LetsTrust

Hello Everybody,

here is the short and simple starting guide for the new LetsTrust-TPM2Go USB Stick, (LTT2Go).

1. As before: You need the Hardware itself, actually buyable here:
https://buyzero.de/products/letstrust-tpm2go
(The list will be updated with every new distributor that we can find)

2. Installation of the TSS and the TCTI-device driver
The simple way to archive a running stack with functional LTT2Go is to install the TSS. Like the LetsTrust-TPM for Raspberry Pi, you could easily use the tpm2_install.sh from https://github.com/PaulKissinger/LetsTrust
This script installs all necessary dependencies for the TSS and the tcti-driver for the LTT2Go, also the abrmd and the tpm2-tools will be installed.

3. Test the function of the LTT2Go:

Follow this https://github.com/tpm2-software/tpm2-tss/blob/master/doc/tcti-spi-ltt2go.md short guide and your LTT2Go should working!

4. Reset the LetsTrust-TPM2Go
https://github.com/PaulKissinger/LetsTrust-TPM2Go Here you'll find a short CLI tool to reset the TPM Chip on the LTT2Go. Use this tool for reboots of the host system or during the development phase. Normally there is no reason to reset a TPM while it is booted up.


That was everything for the short starting guide, and probably also for a long version '^__^.

Bye for now!

Paul

Hello Everybody,

here is the short and simple starting guide for the new LetsTrust-TPM2Go USB Stick, (LTT2Go).

1. As before: You need the Hardware itself, actually buyable here:
https://buyzero.de/products/letstrust-tpm2go
(The list will be updated with every new distributor that we can find)

2. Installation of the TSS and the TCTI-device driver
The simple way to archive a running stack with functional LTT2Go is to install the TSS. Like the LetsTrust-TPM for Raspberry Pi, you could easily use the tpm2_install.sh from https://github.com/PaulKissinger/LetsTrust
This script installs all necessary dependencies for the TSS and the tcti-driver for the LTT2Go, also the abrmd and the tpm2-tools will be installed.

3. Test the function of the LTT2Go:

Follow this https://github.com/tpm2-software/tpm2-tss/blob/master/doc/tcti-spi-ltt2go.md short guide and your LTT2Go should working!

4. Reset the LetsTrust-TPM2Go
https://github.com/PaulKissinger/LetsTrust-TPM2Go Here you'll find a short CLI tool to reset the TPM Chip on the LTT2Go. Use this tool for reboots of the host system or during the development phase. Normally there is no reason to reset a TPM while it is booted up.


That was everything for the short starting guide, and probably also for a long version '^__^.

Bye for now!

Paul

2023 August 8th,

Finally shipped to the stock \o/.
I hope you will find this usefull for your development!

Bye,

Paul

2023 August 2nd,

Update:
Shippment will start next week! \o/

Hello and welcome back,

Today, I would like to introduce my new product: LetsTrust-TPM2Go!

LetsTrust-TPM2Go is a USB 2.0 stick with a built-in TPM. It is designed to be compatible with Linux PCs or single-board computers that have USB-A ports (probably macOS but I could not test it). This product's main purpose is to simplify application development with TPM support. It can also be used if your embedded device is not ready or only has free USB ports on your target device.

Windows 11: LetsTrust-TPM2Go USB Stick is NOT compatible with Microsoft Windows 11 TPM 2.0 requirement!
Windows 10: LetsTrust-TPM2Go is not compatible [1].

Features:
- Infineon Optiga™ SLB 9672 TPM 2.0 FW15.23
- TCG Spec 2.0 Rev. 01.51
- USB 2.0 to SPI Bridge based on CY7C65211A
- Compatible with libusb
- Own USB VendorID/ProductID
- Tested with https://github.com/tpm2-software/
- available TCTI-Driver in tpm2_tss for plug & play usage [2]
- 2 LEDs, one for "USB-RX/TX action" and one connected to a TPM-GPIO for user feedback
- Transparent ABS housing for the PCB
- LetsTrust-TPM2Go was designed, manufactured, and tested in Bavaria, Germany.

Preorders are now open, and you can find LetsTrust-TPM2Go here: https://buyzero.de/products/letstrust-tpm2go

With the promo code TPMDEV2023, you'll get a 7€ discount on the first stick. This code is active till the end of August.


