diff --git a/LICENSE b/LICENSE index a09c1598..d7289dd8 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ -The MIT License +MIT License -Copyright (c) 2018 Infineon Technologies AG +Copyright (c) 2018-2024 Infineon Technologies AG Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 9919911e..d7a100bb 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,14 @@ # Infineon OPTIGA™ Trust M +[View this ReadMe online](https://github.com/Infineon/optiga-trust-m/blob/develop/README.md) + ## Quick navigation 1. [Security Solution](#security-solution) * [Description](#description) * [Key Features and benefits](#key-features-and-benefits) * [Features table](#features-table) - * [Provisioning Options (V1, V3, Express)](#provisioning-options-v1-v3-express) + * [Provisioning Options (V1, V3, Express, MTR)](#provisioning-options-v1-v3-express-mtr) 2. [Get Started](#get-started) * [Boards](#boards) * [Examples](#examples) @@ -25,9 +27,12 @@ -This repository contains a target-agnostic Software Framework for the [OPTIGA™ Trust M](https://www.infineon.com/optiga-trust) security solution. It is a base for other application notes. **Be aware that this software comes without any security claims and shall be used for evaluation purpose.** +This repository contains a target-agnostic Software Framework for the [OPTIGA™ Trust M](https://www.infineon.com/optiga-trust) security solution. It is a base for other application notes. + +**Be aware that this software comes without any security claims and shall be used for evaluation purpose.** ### Key Features and Benefits + * High-end security controller * Common Criteria Certified EAL6+ (high) hardware * Turnkey solution @@ -35,7 +40,7 @@ This repository contains a target-agnostic Software Framework for the [OPTIGA™ * PG-USON-10 package (3 x 3 mm) * Temperature range (−40°C to +105°C) * I2C interface with Shielded Connection (encrypted communication) -* Cryptographic support: +* Cryptographic support: * ECC : NIST curves up to P-521, Brainpool r1 curve up to 512, * RSA® up to 2048 * AES key up to 256 , HMAC up to SHA512 @@ -131,20 +136,26 @@ This repository contains a target-agnostic Software Framework for the [OPTIGA™ -### Provisioning Options (V1, V3, Express) +### Provisioning Options (V1, V3, Express, MTR) -#### Confgiurations +#### Configurations There are three main provisioning options/confgiurations availble: **Note: All three configuration options have no effect on the corresponding features. For example, OPTIGA™ Trust M Express has the same features as OPTIGA™ Trust M V3, also the same API and hostcode can be used to work with all three solutions.** -1. **OPTIGA™ Trust M V1/V3** - a provisioning configuration which comes as a standard for all shipped devices. Unless mentioned differently all OPTIGA Trust M chips on the market have this configuration. +1. **OPTIGA™ Trust M V1/V3** - a provisioning configuration which comes as a standard for all shipped devices. Unless mentioned differently all OPTIGA™Trust M chips on the market have this configuration. * [Sample OPTIGA™ Trust M V1 Open Objects Dump](https://github.com/Infineon/optiga-trust-m/files/9281936/trust_m1_json.txt) * [Sample OPTIGA™ Trust M V3 Open Objects Dump](https://github.com/Infineon/optiga-trust-m/files/9281926/trust_m3_json.txt) -2. **OPTIGA™ Trust M Custom** - a custom provisioning option done on demand upon reaching a MoQ. Fully customisable solution including Security Monitor Configuration -3. **OPTIGA™ Trust M Express** - a provisioning configuration which can be ordered standalone. This variant comes with three certfiicates/private keys pre-provisioned by Infineon. Certificates and communication secrets data can be downloaded through the CIRRENT™ Cloud ID - * [Sample OPTIGA Trust M Express Open Objects Dump](https://github.com/Infineon/optiga-trust-m/files/9281778/trust_express_sample2_json.txt) + * [Product Webpage](https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-trust/optiga-trust-m-sls32aia/) +2. **OPTIGA™ Trust M Custom** - a custom provisioning option done on demand upon reaching a MoQ. Fully customisable solution including Security Monitor Configuration + * Please get in touch with your local Infineon Sales Representative to get more information +3. **OPTIGA™ Trust M Express** - a provisioning configuration which can be ordered standalone. This variant comes with three certificates/private keys pre-provisioned by Infineon. Certificates and communication secrets data can be downloaded through the CIRRENT™ Cloud ID + * [Sample OPTIGA™Trust M Express Open Objects Dump](https://github.com/Infineon/optiga-trust-m/files/9281778/trust_express_sample2_json.txt) + * [Product Webpage](https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-trust/optiga-trust-m-express/) +4. **OPTIGA™ Trust M MTR** - a provisioning configuration which can be ordered standalone. This variant comes with three certificates/private keys pre-provisioned by Infineon. The first certificate and key are meant to be used for Matter Device Attestation. Certificates and communication secrets data can be downloaded through Kudelski keySTREAM. + * [Sample OPTIGA™Trust M MTR Open Objects Dump](https://github.com/Infineon/optiga-trust-m/files/14259804/optiga_trust_m_mtr_object_dump.txt) + * [Product Webpage](https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-trust/optiga-trust-m-mtr) #### Comparison Table @@ -155,6 +166,7 @@ There are three main provisioning options/confgiurations availble: V1 V3 Express + MTR³ @@ -162,7 +174,8 @@ There are three main provisioning options/confgiurations availble: Certificate -
Private Key Certificate -
Private Key - Certificate* - Private Key + Certificate¹ - Private Key + Certificate¹ - Private Key Object IDs @@ -171,6 +184,9 @@ There are three main provisioning options/confgiurations availble: E0E0 - E0F0 E0E1 - E0F1 E0E2 - E0FC + E0E0 - E0F0 + E0E1 - E0F1 + E0E2 - E0FC PKI Top Level @@ -179,6 +195,9 @@ There are three main provisioning options/confgiurations availble: ECC Root CA2 ECC Root CA2 RSA Root CA2 + ECC Root CA2 + ECC Root CA2 + RSA Root CA2 PKI Intermediate Level @@ -187,6 +206,9 @@ There are three main provisioning options/confgiurations availble: Int. CA 306 Int. CA 306 Int. CA 309 + Int. CA 306 + Int. CA 306 + Int. CA 309 PKI Bottom Level: Key Algorithm @@ -195,22 +217,31 @@ There are three main provisioning options/confgiurations availble: NIST P-256 NIST P-256 RSA2048 + NIST P-256 + NIST P-256 + RSA2048 Possible to Readout Yes Yes Yes - With PBS* + With PBS¹ + Yes + Yes + Yes Yes Possible to Update Only Certificate Only Certificate - Only Certificate with PBS* and Auth.Ref.* - Only Certificate with PBS* and Auth.Ref.* - Only Certificate with PBS* and Auth.Ref.* + Only Certificate with PBS¹ and Auth.Ref.¹ + Only Certificate with PBS¹ and Auth.Ref.¹ + Only Certificate with PBS¹ and Auth.Ref.¹ + Only Certificate: Always, if LcsO < Op, else with PBS¹ and Auth.Ref.¹ + Only Certificate with PBS¹ and Auth.Ref.¹ + Only Certificate with PBS¹ and Auth.Ref.¹ Default Lifecycle State @@ -219,27 +250,44 @@ There are three main provisioning options/confgiurations availble: Operational Operational Operational + Initialization + Operational + Operational + + + Common Name² + Static + Static + Unique + Unique + Unique + Unique + Unique + Unique -\* Certificate, Platform Binding Secret (PBS) and the Authorization Reference (Auth.Ref.) can be downloaded from CIRRENT™ Cloud ID by claiming a Reel QR Code +¹ *Certificate, Platform Binding Secret (PBS) and the Authorization Reference (Auth.Ref.) can be downloaded from CIRRENT™ Cloud ID (Express) or Kudelski keySTREAM (MTR) by claiming a Reel QR- or Bar- Code* +² *End Device Certificate Common Name has either the same value across all devices (Static), or has a chip-unique value (Unique)* -In addition to the certificates and private keys each OPTIGA™ Trust M Express comes with a chip unique Platform Binding Secret* and an Authorization Reference*. The latter are two unique per chip 64 bytes long data objects which serve the following purposes: -- Platform Binding Secret (PBS) used to establish a Shielded Connection between a Host MCU and OPTIGA™ Trust M. Should be transfered from CIRRENT™ Cloud ID to the respective MCU to run a protected I2C connection; e.g. readout a