
Commit 53d8179

authored
Merge pull request #339 from dgarske/infineon_slb_fw
Support for Infineon SLB9672/SLB9673 Firmware upgrade
2 parents 2cde410 + 062cfe9 commit 53d8179

24 files changed

+1487
-45
lines changed

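--- a/.cyignore
+++ b/.cyignore
@@ -0,0 +1,4 @@
+# wolfTPM folders
+$(SEARCH_wolftpm)/IDE
+$(SEARCH_wolftpm)/examples
+$(SEARCH_wolftpm)/tests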

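--- a/.gitignore
+++ b/.gitignore
@@ -77,6 +77,8 @@ examples/attestation/activate_credential
 examples/boot/secure_rot
 examples/boot/secret_seal
 examples/boot/secret_unseal
+examples/firmware/ifx_fw_extract
+examples/firmware/ifx_fw_update
 
 # Generated Cert Files
 certs/ca-*.pem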

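--- a/Makefile.am
+++ b/Makefile.am
@@ -43,6 +43,7 @@ include wrapper/include.am
 include hal/include.am
 include cmake/include.am
 
+EXTRA_DIST+= .cyignore
 EXTRA_DIST+= README.md
 EXTRA_DIST+= ChangeLog.md
 EXTRA_DIST+= LICENSE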

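--- a/configure.ac
+++ b/configure.ac
@@ -408,6 +408,18 @@ then
 fi
 
 
+# Built-in TPM firmware upgrade support
+AC_ARG_ENABLE([firmware],
+[AS_HELP_STRING([--enable-firmware],[Enable support for TPM firmware upgrades (default: enabled)])],
+[ ENABLED_FIRMWARE=$enableval ],
+[ ENABLED_FIRMWARE=yes ]
+)
+if test "x$ENABLED_FIRMWARE" = "xyes"
+then
+AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_FIRMWARE_UPGRADE"
+fi
+
+
 # HARDEN FLAGS
 AX_HARDEN_CC_COMPILER_FLAGS
 
@@ -431,6 +443,7 @@ AM_CONDITIONAL([BUILD_WINAPI], [test "x$ENABLED_WINAPI" = "xyes"])
 AM_CONDITIONAL([BUILD_NUVOTON], [test "x$ENABLED_NUVOTON" = "xyes"])
 AM_CONDITIONAL([BUILD_CHECKWAITSTATE], [test "x$ENABLED_CHECKWAITSTATE" = "xyes"])
 AM_CONDITIONAL([BUILD_AUTODETECT], [test "x$ENABLED_AUTODETECT" = "xyes"])
+AM_CONDITIONAL([BUILD_FIRMWARE], [test "x$ENABLED_FIRMWARE" = "xyes"])
 AM_CONDITIONAL([BUILD_HAL], [test "x$ENABLED_EXAMPLE_HAL" = "xyes" || test "x$ENABLED_MMIO" = "xyes"])
 
 
@@ -556,3 +569,4 @@ echo " * Microchip ATTPM20: $ENABLED_MICROCHIP"
 echo " * Nuvoton NPCT75x: $ENABLED_NUVOTON"
 
 echo " * Runtime Module Detection: $ENABLED_AUTODETECT"
+echo " * Firmware Upgrade Support: $ENABLED_FIRMWARE"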

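--- a/examples/boot/include.am
+++ b/examples/boot/include.am
@@ -1,6 +1,8 @@
 # vim:ft=automake
 # All paths should be given relative to the root
 
+EXTRA_DIST += examples/boot/README.md
+
 if BUILD_EXAMPLES
 noinst_HEADERS += examples/boot/boot.h
 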

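--- a/examples/firmware/Makefile
+++ b/examples/firmware/Makefile
@@ -0,0 +1,13 @@
+CC=gcc
+CFLAGS=-Wall -Werror -Wextra -g
+LIBS=
+
+all: clean ifx_fw_extract
+
+ifx_fw_extract: ifx_fw_extract.o
+$(CC) -o $@ $^ $(CFLAGS) $(LIBS)
+
+.PHONY: clean
+
+clean:
+rm -f *.o ifx_fw_extract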
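Review bot: `all: clean ifx_fw_extract` lists `clean` as an ordinary prerequisite of `all`, so every `make` rebuilds from scratch and under `make -j` the two prerequisites run in no defined order — `clean` can remove `ifx_fw_extract.o` or the binary while the link rule is still using them. Drop the dependency and declare `all` phony as well: `all: ifx_fw_extract` and `.PHONY: all clean`. The object file is produced by make's built-in `%.o: %.c` rule, which works but deserves a one-line comment such as `# ifx_fw_extract.o comes from the built-in %.o: %.c rule` so a reader does not look for a missing rule. The two recipe lines show here at column 0; presumably the page dropped the leading tab, since otherwise make would reject them with a missing-separator error.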

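--- a/examples/firmware/README.md
+++ b/examples/firmware/README.md
@@ -0,0 +1,104 @@
+# TPM Firmware Update Support
+
+Currently wolfTPM supports firmware update capability for the Infineon SLB9672 (SPI) and SLB9673 (I2C) TPM 2.0 modules. Infineon has open sourced their firmware update.
+
+## Infineon Firmware
+
+### Extracting the firmware
+
+Infineon releases firmware as a .bin file (example: TPM20_15.23.17664.0_R1.BIN).
+
+The .bin contains a 16-byte GUID header, at least one manifest based on key group and the firmware. A typical manifest is 3KB and firmware is 920KB.
+
+We have included a host side tool `ifx_fw_extract` for extracting the manifest and firmware data file required for a TPM upgrade.
+
+Example usage:
+
+```sh
+# Build host tool
+make
+
+# Help
+./ifx_fw_extract --help
+Usage:
+ifx_fw_extract <fw-file>
+ifx_fw_extract <fw-file> <keygroup_id> <manifest-file> <data-file>
+
+# Find key groups in .bin
+./ifx_fw_extract TPM20_26.13.17770.0_R1.BIN
+Reading TPM20_26.13.17770.0_R1.BIN
+Found group 00000007
+
+# Extract manifest and firmware data files for key group
+./ifx_fw_extract TPM20_26.13.17770.0_R1.BIN 7 TPM20_26.13.17770.0_R1.MANIFEST TPM20_26.13.17770.0_R1.DATA
+Reading TPM20_26.13.17770.0_R1.BIN
+Found group 00000007
+Chosen group found: 00000007
+Manifest size is 3224
+Data size is 934693
+Writing TPM20_26.13.17770.0_R1.MANIFEST
+Writing TPM20_26.13.17770.0_R1.DATA
+```
+
+### Updating the firmware
+
+The `ifx_fw_update` tool uses the manifest (header) and firmware data file.
+
+The TPM has a vendor capability for getting the key group id. This is populated in the `WOLFTPM2_CAPS.keyGroupId` when `wolfTPM2_GetCapabilities` is called. This value should match the firmware extract tool `keygroup_id`.
+
+```sh
+# Help
+./ifx_fw_update --help
+Infineon Firmware Update Usage:
+./ifx_fw_update (get info)
+./ifx_fw_update --abandon (cancel)
+./ifx_fw_update <manifest_file> <firmware_file>
+
+# Run without arguments to display the current firmware information including key group id and operational mode
+./ifx_fw_update
+Infineon Firmware Update Tool
+TPM2: Caps 0x1ae00082, Did 0x001c, Vid 0x15d1, Rid 0x16
+TPM2_Startup pass
+Mfg IFX (1), Vendor SLB9673, Fw 26.13 (0x456a)
+Operational mode: Normal TPM operational mode (0x0)
+KeyGroupId 0x7, FwCounter 1254 (255 same)
+
+# Run with manifest and firmware files
+./ifx_fw_update TPM20_26.13.17770.0_R1.MANIFEST TPM20_26.13.17770.0_R1.DATA
+Infineon Firmware Update Tool
+Manifest File: TPM20_26.13.17770.0_R1.MANIFEST
+Firmware File: TPM20_26.13.17770.0_R1.DATA
+TPM2: Caps 0x1ae00082, Did 0x001c, Vid 0x15d1, Rid 0x16
+TPM2_Startup pass
+Mfg IFX (1), Vendor SLB9673, Fw 26.13 (0x456a)
+Operational mode: Normal TPM operational mode (0x0)
+KeyGroupId 0x7, FwCounter 1254 (255 same)
+TPM2_StartAuthSession: handle 0x3000000, algorithm NULL
+TPM2_FlushContext: Closed handle 0x3000000
+TPM2_StartAuthSession: handle 0x3000000, algorithm NULL
+Firmware manifest chunk 1024 offset (0 / 3224), state 1
+Firmware manifest chunk 1024 offset (1024 / 3224), state 2
+Firmware manifest chunk 1024 offset (2048 / 3224), state 2
+Firmware manifest chunk 152 offset (3072 / 3224), state 0
+Firmware data chunk offset 0
+Firmware data chunk offset 1024
+Firmware data chunk offset 2048
+Firmware data chunk offset 3072
+...
+Firmware data chunk offset 932864
+Firmware data chunk offset 933888
+Firmware data done
+Mfg IFX (1), Vendor , Fw 0.0 (0x0)
+Operational mode: After finalize or abandon, reboot required (0x4)
+KeyGroupId 0x7, FwCounter 1253 (254 same)
+TPM2_Shutdown failed 304: Unknown
+
+# Reset or power cycle TPM
+./ifx_fw_update
+Infineon Firmware Update Tool
+TPM2: Caps 0x1ae00082, Did 0x001c, Vid 0x15d1, Rid 0x16
+TPM2_Startup pass
+Mfg IFX (1), Vendor SLB9673, Fw 26.13 (0x456a)
+Operational mode: Normal TPM operational mode (0x0)
+KeyGroupId 0x7, FwCounter 1253 (254 same)
+```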
