
SecEdge SEC-TPM firmware-based TPM

SEC-TPM

TPM (Trusted Platform Module) functionality is typically associated with dedicated hardware, but it can also be provided by firmware running in a trusted execution environment, leveraging Arm® TrustZone™ technology built into the CPU. This approach is known as fTPM (firmware TPM). SEC-TPM is an fTPM solution provided by Variscite's partner SecEdge.

SEC-TPM is a firmware TPM 2.0 implementation based on the Trusted Computing Group (TCG) specification. It runs in the OP-TEE secure world using Arm TrustZone and supports device provisioning through SecEdge services.

SEC-TPM operates in the OP-TEE secure world and is only available after the Linux kernel has booted.

This guide walks through the installation and setup of SEC-TPM on Variscite's SoMs.

Download SecEdge SEC-TPM Development Kit

SecEdge provides a SEC-TPM Development Kit, which includes all files required to start a 90-day free trial.

The Development Kit can be downloaded at: https://www.secedge.com/sec-tpm-kits

Use the following configuration to ensure compatibility with Variscite hardware:

 - Select Kit: SEC-TPM
 - Select Platform: NXP
 - Select Device Family: e.g., i.MX 8/9
 - Select Version: e.g., NXP BSP 6.6.52 / 2.2.0

After downloading and extracting the archive, the directory structure should look like this:

devkit_SECTPM-NXP-IMX89-NXPBSP6652220_xxxxxxxxxxxxx
├── dev-kit
│   ├── CHANGELOG
│   ├── meta-seftpm-optee
│   ├── README
│   └── secedge-ftpm-setup.sh
└── license
    └── secedge-ftpm-license-xxxxxxxxxxxxxxxx

Install the Development Kit

This guide assumes familiarity with building Yocto images from source.

Copy meta-seftpm-optee (located inside dev-kit) into your Yocto sources directory and add the layer:

$ bitbake-layers add-layer ../sources/meta-seftpm-optee/

Rename the Linux .bbappend file to match the Variscite kernel recipe:

$ mv sources/meta-seftpm-optee/recipes-kernel/linux/linux-imx_%.bbappend sources/meta-seftpm-optee/recipes-kernel/linux/linux-variscite%.bbappend

Add the following configuration to conf/local.conf:

# Add the fTPM helper app and startup scripts
DISTRO_FEATURES:append = " systemd usrmerge"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"

IMAGE_INSTALL:append = " python3 activation-init activation-app"

# Enable and install OP-TEE
MACHINE_FEATURES:append = " optee"
DISTRO_FEATURES:append = " optee"
IMAGE_INSTALL:append = " optee-os"

Then build the image:

$ bitbake fsl-image-gui

Set up SEC-TPM on your rootfs

After building the image as described above, all prerequisites required to run SEC-TPM will already be installed in the root filesystem.

However, you must still manually copy the license file provided in the Development Kit.

The device must contain either:

  • a license file, or
  • a Day-0 bundle downloaded from the Self-Service UI Portal.

When using the SEC-TPM dev-kit, a license file is provided. Day-0 bundles are available only to registered customers.

Copy the license file to the device:

$ scp license/secedge-ftpm-license-xxxxxxxxxxxxxxxx root@<board_ip_address>:/etc/sectpm/secedge-ftpm-license

Reboot the device so the initialization script can:

  1. Load the license
  2. Activate SEC-TPM

Notes:

  • SEC-TPM operates in the OP-TEE secure world and is only available after the Linux kernel has booted.
  • The dev-kit activation recipes assume a systemd-based system with Python support. Adapt them if your platform uses a different init system or runtime environment.
  • SEC-TPM activation requires an active internet connection.
  • Each license file is valid for a single device. A new license is required for each additional device.

Manual SEC-TPM Activation

Although activation is normally performed automatically during boot, it can also be executed manually.

There are two possible scenarios:

  1. A license file is copied directly to the device.
  2. A Day-0 bundle is copied to the device and the license is downloaded from the server.

The SEC-TPM dev-kit uses scenario 1.

Unload ftpm tee module:

# rmmod tpm_ftpm_tee

Copy the license file to the target:

$ scp license/secedge-ftpm-license-xxxxxxxxxxxxxxxx root@<ip_address>:/etc/sectpm/secedge-ftpm-license

Load the license:

# seftpm-helper-app -L /etc/sectpm/secedge-ftpm-license

Start the activation process:

# seftpm-helper-app -u

Load the kernel module:

# modprobe tpm_ftpm_tee

Verify that the fTPM device is available:

# ls /dev | grep tpm

The /dev/tpmX and /dev/tpmrmX devices should now be listed.

SEC-TPM activation status

The activation status can be queried using the helper application:

# seftpm-helper-app -s

A status of -1 means that the license needs to be loaded using the "-L" option. Once loaded, the license is saved to the persistent store and only needs to be loaded again if the store is wiped.

A status of 0 means that the license is loaded, but the fTPM needs to be activated using the "-u" option.

A status of 1 means that the fTPM is activated and is accessible to the tpm_ftpm_tee module.

A status of -2 means that the helper TA could not open a session to the fTPM. This is usually because the tpm_ftpm_tee module is already loaded and holds the fTPM's only session (the fTPM allows one session at a time). This is the expected status when the fTPM is activated and ready to be accessed via the /dev/tpm* interfaces.
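The manual activation sequence and the status codes above, combined into one script that picks the next step from the reported status instead of running every command blindly. This is an added example, not part of the SecEdge dev-kit or Variscite's documentation; it assumes that seftpm-helper-app -s prints the numeric status on standard output and that the fTPM appears as tpm0, and it uses the license path and module name from this guide.

```shell
#!/bin/sh
# Added example: walks the manual SEC-TPM activation from the guide, choosing
# the next step from the helper's status code rather than running steps blindly.
# Assumption: `seftpm-helper-app -s` prints the numeric status on stdout.
LICENSE=/etc/sectpm/secedge-ftpm-license

# Map a status code to the action the guide prescribes for it.
# Kept free of side effects so it can be checked without the hardware.
sectpm_next_step() {
    case "$1" in
        -1) echo "load-license" ;;  # no license yet: seftpm-helper-app -L <file>
         0) echo "activate" ;;      # license loaded, fTPM not activated: -u
         1) echo "load-module" ;;   # activated; helper TA holds the session
        -2) echo "ready" ;;         # tpm_ftpm_tee holds the fTPM's only session
         *) echo "unknown" ;;
    esac
}

# Check that the kernel module created both character devices.
# $1: device directory, /dev on a real board (parameterised for testing).
# Assumes the fTPM is the first TPM in the system (tpm0 / tpmrm0).
sectpm_devices_present() {
    [ -e "${1:-/dev}/tpm0" ] && [ -e "${1:-/dev}/tpmrm0" ]
}

# Full sequence; run as root on the board. Returns 0 once /dev/tpm* exist.
# Three passes cover the longest path: -1 -> 0 -> 1.
sectpm_activate() {
    rmmod tpm_ftpm_tee 2>/dev/null   # the helper needs the fTPM's only session
    for _i in 1 2 3; do
        status=$(seftpm-helper-app -s) || return 1
        case "$(sectpm_next_step "$status")" in
            load-license) seftpm-helper-app -L "$LICENSE" || return 1 ;;
            activate)     seftpm-helper-app -u || return 1 ;;  # needs internet
            load-module)  modprobe tpm_ftpm_tee || return 1; break ;;
            ready)        break ;;
            *) echo "unexpected SEC-TPM status: $status" >&2; return 1 ;;
        esac
    done
    sectpm_devices_present /dev
}

if [ "${1:-}" = "--run" ]; then
    sectpm_activate
fi
```

Invoke the script with --run from a root shell on the board; without the flag it only defines the functions.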

SEC-TPM EK certificates

The RSA and EC EK certificates can be extracted from the loaded license using the "-a" and "-b" options of the helper app, respectively.

# seftpm-helper-app -a ek_rsa.crt
# seftpm-helper-app -b ek_ec.crt

Additional documentation

For details on SEC-TPM, refer to the SecEdge documentation.

For TPM integration specifics on Variscite platforms, see the Variscite TPM Integration Guide.