The first batch is manufactured, updated and tested.

The estimated shipment date is latest the end of July/beginning of August.
(We are waiting for the updated Vendor ID list on www.usb.org/developers, as this final lists Pi3g as a vendor with the given number, I could finalize the sticks (I want to avoid to scrapping several 1000€s for a potential typo))

usb.org updated the list:
https://usb.org/sites/default/files/usb_vids_080223.pdf

Shippment will start next week! \o/

Bye for now!

Paul


[1] I could interact with these sticks over WSL2 on Windows 10, but without an d-bus and the abrmd only simple commands are functional .

[2] https://github.com/tpm2-software/tpm2-tss/blob/master/doc/tcti-spi-ltt2go.md

Continue reading "More Hardware: LetsTrust-TPM2Go "

Hello everyone,

this year the tpm.dev conference will happen on the 15th and 16th May.
Direkt link tot he conference you’ll finde here: https://developers.tpm.dev/spaces/10622294/event-page
****
Update:
The recordings you could find here:
https://developers.tpm.dev/spaces/10622294/page
****
Be a part of a nice online conf, I’ll be there!

Bye for now,

Paul

Welcome, everyone!

A colleague mentioned last week that you could find three useful tools in the Microsoft Store.




- TPM PCR Calculator 
- TPM 2.0 Parser,
- TPM Return Code Decoder, as well as my personal favourite.

If you are using Windows 10 or 11, you may find this useful:)

Farewell for now!

Paul

Hello everybody,

TLDR:
LetsTrust-TPMs are NOT effected.

Long Story Long:

on 28.02.2023 the CVE-2023-1017 and CVE-2023-1018 came out https://kb.cert.org/vuls/id/782720.

The SLB9670 from Infineon is soldered on LetsTrust-TPMs:
And here is Infineon's statement:

https://kb.cert.org/vuls/id/782720#Infineon%20Technologies%20AG

Bye for now!

Paul

Hello and welcome back,

I'm really happy to announce the TPM.dev 2022 MiniConf 13. October this year!

You have to register here to get the conference link!


The schedule:

7:00 am Pacific Time / 4:00 pm CEST
The latest and greatest from OPTIGA™️ TPM, SLB9672 and SLB9673, Andreas Fuchs and Paul Kissinger from Infineon Technologies
7:30 am Pacific Time / 4:30 pm CEST
Disk integrity using microkernels and TPM, Sid Hussmann, CTO of Gapfruit, and Stefan Thöni
8:30 am Pacific Time / 5:30 pm CEST
Remote enrollment using sealed keys for Remote Attestation Ernesto Gomez Marin, Researcher at Infineon
9:30 am Pacific Time / 6:30 pm CEST
Remote Attestation of the UEFI Event log using Keylime, Thore Sommer, maintainer of Keylime
10:30 am Pacific Time / 7:30 pm CEST
Maintaining anchors of trust, Michael Richardson known from his RATS work at IETF and other workgroups
11:30 am Pacific Time / 8:30 pm CEST
How OpenSecurityTraining2 will help spread TPM and Trusted Computing awareness, Xeno Kovah, Founder of Open Security Training

I'll be there and you?

Bye for now!

Paul

Hello Again,

Puhh... over one year no updates on this site... I'm not sooooo Happy about that, but I'm alive!

What has happened in the last 13 months?!

Private:
I quit my main job in February 2022 and this brings some new opportunities to my family and myself and the TPM community.
Why is this important for the TPM community? You'll see this in the near future
Covid:
Official i was four times vaccinated (with: Biontec, Biontec, Moderna, Biontec)
And after that, I got covid and recovered from that shit… I don't want to figure out where I was without the vaccinations.


For LetsTrust:
I could announce that more shops listed the LT-TPM!
With Max, the owner of http://pi3g.com and his shop http://buyzero.de we could manage that five additional shops listed LetsTrust-TPMs. (I'll add some Links in the step list).
So if your SAP/Salesforce/ect. integration don't support buyzero.de, you could use one of this links:

https://www.berrybase.de/
https://www.reichelt.de
https://www.conrad.de
https://www.pollin.de/
https://www.voelkner.de/




And now?
New Chips, other interfaces, completely new ideas around TPMs (Thanks to the http://tpm.dev community for these ideas!)