protected Certificate located in the 0xE0E1 Object ID (see table above). For more details about Shielded Connection read [here](https://github.com/Infineon/optiga-trust-m/wiki/Shielded-Connection-101). -- Authorization Reference (Auth. Ref.). Used to update/change Certificate, PBS and the Authorization Reference itself. Similar to the PBS shall be tranfered to the Host MCU to be used. Find more details in the [Solution Reference Manual](documents/OPTIGA™%20Trust%20M%20Solution%20Reference%20Manual.md) +³ *It is expected from the Customer to perform "late-stage provisioning" on the OPTIGA™ Trust M MTR chips, i.e. to download the Matter Certificates (DAC/PAI) from Kudelski keySTREAM and inject into dedicated slots on the OPTIGA™ Trust M* +In addition to the certificates and private keys each OPTIGA™ Trust M Express and OPTIGA™ Trust M MTR comes with a chip unique Platform Binding Secret¹ and an Authorization Reference¹. The latter are two unique per chip 64 bytes long data objects which serve the following purposes: + +- Platform Binding Secret (PBS) used to establish a Shielded Connection between a Host MCU and OPTIGA™ Trust M. Should be transfered from the Cloud Service to the respective MCU to run a protected I2C connection; e.g. readout a protected Certificate located in the 0xE0E1 Object ID (see table above). For more details about Shielded Connection read [here](https://github.com/Infineon/optiga-trust-m/wiki/Shielded-Connection-101). +- Authorization Reference (Auth. Ref.). Used to update/change Certificate, PBS and the Authorization Reference itself. Similar to the PBS shall be tranfered to the Host MCU to be used. Find more details in the [Solution Reference Manual](documents/OPTIGA™%20Trust%20M%20Solution%20Reference%20Manual.md) ## Get Started ### Boards -| [OPTIGA™ Trust M Evaluation Kit](https://github.com/Infineon/getstarted-optiga-trust-m/tree/main/xmc4800_evaluation_kit) | [OPTIGA™ Trust IoT Security Development Kit](https://github.com/Infineon/getstarted-optiga-trust-m/tree/main/psoc62_secure_development_kit) | -| :---: | :---: | -| | | +| [OPTIGA™ Trust M Evaluation Kit](https://github.com/Infineon/getstarted-optiga-trust-m/tree/main/xmc4800_evaluation_kit) | [OPTIGA™ Trust IoT Security Development Kit](https://github.com/Infineon/getstarted-optiga-trust-m/tree/main/psoc62_secure_development_kit) | [OPTIGA™ Trust M Shields in Combination with PSoC™ 62S2 Wi-Fi BT Pioneer Kit](https://github.com/Infineon/getstarted-optiga-trust-m/tree/main/psoc62_cy8ckit_mikrobus) +| :---: | :---: | :---: | +| | | | -Get started with the [OPTIGA™ Trust M evaluation kit](https://www.infineon.com/cms/en/product/evaluation-boards/optiga-trust-m-eval-kit/) or with the [OPTIGA™ Trust IoT Security Development kit](https://www.infineon.com/cms/en/product/evaluation-boards/optiga-trust-m-iot-kit/) using [this](https://github.com/Infineon/getstarted-optiga-trust-m) Application Note +Get started with the [OPTIGA™ Trust M evaluation kit](https://www.infineon.com/cms/en/product/evaluation-boards/optiga-trust-m-eval-kit/), with the [OPTIGA™ Trust IoT Security Development kit](https://www.infineon.com/cms/en/product/evaluation-boards/optiga-trust-m-iot-kit/) or with any one of the available OPTIGA™ Trust M Shields ([Shield2Go](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-security-optiga-m/), [Express Shield](https://www.infineon.com/optiga-trust-m-express-shield), [MTR Shield](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/)) in combination with the [PSoC™ 62S2 Wi-Fi BT Pioneer Kit](https://www.infineon.com/cms/en/product/evaluation-boards/cy8ckit-062s2-43012/) using [this](https://github.com/Infineon/getstarted-optiga-trust-m) Application Note. ### Examples @@ -262,10 +310,10 @@ Get started with the [OPTIGA™ Trust M evaluation kit](https://www.infineon.com ### Software Framework overview -![](https://github.com/Infineon/Assets/raw/master/Pictures/optiga_trust_m_system_block_diagram_v3.png) +![](https://github.com/Infineon/Assets/raw/master/Pictures/optiga_trust_m_system_block_diagram_v4.png) 1. See [Trust M Crypt API](https://github.com/Infineon/optiga-trust-m/wiki/Trust-M-Crypt-API) and [Trust M Util API](https://github.com/Infineon/optiga-trust-m/wiki/Trust-M-Util-API) to know more about CRYPT and UTIL modules -2. Information about the OPTIGA™ Trust M Command Library (CMD) can be found in the [Solution Reference Manual](documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.50.pdf) +2. Information about the OPTIGA™ Trust M Command Library (CMD) can be found in the [Solution Reference Manual](documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.60.pdf) In the same document you can find explanation of all Object IDs (OIDs) available for users as well as detailed technical explanation for all features and envisioned use cases. 3. Infineon I2C Protocol implementation details can be found [here](documents/Infineon_I2C_Protocol_v2.03.pdf) 4. Platform Abstraction Layer (PAL) overview and Porting Guide are presented in the [Wiki](https://github.com/Infineon/optiga-trust-m/wiki/Porting-Guide) @@ -275,51 +323,73 @@ For more information please refer to the [Wiki page](https://github.com/Infineon ### Evaluation and developement kits External links, open in the same tab. + * [OPTIGA™ Trust M evaluation kit](https://www.infineon.com/cms/en/product/evaluation-boards/optiga-trust-m-eval-kit/) * [OPTIGA™ Trust M Shield2Go](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-security-optiga-m/) - Notes to the S2Go Security OPTIGA M: - * Supply voltage VCC is max. 5.5 V, please refer to the OPTIGA™ Trust M datasheet for more details about maximum ratings - * Ensure that no voltage applied to any of the pins exceeds the absolute maximum rating of VCC + 0.3 V - * Pin out on top (head) is directly connected to the pins of the OPTIGA™ Trust M - * If head is broken off, only one capacitor is connected to the OPTIGA™ Trust M + +#### Notes to the S2Go Security OPTIGA™Trust M + +* Supply voltage VCC is max. 5.5 V, please refer to the OPTIGA™ Trust M datasheet for more details about maximum ratings +* Ensure that no voltage applied to any of the pins exceeds the absolute maximum rating of VCC + 0.3 V +* Pin out on top (head) is directly connected to the pins of the OPTIGA™ Trust M +* If head is broken off, only one capacitor is connected to the OPTIGA™ Trust M
- S2Go Security OPTIGA M Pinout + S2Go Security OPTIGA™ M Pinout drawing
- S2Go Security OPTIGA M Schematic + S2Go Security OPTIGA™ M Schematic drawing
+#### Notes to the OPTIGA™Trust M [Variant] Shields + +* The product variant can be identified through the configuration LED. +* The design of the Shield is for 3V3 VCC +* Absolute max. rating of VCC is 5.5 V, please refer to the OPTIGA™ Trust M datasheet for more details about maximum ratings +* Ensure that no voltage applied to any of the pins exceeds the absolute maximum rating of VCC + 0.3 V +* Pin out of the shield is directly connected to the pins of the OPTIGA™ Trust M + +
+ OPTIGA™ Trust M [Variant] Shield Pinout + drawing +
+ +
+ OPTIGA™ Trust M [Variant] Shield Schematic + drawing +
+ ## Documentation ### Usefull articles - * [Initialisation hints (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Initialisation-hints) - * [Porting guide (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Porting-Guide) - * [Crypto performance (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Crypto-Performance) - * [In which form does OPTIGA return keys and signatures? (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Data-format-examples) - * [Code Footprint (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Code-Footprint) - * [Device Error Codes (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Device-Error-Codes) - * [Protected Update for Data Objects](https://github.com/Infineon/optiga-trust-m/wiki/Protected-Update-for-Data-Objects) - * [Shielded Connection (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Shielded-Connection-101) - * **User API** - * [Crypt API (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Trust-M-Crypt-API) - * [Util API (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Trust-M-Util-API) - - * [Hardware-Security: "Einfach (und) Sicher" (external link, opens in the same tab)](https://vimeo.com/279839814) in