TPM Software on a Raspberry Pi 3 Model B+ with Infineon Optiga™ SLB 9670 TPM 2.0

Some quick notes on how I installed Optiga™ SLB 9670 TPM 2.0 chip and compiled the TPM 2.0 software suite to allow communication via the tss stack and resource manager / tools.

I first purchased the Infineon Optiga™ SLB 9670 TPM 2.0 from letstrust.de. Its a standard module that fits onto the GPIO (general-purpose input/output) pins along the top edge of the board.

letstrust.de Infineon Optiga™ SLB 9670 installed on GPIO

Once the board is in situ, its time to enable it within the Kernel

I used Raspbian Buster as the OS (work is underway to support Fedora IoT).

Open your /boot/config.txt and add / uncomment following overlays

dtparam=spi=on
dtoverlay=tpm-slb9670

Reboot and you should now see the TPM

root@raspberrypi:~# dmesg | grep -i tpm
[6.677452] tpm_tis_spi spi0.1: 2.0 TPM (device-id 0x1B, rev-id 22)

root@raspberrypi:~# ls /dev/tpm0 
/dev/tpm0

Install TPM2-software

First off, install build dependencies

apt-get install build-essential \
		autoconf \
		autoconf-archive \
		automake \
		libcmocka0 \
		libcmocka-dev \
		libcurl4-gnutls-dev \
		libgcrypt20-dev \
		procps python-yaml \
		iproute2 \
		git \
		pkg-config \
		gcc \
		libtool \
		automake \
		libssl-dev \
		uthash-dev \
		doxygen \
		libglib2.0-dev \
		libltdl-dev \
		libdbus-glib-1-dev \
		libgirepository1.0-dev \
                libglib2.0-dev

Compile required projects

Note 1: I install specific branches here, as the purpose for me using the stack was to work on porting Keylime to ARM

Note 2: I performed all this as root, as its for a development project.

You might possibly be able to work with a later release or even master.

A lot of the following I snagged from Peter Huewe

tpm2-tss

git clone https://github.com/tpm2-software/tpm2-tss
cd tpm2-tss
git checkout 2.0.x
./bootstrap
./configure --with-udevrulesdir=/etc/udev/rules.d --with-udevrulesprefix=70-
make -j4
make install
useradd --system --user-group tss
udevadm control --reload-rules && sudo udevadm trigger
ldconfig

tpm2-tools

git clone https://github.com/tpm2-software/tpm2-tools
cd tpm2-tools
git checkout 3.X
./bootstrap
./configure
make -j4
make install

tpm2-abrmd

useradd --system --user-group tss
git clone https://github.com/tpm2-software/tpm2-abrmd.git tpm2-abrmd
cd tpm2-abrmd
git checkout 2.0.3
./bootstrap
./configure --with-dbuspolicydir=/etc/dbus-1/system.d \
            --with-systemdsystemunitdir=/lib/systemd/system \
            --with-systemdpresetdir=/lib/systemd/system-preset \
            --datarootdir=/usr/share
make -j4
make install
ldconfig
pkill -HUP dbus-daemon
systemctl daemon-reload
systemctl enable tpm2-abrmd.service
systemctl start tpm2-abrmd.service
export TPM2TOOLS_TCTI="tabrmd:bus_name=com.intel.tss2.Tabrmd"

Lets try that out..

