TPM hardware components
Article purpose
TPM (Trusted Platform Module) is an international standard for a secure cryptoprocessor[1] designed to secure hardware through integrated cryptographic keys.
A TPM offers a high security level and a security certification that is graded with the evaluation assurance level (EAL)[1].
The purpose of this article is to:
- give an example of a TPM hardware component that might be connected to the different boards
- link these components to the corresponding software framework(s)
- point to the component datasheets
- explain, when necessary, how to configure these components.
Software frameworks
Domain | Peripheral | Software frameworks | | | Comment
---|---|---|---|---|---
 | | Cortex-A7 secure (OP-TEE) | Cortex-A7 non-secure (Linux) | Cortex-M4 (STM32Cube) |
Security | TPM | | TPM Software Stack[2] | |
STPM4RasPI
Description
The STPM4RasPI[3] is an extension board on which one of the ST33TPM12 devices is soldered (see the list of possible devices below in this chapter). It can be connected directly to an STM32MP157C-DK2 board.
The ST33TPM12 is based on a 32-bit ARM® reduced instruction set computing (RISC) processor that provides high cryptographic and general performance. A NESCRYPT crypto-processor is also provided to efficiently support all public key cryptographic algorithms.
With the ST33TPM12 devices, ST provides an EAL4+ certified solution embedding a secure cryptoprocessor with dedicated hardware accelerators that improve the overall platform security.
Multiple services are available from a TPM (mostly in PC and mobile devices):
- Cryptographic key generation, protection, management and use
- Cryptographic device identity
- Secure logging, log reporting and attestation
- Secure non-volatile storage
- Other functions including hashing, random number generation and a secure clock
Several use cases are available:
- Platform integrity: the boot process relies on TPM for software integrity and authentication during each boot stage
- Disk encryption: encrypt and decrypt a drive using the TPM crypto core
- Password protection, ...
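The platform integrity use case above works because each boot stage measures the next one into a PCR with TPM2_PCR_Extend, and a verifier later replays the recorded event log and compares the result with the PCR values the TPM reports. The following is an added example, not code from this article or from ST: it models the extend operation in software (new PCR = SHA-256(old PCR || digest)) and replays a constructed boot log, so it runs without a TPM. The boot stages, PCR assignments and measured strings are constructed for illustration.

```python
import hashlib

# Added example: replaying a measured-boot event log into PCR values, the
# check a verifier performs for the "platform integrity" use case.
# It models TPM2_PCR_Extend semantics in software; nothing here talks to
# a real TPM, and the boot stages below are constructed sample data.

DIGEST_SIZE = 32
PCR_RESET = bytes(DIGEST_SIZE)  # SHA-256 bank PCRs read as all zeros after reset


def measure(data: bytes) -> bytes:
    """Digest of the object being measured (image, command line, ...)."""
    return hashlib.sha256(data).digest()


def pcr_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """Apply TPM2_PCR_Extend: the PCR becomes H(old_value || digest).

    Extending is one-way and order-dependent: a PCR can only be driven to a
    given value by the same sequence of measurements, which is what lets a
    log be verified but not rewritten."""
    if len(pcr_value) != DIGEST_SIZE or len(digest) != DIGEST_SIZE:
        raise ValueError("SHA-256 bank expects a 32-byte PCR and digest")
    return hashlib.sha256(pcr_value + digest).digest()


def replay_event_log(events):
    """Recompute PCR values from an ordered list of (pcr_index, measured_data)."""
    pcrs = {}
    for pcr_index, data in events:
        pcrs[pcr_index] = pcr_extend(pcrs.get(pcr_index, PCR_RESET), measure(data))
    return pcrs


def verify_boot(events, reference_pcrs):
    """True only if replaying the log reproduces every reference PCR value."""
    replayed = replay_event_log(events)
    return all(replayed.get(i) == v for i, v in reference_pcrs.items())


# Constructed boot log: each stage measures the next into a PCR
# (PCR 0 for the firmware stages, PCR 1 for the kernel and its command line).
GOLDEN_EVENTS = [
    (0, b"stage1: ROM code measures FSBL image"),
    (0, b"stage2: FSBL measures U-Boot image"),
    (1, b"stage3: U-Boot measures Linux kernel image"),
    (1, b"stage3: U-Boot measures kernel command line"),
]
# Reference values a verifier would have recorded for a known-good boot.
GOLDEN_PCRS = replay_event_log(GOLDEN_EVENTS)

# Constructed tampered log: same firmware stages, modified kernel command line.
TAMPERED_EVENTS = GOLDEN_EVENTS[:3] + [
    (1, b"stage3: U-Boot measures kernel command line (modified)"),
]


if __name__ == "__main__":
    for idx, val in sorted(GOLDEN_PCRS.items()):
        print(f"PCR{idx}: {val.hex()}")
    print("golden log verifies:  ", verify_boot(GOLDEN_EVENTS, GOLDEN_PCRS))
    print("tampered log verifies:", verify_boot(TAMPERED_EVENTS, GOLDEN_PCRS))
```

On a real platform the reference values come from a TPM2_Quote signed by an attestation key inside the TPM, so the verifier trusts the PCR values rather than the log; the log only explains how those values were reached. Because the extend chain is order-dependent, swapping two measurements in the same PCR yields a different value even though the same objects were measured.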
The ST33TPM12 is available with different hardware interfaces:
- I2C: ST33TPM12I2C[4]
- SPI: ST33TPM12SPI[5]
- LPC: ST33TPM12LPC[6]
Support in Linux Kernel
TPM is ready to be used with OpenSTLinux distribution.
The TPM drivers (I2C and SPI) are described by the following kernel device tree bindings:
- Documentation/devicetree/bindings/security/tpm/st33zp24-i2c.txt
- Documentation/devicetree/bindings/security/tpm/st33zp24-spi.txt
Source code:
- drivers/char/tpm/st33zp24/i2c.c
- drivers/char/tpm/st33zp24/spi.c
TPM support relies on a TCG[1] open source TPM2 Software Stack (TSS)[2].
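To bind one of these drivers, the board device tree needs a child node on the I2C or SPI bus the extension board is wired to. The fragment below is an added example, not taken from this article or from an ST board device tree: it follows the st33zp24-i2c and st33zp24-spi bindings listed above (compatible strings "st,st33zp24-i2c" and "st,st33zp24-spi", the lpcpd-gpios property for the LPCPD pin). The bus labels (i2c2, spi4), the I2C address 0x13, the GPIO controller/pin and the clock frequencies are assumed values; take the real ones from the board schematic and the STPM4RasPI datasheet[3].

```dts
/* Added example, not from the ST wiki or kernel tree: wiring an ST33TPM12
 * on a bus node. Labels, address and GPIO pin are assumed placeholder values. */

/* I2C variant (ST33TPM12I2C): matches drivers/char/tpm/st33zp24/i2c.c */
&i2c2 {
	status = "okay";

	st33zp24: tpm@13 {
		compatible = "st,st33zp24-i2c";
		reg = <0x13>;               /* assumed 7-bit I2C address */
		clock-frequency = <400000>; /* assumed bus speed (Fast-mode) */
		/* Optional: LPCPD (power-down) line, if routed to a GPIO on the board. */
		lpcpd-gpios = <&gpioa 15 GPIO_ACTIVE_HIGH>; /* assumed pin */
	};
};

/* SPI variant (ST33TPM12SPI): matches drivers/char/tpm/st33zp24/spi.c.
 * Use one of the two nodes, not both, on a given board. */
&spi4 {
	status = "okay";

	tpm@0 {
		compatible = "st,st33zp24-spi";
		reg = <0>;                       /* chip select 0, assumed */
		spi-max-frequency = <10000000>;  /* assumed, check the datasheet */
		lpcpd-gpios = <&gpioa 15 GPIO_ACTIVE_HIGH>; /* assumed pin */
	};
};
```

Once the driver probes, the kernel exposes the device as /dev/tpm0 and, through the in-kernel resource manager, /dev/tpmrm0; the TPM2 Software Stack[2] is normally pointed at /dev/tpmrm0 so that several user-space clients can share the device without exhausting its object slots. If neither node appears in the device tree, the TSS has nothing to talk to, so a missing /dev/tpm0 after boot is the first thing to check.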
Support in U-BOOT
TPM is supported through the existing TPM uclass of the U-Boot driver model.
References
- [1] Trusted Computing Group
- [2] https://github.com/tpm2-software/tpm2-tss
- [3] https://www.st.com/en/evaluation-tools/stpm4raspi.html#overview
- [4] https://www.st.com/content/st_com/en/products/secure-mcus/authentication-secure-iot/trusted-computing-solutions/st33tpm12i2c.html
- [5] https://www.st.com/content/st_com/en/products/secure-mcus/authentication-secure-iot/trusted-computing-solutions/st33tpm12spi.html
- [6] https://www.st.com/content/st_com/en/products/secure-mcus/authentication-secure-iot/trusted-computing-solutions/st33tpm12lpc.html
<securetransclude src="ProtectedTemplate:PublicationRequestId" params="10092 | 2018-12-18 | BrunoB"></securetransclude>