Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel6
outlinefalse
stylenone
typelist
printablefalse

1. Overview

This Application Note describes how to use the ST ST33KTPM2X Trusted Platform Module (TPM) with Emcraft Systems' Linux BSP for the STM32MP1 SoC.

...

The Emcraft Linux BSP for the STM32MP1 SoC has been enhanced with appropriate device drivers and configuration interfaces allowing seamless integration with the ST33KTPM2X device. This Application Note provides detailed instructions on the steps that are needed to enable software support for the STSAFE-TPM in Linux running on the STM32MP1 SoC.

2. Hardware Platform

The following hardware platform is used by Emcraft to support the ST STSAFE-TPM devices with the STM32MP1 SoC:

  • The Emcraft STM32MP1 SOM, available in the 800MHz and 650MHz variants. See: https://emcraft.com/products/1062#som .

  • The Emcraft STM32MP1-BSB Starter Kit, which provides, among other things, a standards-compliant interface to Click / mikroBUS boards. See https://emcraft.com/products/1062#starter-kit .

  • The Emcraft TPM-Click Module board, which is a compact Click / mikroBUS add-on board that hosts the ST ST33KTPM2X TPM 2.0-compliant module and provides the standard SPI / I2C interfaces to the host SoC. While Emcraft uses the Click board to illustrate integration with the STM32MP1 SoC, the board can be used with any embedded device that provides a standard Click / mikroBUS interface. See TPM-Click Module Hardware User’s Guide .

3. Software Platform

The following hardware platform is used by Emcraft to support the ST STSAFE-TPM devices with the STM32MP1 BSP (Board Support Package):

  • Kernel space device drivers. While the generic TPM2 support is enabled by CONFIG_TCG_TPM configuration parameter, Emcraft's TPM-Click Module board support is enabled by CONFIG_TCG_TIS_I2C configuration parameter (making the I2C bus the default transport to the host). These configuration parameters enable building of the TPM2 drivers in the Linux kernel and reside in the drivers/char/tpm directory in the kernel source tree. The aforementioned drivers are enabled in the Emcraft BSP by default.

  • User-space TPM stack including the cryptsetup utility in the systemd software suite, tpm2-tools set of utilities (version 5.5), and tpm2-tss shared library (version 4.0.1). The user space TPM stack is a part of the https://git.yoctoproject.org/git/meta-security Yocto layer.

4. Building STM32MP1 Images for STSAFE-TPM

Step through the following procedure to activate support for the STSAFE-TPM in the Emcraft BSP:

...

Code Block
[psl@sergmir build-openstlinuxweston-stm32mp157d-som]$ bitbake emcraft-rootfs
NOTE: Started PRServer with DBfile: /home/build/build-openstlinuxweston-stm32mp157d-som/cache/prserv.sqlite3, Address: 127.0.0.1:40257, PID: 173904
Loading cache: 100% |                                                                                                                                                                                                                                                     | ETA:  --:--:--
Loaded 0 entries from dependency cache.
NOTE: /home/build/layers/meta-st/meta-st-openstlinux/recipes-st/images/st-image-resize-initrd.bb: ENABLE_PARTITIONS_IMAGE not enabled#################################################################                                                                     | ETA:  0:00:06
Parsing recipes: 100% |####################################################################################################################################################################################################################################################| Time: 0:00:23
Parsing of 3152 .bb files complete (0 cached, 3152 parsed). 4978 targets, 577 skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies

