Balena Fin + Optiga TPM

Hello!

We bought the Optiga TPM but the SLM variant instead… https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/slm-9670/

It seems like there is a device overlay available for the SLB variant --> https://github.com/balena-os/balena-raspberrypi/blob/master/layers/meta-balena-raspberrypi/conf/layer.conf#L123

From a hardware perspective, SLB and SLM are purely variants and functionality are the same (correct me if i am wrong)

How can we go about enabling the TPM for our use?

Hello @kennethlimcp, welcome to the balena forum : )

To test that your .dbto file works fine, once you boot your board, you could copy that file into /mnt/boot/overlays. Once you verify that it works fine, we appreciate if you could commit this new overlay into that repo you linked : )

Let us know how it goes.

Hmm.

  1. I copied tpm-slb9670.dtbo from the rapsberry pi repo to /mnt/boot/overlays
  2. Set the dtsoverlay variable in Dashboard
  3. Check whether /dev/tpm* exist but nothing

Seems like it’s not working… Maybe some rebuilding of OS is required?

Hi @kennethlimcp

  1. Good!
  2. The appropriate variable to set in the dashboard is RESIN_HOST_CONFIG_dtoverlay="tpm-slb9670" , as explained here. Is this what you did?

Then, reboot the device, and check in /mnt/boot/config.txt whether there is an entry dtoverlay=tpm-slb9670?

  1. At this point, /dev/tpm* should exist?

Please let us know if it works!

Kind regards
Alida

This was done and device rebooted with dtoverlay=tpm-slb9670 in /mnt/boot/config.txt but /dev/tpm* is still not available.

Any idea why the tpm-slb9670.dtbo file is not included by default though it’s defined here: https://github.com/balena-os/balena-raspberrypi/blob/master/layers/meta-balena-raspberrypi/conf/layer.conf#L123

Is it due to missing CONFIGS like https://github.com/balena-os/balena-intel/pull/221/files

Hi again @kennethlimcp

Thanks for your reply, we’ll get back to you with feedback as soon as we can.

Kind regards
Alida

Hi,

Having CONFIG_TCG_TIS activated in kernel is probably necessary for your TPM device to work.

You can do a build with this option activated and test if it works.

Got this error which building a custom OS:

ERROR: sd8887-mrvl-1.0-r0 do_fetch: Fetcher failure: Fetch command export PSEUDO_DISABLED=1; unset _PYTHON_SYSCONFIGDATA_NAME; export PATH="/home/build/shared/balena-raspberrypi/build/tmp/sysroots-uninative/x86_64-linux/usr/bin:/home/build/shared/balena-raspberrypi/layers/poky/scripts:/home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/sd8887-mrvl/1.0-r0/recipe-sysroot-native/usr/bin/arm-poky-linux-gnueabi:/home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/sd8887-mrvl/1.0-r0/recipe-sysroot/usr/bin/crossscripts:/home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/sd8887-mrvl/1.0-r0/recipe-sysroot-native/usr/sbin:/home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/sd8887-mrvl/1.0-r0/recipe-sysroot-native/usr/bin:/home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/sd8887-mrvl/1.0-r0/recipe-sysroot-native/sbin:/home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/sd8887-mrvl/1.0-r0/recipe-sysroot-native/bin:/home/build/shared/balena-raspberrypi/layers/poky/bitbake/bin:/home/build/shared/balena-raspberrypi/build/tmp/hosttools"; export HOME="/home/build"; git -c core.fsyncobjectfiles=0 ls-remote ssh://git@github.com/balena-io/sd8887-mrvl.git  failed with exit code 128, output:
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

ERROR: sd8887-mrvl-1.0-r0 do_fetch: 
ERROR: sd8887-mrvl-1.0-r0 do_fetch: Function failed: base_do_fetch
ERROR: Logfile of failure stored in: /home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/sd8887-mrvl/1.0-r0/temp/log.do_fetch.73856
ERROR: Task (/home/build/shared/balena-raspberrypi/build/../layers/meta-balena-raspberrypi/recipes-kernel/sd8887-mrvl/sd8887-mrvl.bb:do_fetch) failed with exit code '1'

Seems to be related to: https://github.com/balena-os/balena-raspberrypi/issues/265#issuecomment-557100743

What’s the fix?