German, [Slides](https://github.com/Infineon/Assets/blob/master/PDFs/2018-06-04_Building-IoT_HW-Sec_Lesjak_vFinal.pdf) in English +* [Initialisation hints (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Initialisation-hints) +* [Porting guide (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Porting-Guide) +* [Crypto performance (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Crypto-Performance) +* [In which form does OPTIGA™return keys and signatures? (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Data-format-examples) +* [Code Footprint (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Code-Footprint) +* [Device Error Codes (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Device-Error-Codes) +* [Protected Update for Data Objects](https://github.com/Infineon/optiga-trust-m/wiki/Protected-Update-for-Data-Objects) +* [Shielded Connection (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Shielded-Connection-101) +* **User API** + * [Crypt API (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Trust-M-Crypt-API) + * [Util API (Wiki)](https://github.com/Infineon/optiga-trust-m/wiki/Trust-M-Util-API) +* [Hardware-Security: "Einfach (und) Sicher" (external link, opens in the same tab)](https://vimeo.com/279839814) in German, [Slides](https://github.com/Infineon/Assets/blob/master/PDFs/2018-06-04_Building-IoT_HW-Sec_Lesjak_vFinal.pdf) in English ### Datasheet and Co. For high level description and some important excerpts from the documentation please refer to [Wiki page](https://github.com/Infineon/optiga-trust-m/wiki) Other downloadable PDF documents can be found below: -1. [OPTIGA™ Trust M Datasheet v3.40](documents/OPTIGA_Trust_M_Datasheet_v3.40.pdf) (PDF) -2. [OPTIGA™ Trust M Solution Reference Manual v3.50](documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.50.pdf) (PDF) + +1. [OPTIGA™ Trust M Datasheet v3.61](documents/OPTIGA_Trust_M_Datasheet_v3.61.pdf) (PDF) +2. [OPTIGA™ Trust M Solution Reference Manual v3.60](documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.60.pdf) (PDF) 3. [OPTIGA™ Trust M Keys and Certificates v3.10](documents/OPTIGA_Trust_M_Keys_And_Certificates_v3.10.pdf) (PDF) -4. [Infineon I2C protocol specification v2.03](documents/Infineon_I2C_Protocol_v2.03.pdf) (PDF) +4. [OPTIGA™ Trust Config Guide v2.20](documents/OPTIGA_Trust_M_ConfigGuide_v2.2.pdf) (PDF) +5. [Infineon I2C protocol specification v2.03](documents/Infineon_I2C_Protocol_v2.03.pdf) (PDF) ### Board assembly recommendations diff --git a/documents/OPTIGA_Trust_M_ConfigGuide_2022-11-09-Rev1-2.pdf b/documents/OPTIGA_Trust_M_ConfigGuide_2022-11-09-Rev1-2.pdf deleted file mode 100644 index fa80d8c9..00000000 Binary files a/documents/OPTIGA_Trust_M_ConfigGuide_2022-11-09-Rev1-2.pdf and /dev/null differ diff --git a/documents/OPTIGA_Trust_M_ConfigGuide_v2.2.pdf b/documents/OPTIGA_Trust_M_ConfigGuide_v2.2.pdf new file mode 100644 index 00000000..941334ac Binary files /dev/null and b/documents/OPTIGA_Trust_M_ConfigGuide_v2.2.pdf differ diff --git a/documents/OPTIGA_Trust_M_Datasheet_v3.40.pdf b/documents/OPTIGA_Trust_M_Datasheet_v3.40.pdf deleted file mode 100644 index 83326bc5..00000000 Binary files a/documents/OPTIGA_Trust_M_Datasheet_v3.40.pdf and /dev/null differ diff --git a/documents/OPTIGA_Trust_M_Datasheet_v3.61.pdf b/documents/OPTIGA_Trust_M_Datasheet_v3.61.pdf new file mode 100644 index 00000000..7204cdb1 Binary files /dev/null and b/documents/OPTIGA_Trust_M_Datasheet_v3.61.pdf differ diff --git a/documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.50.pdf b/documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.60.pdf similarity index 82% rename from documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.50.pdf rename to documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.60.pdf index de5cff2d..3c51be4e 100644 Binary files a/documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.50.pdf and b/documents/OPTIGA_Trust_M_Solution_Reference_Manual_v3.60.pdf differ diff --git "a/documents/OPTIGA\342\204\242 Trust M Solution Reference Manual.md" "b/documents/OPTIGA\342\204\242 Trust M Solution Reference Manual.md" index 131dc6fb..ea739a94 100644 --- "a/documents/OPTIGA\342\204\242 Trust M Solution Reference Manual.md" +++ "b/documents/OPTIGA\342\204\242 Trust M Solution Reference Manual.md" @@ -469,7 +469,7 @@ like to integrate the OPTIGA™ with their solution. ## Architecture Decomposition The architecture components contained in the shown solution architecture -view (OPTIGA Trust Communication Protection - toolbox - View) are listed +view (OPTIGA™Trust Communication Protection - toolbox - View) are listed and briefly described in the table below. 