Zynq 7000 SoC-TPM Interface
XAPP1309 (v1.0) March 7, 2017 11
www.xilinx.com
Zynq 7000 SoC-TPM Interface
The Zynq-7000 SoC-TPM interface provides the communication between the Zynq-7000 device
and the Infineon OPTIGA SLB9670 TPM. The interface uses commands from a tpm_toolbox. The
tpm_toolbox supports the following categories of commands:
•PCR reset
• Physical presence
• Get capability
• TPM startup/activate/physical enable
• PCR read/PCR extend
There are multiple commands in each category. A subset of the commands is used in the
reference design. The Zynq-7000 AP SoC connects to the SLB9670 TPM using the SPI bus. The
Zynq-7000 AP SoC contains a hardened SPI IP in the PS and a soft AXI SPI IP in the
programmable logic (PL). The PS SPI is used in the reference design because it saves PL
resources.
Figure 9 shows SPI-TPM functions implemented in the FSBL for the reference design.
In the measured boot reference design, the FSBL is modified to calculate the SHA-1 of the
BootROM and the FSBL, and then extend the SHA-1 digests into the TPM’s PCRs. The SHA-1
values are calculated in sha1.c. Code to take ownership and activate the TPM is in
slb9670_tpm_s pi.c. The PCRs are extended in slb9670_spi _tpm.c. Other files added to
fsbl/src include tpm_t ools.h, tpm_tools.c, tpm_spi.c, tpm_spi_tis.c , and tpm.h.
Because BootROM code is not accessible by the FSBL, the SHA-1 calculated for the BootROM is
calculated on the cyclic redundancy check (CRC) written by the BootROM code.
The FSBL TPM driver can be encrypted when stored in NVM and then decrypted and run from
OCM. The reason for the FSBL extending the TPM PCRs with early load measurements is to limit
the malicious attacker’s time to change the code.
In the Avnet Starter IIoT board, the PS SPI interfaces to the SLB9670 Pmod using an MIO
connection. To drive the pin reset of the TPM, the Zynq-7000 AP SoC hardware design includes
a PS GPIO which is used to drive the TPM reset pin. The ResetTPM function is in main.c.
X-Ref Target - Figure 9
Figure 9: FSBL TPM SPI Driver Functional Diagram
Calculate
SHA-1
BootROM
CRC
Calculate
SHA-1
FSBL
Extend PCR0
SHA-1
BootROM
CRC
Extend
PCR4
SHA-1
FSBL
TPM
Take
Ownership
TPM
Activate
TPM
Startup
X18733-020317
To Next Page
Loading...
Need help?
General
