Add Support for External TPM 2.0 Module (Adafruit Breakout)

[mbz4]

Add Support for External TPM 2.0 Module (Adafruit Breakout)

Summary:
Consider integrating a hardware TPM (Trusted Platform Module) into the Robot Study Companion (RSC) project for enhanced security and future-proofing.

---

What is a TPM?

A TPM (Trusted Platform Module) is a specialised chip that provides hardware-based security by:

• Securely storing encryption keys, passwords, and certificates.
• Providing integrity checks (e.g., measured boot).
• Protecting against tampering and unauthorized firmware changes.
• Enabling secure authentication and data encryption.

---

Why Add a TPM to the RSC?

Potential benefits:

• Secure storage of sensitive data (e.g., authentication tokens, certificates, student data).
• Verify firmware integrity at boot time.
• Protect remote communication (e.g., robot-server, robot-student apps).
• Enable secure firmware updates.
• Provide a foundation for future research into secure educational robotics.

---

Notes on Current Hardware

• The Raspberry Pi 4B currently used in the RSC does not include a built-in TPM.
• TPM functionality can be added using an external SPI TPM module.
• Adafruit's TPM 2.0 Breakout Board (Infineon SLB 9670) is a suitable candidate.

---

Integration Plan (Future Work)

• Connect the TPM breakout to the Raspberry Pi 4B via the SPI bus.
• Implement basic TPM interaction libraries in Python (e.g., using tpm2-pytss or direct SPI communication).
• Define use cases (e.g., key storage, secure messaging).
• Test and document TPM initialisation and key management for the RSC platform.

---

References

• [Adafruit TPM 2.0 SPI Breakout - Infineon SLB 9670](https://www.adafruit.com/product/4987)
• [Trusted Platform Module (Wikipedia)](https://en.wikipedia.org/wiki/Trusted_Platform_Module)
• [tpm2-software project (GitHub)](https://github.com/tpm2-software)

[mbz4]

Quick Wiring Guide (RPi 4B → Adafruit TPM 2.0 Breakout)

TPM Breakout Pin	Connect to Raspberry Pi 4B Pin
VDD	3.3V (Pin 1)
GND	Ground (Pin 6)
CLK	SPI0 SCLK (Pin 23)
MISO	SPI0 MISO (Pin 21)
MOSI	SPI0 MOSI (Pin 19)
#CS	SPI0 CE0 (Pin 24)
RESET (optional)	Any GPIO, or leave unconnected
IRQ (optional)	Any GPIO, or leave unconnected

⚡ Important:

• SPI must be enabled on the Raspberry Pi:

  sudo raspi-config
  # Interfaces → Enable SPI
  

• After enabling, reboot the Raspberry Pi.

---

Basic Test Script

Install dependencies first:

sudo apt update
sudo apt install tpm2-tools

Check if TPM is responding:

# Initialize SPI device
sudo modprobe spi-dev
Scan for TPM device
ls /dev/tpm*

You should see something like /dev/tpm0.

Now perform a basic TPM self-test:

# Run a simple TPM self-test
tpm2_selftest

If successful, you'll see no errors!

(Optional deeper test):

# Get random bytes from TPM
tpm2_getrandom 8

This asks the TPM to generate 8 random bytes securely.

---

Future Extensions

• Use Python libraries like tpm2-pytss to manage keys, sessions, and attestation.

• Implement sealed storage for private keys.

• Implement verified boot or attestation services for RSC.

---

[mbz4]

Tiny Python Test Example (Fetch Random Bytes from TPM)

First, install the Python TPM library:

sudo apt install python3-pip
pip3 install tpm2-pytss

Then, a simple test script:

# simple_tpm_random.py

from tpm2_pytss import *
from tpm2_pytss.util.simulator import Simulator

def main():
    # Create ESAPI context (Enhanced System API)
    with ESAPI() as ctx:
        # Ask for 16 random bytes
        random_bytes = ctx.GetRandom(16)
        print("Random bytes from TPM:", random_bytes.buffer.hex())

if __name__ == "__main__":
    main()

Run it:

python3 simple_tpm_random.py

If everything is wired and configured correctly, you should see a hex string of truly random data generated by the TPM hardware!

---

Notes

• Context Manager (with ESAPI() as ctx): Handles the TPM connection cleanly.
• GetRandom: A basic TPM 2.0 command, super useful for getting strong random numbers.
• Permissions: You might need to run as sudo depending on how /dev/tpm0 is permissioned.

---

✅ This tiny script is a good sanity check that your Pi and the breakout are talking securely!
✅ You can build more advanced features like key generation, attestation, or sealed storage after this basic check!