4. Architecture components @@ -544,7 +544,7 @@ and briefly described in the table below. -The class diagram OPTIGA Trust Communication Protection - toolbox - View +The class diagram OPTIGA™Trust Communication Protection - toolbox - View shows the Communication Protection Solution Architecture in case the local host is invoking a third\_party\_crypto library (e.g. WolfSSL, OpenSSL, mbedTLS, ...) containing its main functional blocks. The @@ -568,7 +568,7 @@ is: | ------------------------------------ | | ![728,6](https://github.com/Infineon/Assets/raw/master/Pictures/OPTIGA_Trust_M/SRM/image4.tmp) | -Figure 1 - OPTIGA Trust Communication Protection - toolbox - View +Figure 1 - OPTIGA™Trust Communication Protection - toolbox - View ### Host code size @@ -1143,7 +1143,7 @@ enabler components, which gets provided by the OPTIGA™ solution. The target platforms for those enabler components are embedded systems, Linux and Windows. -The class diagram OPTIGA Trust Enabler Software Overview shows host side +The class diagram OPTIGA™Trust Enabler Software Overview shows host side library architecture and it’s main functional blocks. The color coding provides information of whether the function blocks are @@ -6377,7 +6377,12 @@ conditions. - If the shared secret gets updated on field either by protected update (integrity and confidentiality) or shielded connection, the regarded usage counter must be updated accordingly to allow the - usage of shared secret further for the required number of times. + usage of shared secret further for the required number of times + + - Without the use of an Integrity and Confidentiality Protected Update, + OPTIGA™ cannot support use cases based on PRESSEC that require more + restrictive access rights for READ than for CHANGE + ### Auto states diff --git a/documents/README.md b/documents/README.md index 23dee55a..6e3de4f9 100644 --- a/documents/README.md +++ b/documents/README.md @@ -2,9 +2,9 @@ * **Infineon_I2C_Protocol_vX.XX.pdf** - Infineon I2C protocol specification. In this document you can find all information related to the communication protocol between a Host MCU and the Secure Element, for instance how shielded connection works. * **License.pdf** - MIT License -* **OPTIGA_Trust_M_Cloud_ID_UserGuide.pdf** - A guidance on how to register a reel on the CIRRENT™ Cloud ID service -* **OPTIGA_Trust_M_ConfigGuide.pdf** - A comparison guidance between available provisioning options (M ver. 1/M ver.3/Express) -* **OPTIGA_Trust_M_Datasheet_vX.XX.pdf** - Datasheet for the OPTIGA Trust M revision 1 product. This is a high level description of the hardware side of the product. You can find there the following information, though not limited to +* **OPTIGA_Trust_M_Cloud_ID_UserGuide.pdf** - A guidance on how to register a reel on the CIRRENT™ Cloud ID service. +* **OPTIGA_Trust_M_ConfigGuide_vX.XX.pdf** - A comparison guidance between available provisioning options (M ver. 1/M ver.3/Express/MTR) +* **OPTIGA_Trust_M_Datasheet_vX.XX.pdf** - Datasheet for the OPTIGA™Trust M product. This is a high level description of the hardware side of the product. You can find there the following information, though not limited to * Electrical Characteristics * Crypto Performance * Hardware integration guide including a reference schematics @@ -12,7 +12,7 @@ * Test Vectors for the security chip (on I2C level) * Compliance infomration * **OPTIGA_Trust_M_Host_Library_Documentation.chm** - A Windows Help file with the API description -* **OPTIGA_Trust_M_Keys_And_Certificates_vX.XX.pdf** - A document which describes default PKI infrustructure, in