are looking into it why it does not autoload)

You can tryout the functionality of your TPM with
https://github.com/Infineon/eltt2


Happy Hacking



p.s.: If you just want to try it out without compiling:
Download boot-v4.9.33.tpm.tar.bz2 (kernel, dtb, overlays) + modules-v4.9.33.tpm.tar.bz2

Extract the boot-v4.9.33.tpm.tar.bz2 into the boot partition of your rpi (e.g. sdb1) and the modules-v4.9.33.tpm.tar.bz2 into the second partition.(e.g. sdb2)

$ wget http://www.letstrust.de/uploads/boot-v4.9.33.tpm.tar.bz2 -O /tmp/boot-v4.9.33.tpm.tar.bz2
$ wget http://www.letstrust.de/uploads/modules-v4.9.33.tpm.tar.bz2 -O /tmp/modules-v4.9.33.tpm.tar.bz2
$ sudo mount /dev/sdb1 mnt/fat32
$ sudo mount /dev/sdb2 mnt/ext4
$ cd mnt/fat32
$ sudo tar -xvf /tmp/boot-v4.9.33.tpm.tar.bz2
$ cd ../ext4
$ sudo tar -xvf /tmp/modules-v4.9.33.tpm.tar.bz2
$ cd ..
$ sudo umount /dev/sdb1
$ sudo umount /dev/sdb2


Categories: TPM