Build Configuration:
BB_VERSION           = "2.4.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "universal"
TARGET_SYS           = "arm-ostl-linux-gnueabi"
MACHINE              = "stm32mp157d-som"
DISTRO               = "openstlinux-weston"
DISTRO_VERSION       = "4.2.1-snapshot-20240124"
TUNE_FEATURES        = "arm vfp cortexa7 neon vfpv4 thumb callconvention-hard"
TARGET_FPU           = "hard"
DISTRO_CODENAME      = "mickledore"
GCCVERSION           = "12.%"
PREFERRED_PROVIDER_virtual/kernel = "linux-stm32mp"
meta-emcraft         = "linux-stm32mp1-4.1.0:53460accc3c8c88ed91a7b2f9bf034300d12b705"
meta-python          
meta-oe              
meta-gnome           
meta-initramfs       
meta-multimedia      
meta-networking      
meta-webserver       
meta-filesystems     
meta-perl            = "HEAD:c032fd0b1a9d444711103c2703dfa8e2964a3865"
meta-st-stm32mp      = "HEAD:931b3f5be2c00f55d114c8f9122082a9d229b776"
meta-qt5             = "HEAD:cf6ffcbad5275a3428f6046468a0c9d572e813d1"
meta-security        
meta-tpm             = "mickledore:d7db0a3bd1a8639df7570483f003ce00cbe274a2"
meta-st-openstlinux  = "HEAD:8c780facff81d3c3878c5fdcd18bdd24fc36478d"
meta                 = "HEAD:20cd64812d286c920bd766145ab1cd968e72667e"
...

5. Verifying Support for STSAFE-TPM

5.1. Verifying STSAFE-TPM Configuration

Follow the step-wise procedure below to verify that the TPM module has been recognised and correctly configured on the target:

  1. In the Linux boot-up messages, verify that the TPM driver has probed the TPM device:

    Code Block
    root@stm32mp157d-som:~# dmesg | grep -i tpm
    [    7.641100] systemd[1]: systemd 253.1^ running in system mode (+PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK -SECCOMP -GCRYPT -GNUTLS -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE +TPM2 -BZIP2 -LZ4 -XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid)
    [   17.236238] tpm_tis_i2c 1-002e: 2.0 TPM (device-id 0x3, rev-id 1)
    [   17.282843] tpm tpm0: A TPM error (256) occurred attempting the self test
    [   17.293537] tpm tpm0: starting up the TPM manually
  2. Check the TPM version:

    Code Block
    root@stm32mp157d-som:~# cat /sys/class/tpm/tpm*/tpm_version_major
    2
  3. Check the TPM capabilities:

    Code Block
    root@stm32mp157d-som:~# tpm2_getcap pcrs
    selected-pcrs:
      - sha1: [ ]
      - sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
      - sha384: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
      - sha3_256: [ ]
      - sha3_384: [ ]
    Code Block
    root@stm32mp157d-som:~# tpm2_getcap algorithms
    rsa:
      value:      0x1
      asymmetric: 1
      symmetric:  0
      hash:       0
      object:     1
      reserved:   0x0
      signing:    0
      encrypting: 0
      method:     0
    sha1:
      value:      0x4
      asymmetric: 0
      symmetric:  0
      hash:       1
      object:     0
      reserved:   0x0
      signing:    0
      encrypting: 0
      method:     0
    ...
    Code Block
    root@stm32mp157d-som:~# tpm2_getcap ecc-curves
    TPM2_ECC_NIST_P256: 0x3
    TPM2_ECC_NIST_P384: 0x4
    TPM2_ECC_BN_P256: 0x10
    Code Block
    root@stm32mp157d-som:~# tpm2_getcap commands
    TPM2_CC_NV_UndefineSpaceSpecial:
      value: 0x440011F
      commandIndex: 0x11f
      reserved1:    0x0
      nv:           1
      extensive:    0
      flushed:      0
      cHandles:     0x2
      rHandle:      0
      V:            0
      Res:          0x0
    TPM2_CC_EvictControl:
      value: 0x4400120
      commandIndex: 0x120
      reserved1:    0x0
      nv:           1
      extensive:    0
      flushed:      0
      cHandles:     0x2
      rHandle:      0
      V:            0
      Res:          0x0
    TPM2_CC_HierarchyControl:
      value: 0x2C00121
      commandIndex: 0x121
      reserved1:    0x0
      nv:           1
      extensive:    1
      flushed:      0
      cHandles:     0x1
      rHandle:      0
      V:            0
      Res:          0x0
    TPM2_CC_NV_UndefineSpace:
      value: 0x4400122
      commandIndex: 0x122
      reserved1:    0x0
      nv:           1
      extensive:    0
      flushed:      0
      cHandles:     0x2
      rHandle:      0
      V:            0
      Res:          0x0
    ...

