TThistle Verified Boot (TVB) protects the boot sequence of embedded devices. We integrated this solution around two elements: U-Boot as a bootloader, and the Infineon OPTIGA Trust M as a root of trust. Our TVB solution offers a Cloud Signing facility that is baked by the Google Cloud Platform and their Cloud Key Management Service (KMS). This solution is designed to be easy to integrate and secure by design.

Features

To enable the Cloud KMS solution to your project, head onto your Thistle account, and head on to the Settings > Access section. You can create your key pair by clicking on “Create Key”. You can then copy the public key on your clipboard.

Public key writing procedure

Now that the keypair has been generated, you need to write the public key to your Infineon OPTIGA Trust M device. As the chip is operated via I2C, there are multiple ways to perform this operation.

For all the platforms we support, we provide the tooling to write the public key to the Trust M. It either comes directly in the provided image (Raspberry Pi 4, Beagle Bone Black), or as a separate binary to download.

First, you need to connect the Trust M to your platform. See the platform page to lear about the expected pinout. See the example above for an example on a Raspberry Pi 4.

We will now transform the public key to a format that the Trust M can understand. This is done by converting the public key using openssl.

# fetch the public key from the Thistle UI
raspberrypi4-64-thistle:~$ vim pk.pem # paste the public key here

# convert the public key to Trust M format
raspberrypi4-64-thistle:~$ openssl ec -pubin -in pk.pem -outform DER  2> /dev/null | xxd -i -s 27 | xxd -r -p > pk

We can now test the connectivity to the Trust M and write the public key to it.

raspberrypi4-64-thistle:~$ sudo trustm_chipinfo
Read Chip Info [0xE0C2]: Success.
========================================================
CIM Identifier             [bCimIdentifer]: 0xcd
Platform Identifer   [bPlatformIdentifier]: 0x16
Model Identifer         [bModelIdentifier]: 0x33
ID of ROM mask                  [wROMCode]: 0x8401
Chip Type                    [rgbChipType]: 0x00 0x1c 0x00 0x01 0x00 0x00
Batch Number              [rgbBatchNumber]: 0x0a 0x09 0x1b 0x5c 0x00 0x0b
X-coordinate              [wChipPositionX]: 0x002c
Y-coordinate              [wChipPositionY]: 0x0055
Firmware Identifier [dwFirmwareIdentifier]: 0x80101071
Build Number                 [rgbESWBuild]: 08 09
Chip software build:
OPTIGA Trust M rev.1; Firmware Version: 1.30.809
========================================================

# write the public key to the Trust M
raspberrypi4-64-thistle:~$ sudo trustm_data -X -e -w 0xe0e8 -i pk
Root CA Public Key Cert1    [0xE0E8]
[...]
OPTIGA execution time: 0.0526 sec.
Write Success.
========================================================

# make the public key read-only - note that this will make this object on the Trust M read-only !
raspberrypi4-64-thistle:~$ sudo trustm_metadata -X -C n -w 0xe0e8
Root CA Public Key Cert1    [0xE0E8]
[...]
OPTIGA execution time: 0.0463 sec.
Write Success.
========================================================

Next Steps

You now have an Infineon OPTIGA Trust M with the public key written on it, and you can now proceed with the integration of the Thistle Verified Boot solution on your device.