This document is a guide for exploring the features of the OPTIGA™ Trust M. It describes the commonly used functions of the OPTIGA™ Trust M with graphical examples and simple, step-by-step instructions.
It is intended for users who wish to explore the functionality of the OPTIGA™ Trust M.
- 5.1 Metadata Protected Update
- 5.2 ECC Key Protected Update
- 5.3 AES Key Protected Update
- 5.4 RSA Key Protected Update
- 5.5 Data Protected Update
The OPTIGA™ Trust M GUI-based software lets users evaluate the Infineon OPTIGA™ Trust M with an OPTIGA™ Trust M board connected to a Raspberry Pi running Raspbian Linux.
With this software, customers can start evaluating the benefits the OPTIGA™ Trust M brings to IoT applications such as smart home devices and network equipment.
For installation and setup, refer to the OPTIGA™ Trust M Setup Guide.
To start the Trust M Explorer Application
Go to directory "optiga-trust-m-explorer/Python_TrustM_GUI" and type
./start_gui.sh
The main window displays basic information about the OPTIGA™ Trust M and is used to read and write the data, the metadata of data objects, and the certificates stored in the OPTIGA™ Trust M.
The General tab displays basic information about the OPTIGA™ Trust M: the chip information, and the metadata and data of the Trust M data objects.
Function Descriptions of the General Tab
[^Figure 1]: OPTIGA™ Trust M General functions described
Displays the OPTIGA™ Trust M chip information.
To read out the OPTIGA™ Trust M chip info, select "OPTIGA™ Trust M chip info".
[^Figure 2]: OPTIGA™ Trust M chip info displayed
Displays the metadata for all data objects: 0xE0E0 - 0xE0E3, 0xE0E8 - 0xE0E9, 0xE0EF, 0xE120 - 0xE123, 0xE200, 0xE140, 0xF1D0 - 0xF1DB, 0xF1E0 - 0xF1E1
To read out metadata, select "Read Metadata For All Data Objects".
[^Figure 3]: Metadata for all data objects displayed
Displays the data for all data objects: 0xE0E0 - 0xE0E3, 0xE0E8 - 0xE0E9, 0xE0EF, 0xE120 - 0xE123, 0xE200, 0xE140, 0xF1D0 - 0xF1DB, 0xF1E0 - 0xF1E1
To read data, select "Read All Objects Data"
[^Figure 4]:Data of all data objects displayed
Displays the metadata for all private key objects: 0xE0F0 - 0xE0F3, 0xE0FC - 0xE0FD
To read the metadata of the private key slots, select "Read Metadata For Private Key Objects".
[^Figure 5]:Metadata for private key data objects displayed
Displays the metadata of the common data objects: 0xE0C0 - 0xE0C6, 0xF1C0 - 0xF1C2
To read the metadata, select "Read Metadata For Common Data Objects".
[^Figure 6]:Metadata status for common data objects displayed
Displays the data of the common data objects: 0xE0C0 - 0xE0C6, 0xF1C0 - 0xF1C2
To read the data, select "Read Data For Common Data Objects".
[^Figure 7]:Data Status of common data objects displayed
Generates configuration files to be imported into the OPTIGA Trust Configurator tool from Infineon.
Note: The OPTIGA Trust Configurator (OTC) is a tool for generating customer-specific configurations for Infineon secure elements. The OTC files generated here can be imported into the OPTIGA Trust Configurator to create a custom security chip configuration. Download the OPTIGA Trust Configurator from the Infineon website to produce the final configuration.
To generate OTC Files, select "Generate OPTIGA Trust Configurator Files"
[^Figure 8]: Generate OPTIGA Trust Configurator Files Option
Select the directory in which to save the generated OTC files in the save-file dialog. By default, the generated OTC files are placed under the OPTIGA_Trust_M_V3_SLS32AIA010ML_K_Infineon_Technologies/ directory.
[^Figure 9]: OTC File save dialog
Note: OTC file generation can take up to a minute.
When it finishes, the screen also shows the directory of the generated OTC files.
[^Figure 10]: OTC generation completed
This section shows the Private Key and Certificate OID management of the OPTIGA™ Trust M. It is used to read the metadata of the private keys, read certificate metadata and certificate data, and write certificates into data objects.
Private Key and Cert OID functions Description
[^Figure 11]:Private Key and Cert OID functions described
Reads the metadata of the selected key slot data object. Key slot data objects: 0xE0F0 - 0xE0F3, 0xE0FC - 0xE0FD, 0xE200
Key slot data objects are the key objects used by the cryptographic functions.
To read the metadata of a key slot, select the key slot, then select "Read Key Slot Metadata". In this example the key slot data object is 0xE0F0.
[^Figure 12]:Key slot metadata displayed
The public key certificate data objects are used to store certificates.
To read the metadata of a selected public key certificate data object, select the object, then select "Read Certificate Metadata". In this example, 0xE0E0 is selected.
[^Figure 13]:Certificate Metadata displayed
Reads the certificate data stored in the selected data object: 0xE0E0 - 0xE0E3, 0xE0E8 - 0xE0E9
To read the stored certificate data, select the public key certificate data object from the options, then select "Read Certificate".
[^Figure 14]:Readout Certificate displayed
Writes a certificate into the selected data object: 0xE0E1 - 0xE0E3, 0xE0E8 - 0xE0E9
0xE0E0 holds the pre-provisioned certificate from Infineon and is therefore not offered as a destination here. 0xE0E8 - 0xE0E9 are used to store trust anchors.
To write a certificate, select the certificate file. In this example, the certificate file testE0E0.crt is selected.
[^Figure 15]:Certificate file selection
Select the Destination OID to write the certificate data. The Destination OID data objects list: 0xE0E1 - 0xE0E3, 0xE0E8 - 0XE0E9 . In this example 0xE0E3 is selected.
[^Figure 16]:Write Certificate into destination OID
Select "Write Certificate" to write in certificate data into Destination OID.
[^Figure 17]:Certificate successfully written into destination OID
Writes the platform binding secret into the platform binding secret data object 0xE140.
To write the platform binding secret, select the secret file. In this example, the default file platform_secret.dat is selected.
[^Figure 18]: Secret File Selection
Select "Write Secret" to write in the Platform Binding Secret into 0xE140.
[^Figure 19]: Secret Data successfully written into Platform binding secret data object
This section shows the Application Data Object management of the OPTIGA™ Trust M. It is used to read the metadata and data of the application data objects and to write data into them.
Application data objects are the data objects used by the Protected Update and Secure Storage applications.
Application Data OID functions description
[^Figure 20]:Application Data OID functions described
Reads the metadata of the selected application data object. Data object IDs: 0xF1D0 - 0xF1DB
To read metadata, select the data object ID, then select "Read Metadata of Data Objects ID". In this example, data object ID 0xF1D0 is used.
[^Figure 21]:Metadata of data objects ID: 0xF1D0 displayed
Reads the data stored in the selected application data object.
To read data, select the data object ID, then select "Read Data of Data Objects ID". In this example, data object ID 0xF1D0 is used.
[^Figure 22]:Data inside data objects ID: 0xF1D0 is Read out
Writes data into the selected data object.
To write data, enter the data in the input field and select the data object ID to write to, then click "Write Data into Data Objects ID". In this example 0xF1D0 is selected and the input data is "1234".
[^Figure 23]:Write Input Data into data object ID: 0xF1D0 successfully
This section shows the metadata management of the OPTIGA™ Trust M. It is used to read and write the metadata of all data objects.
Data Objects available for Metadata write include Public and Private Keys, Certificates, System Data Objects, Counter Objects, Platform Binding Secrets and Application Data Objects.
Write metadata functions description
[^Figure 24]: Write Metadata functions described
Reads the metadata of the specified object ID.
To read the metadata of an object ID, select one object ID from the six types of data objects, then click "Read Metadata". In this example 0xF1D0 is selected.
[^Figure 25]: Read Metadata from Object ID 0xF1D0
Writes metadata to the specified object ID.
To write metadata to an object ID, select the target OID from one of the lists, configure the metadata tags, then click the "Write Metadata" button. In the example:
- Target OID 0xF1D5 is selected
- Lcs0 is Creation (0x01)
- Change is Lcs0<0x07
- Read is Lcs0<0x0F
- Exe is Lcs0<0x07
- data type is Bytestring (BTSR)
[^Figure 26]: Metadata update for OID 0xF1D5 successful
Note: An Lcs0 change made by an ordinary metadata write cannot be undone. So that the object can still be reset later by a metadata Protected Update, the MUD Provision checkbox is enabled by default when the Lcs0 mode is Operational or Termination.
To revert a change to the Lcs0 tag, see section 5.1 Metadata Protected Update.
Resets the Metadata Update Descriptor (MUD) tag.
To reset the MUD, select the target OID from one of the lists, then click "Reset MUD".
In the example, OID 0xF1D5 has the MUD tag MUD:Int-0xE0E8&&Conf-0xF1D4. After Reset MUD, the tag field reads MUD:NEV.
[^Figure 27]: MUD Reset Successful
Writes metadata to the target OID from a text file supplied by the user.
To load custom metadata into the target OID:
- Select target OID from one of the lists
- Click the Custom Metadata text box to choose custom metadata file
- Double check the metadata contents to be written
- Click Write Custom Metadata
[^Figure 28]: custom metadata loaded and contents shown
[^Figure 29]: custom metadata write success
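The metadata the GUI writes in the steps above, and the contents of a custom metadata file, are one TLV record: an outer tag 0x20 and length, then one tag/length/value per field, with the Change, Read, Exe and MUD fields holding small access condition expressions (Lcs0<0x07, Int-0xE0E8&&Conf-0xF1D4, NEV). The following Python encoder/decoder is an added example and is not code from the Explorer or from Infineon; the tag, identifier and data type values are taken from the OPTIGA™ Trust M Solution Reference Manual as I read it, so verify them against the manual for your chip revision before writing to a device. It also produces the provisioning metadata of section 5 step 1 (trust anchor type TA, secret type UPDATSEC, a target MUD referencing both, and a reset type) and encodes the rule behind the note above: an ordinary write can only advance the lifecycle state. The code spells the lifecycle tag LcsO (object lifecycle state) where the GUI labels say Lcs0, and BSTR for the GUI's "Bytestring (BTSR)".

```python
"""Encode and decode OPTIGA Trust M object metadata records (added example)."""
import re

# Metadata tags inside the outer 0x20 record. Values as read from the
# OPTIGA Trust M Solution Reference Manual; check against your revision.
TAGS = {0xC0: "LcsO", 0xC1: "Version", 0xC4: "MaxSize", 0xC5: "UsedSize",
        0xD0: "Change", 0xD1: "Read", 0xD3: "Exe", 0xD8: "MUD",
        0xE0: "Algo", 0xE1: "KeyUsage", 0xE8: "Type", 0xF0: "ResetType"}
TAG_BY_NAME = {v: k for k, v in TAGS.items()}
AC_TAGS = (0xD0, 0xD1, 0xD3, 0xD8)            # fields holding access conditions

# Access condition identifiers and operators used in Change/Read/Exe/MUD.
AC_ID = {"ALW": 0x00, "Conf": 0x20, "Int": 0x21, "Auto": 0x23, "Luc": 0x40,
         "LcsG": 0x70, "LcsA": 0xE0, "LcsO": 0xE1, "NEV": 0xFF}
AC_OP = {"==": 0xFA, ">": 0xFB, "<": 0xFC, "&&": 0xFD, "||": 0xFE}
ID_NAME = {v: k for k, v in AC_ID.items()}
OP_NAME = {v: k for k, v in AC_OP.items()}

# Data object types (tag 0xE8): BSTR plain data, TA trust anchor,
# UPDATSEC protected-update secret, PTFBIND platform binding secret.
TYPES = {0x00: "BSTR", 0x01: "UPCTR", 0x11: "TA", 0x12: "DEVCERT",
         0x21: "PRESSEC", 0x22: "PTFBIND", 0x23: "UPDATSEC", 0x24: "AUTOREF"}
TYPE_BY_NAME = {v: k for k, v in TYPES.items()}

LCSO = {"cr": 0x01, "in": 0x03, "op": 0x07, "te": 0x0F}   # creation .. termination


def encode_ac(expr: str) -> bytes:
    """'Int-0xE0E8&&Conf-0xF1D4' -> 21 E0 E8 FD 20 F1 D4 ; 'LcsO<0x07' -> E1 FC 07."""
    out = bytearray()
    for term in re.split(r"(&&|\|\|)", expr.replace(" ", "")):
        if term in ("&&", "||"):
            out.append(AC_OP[term])
        elif term in ("ALW", "NEV"):
            out.append(AC_ID[term])
        elif (m := re.fullmatch(r"(Lcs[OAG])(==|<|>)0x([0-9A-Fa-f]{2})", term)):
            out += bytes([AC_ID[m[1]], AC_OP[m[2]], int(m[3], 16)])
        elif (m := re.fullmatch(r"(Int|Conf|Auto|Luc)-0x([0-9A-Fa-f]{4})", term)):
            out += bytes([AC_ID[m[1]]]) + int(m[2], 16).to_bytes(2, "big")
        else:
            raise ValueError(f"unsupported access condition term {term!r}")
    return bytes(out)


def decode_ac(raw: bytes) -> str:
    """Inverse of encode_ac, producing the notation the GUI displays."""
    parts, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0x00, 0xFF):                              # ALW / NEV
            parts.append(ID_NAME[b]); i += 1
        elif b in (0x20, 0x21, 0x23, 0x40):                # Conf/Int/Auto/Luc + OID
            parts.append(f"{ID_NAME[b]}-0x{raw[i + 1]:02X}{raw[i + 2]:02X}"); i += 3
        elif b in (0x70, 0xE0, 0xE1):                      # Lcs* <op> value
            parts.append(f"{ID_NAME[b]}{OP_NAME[raw[i + 1]]}0x{raw[i + 2]:02X}"); i += 3
        elif b in (0xFD, 0xFE):                            # && / ||
            parts.append(OP_NAME[b]); i += 1
        else:
            raise ValueError(f"unknown access condition byte 0x{b:02X} at offset {i}")
    return "".join(parts)


def encode_metadata(fields: dict) -> bytes:
    """{'LcsO': 1, 'Change': 'LcsO<0x07', 'Type': 'BSTR', ...} -> 0x20 record."""
    body = bytearray()
    for name, value in fields.items():
        tag = TAG_BY_NAME[name]
        if tag in AC_TAGS:
            val = encode_ac(value)
        elif tag == 0xE8:
            val = bytes([TYPE_BY_NAME[value]])
        elif tag in (0xC1, 0xC4, 0xC5):                    # two-byte fields
            val = int(value).to_bytes(2, "big")
        else:                                              # one-byte fields
            val = bytes([int(value)])
        body += bytes([tag, len(val)]) + val
    return bytes([0x20, len(body)]) + bytes(body)


def decode_metadata(blob: bytes) -> dict:
    """Parse a record as read back from the chip; rejects bad outer length."""
    if len(blob) < 2 or blob[0] != 0x20 or blob[1] != len(blob) - 2:
        raise ValueError("not a metadata record: outer tag 0x20 with matching length expected")
    fields, i = {}, 2
    while i < len(blob):
        tag, length = blob[i], blob[i + 1]
        val = blob[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError(f"truncated value for tag 0x{tag:02X}")
        name = TAGS.get(tag, f"0x{tag:02X}")
        if tag in AC_TAGS:
            fields[name] = decode_ac(val)
        elif tag == 0xE8:
            fields[name] = TYPES.get(val[0], f"0x{val[0]:02X}")
        elif tag in (0xC1, 0xC4, 0xC5):
            fields[name] = int.from_bytes(val, "big")
        else:
            fields[name] = val[0] if length == 1 else val.hex()
        i += 2 + length
    return fields


def lcso_plain_write_allowed(current: int, new: int) -> bool:
    """LcsO only moves forward (cr 0x01 -> in 0x03 -> op 0x07 -> te 0x0F) by an
    ordinary metadata write; going back needs a metadata Protected Update with
    a reset type, which is why the GUI enables MUD provisioning first."""
    return new in LCSO.values() and new >= current
```

Compare the output of decode_metadata() with the GUI's "Read Metadata" display before and after a write. If a Change condition reads NEV, or contains Int/Conf terms, the object can no longer be changed by a plain write; only a Protected Update carrying the matching integrity and confidentiality protection (section 5) can change it.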
This section shows Test DAC provisioning for Matter devices using the OPTIGA™ Trust M for device attestation. It involves reading the pre-provisioned certificate from the chip, extracting its public key, generating a new DAC certificate for that key signed by the Matter Test PAI, and writing the Test DAC certificate, the Matter Test PAI and the Test CD into their object IDs.
[^Figure 30]: Matter DAC Provisioning functions described
Reads the IFX pre-provisioned certificate from OID 0xE0E0.
To read the IFX pre-provisioned certificate, select "Read IFX Pre-Provisioned Cert".
[^Figure 31]: Information about the pre-provisioned certificate displayed
Extracts the public key from the certificate and saves it to a file named pubkey_e0e0.pem.
To extract the public key from the certificate, select "Extract Public Key From Cert".
[^Figure 32]: Public key extracted from the certificate displayed
Generates a Certificate Signing Request (CSR) using the public key.
To generate the CSR, select "Generate DAC CSR Using Public Key".
[^Figure 33]: CSR generated from the public key
Generates the new DAC certificate by signing the CSR with the Matter Test PAI key; the Matter Test PAI certificate becomes the DAC's issuer.
To generate the certificate, select "Generate DAC Cert Using Public Key".
[^Figure 34]: DAC certificate generated from the public key
Writes the new DAC certificate to OID 0xE0E0, replacing the pre-provisioned certificate read in the first step. To write the new DAC certificate into 0xE0E0, select "Write Test DAC".
[^Figure 35]: Information about the new DAC certificate displayed
Writes the Matter Test PAI certificate to OID 0xE0E8. To write the Matter Test PAI into 0xE0E8, select "Write Matter Test PAI".
[^Figure 36]: Matter Test PAI written to 0xE0E8
Writes the Test CD to OID 0xF1E0. To write the Test CD into 0xF1E0, select "Write Test CD".
[^Figure 37]: Test CD written to 0xF1E0
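The DAC is built from the public key of the pre-provisioned certificate because the matching private key lives in the chip and is not replaced by this flow, so the Test DAC written back into 0xE0E0 is only usable if its SubjectPublicKeyInfo is byte-identical to the one in the certificate that was read out. The following Python is an added example, not code from the Explorer or from Infineon: a minimal DER walker that extracts the SubjectPublicKeyInfo from two DER certificates (for instance the certificate read from 0xE0E0 and the generated DAC file) and compares them before you overwrite the object. The build_test_cert() helper constructs a certificate shell around a dummy point with a dummy signature purely to exercise the parser; that test data is not a valid curve point or signature, and the code checks neither the point nor the signature chain.

```python
"""Minimal DER walker to compare certificate public keys (added example)."""

EC_PUBLIC_KEY = "1.2.840.10045.2.1"      # id-ecPublicKey
PRIME256V1 = "1.2.840.10045.3.1.7"       # P-256
ECDSA_SHA256 = "1.2.840.10045.4.3.2"     # ecdsa-with-SHA256 (dummy sig alg below)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:                                   # long form: 0x8n then n length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos + hdr:end], end


def der_children(value: bytes):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value: bytes) -> str:
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n)); n = 0
    return ".".join(parts)


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo value of a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:     # optional explicit [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def ec_public_point(spki: bytes):
    """Return (curve OID, uncompressed point bytes) from an EC SPKI."""
    (_, alg), (_, key_bits) = der_children(spki)[:2]
    (_, alg_oid), (_, curve_oid) = der_children(alg)
    if decode_oid(alg_oid) != EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey SubjectPublicKeyInfo")
    if key_bits[0] != 0:
        raise ValueError("BIT STRING with unused bits")
    return decode_oid(curve_oid), key_bits[1:]


def same_public_key(cert_a: bytes, cert_b: bytes) -> bool:
    """True when both certificates carry byte-identical SubjectPublicKeyInfo."""
    return subject_public_key_info(cert_a) == subject_public_key_info(cert_b)


# ---- constructed test data: a certificate shell with a dummy point and signature ----
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + content


def _oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p > 0x7F:
            p >>= 7
            enc.append(0x80 | (p & 0x7F))
        body += bytes(reversed(enc))
    return _der(0x06, bytes(body))


def build_test_cert(point: bytes, serial: int = 1) -> bytes:
    """Constructed X.509 v3 shell around an EC P-256 SPKI (not a valid cert)."""
    alg = _der(0x30, _oid(EC_PUBLIC_KEY) + _oid(PRIME256V1))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + point))
    name = _der(0x30, _der(0x31, _der(0x30, _oid("2.5.4.3") + _der(0x0C, b"test"))))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    sig_alg = _der(0x30, _oid(ECDSA_SHA256))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(8)))   # dummy signature


if __name__ == "__main__":
    point = b"\x04" + bytes(range(1, 65))          # constructed, not a real curve point
    before, dac = build_test_cert(point, 1), build_test_cert(point, 2)
    print(ec_public_point(subject_public_key_info(dac)))
    print("safe to overwrite 0xE0E0:", same_public_key(before, dac))
```

On a real device, pass the DER bytes of the certificate read from 0xE0E0 and of the generated DAC file to same_public_key(); if it returns False, the DAC was issued for a key the chip does not hold and writing it would leave the device with a certificate it cannot use to attest.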
This section shows the cryptographic functions of the OPTIGA™ Trust M. They can be used to generate keys, encrypt/decrypt and sign/verify using the Trust M library.
This section shows the use of the OPTIGA™ Trust M ECC cryptographic functions: ECC key generation, ECC sign and ECC verify.
Select "ECC"
[^Figure 38]: Cryptographic Functions ECC menu screen
ECC function Description
[^Figure 39]: ECC cryptographic functions described
Generates an OPTIGA™ Trust M ECC key pair.
ECC type is the type of ECC key to be generated. Key slot is the OID in which the private key will be stored. Once a key slot is selected, the public key OID is displayed; it will hold the public key of the ECC key pair after generation.
ECC types: ECC 256, ECC 384, ECC 521, Brainpool 256, Brainpool 384, Brainpool 512. Key slots: 0xE0F0 - 0xE0F3
To generate an ECC key pair, select the ECC type, key slot and key_usage, then select "Generate Key". In this example, "ECC type: 256", "Key slot: E0F1" and "key_usage: Auth/Sign" are used. The public key is stored in the corresponding OID displayed in the GUI.
[^Figure 40]: ECC256 key inside 0xE0F1 generated successfully
Hashes and signs the input using the OPTIGA™ Trust M ECC key pair.
To sign the data using ECC, select the ECC type and key slot, then click "ECC Sign". In this example, "ECC type: 256" and "Key slot: E0F1" are used.
[^Figure 41]: ECC 256 key signed successfully
Verifies the signature using the generated public key. To verify, select the ECC type and key slot to verify against. In this example, "ECC type: 256" and "Key slot: E0F1" are used.
[^Figure 42]: ECC verification done successfully
The following error message is displayed if verification fails.
[^Figure 43]: ECC verification failure
This section shows RSA 1024/2048 key generation, and data encryption and decryption using an RSA key generated by the OPTIGA™ Trust M.
Open the "Cryptographic Functions" Tab
Select 'RSA'
[^Figure 44]: RSA cryptographic function menu screen
RSA Functions Description
[^Figure 45]: RSA cryptographic functions described
Generates an OPTIGA™ Trust M RSA key pair.
RSA Algo is the RSA key algorithm used to generate the key pair. Key slot is the OID in which the private key will be stored after key generation.
RSA Algo: RSA 1024, RSA 2048. Key slots: 0xE0FC, 0xE0FD
To generate an RSA key pair, select the RSA Algo, key slot and key_usage, then select "Generate RSA keypair". In this example RSA Algo: RSA 1024, key slot: 0xE0FC and key_usage: Auth/Enc/Sign are used. The public key is stored in the corresponding OID displayed in the GUI.
[^Figure 46]:RSA key generated successfully in key slot:0xE0FC (RSA 1024)
Encryption using the OPTIGA™ Trust M RSA public key.
To encrypt the input data using RSA, enter the data in "Data Input", then select "RSA Encrypt" to encrypt the message.
[^Figure 47]: Encrypted using RSA public key
Decryption using the OPTIGA™ Trust M RSA private key.
To decrypt the message, select "RSA Decrypt"; the decrypted message is displayed.
[^Figure 48]: Decrypted using private key
Hashes and signs the input using the OPTIGA™ Trust M RSA key pair.
To sign the input data using RSA, select the RSA Algo and key slot to sign with. In this example, "RSA Algo: 1024" and "Key slot: E0FC" are used.
[^Figure 49]:Data input signed using RSA key
Verifies the signature using the generated public key.
To verify using RSA, select the RSA Algo and key slot to verify against. In this example, "RSA Algo: 1024" and "Key slot: E0FC" are used.
[^Figure 50]:Signature verified
This section shows the use of the OPTIGA™ Trust M symmetric key generation function, and AES encryption and decryption with the generated symmetric key.
Open the "Cryptographic Functions" Tab
Select 'AES'
AES Functions Description
[^Figure 51]: AES cryptographic functions described
Generates an OPTIGA™ Trust M AES symmetric key.
AES Key selects the AES key type to be generated. Supported AES keys: AES 128, AES 192, AES 256. Key_usage selects the usage of the generated AES key.
To generate an AES symmetric key, select the AES Key and key_usage, then select "Generate AES key".
[^Figure 52]: AES 128 symmetric key generated
Encryption of the input data using the AES key generated by the OPTIGA™ Trust M.
To encrypt text input using the AES key, first de-select the "Use Data File Input" checkbox, then enter the data in "Data Input". Click the "IV File" text box to select the initialization vector file, then select "AES Encrypt" to encrypt the message. AES CBC mode is used here for both encryption and decryption.
[^Figure 53]: Text data input encrypted using AES key
To encrypt a custom data file using the AES key, first select the "Use Data File Input" checkbox, then click the "Custom Data File" text box to select the data file to encrypt. Click the "IV File" text box to select the initialization vector file, then select "AES Encrypt" to encrypt the data file.
[^Figure 54]: Custom data input encrypted using AES CBC Mode
Decryption of the input data using the AES key generated by the OPTIGA™ Trust M.
To decrypt the message, select "AES Decrypt"; the decrypted message is displayed and is also written to working_space/mydata.txt.dec.
[^Figure 55]: Data Input decrypted using AES CBC Mode
This section shows the OpenSSL-Provider functions of the OPTIGA™ Trust M. The OpenSSL-Provider is used here for ECC and RSA client/server demonstrations and for random number generation.
The ECC (Client/Server) demonstration shows the use of the Trust M provider for secure communication between a client and a server.
Select "ECC (Client/Server)"
[^Figure 56]: OpenSSL-Provider ECC (Client/Server) Menu Screen
ECC (Client/Server) Functions described
[^Figure 57]: OpenSSL-Provider ECC (Client/Server) Function Description part 1
[^Figure 58]: OpenSSL-Provider ECC (Client/Server) Function Description part 2
Generate private key and CSR for server.
Select "Create Server Private Key and CSR"
[^Figure 59]: OpenSSL-Provider ECC (Client/Server) Create Private Key (For Server)
[^Figure 60]: OpenSSL-Provider ECC (Client/Server) Create Certificate Signing Request (For Server)
Generate Server Certificate using Certificate Authority
Select "Create Server Cert"
[^Figure 61]: OpenSSL-Provider ECC (Client/Server) Create Server Cert (For Server)
Generate ECC Key and CSR for client.
Select "Create Client ECC Key and CSR"
[^Figure 62]: OpenSSL-Provider ECC (Client/Server) Create Certificate Signing Request (For Client)
[^Figure 63]: OpenSSL-Provider ECC (Client/Server) Extract Public Key (For Client)
Generate Client Certificate using Certificate Authority
Select "Create Client Cert"
[^Figure 64]: OpenSSL-Provider ECC (Client/Server) Create Client Certificate (For Client)
Starting an OpenSSL server
Start an OpenSSL S_Server instance by selecting "Start/Stop Server"
[^Figure 65]: OpenSSL-Provider ECC (Client/Server) Start/Stop Server
Start an OpenSSL Client
Start an OpenSSL Client and connect with OpenSSL Server by selecting "Start/Stop Client"
[^Figure 66]: OpenSSL-Provider ECC (Client/Server) Start/Stop Client
Messages can be sent from server to client as well as from client to server by entering input in the boxes below and selecting "Write to Client" or "Write to Server". The messages "Hello from Server" and "Hello from Client" have been sent successfully.
[^Figure 67]: OpenSSL-Provider ECC (Client/Server) Data Exchange
The RSA (Client/Server) demonstration shows the use of the Trust M for secure communication between a client and a server.
Select "RSA (Client/Server)"
[^Figure 68]: OpenSSL-Provider RSA (Client/Server) Menu Screen
RSA (Client/Server) Functions described
[^Figure 69]: OpenSSL-Provider RSA (Client/Server) Function Description part 1
[^Figure 70]: OpenSSL-Provider RSA (Client/Server) Function Description part 2
Generate private key and CSR for server.
Select "Create Server Private Key and CSR"
[^Figure 71]: OpenSSL-Provider RSA (Client/Server) Create Private Key and Certificate Signing Request (For Server)
Generate Server Certificate using Certificate Authority
Select "Create Server Cert"
[^Figure 72]: OpenSSL-Provider RSA (Client/Server) Create Server Cert (For Server)
Generate RSA Key and CSR for client.
Select "Create Client RSA Key and CSR"
[^Figure 73]: OpenSSL-Provider RSA (Client/Server) Create Client RSA key and CSR (For Client)
Generate Client Certificate using Certificate Authority
Select "Create Client Cert"
[^Figure 74]: OpenSSL-Provider RSA (Client/Server) Create Client Certificate (For Client)
Starting an OpenSSL server
Start an OpenSSL S_Server instance by selecting "Start/Stop Server"
[^Figure 75]: OpenSSL-Provider RSA (Client/Server) Start Server
Start an OpenSSL Client
Start an OpenSSL Client and connect with OpenSSL Server by selecting "Start/Stop Client"
[^Figure 76]: OpenSSL-Provider RSA (Client/Server) Start Client
Messages can be sent from server to client as well as from client to server by entering input in the boxes below and selecting "Write to Client" or "Write to Server". The messages "Hello from Server" and "Hello from Client" have been sent successfully, as shown in Figure 77.
[^Figure 77]: OpenSSL-Provider RSA (Client/Server) Data Exchange
This section shows how to use the OpenSSL-Provider to generate random numbers, in hex or base64 encoding, with the indicated number of bytes.
Open the OpenSSL-Provider tab in the main window.
Select "RNG".
[^Figure 78]: OpenSSL RNG Menu Screen
To generate a random number, enter the "No. of bytes to be generated" and select the encoding type, then select "Generate RNG".
[^Figure 79]: Generate RNG
In this example, 1024 bytes are generated in base64 encoding.
[^Figure 80]: RNG generated
This section shows the use of the OPTIGA™ Trust M integrity and confidentiality Protected Update for the metadata of a target OID and for the ECC/AES/RSA key of a target key OID, using the trust anchor and secret installed in the OPTIGA™ Trust M.
[^Figure 81]: OPTIGA Trust M Explorer Application: Protected Update Selection
This section shows the use of the OPTIGA™ Trust M integrity and confidentiality Protected Update for the metadata of a target OID, using the trust anchor and secret installed in the OPTIGA™ Trust M.
- Select "Protected Update"
- Overview of the "Metadata Update" tab.
[^Figure 82]: Overview of "Metadata Update" Screen
Description of the steps for a successful Protected Update of Trust M objects.
For Step 1, there are two options: Wipe target data and Keep target data. For Wipe target data, the target OID Lcs0 is set to Initialization mode (0x03) and the reset type to 0x11 (SETCRE/FLUSH). For Keep target data, the target OID Lcs0 is set to Initialization mode (0x03) and the reset type to 0x01 (SETCRE).
For both options, the "Trust anchor OID" stores the trust anchor and its data object type is set to Trust Anchor. The Protected Update secret is written to the data object of the "Secret OID" and its data type is set to UPDATESEC. The metadata of the target OID is set accordingly during provisioning.
Trust Anchor OID options: 0xE0E8 - 0xE0E9, 0xE0EF. Target OID options: 0xE0E1 - 0xE0E3, 0xF1D0 - 0xF1DB, 0xE0F1 - 0xE0F3, 0xE0FC - 0xE0FD, 0xF1E0 - 0xF1E1
Secret OID options: 0xF1D0, 0xF1D4 - 0xF1DB
In this example we provision all OIDs with Keep TargetData. Select "Step1: Set Lcs0=0x03(Init) ResetType=0x01(Keep TargetData)" and the OIDs for "Trust anchor OID", "Target OID" and "Secret OID".
Choose the trust_anchor_cert which will be stored inside the "Trust anchor OID" and also the secret file which will be stored inside the "Secret OID"
To Provision, Select "Step1: Provisioning for All OIDs".
[^Figure 83]: Provision Data Objects (for Keep TargetData)
After provisioning, press the "Read Objects Metadata" button to read the metadata of all the OIDs involved.
[^Figure 84]: Read objects Metadata after provisioning
In this example, the MUD of the target OID should read Int-0xE0E8&&Conf-0xF1D4 after provisioning.
Generates the manifest and fragment for the metadata Protected Update.
To generate the manifest and fragment, enter the "payload version".
Note: the payload version number must be larger than the current version number of the target OID.
Choose the trust_anchor_privkey (corresponding to trust_anchor_cert) and the secret file (the same secret that is stored in the "Secret OID").
Select the "Step2 : Generate Manifest" button. In this example the "payload version" is set to 1 and the metadata used is the metadata.txt file.
The manifest and fragment are generated from all the inputs inside the red box. For more information on this part, refer to the protected update data set.
[^Figure 85]: Manifest and Fragment generated
Performs the Protected Update of the metadata of the target OID.
To update the metadata of the target OID, select "Step3: Update Trust M Objects".
[^Figure 86]: Metadata protected update
Displays the metadata of the "Trust Anchor OID", "Target OID" and "Secret OID".
To read the metadata, select "Read Objects Metadata".
[^Figure 87]: Objects metadata displayed
After a successful metadata Protected Update, the Lcs0 is brought back to 0x01 (by the reset type chosen in Step 1) and the version is increased from 0000 to 0001.
Resets the access condition of the Target OID to MUD:NEV so that, after a successful Protected Update, the Target OID returns to its initial MUD state and is not locked, and can be used by the other features.
[^Figure 88]: Target OID access condition reset successfully
This section shows the use of the OPTIGA™ Trust M integrity and confidentiality Protected Update for ECC key OIDs, using the trust anchor and secret installed in the OPTIGA™ Trust M.
- Select "ECC Key Update"
- Overview of the "ECC Key Update" tab.
[^Figure 89]: ECC key Protected Update Screen
Description of the steps for a successful Protected Update of OPTIGA™ Trust M ECC key data objects.
For Step 1, the "Trust anchor OID" stores the trust anchor and its data object type is set to Trust Anchor. The Protected Update secret is written to the data object of the "Secret OID" and its data type is set to UPDATESEC. The metadata of the target OID is set accordingly during provisioning.
Trust Anchor OID options: 0xE0E8 - 0xE0E9. Target OID options: 0xE0F1 - 0xE0F3
Secret OID options: 0xF1D0, 0xF1D4 - 0xF1DB
In this example we provision all OIDs. Select the "Trust anchor OID", "Target OID" and "Secret OID". Then select the secret file to be stored in the Secret OID and the trust anchor certificate file to be stored in the trust anchor OID by clicking the respective text boxes.
[^Figure 90]:Selection of Trust Anchor Certificate and Input Secret file
To Provision, Select "Step1: Provisioning for All OIDs".
[^Figure 91]:Provisioning for ECC key Protected Update
In this example, after provisioning, the Change access condition of the target OID should be set to Int-0xE0E8&&Conf-0xF1D4.
Generates the manifest and fragment for the ECC key Protected Update.
To generate the manifest and fragment, enter the "payload version" and select the "privkey_data" and "pubkey_data" files you want to store in the OPTIGA™ Trust M.
Choose the trust_anchor_privkey (corresponding to trust_anchor_cert) and the secret file (the same secret that is stored in the "Secret OID").
Select the "Step2 : Generate Manifest" button.
In this example the "payload version" is set to 1 and the payload_type is key. The private key data used is the ecc256test_priv.pem file and the corresponding public key data is in the ecc256test_pub.der file. The trust anchor private key used is the sample_ec_256_priv.pem file and the secret used is the secret.txt file.
The manifest and fragment are generated from all the inputs inside the box. For more information on this part, refer to the protected update data set.
[^Figure 92]: ECC Key Manifest and Fragment generated
Performs the Protected Update of the ECC key into the target OID.
To update the ECC key in the target OID, select "Step3: Update Trust M Objects".
[^Figure 93]:ECC Key Protected Update successfully
Displays the metadata of the "Trust Anchor OID", "Target OID" and "Secret OID".
To read the metadata, select "Read Objects Metadata".
[^Figure 94]:Read out object metadata
Resets the Change access condition of the Target OID to Lcs0<0x07 so that, after a successful Protected Update, the Target OID is not locked and can be used by the other features.
[^Figure 95]:ECC Key OID access condition reset successfully
This section shows the use of the OPTIGA™ Trust M integrity and confidentiality Protected Update for AES key OIDs, using the trust anchor and secret installed in the OPTIGA™ Trust M.
- Select "AES Key Update"
- Overview of the "AES Key Update" tab.
[^Figure 96]:AES Key Protected Update Screen
Description of the steps for a successful Protected Update of OPTIGA™ Trust M AES key objects.
For Step 1, the "Trust anchor OID" stores the trust anchor and its data object type is set to Trust Anchor. The Protected Update secret is written to the data object of the "Secret OID" and its data type is set to UPDATESEC. The metadata of the target OID is set accordingly during provisioning.
Trust Anchor OID options: 0xE0E8 - 0xE0E9. Target OID options: 0xE200
Secret OID options: 0xF1D0, 0xF1D4 - 0xF1DB
In this example we provision all OIDs. Select the "Trust anchor OID", "Target OID" and "Secret OID". Then select the secret file to be stored in the Secret OID and the trust anchor certificate file to be stored in the trust anchor OID by clicking the respective text boxes.
[^Figure 97]:Selection of Trust Anchor Certificate and Input Secret file
To Provision, Select "Step1: Provisioning for All OIDs".
[^Figure 98]:Provisioning for AES key Protected Update
In this example, after provisioning, the Change access condition of the target OID should be set to Int-0xE0E8&&Conf-0xF1D4.
Generates the manifest and fragment for the AES key Protected Update.
To generate the manifest and fragment, enter the "payload version" and select the "key_data" you want to update into the AES key slot.
Choose the trust_anchor_privkey (corresponding to trust_anchor_cert) and the secret file (the same secret that is stored in the "Secret OID").
Select the "Step2 : Generate Manifest" button. In this example the "payload version" is set to 1, the payload_type is key, the key data used is the aes_128_test.txt file and the secret used is the secret.txt file.
The manifest and fragment are generated from all the inputs inside the red box. For more information on this part, refer to the protected update data set.
[^Figure 99]: AES Manifest and Fragment generated
Performs the Protected Update of the AES key in the AES key OID.
To update the AES key in the target OID, select "Step3: Update Trust M Objects".
[^Figure 100]:AES Key Protected Update successfully
Displays the metadata of the "Trust Anchor OID", "Target OID" and "Secret OID".
To read the metadata, select "Read Objects Metadata".
[^Figure 101]:Read out objects metadata
Resets the Change access condition of the Target OID to Lcs0<0x07 so that, after a successful Protected Update, the Target OID is not locked and can be used by the other features.
[^Figure 102]:AES Target OID access condition reset successfully
This section shows the use of the OPTIGA™ Trust M integrity and confidentiality Protected Update for RSA key OIDs, using the trust anchor and secret installed in the OPTIGA™ Trust M.
- Select "RSA Key Update"
- Overview of the "RSA Key Update" tab.
[^Figure 103]:RSA Key Protected Update screen
Description of the steps for a successful Protected Update of OPTIGA™ Trust M RSA key objects.
For Step 1, the "Trust anchor OID" stores the trust anchor and its data object type is set to Trust Anchor. The Protected Update secret is written to the data object of the "Secret OID" and its data type is set to UPDATESEC. The metadata of the target OID is set accordingly during provisioning.
Trust Anchor OID options: 0xE0E8 - 0xE0E9. Target OID options: 0xE0FC - 0xE0FD
Secret OID options: 0xF1D0, 0xF1D4 - 0xF1DB
In this example we provision all OIDs. Select the "Trust anchor OID", "Target OID" and "Secret OID". Then select the secret file used to provision the Secret OID and the trust anchor certificate file to be used, by clicking the respective text boxes.
[^Figure 104]:Selection of Trust Anchor Certificate and Input Secret file
To Provision, Select "Step1: Provisioning for All OIDs".
[^Figure 105]:Provisioning for RSA Key Protected Update
In this example, after provisioning, the Change access condition of the target OID should be set to Int-0xE0E8&&Conf-0xF1D4.
Generates the manifest and fragment for the RSA key Protected Update.
To generate the manifest and fragment, enter the "payload version" and select the "privkey_data" and "pubkey_data" you want to import into the OPTIGA™ Trust M.
Choose the trust_anchor_privkey (corresponding to trust_anchor_cert) and the secret file (the same secret that is stored in the "Secret OID").
Select the "Step2 : Generate Manifest" button. In this example the "payload version" is set to 1 and the payload_type is set to key. The private key data used is the rsa2048test_priv.pem file and the corresponding public key data is in the rsa2048test_pub.der file. The secret used is the secret.txt file.
The manifest and fragment are generated from all the inputs inside the red box. For more information on this part, refer to the protected update data set.
[^Figure 106]: RSA Manifest generated
Updates the RSA key of the Target OID.
To update the RSA key of the Target OID, select "Step3: Update Trust M Objects". The OPTIGA™ Trust M accepts the new key only after verifying the manifest signature against the trust anchor in the Trust Anchor OID and decrypting the fragment with the secret in the Secret OID.
[^Figure 107]: RSA Key Protected Update successful
Displays the metadata of the "Trust Anchor OID", "Target OID" and "Secret OID".
To read out the metadata, select "Read Objects Metadata".
[^Figure 108]: Read out object metadata
Resets the Change access condition of the Target OID to LCS < 0x07 so that, after a successful Protected Update, the Target OID is no longer locked to the protected update path and can be used by the other features.
[^Figure 109]: RSA key Target OID access condition reset successfully
This section shows the use of the OPTIGA™ Trust M Integrity and Confidentiality Protected Update for the data of OIDs, using the trust anchor and secret installed in the OPTIGA™ Trust M.
- Select "Data Update"
- Overview of the "Data Update" tab.
[^Figure 110]: Data Protected Update screen
Description of the Steps to do a successful Protected Update of OPTIGA™ Trust M Data Objects.
For Step 1, the trust anchor certificate is written to the "Trust anchor OID" and that object's data type is set to Trust Anchor. The Protected Update secret is written to the "Secret OID" and its data type is set to UPDATESEC. The metadata of the Target OID is set accordingly during provisioning.
- Trust Anchor OID options: 0xE0E8 - 0xE0E9, 0xE0EF
- Target OID options: 0xF1D0 - 0xF1DB, 0xF1E0 - 0xF1E1, 0xE0E1 - 0xE0E3
- Secret OID options: 0xF1D0, 0xF1D4 - 0xF1DB
The Target and Secret ranges overlap; do not choose the same object for both roles.
In this example we provision all OIDs. Select the "Trust anchor OID", "Target OID" and "Secret OID". Then click the respective textboxes to select the secret file used to provision the Secret OID and the trust anchor certificate file.
[^Figure 111]: Selection of Trust Anchor Certificate and Input Secret file
To provision, select "Step1: Provisioning for All OIDs".
[^Figure 112]: Provisioning for Data Protected Update
In this example, after provisioning, the Change access condition of the Target OID should read Int-0xE0E8&&Conf-0xF1D4: new data is accepted only if its manifest is integrity-protected by the trust anchor in 0xE0E8 and its payload is confidentiality-protected by the secret in 0xF1D4.
Generate the manifest and fragment for the Data Protected Update.
To generate the manifest and fragment, enter the "payload version" and select the "data" file you want to import into the OPTIGA™ Trust M.
Choose the trust_anchor_key (corresponding to trust_anchor_cert) and the secret file (the same secret that was provisioned into the "Secret OID").
Choose the correct representation in the data type box: for a data file containing hex value strings choose hex, for a data file containing ASCII strings choose ascii.
Select the "Step2 : Generate Manifest" button. In this example the "payload version" is set to 1, the payload_type is set to data, the data used is the type3_data.txt file and the secret used is the secret.txt file.
The manifest and fragment are generated from all the inputs inside the red box. For more information on this part, refer to the protected update data set.
[^Figure 113]: Data and Manifest generated
Updates the data of the Target OID.
To update the data of the Target OID, select "Step3: Update Trust M Objects". The OPTIGA™ Trust M writes the new data only after verifying the manifest against the trust anchor in the Trust Anchor OID and decrypting the fragment with the secret in the Secret OID.
[^Figure 114]: Data Protected Update successful
Displays the metadata of the "Trust Anchor OID", "Target OID" and "Secret OID".
To read out the metadata, select "Read Objects Metadata".
[^Figure 115]: Read out object metadata
Resets the Change access condition of the Target OID to LCS < 0x07 so that, after a successful Protected Update, the Target OID is no longer locked to the protected update path and can be used by the other features.
[^Figure 116]: Target OID access condition reset successfully
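"Read Objects Metadata" returns the raw metadata TLVs of each object, and the conditions this guide expects you to see after Step 1 (Change: Int-0xE0E8&&Conf-0xF1D4) and after the reset (LCS < 0x07) are encoded inside them. The following Python is an added example written for this guide, not code from the Explorer tool or from Infineon: it decodes such a metadata byte string into the notation the guide uses, builds the Change condition that provisioning should install, and checks a readout against it. The tag, access-condition and data-type byte values are as this editor reads them from the OPTIGA™ Trust M Solution Reference Manual (the manual's mnemonic for the update secret type is UPDATSEC, which this guide writes as UPDATESEC); treat them as assumptions and verify them against your manual revision. The sample metadata strings are constructed, not captured from a device.

```python
"""Decode and build OPTIGA Trust M metadata TLVs (added example, not Explorer code)."""

# Tag, access-condition and data-type values as this editor reads them from the
# Solution Reference Manual (assumption: verify against your manual revision).
# The outer container is tag 0x20; each inner TLV is one tag byte, one length byte, value.
TAGS = {0xC0: "LcsO", 0xC1: "Version", 0xC4: "MaxSize", 0xC5: "UsedSize",
        0xD0: "Change", 0xD1: "Read", 0xD3: "Execute", 0xD8: "MetaUpdate",
        0xE8: "DataType", 0xF0: "ResetType"}
AC_TAGS = {0xD0, 0xD1, 0xD3, 0xD8}
AC_CONST = {0x00: "ALW", 0xFF: "NEV"}
AC_WITH_OID = {0x20: "Conf", 0x21: "Int", 0x23: "Auto", 0x40: "Luc"}   # followed by a 2-byte OID
AC_LCS = {0x70: "LcsG", 0xE0: "LcsA", 0xE1: "LcsO"}                     # followed by operator, value
AC_OPS = {0xFA: "==", 0xFB: ">", 0xFC: "<", 0xFD: "&&", 0xFE: "||"}
DATA_TYPES = {0x11: "BSTR", 0x12: "UPCTR", 0x13: "TA", 0x14: "DEVCERT",
              0x15: "PRESSEC", 0x16: "PTFBIND", 0x17: "UPDATSEC", 0x18: "AUTHREF"}


def decode_ac(expr: bytes) -> str:
    """Render an access-condition expression the way this guide writes it,
    e.g. 21 E0 E8 FD 20 F1 D4 -> 'Int-0xE0E8&&Conf-0xF1D4'."""
    parts, i = [], 0
    while i < len(expr):
        b = expr[i]
        if b in AC_CONST:
            parts.append(AC_CONST[b])
            i += 1
        elif b in (0xFD, 0xFE):
            parts.append(AC_OPS[b])
            i += 1
        elif b in AC_WITH_OID or b in AC_LCS:
            if i + 3 > len(expr):
                raise ValueError("truncated access condition")
            if b in AC_WITH_OID:
                parts.append(f"{AC_WITH_OID[b]}-0x{expr[i + 1]:02X}{expr[i + 2]:02X}")
            else:
                op = AC_OPS.get(expr[i + 1])
                if op not in ("==", ">", "<"):
                    raise ValueError(f"bad lifecycle operator 0x{expr[i + 1]:02X}")
                parts.append(f"{AC_LCS[b]}{op}0x{expr[i + 2]:02X}")
            i += 3
        else:
            raise ValueError(f"unknown access condition byte 0x{b:02X}")
    return "".join(parts)


def decode_metadata(raw: bytes) -> dict:
    """Parse a 0x20 container into {field name: decoded value}; rejects bad lengths."""
    if len(raw) < 2 or raw[0] != 0x20 or raw[1] != len(raw) - 2:
        raise ValueError("not a well-formed 0x20 metadata container")
    out, i = {}, 2
    while i < len(raw):
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated inner TLV")
        tag, length = raw[i], raw[i + 1]
        val = raw[i + 2:i + 2 + length]
        name = TAGS.get(tag, f"0x{tag:02X}")
        if tag in AC_TAGS:
            out[name] = decode_ac(val)
        elif tag == 0xE8:
            out[name] = DATA_TYPES.get(val[0], f"0x{val[0]:02X}")
        else:
            out[name] = int.from_bytes(val, "big")
        i += 2 + length
    return out


def ac_int_conf(trust_anchor_oid: int, secret_oid: int) -> bytes:
    """Int-<TA OID>&&Conf-<Secret OID>: the Change condition Step 1 should install."""
    return (bytes([0x21]) + trust_anchor_oid.to_bytes(2, "big")
            + bytes([0xFD, 0x20]) + secret_oid.to_bytes(2, "big"))


def ac_lcso_lt(lcs: int) -> bytes:
    """LcsO < lcs, e.g. the LCS < 0x07 condition the reset button restores."""
    return bytes([0xE1, 0xFC, lcs])


def encode_metadata(fields: dict) -> bytes:
    """Build a 0x20 container from {tag: value bytes}; inverse of decode_metadata."""
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in fields.items())
    if len(body) > 0xFF:
        raise ValueError("metadata too long for a one-byte length")
    return bytes([0x20, len(body)]) + body


def check_provisioned(raw: bytes, trust_anchor_oid: int, secret_oid: int) -> bool:
    """True if the readout's Change condition is Int-<TA>&&Conf-<secret> as expected."""
    expected = decode_ac(ac_int_conf(trust_anchor_oid, secret_oid))
    return decode_metadata(raw).get("Change") == expected


if __name__ == "__main__":
    # Constructed readout (not from a real device): LcsO=1, Change: Int/Conf, Read: ALW.
    sample = bytes.fromhex("200FC00101D00721E0E8FD20F1D4D10100")
    print(decode_metadata(sample))
    print("provisioned as expected:", check_provisioned(sample, 0xE0E8, 0xF1D4))
    print("reset metadata:", encode_metadata({0xD0: ac_lcso_lt(0x07)}).hex().upper())
```

Paste the hex string the Explorer prints into decode_metadata; if "Change" does not come back as the Int/Conf condition, Step 3 will not be guarded by the trust anchor and secret you think it is.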
Secure Storage Functions Description
[^Figure 117]: Secure Storage functions described
Provisions the initial data, metadata and shared secret for HMAC-authenticated secure storage.
The secret input is provisioned into the "Secret OID", and the data type of the "Secret OID" is set to AUTHREF.
The data in the Target OID can only be read out or written after a successful HMAC authentication, because its access conditions are set to Change: Auto-<Secret OID> and Read: Auto-<Secret OID> (for example Auto-0xF1D7).
- Target OID options: 0xF1D7 - 0xF1DB, 0xF1E0 - 0xF1E1
- Secret OID options: 0xF1D7 - 0xF1D9
To provision, select the "Target OID" and "Secret OID", then select "Provision HMAC Auth Storage". Choose different objects for the two roles.
[^Figure 118]: Provisioning HMAC authentication storage
Writes data into the Target OID after successful HMAC verification.
The secret entered is not sent to the OPTIGA™ Trust M. The host uses it to compute an HMAC over a challenge obtained from the OPTIGA™ Trust M, which checks that HMAC using the secret provisioned into the "Secret OID"; verification succeeds only if both secrets match.
To write the data into the "Target OID" , Select the "Target OID" and "Secret OID", then select "Verify and Write to Target OID". In this example the Target OID is "0xF1D9" and the Secret OID is "0xF1D7".
[^Figure 119]: Verify and Write to Target OID
Reads out the data stored in the Target OID after successful HMAC verification.
The secret entered is verified in the same way: the host computes an HMAC over a challenge obtained from the OPTIGA™ Trust M, which checks it using the secret provisioned into the "Secret OID"; verification succeeds only if both secrets match.
To read out the data in the Target OID, select the "Target OID" and "Secret OID", then select "Verify and Read Target OID". In this example the Target OID is "0xF1D9" and the Secret OID is "0xF1D7".
[^Figure 120]: Verify and read Target OID
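The "Verify and Write" and "Verify and Read" buttons above never transmit the secret: the host obtains a random challenge from the OPTIGA™ Trust M, computes HMAC-SHA256 over it with its copy of the shared secret, and the chip compares that against its own computation with the secret in the Secret OID; only then is the Auto-<Secret OID> access condition satisfied. The Python below is an added example written for this guide, not the Explorer's code or the optiga-trust-m host library: it models both sides of that exchange so the failure modes can be exercised offline (wrong secret, replay of an old MAC, reading without authorization, reading the secret object itself). The chip side, OptigaHmacStorageModel, is a simplification and not the device: the real GetRandom and HMAC-verify commands, their option bytes and session handling are abstracted away (assumption). OIDs 0xF1D7 and 0xF1D9 follow the example in the text; the 32-byte secret and the stored payload are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed values: the OIDs follow the example in the text, the secret is made up.
SECRET_OID = 0xF1D7
TARGET_OID = 0xF1D9
SHARED_SECRET = bytes.fromhex("0f" * 32)   # hypothetical 32-byte pre-shared secret


class OptigaHmacStorageModel:
    """Simplified model of the chip side of HMAC authorization (NOT the real device)."""

    def __init__(self):
        self.objects = {}       # oid -> stored bytes
        self.metadata = {}      # oid -> {"DataType": ..., "Read": ac, "Change": ac}
        self._challenge = None
        self._authorized_oid = None

    def provision(self, target_oid, secret_oid, secret, initial_data=b""):
        """'Provision HMAC Auth Storage': secret -> AUTHREF object, target -> Auto-<Secret OID>."""
        self.objects[secret_oid] = bytes(secret)
        self.metadata[secret_oid] = {"DataType": "AUTHREF", "Read": "NEV", "Change": "NEV"}
        auto = f"Auto-0x{secret_oid:04X}"
        self.objects[target_oid] = bytes(initial_data)
        self.metadata[target_oid] = {"DataType": "BSTR", "Read": auto, "Change": auto}

    def get_random(self, length=32):
        """The device chooses the challenge, so a captured MAC cannot be replayed."""
        self._challenge = secrets.token_bytes(length)
        self._authorized_oid = None
        return self._challenge

    def hmac_verify(self, secret_oid, mac):
        """Compare the host MAC with HMAC-SHA256(secret in Secret OID, challenge)."""
        if self._challenge is None:
            return False
        if self.metadata.get(secret_oid, {}).get("DataType") != "AUTHREF":
            return False
        expected = hmac.new(self.objects[secret_oid], self._challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, mac)
        self._challenge = None                      # single use, whatever the outcome
        self._authorized_oid = secret_oid if ok else None
        return ok

    def _allowed(self, oid, operation):
        ac = self.metadata.get(oid, {}).get(operation, "ALW")
        if ac == "ALW":
            return True
        if ac == "NEV":
            return False
        if ac.startswith("Auto-0x"):
            return self._authorized_oid == int(ac[5:], 16)
        raise ValueError(f"access condition not modelled: {ac}")

    def set_object(self, oid, data):
        if not self._allowed(oid, "Change"):
            raise PermissionError(f"0x{oid:04X}: Change access condition not met")
        self.objects[oid] = bytes(data)

    def get_object(self, oid):
        if not self._allowed(oid, "Read"):
            raise PermissionError(f"0x{oid:04X}: Read access condition not met")
        return self.objects[oid]


def host_authorize(dev, secret_oid, host_secret):
    """Host side: fetch the challenge, MAC it with the host copy of the secret, submit."""
    challenge = dev.get_random()
    mac = hmac.new(host_secret, challenge, hashlib.sha256).digest()
    return dev.hmac_verify(secret_oid, mac)


def verify_and_write(dev, target_oid, secret_oid, host_secret, data):
    """'Verify and Write to Target OID': True on success, False if verification fails."""
    if not host_authorize(dev, secret_oid, host_secret):
        return False
    dev.set_object(target_oid, data)
    return True


def verify_and_read(dev, target_oid, secret_oid, host_secret):
    """'Verify and Read Target OID': the data, or None if verification fails."""
    if not host_authorize(dev, secret_oid, host_secret):
        return None
    return dev.get_object(target_oid)


def run_storage_demo():
    """Walk through the tab's buttons plus the failure modes; returns the outcomes."""
    dev = OptigaHmacStorageModel()
    dev.provision(TARGET_OID, SECRET_OID, SHARED_SECRET)
    out = {}
    out["write_ok"] = verify_and_write(dev, TARGET_OID, SECRET_OID, SHARED_SECRET, b"device config v1")
    out["write_wrong_secret"] = verify_and_write(dev, TARGET_OID, SECRET_OID, bytes(32), b"tampered")
    try:                                            # the failed verify dropped the authorization
        dev.get_object(TARGET_OID)
        out["unauth_read_blocked"] = False
    except PermissionError:
        out["unauth_read_blocked"] = True
    old_mac = hmac.new(SHARED_SECRET, dev.get_random(), hashlib.sha256).digest()
    dev.get_random()                                # a fresh challenge invalidates old_mac
    out["replay_rejected"] = not dev.hmac_verify(SECRET_OID, old_mac)
    out["read_ok"] = verify_and_read(dev, TARGET_OID, SECRET_OID, SHARED_SECRET)
    try:                                            # the AUTHREF object itself is never readable
        verify_and_read(dev, SECRET_OID, SECRET_OID, SHARED_SECRET)
        out["secret_not_readable"] = False
    except PermissionError:
        out["secret_not_readable"] = True
    return out


if __name__ == "__main__":
    for name, value in run_storage_demo().items():
        print(f"{name}: {value!r}")
```

The point to take from the model is what the chip does and does not protect: the HMAC binds access to knowledge of the shared secret, so the secret on the host side deserves the same care as any key, and the Read: NEV condition on the Secret OID is what keeps the chip's copy from ever being read back.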
Displays the metadata of the "Target OID" and "Secret OID".
To read out the metadata, select "Read Object Metadata".
[^Figure 121]: Read Objects metadata displayed