SLS32AIA020X2USON10XTMA4

Chip Card & Security OPTIGA™ Trust X Datasheet Key Features                 High-end security controller Turnkey solution Mutual authentication using ECDSA DTLS client IETF standard RFC 6347 Secure communication using DTLS Compliant with the USB Type-C™ Authentication standard I2C interface Up to 10 kB user memory Cryptographic support: ECC NIST P256 and P384, AES-128 (via DTLS client), SHA-256, TRNG, DRNG PG-USON-10-2 package (3 x 3 mm) Standard & extended temperature ranges Full system integration support with Host Software Library Common Criteria Certified EAL6+ (high) hardware Crypto ToolBox with ECC NIST P256, P384, SHA-256 (sign, verify, key generation, ECDH, key derivation) Device Security Monitor Lifetime for Industrial Automation and Infrastructure is 20 years and 15 years for other Application Profiles Benefits  Protection of IP and data  Protection of business case  Protection of corporate image  Safeguarding of quality and safety Applications  Industrial control and automation  Consumer electronics and Smart home  Medical devices About this document Scope and purpose This Datasheet provides information to enable integration of a security device, and includes package, connectivity and technical data. Intended audience This Datasheet is intended for device integrators and board manufacturers. Datasheet www.infineon.com Please read the Important Notice and Warnings at the end of this document 1 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Introduction About this document ............................................................................................................................1 1 Introduction ................................................................................................................................3 1.1 Broad range of benefits ...................................................................................................................... 3 1.2 Enhanced security .............................................................................................................................. 3 1.3 Fast and easy integration ................................................................................................................... 3 1.4 Applications ....................................................................................................................................... 3 1.5 Device Features .................................................................................................................................. 3 2 System Block Diagram ................................................................................................................ 6 3 Interface and Schematics ............................................................................................................. 8 3.1 System Integration Schematics ..........................................................................................................8 4 Description of packages ............................................................................................................... 9 4.1 PG-USON-10-2 ...................................................................................................................................9 4.2 Production sample marking pattern ................................................................................................. 10 5 Technical Data ........................................................................................................................... 12 5.1 I2C Interface Characteristics ............................................................................................................. 12 5.1.1 I2C Standard/Fast Mode Interface Characteristics ....................................................................... 12 5.1.2 I2C Fast Mode Plus Interface Characteristics ............................................................................... 13 5.1.3 Electrical Characteristics.............................................................................................................. 14 5.1.4 DC Electrical Characteristics ........................................................................................................ 14 5.1.5 AC Electrical Characteristics ........................................................................................................ 14 5.1.6 Start-Up of I2C Interface.............................................................................................................. 15 5.1.6.1 Startup after Power-On .......................................................................................................... 15 5.1.6.2 Startup for Warm Resets ........................................................................................................ 16 6 Connecting to Host .................................................................................................................... 18 6.1 OPTIGA™ Trust X Host Software Architecture ................................................................................. 18 6.2 Release Package Folder Structure .................................................................................................... 18 6.3 Host Software Folder Structure ........................................................................................................ 19 6.4 Porting Notes ................................................................................................................................... 21 6.5 Communication with OPTIGA™ Trust X ........................................................................................... 21 6.6 Reference code on XMC4500 for communicating with OPTIGA™ Trust X ........................................ 23 7 OPTIGA™ Trust X Commands ..................................................................................................... 26 8 Security Monitor ........................................................................................................................ 27 8.1 Security Events................................................................................................................................. 27 8.2 Security Policy .................................................................................................................................. 27 9 RoHS Compliance ......................................................................................................................28 10 Appendix A – Infineon I2C Protocol Registry Map .......................................................................... 