Getting tpm2 probe to work on RPi 4B, Ubuntu 20.04.1 #2504

Closed
kwmartin opened this issue Dec 2, 2022 · 9 comments

Comments

@kwmartin

kwmartin commented Dec 2, 2022

I have a custom board (RFId reader) that includes an Infineon SLB9670 (plus a ds3232 rtc). I have MOSI: 10, MISO: 9, CLK: 11 (BCM pin numbers). The chip select is connected to BCM-14, and the RST is connected to BCM-4. I have verified the SPI works with the Sparkfun LSM9DS1 breakout board and jumpers. After a month, I can not get the SLB9670 to work. I can not get /dev/tpm0 no matter what I do. I have compiled (successfully) the most recent software stack from infineon. Not having /dev/tpm0 prevents (for example) installing tpm2-pytss. I see:

>sudo vcdbg log msg
...
> g CONFIG_TCG_TPM /boot/config-5.15.0-1021-raspi
CONFIG_TCG_TPM=y

I also see in the Infineon software stack tpm2-tss/doc/tcti-spi-helper.md how to init the context for an ESP32 with pin definitions. I do not know where I would hook something similar in if I was to take this approach for the pi.
In /boot/firmware/config.txt (note Ubuntu not Raspian directory structure), having:
dtoverlay=spi0-2cs,cs0_pin=14,cs1_pin=5
boots up fine:

009315.007: brfs: File read: /mfs/sd/overlays/spi0-2cs.dtbo
009325.383: Loaded overlay 'spi0-2cs'
009325.395: dtparam: cs0_pin=14
009325.641: dtparam: cs1_pin=5

and I see:

sudo dmesg | g tpm
[ 1.192997] ima: No TPM chip found, activating TPM-bypass!

If I comment out dtoverlay=spi0-2cs,cs0_pin=14,cs1_pin=5 and use
dtoverlay=tpm-soft-spi
where I have modified tpm-soft-spi to reflect my pins; for example:

...
	fragment@0 {
		target = <&spi0>;
		__overlay__ {
			compatible = "spi-gpio";
			pinctrl-names = "default";
			pinctrl-0 = <&spi0_gpio7>;
			gpio-sck = <&gpio 11 0>;
			gpio-mosi = <&gpio 10 0>;
			gpio-miso = <&gpio 9 0>;
			cs-gpios = <&gpio 14 1>;
			spi-delay-us = <0>;
			#address-cells = <1>;
			#size-cells = <0>;
			status = "okay";

			/* for kernel driver */
			sck-gpios = <&gpio 11 0>;
			mosi-gpios = <&gpio 10 0>;
			miso-gpios = <&gpio 9 0>;
			num-chipselects = <1>;

			slb9670: slb9670@0 {
				compatible = "infineon,slb9670", "tis,tpm2-spi", "tcg,tpm_tis-spi";
				reg = <0>;
				gpio-reset = <&gpio 4 1>;
				#address-cells = <1>;
				#size-cells = <0>;
				status = "okay";

				/* for kernel driver */
				spi-max-frequency = <1000000>;
			};
		};
	};

	fragment@1 {
		target = <&spi0_gpio7>;
		__overlay__ {
			brcm,pins = <14 5 9 10 11 4>;
			brcm,function = <0>;
		};
	};

...

and reboot, I get:
[ 1.193592] ima: No TPM chip found, activating TPM-bypass!
[ 8.760394] tpm_tis_spi: probe of spi0.0 failed with error -110
Also, /dev/spi0.0 and /dev/spi0.1 are missing. I also have, in this case:

>sudo vcdbg log msg
...
009903.300: brfs: File read: /mfs/sd/overlays/tpm-soft-spi.dtbo
009915.045: Loaded overlay 'tpm-soft-spi'
...

I've tried many other overlay options, for example specifying pull-ups on BCM-14 and BCM-5, also tried a modified device-tree that specified BCM-4 as the reset pin. I do find the device tree syntax very difficult to follow through especially to how the parameter substitution works. I would be happy just not using the kernel driver and trying to access the SLB9670 if I knew how to hook into the stack.

uname -a gives:
Linux pi18 5.15.0-1021-raspi #23-Ubuntu SMP PREEMPT Fri Nov 25 15:27:43 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
and >lsb_release -a gives:

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.1 LTS
Release:	22.04
Codename:	jammy

I also purchased an STM4RasPi TPM module, but after receiving it and reading the documentation, it appears I have to re-compile the kernel, something I have never done, and think would be jumping from the fire into the pan? (or should I say cauldron? - I really dislike trying to understand and debug device trees and overlays - had to completely restore /boot/firmware, for example - restoring the complete OS is really time consuming - I have a lot of apps on it). My main intended uses of the SLB9670 are: a) a Master key for encrypting and signing user keys, and b) to generate keys for a CA certificate.
I am currently at an impasse, after many many hours, so any suggestions are really appreciated. Thank you.

@williamcroberts
Member

  1. For your issues with the kernel not picking the TPM, perhaps the kernel mailing list over at linux-integrity can help?
  2. For Infineon help, @AndreasFuchsTPM any ideas here?
  3. For the SPI TCTI, I can help here. See below

The TCTIs are how we communicate between the library stacks and the TPM. The Python Bindings have support for the TCTILdr interface, which can take any shared object that implements the dynamic loader interface and load it through dlopen(3). However, the SPI TCTI doesn't support that interface :-(, so we would have to make direct bindings to Tss2_Tcti_Spi_Helper_Init and set up all the callbacks, but it's doable if you need it.

@kwmartin
Author

kwmartin commented Dec 7, 2022

Thanks William, re: "However, the SPI TCTI doesn't support that interface :-(, so we would have to make direct bindings to Tss2_Tcti_Spi_Helper_Init and set up all the callbacks, but it's doable if you need it." Do you have any examples on how to do this? And what callbacks are needed? It appears to me that the kernel is probing spi0.0 and failing: "tpm_tis_spi: probe of spi0.0 failed with error -110" and therefore /dev/spi0.0 is not being loaded. Without recompiling the kernel (which is beyond me to get right without many errors), I can't see how to get around this. All in all, getting the SLB9670 to work is really difficult (at least for me); I am having real problems trying to understand the documentation as well.

@williamcroberts
Member

@kwmartin just to clarify, I may have misunderstood your needs. You stated that,

I also see in the Infineon software stack tpm2-tss/doc/tcti-spi-helper.md how to init the context for an ESP32 with pin definitions. I do not know where I would hook something similar in if I was to take this approach for the pi.

Are you looking to use the spi-helper within the Python programming environment or looking for how to actually toggle all the right parts on the TPM from userspace?

If it's the former I can help you, if it's the latter, I have no input.

@kwmartin
Author

kwmartin commented Dec 8, 2022

I'm looking to access the spi from inside Python using spi-helper.

@kwmartin
Author

kwmartin commented Dec 8, 2022

P.S. I would like to, after boot up, access the TPM using Python to init it, and store and retrieve master passwords where the asymmetric secret key is only available inside the TPM, and do all this by accessing the spi directly, not through the kernel. I will control the CSN and RSTN pins by directly programming the gpios. If I just had a simple example of initting the TPM using Python for any example GPIO pins, I could take it from there. So I need to make a "Main.py" that inits the TPM and maybe runs a simple command.

@williamcroberts
Member

> P.S. I would like to, after boot up, access the TPM using Python to init it, and store and retrieve master passwords where the asymmetric secret key is only available inside the TPM, and do all this by accessing the spi directly, not through the kernel. I will control the CSN and RSTN pins by directly programming the gpios. If I just had a simple example of initting the TPM using Python for any example GPIO pins, I could take it from there. So I need to make a "Main.py" that inits the TPM and maybe runs a simple command.

Got it, will build out the bindings soon. I'll try and do them now.

@williamcroberts
Member

@kwmartin bindings PR is here:

Can you try kicking the tires on that. FYI it looks like it requires the SPI transfer to be in full-duplex mode. Looking at the sample code in the tpm2-tss repo, the spi_transaction_t structure rxlength is 0 so it defaults to length, see [1]. Let me know if that's a problem, I can pass both size buffers through the C API and just avoid this limitation.

  1. https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/peripherals/spi_master.html#_CPPv417spi_transaction_t
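As an added illustration of what the spi-helper's platform callbacks have to provide (this is not code from this issue, from tpm2-tss or from tpm2-pytss), here is a constructed Python simulation of the TIS-over-SPI register access the helper performs: chip select held asserted across the header, wait-state polling and data phases, and a full-duplex transfer that returns exactly one byte for every byte sent. The locality-0 register addresses come from the TCG PTP specification; the SLB9670 vendor/device ids in SAMPLE_REGS, the MockTisSpiTpm class, the HalfDuplexTpmLink failure case and the function names are assumptions made for this example.

```python
"""Constructed simulation of the TPM TIS-over-SPI register protocol that the
tpm2-tss tcti-spi-helper drives through its platform callbacks (acquire CS,
full-duplex transfer, release CS).  Not the project's code; all values assumed."""

# Locality-0 TIS register addresses as seen over SPI (TCG PTP specification).
TPM_ACCESS_0 = 0xD40000
TPM_DID_VID_0 = 0xD40F00

# Constructed register contents; DID/VID travels little-endian on the wire.
SAMPLE_REGS = {TPM_ACCESS_0: bytes([0x81]),  # tpmRegValidSts | tpmEstablishment
               TPM_DID_VID_0: (0x001B << 16 | 0x15D1).to_bytes(4, "little")}  # assumed SLB9670 ids


class MockTisSpiTpm:
    """Byte-level stand-in for an SPI TPM; state survives across transfer() calls
    because chip select stays asserted for one whole register access."""

    def __init__(self, regs, wait_states=2):
        self.regs = {a: bytearray(v) for a, v in regs.items()}
        self.wait_states = wait_states  # wait-state bytes the TPM inserts per access
        self.cs_asserted = False

    def acquire(self):  # host drives CS low (a GPIO write on the Pi): new frame
        self.cs_asserted, self.phase, self.header = True, "header", bytearray()

    def release(self):  # host drives CS high; any partial frame is discarded
        self.cs_asserted = False

    def transfer(self, tx):
        """Full duplex: exactly one byte comes back for every byte clocked out."""
        if not self.cs_asserted:
            raise RuntimeError("SPI transfer without chip select asserted")
        return bytes(self._clock_byte(b) for b in tx)

    def _clock_byte(self, b):
        if self.phase == "header":
            self.header.append(b)
            if len(self.header) < 4:
                return 0x00
            # Header: bit 7 = read, bits 0-5 = length-1, then a 24-bit address.
            self.is_read = bool(self.header[0] & 0x80)
            self.remaining = (self.header[0] & 0x3F) + 1
            self.reg = self.regs[int.from_bytes(self.header[1:4], "big")]
            self.waits_left, self.phase, self.offset = self.wait_states, "wait", 0
        if self.phase == "wait":
            # Bit 0 of the byte returned with the last header byte (and of every
            # poll byte after it) tells the host: 0 = wait state, 1 = ready.
            if self.waits_left:
                self.waits_left -= 1
                return 0x00
            self.phase = "data"
            return 0x01
        out = self.reg[self.offset] if self.is_read else 0x00
        if not self.is_read:
            self.reg[self.offset] = b  # write access: store the byte
        self.offset, self.remaining = self.offset + 1, self.remaining - 1
        return out


def _xfer(platform, tx):
    # The helper's contract: the platform transfer callback must be full duplex.
    rx = platform.transfer(tx)
    if len(rx) != len(tx):
        raise RuntimeError(f"not full duplex: sent {len(tx)} bytes, received {len(rx)}")
    return rx


def _send_header(platform, read, addr, n, max_polls=50):
    header = bytes([(0x80 if read else 0x00) | (n - 1)]) + addr.to_bytes(3, "big")
    rx = _xfer(platform, header)
    polls = 0
    while not rx[-1] & 0x01:  # TPM inserted a wait state: keep clocking until bit 0 is set
        polls += 1
        if polls > max_polls:
            raise TimeoutError("TPM never left the wait state")
        rx = _xfer(platform, b"\x00")


def read_reg(platform, addr, n):
    platform.acquire()
    try:
        _send_header(platform, True, addr, n)
        return _xfer(platform, bytes(n))  # n dummy bytes out, n register bytes back
    finally:
        platform.release()


def read_did_vid(platform):
    """Returns (vendor id, device id): the first register a TPM probe reads."""
    value = int.from_bytes(read_reg(platform, TPM_DID_VID_0, 4), "little")
    return value & 0xFFFF, value >> 16


class HalfDuplexTpmLink(MockTisSpiTpm):
    """Constructed wrong platform: discards received bytes whenever real data is
    being sent, as a write-only SPI call would, so the wait-state bit is lost."""

    def transfer(self, tx):
        rx = super().transfer(tx)
        return rx if not any(tx) else b""


def probe_raises_not_full_duplex(platform):
    try:
        read_did_vid(platform)
    except RuntimeError:
        return True
    return False
```

A real platform binding would replace MockTisSpiTpm with actual SPI transfers plus GPIO writes for CS (and RST), keeping the same three operations; the length check in `_xfer` is the same full-duplex requirement described above, and the TimeoutError path is what a probe hitting a TPM that never leaves its wait state (for example because reset is still asserted) would see.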

@kwmartin
Author

Thanks William I will give it a go. I'm not very experienced using branches in git; my guess is I do a new pull, and then switch to your branch which I'm guessing is https://github.com/williamcroberts/tpm2-pytss/tree/spi-tcti-helper ?

@williamcroberts
Member

> Thanks William I will give it a go. I'm not very experienced using branches in git; my guess is I do a new pull, and then switch to your branch which I'm guessing is https://github.com/williamcroberts/tpm2-pytss/tree/spi-tcti-helper ?

There are a few different ways to get to the same end result with git, but this is how I like to do it.

The tpm2-pytss branch requires the PR from tpm2-tss as well, see #2517

To get the tpm2-pytss code

git remote add bill https://github.com/williamcroberts/tpm2-pytss.git
git fetch bill
git checkout spi-tcti-helper

To get the tpm2-tss PR

The easiest is to use the gh tool:

gh pr checkout 2517

But you can also use the `git remote add` approach above and checkout branch `fix-tcti-spi-helper-issues`

3 participants