Inquiry About Using External TPM with Verdin iMX8MM Mini 1GB WB on Torizon OS

Dear Toradex Support Team,

I am currently working on a project using the Verdin iMX8MM Mini 1GB WB module (on Verdin Evaluation Board, Torizon OS and my application running in a docker container) and I am seeking guidance on implementing a secure solution for managing keys and certificates.

For the Secure Boot process, I plan to follow your guide and utilize the onboard eFUSE and CAAM features of the iMX8MM. However, I also need to manage application-specific keys and certificates securely, particularly for Docker container authentication and other cryptographic operations.

To achieve this separation, I am considering adding an external TPM module. Could you please advise:

1. Whether adding an external TPM is recommended for this use case?
2. If so, which TPM models are supported and compatible with Torizon OS (e.g., via SPI or I²C)?
3. Any best practices for integrating an external TPM with your Verdin iMX8MM module, especially in terms of software and hardware configuration?

Thank you for your support, and I look forward to your guidance.

Best regards,

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Did you like my answer?

Hello,

Thank you for reaching out with your inquiry about using an external TPM with the Verdin iMX8MM Mini 1GB WB module on Torizon OS. Integrating an external TPM can indeed enhance the security of your application-specific keys and certificates, especially for Docker container authentication and cryptographic operations.

1. Recommendation for External TPM:

   • Adding an external TPM is advisable if you require additional security features beyond the onboard eFUSE and CAAM, particularly for managing keys and certificates securely.

2. Compatible TPM Models:

   • The OPTIGA™ TPM SLM 9670 is a recommended model, as it is compatible with the Verdin family and supports SPI communication, which works well with Torizon OS. Ensure that any TPM you consider supports the necessary interfaces (SPI or I²C) and is compatible with Linux-based systems.

3. Integration Best Practices:

   • Hardware: Reference the Mallow Carrier Board schematics for integrating a TPM, as it includes the OPTIGA™ TPM SLM 9670. Ensure proper connections to the SPI or I²C interfaces on your carrier board, and verify compatibility with the Verdin iMX8MM module.
   • Software: Torizon OS supports TPMs, and you can utilize the Linux TPM device driver. Ensure the TPM driver is enabled in your kernel configuration. Use tools like tpm2-tools to interact with the TPM from within Docker containers, and consider using Docker’s device mapping features to expose the TPM device to your containers.

By following these guidelines, you can effectively integrate an external TPM with your Verdin iMX8MM module to enhance the security of your applications on Torizon OS.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

Usage of Trusted Platform Module (TPM) with verdin imx8m-mini.

I am using the Verdin iMX8M Mini 1GB WB with TorizonCore 6.7.0 and kernel version 5.15.148-6.7.0. I would like to integrate an external TPM for key and certificate management.

1. Is the TPM driver included in the default TorizonCore image, or do I need to enable it manually?
2. How can I create a device tree overlay to enable the TPM on my system?

Thank you for your assistance.

Best regards,

Greetings @VLengineering,

Whether adding an external TPM is recommended for this use case?

On the surface a TPM doesn’t sound like a bad idea for this use-case. Could you perhaps elaborate more on your use-case if you can. For example for the keys and certificates, do you just need a method to securely store them or is it more complicated than that?

Also how do you plane to do the Docker authentication?

If so, which TPM models are supported and compatible with Torizon OS

We don’t have an official list of TPMs that are supported. Currently these are the TPM related kernel configurations we have enabled in Torizon OS: toradex-kernel-cache/features/tpm/tpm.cfg at kirkstone-6.x.y · toradex/toradex-kernel-cache · GitHub

This means any TPMs that uses these config options should work out of the box (you’ll still need to modify the device tree of course for your specific TPM). That said if you have a TPM that requires additional configurations not already enabeld you could request us to enable these and we will see what we can do.

Any best practices for integrating an external TPM with your Verdin iMX8MM module, especially in terms of software and hardware configuration?

We don’t have an explicit guide on the software side since it’s fairly standard and documented in the Linux kernel how to enable a TPM from enabling the respective kernel config to making the appropriate device tree changes.

For hardware references I would recommend you refer to the following page here: TPM Reference Design | Toradex Developer Center

Best Regards,
Jeremias

Perhaps this helps: we have also verdin iMX8M mini with TorizonCore 6.7.0 with TPM module SLB 9672.
Device tree with SPI Bus:

&ecspi2 {
status = “okay”;

slb9672:slb9672@0 {
//compatible = “infineon,slb9670”;
compatible = “infineon, slb9672”,“infineon,slb9670”,“tcg,tpm_tis_spi”;
reg = <0>;
spi-max-frequency = <33000000>;
status = “okay”;
};
};

Kernel brings following TPM error (but you can ignore, this known, TPM works)
[ 5.987084] tpm tpm0: A TPM error (256) occurred attempting the self test

Br.

Thanks for your suggestion.

Luca

Hi @VLengineering,

Did you have any further questions on this topic or is that all for now?

Best Regards,
Jeremias