Open-Source Software Stack for TPM 2.0 Simplifies Integration of Security
Infineon Technologies AG has enabled a new open source software stack. It makes work easier for developers who want to use the Trusted Platform Module (TPM) 2.0 – a standardized hardware-based security solution for securing industrial, automotive and other applications such as network equipment.
This is the first open source TPM middleware that complies with the Software Stack (TSS) Enhanced System API (ESAPI) specification of the Trusted Computing Group (TCG), providing significant value to the open source community.
“The ease of integration on Linux and other embedded platforms that comes with the release of the TPM 2.0 ESAPI stack speeds up the adoption of TPM 2.0 in embedded systems such as network equipment and industrial systems,” said Gordon Muehl, Global CTO Security at Huawei. “This takes IoT security to the next level.”
“We are currently seeing great interest in enhancing the security of IoT, IIoT, Industry 4.0 and automotive applications,” said Michael Roeder, Manager Technology Engineering and Services at Avnet Silica. “The availability of the open source TSS ESAPI layer simplifies the integration of TPM 2.0 in all kinds of applications and is well aligned to our own open source approach to security.”
Making the TSS ESAPI layer available to everyone is part of Infineon´s commitment to ease the integration and wide adoption of strong security. This is further supported by security experts and industry leaders of the Infineon Security Partner Network (ISPN). The ISPN offers a wide variety of software libraries meeting the requirements of different applications and target platforms.
Infineon funded the development of the ESAPI by Fraunhofer Institute for Secure Information Technology SIT, a long-term partner of Infineon in this field. The Infineon-funded ESAPI layer is based on the SAPI layer developed by Intel Corporation. It includes a new layer of API functions to simplify the use and integration of the TPM. It facilitates establishing a connection with the TPM through an application, secured communication between the host CPU and the TPM, and authorization using message authentication codes (HMAC).
Based on the ESAPI layer, the stack includes support for OpenSSL. It can use the Infineon OPTIGA™ TPM to protect device communication secured with SSL/TLS via a standardized interface by deploying TPM 2.0 as a secured key store for OpenSSL. It thus protects the keys from vulnerabilities like the famous Heartbleed bug.
The TSS stack and ESAPI layer are published under the permissive 2-clause BSD license, which provides high flexibility and increases adoption. The ESAPI has been designed and validated by a wide community to achieve a high level of quality and stability, as is required in modern embedded and IoT systems.
With industrial and automotive customers in mind, the code was developed using industry standards, continuous integration and testing, a thorough two-person review process, and static code analyzers like clang and Coverity™.
In addition, the stack was tested and evaluated on Infineon OPTIGA™ TPM SLB 9670 with the latest TPM specifications. Future enhancements will include support for Cryptsetup/LUKS disk encryption and a version featuring ESAPI support for TPM tools.
“With the release of the TSS, we have reached a milestone for providing enhanced protection of embedded systems in areas such as industry, automotive, or smart home using the TPM 2.0,” said Andreas Fuchs, project leader at Fraunhofer SIT.
Application developers can use the OPTIGA™ TPM SLB 9670 Iridium boards offered by Infineon and download the TSS code via Github to get started right away. Source code packages for the Infineon AURIX™ as well as for Arduino microcontrollers will be released in due course.