5.2. Using STSAFE-TPM for Hardware-Bound Data Encryption

This command sequence showcases how to utilise the STSAFE-TPM to create a hardware-bound encrypted disk. Once the disk has been encrypted, the passphrase to unlock the disk is stored in the TPM’s NV storage, so the unlocking and decryption of the disk is only possible with the specific TPM chip being present on the embedded target.

5.2.1. Phase 1: Disk Creation

This phase creates the disk. Follow the step-wise procedure below:

  1. Create an empty disk image:

    Code Block
    root@stm32mp157d-som:~# truncate -s 20M disk.bin
  2. Create a TPM-stored sealed key.

    Code Block
    root@stm32mp157d-som:~# tpm2_createprimary -Q -C o -c prim.ctx -P ownerauth
    root@stm32mp157d-som:~# dd if=/dev/urandom bs=1 count=32 status=none | tpm2_create -Q -g sha256 -u seal.pub -r seal.priv -i- -C prim.ctx
    root@stm32mp157d-som:~# tpm2_load -Q -C prim.ctx -u seal.pub -r seal.priv -n seal.name -c seal.ctx
    root@stm32mp157d-som:~# tpm2_evictcontrol -C o -c seal.ctx 0x81010001 -P ownerauth
    persistent-handle: 0x81010001
    action: persisted
    root@stm32mp157d-som:~# rm seal.ctx seal.name seal.priv seal.pub 
  3. Create the loop device for the disk image:

    Code Block
    root@stm32mp157d-som:~# loopdev=$(losetup --show -f disk.bin)
    [ 1303.491018] loop0: detected capacity change from 0 to 40960
    root@stm32mp157d-som:~# echo $loopdev
    /dev/loop0
  4. Create a LUKS2-encrypted disk:

    Code Block
    root@stm32mp157d-som:~# tpm2_unseal -Q -c 0x81010001 | cryptsetup luksFormat --type luks2 $loopdev
  5. Unlock the created disk:

    Code Block
    root@stm32mp157d-som:~# tpm2_unseal -Q -c 0x81010001 | cryptsetup open --type luks $loopdev mytest
    [ 1497.756506] device-mapper: ioctl: 4.47.0-ioctl (2022-07-28) initialised: dm-devel@redhat.com
    [ 1501.572598] cryptd: max_cpu_qlen set to 1000
  6. Create the ext4 file system on the disk.

    Code Block
    root@stm32mp157d-som:~# mkfs.ext4 /dev/mapper/mytest 
    mke2fs 1.47.0 (5-Feb-2023)
    Creating filesystem with 4096 1k blocks and 1024 inodes
    
    Allocating group tables: done                            
    Writing inode tables: done                            
    Creating journal (1024 blocks): done
    Writing superblocks and filesystem accounting information: done
  7. Mount the ext4 file system:

    Code Block
    root@stm32mp157d-som:~# mount /dev/mapper/mytest /mnt/
    [ 1649.709534] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Quota mode: disabled.

5.2.2. Phase 2: Verifying Disk Encryption

Now that the encrypted disk is created and the file system is mounted, we can create a file on it and verify if the data is indeed encrypted. Follow the step-wise procedure below:

  1. Create a plain file with some text:

    Code Block
    root@stm32mp157d-som:~# echo "LALALA, the data is encrypted!" > /mnt/test.txt
    Code Block
    root@stm32mp157d-som:~# ls /mnt/
    lost+found  test.txt
  2. Unmount the file system:

    Code Block
    root@stm32mp157d-som:~# umount /mnt/
    [ 2720.199493] EXT4-fs (dm-0): unmounting filesystem.
  3. Close the encrypted disk and unbind the loop device:

    Code Block
    root@stm32mp157d-som:~# cryptsetup close mytest
    Code Block
    root@stm32mp157d-som:~# losetup -d $loopdev
  4. Search the disk image for the encrypted data. It will not be found:

    Code Block
    root@stm32mp157d-som:~# grep LALALA disk.bin 
    root@stm32mp157d-som:~# echo $?
    1

5.2.3. Phase 3: Disk Unlocking

Once the disk has been created, the sequence to unlock it and mount is as follows:

...