which worm and what exactly do we store on chip in regards to Private Keys and Certificates. You might find the [Personalize OPTIGA™ Trust](https://github.com/Infineon/personalize-optiga-trust) Application Note usefull as well +* **OPTIGA_Trust_M_Keys_And_Certificates_vX.XX.pdf** - A document which describes default PKI infrustructure, in which way and what exactly do we store on chip in regards to Private Keys and Certificates. You might find the [Personalize OPTIGA™ Trust](https://github.com/Infineon/personalize-optiga-trust) Application Note usefull as well * **OPTIGA_Trust_M_Solution_Reference_Manual_vX.XX.md** - A document which describes in more details: * Features and properties of the security chip in more details * Use cases diff --git a/examples/README.md b/examples/README.md index 927acef5..7692fd31 100644 --- a/examples/README.md +++ b/examples/README.md @@ -5,27 +5,27 @@ This folders are used to demonstrate basic functionality of the security chip. The list of available Application Notes and Examples is following: 1. [Get started guide](https://github.com/Infineon/getstarted-optiga-trust-m) -1. ModusToolbox™ Code Examples +2. ModusToolbox™ Code Examples - [OPTIGA™ Trust M: Cryptography](https://github.com/Infineon/mtb-example-optiga-crypto) - [OPTIGA™ Trust M: MQTT Client](https://github.com/Infineon/mtb-example-optiga-mqtt-client) - [OPTIGA™ Trust M: Power management](https://github.com/Infineon/mtb-example-optiga-power-management) - [OPTIGA™ Trust M: Data management](https://github.com/Infineon/mtb-example-optiga-data-management) -1. [Off-Chip TLS example (mbedTLS)](https://github.com/Infineon/mbedtls-optiga-trust-m) -1. [Linux Command Line Interface](https://github.com/Infineon/linux-optiga-trust-m) -1. Cloud: +3. [Off-Chip TLS example (mbedTLS)](https://github.com/Infineon/mbedtls-optiga-trust-m) +4. [Linux Command Line Interface](https://github.com/Infineon/linux-optiga-trust-m) +5. Cloud: 1. [AWS FreeRTOS example](https://github.com/Infineon/amazon-freertos-optiga-trust) - 1. [Microsoft Azure IoT example](https://github.com/Infineon/azure-optiga-trust-m) -1. [Zephyr OS driver](https://github.com/Infineon/zephyr) -1. [Arduino library](https://github.com/Infineon/arduino-optiga-trust-m) -1. [Personalize OPTIGA™ Trust](https://github.com/Infineon/personalize-optiga-trust) -1. [Python package](https://github.com/Infineon/python-optiga-trust) -1. [I2C Utilities](https://github.com/Infineon/i2c-utils-optiga-trust) + 2. [Microsoft Azure IoT example](https://github.com/Infineon/azure-optiga-trust-m) +6. [Zephyr OS driver](https://github.com/Infineon/zephyr) +7. [Arduino library](https://github.com/Infineon/arduino-optiga-trust-m) +8. [Personalize OPTIGA™ Trust](https://github.com/Infineon/personalize-optiga-trust) +9. [Python package](https://github.com/Infineon/python-optiga-trust) +10. [I2C Utilities](https://github.com/Infineon/i2c-utils-optiga-trust) # Troubleshooting ## 0x107 (handshake error) -Some of the examples, for instance [`example_optiga_util_read_data`](https://github.com/Infineon/optiga-trust-m/blob/master/examples/optiga/example_optiga_util_read_data.c#L61) calls +Some of the examples, for instance [`example_optiga_util_read_data`](https://github.com/Infineon/optiga-trust-m/blob/master/examples/optiga/example_optiga_util_read_data.c#L61) calls ``` // OPTIGA Comms Shielded connection settings to enable the protection OPTIGA_UTIL_SET_COMMS_PROTOCOL_VERSION(me, OPTIGA_COMMS_PROTOCOL_VERSION_PRE_SHARED_SECRET); diff --git a/examples/tools/protected_update_data_set/README.md b/examples/tools/protected_update_data_set/README.md index 33302fbf..a8070471 100644 --- a/examples/tools/protected_update_data_set/README.md +++ b/examples/tools/protected_update_data_set/README.md @@ -61,7 +61,7 @@ Usage : <.exe> input1= input2= .. note : Input is a hexadecimal string.E.g. E3 : The values in "options" can be bitwise ORED and provided ( Refer SRM ) key_algo default : - options : ECC-NIST-P-256 (3) , ECC-NIST-P-384 (4), ECC-NIST-P-521 (5), ECC-BRAINPOOL-P-256-R1 (19) , ECC-BRAINPOOL-P-384-R1 (21), ECC-BRAINPOOL-P-512-R1 (22), RSA-1024-Exp (65) , RSA-2048-Exp (66), AES-128 (129), AES-192 (129), AES-256 (131) + options : ECC-NIST-P-256 (3) , ECC-NIST-P-384 (4), ECC-NIST-P-521 (5), ECC-BRAINPOOL-P-256-R1 (19) , ECC-BRAINPOOL-P-384-R1 (21), ECC-BRAINPOOL-P-512-R1 (22), RSA-1024-Exp (65) , RSA-2048-Exp (66), AES-128 (129), AES-192 (130), AES-256 (131) note : Input is a decimal string.E.g. 129 key_data default : (null) options : ECC / RSA key in .pem format or AES key in txt file as hexadecimal string diff --git a/examples/tools/protected_update_data_set/include/protected_update_data_set.h b/examples/tools/protected_update_data_set/include/protected_update_data_set.h index b0865673..53521e13 100644 --- a/examples/tools/protected_update_data_set/include/protected_update_data_set.h +++ b/examples/tools/protected_update_data_set/include/protected_update_data_set.h @@ -78,6 +78,8 @@ typedef enum key_algorithm eRSA_1024_EXP = 0x41, eRSA_2048_EXP = 0x42, eAES_128 = 0x81, + eAES_192 = 0x82, + eAES_256 = 0x83, } key_algorithm_t; typedef enum key_usage diff --git a/examples/tools/protected_update_data_set/src/user_input_parser.c b/examples/tools/protected_update_data_set/src/user_input_parser.c index 6fe894fd..c56fc85a 100644 --- a/examples/tools/protected_update_data_set/src/user_input_parser.c +++ b/examples/tools/protected_update_data_set/src/user_input_parser.c @@ -249,7 +249,7 @@ opt_prop_t option_table[] = // PAYLOAD : KEYS { "Details", DETAIL_KEY_OBJ, NULL, "", 0, "", "" }, { DESC_KEY_USAGE, SHORT_NAME_KEY_USAGE, &opt.key_usage, DEFAULT_KEY_USAGE, 0, "AUTH (0x01) , ENC (0x02) , SIGN (0x10) , KEY_AGREE (0x20)", "Input is a hexadecimal string.E.g. E3"_NEXT_"The values in \"options\" can be bitwise ORED and provided ( Refer SRM )" }, - { DESC_KEY_ALGO, SHORT_NAME_KEY_ALGO, &opt.key_algo, DEFAULT_KEY_ALGO, 0, "ECC-NIST-P-256 (3) , ECC-NIST-P-384 (4), ECC-NIST-P-521 (5), ECC-BRAINPOOL-P-256-R1 (19) , ECC-BRAINPOOL-P-384-R1 (21), ECC-BRAINPOOL-P-512-R1 (22), RSA-1024-Exp (65) , RSA-2048-Exp (66), AES-128 (129), AES-192 (129), AES-256 (131)", "Input is a decimal string.E.g. 129" }, + { DESC_KEY_ALGO, SHORT_NAME_KEY_ALGO, &opt.key_algo, DEFAULT_KEY_ALGO, 0, "ECC-NIST-P-256 (3) , ECC-NIST-P-384 (4), ECC-NIST-P-521 (5), ECC-BRAINPOOL-P-256-R1 (19) , ECC-BRAINPOOL-P-384-R1 (21), ECC-BRAINPOOL-P-512-R1 (22), RSA-1024-Exp (65) , RSA-2048-Exp (66), AES-128 (129), AES-192 (130), AES-256 (131)", "Input is a decimal string.E.g. 129" }, { DESC_PAYLOAD_KEY, SHORT_NAME_PAYLOAD_KEY, &opt.key_data, DEFAULT_PAYLOAD_KEY, 0, "ECC / RSA key in .pem format or AES key in txt file as hexadecimal string", "Refer : samples/payload/key/sample_ec_256_priv.pem for ECC or RSA key"_NEXT_"Refer : samples/payload/key/aes_key.txt for AES key" }, // PAYLOAD : METADATA diff --git a/pal/README.md b/pal/README.md index 73f7d98e..0e1db8fb 100644 --- a/pal/README.md +++ b/pal/README.md @@ -12,13 +12,15 @@ The Crypto PAL helps a Host MCU to perfrom shielded communication (protected Inf If you don't use shielded connection you can skip this module Currently three Crypto PALs are supported via third-party libraries (should be provided at compilation/linking time) + 1. mbed TLS Crypto Library -1. OpenSSL Crypto Library -1. WolfSSL Crypto Library +2. OpenSSL Crypto Library +3. WolfSSL Crypto Library There are three functions required to be implemented by the Crypto PAL, these are: -1. `pal_crypt_tls_prf_sha256` -
Test Vectors + +1. `pal_crypt_tls_prf_sha256` +
Test Vectors ```c ********************************************************************************************** @@ -102,7 +104,7 @@ There are three functions required to be implemented by the Crypto PAL, these ar
1. `pal_crypt_encrypt_aes128_ccm` -
Test Vectors +
Test Vectors ```c /* key */ @@ -149,9 +151,9 @@ There are three functions required to be implemented by the Crypto PAL, these ar ```
- + 1. `pal_crypt_decrypt_aes128_ccm` -
Test Vectors +
Test Vectors ```c /* key */ @@ -198,8 +200,7 @@ There are three functions required to be implemented by the Crypto PAL, these ar ```
- - + A simple test suite can look like following
Simple Test suite @@ -390,4 +391,5 @@ static int32_t testAES128CCMDecrypt(void) return ret; } ``` +