Hey @kennethlimcp,

We will provide to you a build with those kernel configs activated.

Also we are working on fixing the access rights of pulling the WiFi firmware for the regular user.

@spanceac, do you mean the full image that can be burned into the FIN?

I am still working through other issues with the build process.

$ cat /home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/resin-image-initramfs/1.0-r0/temp/log.do_rootfs.548

NOTE: > Executing update_icon_cache intercept ...
NOTE: Exit code 127. Output:
/home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/resin-image-initramfs/1.0-r0/intercept_scripts-d041fde2ab5716c55c746504c951bccf68ee94ad7475645a5b4b3b21a3efe714/update_icon_cache: 9: /home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/resin-image-initramfs/1.0-r0/intercept_scripts-d041fde2ab5716c55c746504c951bccf68ee94ad7475645a5b4b3b21a3efe714/update_icon_cache: /home/build/shared/balena-raspberrypi/build/tmp/work/fincm3-poky-linux-gnueabi/resin-image-initramfs/1.0-r0/recipe-sysroot-native//gdk-pixbuf-2.0/gdk-pixbuf-query-loaders: not found

@kennethlimcp, yes, the full image

1 Like

Thanks! Hope it works…

Hey @kennethlimcp,

Can you try this image and see if it works? https://misc1.dev.balena.io/~spanceac/fin-tpm-dev.img

hmm…

  1. dont see anything for ls /dev/tpm*
  2. Not sure if i am verifying the compile flags correctly…
root@balena:~# cat /proc/config.gz | grep CONFIG_TIS   

empty

@kennethlimcp, you should check the /proc/config.gz with zcat instead of cat.

Also, it seems that the module that is loaded for slb9670 is named tpm_tis_spi.

Can you check with lsmod if that module loads?

root@balena:~# lsmod | grep tpm
tpm_tis_spi            16384  0
tpm_tis                16384  0
tpm_tis_core           20480  2 tpm_tis,tpm_tis_spi
tpm                    57344  3 tpm_tis,tpm_tis_spi,tpm_tis_core

Looks ok… However the userspace tool like tpm2 is not available so i cannot verify if the FIN can communicate with TPM with the base OS

Also, since /dev/tpm* is not available… i cannot deploy an app to verify the TPM as well.

@spanceac any idea what flags were set during build?

This is what i tried:

Hi @kennethlimcp,

These are the activated configs:

CONFIG_TCG_TPM=m
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TPM=m
CONFIG_TCG_TIS_CORE=m
CONFIG_TCG_TIS=m
CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
# CONFIG_TCG_ATMEL is not set
# CONFIG_TCG_VTPM_PROXY is not set
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set

You can also check on your board with zcat /proc/config.gz.

I found a document on interfacing RPi3 with your TPM module:

From the document, I understand that the necessary kernel config option CONFIG_TCG_TIS_SPI=m is activated.

Another thing to check in your config.txt is the presence of the field dtparam=spi=on.

Hmm… wondering what’s missing…

root@balena:~# cat /mnt/boot/config.txt 
disable_splash=1
dtoverlay=balena-fin,tpm-slb9670
dtoverlay=balena-fin
dtparam=i2c_arm=on
dtparam=spi=on
dtparam=audio=on
enable_uart=1
gpu_mem=16

root@balena:~# zcat /proc/config.gz | grep CONFIG_TCG_
CONFIG_TCG_TPM=m
CONFIG_TCG_TIS_CORE=m
CONFIG_TCG_TIS=m
CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
# CONFIG_TCG_ATMEL is not set
# CONFIG_TCG_VTPM_PROXY is not set
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set

Do we need the other flags too?

As well as: https://git.yoctoproject.org/cgit/cgit.cgi/meta-security

Hi,
Above in the thread you state that you can see the modules loaded:

root@balena:~# lsmod | grep tpm
tpm_tis_spi            16384  0
tpm_tis                16384  0
tpm_tis_core           20480  2 tpm_tis,tpm_tis_spi
tpm                    57344  3 tpm_tis,tpm_tis_spi,tpm_tis_core

Do you also see TPM related messages in dmesg?

dmesg | grep -i TPM

Thanks,

dmesg | grep -i TPM

had no output