For educational purposes I want to demonstrate the communication with an Infineon OPTIGA TPM SLM 9670 TPM 2.0 on the SPI bus level. I have an FTDI C232HM-DDHSL-0 USB cable and FTDI's MPSSE-SPI library allows me to perform SPI read and write operations with the TPM.
But I cannot find any documentation about what bytes I actually have to send to the TPM in order to execute commands. Section 6.4.6 of the TPM Profile (PTP) Specification tells me that there are address bytes and data bytes. But what about the actual commands? E.g. what do I have to send to execute _TPM_Init and so on? The Trusted Platform Module Library only seems to talk about these functions on a higher level.
The online TPM-JS emulator shows what bytes it is using. But I don't understand how to apply this to my scenario.
Also there is the wolfTPM project which is apparently implementing the bitwise TPM communication by itself. But I would rather use the documentation they were using instead of digging into their source code.
Any hint would be appreciated!
The lowest level on top of SPI is the TIS layer (TPM Interface Specification). Basically, there are registers you can read from and write to. These register addresses always start with D4, followed by two bytes.
One of those registers is the Data FIFO register (address ...). Basically you write the TPM command into that register. Then you tell the TPM to execute that command (by writing into another register) and then you wait (i.e. poll a register for a flag) until the TPM is done. The response can then be read from the Data FIFO register.
If I have the time, I'll edit this message and add example traffic.
The TPM commands and responses are specified in the Trusted Platform Module Library Spec, Part 3: Commands. They typically contain complex structures which are specified in Part 2: Structures.
Note that only the TPM commands and responses are shown in the TPM-JS emulator, not the TIS protocol bytes.
To be honest, the specifications are not beginner-friendly. I would advise looking at source code for the TPM commands and responses. My go-to resource is the TSS (TPM Software Stack).
Note that you can use the TSS or the tpm-tools and capture the TPM commands and responses using Wireshark (either by using the TPM simulator which uses sockets or by using the --tcti "pcap:device:/dev/tpm0" option which dumps the traffic into a pcap file). Unfortunately Wireshark cannot dissect all TPM commands down to the last byte (yet).
Here, you have an example of what a command looks like. This one starts with 80 02, i.e. a password session (that means you have an authorization area). Some commands do not need that and can be sent without any session (they start with 80 01).
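The register sequence described in the answer, as an added example that is not part of the original post: it builds the bytes the host clocks out to send TPM2_Startup(TPM_SU_CLEAR), a command that starts with 80 01, through the Data FIFO. The locality 0 register offsets and status bits are taken from the TCG PTP specification; the function names are hypothetical, and the sketch assumes the locality is already active and leaves out burstCount and SPI wait-state handling.

```python
import struct

# Locality 0 register offsets (TCG PTP); the SPI address is 0xD40000 + offset.
TPM_BASE = 0xD40000
TPM_STS, TPM_DATA_FIFO = 0x0018, 0x0024
STS_COMMAND_READY, STS_GO = 0x40, 0x20

def spi_header(read, addr, size):
    """4-byte PTP SPI header: read/write bit plus (size - 1), then the 24-bit address."""
    if not 1 <= size <= 64:
        raise ValueError("one SPI transaction carries 1..64 data bytes")
    return bytes([(0x80 if read else 0x00) | (size - 1)]) + addr.to_bytes(3, "big")

def write_frames(offset, data):
    """Split a register write into transactions of at most 64 data bytes each."""
    chunks = (data[i:i + 64] for i in range(0, len(data), 64))
    return [spi_header(False, TPM_BASE + offset, len(c)) + c for c in chunks]

def read_frame(offset, size):
    """Header for a register read; the TPM returns `size` bytes after it."""
    return spi_header(True, TPM_BASE + offset, size)

def tpm2_startup_clear():
    """Tag 80 01 (no sessions), total size 12, command code 0x144, TPM_SU_CLEAR."""
    return struct.pack(">HIIH", 0x8001, 12, 0x00000144, 0x0000)

def startup_transcript():
    """Host-to-TPM byte strings, in order, for one TPM2_Startup exchange."""
    frames = write_frames(TPM_STS, bytes([STS_COMMAND_READY]))   # enter ready state
    frames += write_frames(TPM_DATA_FIFO, tpm2_startup_clear())  # command into FIFO
    frames += write_frames(TPM_STS, bytes([STS_GO]))             # start execution
    frames.append(read_frame(TPM_STS, 1))                        # poll the status byte
    return frames

if __name__ == "__main__":
    for frame in startup_transcript():
        print(frame.hex(" "))
```

The last frame is repeated until the status byte reports that data is available; the response is then read from the Data FIFO register with read transactions built the same way.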