Keeping Your Pi Safe

The Raspberry Pi has a wide range of IoT applications in personal and industrial domains. Remote access to such devices makes them vulnerable to security risks that can affect their credibility and operation. Meeting international security standards such as Common Criteria, FIPS, ISO, and IEC requires hardening the software and the hardware of such devices to eliminate potential risks. In Part 1 of a two-part article series, Gamal shares his experience applying the Infineon-based TPM9670 encryption module to make Pi security easier and more effective.

Security processors are regular components of modern computers. Modern laptops include a processor called a “Trusted Platform Module” or “TPM” that adds a security layer based on encryption. This TPM can encrypt data on local storage and while it is being sent and received via the Internet. It also ensures secure booting of the computer against loading malicious software. Fortunately, TPMs are not confined to end-user computing facilities, and they can be found in standalone versions suitable for single-board computers (SBCs).

I found that an Infineon TPM9670 breakout board can add significant security to a Raspberry Pi 4. I deployed the board with the help of manufacturer documentation, Raspberry Pi Forums, and ChatGPT.

In the first article on this security solution, I present the basic encryption functions that can be executed in a command shell for the Embedded Linux TPM Toolbox 2 (ELTT2). I also demonstrate the TPM Software Stack (TSS) capabilities that may be embedded in user applications for signing and verifying data, and file and disk encryption.

In the second article, I will discuss the role of TPM in establishing secure booting and long-term identity keys for SSL/TLS communication.