Craton HSM

Infineon TPM Backend

The craton-hsm-infineon crate implements the CryptoBackend trait on top of the TCG TSS ESAPI (libtss2-esys), targeting Infineon's SLB 9670 / 9672 discrete TPM 2.0 chips and firmware TPM variants. All cryptographic operations are dispatched to the TPM; no key material leaves the chip.

  • Crate: craton-hsm-infineon
  • Backend type: InfineonTpmBackend
  • License: BSL 1.1
  • MSRV: Rust 1.75
  • Status: pre-release (stub build is stable; hw path has been exercised against swtpm and a limited set of discrete parts; firmware TPM coverage is partial)

Hardware Support

  • Infineon SLB 9670 — discrete TPM 2.0
  • Infineon SLB 9672 — firmware TPM
  • Infineon OPTIGA Trust M — embedded security controller

Infineon SLB 9665 (TPM 1.2) is unsupported — TPM 1.2 is out of scope for this crate.

Feature Flag

Flag | Default | Effect
hw   | off     | Enable real TPM hardware calls via libtss2-esys.

Stub vs. Hardware Modes

Without the hw feature (the default build) this backend is a stub. Every CryptoBackend method returns HsmError::FunctionNotSupported, except the ed25519_* methods, which return HsmError::MechanismInvalid because TPM 2.0 does not define Ed25519 even with hardware present. The constructor emits a tracing::warn! on first use; InfineonTpmBackend::is_stub() reports the build mode.

The default stub behaviour prevents silent software fallback when a deployment forgets to enable hw.

use craton_hsm_infineon::InfineonTpmBackend;
use craton_hsm::crypto::backend::CryptoBackend;

// Default build — stub.
let backend = InfineonTpmBackend::new();
assert!(InfineonTpmBackend::is_stub());

// With --features hw, operations are dispatched to the TPM through
// the ESAPI FFI layer.

TPM2 Primitives (under hw)

  • TPM2_Create / TPM2_Load for transient RSA and ECC keys.
  • TPM2_Sign / TPM2_VerifySignature for RSA (PKCS#1 v1.5, PSS) and ECDSA (P-256).
  • TPM2_EncryptDecrypt2 for symmetric AES (CBC / CTR).
  • TPM2_GetRandom for hardware RNG.
  • TPM2_Hash / TPM2_HashSequenceStart for SHA-2 digests.
  • TPM2_RSA_Encrypt / TPM2_RSA_Decrypt for OAEP.

PCR-based sealing is available once the hw path is fully wired up.

Hardware Build

Add the feature to your Cargo.toml:

[dependencies]
craton-hsm-infineon = { path = "../craton-hsm-infineon", features = ["hw"] }

Install the tpm2-tss development package for your distribution:

# Debian / Ubuntu
sudo apt-get install -y libtss2-dev libtss2-esys-3.0.2-0

# Build with the hw feature
cargo build -p craton-hsm-infineon --features hw

Requirements:

  • tpm2-tss 4.0+ (libtss2-esys, libtss2-tcti-*) and its development headers.
  • A TPM 2.0 chip visible at /dev/tpmrm0 (or an accessible TCTI) and a user with read/write permission on the resource manager device.
  • Linux is the primary supported platform. Windows support via the Windows TBS (TPM Base Services) TCTI is on the roadmap but not currently wired up.

Safety

The default stub build is #![deny(unsafe_code)] at the crate root — there is no unsafe in the stub path at all. Under --features hw, unsafe is scoped to the ffi submodule that binds to libtss2-esys. All marshalling uses the validate_tpm2b_size() bounds-check helper on TPM2B buffers before crossing the FFI boundary.
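
The kind of bounds check described above, as an added example that is not the crate's own code: Tpm2b, Tpm2bError, to_tpm2b and from_tpm2b are hypothetical names, and the 64-byte capacity is a constructed value sized for a SHA-512 digest. It checks both directions: caller data going into the fixed buffer, and the size field read back from the C side.

```rust
// Added example: bounds-checked conversion between Rust slices and a
// TPM2B-shaped C struct. Names are hypothetical, not the crate's API.

/// Layout of a TPM2B_* structure as the TSS headers declare it:
/// a 16-bit length followed by a fixed-capacity byte array.
#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct Tpm2b<const N: usize> {
    pub size: u16,
    pub buffer: [u8; N],
}

#[derive(Debug, PartialEq, Eq)]
pub enum Tpm2bError {
    /// Caller data does not fit the fixed buffer (or a u16 length).
    TooLarge { len: usize, capacity: usize },
    /// `size` field read back from C exceeds the buffer it describes.
    CorruptSize { size: usize, capacity: usize },
}

/// Outbound: copy `data` into a TPM2B, refusing anything that would
/// overflow the buffer or truncate when cast to u16.
pub fn to_tpm2b<const N: usize>(data: &[u8]) -> Result<Tpm2b<N>, Tpm2bError> {
    let capacity = N.min(u16::MAX as usize);
    if data.len() > capacity {
        return Err(Tpm2bError::TooLarge { len: data.len(), capacity });
    }
    let mut out = Tpm2b { size: data.len() as u16, buffer: [0u8; N] };
    out.buffer[..data.len()].copy_from_slice(data);
    Ok(out)
}

/// Inbound: never trust `size` coming back across the FFI boundary;
/// check it against the capacity before slicing.
pub fn from_tpm2b<const N: usize>(t: &Tpm2b<N>) -> Result<&[u8], Tpm2bError> {
    let size = t.size as usize;
    t.buffer.get(..size).ok_or(Tpm2bError::CorruptSize { size, capacity: N })
}

fn main() {
    // Constructed inputs: a 32-byte digest in a 64-byte buffer, then 65 bytes.
    let digest = [0xABu8; 32];
    let t: Tpm2b<64> = to_tpm2b(&digest).unwrap();
    println!("round trip ok: {}", from_tpm2b(&t).unwrap() == &digest[..]);
    println!("oversized: {:?}", to_tpm2b::<64>(&[0u8; 65]).map(|t| t.size));
}
```

Rejecting an oversized slice before the call prevents a write past the C buffer; rejecting an oversized size field afterwards prevents an out-of-bounds read when the response is turned back into a slice.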

Security Considerations

  • Under hw, no key material leaves the TPM; all crypto is TPM-dispatched.
  • The default stub build is intentionally non-functional so deployments that forget to enable hw fail loudly rather than falling back to software crypto.

Error Reporting

Failures surface through craton_hsm::error::HsmError. InfineonTpmBackend::is_stub() distinguishes the build mode at runtime.

Limitations

  • Pre-release. The hw path has been exercised against swtpm and a limited set of discrete Infineon parts. Firmware TPM coverage is partial.
  • No Ed25519. TPM 2.0 does not define Ed25519 and Infineon parts do not expose it. Calls return HsmError::MechanismInvalid regardless of feature flags.
  • Policy customisation not yet exposed. Hierarchy, sessions, and auth policies are managed internally; fine-grained policy customisation is not available through this crate's API.
  • Windows TPM support is on the roadmap. Use Linux for production deployments of this crate in the 0.1.x series.