Additional:
A second website will be come up to collect all other hardware projects, beside of LetsTrust.
(hopefully... I love Hardware too much... so.. I should love my domains and websites a little more ...).

With this new site, some other designs from me get a platform/blog. Not all of my designs are security related so LetsTrust.de is the wrong Place for this. Some of these designs you are able to buy, and some are on my desk and ready to test.



So, now you are up2date,

Bye for now!

Paul

Hello and welcome back,

Dimitar from tpm.dev shared a new project:" EnactTrust, Attestation as a Service"

Dimitar allowed me to copy the article and share it with you

The article was copied from tpm.dev, Author Dimitar Tomov, https://developers.tpm.dev/posts/enacttrust)

#####
Hello everyone,

Today, I want to share with our community something that a small group of us have built to help raise the adoption of some of TPM's advanced features:

Attestation as a Service

Mitko Vasilev who helped figure out the building blocks gives this overview:

EnactTrust is Remote Attestation as a Service for Linux and Windows systems with TPM chips.

You can use the TPM hardware root of trust for reporting to verify the integrity of any file or application on the system.

Svetlozar Kalchev who helped build our cloud infrastructure, backend, and frontend, is eager to welcome early adopters and asked me to share just this line:

We are excited to announce that signups for the EnactTrust beta are now open!

You can sign-up for our beta here.



Now, let's get down to the nitty-gritty details of how our beta works:

- Using our open-source agent app you can attest up to three nodes. The number of nodes can be unlimited. We are starting with up to three nodes just for the beta.
- EnactTrust agent app currently has two flavors - C and Golang.
- EnactTrust agent app generates Attestation Keys under the Owner Hierarchy of the TPM.
- EnactTrust agent app does not use the TPM's EK public key. We want to preserve the privacy of the user's TPM and user's node that will be attested because we expect most will first test on personal computers.
- EnactTrust backend for the public beta is cloud-based, although it could also be run on-premise. We want to offer something easy to try that does not depend on centralized servers. This is a major difference between EnactTrust and Microsoft AzureSphere or Intel's SGX.
- Every user has his own dashboard that is web-based. It is written in React.
- After you sign up for the beta, we will send you a unique user ID. Using this user ID you could log in to your EnactTrust dashboard.
- At the first launch of the EnacTrust agent on a new node, you have to enter your unique user ID and your node will be automatically added to your dashboard.
- Everyone who signups for our beta will be contacted when we launch EnactTrust.

I will pause with details for now and ask for feedback and questions. To join our beta sign-up here.

#####

You could join the beta phase here: https://enacttrust.com

I'll try EnactTrust on the Pi with one LetsTrust-TPM,


Bye for now!

Paul

Hello and welcome,

today I'll want to introduce Johannes Holland, a really nice guy, MSc, and TPM addicted.
I know Johannes personally and he also tested and validated the first revision of the LetsTrust-Arduino adapter, for which I am very grateful to this day!

And you all know Peter Huewe? He was the driver behind this.

At the next Open Source Summit, Johannes and Peter will speak over the TSS FAPI and the abstract gives great hope for an informative session.

The abstract:

Nowadays, virtually all consumer PCs/laptops contain a TPM2.0 security chip, the Trusted Platform Module. Moreover, the TPM finds its way into more and more modern embedded devices. But what is the TPM and how can we use it on Linux? The TPM has the potential to enhance security in a variety of use cases ranging from SSH, VPN, disk encryption, and more. Since it is so powerful, it may be hard to use at times. But do not fret - the tpm2-software project, especially its new TPM Software Stack (TSS) Feature API (FAPI) library, enables anyone to use the TPM. This talk gives an introduction on how to use the TPM the easy way, using recent contributions to the TPM ecosystem like the TSS FAPI. After a brief overview of the involved hard- and software, this talk will dive into how to get started with the TPM and show how it can be used to perform fundamental security tasks. Afterwards, recent additions like the TPM PKCS11 middleware and the OpenSSL engine will be presented - enabling TPM integration, perhaps without writing a single line of code. In the end, the TPM open source ecosystem will be discussed, and how to become part of it. Want to start hacking? We got you.

Here you find the link to the session
https://osseu2020.sched.com/event/eCJc/using-the-tpm-its-not-rocket-science-anymore-johannes-holland-peter-huewe-infineon-technologies-ag


Bye for now!

Paul