29 10.1 IFX I2C Protocol Variations ............................................................................................................... 31 11 Appendix B – Power Management ............................................................................................... 33 11.1 Low Power Sleep Mode .................................................................................................................... 33 Revision history .................................................................................................................................. 34 Datasheet 2 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Introduction 1 Introduction As embedded systems (e.g. IoT devices) are increasingly gaining the attention of attackers, Infineon offers the OPTIGA™ Trust X as a turnkey security solution for industrial automation systems, smart homes, consumer devices and medical devices. This high-end security controller comes with full system integration support for easy and cost-effective deployment of high-end security for your assets. 1.1 Broad range of benefits Integrated into your device, the OPTIGA™ Trust X supports protection of your brand and business case, differentiates your product from your competitors, and adds value to your product, making it stronger against cyberattacks. 1.2 Enhanced security The OPTIGA™ Trust X is based on advanced security controller with built-in tamper proof NVM for secure storage and Symmetric/Asymmetric crypto engine to support ECC 256, AES-128 and SHA-256. This new security technology greatly enhances your overall system security. 1.3 Fast and easy integration The turnkey setup – with full system integration and all key/certificate material preprogrammed – reduces your efforts for design, integration and deployment to a minimum. As a turnkey solution, the OPTIGA™ Trust X comes with preprogrammed OS/Application code locked and with host-side modules to integrate with host micro controller software. The extended temperature range of −40°C to +105°C combined with a standardized I2C interface and the small PG-USON-10-2 footprint will facilitate onboarding in your existing ecosystem. Almost 30 years in a market-leading position with nearly 20 billion security controllers shipped worldwide are the result of Infineon's strong expertise and its commitment to make security a success factor for you. 1.4 Applications The OPTIGA™ Trust X covers a broad range of use cases necessary for many types of applications that include the following: a) Network node protection such as TLS or DTLS b) Protect the Authenticity, Integrity and Confidentiality of your product, data and IP c) Mutual Authentication d) Secure Communication e) Datastore Protection f) Lifecycle Management g) Platform Integrity Protection h) Secure Updates 1.5 Device Features The OPTIGA™ Trust X comes with upto 10kB user memory that can be used to store X.509 certificates. OPTIGA™ Trust X is based on Common Criteria Certified EAL6+ (high) hardware enabling it to prevent physical attacks on the device itself and providing high assurance that the keys or arbitrary data stored cannot be accessed by an unauthorized entity. OPTIGA™ Trust X supports a highspeed I2C communication interface of up to 1MHz (FM+). Datasheet 3 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Introduction Table 1 Products Type Description Temperature range Package OPTIGA™ Trust X SLS 32AIA020X4 Embedded security solution for connected devices −25°C to +85°C Standard Temperature Range (STR) PG-USON-10-2 OPTIGA™ Trust X SLS 32AIA020X2 Embedded security solution for connected devices −40°C to +105°C Extended Temperature Range (ETR) PG-USON-10-2 Evaluation Kit Includes host micro controller connected to OPTIGA™ Trust X with USB/Ethernet adapters to connect to external world which enables you to evaluate OPTIGA™ Trust X features and start the Design-In activity Board Infineon and its distribution partners offer a wide range of customization options (e.g. X.509 certificate generation and key provisioning) for the security chip. Table 2 Abbreviations Abbreviation Definition AES Advanced Encryption Standard API Application Programming Interface AUTH Authentication CA Certification Authority DTLS Datagram Transport Layer Security DRNG Deterministic Random Number Generator EAL Evaluation Assurance Level ECC Elliptic Curve Cryptography ECDH Elliptic Curve Diffie Hellman ECDSA Elliptic Curve Digital Signature Algorithm ETR Extended Temperature Range IETF Internet Engineering Task Force IOT Internet of Things IP Intellectual Property I2C Inter-Integrated Circuit NIST National Institute of Standards and Technology OCP OPTIGA™ Crypto and Protected Communication OS Operating System PAL Platform Abstraction Layer PKI Public Key Infrastructure RFC Request For Comments TLS Transport Layer Security Datasheet 4 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Introduction Abbreviation Definition TRNG True Random Number Generator SHA Secure Hash Algorithm SKU Stock Keeping Unit STR Standard Temperature Range USB Universal Synchronous Bus Datasheet 5 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet System Block Diagram 2 System Block Diagram The following figure depicts the system block diagram for OPTIGA™ Trust X. Figure 1 System Block Diagram The System Block Diagram is explained below for each layer. 1. Local Host o o Application – This is the target application which utilizes OPTIGA™ Trust X for its security needs DTLS – DTLS client aka. OCP Library provides APIs for performing Mutual Authentication and Encrypted Communication using OPTIGA™ Trust X o AUTH – Authentication aka. Integration Library provides APIs for performing One Way Authentication for Brand Protection and IP Protection using OPTIGA™ Trust X o Command Library – Provides APIs to send and receive commands to and from OPTIGA™ Trust X. Any TLS stack can be integrated to offload crypto operations to OPTIGA™ Trust X via this Command Library. o Crypto Lib Wrapper – Provides wrapper APIs for Third Party crypto library, mainly used in One Way Authentication o Crypto Library – External cryptographic software which is used for One Way Authentication o OPTIGA Comms – Provides wrapper APIs for communication with OPTIGA™ Trust X o Infineon I2C Protocol – Infineon protocol over I2C (IFX I2C) to communicate with OPTIGA™ Trust X o PAL – A layer that abstracts platform specific drivers (e.g. i2c, timer, gpio, sockets etc.) 2. OPTIGA™ Trust X o Arbitrary Data Objects – The target application can store upto 4.5kB (~4600 bytes) of data into OPTIGA™ Trust X o X.509 – Upto 4, X.509 based Certificates can be stored into