Closed yoshi-ohta closed 3 years ago
Hello,
For the Trust M3, the most recent stable version is based on M1. The M3 has several new updates in the firmware, but all other common commands are supported in the master branch for both chips. If you would still like to use M3, please have a look at the development_m3 branch. The Linux kernel driver based branch (the one you have selected) is experimental and uses a private repository. If you need early access to this repository please let me know, though keep in mind not all features here are supported (only ECDSA sign/verify, ECC keypair generation, random and TLS PRF KDF).
Thank you for answering. We will check the development_m3 branch.
Also, please answer question 2 from my first post. We want to use AES. If we want to use AES between terminals, I think we need to have the keys on each side, do you understand me?
If my understanding is correct, I think there are the following use cases: (1) When creating a key with TrustM and sharing the key with the communication partner (2) When creating a key on the other side of the communication and storing the key in TrustM
In case of (1) When you create a key with the trustm_symmetric_keygen command, the key is stored at OID = 0xE200. How can I retrieve the key information stored in 0xE200?
In case of (2) How can I save the key created by the other party?
@yoshi-ohta Sorry, I thought this question wasn't relevant any more, but sure, I can answer it too. The AES key object is a Key Object in Trust M, and as with all key objects you can't read its content (this is why you got the 0x8007 error). You can either generate a new one and use this key for operations, or write an external one using protected update. Having an AES key stored anywhere outside the security chip is a security risk. If you would like to have the same symmetric key on both machines it's better to run a key exchange algorithm first (like ECDHE), then derive a secret (or several) out of it and use it as an AES key. If you would like me to explain this in detail, please let me know.
When you create a key with the trustm_symmetric_keygen command, the key is stored at OID = 0xE200. How can I retrieve the key information stored in 0xE200?
From optiga_crypt_symmetric_generate_key
/**
* \brief Generates a symmetric key using OPTIGA.
*
* \details
* Generates a symmetric key using OPTIGA for different key sizes.
* - Invokes #optiga_cmd_gen_symkey API, based on input arguments.
* - Symmetric key is generated based on the key type.<br>
* - If export to host is requested, exports the symmetric key back to host otherwise stores it in the provided symmetric key OID.
* - The callback registered with instance (#optiga_crypt_create) gets invoked, when the operation is asynchronously completed.
*
* \pre
* - The application on OPTIGA must be opened using #optiga_util_open_application before using this API.
*
* \note
* - For <b>protected I2C communication</b>, Refer #OPTIGA_CRYPT_SET_COMMS_PROTECTION_LEVEL
* - Error codes from lower layers is returned as it is.
*
* \param[in] me Valid instance of #optiga_crypt_t created using #optiga_crypt_create.
* \param[in] key_type Key type of #optiga_symmetric_key_type_t.
* \param[in] key_usage Key usage defined in #optiga_key_usage_t.
* - It is ignored if export_symmetric_key is TRUE (1) or Non-Zero.
* \param[in] export_symmetric_key TRUE (1) or Non-Zero value - Exports symmetric key to the host.<br>
* FALSE (0) - Stores symmetric key in OPTIGA.
* \param[in,out] symmetric_key Pointer to buffer of symmetric key.
* - If export_symmetric_key is TRUE or non-zero, assign pointer to a buffer to store symmetric key.
* - If export_symmetric_key is FALSE, assign pointer to variable of type #optiga_key_id_t.
* - The size of the buffer must be sufficient enough to accommodate the key.
*
* \retval #OPTIGA_CRYPT_SUCCESS Successful invocation.
* \retval #OPTIGA_CRYPT_ERROR_INVALID_INPUT Wrong Input arguments provided.
* \retval #OPTIGA_CRYPT_ERROR_INSTANCE_IN_USE The previous operation with the same instance is not complete.
* \retval #OPTIGA_DEVICE_ERROR Command execution failure in OPTIGA and the LSB indicates the error code.
* (Refer Solution Reference Manual)
*
* <b>Example</b><br>
* example_optiga_crypt_symmetric_generate_key.c
*
*/
LIBRARY_EXPORTS optiga_lib_status_t optiga_crypt_symmetric_generate_key(optiga_crypt_t * me,
optiga_symmetric_key_type_t key_type,
uint8_t key_usage,
bool_t export_symmetric_key,
void * symmetric_key);
To export the key, you should set 'export_symmetric_key' to 1.
How can I save the key created by the other party?
If this key is used for the communication, I would again propose that you revisit the flow you have, as it would be more secure not to inject a key generated by a third party, but rather to generate the secret locally, using key negotiation and key derivation algorithms, and not to use this symmetric key for long.
Answering your question, key injection is possible using the protected key update mechanism. It is very similar to the Data update explained here. I'm going to update this manual soon to also reflect the way to update keys. A code snippet for this can be found here.
@ayushev
Thank you for your answer. There seems to be a security problem with the method I envision. I would like to consider how to use AES.
And please tell me about the source of development_v3. I'm trying the ECC256 CLI with the development_v3 source. I would like to execute the following command on Linux with reference to the README.
$ trustm_ecc_keygen -g 0xe0f3 -t 0x13 -k 0x03 -o test_e0f3_pub.pem -s
$ echo "helloworld" > helloworld.txt
$ trustm_ecc_sign -k 0xe0f3 -o testsignature.bin -i helloworld.txt -H
(*)
$ trustm_ecc_verify -i helloworld.txt -s testsignature.bin -k 0xe0e3 -H
(*) In preparation before executing trustm_ecc_verify, an error occurs when creating a certificate using the key of OID 0xE0E3 and it cannot be created. Is there a mistake in my procedure?
Generate CSR of ECC 256bit
$ openssl req -keyform engine -engine trustm_engine -key 0xe0f3:*:NEW:0x03:0x13 -new -out test_e0f3.csr -verify
engine "trustm_engine" set.
**Failed to write value! Erro code = 1, fd = 3**
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <Enter>
State or Province Name (full name) [Some-State]:xxx<Enter>
Locality Name (eg, city) []:<Enter>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxx<Enter>
Organizational Unit Name (eg, section) []:xxx<Enter>
Common Name (e.g. server FQDN or YOUR name) []:<Enter>
Email Address []:<Enter>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<Enter>
An optional company name []:<Enter>
**Failed to write value! Erro code = 1, fd = 3**
verify OK
$ ls
helloworld.txt test_e0f3.csr test_e0f3_pub.pem test_signature_e0f3.bin
Created CSR file, and I executed the following command to create a certificate.
$ openssl x509 -req -days 3650 -signkey test_e0f3.key < test_e0f3.csr > test_e0f3.crt
Signature ok
subject=C = AU, ST = xxx, L = xxx, O = xxx
Getting Private key
Can't open test_e0f3.key for reading, No such file or directory
281473172436640:error:02001002:system library:fopen:No such file or
directory:../openssl-1.1.1d/crypto/bio/bss_file.c:69:fopen('test_e0f3.key','r')
281473172436640:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1d/crypto/bio/bss_file.c:76:
unable to load Private key
Question: (1) Generate CSR of ECC 256bit The following log is output. "Failed to write value! Erro code = 1, fd = 3" This log looks like a log in trustm_lib/pal/linux/pal_gpio.c, is there a problem?
(2) What is the cause of the certificate creation failure? What are the steps to create a certificate using a TrustM key?
(3) I was looking into the source code and was curious about the following: https://github.com/Infineon/cli-optiga-trust-m/blob/development_v3/trustm_engine/trustm_engine_ec.c L.270 L.277 L.501 Is "+" correct?
@yoshi-ohta
For Question (1), Generate CSR of ECC 256bit: the openssl command you are using should work. Please run the "git submodule update -f" command under branch development_v3 to update trustm_lib to the latest library version and try again.
Please refer to our script for ECC256 sign and verify:
$ echo "---->Generate csr for ECC256 using trustm Engine"
$ openssl req -keyform engine -engine trustm_engine -key 0xe0f3:^:NEW:0x03:0x13 -new -out test_e0f3.csr -verify
$ echo "---->Generate certificate using trustm Engine"
$ openssl x509 -req -in test_e0f3.csr -CA OPTIGA_Trust_M_Infineon_Test_CA.pem -CAkey OPTIGA_Trust_M_Infineon_Test_CA_Key.pem -CAcreateserial -out test_e0f3.pem -days 365 -sha256 -extfile openssl.cnf -extensions cert_ext1
$ echo "---->Write certificate into 0xe0e3"
$ trustm_cert -w 0xe0e3 -i test_e0f3.pem
$ trustm_ecc_sign -k 0xe0f3 -o testsignature.bin -i helloworld.txt -H
$ trustm_ecc_verify -i helloworld.txt -s testsignature.bin -k 0xe0e3 -H
Test CA we are using in the script can be found inside the folder /cli-optiga-trust-m/scripts/certificates
Please Let us know whether this script can work properly at your side. Thanks.
For Question(3), We will delete "+" from trustm_engine_ec.c.
@ying-css
Thank you for answering!! I have confirmed the operation and have some questions (Q.1-5). Please confirm.
For Question(1)Generate CSR of ECC 256bit, the openssl command you are using should work. Please run "git submodule update -f" command under branch development_v3 to update trustm_lib to the latest library version and try again.
I'm sorry I couldn't explain. In my environment, I replaced trustm_lib with a source based on the v3_v3.00.2490-ghr tag of optiga-trustm. The reason I replaced it was because I thought that the one with the v3_v3.00.2490-ghr tag was the latest library of v3.
However, when I followed the steps I was taught, the version of trustm_lib became Ver 3.00.2484. (Checked in "trustm_lib / optiga / include / optiga / optiga_lib_version.h")
Q.1 Was my perception of the latest library wrong?
Q.2 I'm sorry, but I can't check it right away because I don't have the environment at hand. Should I check with library v3.00.2484? I'll check next week if necessary. By the way, I tried it with the latest source of optiga-trustm(tustm_m1_m3 branch), but it has the same behavior.
Please refer to our script for ECC256 sign and verify:
I was able to confirm that it can work with the script I was taught. Thank you.
I have some questions about the command.
Q.3
$ openssl req -keyform engine -engine trustm_engine -key 0xe0f3:^:NEW:0x03:0x13 -new -out test_e0f3.csr -verify
The "NEW" description in the Readme states that a key pair will be generated. Will the key created by trustm_ecc_keygen be updated? Also, is it always set with "NEW"?
Q.4
$ openssl x509 -req -in test_e0f3.csr -CA OPTIGA_Trust_M_Infineon_Test_CA.pem -CAkey OPTIGA_Trust_M_Infineon_Test_CA_Key.pem -CAcreateserial -out test_e0f3.pem -days 365 -sha256 -extfile openssl.cnf -extensions cert_ext1
Are the following options parameters that depend on the format of the CA certificate? "-sha256 -extfile openssl.cnf -extensions cert_ext1"
For Question(3), We will delete "+" from trustm_engine_ec.c. Thank you for confirmation.
Q.5 Please also check the very first question 3 in this thread.
https://github.com/Infineon/cli-optiga-trust-m/blob/development_v3/linux_example/trustm_symmetric_dec.c L.250 I think the following is correct. trustmwriteTo(message, messagelen, outFile);
@yoshi-ohta For Q1, the latest library version is Ver 3.00.2490. If you run the "git submodule update -f" command under branch development_v3 to update trustm_lib, the version of trustm_lib will be Ver 3.00.2484. Both libraries can work with our CLI. Before compiling the code, please make sure the reset type is set to software reset as follows in the header file at "cli-optiga-trust-m/trustm_lib/optiga/include/optiga/"
optiga_lib_config_m_v3.h for OPTIGA™ Trust M3 or optiga_lib_config_m_v1.h for OPTIGA™ Trust M1
#define OPTIGA_COMMS_DEFAULT_RESET_TYPE (1U)
For Q3,
Yes, if you run this openssl command, the key created by trustm_ecc_keygen will be updated. It is not always set as "NEW". If you want to use the key created before, you can run the command below to generate a CSR.
openssl req -keyform engine -engine trustm_engine -key 0xe0f3:*::: -new -out test_e0f3.csr -subj /CN=trustm
For Q4,
Yes. "-extfile openssl.cnf -extensions cert_ext1" are optional, for custom extensions. They are options that depend on the format of the CA certificate.
-sha256 is optional and is used to select the sha256 hash function
You can run
openssl x509 -req -help
to check all the options.
-extfile infile File with X509V3 extensions to add
-extensions val Section from config file to use
For Q5, Thank you very much for spotting this. :) I already updated this part on github.
@ying-css
For Q1, the latest library version is Ver 3.00.2490. If you run the "git submodule update -f" command under branch development_v3 to update trustm_lib, the version of trustm_lib will be Ver 3.00.2484. Both libraries can work with our CLI. Before compiling the code, please make sure the reset type is set to software reset as follows in the header file at "cli-optiga-trust-m/trustm_lib/optiga/include/optiga/"
optiga_lib_config_m_v3.h for OPTIGA™ Trust M3 or optiga_lib_config_m_v1.h for OPTIGA™ Trust M1
#define OPTIGA_COMMS_DEFAULT_RESET_TYPE (1U)
I got it about library version. About changing the setting of OPTIGA_COMMS_DEFAULT_RESET_TYPE. I modified optiga_lib_config_m_v3.h as follows:
I executed the trustm_* commands, and an error occurred. The openssl command also fails. Therefore, I thought this setting was wrong.
$ trustm_chipinfo
3346: Error in trustm_helper / trustm_helper.c: 1076 trustm_Open: Fail: optiga_util_open_application
3346: Error [0x0102]: OPTIGA comms API failed
$ openssl req -keyform engine -engine trustm_engine -key 0xe0f3:^:NEW:0x03:0x13 -new -out test_e0f3.csr -verify
engine "trustm_engine" set.
Error in trustm_engine/trustm_engine.c:358 trustmEngine_App_Open: Fail : optiga_util_open_application
3348:Error [0x0102] : OPTIGA comms API failed
3348:Error [0x0202] : OPTIGA command API failed
cannot load Private Key from engine
281473600673440:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../openssl-1.1.1d/crypto/engine/eng_pkey.c:78:
unable to load Private Key
For Q3, Q4, Q5
Thank you! I got it.
@yoshi-ohta
For Q1, I think the trustm IC sample you have should be still V1, so please modify optiga_lib_config_m_v1.h as follows:
#define OPTIGA_COMMS_DEFAULT_RESET_TYPE (1U)
But even with the wrong config file, after compiling and installing, the command below is still able to be executed successfully
$ ./bin/trustm_chipinfo
Unfortunately, I cannot replicate your errors at our side. Is it possible for you to download the whole package again (following the instructions listed as below)
git clone --recurse-submodules https://github.com/Infineon/cli-optiga-trust-m.git
cd cli-optiga-trust-m/
git checkout development_v3
git submodule update -f
Change the setting for optiga_lib_config_m_v1.h and try again? Thank you very much.
@ying-css
I am trying with TrustM IC (SLS 32AIA010MK) in our custom board. The result of trustm_chipinfo is as follows.
# trustm_chipinfo
Read Chip Info [0xE0C2]: Success.
========================================================
CIM Identifier [bCimIdentifer]: 0xcd
Platform Identifer [bPlatformIdentifier]: 0x16
Model Identifer [bModelIdentifier]: 0x33
ID of ROM mask [wROMCode]: 0x9401
Chip Type [rgbChipType]: 0x00 0x1c 0x00 0x01 0x00 0x00
Batch Number [rgbBatchNumber]: 0x0a 0x09 0xa4 0x13 0x00 0x0b
X-coordinate [wChipPositionX]: 0x0042
Y-coordinate [wChipPositionY]: 0x0078
Firmware Identifier [dwFirmwareIdentifier]: 0x80101071
Build Number [rgbESWBuild]: 24 40
Chip software build:
Unknown
========================================================
Is it V3 that the build number is 0x24, 0x40?
I checked the source and found that OPTIGA_LIB_EXTERNAL and OPTIGA_TRUST_M_V1 are not defined, so I think optiga_lib_config_m_v3.h is included. Regarding OPTIGA_COMMS_DEFAULT_RESET_TYPE, our custom board has an RST GPIO. There is no GPIO for VDD. I'm sorry I couldn't explain this earlier. Therefore, I think that 2U is the correct setting value. Is that correct?
The error log is only output when using trustm_engine called by openssl. If you are using trustm_helper such as trustm_chipinfo, there is no error log. Do you know anything about this difference?
I will try to recreate the git environment.
@yoshi-ohta
Yes, You are right. The sample you have is V3 since the build number is 0x24,0x40.
Yes, you can use 2U in your case. :)
So now trustm_chipinfo can work, but when you are using trustm_engine for openssl command, you will get this error:
Error in trustm_engine/trustm_engine.c:358 trustmEngine_App_Open: Fail : optiga_util_open_application
Am I right? Thanks.
@ying-css
I understand that I'm using a V3 chip. Regarding OPTIGA_COMMS_DEFAULT_RESET_TYPE, I checked the source code, and I thought that the behavior is the same whether the value is 0 or 2, because the GPIO PAL (trustm_lib/pal/linux/pal_gpio.c) checks the GPIO objects for NULL. Is my understanding correct?
The problem is that I get an error log when using the openssl command.
Failed to write value! Erro code = 1, fd = 3
The following example is when the CSR was created.
# openssl req -keyform engine -engine trustm_engine -key 0xe0f2:^:NEW:0x03:0x13 -new -out test_e0f2.csr -verify
engine "trustm_engine" set.
Failed to write value! Erro code = 1, fd = 3 <----- ERROR OCCURS
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Failed to write value! Erro code = 1, fd = 3 <----- ERROR OCCURS
verify OK
From the error message, the error comes from GPIOWrite() in trustm_lib/pal/linux/pal_gpio.c.
This function is also called when executing commands such as trustm_chipinfo, but then no error occurs. However, when called from openssl, an error occurs.
I am still expecting your response regarding this problem.
Hello @yoshi-ohta
you might get such messages when the program tries to trigger a GPIO without the required privileges. Can you please post the output of the following commands:
$ groups
$ cd <path_to_the_repo>/linux_examples
$ ls -al
@ayushev
Thank you for your answer. This is the command execution result. In addition, the OS of our custom board is running out of time.
~# groups
root
~/TrustM/linux_example# ls -l
total 1120
-rwxr-xr-x 1 root root    19136 Nov 12 07:33 simpleTest_Client
-rw-rw-r-- 1 1000 tracing  5281 Nov 12 07:33 simpleTest_Client.c
-rw-r--r-- 1 root root     8312 Nov 12 07:33 simpleTest_Client.o
-rwxr-xr-x 1 root root    24312 Nov 12 07:33 simpleTest_Server
-rw-rw-r-- 1 1000 tracing  8076 Nov 12 07:33 simpleTest_Server.c
-rw-r--r-- 1 root root    13488 Nov 12 07:33 simpleTest_Server.o
-rwxr-xr-x 1 root root    18256 Nov 12 07:33 trustm_cert
-rw-rw-r-- 1 1000 tracing 12727 Nov 12 07:33 trustm_cert.c
-rw-r--r-- 1 root root     9680 Nov 12 07:33 trustm_cert.o
-rwxr-xr-x 1 root root    17640 Nov 12 07:33 trustm_chipinfo
-rw-rw-r-- 1 1000 tracing  5784 Nov 12 07:33 trustm_chipinfo.c
-rw-r--r-- 1 root root     5776 Nov 12 07:33 trustm_chipinfo.o
-rwxr-xr-x 1 root root    18272 Nov 12 07:33 trustm_data
-rw-rw-r-- 1 1000 tracing 10548 Nov 12 07:33 trustm_data.c
-rw-r--r-- 1 root root     9224 Nov 12 07:33 trustm_data.o
-rwxr-xr-x 1 root root    22400 Nov 12 07:33 trustm_ecc_keygen
-rw-rw-r-- 1 1000 tracing 15377 Nov 12 07:33 trustm_ecc_keygen.c
-rw-r--r-- 1 root root    10976 Nov 12 07:33 trustm_ecc_keygen.o
-rwxr-xr-x 1 root root    18632 Nov 12 07:33 trustm_ecc_sign
-rw-rw-r-- 1 1000 tracing 11344 Nov 12 07:33 trustm_ecc_sign.c
-rw-r--r-- 1 root root     9128 Nov 12 07:33 trustm_ecc_sign.o
-rwxr-xr-x 1 root root    22600 Nov 12 07:33 trustm_ecc_verify
-rw-rw-r-- 1 1000 tracing 17096 Nov 12 07:33 trustm_ecc_verify.c
-rw-r--r-- 1 root root    13160 Nov 12 07:33 trustm_ecc_verify.o
-rwxr-xr-x 1 root root    13152 Nov 12 07:33 trustm_errorcode
-rw-rw-r-- 1 1000 tracing   692 Nov 12 07:33 trustm_errorcode.c
-rw-r--r-- 1 root root     1928 Nov 12 07:33 trustm_errorcode.o
-rwxr-xr-x 1 root root    18168 Nov 12 07:33 trustm_hkdf
-rw-rw-r-- 1 1000 tracing 10101 Nov 12 07:33 trustm_hkdf.c
-rw-r--r-- 1 root root     8920 Nov 12 07:33 trustm_hkdf.o
-rwxr-xr-x 1 root root    18168 Nov 12 07:33 trustm_hmac
-rw-rw-r-- 1 1000 tracing  8745 Nov 12 07:33 trustm_hmac.c
-rw-r--r-- 1 root root     8152 Nov 12 07:33 trustm_hmac.o
-rwxr-xr-x 1 root root    22704 Nov 12 07:33 trustm_metadata
-rw-rw-r-- 1 1000 tracing 20936 Nov 12 07:33 trustm_metadata.c
-rw-r--r-- 1 root root    15960 Nov 12 07:33 trustm_metadata.o
-rwxr-xr-x 1 root root    18200 Nov 12 07:33 trustm_monotonic_counter
-rw-rw-r-- 1 1000 tracing 12707 Nov 12 07:33 trustm_monotonic_counter.c
-rw-r--r-- 1 root root     9224 Nov 12 07:33 trustm_monotonic_counter.o
-rwxr-xr-x 1 root root    18040 Nov 12 07:33 trustm_read_data
-rw-rw-r-- 1 1000 tracing  6449 Nov 12 07:33 trustm_read_data.c
-rw-r--r-- 1 root root     4944 Nov 12 07:33 trustm_read_data.o
-rwxr-xr-x 1 root root    18040 Nov 12 07:33 trustm_read_status
-rw-rw-r-- 1 1000 tracing  6147 Nov 12 07:33 trustm_read_status.c
-rw-r--r-- 1 root root     4960 Nov 12 07:33 trustm_read_status.o
-rwxr-xr-x 1 root root    18112 Nov 12 07:33 trustm_readmetadata_data
-rw-rw-r-- 1 1000 tracing  6348 Nov 12 07:33 trustm_readmetadata_data.c
-rw-r--r-- 1 root root     5160 Nov 12 07:33 trustm_readmetadata_data.o
-rwxr-xr-x 1 root root    18120 Nov 12 07:33 trustm_readmetadata_private
-rw-rw-r-- 1 1000 tracing  6076 Nov 12 07:33 trustm_readmetadata_private.c
-rw-r--r-- 1 root root     5048 Nov 12 07:33 trustm_readmetadata_private.o
-rwxr-xr-x 1 root root    18120 Nov 12 07:33 trustm_readmetadata_status
-rw-rw-r-- 1 1000 tracing  6568 Nov 12 07:33 trustm_readmetadata_status.c
-rw-r--r-- 1 root root     5064 Nov 12 07:33 trustm_readmetadata_status.o
-rwxr-xr-x 1 root root    18192 Nov 12 07:33 trustm_rsa_dec
-rw-rw-r-- 1 1000 tracing  8167 Nov 12 07:33 trustm_rsa_dec.c
-rw-r--r-- 1 root root     6904 Nov 12 07:33 trustm_rsa_dec.o
-rwxr-xr-x 1 root root    18288 Nov 12 07:33 trustm_rsa_enc
-rw-rw-r-- 1 1000 tracing 12219 Nov 12 07:33 trustm_rsa_enc.c
-rw-r--r-- 1 root root     9648 Nov 12 07:33 trustm_rsa_enc.o
-rwxr-xr-x 1 root root    18304 Nov 12 07:33 trustm_rsa_keygen
-rw-rw-r-- 1 1000 tracing 11635 Nov 12 07:33 trustm_rsa_keygen.c
-rw-r--r-- 1 root root     9408 Nov 12 07:33 trustm_rsa_keygen.o
-rwxr-xr-x 1 root root    18456 Nov 12 07:33 trustm_rsa_sign
-rw-rw-r-- 1 1000 tracing 13360 Nov 12 07:33 trustm_rsa_sign.c
-rw-r--r-- 1 root root    10168 Nov 12 07:33 trustm_rsa_sign.o
-rwxr-xr-x 1 root root    22600 Nov 12 07:33 trustm_rsa_verify
-rw-rw-r-- 1 1000 tracing 16424 Nov 12 07:33 trustm_rsa_verify.c
-rw-r--r-- 1 root root    12952 Nov 12 07:33 trustm_rsa_verify.o
-rwxr-xr-x 1 root root    18192 Nov 12 07:33 trustm_symmetric_dec
-rw-rw-r-- 1 1000 tracing  9999 Nov 12 07:33 trustm_symmetric_dec.c
-rw-r--r-- 1 root root     7896 Nov 12 07:33 trustm_symmetric_dec.o
-rwxr-xr-x 1 root root    18192 Nov 12 07:33 trustm_symmetric_enc
-rw-rw-r-- 1 1000 tracing  9913 Nov 12 07:33 trustm_symmetric_enc.c
-rw-r--r-- 1 root root     8024 Nov 12 07:33 trustm_symmetric_enc.o
-rwxr-xr-x 1 root root    18008 Nov 12 07:33 trustm_symmetric_keygen
-rw-rw-r-- 1 1000 tracing  7350 Nov 12 07:33 trustm_symmetric_keygen.c
-rw-r--r-- 1 root root     6144 Nov 12 07:33 trustm_symmetric_keygen.o
Is it working correctly even though this error appears? Also, I have collected the log with the debug logging of trustm_engine and trustm_lib enabled, so I will attach it. Can you check it?
[2021-02-06 01:15:03.131] root@imx8mmevk:~/TrustM# openssl req -keyform engine -engine trustm_engine -key 0xe0f2:^:NEW:0x03:0x13 -new -outt test_e0f2.csr -verify [2021-02-06 01:15:07.699] 5353:trustm_engine/trustm_engine.c:1033 bind: > [2021-02-06 01:15:07.699] 5353:trustm_engine/trustm_engine.c:962 engine_init: > Engine 0x268cb5e0 init [2021-02-06 01:15:07.703] 5353:trustm_engine/trustm_engine.c:965 engine_init: Initializing [2021-02-06 01:15:07.703] 5353:trustm_engine/trustm_engine.c:235 trustmEngine_Open: > [2021-02-06 01:15:07.897] 5353:trustm_engine/trustm_engine.c:250 trustmEngine_Open: TrustM util instance created. [2021-02-06 01:15:07.899] [2021-02-06 01:15:07.899] 5353:trustm_engine/trustm_engine.c:260 trustmEngine_Open: TrustM crypt instance created. [2021-02-06 01:15:07.899] [2021-02-06 01:15:07.899] 5353:trustm_engine/trustm_engine.c:261 trustmEngine_Open: TrustM Open. [2021-02-06 01:15:07.899] [2021-02-06 01:15:07.899] 5353:trustm_engine/trustm_engine.c:265 trustmEngine_Open: < [2021-02-06 01:15:07.902] 5353:trustm_engine/trustm_engine_rand.c:68 trustmEngine_init_rand: > [2021-02-06 01:15:07.902] 5353:trustm_engine/trustm_engine_rand.c:72 trustmEngine_init_rand: < [2021-02-06 01:15:07.902] 5353:trustm_engine/trustm_engine_rsa.c:653 trustmEngine_init_rsa: > [2021-02-06 01:15:07.902] 5353:trustm_engine/trustm_engine_rsa.c:682 trustmEngine_init_rsa: < [2021-02-06 01:15:07.902] 5353:trustm_engine/trustm_engine_ec.c:583 trustmEngine_init_ec: > [2021-02-06 01:15:07.902] 5353:trustm_engine/trustm_engine_ec.c:605 trustmEngine_init_ec: < [2021-02-06 01:15:07.902] 5353:trustm_engine/trustm_engine.c:1025 engine_init: < [2021-02-06 01:15:07.902] 5353:trustm_engine/trustm_engine.c:1087 bind: < [2021-02-06 01:15:07.906] engine "trustm_engine" set. 
[2021-02-06 01:15:07.906] 5353:trustm_engine/trustm_engine.c:817 engine_load_privkey: > key_id : 0xe0f2:^:NEW:0x03:0x13 [2021-02-06 01:15:07.907] 5353:trustm_engine/trustm_engine.c:540 parseKeyParams: > [2021-02-06 01:15:07.907] 5353:trustm_engine/trustm_engine.c:279 trustmEngine_App_Open: > [2021-02-06 01:15:07.910] 5353:trustm_engine/trustm_engine.c:143 __trustmEngine_ipcInit: Shared memory segment exists - opening as client [2021-02-06 01:15:07.915] 5353:trustm_engine/trustm_engine.c:296 trustmEngine_App_Open: Check if TrustM Open:queue 0:current:5353:Delay 10 [2021-02-06 01:15:07.917] 5353:trustm_engine/trustm_engine.c:300 trustmEngine_App_Open: Resource seized by 5353 [2021-02-06 01:15:07.917] 5353:trustm_engine/trustm_engine.c:324 trustmEngine_App_Open: Lock queue 5353 [2021-02-06 01:15:07.917] 5353:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore [2021-02-06 01:15:07.917] [2021-02-06 01:15:07.917] pal_loger_write : [optiga util] : optiga_util_open_application [2021-02-06 01:15:07.917] pal_loger_write : [2021-02-06 01:15:07.917] [2021-02-06 01:15:07.918] pal_loger_write : [optiga cmd] : optiga_cmd_open_application [2021-02-06 01:15:07.918] pal_loger_write : [2021-02-06 01:15:07.920] [2021-02-06 01:15:07.920] 5353:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting... [2021-02-06 01:15:07.935] pal_loger_write : [optiga cmd] : Sending open app command... 
[2021-02-06 01:15:07.935] pal_loger_write : [2021-02-06 01:15:07.937] [2021-02-06 01:15:07.937] pal_loger_write : [optiga comms] : >>>> [2021-02-06 01:15:07.937] pal_loger_write : [2021-02-06 01:15:07.937] [2021-02-06 01:15:07.937] pal_loger_write : Length of data - 0x001B [2021-02-06 01:15:07.937] pal_loger_write : [2021-02-06 01:15:07.937] [2021-02-06 01:15:07.937] pal_loger_write : 03 00 16 08 20 F0 00 00 10 D2 76 00 00 04 47 65 6E 41 75 74 68 41 70 70 6C BE 40 [2021-02-06 01:15:07.937] [2021-02-06 01:15:07.959] pal_loger_write : [optiga comms] : <<<< [2021-02-06 01:15:07.960] pal_loger_write : [2021-02-06 01:15:07.960] [2021-02-06 01:15:07.960] pal_loger_write : Length of data - 0x000B [2021-02-06 01:15:07.960] pal_loger_write : [2021-02-06 01:15:07.960] [2021-02-06 01:15:07.962] pal_loger_write : 00 00 06 08 20 00 00 00 00 19 04 [2021-02-06 01:15:07.962] [2021-02-06 01:15:07.962] pal_loger_write : [optiga cmd] : Processing response for open app command... [2021-02-06 01:15:07.962] pal_loger_write : [2021-02-06 01:15:07.966] [2021-02-06 01:15:07.966] pal_loger_write : [optiga cmd] : Response of open app command is processed... [2021-02-06 01:15:07.966] pal_loger_write : [2021-02-06 01:15:07.966] [2021-02-06 01:15:07.966] 5353:trustm_engine/trustm_engine.c:353 ++done. 
[2021-02-06 01:15:07.966] 5353:trustm_engine/trustm_engine.c:397 trustmEngine_App_Open: Success : optiga_util_open_application
[2021-02-06 01:15:07.972] 5353:trustm_engine/trustm_engine.c:400 trustmEngine_App_Open: <
[2021-02-06 01:15:07.972] 5353:trustm_engine/trustm_engine.c:582 parseKeyParams: ---> token [0] = 0xe0f2
[2021-02-06 01:15:07.972] pal_loger_write : [optiga util] : optiga_util_read_metadata
[2021-02-06 01:15:07.972] pal_loger_write : [optiga cmd] : optiga_cmd_get_data_object
[2021-02-06 01:15:07.972] pal_loger_write : [optiga cmd] : Sending read data command...
[2021-02-06 01:15:07.972] pal_loger_write : [optiga comms] : >>>>
[2021-02-06 01:15:07.983] pal_loger_write : Length of data - 0x000D
[2021-02-06 01:15:07.983] pal_loger_write : 04 00 08 08 20 81 01 00 02 E0 F2 ED D1
[2021-02-06 01:15:07.983] pal_loger_write : [optiga comms] : <<<<
[2021-02-06 01:15:07.983] pal_loger_write : Length of data - 0x001E
[2021-02-06 01:15:07.983] pal_loger_write : 05 00 19 08 20 00 00 00 13 20 11 C0 01 01 D0 03 E1 FC 07 D3 01 00 E0 01 03 E1 01 13 91 E4
[2021-02-06 01:15:07.983] pal_loger_write : [optiga cmd] : Processing response for read data command...
[2021-02-06 01:15:07.983] pal_loger_write : [optiga cmd] : Response of read data command is processed...
[2021-02-06 01:15:07.983] 5353:trustm_engine/trustm_engine.c:737 parseKeyParams: found NEW
[2021-02-06 01:15:07.983] pal_loger_write : [optiga util] : optiga_util_close_application
[2021-02-06 01:15:07.983] pal_loger_write : [optiga cmd] : optiga_cmd_close_application
[2021-02-06 01:15:07.988] pal_loger_write : [optiga cmd] : Sending close app command..
[2021-02-06 01:15:07.988] pal_loger_write : [optiga comms] : >>>>
[2021-02-06 01:15:07.988] pal_loger_write : Length of data - 0x000B
[2021-02-06 01:15:07.988] pal_loger_write : 09 00 06 08 20 F1 00 00 00 40 A3
[2021-02-06 01:15:07.995] pal_loger_write : [optiga comms] : <<<<
[2021-02-06 01:15:07.995] pal_loger_write : Length of data - 0x000B
[2021-02-06 01:15:07.995] pal_loger_write : 0A 00 06 08 20 00 00 00 00 FD 34
[2021-02-06 01:15:07.995] pal_loger_write : [optiga cmd] : Processing response for close app command...
[2021-02-06 01:15:07.995] pal_loger_write : [optiga cmd] : Response of close app command is processed...
[2021-02-06 01:15:07.995] 5353:trustm_engine/trustm_engine.c:502 trustmEngine_App_Close: Success : optiga_util_close_application
[2021-02-06 01:15:08.023] 5353:trustm_engine/trustm_engine.c:513 trustmEngine_App_Close: <
[2021-02-06 01:15:08.025] 5353:trustm_engine/trustm_engine.c:756 parseKeyParams: <
[2021-02-06 01:15:08.025] 5353:trustm_engine/trustm_engine.c:827 engine_load_privkey: KEY_OID : 0xe0f2
[2021-02-06 01:15:08.025] 5353:trustm_engine/trustm_engine.c:828 engine_load_privkey: Pubkey :
[2021-02-06 01:15:08.025] 5353:trustm_engine/trustm_engine.c:829 engine_load_privkey: PubkeyLen : 0
[2021-02-06 01:15:08.025] 5353:trustm_engine/trustm_engine.c:830 engine_load_privkey: PubkeyHeader : 0
[2021-02-06 01:15:08.025] 5353:trustm_engine/trustm_engine.c:831 engine_load_privkey: PubkeyStore : 0xF1D2
[2021-02-06 01:15:08.025] 5353:trustm_engine/trustm_engine.c:833 engine_load_privkey: RSA key type : 0x00
[2021-02-06 01:15:08.025] 5353:trustm_engine/trustm_engine.c:834 engine_load_privkey: RSA key usage : 0x00
[2021-02-06 01:15:08.025] 5353:trustm_engine/trustm_engine.c:835 engine_load_privkey: RSA key flag : 0x02
[2021-02-06 01:15:08.027] 5353:trustm_engine/trustm_engine.c:837 engine_load_privkey: EC key type : 0x03
[2021-02-06 01:15:08.027] 5353:trustm_engine/trustm_engine.c:838 engine_load_privkey: EC key usage : 0x13
[2021-02-06 01:15:08.027] 5353:trustm_engine/trustm_engine.c:839 engine_load_privkey: EC key flag : 0x03
[2021-02-06 01:15:08.027] 5353:trustm_engine/trustm_engine_ec.c:408 trustm_ec_loadkey: >
[2021-02-06 01:15:08.029] 5353:trustm_engine/trustm_engine_ec.c:189 trustm_ec_generatekey: >
[2021-02-06 01:15:08.029] 5353:trustm_engine/trustm_engine.c:279 trustmEngine_App_Open: >
[2021-02-06 01:15:08.043] 5353:trustm_engine/trustm_engine.c:296 trustmEngine_App_Open: Check if TrustM Open:queue 0:current:5353:Delay 10
[2021-02-06 01:15:08.051] 5353:trustm_engine/trustm_engine.c:300 trustmEngine_App_Open: Resource seized by 5353
[2021-02-06 01:15:08.051] 5353:trustm_engine/trustm_engine.c:324 trustmEngine_App_Open: Lock queue 5353
[2021-02-06 01:15:08.051] 5353:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore
[2021-02-06 01:15:08.051] pal_loger_write : [optiga util] : optiga_util_open_application
[2021-02-06 01:15:08.051] pal_loger_write : [optiga cmd] : optiga_cmd_open_application
[2021-02-06 01:15:08.051] 5353:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
[2021-02-06 01:15:08.051] Failed to write value! Erro code = 1, fd = 3
[2021-02-06 01:15:08.063] pal_loger_write : [optiga cmd] : Sending open app command...
[2021-02-06 01:15:08.063] pal_loger_write : [optiga comms] : >>>>
[2021-02-06 01:15:08.063] pal_loger_write : Length of data - 0x001B
[2021-02-06 01:15:08.063] pal_loger_write : 03 00 16 08 20 F0 00 00 10 D2 76 00 00 04 47 65 6E 41 75 74 68 41 70 70 6C BE 40
[2021-02-06 01:15:08.084] pal_loger_write : [optiga comms] : <<<<
[2021-02-06 01:15:08.086] pal_loger_write : Length of data - 0x000B
[2021-02-06 01:15:08.091] pal_loger_write : 00 00 06 08 20 00 00 00 00 19 04
[2021-02-06 01:15:08.091] pal_loger_write : [optiga cmd] : Processing response for open app command...
[2021-02-06 01:15:08.098] pal_loger_write : [optiga cmd] : Response of open app command is processed...
[2021-02-06 01:15:08.098] 5353:trustm_engine/trustm_engine.c:353 ++done.
[2021-02-06 01:15:08.098] 5353:trustm_engine/trustm_engine.c:397 trustmEngine_App_Open: Success : optiga_util_open_application
[2021-02-06 01:15:08.098] 5353:trustm_engine/trustm_engine.c:400 trustmEngine_App_Open: <
[2021-02-06 01:15:08.098] pal_loger_write : [optiga crypt] : optiga_crypt_ecc_generate_keypair
[2021-02-06 01:15:08.098] pal_loger_write : [optiga cmd] : optiga_cmd_gen_keypair
[2021-02-06 01:15:08.098] pal_loger_write : [optiga cmd] : Sending generate keypair command..
[2021-02-06 01:15:08.098] pal_loger_write : [optiga comms] : >>>>
[2021-02-06 01:15:08.098] pal_loger_write : Length of data - 0x0014
[2021-02-06 01:15:08.098] pal_loger_write : 04 00 0F 08 20 B8 03 00 09 01 00 02 E0 F2 02 00 01 13 58 70
[2021-02-06 01:15:08.230] pal_loger_write : [optiga comms] : <<<<
[2021-02-06 01:15:08.241] pal_loger_write : Length of data - 0x0052
[2021-02-06 01:15:08.241] pal_loger_write : 05 00 4D 08 20 00 00 00 47 02 00 44 03 42 00 04 77 A8 FA 83 60 B0 42 52 29 D7 23 CF 22 BC 57 98
[2021-02-06 01:15:08.241] pal_loger_write : 2E D0 DC 9B F8 A0 03 2A 81 49 82 2E D6 E9 F3 66 E3 2D 93 28 FA 3D 23 43 01 EA B9 D4 85 A1 68 62
[2021-02-06 01:15:08.241] pal_loger_write : 63 AE E6 E8 03 67 44 5E AC FD FC A0 53 F7 42 D2 F6 A5
[2021-02-06 01:15:08.241] pal_loger_write : [optiga cmd] : Processing response for generate keypair command...
[2021-02-06 01:15:08.241] pal_loger_write : [optiga cmd] : Response of generate keypair command is processed...
[2021-02-06 01:15:08.263] 5353:trustm_engine/trustm_engine_ec.c:271 trustm_ec_generatekey: Save Pubkey to : 0xF1D2
[2021-02-06 01:15:08.263] pal_loger_write : [optiga util] : optiga_util_write_data
[2021-02-06 01:15:08.263] pal_loger_write : [optiga cmd] : optiga_cmd_set_data_object
[2021-02-06 01:15:08.263] pal_loger_write : [optiga cmd] : Sending set data command...
[2021-02-06 01:15:08.263] pal_loger_write : [optiga comms] : >>>>
[2021-02-06 01:15:08.263] pal_loger_write : Length of data - 0x006A
[2021-02-06 01:15:08.263] pal_loger_write : 09 00 65 08 20 82 40 00 5F F1 D2 00 00 30 59 30 13 06 07 2A 86 48 CE 3D 02 01 06 08 2A 86 48 CE
[2021-02-06 01:15:08.263] pal_loger_write : 3D 03 01 07 03 42 00 04 77 A8 FA 83 60 B0 42 52 29 D7 23 CF 22 BC 57 98 2E D0 DC 9B F8 A0 03 2A
[2021-02-06 01:15:08.263] pal_loger_write : 81 49 82 2E D6 E9 F3 66 E3 2D 93 28 FA 3D 23 43 01 EA B9 D4 85 A1 68 62 63 AE E6 E8 03 67 44 5E
[2021-02-06 01:15:08.263] pal_loger_write : AC FD FC A0 53 F7 42 D2 91 34
[2021-02-06 01:15:08.274] pal_loger_write : [optiga comms] : <<<<
[2021-02-06 01:15:08.275] pal_loger_write : Length of data - 0x000B
[2021-02-06 01:15:08.275] pal_loger_write : 0A 00 06 08 20 00 00 00 00 FD 34
[2021-02-06 01:15:08.280] pal_loger_write : [optiga cmd] : Processing response for set data command...
[2021-02-06 01:15:08.280] pal_loger_write : [optiga cmd] : Response of set data command is processed...
[2021-02-06 01:15:08.280] 5353:trustm_engine/trustm_engine_ec.c:298 trustm_ec_generatekey: Write Success
[2021-02-06 01:15:08.280] pal_loger_write : [optiga util] : optiga_util_close_application
[2021-02-06 01:15:08.280] pal_loger_write : [optiga cmd] : optiga_cmd_close_application
[2021-02-06 01:15:08.280] pal_loger_write : [optiga cmd] : Sending close app command..
[2021-02-06 01:15:08.282] pal_loger_write : [optiga comms] : >>>>
[2021-02-06 01:15:08.282] pal_loger_write : Length of data - 0x000B
[2021-02-06 01:15:08.282] pal_loger_write : 0E 00 06 08 20 F1 00 00 00 A9 41
[2021-02-06 01:15:08.289] pal_loger_write : [optiga comms] : <<<<
[2021-02-06 01:15:08.289] pal_loger_write : Length of data - 0x000B
[2021-02-06 01:15:08.293] pal_loger_write : 0F 00 06 08 20 00 00 00 00 8F 2C
[2021-02-06 01:15:08.293] pal_loger_write : [optiga cmd] : Processing response for close app command...
[2021-02-06 01:15:08.293] pal_loger_write : [optiga cmd] : Response of close app command is processed...
[2021-02-06 01:15:08.293] 5353:trustm_engine/trustm_engine.c:502 trustmEngine_App_Close: Success : optiga_util_close_application
[2021-02-06 01:15:08.319] 5353:trustm_engine/trustm_engine.c:513 trustmEngine_App_Close: <
[2021-02-06 01:15:08.320] 5353:trustm_engine/trustm_engine_ec.c:319 trustm_ec_generatekey: <
[2021-02-06 01:15:08.326] 5353:trustm_engine/trustm_engine_ec.c:463 trustm_ec_loadkey: <
[2021-02-06 01:15:08.326] 5353:trustm_engine/trustm_engine.c:870 engine_load_privkey: <
[2021-02-06 01:15:08.326] You are about to be asked to enter information that will be incorporated
[2021-02-06 01:15:08.328] into your certificate request.
[2021-02-06 01:15:08.328] What you are about to enter is what is called a Distinguished Name or a DN.
[2021-02-06 01:15:08.328] There are quite a few fields but you can leave some blank
[2021-02-06 01:15:08.328] For some fields there will be a default value,
[2021-02-06 01:15:08.328] If you enter '.', the field will be left blank.
[2021-02-06 01:15:08.328] -----
[2021-02-06 01:15:08.328] Country Name (2 letter code) [AU]:
[2021-02-06 01:15:11.375] State or Province Name (full name) [Some-State]:
[2021-02-06 01:15:11.835] Locality Name (eg, city) []:
[2021-02-06 01:15:12.261] Organization Name (eg, company) [Internet Widgits Pty Ltd]:
[2021-02-06 01:15:12.726] Organizational Unit Name (eg, section) []:
[2021-02-06 01:15:13.176] Common Name (e.g. server FQDN or YOUR name) []:
[2021-02-06 01:15:13.605] Email Address []:
[2021-02-06 01:15:14.042] Please enter the following 'extra' attributes
[2021-02-06 01:15:14.042] to be sent with your certificate request
[2021-02-06 01:15:14.042] A challenge password []:
[2021-02-06 01:15:15.014] An optional company name []:
[2021-02-06 01:15:15.482] 5353:trustm_engine/trustm_engine_ec.c:482 trustm_ecdsa_sign: >
[2021-02-06 01:15:15.482] 5353:trustm_engine/trustm_engine_ec.c:483 trustm_ecdsa_sign: oid : 0xe0f2
[2021-02-06 01:15:15.482] 5353:trustm_engine/trustm_engine_ec.c:484 trustm_ecdsa_sign: dgst len : 32
[2021-02-06 01:15:15.482] 5353:trustm_engine/trustm_engine.c:279 trustmEngine_App_Open: >
[2021-02-06 01:15:15.495] 5353:trustm_engine/trustm_engine.c:296 trustmEngine_App_Open: Check if TrustM Open:queue 0:current:5353:Delay 10
[2021-02-06 01:15:15.495] 5353:trustm_engine/trustm_engine.c:300 trustmEngine_App_Open: Resource seized by 5353
[2021-02-06 01:15:15.495] 5353:trustm_engine/trustm_engine.c:324 trustmEngine_App_Open: Lock queue 5353
[2021-02-06 01:15:15.495] 5353:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore
[2021-02-06 01:15:15.495] pal_loger_write : [optiga util] : optiga_util_open_application
[2021-02-06 01:15:15.495] pal_loger_write : [optiga cmd] : optiga_cmd_open_application
[2021-02-06 01:15:15.495] 5353:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
[2021-02-06 01:15:15.495] Failed to write value! Erro code = 1, fd = 3
[2021-02-06 01:15:15.509] pal_loger_write : [optiga cmd] : Sending open app command...
[2021-02-06 01:15:15.511] pal_loger_write : [optiga comms] : >>>>
[2021-02-06 01:15:15.512] pal_loger_write : Length of data - 0x001B
[2021-02-06 01:15:15.512] pal_loger_write : 03 00 16 08 20 F0 00 00 10 D2 76 00 00 04 47 65 6E 41 75 74 68 41 70 70 6C BE 40
[2021-02-06 01:15:15.532] pal_loger_write : [optiga comms] : <<<<
[2021-02-06 01:15:15.534] pal_loger_write : Length of data - 0x000B
[2021-02-06 01:15:15.535] pal_loger_write : 00 00 06 08 20 00 00 00 00 19 04
[2021-02-06 01:15:15.539] pal_loger_write : [optiga cmd] : Processing response for open app command...
[2021-02-06 01:15:15.539] pal_loger_write : [optiga cmd] : Response of open app command is processed...
[2021-02-06 01:15:15.546] 5353:trustm_engine/trustm_engine.c:353 ++done.
[2021-02-06 01:15:15.546] 5353:trustm_engine/trustm_engine.c:397 trustmEngine_App_Open: Success : optiga_util_open_application
[2021-02-06 01:15:15.546] 5353:trustm_engine/trustm_engine.c:400 trustmEngine_App_Open: <
[2021-02-06 01:15:15.546] pal_loger_write : [optiga crypt] : optiga_crypt_ecdsa_sign
[2021-02-06 01:15:15.546] pal_loger_write : [optiga cmd] : optiga_cmd_calc_sign
[2021-02-06 01:15:15.546] pal_loger_write : [optiga cmd] : Sending calculate sign command..
[2021-02-06 01:15:15.546] pal_loger_write : [optiga comms] : >>>>
[2021-02-06 01:15:15.546] pal_loger_write : Length of data - 0x0033
[2021-02-06 01:15:15.548] pal_loger_write : 04 00 2E 08 20 B1 11 00 28 01 00 20 EF C6 5D 0D 64 52 3E A4 85 87 DF 09 8D 8D 45 56 03 14 D7 82
[2021-02-06 01:15:15.548] pal_loger_write : DD 3B F4 D3 1C 75 AD 5F FB 42 4F 37 03 00 02 E0 F2 0A AB
[2021-02-06 01:15:15.674] pal_loger_write : [optiga comms] : <<<<
[2021-02-06 01:15:15.677] pal_loger_write : Length of data - 0x0050
[2021-02-06 01:15:15.677] pal_loger_write : 05 00 4B 08 20 00 00 00 45 02 21 00 E5 E6 45 BF 17 24 98 E3 B6 89 50 59 81 A8 9A 13 1F E6 5F 20
[2021-02-06 01:15:15.677] pal_loger_write : 19 7F 8A A4 62 A5 AF 44 07 12 F7 07 02 20 30 D4 8C EC B1 30 6B EC 3A 6F 57 3E E0 AB 9E 42 78 5D
[2021-02-06 01:15:15.678] pal_loger_write : A6 CD 9A 3C 4B 28 33 99 FD 54 C5 95 37 D1 B1 CB
[2021-02-06 01:15:15.678] pal_loger_write : [optiga cmd] : Processing response for calculate sign command...
[2021-02-06 01:15:15.678] pal_loger_write : [optiga cmd] : Response of calculate sign command is processed...
[2021-02-06 01:15:15.684] 5353:trustm_engine/trustm_engine_ec.c:545 trustm_ecdsa_sign: Signature received : sig+2=d5c935b2, sig_len=0x45=69
[2021-02-06 01:15:15.684] pal_loger_write : [optiga util] : optiga_util_close_application
[2021-02-06 01:15:15.684] pal_loger_write : [optiga cmd] : optiga_cmd_close_application
[2021-02-06 01:15:15.684] pal_loger_write : [optiga cmd] : Sending close app command..
[2021-02-06 01:15:15.684] pal_loger_write : [optiga comms] : >>>>
[2021-02-06 01:15:15.688] pal_loger_write : Length of data - 0x000B
[2021-02-06 01:15:15.688] pal_loger_write : 09 00 06 08 20 F1 00 00 00 40 A3
[2021-02-06 01:15:15.688] pal_loger_write : [optiga comms] : <<<<
[2021-02-06 01:15:15.688] pal_loger_write : Length of data - 0x000B
[2021-02-06 01:15:15.697] pal_loger_write : 0A 00 06 08 20 00 00 00 00 FD 34
[2021-02-06 01:15:15.697] pal_loger_write : [optiga cmd] : Processing response for close app command...
[2021-02-06 01:15:15.697] pal_loger_write : [optiga cmd] : Response of close app command is processed...
[2021-02-06 01:15:15.697] 5353:trustm_engine/trustm_engine.c:502 trustmEngine_App_Close: Success : optiga_util_close_application
[2021-02-06 01:15:15.723] 5353:trustm_engine/trustm_engine.c:513 trustmEngine_App_Close: <
[2021-02-06 01:15:15.724] 5353:trustm_engine/trustm_engine_ec.c:561 trustm_ecdsa_sign: <
[2021-02-06 01:15:15.725] verify OK
[2021-02-06 01:15:15.727] 5353:trustm_engine/trustm_engine.c:800 engine_finish: > Engine 0x268cb5e0 finish (releasing functional reference)
[2021-02-06 01:15:15.729] 5353:trustm_engine/trustm_engine.c:801 engine_finish: <
[2021-02-06 01:15:15.729] 5353:trustm_engine/trustm_engine.c:765 engine_destroy: > Engine 0x268cb5e0 destroy
[2021-02-06 01:15:15.729] 5353:trustm_engine/trustm_engine.c:430 trustmEngine_Close: TrustM Closed.
[2021-02-06 01:15:15.729] 5353:trustm_engine/trustm_engine.c:431 trustmEngine_Close: <
[2021-02-06 01:15:15.729] 5353:trustm_engine/trustm_engine.c:794 engine_destroy: <
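The pal_loger_write hex dumps in the log above carry more diagnostic value than the engine's own summary lines, because they show what the chip actually answered. The following decoder is an added example written for this page (it is not part of trustm_engine or trustm_lib) that parses three of the chip-to-host frames copied verbatim from the log: the metadata of OID 0xE0F2, the GenKeyPair reply, and the CalcSign reply. The frame layout it assumes (FCTR, 2-byte length, PCTR, one fixed 0x20 presentation-layer byte, APDU, 2-byte FCS) is read off the dumps themselves, and the FCS is not verified. It shows that the chip returned status 0x00 for every command and that the metadata tags E0 = 0x03 and E1 = 0x13 are exactly the "EC key type : 0x03" and "EC key usage : 0x13" the engine printed, so the "Failed to write value!" line in between did not disturb the OPTIGA traffic.

```c
#include <stddef.h>
#include <stdint.h>

/* Chip-to-host frames copied from the log above. */
static const uint8_t META_RESP[] = {    /* reply to GetDataObject 0xE0F2, metadata */
    0x05,0x00,0x19,0x08,0x20,0x00,0x00,0x00,0x13,0x20,0x11,0xC0,0x01,0x01,0xD0,0x03,
    0xE1,0xFC,0x07,0xD3,0x01,0x00,0xE0,0x01,0x03,0xE1,0x01,0x13,0x91,0xE4 };
static const uint8_t KEYPAIR_RESP[] = { /* reply to GenKeyPair, public key only */
    0x05,0x00,0x4D,0x08,0x20,0x00,0x00,0x00,0x47,0x02,0x00,0x44,0x03,0x42,0x00,0x04,
    0x77,0xA8,0xFA,0x83,0x60,0xB0,0x42,0x52,0x29,0xD7,0x23,0xCF,0x22,0xBC,0x57,0x98,
    0x2E,0xD0,0xDC,0x9B,0xF8,0xA0,0x03,0x2A,0x81,0x49,0x82,0x2E,0xD6,0xE9,0xF3,0x66,
    0xE3,0x2D,0x93,0x28,0xFA,0x3D,0x23,0x43,0x01,0xEA,0xB9,0xD4,0x85,0xA1,0x68,0x62,
    0x63,0xAE,0xE6,0xE8,0x03,0x67,0x44,0x5E,0xAC,0xFD,0xFC,0xA0,0x53,0xF7,0x42,0xD2,
    0xF6,0xA5 };
static const uint8_t SIG_RESP[] = {     /* reply to CalcSign, ECDSA over a 32-byte digest */
    0x05,0x00,0x4B,0x08,0x20,0x00,0x00,0x00,0x45,0x02,0x21,0x00,0xE5,0xE6,0x45,0xBF,
    0x17,0x24,0x98,0xE3,0xB6,0x89,0x50,0x59,0x81,0xA8,0x9A,0x13,0x1F,0xE6,0x5F,0x20,
    0x19,0x7F,0x8A,0xA4,0x62,0xA5,0xAF,0x44,0x07,0x12,0xF7,0x07,0x02,0x20,0x30,0xD4,
    0x8C,0xEC,0xB1,0x30,0x6B,0xEC,0x3A,0x6F,0x57,0x3E,0xE0,0xAB,0x9E,0x42,0x78,0x5D,
    0xA6,0xCD,0x9A,0x3C,0x4B,0x28,0x33,0x99,0xFD,0x54,0xC5,0x95,0x37,0xD1,0xB1,0xCB };

struct apdu_resp { uint8_t sta; const uint8_t *data; size_t len; };
struct obj_meta  { int lcso, execute, algorithm, key_usage; };

/* Frame = FCTR(1) LEN(2, big-endian) PCTR(1) SCTR(1) APDU FCS(2) (assumed layout);
 * response APDU = Sta(1) Undef(1) Len(2) Data. Both length fields must agree
 * with the frame size. The FCS is not verified. */
static int parse_response_frame(const uint8_t *f, size_t n, struct apdu_resp *r)
{
    if (n < 11) return -1;
    size_t len = ((size_t)f[1] << 8) | f[2];
    if (len + 5 != n || len < 6) return -1;
    const uint8_t *apdu = f + 5;
    size_t dlen = ((size_t)apdu[2] << 8) | apdu[3];
    if (dlen + 4 != len - 2) return -1;
    r->sta = apdu[0]; r->data = apdu + 4; r->len = dlen;
    return 0;
}

/* Metadata is a constructed TLV with tag 0x20. Single-byte fields decoded:
 * C0 LcsO, D3 execute access (0x00 = ALW), E0 algorithm (0x03 = NIST P-256),
 * E1 key usage bitmap (0x01 Auth | 0x02 Enc | 0x10 Sign = 0x13). */
static int parse_metadata(const uint8_t *d, size_t n, struct obj_meta *m)
{
    m->lcso = m->execute = m->algorithm = m->key_usage = -1;
    if (n < 2 || d[0] != 0x20 || (size_t)d[1] + 2 != n) return -1;
    for (size_t i = 2; i + 2 <= n; i += 2 + d[i + 1]) {
        uint8_t tag = d[i], l = d[i + 1];
        if (i + 2 + l > n) return -1;
        if (l != 1) continue;                 /* D0 (change AC) etc. are skipped */
        int v = d[i + 2];
        if (tag == 0xC0) m->lcso = v;
        else if (tag == 0xD3) m->execute = v;
        else if (tag == 0xE0) m->algorithm = v;
        else if (tag == 0xE1) m->key_usage = v;
    }
    return 0;
}

/* GenKeyPair data: tag 0x02, 2-byte length, DER BIT STRING 03 42 00 04 X Y.
 * Returns a pointer to the 65-byte uncompressed point, or NULL. */
static const uint8_t *parse_pubkey(const uint8_t *d, size_t n, size_t *outlen)
{
    if (n < 7 || d[0] != 0x02) return NULL;
    size_t tl = ((size_t)d[1] << 8) | d[2];
    if (tl + 3 != n || d[3] != 0x03 || d[4] + 2u != tl || d[5] != 0x00 || d[6] != 0x04)
        return NULL;
    *outlen = d[4] - 1u;                      /* drop the unused-bits byte */
    return d + 6;
}

/* CalcSign data: r and s as two bare DER INTEGERs with no enclosing SEQUENCE,
 * which is why the engine logs "sig+2": it prepends the SEQUENCE header itself. */
static int parse_ecdsa_sig(const uint8_t *d, size_t n, size_t *rlen, size_t *slen)
{
    if (n < 4 || d[0] != 0x02) return -1;
    *rlen = d[1];
    size_t off = 2 + *rlen;
    if (off + 2 > n || d[off] != 0x02) return -1;
    *slen = d[off + 1];
    return off + 2 + *slen == n ? 0 : -1;
}

/* 0 when all three replies decode to what the engine log printed, otherwise the
 * first step that disagreed. Every Sta byte is 0x00: the chip answered normally. */
int check_log_frames(void)
{
    struct apdu_resp r; struct obj_meta m; size_t pl, rl, sl;
    if (parse_response_frame(META_RESP, sizeof META_RESP, &r) || r.sta) return 1;
    if (parse_metadata(r.data, r.len, &m)) return 2;
    if (m.algorithm != 0x03 || m.key_usage != 0x13 || m.lcso != 0x01 || m.execute != 0x00) return 3;
    if (parse_response_frame(KEYPAIR_RESP, sizeof KEYPAIR_RESP, &r) || r.sta) return 4;
    if (!parse_pubkey(r.data, r.len, &pl) || pl != 65) return 5;
    if (parse_response_frame(SIG_RESP, sizeof SIG_RESP, &r) || r.sta) return 6;
    if (parse_ecdsa_sig(r.data, r.len, &rl, &sl) || rl != 33 || sl != 32) return 7;
    return 0;
}

static int meta_field(int usage)
{
    struct apdu_resp r; struct obj_meta m;
    if (parse_response_frame(META_RESP, sizeof META_RESP, &r) ||
        parse_metadata(r.data, r.len, &m)) return -1;
    return usage ? m.key_usage : m.algorithm;
}
int log_key_algorithm(void) { return meta_field(0); }
int log_key_usage(void)     { return meta_field(1); }
```

The r value in the signature is 33 bytes because its leading byte is 0x00 (DER padding for a positive integer whose top bit is set); the 0x45 = 69 total the engine prints is 35 + 34 bytes of r and s, before the SEQUENCE header is added.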
Hi @yoshi-ohta, sorry for the late reply. Since you are using GPIO for RST, but no GPIO for VDD, did you comment out the GPIO setting in trustmEngine_Open? Please refer to the code listed below:
optiga_lib_status_t trustmEngine_Open(void)
{
optiga_lib_status_t return_status;
TRUSTM_ENGINE_DBGFN(">");
do
{
pal_gpio_init(&optiga_reset_0);
//pal_gpio_init(&optiga_vdd_0);
If you comment out this line, you will encounter this kind of error. Could you kindly let us know how you set the GPIO for VDD on your platform? From the log you attached, it seems trustm is working properly. Thanks.
@ying-css
Thank you for your answer. The following line was enabled, so I commented it out and tried again.
pal_gpio_init(&optiga_vdd_0);
But the behavior is the same. I attach the log below.
# openssl req -keyform engine -engine trustm_engine -key 0xe0f2:^:NEW:0x03:0x13 -new -out test_e0f2.csr -verify
5033:trustm_engine/trustm_engine.c:1033 bind: >
5033:trustm_engine/trustm_engine.c:962 engine_init: > Engine 0x30c905e0 init
5033:trustm_engine/trustm_engine.c:965 engine_init: Initializing
5033:trustm_engine/trustm_engine.c:235 trustmEngine_Open: >
5033:trustm_engine/trustm_engine.c:250 trustmEngine_Open: TrustM util instance created.
5033:trustm_engine/trustm_engine.c:260 trustmEngine_Open: TrustM crypt instance created.
5033:trustm_engine/trustm_engine.c:261 trustmEngine_Open: TrustM Open.
5033:trustm_engine/trustm_engine.c:265 trustmEngine_Open: <
5033:trustm_engine/trustm_engine_rand.c:68 trustmEngine_init_rand: >
5033:trustm_engine/trustm_engine_rand.c:72 trustmEngine_init_rand: <
5033:trustm_engine/trustm_engine_rsa.c:653 trustmEngine_init_rsa: >
5033:trustm_engine/trustm_engine_rsa.c:682 trustmEngine_init_rsa: <
5033:trustm_engine/trustm_engine_ec.c:583 trustmEngine_init_ec: >
5033:trustm_engine/trustm_engine_ec.c:605 trustmEngine_init_ec: <
5033:trustm_engine/trustm_engine.c:1025 engine_init: <
5033:trustm_engine/trustm_engine.c:1087 bind: <
engine "trustm_engine" set.
5033:trustm_engine/trustm_engine.c:817 engine_load_privkey: > key_id : 0xe0f2:^:NEW:0x03:0x13
5033:trustm_engine/trustm_engine.c:540 parseKeyParams: >
5033:trustm_engine/trustm_engine.c:279 trustmEngine_App_Open: >
5033:trustm_engine/trustm_engine.c:143 __trustmEngine_ipcInit: Shared memory segment exists - opening as client
5033:trustm_engine/trustm_engine.c:296 trustmEngine_App_Open: Check if TrustM Open:queue 0:current:5033:Delay 10
5033:trustm_engine/trustm_engine.c:300 trustmEngine_App_Open: Resource seized by 5033
5033:trustm_engine/trustm_engine.c:324 trustmEngine_App_Open: Lock queue 5033
5033:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore
5033:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
5033:trustm_engine/trustm_engine.c:353 ++done.
5033:trustm_engine/trustm_engine.c:397 trustmEngine_App_Open: Success : optiga_util_open_application
5033:trustm_engine/trustm_engine.c:400 trustmEngine_App_Open: <
5033:trustm_engine/trustm_engine.c:582 parseKeyParams: ---> token [0] = 0xe0f2
5033:trustm_engine/trustm_engine.c:737 parseKeyParams: found NEW
5033:trustm_engine/trustm_engine.c:502 trustmEngine_App_Close: Success : optiga_util_close_application
5033:trustm_engine/trustm_engine.c:513 trustmEngine_App_Close: <
5033:trustm_engine/trustm_engine.c:756 parseKeyParams: <
5033:trustm_engine/trustm_engine.c:827 engine_load_privkey: KEY_OID : 0xe0f2
5033:trustm_engine/trustm_engine.c:828 engine_load_privkey: Pubkey :
5033:trustm_engine/trustm_engine.c:829 engine_load_privkey: PubkeyLen : 0
5033:trustm_engine/trustm_engine.c:830 engine_load_privkey: PubkeyHeader : 0
5033:trustm_engine/trustm_engine.c:831 engine_load_privkey: PubkeyStore : 0xF1D2
5033:trustm_engine/trustm_engine.c:833 engine_load_privkey: RSA key type : 0x00
5033:trustm_engine/trustm_engine.c:834 engine_load_privkey: RSA key usage : 0x00
5033:trustm_engine/trustm_engine.c:835 engine_load_privkey: RSA key flag : 0x02
5033:trustm_engine/trustm_engine.c:837 engine_load_privkey: EC key type : 0x03
5033:trustm_engine/trustm_engine.c:838 engine_load_privkey: EC key usage : 0x13
5033:trustm_engine/trustm_engine.c:839 engine_load_privkey: EC key flag : 0x03
5033:trustm_engine/trustm_engine_ec.c:408 trustm_ec_loadkey: >
5033:trustm_engine/trustm_engine_ec.c:189 trustm_ec_generatekey: >
5033:trustm_engine/trustm_engine.c:279 trustmEngine_App_Open: >
5033:trustm_engine/trustm_engine.c:296 trustmEngine_App_Open: Check if TrustM Open:queue 0:current:5033:Delay 10
5033:trustm_engine/trustm_engine.c:300 trustmEngine_App_Open: Resource seized by 5033
5033:trustm_engine/trustm_engine.c:324 trustmEngine_App_Open: Lock queue 5033
5033:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore
5033:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
Failed to write value! Erro code = 1, fd = 3 ----------(Error)
5033:trustm_engine/trustm_engine.c:353 ++done.
5033:trustm_engine/trustm_engine.c:397 trustmEngine_App_Open: Success : optiga_util_open_application
5033:trustm_engine/trustm_engine.c:400 trustmEngine_App_Open: <
5033:trustm_engine/trustm_engine_ec.c:271 trustm_ec_generatekey: Save Pubkey to : 0xF1D2
5033:trustm_engine/trustm_engine_ec.c:298 trustm_ec_generatekey: Write Success
5033:trustm_engine/trustm_engine.c:502 trustmEngine_App_Close: Success : optiga_util_close_application
5033:trustm_engine/trustm_engine.c:513 trustmEngine_App_Close: <
5033:trustm_engine/trustm_engine_ec.c:319 trustm_ec_generatekey: <
5033:trustm_engine/trustm_engine_ec.c:463 trustm_ec_loadkey: <
5033:trustm_engine/trustm_engine.c:870 engine_load_privkey: <
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:^C
Hi @yoshi-ohta, can you modify the API optiga_vdd_0() in pal_ifx_i2c_config.c as shown below:
pal_gpio_t optiga_vdd_0 =
{
// Platform specific GPIO context for the pin used to toggle Vdd.
//(void*)&pin_vdd
(void*)NULL
};
and don't comment out pal_gpio_init(&optiga_vdd_0); as shown below:
optiga_lib_status_t trustmEngine_Open(void)
{
optiga_lib_status_t return_status;
TRUSTM_ENGINE_DBGFN(">");
do
{
pal_gpio_init(&optiga_reset_0);
pal_gpio_init(&optiga_vdd_0);
Please try again and let me know whether this error is still there. Thanks.
@ying-css
Hi, the source you commented on already has the following settings from the beginning, and the error occurs with these settings. If you need a log to check something, please let me know.
trustm_lib/pal/linux/target/xxxxxxx/pal_ifx_i2c_config.c
//static struct pal_linux_gpio pin_vdd = {GPIO_PIN_VDD, -1};
/**
* \brief PAL vdd pin configuration for OPTIGA.
*/
pal_gpio_t optiga_vdd_0 =
{
// Platform specific GPIO context for the pin used to toggle Vdd.
(void*)NULL
};
trustm_engine/trustm_engine.c
optiga_lib_status_t trustmEngine_Open(void)
{
optiga_lib_status_t return_status;
TRUSTM_ENGINE_DBGFN(">");
do
{
pal_gpio_init(&optiga_reset_0);
pal_gpio_init(&optiga_vdd_0);
@yoshi-ohta Is it possible that the GPIO pin for Reset is defined as input only? We did some investigation to replicate your error (Failed to write value! Erro code = 1, fd = 3 ----------(Error)) and believe this means "Operation not permitted".
If we change the GPIO direction (from OUT to IN) inside pal_gpio_init in pal_gpio.c
pal_status_t pal_gpio_init(const pal_gpio_t * p_gpio_context)
{
#define VALUE_MAX 30
char path[VALUE_MAX] = {0};
if (p_gpio_context->p_gpio_hw != NULL)
{
pal_linux_gpio_t* gpio = p_gpio_context->p_gpio_hw;
int res_pin = gpio->pin_nr;
/*
* Enable GPIO pins
*/
if (-1 == GPIOExport(res_pin))
return(1);
/*
* Set GPIO directions
*/
//if (-1 == GPIODirection(res_pin, OUT))
if (-1 == GPIODirection(res_pin, IN)) -------This is the part we changed
return(2);
We then get exactly the same error as you. Could you kindly check whether this is the root cause of your error message? Thanks.
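The diagnosis above (errno 1 is EPERM, and the kernel's sysfs GPIO interface refuses a write to "value" while the pin's direction is "in") can be made visible at the point where it happens. The following is an added example for this page, not the trustm_lib PAL code: a sysfs GPIO value write that reads the pin direction first and returns a proper -errno instead of printing "Failed to write value!" and carrying on. The sysfs root path is a parameter so the demo can run against a constructed stand-in directory instead of /sys/class/gpio; that directory, the pin number 84 taken from the log, and the demo function are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Overwrite an existing attribute file; returns 0 or -errno. */
static int write_attr(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0) return -errno;
    int err = write(fd, s, strlen(s)) < 0 ? -errno : 0;
    close(fd);
    return err;
}

static int read_attr(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -errno;
    ssize_t r = read(fd, buf, n - 1);
    int err = r < 0 ? -errno : 0;
    close(fd);
    buf[r < 0 ? 0 : r] = '\0';
    return err;
}

/* dir is "in" or "out", the strings gpiolib expects. */
int gpio_set_direction(const char *root, int pin, const char *dir)
{
    char p[256];
    snprintf(p, sizeof p, "%s/gpio%d/direction", root, pin);
    return write_attr(p, dir);
}

/* Drive the pin, but only if it is currently an output. The kernel returns
 * -EPERM for a value write on an input pin; checking first names the cause
 * and hands the caller a -errno to act on instead of a printed number. */
int gpio_write_value(const char *root, int pin, int value)
{
    char p[256], dir[16];
    snprintf(p, sizeof p, "%s/gpio%d/direction", root, pin);
    int err = read_attr(p, dir, sizeof dir);
    if (err) return err;
    if (strncmp(dir, "out", 3) != 0) {
        fprintf(stderr, "gpio%d: direction is '%.*s', refusing value write (%s)\n",
                pin, (int)strcspn(dir, "\n"), dir, strerror(EPERM));
        return -EPERM;
    }
    snprintf(p, sizeof p, "%s/gpio%d/value", root, pin);
    return write_attr(p, value ? "1" : "0");
}

static int create_attr(const char *path, const char *s)
{
    FILE *f = fopen(path, "w");
    if (!f) return -errno;
    fputs(s, f);
    return fclose(f) ? -errno : 0;
}

/* Constructed stand-in for /sys/class/gpio/gpio84: plain files in a temp
 * directory, so only the user-space direction check is exercised. Returns 0
 * when the sequence behaves as on the custom board: the value write is refused
 * while the pin is an input and succeeds once it is switched to output. */
int run_gpio_demo(void)
{
    char root[] = "/tmp/gpio_demo_XXXXXX", p[256], v[8];
    int rc = 1;
    if (!mkdtemp(root)) return rc;
    snprintf(p, sizeof p, "%s/gpio84", root);
    if (mkdir(p, 0700) == 0) {
        snprintf(p, sizeof p, "%s/gpio84/direction", root);
        create_attr(p, "in\n");
        snprintf(p, sizeof p, "%s/gpio84/value", root);
        create_attr(p, "1\n");                              /* pulled up while input */
        if (gpio_write_value(root, 84, 0) != -EPERM)        rc = 2;
        else if (gpio_set_direction(root, 84, "out") != 0)  rc = 3;
        else if (gpio_write_value(root, 84, 0) != 0)        rc = 4;
        else if (read_attr(p, v, sizeof v) || v[0] != '0')  rc = 5;
        else rc = 0;
        unlink(p);
        snprintf(p, sizeof p, "%s/gpio84/direction", root);
        unlink(p);
        snprintf(p, sizeof p, "%s/gpio84", root);
        rmdir(p);
    }
    rmdir(root);
    return rc;
}
```

On real hardware the same helper is used with root = "/sys/class/gpio"; there the kernel enforces the rule itself, and the user-space check only makes the failure explicit. A board that emulates an open-drain reset by flipping the pin between input and output has to switch the direction back to "out" before every value write, or drive the level through the direction change alone.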
@ying-css
I haven't changed pal_gpio_init(). Therefore, the GPIO is set to OUT. However, our custom board sets the direction to IN instead of driving the GPIO RST low.
Based on your research results, I added log output around GPIODirection() (the "#####" lines), and it seems that the error occurs when the direction is in the IN state.
# openssl req -keyform engine -engine trustm_engine -key 0xe0f2:^:NEW:0x03:0x13 -new -out test_e0f2.csr -verify
5987:trustm_engine/trustm_engine.c:1022 bind: >
5987:trustm_engine/trustm_engine.c:951 engine_init: > Engine 0x17f6c5e0 init
5987:trustm_engine/trustm_engine.c:954 engine_init: Initializing
5987:trustm_engine/trustm_engine.c:235 trustmEngine_Open: >
##### pal_gpio_init() call GPIODirection(OUT)
##### Pin=84 Direction=1(OUT)
5987:trustm_engine/trustm_engine.c:250 trustmEngine_Open: TrustM util instance created.
5987:trustm_engine/trustm_engine.c:260 trustmEngine_Open: TrustM crypt instance created.
5987:trustm_engine/trustm_engine.c:261 trustmEngine_Open: TrustM Open.
5987:trustm_engine/trustm_engine.c:265 trustmEngine_Open: <
5987:trustm_engine/trustm_engine_rand.c:68 trustmEngine_init_rand: >
5987:trustm_engine/trustm_engine_rand.c:72 trustmEngine_init_rand: <
5987:trustm_engine/trustm_engine_rsa.c:653 trustmEngine_init_rsa: >
5987:trustm_engine/trustm_engine_rsa.c:682 trustmEngine_init_rsa: <
5987:trustm_engine/trustm_engine_ec.c:392 trustmEngine_init_ec: >
5987:trustm_engine/trustm_engine_ec.c:414 trustmEngine_init_ec: <
5987:trustm_engine/trustm_engine.c:1014 engine_init: <
5987:trustm_engine/trustm_engine.c:1076 bind: <
engine "trustm_engine" set.
5987:trustm_engine/trustm_engine.c:806 engine_load_privkey: > key_id : 0xe0f2:^:NEW:0x03:0x13
5987:trustm_engine/trustm_engine.c:540 parseKeyParams: >
5987:trustm_engine/trustm_engine.c:279 trustmEngine_App_Open: >
5987:trustm_engine/trustm_engine.c:143 __trustmEngine_ipcInit: Shared memory segment exists - opening as client
5987:trustm_engine/trustm_engine.c:296 trustmEngine_App_Open: Check if TrustM Open:queue 0:current:5987:Delay 4
5987:trustm_engine/trustm_engine.c:300 trustmEngine_App_Open: Resource seized by 5987
5987:trustm_engine/trustm_engine.c:324 trustmEngine_App_Open: Lock queue 5987
5987:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore
5987:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
##### pal_gpio_set_low() call GPIODirection(IN)
##### Pin=84 Direction=0(IN)
##### pal_gpio_set_high() call GPIODirection(OUT)
##### Pin=84 Direction=1(OUT)
5987:trustm_engine/trustm_engine.c:353 ++done.
5987:trustm_engine/trustm_engine.c:397 trustmEngine_App_Open: Success : optiga_util_open_application
5987:trustm_engine/trustm_engine.c:400 trustmEngine_App_Open: <
5987:trustm_engine/trustm_engine.c:582 parseKeyParams: ---> token [0] = 0xe0f2
5987:trustm_engine/trustm_engine.c:726 parseKeyParams: found NEW
##### pal_gpio_set_low() call GPIODirection(IN)
##### Pin=84 Direction=0(IN)
5987:trustm_engine/trustm_engine.c:502 trustmEngine_App_Close: Success : optiga_util_close_application
5987:trustm_engine/trustm_engine.c:513 trustmEngine_App_Close: <
5987:trustm_engine/trustm_engine.c:745 parseKeyParams: <
5987:trustm_engine/trustm_engine.c:816 engine_load_privkey: KEY_OID : 0xe0f2
5987:trustm_engine/trustm_engine.c:817 engine_load_privkey: Pubkey :
5987:trustm_engine/trustm_engine.c:818 engine_load_privkey: PubkeyLen : 0
5987:trustm_engine/trustm_engine.c:819 engine_load_privkey: PubkeyHeader : 0
5987:trustm_engine/trustm_engine.c:820 engine_load_privkey: PubkeyStore : 0xF1D2
5987:trustm_engine/trustm_engine.c:822 engine_load_privkey: RSA key type : 0x00
5987:trustm_engine/trustm_engine.c:823 engine_load_privkey: RSA key usage : 0x00
5987:trustm_engine/trustm_engine.c:824 engine_load_privkey: RSA key flag : 0x02
5987:trustm_engine/trustm_engine.c:826 engine_load_privkey: EC key type : 0x03
5987:trustm_engine/trustm_engine.c:827 engine_load_privkey: EC key usage : 0x13
5987:trustm_engine/trustm_engine.c:828 engine_load_privkey: EC key flag : 0x03
5987:trustm_engine/trustm_engine_ec.c:268 trustm_ec_loadkey: >
5987:trustm_engine/trustm_engine_ec.c:92 trustm_ec_generatekey: >
5987:trustm_engine/trustm_engine.c:279 trustmEngine_App_Open: >
5987:trustm_engine/trustm_engine.c:296 trustmEngine_App_Open: Check if TrustM Open:queue 0:current:5987:Delay 4
5987:trustm_engine/trustm_engine.c:300 trustmEngine_App_Open: Resource seized by 5987
5987:trustm_engine/trustm_engine.c:324 trustmEngine_App_Open: Lock queue 5987
5987:trustm_engine/trustm_engine.c:340 trustmEngine_App_Open: No hibernate ctx found. Skip restore
5987:trustm_engine/trustm_engine.c:350 trustmEngine_App_Open: waiting...
Failed to write value! Erro code = 1, fd = 3 --------- ERROR
##### pal_gpio_set_low() call GPIODirection(IN)
##### Pin=84 Direction=0(IN)
##### pal_gpio_set_high() call GPIODirection(OUT)
##### Pin=84 Direction=1(OUT)
5987:trustm_engine/trustm_engine.c:353 ++done.
5987:trustm_engine/trustm_engine.c:397 trustmEngine_App_Open: Success : optiga_util_open_application
5987:trustm_engine/trustm_engine.c:400 trustmEngine_App_Open: <
5987:trustm_engine/trustm_engine_ec.c:140 trustm_ec_generatekey: Save Pubkey to : 0xF1D2
5987:trustm_engine/trustm_engine_ec.c:158 trustm_ec_generatekey: Write Success
##### pal_gpio_set_low() call GPIODirection(IN)
##### Pin=84 Direction=0(IN)
5987:trustm_engine/trustm_engine.c:502 trustmEngine_App_Close: Success : optiga_util_close_application
5987:trustm_engine/trustm_engine.c:513 trustmEngine_App_Close: <
5987:trustm_engine/trustm_engine_ec.c:179 trustm_ec_generatekey: <
5987:trustm_engine/trustm_engine_ec.c:303 trustm_ec_loadkey: <
5987:trustm_engine/trustm_engine.c:859 engine_load_privkey: <
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
Is the GPIO control of trustm_engine correct? Thanks.
@ying-css
trustm_lib/pal/linux/pal_gpio.c pal_gpio_set_low()
In this function, I modified the GPIO value to be set to Low and the Direction to IN. When this function is called from trustm_engine, the GPIO Low setting is done twice in a row. Therefore, when setting Low for the second time, an error occurred because the Write was performed with Direction = IN.
There is no problem without this Write process, so when I deleted the Write process, the error no longer occurred.
Is it correct to assume that trustm_engine setting Low twice in a row is okay?
@yoshi-ohta Supposedly, the GPIO direction should always be OUT, whether the RST pin is set to high or low. We also added a log for the GPIO direction to try to replicate your issue on our platform, but it is always set to OUT, so no error was observed on our platform. Would you consider skipping this part and not using the GPIO (using e.g. a software reset) to proceed on your platform first? Thanks.
@ying-css Thank you for your reply. I understand that in general, Direction should always be OUT. However, our custom board requires Direction to be IN instead of setting RST GPIO Low due to hardware limitations. Therefore, it is necessary to leave the process of setting Direction to IN as it is. The problem was solved by not setting Low when setting Direction to IN. Therefore, please close this issue. Thank you for your support.
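As an added illustration (not code from the cli-optiga-trustm project or from either participant), the custom-board variants of pal_gpio_set_low()/pal_gpio_set_high() described above, plus a guarded value write: it assumes the "Erro code = 1" in the log is errno (EPERM, which the kernel returns for a "value" write on a line whose sysfs direction is "in"), takes the gpio node directory as a parameter (/sys/class/gpio/gpio84 on hardware), and runs offline against a constructed scratch copy of that node.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Write a string to <dir>/<attr>, dir being e.g. /sys/class/gpio/gpio84; 0 or -errno. */
static int gpio_write_attr(const char *dir, const char *attr, const char *val)
{
    char path[256];
    snprintf(path, sizeof path, "%s/%s", dir, attr);
    FILE *f = fopen(path, "w");
    if (!f) return -errno;
    int rc = fputs(val, f) == EOF ? -EIO : 0;
    return fclose(f) == 0 ? rc : -EIO;
}
/* The kernel refuses a "value" write on an input line with EPERM (errno 1, assumed to be
 * the "Erro code = 1" in the log): read the direction back first and report that cleanly. */
int gpio_write_value_guarded(const char *dir, const char *val)
{
    char path[256], buf[8];
    snprintf(path, sizeof path, "%s/direction", dir);
    FILE *f = fopen(path, "r");
    if (!f) return -errno;
    char *got = fgets(buf, sizeof buf, f);
    fclose(f); if (!got) return -EIO;
    return strncmp(buf, "out", 3) == 0 ? gpio_write_attr(dir, "value", val) : -EPERM;
}
/* Custom-board RST: "low" means switching the pin to input, so set_low writes only
 * the direction and is harmless when trustm_engine calls it twice in a row. */
int pal_gpio_set_low_custom(const char *dir) { return gpio_write_attr(dir, "direction", "in"); }
int pal_gpio_set_high_custom(const char *dir)
{
    int rc = gpio_write_attr(dir, "direction", "out");
    return rc ? rc : gpio_write_value_guarded(dir, "1");
}
/* Offline demo on a scratch copy of the gpio84 node (constructed, not real sysfs): high, low, low. */
int demo_reset_sequence(void)
{
    char dir[] = "/tmp/gpio84_XXXXXX", p[256];
    if (!mkdtemp(dir)) return -errno;
    int rc = pal_gpio_set_high_custom(dir);
    if (!rc) rc = pal_gpio_set_low_custom(dir);
    if (!rc) rc = pal_gpio_set_low_custom(dir);
    if (!rc) rc = gpio_write_value_guarded(dir, "0") == -EPERM ? 0 : -EIO; /* input line refused */
    snprintf(p, sizeof p, "%s/direction", dir); unlink(p);
    snprintf(p, sizeof p, "%s/value", dir);     unlink(p);
    return rmdir(dir) == 0 ? rc : -EIO;
}
```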
Hi, We are developing with the TrustM V3 chip. I have a few questions.
This repository (cli-optiga-trustm) remains at V1. I found a V3 development branch (dev_v3_linux_kernel); when will it be merged into the master branch?
I tried to incorporate dev_v3_linux_kernel as a reference, but I have a question. The key information is stored in OID = 0xE200 with trustm_symmetric_keygen. How can I retrieve this key information?
The key information could not be retrieved with the following command. (ERROR: 0x8007) $ trustm_data -r 0xe200
The contents of the output file of the trustm_symmetric_dec command are output as encrypted data. The variable to be output to the file is incorrect.