Infineon OPTIGA Trust X is a high-end security controller with a versatile set of features to secure devices.
See Trust X Datasheet for detailed information on the framework.
On a Nordic platform, there are two APIs to use the functions of Trust X:
While the backend API implementation is Nordic-specific, the native API is portable and also available on other host platforms. Furthermore, the native API exposes the complete function set of Trust X that is required for personalization. It includes, for example, functions for reading and writing data objects.
The OPTIGA Trust X software framework is composed of the following layers (top to bottom):
More information can be found at:
Read this section before you start the configuration process.
The nRF5x PAL supports the Nordic PCA10040 and PCA10056 boards with two different shields. It provides a set of pre-configured pin configurations in pal_pin_config.h.
To select a configuration, set one of the following defines to 1:
Hardware Configuration | C Macro |
---|---|
My IoT adapter + Trust X Shield2Go in Slot 1 | OPTIGA_PIN_CONFIG_MYIOT_SLOT1 |
My IoT adapter + Trust X Shield2Go in Slot 2/3 | OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3 |
Trust X Shield onboard OPTIGA | OPTIGA_PIN_CONFIG_TRUSTX_SHIELD |
Trust X Shield + Trust X Shield2Go | OPTIGA_PIN_CONFIG_2GO |
My IoT Adapter (in Arduino form factor) supports three slots of 2Go form factor boards. A Trust X Shield2Go can be plugged into any of the three slots.
If the Trust X Shield2Go is plugged into slot 1, select OPTIGA_PIN_CONFIG_MYIOT_SLOT1; otherwise, use OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3.
For more information about My IoT, visit the Shield2Go & My IoT page.
The Trust X Shield (in Arduino form factor) has an OPTIGA Trust X soldered directly on the board. It can select a Trust X Shield2Go board plugged into the respective slot, and it can enable and disable VDD for each slot.
If you want to use the onboard OPTIGA Trust X, use OPTIGA_PIN_CONFIG_TRUSTX_SHIELD.
If you want to use a Trust X Shield2Go plugged into the OPTIGA slot, use OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3.
When using the Nordic PCA10040 board with the Trust X Shield, the LEDs BSP_BOARD_LED_1 and BSP_BOARD_LED_2 must not be used. These pins are needed for the correct operation of the OPTIGA Trust X.
Due to EasyDMA restrictions on nRF52832 devices, it is necessary to set a project-level define DL_MAX_FRAME_SIZE=250 to use the nRF5x Platform Abstraction Layer (PAL). This PAL is required by the Trust X host library, which is used by the OPTIGA backend implementation.
The OPTIGA software framework allocates memory on the heap. For proper operation, the heap should be equal to or larger than 8,192 Bytes.
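The constraints above (exactly one pin configuration set to 1, DL_MAX_FRAME_SIZE=250 on nRF52832, at least 8,192 bytes of heap) can be enforced at build time so a misconfigured firmware never reaches a device. The following is an added example, not code from the Nordic SDK or the Infineon host library. APP_HEAP_SIZE, TARGET_IS_NRF52832, the CFG_ERR_* names and optiga_cfg_errors are hypothetical names chosen for this example, and the macro values are constructed sample settings.

```c
/* Constructed sample build settings. In a real project the pin macros are set
 * in pal_pin_config.h and DL_MAX_FRAME_SIZE is a project-level define.
 * APP_HEAP_SIZE and TARGET_IS_NRF52832 are hypothetical names for this example. */
#define OPTIGA_PIN_CONFIG_MYIOT_SLOT1   0
#define OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3 0
#define OPTIGA_PIN_CONFIG_TRUSTX_SHIELD 1
#define OPTIGA_PIN_CONFIG_2GO           0
#define DL_MAX_FRAME_SIZE               250
#define APP_HEAP_SIZE                   8192
#define TARGET_IS_NRF52832              1

enum {
    CFG_ERR_PIN_SELECT = 1 << 0, /* not exactly one pin configuration set to 1 */
    CFG_ERR_FRAME_SIZE = 1 << 1, /* nRF52832 build without DL_MAX_FRAME_SIZE=250 */
    CFG_ERR_HEAP       = 1 << 2  /* heap smaller than 8,192 bytes */
};

/* Constant expression: the same rules serve the build-time and run-time check. */
#define OPTIGA_CFG_ERRORS(s1, s23, shield, go, nrf52832, frame, heap)        \
    ((((s1) == 1) + ((s23) == 1) + ((shield) == 1) + ((go) == 1) != 1        \
          ? CFG_ERR_PIN_SELECT : 0) |                                        \
     (((nrf52832) && (frame) != 250) ? CFG_ERR_FRAME_SIZE : 0) |             \
     (((heap) < 8192) ? CFG_ERR_HEAP : 0))

/* Fail the build if the project settings break a documented constraint. */
_Static_assert(OPTIGA_CFG_ERRORS(OPTIGA_PIN_CONFIG_MYIOT_SLOT1,
                                 OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3,
                                 OPTIGA_PIN_CONFIG_TRUSTX_SHIELD,
                                 OPTIGA_PIN_CONFIG_2GO, TARGET_IS_NRF52832,
                                 DL_MAX_FRAME_SIZE, APP_HEAP_SIZE) == 0,
               "OPTIGA Trust X build configuration violates a constraint");

/* Run-time form of the same check; returns a bitmask of CFG_ERR_* flags. */
int optiga_cfg_errors(int s1, int s23, int shield, int go,
                      int nrf52832, int frame, long heap)
{
    return OPTIGA_CFG_ERRORS(s1, s23, shield, go, nrf52832, frame, heap);
}

int main(void)
{
    /* Exit status 0 means the sample settings above pass every check. */
    return optiga_cfg_errors(OPTIGA_PIN_CONFIG_MYIOT_SLOT1,
                             OPTIGA_PIN_CONFIG_MYIOT_SLOT2_3,
                             OPTIGA_PIN_CONFIG_TRUSTX_SHIELD,
                             OPTIGA_PIN_CONFIG_2GO, TARGET_IS_NRF52832,
                             DL_MAX_FRAME_SIZE, APP_HEAP_SIZE);
}
```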
To use the PAL together with other I2C devices and also be able to run it on a BLE Shield2Go, define IFX_2GO_SUPPORT at project level.
To use Infineon Trust X without the nrf_crypto API and backend implementation, it must be initialized. The following code snippet demonstrates how to do this:
A major capability of Trust X is to safely store cryptographic material, such as private keys for authentication, or public-key certificates for verification.
These credentials are stored in highly-protected areas of Trust X. These areas are called data objects, and they can be protected from reading or writing. Typically, these data objects are initialized by the product manufacturer or system owner, for example during production. In order to properly initialize the data objects, the native Util API provides the functions:
A complete example demonstrating the personalization of Trust X data objects for Amazon AWS is located on GitHub: Trust X Personalization. Complete documentation for the API is available at Crypt API.
The Infineon I2C Protocol Stack library enables communication with Infineon OPTIGA Trust X products. The protocol stack consists of three layers that relate to the ISO OSI (Open Systems Interconnection) model: transport, data link, and physical. Beneath these layers is a host-specific platform abstraction layer (PAL), which interfaces to a host's I2C driver or I2C peripheral.
Please see Infineon I2C Protocol Stack Library for more details.