OPTIGA™ Trust X o Keys – Upto 4, ECC based keys can be stored into OPTIGA™ Trust X o Mutual Authentication Trust Anchor – Customer PKI domain Trust Anchor for Mutual Authentication (TLS/DTLS) can be stored into OPTIGA™ Trust X Datasheet 6 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet System Block Diagram o o Note: Datasheet Firmware Update Trust Anchor – Customer PKI domain Trust Anchor for Firmware Updates can be stored into OPTIGA™ Trust X Crypto Functions - OPTIGA™ Trust X provides cryptographic functions and protocols that can be invoked via local host Unique ECC private keys and X.509 Certificates – During production at Infineon fab, unique asymmetric keys (private and public) are generated. The public key is signed by customer specific CA and resulting X.509 certificate issued is securely stored on OPTIGA™ Trust X. Special measures are taken to prevent leakage and modification of private key at the Common Criteria Certified production site 7 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Interface and Schematics 3 Interface and Schematics This section explains the schematics of the product and gives some recommendations as to how the controller should be externally connected. 3.1 System Integration Schematics Figure 1 illustrates how to integrate OPTIGA™ Trust X to your local host. Figure 2 System Integration Schematic Diagram Note: Value of the pullup resistors depends on the target application circuit and the targeted I2C frequency. Datasheet 8 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Description of packages 4 Description of packages This chapter provides information on the package types and how the interfaces of each product are assigned to the package pins. For further information on compliance of the packages with European Parliament Directives, see “RoHS Compliance” on Page 28. For details and recommendations regarding the assembly of packages on PCBs, please see the following: http://www.infineon.com/cms/en/product/technology/packages/ 4.1 PG-USON-10-2 The package dimensions (in mm) of the controller in PG-USON-10-2 packages are given below. Figure 3 PG-USON-10-2 Package Outline The following figure shows the footprint of the PG-USON-10-2 package: Figure 4 PG-USON-10-2 Package Footprint The figure below shows the PG-USON-10-2 in top view: Datasheet 9 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Description of packages Figure 5 PG-USON-10-2 top view 4.2 Production sample marking pattern The following figure describes the productive sample marking pattern on PG-USON-10-2. Figure 6 PG-USON-10-2 sample marking pattern The black dot indicates pin 01 for the chip. The following table describes the sample marking pattern: Table 3 Indicator LOT CODE ZZ H/E Datasheet Marking table for PG-USON-10-2 Packages Description Defined and inserted during fabrication Indicates the Certifying Authority Serial Number / SKU#, e.g. "00" would mean "SKU#0" H = "Halogen-free", E = "Engineering samples" This indicator is followed by "YYWW", where YY is the "Year" and WW is the "Work Week" of the production. This is inserted during fabrication. Engineering samples have "E YYWW" and productive samples have "H YYWW" 10 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Description of packages Indicator 12345 Description Convention: T&#$@ where:  The letter "T" indicates the OPTIGA Trust family  & indicates whether the product is a Trust X or Trust E controller  # indicates whether the controller is an ETR (E) or STR (S) variant  $ specifies the OPTIGA™ Trust X/E release version number  @ specifies the software version Example: "TXE10" means 'OPTIGA™ Trust X', 'ETR variant', 'release version 1', 'software version 0' The contacts and their functionality are given in the table below. Table 4 Pin Contact Definitions and Functions of PG-USON-10-2 Packages 01 Type GND Function Supply voltage (Ground) 02 NC Not connected 03 I/O Serial Data Line (SDA) 04 NC Not connected 05 NC Not connected 06 NC Not connected 07 NC Not connected 08 I/O Serial Clock Line (SCL) 09 IN Active Low Reset (RST) 10 PWR Supply voltage (VCC) Datasheet 11 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Technical Data 5 Technical Data This section summarizes the technical data of the product. It provides the operational characteristics as well as the electrical DC and AC characteristics. 5.1 I2C Interface Characteristics Table 5 I2C Operation Supply and Input Voltages Parameter Symbol Values Unit Note or Test Condition Supply voltage VCC_I2C Min. 1.62 Typ. – Max. 5.5 SDA, SCL input voltage VIN_I2C −0.3 – VCC_I2C + 0.5 or V 5.51 −0.3 – 5.5 V V VCC_I2C is in the operational supply range VCC_I2C is switched off 1) Whichever is lower 5.1.1 I2C Standard/Fast Mode Interface Characteristics For operation of the I2C interface, the electrical characteristics are compliant with the I 2C bus specification Rev. 4 for "standard-mode" (fSCL up to 100 kHz) and "fast-mode" (fSCL up to 400 kHz), with certain deviations as stated in the table below. Note: TA as given for the operating temperature range of the controller unless otherwise stated. Table 6 I2C Standard Mode Interface Characteristics Parameter Symbol Values Unit SCL clock frequency fSCL Min. 0 Input low-level VIL −0.3 – 0.3 * VCC_I2C V Low-level output voltage VOL1 0 – 0.4 V Low-level output current IOL 3 2 – – mA Output fall time from VIHmin to VILmax (at device pin) tOF – – 250 ns Capacitive load for each bus line Cb – – 400 200 pF Datasheet Typ. – Max. 100 kHz 12 Note or Test Condition Sink current 3 mA; VCC_I2C ≥ 2.7 V Sink current 2 mA; VCC_I2C < 2.7 V VOL = 0.4 V; VCC_I2C ≥ 2.7 V VOL = 0.4 V; VCC_I2C < 2.7 V Cb ≤ 400 pF; VCC_I2C ≥ 2.7 V Cb ≤ 200 pF; VCC_I2C < 2.7 V VCC_I2C ≥ 2.7 V VCC_I2C < 2.7 V Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Technical Data Table 7 I2C Fast Mode Interface Characteristics Parameter Symbol Values Unit SCL clock frequency fSCL Min. 0 Typ. – Max. 400 kHz Input low-level VIL −0.3 – 0.3 * VCC_I2C V Low-level output voltage VOL1 0 – 0.4 V Low-level output current IOL 3 2 – – mA Output fall time from VIHmin to VILmax (at device pin) tOF 20 * VCC_I2C / 5.5 V1 – 250 ns Capacitive load for each bus line Cb 152 – 400 200 pF Note or Test Condition Sink current 3 mA; VCC_I2C ≥ 2.7 V Sink current 2 mA; VCC_I2C < 2.7 V VOL = 0.4 V; VCC_I2C ≥ 2.7 V VOL = 0.4 V; VCC_I2C < 2.7 V Cb ≤ 400 pF; VCC_I2C ≥ 2.7 V Cb ≤ 200 pF; VCC_I2C < 2.7 V VCC_I2C ≥ 2.7 V VCC_I2C < 2.7 V 1) A min. capacitive load is necessary to reach tOF 2) A min. capacitive load is necessary to reach tfmin 5.1.2 I2C Fast Mode Plus Interface Characteristics For operation of the I2C interface, the