[tpm2] Re: Infineon SLB 9670 lifetime

[tpm2] Re: Infineon SLB 9670 lifetime

[Florian.Schreiner]

[-- Attachment #1: Type: text/plain, Size: 1543 bytes --]

Hello Tom,

thanks for your interest and to bring up the topics. I would like to provide some additional information on that.
The document you mention is a datasheet, which only contains basic information. Some sections in particular to the integrated firmware is not included in the datasheet, because it is described in the full Databook document. You can get the databook via your distributor, who will grant you access on an Infineon portal for the distribution of such documents. There you will find also more recent documents from 2019.


1.1   Power management

In chapter 4.3 of the document you can find another sleep mode, which is activated when CS# pin is inactive. This is an explicit power-down or standby mode that can be activated by the user. The very low current consumption shows, that in this mode almost everything inside the TPM is deactivated to reduce the power consumption to a very low value.



4.2   Functional Operational Range

The SLB 9670 is the consumer variant of TPM, so therefore the lifetime is similar to consumer devices, which also have a much more limited lifetime (e.g. PC, workstation, tablet). There are other TPM variants for industrial -  SLM 9670 - and for automotive - SLI 9670 -. The industrial SLM 9670 has a lifetime for 20 years, see https://www.infineon.com/cms/de/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/slm-9670/ The datasheet is in the top right corner.

I hope this helps to clarify these topics.

Best regards,
Florian


[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 8289 bytes --]

[tpm2] Re: Infineon SLB 9670 lifetime

[Florian.Schreiner]

[-- Attachment #1: Type: text/plain, Size: 1286 bytes --]

The TPM usage is not related to any attack, because it refers to usage of the TPM cryptography in the system. In PCs and notebooks/tablets the usage is lower, because there is typically only one main user. There are also servers in the consumer domain, which are used by multiple users ins parallel. Server manufacturer estimate the TPM usage with 5%.
Given the attacks on security software (e.g. heartbleed), it’s probably an even worse idea to use software (with the basic hw accelerator of the CPU) to generate data. The question is if there is a better alternative.

Best,
Florian


From: Steven Clark <davolfman(a)gmail.com>
Sent: Freitag, 21. Februar 2020 18:19
To: Tomasz Przybysz <tomasz.przybysz(a)mikronika.com.pl>
Cc: tpm2 <tpm2(a)lists.01.org>
Subject: [tpm2] Re: Infineon SLB 9670 lifetime

Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safe<http://iweb.infineon.com/en-US/Support/security/CDC/pse/Pages/pce.aspx>.


5% usage is honestly a crazy amount.  Given recent timing attack research it's probably not a good idea to be generating that much data about a TPM.  For lighter use, it could easily be 2 seconds a day (on recent kernels) instead of 2 minutes an hour.

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 5103 bytes --]

[tpm2] Re: Infineon SLB 9670 lifetime

[Tomasz Przybysz]

[-- Attachment #1: Type: text/plain, Size: 896 bytes --]

Thank you,

This resolves our problem.

Best regards,
Tom

W dniu 2020-02-21 o 14:52, Alexander Steffen pisze:
On 20.02.2020 11:53, Tomasz Przybysz wrote:
Is it true? This is disqualification. Industrial equipment should work much longer, 15-20 years. It's not suitable for industrial equipment.
It's good for ink toner cartridge.

If those are your requirements, simply choose the SLM 9670 which is designed for up to 20 years in industrial applications :)

https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/slm-9670/

Kind regards
Alexander
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org<mailto:tpm2(a)lists.01.org>
To unsubscribe send an email to tpm2-leave(a)lists.01.org<mailto:tpm2-leave(a)lists.01.org>
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s


[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 1645 bytes --]

[tpm2] Re: Infineon SLB 9670 lifetime

[Steven Clark]

[-- Attachment #1: Type: text/plain, Size: 255 bytes --]

5% usage is honestly a crazy amount.  Given recent timing attack research
it's probably not a good idea to be generating that much data about a TPM.
For lighter use, it could easily be 2 seconds a day (on recent kernels)
instead of 2 minutes an hour.

