Learn about Thistle’s verified boot solution for embedded Linux devices
Thistle Verified Boot (TVB) protects the boot sequence of embedded devices. We built this solution around two elements: U-Boot as the bootloader, and the Infineon OPTIGA Trust M as the root of trust. TVB also offers a cloud signing facility backed by Google Cloud Platform and its Cloud Key Management Service (KMS). The solution is designed to be easy to integrate and secure by design.
To enable the Cloud KMS solution for your project, log in to your Thistle account and go to the Settings > Access section. Create your key pair by clicking on "Create Key", then copy the public key to your clipboard.
Now that the key pair has been generated, you need to write the public key to your Infineon OPTIGA Trust M device. As the chip is operated via I2C, there are multiple ways to perform this operation. For all the platforms we support, we provide the tooling to write the public key to the Trust M. It either comes directly in the provided image (Raspberry Pi 4, BeagleBone Black) or as a separate binary to download.

First, you need to connect the Trust M to your platform. See the platform page to learn about the expected pinout. See the example above for an example on a Raspberry Pi 4.

We will now transform the public key into a format that the Trust M can understand. This is done by converting the public key with openssl and stripping the DER header so that only the raw elliptic-curve point remains.
```shell
# fetch the public key from the Thistle UI
raspberrypi4-64-thistle:~$ vim pk.pem   # paste the public key here
# convert the public key to Trust M format
raspberrypi4-64-thistle:~$ openssl ec -pubin -in pk.pem -outform DER 2> /dev/null | xxd -i -s 27 | xxd -r -p > pk
```
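As an added example (not Thistle's tooling), the same conversion done in Python with the DER structure checked explicitly instead of skipping a fixed 27-byte prefix, plus an on-curve check before anything is burned into a Trust M object that will later be locked read-only. The sample key is the P-256 generator point wrapped as a SubjectPublicKeyInfo, constructed here only as a well-formed input.

```python
"""Extract the raw X||Y bytes the OPTIGA Trust M expects from a P-256
SubjectPublicKeyInfo PEM, validating the DER rather than blindly slicing.
Added example, not part of Thistle's tooling."""
import base64
import re

# Fixed 26-byte DER prefix of a P-256 SubjectPublicKeyInfo:
# SEQ{ SEQ{ OID ecPublicKey, OID prime256v1 }, BIT STRING (0 unused bits) }
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200")
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der: bytes) -> str:
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + b64 + "-----END PUBLIC KEY-----\n"


def on_curve(x: int, y: int) -> bool:
    # P-256: y^2 = x^3 - 3x + b (mod p)
    return (y * y - (x**3 - 3 * x + P256_B)) % P256_P == 0


def trustm_pubkey(pem: str) -> bytes:
    """Return the 64-byte X||Y that the tutorial writes to object 0xE0E8."""
    der = pem_to_der(pem)
    if len(der) != 91 or not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("not a P-256 SubjectPublicKeyInfo")
    if der[26] != 0x04:
        raise ValueError("expected an uncompressed EC point (0x04)")
    raw = der[27:]  # same offset the openssl | xxd pipeline skips to
    x, y = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
    if not on_curve(x, y):
        raise ValueError("point is not on P-256")
    return raw


# Constructed sample: the P-256 generator point as an SPKI (not a real
# Thistle key, just a well-formed input for the parser).
SAMPLE_DER = P256_SPKI_PREFIX + b"\x04" + bytes.fromhex(
    "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    with open("pk", "wb") as f:  # same output file as the tutorial's pipeline
        f.write(trustm_pubkey(SAMPLE_PEM))
```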
We can now test the connectivity to the Trust M and write the public key to it.
```shell
raspberrypi4-64-thistle:~$ sudo trustm_chipinfo
Read Chip Info [0xE0C2]: Success.
========================================================
CIM Identifier [bCimIdentifer]: 0xcd
Platform Identifer [bPlatformIdentifier]: 0x16
Model Identifer [bModelIdentifier]: 0x33
ID of ROM mask [wROMCode]: 0x8401
Chip Type [rgbChipType]: 0x00 0x1c 0x00 0x01 0x00 0x00
Batch Number [rgbBatchNumber]: 0x0a 0x09 0x1b 0x5c 0x00 0x0b
X-coordinate [wChipPositionX]: 0x002c
Y-coordinate [wChipPositionY]: 0x0055
Firmware Identifier [dwFirmwareIdentifier]: 0x80101071
Build Number [rgbESWBuild]: 08 09
Chip software build:
OPTIGA Trust M rev.1; Firmware Version: 1.30.809
========================================================
# write the public key to the Trust M
raspberrypi4-64-thistle:~$ sudo trustm_data -X -e -w 0xe0e8 -i pk
Root CA Public Key Cert1 [0xE0E8]
[...]
OPTIGA execution time: 0.0526 sec.
Write Success.
========================================================
# make the public key read-only - note that this makes object 0xE0E8 on the Trust M permanently read-only!
raspberrypi4-64-thistle:~$ sudo trustm_metadata -X -C n -w 0xe0e8
Root CA Public Key Cert1 [0xE0E8]
[...]
OPTIGA execution time: 0.0463 sec.
Write Success.
========================================================
```
You now have an Infineon OPTIGA Trust M with the public key written to it, and you can proceed with the integration of the Thistle Verified Boot solution on your device.