electrical characteristics are compliant with the I 2C bus specification Rev. 4 for "fast mode plus" (fSCL up to 1 MHz), with certain deviations as stated in the table below. Note: TA as given for the operating temperature range of the controller unless otherwise stated. Table 8 I2C Fast Mode Plus Interface Characteristics Parameter Symbol Values Unit SCL clock frequency fSCL Min. 0 Input low-level VIL −0.3 – 0.3 * VCC_I2C V Low-level output voltage VOL1 0 – 0.4 V Low-level output current IOL 3 2 – – mA Output fall time from VIHmin to VILmax (at device pin) tOF 20 * VCC_I2C / 5.5 V1 – 120 ns Datasheet Typ. – Max. 1000 kHz 13 Note or Test Condition Sink current 3 mA; VCC_I2C ≥ 2.7 V Sink current 2 mA; VCC_I2C < 2.7 V VOL = 0.4 V; VCC_I2C ≥ 2.7 V VOL = 0.4 V; VCC_I2C < 2.7 V Cb ≤ 150 pF Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Technical Data Parameter Symbol Capacitive load for each bus line Cb Values Min. 151 Unit Typ. Max. – 150 Note or Test Condition pF 1) A min. capacitive load is necessary to reach tOF 5.1.3 Electrical Characteristics Note: TA as given for the operating temperature range of the controller unless otherwise stated. All currents flowing into the controller are considered positive. 5.1.4 DC Electrical Characteristics TA as given for the controller’s operating ambient temperature range unless otherwise stated. All currents flowing into the controller are considered positive. Table 9 Electrical Characteristics Parameter Symbol Values Unit Note or Test Condition Overall functional range Supply voltage range for operation of I2C While running a typical authentication profile TA = 25°C; VCC = 5.0 V TA = 25°C; VCC_I2C = 3.3 V; I2C ready for operation (no bus activity), all other inputs at VCC, no other interface activity IIL = −50 μA to +20 μA IIL = −50 μA to +20 μA Supply voltage VCC VCC_I2C Min. 1.62 1.62 Typ. – – Max. 5.5 5.5 V V Supply current1 ICCAVG – 20.0 – mA Supply current, in sleep ICCS3 mode – 70 100 A RST input low voltage VIL RST input high voltage VIH −0.3 0.7 * VCC – – 0.2 * VCC VCC + 0.3 V V 1) Supply current can be limited from 6mA to 15mA by software commands. 5.1.5 AC Electrical Characteristics TA as given for the controller’s operating ambient temperature range unless otherwise stated. All currents flowing into the controller are considered positive. Table 10 AC Characteristics Parameter VCC rampup time Datasheet Symbol tVCCR Values Min. 1 Typ. – Max. 1000 14 Unit Note or Test Condition s 400 mV to 90% of VCC target voltage ramp Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Technical Data The VCC ramp is depicted in Figure 7. 90% of the target supply voltage must be reached within tVCCR after it has exceeded 400 mV. Moreover, its variation must be kept within a ±10% range. VCC 110% target supply voltage range 90% 400 mV t tVCCR Figure 7 Vcc Rampup 5.1.6 Start-Up of I2C Interface There are 2 variants possible for performing the startup procedure:  Startup after power-on  Startup for warm resets 5.1.6.1 Startup after Power-On The activation of the I2C interface after power-on needs the following reset procedure.  VCC is powered up and the state of the SDA and SCL line are set to high level during power-up  The first transmission may start at the earliest tSTARTUP after power-up of the device The following figure shows the startup timing of the I2C interface for this case. Datasheet 15 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Technical Data tVCCR VCC 0.4 V tSTARTUP SCL RST trans- SDA Power-up Startup of I2C Interface after Power-On Table 11 Startup of I2C Interface After Power-On Startup time 5.1.6.2 Symbol tSTARTUP Values Min. 10 trans- mission n Bus-Idle Start-up Figure 8 Parameter mission 1 Typ. Unit Note or Test Condition Max. ms Startup for Warm Resets When using the reset signal for triggering a warm reset after power-on, the activation of the I2C interface needs the following reset procedure  VCC remains powered up.  The terminal stops I2C communication. SDA and SCL lines are set to high level before RST is set to low level.  After its falling edge, RST has to be kept at low level for at least t1. At the latest t2 after the falling edge of RST, the terminal must set RST to high level.  The first transmission may start at the earliest tSTARTUP after the rising edge of RST The following figure shows the timing for this startup case. Datasheet 16 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Technical Data Figure 9 Startup of I2C Interface for Warm Resets Note: If NVM programming was requested prior to the reset, tSTARTUP will be extended from a typical value of 10 ms to a maximum of 12 ms. Table 12 Startup of I2C Interface for Warm Resets1 Parameter Symbol Startup time Rise time tSTARTUP tR Fall time tF Reset detection Reset low t1 Values Min. 10 Typ. Unit Note or Test Condition Max. 10 10 1 ms s 1 s 2500 s s From 10% to 90% of signal amplitude From 10% to 90% of signal amplitude 1) Reset triggered by software (without power off/on cycle) Datasheet 17 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Connecting to Host 6 Connecting to Host 6.1 OPTIGA™ Trust X Host Software Architecture In Figure 1 the System Block Diagram was explained which covered the OPTIGA™ Trust X Host Library layers. In following sections, we will cover how to communicate with OPTIGA™ Trust X using I2C. Figure 10 OPTIGA™ Trust X Host Software Architecture 6.2 Release Package Folder Structure The following figure shows the release package structure when OPTIGA™ Trust X is installed/extracted on PC. Figure 11 Datasheet Release Package Folder Structure 18 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Connecting to Host 1. is the root directory to which the release contents are installed or extracted. The 2. 3. 4. 5. 6. 7. content of each subdirectory under installed directory is explained below. CACertificates This directory contains OPTIGA™ Trust X Test and Productive Trust-Anchor/CA certificates. DemoUI This directory contains binaries and Demo UI Application for OPTIGA™ Trust X. Documentation This directory contains all common OPTIGA™ Trust X documentation. Host This directory contains source files, header files, binaries, documents, API as compiled help (CHM) and sample application for OPTIGA™ Trust X Host Software. PC This directory contains source files, header files, binaries and sample application for OPTIGA™ Trust X PC Software. TestServer This directory contains Sample Test Server Application and Test certificates required for DTLS client feature demonstration 6.3 Host Software Folder Structure The following figure shows the Host Software folder structure when OPTIGA™ Trust X is installed on PC. Figure 12 Host Software Folder Structure 1. Bin This directory contains prebuilt binaries for Eval Kit based on XMC4500 Relax Kit v1 that communicates with OPTIGA™ Trust X. 2. Documentation Datasheet 19 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Connecting to Host This directory contains documentation outlining software for Eval Kit based on XMC4500 Relax Kit v1. 3. Projects This directory contains project files for Eval Kit based on XMC4500 Relax Kit v1. 4. Source This directory contains all source files for OPTIGA™ Trust X Host Software Library. Further the following figure elaborates the Host Software source folder structure. Figure 13 Host Source Folder Structure 1. auth – This folder contains sources for One Way Authentication which are platform independent. The layer is 2. 3. 4. 5. 6. also known as Integration Library. cmd – This folder contains sources for all OPTIGA™ Trust X commands which are platform independent. common – This folder contains sources that are common for all functionality (e.g. utilities). cryptolib – This folder contains binaries for crypto library wrapper which is platform independent. dtls – This folder contains sources for Mutual Authentication and Encrypted Communication using DTLS client, which are platform independent. The layer is also known as OCP Library. ifx_i2c – This folder contains sources for Infineon protocol over I2C (aka IFX I2C). Datasheet 20 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Connecting to Host 7. include – This folder contains header files for all Host Software. 8. pal – This folder contains all the platform dependent code. 9. transparent_channel – This folder contains transparent channel communication mainly used for Eval Kit. 6.4 Porting Notes The Platform Abstraction Layer (PAL) APIs have to be updated to integrate the OPTIGA™ Trust X host libraries in the local host target platform. The PAL reference code for the XMC4500 Relax kit is provided as part of package which can be used. The implementation can be referred in “/Host/Source/pal/xmc4500” and the header files are available in “/Host/Source/Include” with the required APIs used by upper layers. The header files are platform agnostic and would not require any change. 6.5 Communication with OPTIGA™ Trust X The hardware/platform resource configuration with respect to I2C master and GPIOs (Vdd and Reset) are to be updated in pal_ifx_i2c_config.c. These configurations are used by the IFX I2C implementation to communicate with OPTIGA™ Trust X. 1. Update I2C master platform specific context[e.g. (void*)&i2c_master_0] 001 /** 002 * \brief PAL I2C configuration for OPTIGA 003 */ 004 005 006 007 008 009 010 011 012 013 014 pal_i2c_t optiga_pal_i2c_context_0 = { /// Pointer to I2C master platform specific context (void*)&i2c_master_0, /// Slave address 0x30, /// Upper layer context NULL, /// Callback event handler NULL }; 2. Update platform specific context for GPIOs (Vdd and Reset) [e.g. (void*)&pin_3_4] 001 /** 002 * \brief Vdd pin configuration for OPTIGA 003 */ 004 pal_gpio_t optiga_vdd_0 = 005 { 006 // Platform specific GPIO context for the pin used to toggle Vdd 007 (void*)&pin_3_4 008 }; 009 010 /** 011 * \brief Reset pin configuration for OPTIGA 012 */ 013 pal_gpio_t optiga_reset_0 = 014 { 015 // Platform specific GPIO context for the pin used to toggle Reset 016 (void*)&pin_3_3 017 }; 3. Update PAL I2C APIs [pal_i2c.c] to communicate with OPTIGA™ Trust X Datasheet 21 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Connecting to Host The pal_i2c is expected to provide the APIs for I2C driver initialization, de-initialization, read, write and set bitrate kind of operations a) pal_i2c_init b) pal_i2c_deinit c) pal_i2c_read d) pal_i2c_write e) pal_i2c_set_bitrate In few target platforms, the I2C master driver initialization (pal_i2c_init) is done during the platform start up. In such an environment, there is no need to implement pal_i2c_init and pal_i2c_deinit functions. Otherwise, these (pal_i2c_init & pal_i2c_deinit) functions must be implemented as per the upper layer expectations based on the need. The details of these expectations are available in the Host library API documentation (chm). The reference implementation of PAL I2C based on XMC4500 Relax kit does not need to have the platform I2C driver initialization explicitly done as part of pal_i2c_init as it is taken care by the DAVE library initialization. Hence pal_i2c_init & pal_i2c_deinit are not implemented. In addition to the above specified APIs, the PAL I2C must handle the events from the low level I2C driver and invoke the upper layer handlers registered with PAL I2C context for the respective transaction as shown in the below example. 001 002 003 004 005 006 //I2C driver callback function when the transmit is completed successfully void i2c_master_end_of_transmit_callback(void) { invoke_upper_layer_callback(gp_pal_i2c_current_ctx, (uint8_t)PAL_I2C_EVENT_TX_SUCCESS); } In above example the I2C driver callback, when transmit is successful invokes the handler to inform the result. 4. Update PAL GPIO [pal_gpio.c] to power on and reset the OPTIGA™ Trust X a) pal_gpio_set_high b) pal_gpio_set_low 5. Update PAL Timer [pal_os_timer.c] to enable timer a) pal_os_timer_get_time_in_milliseconds b) pal_os_timer_delay_in_milliseconds 6. Update Event management for the asynchronous interactions for IFX I2C [pal_os_event.c] a) pal_os_event_register_callback_oneshot b) scheduler_timer_isr The pal_os_event_register_callback_oneshot function is expected to register the handler and context provided as part of input parameters and triggers the timer for the requested time. 001 002 003 004 005 006 007 008 009 010 011 Datasheet void pal_os_event_register_callback_oneshot( register_callback callback, void* callback_args, uint32_t time_us) { callback_registered = callback; callback_ctx = callback_args; //lint --e{534} suppress "Return value is not required to be checked" TIMER_SetTimeInterval(&scheduler_timer , (time_us*100)); 22 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Connecting to Host 012 013 TIMER_Start(&scheduler_timer); } And the handler registered must be invoked once the timer is elapsed as shown in scheduler_timer_isr 001 002 003 004 005 006 007 008 009 010 011 012 6.6 001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 Datasheet void scheduler_timer_isr(void) { TIMER_ClearEvent(&scheduler_timer); //lint --e{534} suppress "Return value is not required to be checked" TIMER_Stop(&scheduler_timer); TIMER_Clear(&scheduler_timer); if (callback_registered) { callback_registered((void*)callback_ctx); } } Reference