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 280 bytes --]

[tpm2] Re: Infineon SLB 9670 lifetime

[Alexander Steffen]

[-- Attachment #1: Type: text/plain, Size: 516 bytes --]

On 20.02.2020 11:53, Tomasz Przybysz wrote:
> Is it true? This is disqualification. Industrial equipment should work 
> much longer, 15-20 years. It's not suitable for industrial equipment.
> It's good for ink toner cartridge.

If those are your requirements, simply choose the SLM 9670 which is 
designed for up to 20 years in industrial applications :)

https://www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-tpm/slm-9670/

Kind regards
Alexander

[tpm2] Re: Infineon SLB 9670 lifetime

[Emmanuel Deloget]

[-- Attachment #1: Type: text/plain, Size: 864 bytes --]

Hello Luke,

On Fri, Feb 21, 2020 at 8:34 AM Luke Hinds <lhinds(a)redhat.com> wrote:
>
> Not an expert legal, but I believe "useful lifetime" is for accounting purposes, its not a statement on how long a device is expected to remain in working order, its used to define when its value depreciates as an asset.

It seems that in this particular datasheet [1] the "useful lifetime"
is indeed the time during which you can use the device - which seems
weird. In this particular version of the DS, it's listed in (5.2 -
Functional Operating Range) as having a max of 10 years and the same
value is given for the operational lifetime.

I have yet to find another TPM2 that list such a value in its DS.

BR,

-- Emmanuel Deloget

[1] https://www.infineon.com/dgdl/Infineon-SLB%209670VQ2.0-DataSheet-v01_00-EN.pdf?fileId=5546d4626fc1ce0b016fc78270350cd6

[tpm2] Re: Infineon SLB 9670 lifetime

[Luke Hinds]

[-- Attachment #1: Type: text/plain, Size: 1944 bytes --]

Not an expert legal, but I believe "useful lifetime" is for accounting
purposes, its not a statement on how long a device is expected to remain in
working order, its used to define when its value depreciates as an asset.

Cars, fax machines, computers etc all appear to have the standard 5 years

https://www.investopedia.com/ask/answers/051215/how-do-you-determine-tangible-assets-useful-life.asp

On Thu, 20 Feb 2020, 10:55 Tomasz Przybysz, <
tomasz.przybysz(a)mikronika.com.pl> wrote:

> Hi,
>
> Do you know ?
>
>
>
> From data sheet:
>
> SLB 9670 TPM2.0
> SLB 9670 TCG Family 2 Level 00 Rev. 01.16 Data Sheet, Revision 1.0,
> 2015-11-05:
>
>
> 1.1 Power Management
> In the SLB 9670, power management is handled internally; no explicit
> power-down or standby mode is
> available. The device automatically enters a low-power state after each
> successful command/response
> transaction. If a transaction is started on the SPI bus from the host
> platform, the device will wake immediately
> and will return to the low-power mode after the transaction has been
> finished.
>
>
> 4.2 Functional Operating Range
>
> 1) *The useful lifetime of the device is 5 (five) years with a duty cycle
> (that means, a power-on time) of 100%. A useful*
> *lifetime of 7 (seven) years can be guaranteed for a duty cycle of 70%.
> For both scenarios, it is assumed that the device*
> *will be used for calculations for approximately 5% of the maximum useful
> lifetime.*
>
> Is it true? This is disqualification. Industrial equipment should work
> much longer, 15-20 years. It's not suitable for industrial equipment.
> It's good for ink toner cartridge.
>
>
> Best regards,
> Tom
>
>
>
>
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org
> %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 3138 bytes --]

[tpm2] Re: Infineon SLB 9670 lifetime

[nicolasoliver03]

[-- Attachment #1: Type: text/plain, Size: 622 bytes --]

Good information Tomasz!

In the Nuvoton NPCT42x specs, there is no indication of expected useful lifetime.

https://media.digikey.com/pdf/Data%20Sheets/Nuvoton%20PDFs/NPCT42x_Preliminary_Rev1.1.pdf

But I also found that there is a TCG subgroup dedicated to the Industrial space, with representation from Infineon

https://trustedcomputinggroup.org/work-groups/industrial/

And they are recommending the use of TPMs to protect industrial IoT equipments apparently:

https://trustedcomputinggroup.org/resource/standards-securing-industrial-equipment/
https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf