nRF5 SDK v17.0.2
Infineon OPTIGA™ Trust X Software Framework

Infineon OPTIGA Trust X is a high-end security controller with a versatile set of features to secure devices.

See Trust X Datasheet for detailed information on the framework.

Trust X Software Framework

On a Nordic platform, there are two APIs to use the functions of Trust X:

  1. The OPTIGA™ backend, which operates on top of the native Trust X API.
  2. The native Trust X API, split into Crypt API and Util API.

While the backend API implementation is Nordic-specific, the native API is portable and also available on other host platforms. Furthermore, the native API exposes the complete function set of Trust X that is required for personalization. It includes, for example, functions for reading and writing data objects.

Figure: Trust X Software Framework

The OPTIGA Trust X software framework is composed of the following layers (top to bottom):

External resources and documentation

More information can be found at:

Note
The Infineon OPTIGA Trust X hardware security module must be acquired separately, for example on a development board in Arduino-compatible form factor, and compatible with the Nordic development kit. For more information, see Trust X evaluation and development kits.

Important information

Read this section before you start the configuration process.

Supported Hardware Configurations

The nRF5x PAL supports the Nordic PCA10040 and PCA10056 boards with two different shields. It provides a set of pre-configured pin configurations in pal_pin_config.h.

To select a configuration, set one of the following defines to 1:

Hardware Configuration                            C Macro
My IoT adapter + Trust X Shield2Go in Slot 1      OPTIGA_PIN_CONFIG_MYIOT_SLOT1
My IoT adapter + Trust X Shield2Go in Slot 2/3    OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3
Trust X Shield onboard OPTIGA                     OPTIGA_PIN_CONFIG_TRUSTX_SHIELD
Trust X Shield + Trust X Shield2Go                OPTIGA_PIN_CONFIG_2GO

My IoT adapter

My IoT Adapter (in Arduino form factor) supports three slots of 2Go form factor boards. A Trust X Shield2Go can be plugged into any of the three slots.

If the Trust X Shield2Go is plugged into slot 1, select OPTIGA_PIN_CONFIG_MYIOT_SLOT1; otherwise, use OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3.

For more information about My IoT, visit the Shield2Go & My IoT page.

Trust X Shield

The Trust X Shield (in Arduino form factor) has an OPTIGA Trust X soldered directly on the board. It can select a Trust X Shield2Go board plugged into the respective slot, and it can enable and disable VDD for each slot.

If you want to use the onboard OPTIGA Trust X, use OPTIGA_PIN_CONFIG_TRUSTX_SHIELD.

If you want to use a Trust X Shield2Go plugged into the OPTIGA slot, use OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3.

Pin Conflict with Nordic PCA10040 and Trust X Shield

When using the Nordic PCA10040 board with the Trust X Shield, the LEDs BSP_BOARD_LED_1 and BSP_BOARD_LED_2 must not be used. These pins are needed for the correct operation of the OPTIGA Trust X.

Required configuration

Due to EasyDMA restrictions on nRF52832 devices, it is necessary to set a project-level define DL_MAX_FRAME_SIZE=250 to use the nRF5x Platform Abstraction Layer (PAL). This PAL is required by the Trust X host library, which is used by the OPTIGA backend implementation.

The OPTIGA software framework allocates memory on the heap. For proper operation, the heap should be equal to or larger than 8,192 bytes.

Hardware compatibility

When using the Nordic PCA10040 board with the Trust X Shield, the LEDs BSP_BOARD_LED_1 and BSP_BOARD_LED_2 must not be used. These pins are needed for the correct operation of the OPTIGA Trust X.

To use the PAL together with other I2C devices, and to be able to run it on a BLE Shield2Go as well, define IFX_2GO_SUPPORT at project level.
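
The constraints from the sections above (exactly one pin configuration set to 1, DL_MAX_FRAME_SIZE=250, a heap of at least 8,192 bytes, and no use of BSP_BOARD_LED_1 or BSP_BOARD_LED_2 on a PCA10040 with the Trust X Shield) can be checked in one place. The following is an added example, not code from the SDK or the Infineon framework; the optiga_build_cfg_t type, the CFG_* bits and the sample values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical error bits for this added example. */
enum {
    CFG_PIN_NONE       = 1 << 0, /* no OPTIGA_PIN_CONFIG_* set to 1        */
    CFG_PIN_MULTIPLE   = 1 << 1, /* more than one OPTIGA_PIN_CONFIG_* is 1 */
    CFG_FRAME_SIZE     = 1 << 2, /* DL_MAX_FRAME_SIZE is not 250           */
    CFG_HEAP_TOO_SMALL = 1 << 3, /* heap below 8,192 bytes                 */
    CFG_LED_CONFLICT   = 1 << 4  /* PCA10040 + Trust X Shield uses LED 1/2 */
};

/* Hypothetical snapshot of the project-level settings this page names. */
typedef struct {
    int      pin_myiot_slot1;     /* OPTIGA_PIN_CONFIG_MYIOT_SLOT1        */
    int      pin_myiot_slot2_3;   /* OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3      */
    int      pin_trustx_shield;   /* OPTIGA_PIN_CONFIG_TRUSTX_SHIELD      */
    int      pin_2go;             /* OPTIGA_PIN_CONFIG_2GO                */
    uint32_t dl_max_frame_size;   /* DL_MAX_FRAME_SIZE                    */
    uint32_t heap_bytes;          /* heap size configured for the project */
    bool     pca10040_with_trustx_shield;
    bool     app_uses_led_1_or_2; /* BSP_BOARD_LED_1 / BSP_BOARD_LED_2    */
} optiga_build_cfg_t;

/* Returns 0 when the settings satisfy every constraint, else a bit mask. */
uint32_t optiga_build_cfg_check(const optiga_build_cfg_t *c)
{
    uint32_t err = 0;
    int selected = (c->pin_myiot_slot1 == 1) + (c->pin_myiot_slot2_3 == 1)
                 + (c->pin_trustx_shield == 1) + (c->pin_2go == 1);

    if (selected == 0) err |= CFG_PIN_NONE;
    if (selected > 1)  err |= CFG_PIN_MULTIPLE;
    if (c->dl_max_frame_size != 250u) err |= CFG_FRAME_SIZE;
    if (c->heap_bytes < 8192u)        err |= CFG_HEAP_TOO_SMALL;
    if (c->pca10040_with_trustx_shield && c->app_uses_led_1_or_2)
        err |= CFG_LED_CONFLICT;
    return err;
}

/* Constructed sample: onboard OPTIGA on the Trust X Shield, valid settings. */
const optiga_build_cfg_t sample_ok   = { 0, 0, 1, 0, 250u, 8192u, true, false };
/* Constructed sample: two pin configs, wrong frame size, small heap, LEDs used. */
const optiga_build_cfg_t sample_bad  = { 1, 0, 1, 0, 255u, 4096u, true, true };
/* Constructed sample: no pin configuration selected at all. */
const optiga_build_cfg_t sample_none = { 0, 0, 0, 0, 250u, 8192u, false, false };
```

In firmware, the same conditions are usually enforced at compile time with #if and #error on the actual defines, so that a misconfigured project fails to build.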

Trust X Crypt and Util API (native API)

Initialization

To use Infineon Trust X without the nrf_crypto API and backend implementation, it must be initialized. The following code snippet demonstrates how to do this:

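int32_t status = (int32_t) OPTIGA_LIB_ERROR;
// Initialize PAL
pal_gpio_init();
pal_os_event_init();
// Open the OPTIGA application so that status reflects the real result.
// optiga_comms is assumed to be the communication context provided by the PAL configuration.
status = (int32_t) optiga_util_open_application(&optiga_comms);
if (OPTIGA_LIB_SUCCESS != status)
{
    NRF_LOG_INFO("Failure: CmdLib_OpenApplication(): 0x%04X", status);
}
else
{
    NRF_LOG_INFO("Success: CmdLib_OpenApplication(): 0x%04X", status);
}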

Data objects and personalization

A major capability of Trust X is to safely store cryptographic material, such as private keys for authentication, or public-key certificates for verification.

These credentials are stored in highly-protected areas of Trust X. These areas are called data objects, and they can be protected from reading or writing. Typically, these data objects are initialized by the product manufacturer or system owner, for example during production. In order to properly initialize the data objects, the native Util API provides the functions:

A complete example demonstrating the personalization of Trust X data objects for Amazon AWS is located on GitHub: Trust X Personalization. Complete documentation for the API is available at Crypt API.

I2C Protocol Stack Library

The Infineon I2C Protocol Stack library enables communication with Infineon OPTIGA Trust X products. The protocol stack consists of three layers that relate to the ISO OSI (Open Systems Interconnection) model: transport, data link, and physical. Beneath is a host-specific platform abstraction layer (PAL), which interfaces to a host's I2C driver or I2C peripheral.

Please see Infineon I2C Protocol Stack Library for more details.