code on XMC4500 for communicating with OPTIGA™ Trust X static volatile uint32_t optiga_pal_event_status; extern void ifx_i2c_pl_pal_event_handler( void *p_ctx,uint8_t event); void optiga_pal_i2c_event_handler ( void* upper_layer_ctx, uint8_t event); pal_i2c_t optiga_pal_i2c_context_0 = { /// Pointer to I2C master context (void*)&i2c_master_0, /// Slave address 0x30, /// Upper layer context NULL, /// Callback event handler pal_i2c_slave_1_event_handler }; // Pal optiga slave 1 event handler void optiga_pal_i2c_event_handler( void* upper_layer_ctx, uint8_t event) { optiga_pal_event_status = event; } /* Function to verify I2C communication*/ pal_status_t test_optiga_communication(void) { pal_status_t pal_return_status; uint8_t data_buffer[10] = {0x82}; uint16_t data_length =1; // Set callback handler for i2c optiga_pal_i2c_context_0.upper_layer_event_handler 23 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Connecting to Host 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 Datasheet = optiga_pal_i2c_event_handler; // Send 0x82 command to slave to check the state optiga_pal_event_status = PAL_I2C_EVENT_BUSY; do { pal_return_status = pal_i2c_write(&optiga_pal_i2c_context_0, data_buffer, data_length); if (pal_return_status == PAL_STATUS_FAILURE) { break; } // Wait until slave completes write operation } while (optiga_pal_event_status != PAL_I2C_EVENT_TX_SUCCESS); optiga_pal_event_status = PAL_I2C_EVENT_BUSY; data_length = 4; // Read the response for 0x82 command do { pal_return_status = pal_i2c_read(&optiga_pal_i2c_context_0 , data_buffer , data_length); if (pal_return_status == PAL_STATUS_FAILURE) { break; } // Wait until slave completes read operation } while (optiga_pal_event_status != PAL_I2C_EVENT_RX_SUCCESS); return pal_return_status; } /*************************************************************** * Main Function *************************************************************/ /** * This function is the entry point of sample. * * \retval * 0 on success * 1 on failure */ int32_t main(Void) { DAVE_STATUS_t status; 24 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Connecting to Host 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 Datasheet pal_status_t pal_return_status; // Initialize your host code here (e.g. timers etc) // Initialisation of DAVE Apps for XMC4500 status = DAVE_Init(); // Stop if DAVE init fails if (status == DAVE_STATUS_FAILURE) { while (1U) {;} } pal_return_status = test_optiga_communication(); return pal_return_status; } 25 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet OPTIGA™ Trust X Commands 7 OPTIGA™ Trust X Commands This section provides short description of OPTIGA™ Trust X commands and mapping of these commands w.r.t Use Cases. Table 13 OPTIGA™ Trust X command table Command Name GetDataObject SetDataObject GetRandom SetAuthScheme GetAuthMsg SetAuthMsg ProcUpLinkMsg ProcDownLinkMsg CalcHash CalcSign VerifySign CalcSSec DeriveKey GenKeyPair OpenApplication Table 14 Mapping of OPTIGA™ Trust X command with Use cases Use Case Mutual Authentication using DTLS One Way Authentication Crypto Toolbox Read General Purpose Data Write General Purpose Data Datasheet Description Command to get (read) a data object Command to set (write) a data object Command to generate a random stream Command to set the authentication scheme which gets used subsequently Command to get (receive from OPTIGA™ Trust X) an authentication message Command to set (send to OPTIGA™ Trust X) an authentication message Command to process an up-link message for DTLS(receive from OPTIGA™ Trust X) Command to process a down-link message for DTLS (send to OPTIGA™ Trust X) Command to calculate a Hash Command to calculate a signature Command to verify a signature Command to execute a Diffie-Hellmann key agreement Command to derive keys Command to generate public/private key pairs Command to launch an application OPTIGA™ Trust X commands used SetAuthScheme, ProcUpLinkMsg & ProcDownLinkMsg GetRandom, GetDataObject, SetAuthScheme, SetAuthMsg & GetAuthMsg GetRandom, SetAuthScheme, SetAuthMsg, GetAuthMsg, CalcHash, CalcSign, VerifySign, CalcSSec, DeriveKey, GenKeyPair GetDataObject SetDataObject 26 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Security Monitor 8 Security Monitor The Security Monitor is a central component which enforces the security policy of the OPTIGA™ Trust X. It consumes security events sent by security aware parts of the OPTIGA™ Trust X embedded SW and takes actions accordingly 8.1 Security Events The following table provides the definition of not permitted security events considered by the OPTIGA™ Trust X implementation. Table 15 Security Events Event Description Decryption Failure This event occurs in case a decryption and/ or integrity check of provided data lead to an integrity failure. Private Key Use This event occurs in case the internal services are going to use an OPTIGA™ Trust X hosted private key. Suspect System Behavior This event occurs in case the embedded software detects inconsistencies with the expected behavior of the system. Those inconsistencies might be redundant information which doesn’t fit to their counterpart. 8.2 Security Policy Security Monitor judges the notified security events regarding the number of occurrence over time and in case those violate the permitted usage profile of the system takes actions to throttle down the performance and thus the possible frequency of attacks. The permitted usage profile is defined as: 1. One protected operation (refer to Table 15) events per tmax period. 2. A Suspect System Behavior event is never permitted and will cause setting the SEC to its maximum. 3. tmax is set to 5 seconds (± 5%). With other words it must not allow more than one out of the protected operations per tmax period (worst case, ref to bullet 1. above). This condition must be stable, at least after 500 uninterrupted executions of protected operations. For more information, please refer to Solution Reference Manual document available as part of the package. Datasheet 27 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet RoHS Compliance 9 RoHS Compliance On January 27, 2003 the European Parliament and the council adopted the directives:  2002/95/EC on the Restriction of the use of certain Hazardous Substances in electrical and electronic equipment ("RoHS")  2002/96/EC on Waste Electrical and Electrical and Electronic Equipment ("WEEE") Some of these restricted (lead) or recycling-relevant (brominated flame retardants) substances are currently found in the terminations (e.g. lead finish, bumps, balls) and substrate materials or mold compounds. The European Union has finalized the Directives. It is the member states' task to convert these Directives into national laws. Most national laws are available, some member states have extended timelines for implementation. The laws arising from these Directives have come into force in 2006 or 2007. The electro and electronic industry has to eliminate lead and other hazardous materials from their products. In addition, discussions are on-going with regard to the separate recycling of ceratin materials, e.g. plastic containing brominated flame retardants. Infineon Technologies is fully committed to giving its customers maximum support in their efforts to convert to lead-free and halogen-free1 products. For this reason, Infineon Technologies’ "Green Products" are ROHS-compliant. Since all hazardous substances have been removed, Infineon Technologies calls its lead-free and halogen-free semiconductor packages "green." Details on Infineon Technologies’ definition and upper limits for the restricted materials can be found here. The assembly process of our high-technology semiconductor chips is an integral part of our quality strategy. Accordingly, we will accurately evaluate and test alternative materials in order to replace lead and halogen so that we end up with the same or higher quality standards for our products. The use of lead-free solders for board assembly results in higher process temperatures and increased requirements for the heat resistivity of semiconductor packages. This issue is addressed by Infineon Technologies by a new classification of the Moisture Sensitivity Level (MSL). In a first step the existing products have been classified according to the new requirements. 1 Any material used by Infineon Technologies is PBB and PBDE-free. Plastic containing brominated flame retardants, as mentioned in the WEEE directive, will be replaced if technically/economically beneficial. Datasheet 28 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Appendix A – Infineon I2C Protocol Registry Map 10 Appendix A – Infineon I2C Protocol Registry Map OPTIGA™ Trust X supports IFX I2C v1.65 and is implemented as I2C slave, which uses different address locations for status, control and data communication registers. These registers with description are outlined below in the following table. Table 16 Register Address IFX I2C Registry Map Table Name Size in Bytes Description Master Access 0x80 DATA DATA_REG_LE N This is the location where data shall be read from or written to the I2C slave Read / Write 0x81 DATA_REG_LEN 2 This register holds the maximum data register (Addr 0x80) length. The allowed values are 0x0010 up to 0xFFFF. After writing the new data register length it becomes effective with the next I2C master access. However, in case the slave could not accept the new length it indicates its maximum possible length within this register. Therefore it is recommended to read the value back after writing it to be sure the I2C slave did accept the new value. Read / Write Note: the value of MAX_PACKET_SIZE is derived from this value or vice versa (MAX_PACKET_SIZE= DATA_REG_LEN-5) 0x82 I2C_STATE 4 Bits 31:24 of this register provides the I2C state in regards to the supported features (e.g. clock stretching …) and whether the device is busy executing a command and/or ready to return a response etc. Read only Bits 15:0 defining the length of the response data block at the physical layer. 0x83 BASE_ADDR 2 This register holds the I2C base address as specified by Table 17. If not differently defined by a particular project the default value at reset is 0x20. After writing a different address the new address become effective with the next I2C master access. In case the bit 15 is set in addition to the new address (bit 6:0) it becomes the new default address at reset (persistent storage). Write only 0x84 MAX_SCL_FREQU 4 This register holds the maximum clock frequency in KHz supported by the I2C slave. The value gets adjusted to the register I2C_Mode setting. Fast Mode (Fm): The allowed values are 50 up to 400. Fast Mode (Fm+): The allowed values are 50 up to 1000. Read 0x85 GUARD_TIME 4 For details refer to Table 20 Read only 4 For details refer to Table 20 Read only 0x86 1 1 TRANS_TIMEOUT 1 In case the register returns 0xFFFFFFFF the register is not supported and the default values specified in Table ‘List of protocol variations’ shall be applied. Datasheet 29 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Appendix A – Infineon I2C Protocol Registry Map Register Address Name Size in Bytes Description Master Access 0x88 SOFT_RESET 2 Writing to this register will cause a device reset. This feature is optional Write only 0x89 I2C_MODE 2 This register holds the current I2C Mode as defined by Table 18. The default mode is SM & FM (011B). Read / Write Table 17 Definition of BASE_ADDR Fields Bits Value Description DEF_ADDR 15 0 1 Volatile address setting by bit 6:0, lost after reset. Persistent address setting by bit 6:0, becoming default after reset. BASE_ADDR 6:0 0x00-0x7F I²C base address specified by Table 16 15 14 13 12 11 DEF_ADDR 7 5 4 3 RFU 8 2 1 0 10 9 8 2 1 0 BASE_ADDR 14 13 12 11 DEF_MODE 7 9 RFU 6 15 10 RFU 6 5 4 3 RFU Table 18 Fields DEF_MODE MODE 1 2 2 Mode Definition of I2C_MODE Bits Value Description 15 0 1 Volatile mode setting by bit 2:0, lost after reset. Persistent mode setting by bit 2:0, becoming default after reset. This bit is always read as 0. 2:0 001 010 011 100 other values Sm Fm SM & Fm (fab out default) Fm+ not valid; writing will be ignored In case the register returns 0xFFFFFFFF the register and its functionality is not supported This mode defines the adherence of the bus signals to the electrical characteristics according standard I2C bus specification Datasheet 30 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Appendix A – Infineon I2C Protocol Registry Map 31 30 BUSY RESP_RDY 23 22 29 28 RFU 21 27 26 25 24 SOFT_RESET CONT_READ REP_START CLK_STRETCHING 19 18 17 16 20 RFU 15-0 Length of data block to be read Table 19 Definition of I2C_STATE Field Bit(s) Value Description BUSY 31 0 1 Device is not busy Device is busy executing a command RESP_RDY 30 0 1 Device is not ready to return a response Device is ready to return a response SOFT_RESET 27 0 1 SOFT_RESET not supported SOFT_RESET supported CONT_READ 26 0 1 Continue Read not supported Continue Read supported REP_START 25 0 1 Repeated start not supported Repeated start supported CLK_STRETCHING 24 0 1 Clock stretching not supported Clock stretching supported 10.1 IFX I2C Protocol Variations To fit best to application specific requirements the protocol