As long as your resource manager is running, you should now be able to talk to the TPM.

root@raspberrypi:~# tpm2_getrandom 8
0xE5 0xCD 0x97 0x20 0xD1 0x86 0x95 0x4A

root@raspberrypi:~# tpm2_pcrlist 
sha1 :
  0  : 0000000000000000000000000000000000000000
  1  : 0000000000000000000000000000000000000000
  2  : 0000000000000000000000000000000000000000
  3  : 0000000000000000000000000000000000000000
  4  : 0000000000000000000000000000000000000000
  5  : 0000000000000000000000000000000000000000
  6  : 0000000000000000000000000000000000000000
  7  : 0000000000000000000000000000000000000000
  8  : 0000000000000000000000000000000000000000
  9  : 0000000000000000000000000000000000000000
  10 : 0000000000000000000000000000000000000000
  11 : 0000000000000000000000000000000000000000
  12 : 0000000000000000000000000000000000000000
  13 : 0000000000000000000000000000000000000000
  14 : 0000000000000000000000000000000000000000
  15 : 0000000000000000000000000000000000000000
  16 : 0000000000000000000000000000000000000000
  17 : ffffffffffffffffffffffffffffffffffffffff
  18 : ffffffffffffffffffffffffffffffffffffffff
  19 : ffffffffffffffffffffffffffffffffffffffff
  20 : ffffffffffffffffffffffffffffffffffffffff
  21 : ffffffffffffffffffffffffffffffffffffffff
  22 : ffffffffffffffffffffffffffffffffffffffff
  23 : 0000000000000000000000000000000000000000
sha256 :
  0  : 0000000000000000000000000000000000000000000000000000000000000000
  1  : 0000000000000000000000000000000000000000000000000000000000000000
  2  : 0000000000000000000000000000000000000000000000000000000000000000
  3  : 0000000000000000000000000000000000000000000000000000000000000000
  4  : 0000000000000000000000000000000000000000000000000000000000000000
  5  : 0000000000000000000000000000000000000000000000000000000000000000
  6  : 0000000000000000000000000000000000000000000000000000000000000000
  7  : 0000000000000000000000000000000000000000000000000000000000000000
  8  : 0000000000000000000000000000000000000000000000000000000000000000
  9  : 0000000000000000000000000000000000000000000000000000000000000000
  10 : 0000000000000000000000000000000000000000000000000000000000000000
  11 : 0000000000000000000000000000000000000000000000000000000000000000
  12 : 0000000000000000000000000000000000000000000000000000000000000000
  13 : 0000000000000000000000000000000000000000000000000000000000000000
  14 : 0000000000000000000000000000000000000000000000000000000000000000
  15 : 0000000000000000000000000000000000000000000000000000000000000000
  16 : 5b98acb307b7e78e5d5791151c7d34a02fe9fd448a5ce43ee1b8bd8c886b01cf
  17 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
  18 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
  19 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
  20 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
  21 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
  22 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
  23 : 0000000000000000000000000000000000000000000000000000000000000000

6 thoughts on “TPM Software on a Raspberry Pi 3 Model B+ with Infineon Optiga™ SLB 9670 TPM 2.0

  1. Thanks for this post. Been trying myself for few days (using rpi 3, stretch), had a issue with TPM enabling after cross-compiling to run on Pi (resolved). Also have ongoing nigging issue of all integration tests failing for abrmd. Btw, Keyline seems interesting to try. Do you know similar open source to try binding, sealing, OTA updates ?

    Like

    1. Hi Sanat, There is a lack of open source projects harnessing a TPM, i think most implementations are proprietary. Not sure if this is what your looking for, but Keylime will deliver a secure payload. It will first measure whatever PCRs you set and will then do the same for IMA runtime (all using tpm2_quote) – if these pass, it will allow the node to unlock a payload. The payload could be some ssh keys, certs, configs containing secrets etc. I was about to post a video some guys did recently on this at a CentOS dojo, but will put it here as well. https://www.youtube.com/watch?v=2T2dq6EMJ5s

      Like

      1. Hi Luks, thanks for remarks. Sorry for delayed reply. We are trying to integrate TPM on EDGE devices like TPUs, accelerators/IOT devices so as to bring in TPM services; as in binding data/models to host platform, attestation, OTA updates, auditing etc. Some issues with TSS stack install with Mendel Linux etc, lead to experiment first with ‘stabler’ Raspi. Secure payload is definite, will try to use Keylime now.

        Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: