Infineon OPTIGA Trust X is a high-end security controller with a versatile set of features to secure devices.
See Trust X Datasheet for detailed information on the framework.
Trust X Software Framework
On a Nordic platform, there are two APIs to use the functions of Trust X:
- The OPTIGA™ backend, which operates on top of the native Trust X API.
- The native Trust X API, split into Crypt API and Util API.
While the backend API implementation is Nordic-specific, the native API is portable and also available on other host platforms. Furthermore, the native API exposes the complete function set of Trust X that is required for personalization. It includes, for example, functions for reading and writing data objects.
The OPTIGA Trust X software framework is composed of the following layers (top to bottom):
- Crypt API and Util API, a set of high-level APIs to use Trust X services.
- OPTIGA Trust X Command Library, a lower-level API, documented in the Trust X Solution Reference Manual (SRM).
- Infineon I2C Protocol implementation to exchange commands via I2C with the Trust X device.
- An implementation of the Platform Abstraction Layer (PAL) for the Nordic nRF5x platform: pal_gpio.c, pal_i2c.c, pal_ifx_i2c_config.c, pal_os.c and pal_os_lock.c.
External resources and documentation
More information can be found at:
- Infineon OPTIGA Trust X product page: OPTIGA Trust X product website
- Latest version of OPTIGA Trust X software framework: OPTIGA™ Trust X Software Framework on Github.com
- Latest version of OPTIGA Trust X documentation: OPTIGA™ Trust X Wiki on Github.com
- List of technical documents and specifications: List of OPTIGA™ Trust X Documents
Note: The Infineon OPTIGA Trust X hardware security module must be acquired separately, for example on a development board in Arduino-compatible form factor, and compatible with the Nordic development kit. For more information, see Trust X evaluation and development kits.
Important information
Read this section before you start the configuration process.
Supported Hardware Configurations
The nRF5x PAL supports the Nordic PCA10040 and PCA10056 boards with two different shields. It provides a set of pre-configured pin configurations in `pal_pin_config.h`.
To select a configuration, set one of the following defines to `1`:
| Hardware Configuration | C Macro |
|---|---|
| My IoT adapter + Trust X Shield2Go in Slot 1 | `OPTIGA_PIN_CONFIG_MYIOT_SLOT1` |
| My IoT adapter + Trust X Shield2Go in Slot 2/3 | `OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3` |
| Trust X Shield onboard OPTIGA | `OPTIGA_PIN_CONFIG_TRUSTX_SHIELD` |
| Trust X Shield + Trust X Shield2Go | `OPTIGA_PIN_CONFIG_2GO` |
My IoT adapter
My IoT Adapter (in Arduino form factor) supports three slots of 2Go form factor boards. A Trust X Shield2Go can be plugged into any of the three slots.
If the Trust X Shield2Go is plugged into slot 1, select `OPTIGA_PIN_CONFIG_MYIOT_SLOT1`; otherwise, use `OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3`.
For more information about My IoT, visit the Shield2Go & My IoT page.
Trust X Shield
The Trust X Shield (in Arduino form factor) has an OPTIGA Trust X soldered directly on the board. It can select a Trust X Shield2Go board plugged into the respective slot and enable and disable `VDD` for each slot.
If you want to use the onboard OPTIGA Trust X, use `OPTIGA_PIN_CONFIG_TRUSTX_SHIELD`.
If you want to use a Trust X Shield2Go plugged into the `OPTIGA` slot, use `OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3`.
Pin Conflict with Nordic PCA10040 and Trust X Shield
When using the Nordic PCA10040 board with the Trust X Shield, the LEDs BSP_BOARD_LED_1 and BSP_BOARD_LED_2 must not be used. These pins are needed for the correct operation of the OPTIGA Trust X.
Required configuration
Due to EasyDMA restrictions on nRF52832 devices, it is necessary to set a project-level define `DL_MAX_FRAME_SIZE=250` to use the nRF5x Platform Abstraction Layer (PAL). This PAL is required by the Trust X host library, which is used by the OPTIGA backend implementation.
The OPTIGA software framework allocates memory on the heap. For proper operation, the heap should be equal to or larger than 8,192 Bytes.
Hardware compatibility
When using the Nordic PCA10040 board with the Trust X Shield, the LEDs `BSP_BOARD_LED_1` and `BSP_BOARD_LED_2` must not be used. These pins are needed for the correct operation of the OPTIGA Trust X.
To use the PAL together with other I2C devices, and to be able to run it on a BLE Shield2Go as well, define `IFX_2GO_SUPPORT` at project level.
Trust X Crypt and Util API (native API)
Initialization
To use Infineon Trust X without the nrf_crypto API and backend implementation, it must be initialized. The following code snippet demonstrates how to do this:
Data objects and personalization
A major capability of Trust X is to safely store cryptographic material, such as private keys for authentication, or public-key certificates for verification.
These credentials are stored in highly-protected areas of Trust X. These areas are called data objects, and they can be protected from reading or writing. Typically, these data objects are initialized by the product manufacturer or system owner, for example during production. In order to properly initialize the data objects, the native Util API provides the functions:
- optiga_util_read_data()
- optiga_util_write_data()
- optiga_util_read_metadata()
- optiga_util_write_metadata()
A complete example demonstrating the personalization of Trust X data objects for Amazon AWS is located on Github: Trust X Personalization. Complete documentation for the API is available at Crypt API.
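A check that fits at the end of personalization, as an added example that is not from the original page or from Infineon's code: it parses a metadata buffer of the kind `optiga_util_read_metadata()` returns and classifies the read and change access conditions, so a production script can confirm that a credential slot is actually protected. The tag and access-condition byte values are assumptions based on the SRM's metadata description and should be confirmed there; `classify_ac`, `slot_is_sealed` and the sample buffer are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

/* Tag and access-condition bytes per the SRM metadata description;
 * treated here as assumptions to confirm against the SRM. */
#define TAG_METADATA  0x20
#define TAG_CHANGE_AC 0xD0
#define TAG_READ_AC   0xD1
#define AC_ALWAYS     0x00
#define AC_NEVER      0xFF

typedef enum { AC_ABSENT, AC_OPEN, AC_CONDITIONAL, AC_LOCKED, AC_MALFORMED } ac_state_t;

/* Walk the TLV entries inside a metadata buffer and classify the access
 * condition carried under wanted_tag (TAG_CHANGE_AC or TAG_READ_AC). */
ac_state_t classify_ac(const uint8_t *md, size_t len, uint8_t wanted_tag)
{
    if (len < 2 || md[0] != TAG_METADATA || (size_t)md[1] + 2 > len)
        return AC_MALFORMED;
    size_t end = (size_t)md[1] + 2;
    size_t pos = 2;
    while (pos < end) {
        if (pos + 2 > end)
            return AC_MALFORMED;                 /* tag without a length byte */
        uint8_t tag = md[pos], tlen = md[pos + 1];
        if (pos + 2 + tlen > end)
            return AC_MALFORMED;                 /* value overruns the buffer */
        if (tag == wanted_tag) {
            if (tlen == 1 && md[pos + 2] == AC_ALWAYS) return AC_OPEN;
            if (tlen == 1 && md[pos + 2] == AC_NEVER)  return AC_LOCKED;
            return tlen == 0 ? AC_MALFORMED : AC_CONDITIONAL; /* e.g. lifecycle expression */
        }
        pos += 2 + (size_t)tlen;
    }
    return AC_ABSENT;
}

/* Constructed sample: one skipped entry, change = never, read = always. */
static const uint8_t sample_md[] = { 0x20, 0x09, 0xC0, 0x01, 0x01,
                                     0xD0, 0x01, 0xFF, 0xD1, 0x01, 0x00 };

/* A private credential slot should be neither writable nor readable. */
int slot_is_sealed(const uint8_t *md, size_t len)
{
    return classify_ac(md, len, TAG_CHANGE_AC) == AC_LOCKED &&
           classify_ac(md, len, TAG_READ_AC) == AC_LOCKED;
}
```

The sample buffer reports a write-locked but freely readable object, which suits a public-key certificate and not a secret; `AC_CONDITIONAL` results need the expression checked by hand against the SRM.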
I2C Protocol Stack Library
The Infineon I2C Protocol Stack library enables communication with Infineon OPTIGA Trust X products. The protocol stack consists of three layers that relate to the ISO OSI (Open Systems Interconnection) model: transport, data link, and physical. Beneath is a host-specific platform abstraction layer (PAL), which interfaces to a host's I2C driver or I2C peripheral.
Please see Infineon I2C Protocol Stack Library for more details.