might be tailored by specifying a couple of parameters which is described in the following table. Table 20 List of Protocol Variations Parameter MAX_PACKET_SIZE Default Value 0x110 WIN_SIZE 1 MAX_NET_CHAN 1 CHAINING TRUE TRANS_TIMEOUT 10 ms Datasheet Description Maximum packet size accepted by the receiver. The protocol limits this value to 0xFFFF, but there might be project specific requirements to reduce the transport buffers size for the sake of less RAM footprint in the communication stack. If shortened, it could be statically defined or negotiated at the physical layer. Window size of the sliding windows algorithm. The value could be 1 up to 2. Maximum number of network channels. The value could be 1 up to 16. One indicates the OSI Layer 3 is not used and the CHAN field of the PCTR must be set to 0000. Chaining on the transport layer is supported (TRUE) or not (FALSE) (Re) transmission timeout specifies the number of milliseconds to be elapsed until the transmitter considers a frame transmission is lost and retransmits the non-acknowledged frame. The Timer gets started as soon as the complete frame is 31 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Appendix A – Infineon I2C Protocol Registry Map Parameter Default Value TRANS_REPEAT 3 BASE_ADDR 0x30 MAX_SCL_FREQU GUARD_TIME 1000 kHz 50 µs SOFT_RESET Datasheet Description transmitted. The value could be 1 up to 1000. However, as higher the number as longer does it take to recover from a frame transmission error. Note: The acknowledge timeout on the receiver side must be shorter than the retransmission timeout to avoid unnecessary frame repetitions. Number of transmissions to be repeated until the transmitter considers the connection is lost and starts a re-synchronization with the receiver. The value could be 1 up to 4. I2C (base) address. This address could be statically defined or dynamically negotiated by the physical layer. If not different specified the default value is 0x30. Maximum SCL clock frequency in kHz. Minimum time to be elapsed at the I2C master measured from read data (STOP condition) until the next write data (Start condition) is allowed to happen. Note 1: For two consecutive accesses on the same device GUARD_TIME re-specifies the value of tBUF as specified by [I2Cbus]. Note 2: Even if another I2C address is accessed in between GUARD_TIME has to be respected for two consecutive accesses on the same device. Any write attempt to the SOFT_RESET register will trigger a warm reset (reset w/o power cycle). This register is optional and its presence is indicated by the I2C_STATE register’s “SOFT_RESET” flag. 32 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Appendix B – Power Management 11 Appendix B – Power Management When operating, the power consumption of OPTIGA™ Trust X is limited to meet the requirements regarding the power limitation set by the Host. The power limitation is implemented by utilizing the current limitation feature of the underlying hardware device in steps of 1mA from 6mA to 15 mA with a precision of ±5%. 11.1 Low Power Sleep Mode The OPTIGA™ Trust X automatically enters a low-power mode after a configurable delay. Once it has entered Sleep mode, the OPTIGA™ Trust X resumes normal operation as soon as its address is detected on the I2C bus. In case no command is sent to the OPTIGA™ Trust X it behaves as shown in Figure 14. 1. As soon as the OPTIGA™ Trust X is idle it starts to count down the “delay to sleep” time (tSDY). 2. In case this time elapses the device enters the “go to sleep” procedure. 3. The “go to sleep” procedure waits until all idle tasks are finished (e.g. counting down the SEC). In case all idle tasks are finished and no command is pending, the OPTIGA™ Trust X enters sleep mode. tSDY VCC 1 IO 2 3 operational Power State Figure 14 Datasheet undefined idle sleep Go-to-Sleep Diagram 33 Revision 2.6 2019.02.08 OPTIGA™ Trust X Datasheet Revision history Revision history Document version Date of release Description of changes 2.6 08.02.2019 Updated PG-USON10-2 foot print 2.5 31.01.2018 Feedback incorporation from all internal regions 2.4 11.01.2018 Feedback incorporation from all internal regions 2.3 01.01.2018 Feedback incorporation from all internal regions 2.2 12.12.2017 Feedback from all internal regions 2.1 23.06.2017 Updated Key features and Enhanced Security 2.0 08.06.2017 Updated Key features and Enhanced Security 1.4 22.02.2017 First version release 1.3 Internal review 1.2 Internal review 1.1 Internal review 1.0 Internal review Datasheet 34 Revision 2.6 2019.02.08 Trademarks All referenced product or service names and trademarks are the property of their respective owners. Edition 2019.02.08 Published by Infineon Technologies AG 81726 Munich, Germany © 2019 Infineon Technologies AG. All Rights Reserved. Do you have a question about this document? Email: security.chipcard.ics@infineon.com Document reference IMPORTANT NOTICE The information given in this document shall in no event be regarded as a guarantee of conditions or characteristics (“Beschaffenheitsgarantie”) . For further information on the product, technology, delivery terms and conditions and prices please contact your nearest Infineon Technologies office (www.infineon.com). With respect to any examples, hints or any typical values stated herein and/or any information regarding the application of the product, Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind, including without limitation warranties of non-infringement of intellectual property rights of any third party. WARNINGS Due to technical requirements products may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies office. In addition, any information given in this document is subject to customer’s compliance with its obligations stated in this document and any applicable legal requirements, norms and standards concerning customer’s products and any use of the product of Infineon Technologies in customer’s applications. Except as otherwise explicitly approved by Infineon Technologies in a written document signed by authorized representatives of Infineon Technologies, Infineon Technologies’ products may not be used in any applications where a failure of the product or any consequences of the use thereof can reasonably be expected to result in personal injury. The data contained in this document is exclusively intended for technically trained staff. It is the responsibility of customer’s technical departments to evaluate the suitability of the product for the intended application and the completeness of the product information given in this document with respect to such application.