This repository aims to give an overview & documentation on the OPTIGA™ Trust M Product Family.
It will link to various other repositories, which will handle the Get-Started Guides, Host Libraries or Example Applications.
- Quick Overview
- Product Information
- Host Software
- Evaluation and development kits
- Documentation
- Board assembly recommendations
The OPTIGA™ Trust M is a high-end security controller based on Common Criteria EAL 6+ (high) certified hardware. It keeps your data secured and accelerates cryptographic operations on embedded plattforms.
For more information, visit the Product Webpage or skip to the Product Information section.
The following link will help getting started with the OPTIGA™ Trust M on one of our Evaluation Plattforms:
A list of supported Evaluation Kits can be found below.
To interface with any chip of the OPTIGA™ Trust M family, you will need to port and use the OPTIGA™ Trust M Host Library for C on your (embedded) plattform.
The OPTIGA™ Trust M Host Library for C is available here:
OPTIGA™ Trust M Host Library for C
Multiple example applications exist, demonstrating the integration and usage of the OPTIGA™ Trust M Host Library for C.
- High-end security controller
- Based on Common Criteria EAL6+ (high) certified hardware
- PSA Level 3 certified (SLS 32AIA010MK)
- Turnkey solution
- Up to 10kB user memory
- PG-USON-10 package (3 x 3 mm)
- Temperature range (−40°C to +105°C)
- I2C interface with Shielded Connection (encrypted communication)
- Cryptographic support:
- ECC : NIST curves up to P-521, Brainpool r1 curve up to 512,
- RSA® up to 2048
- AES key up to 256 , HMAC up to SHA512
- TLS v1.2 PRF and HKDF up to SHA512
- Crypto ToolBox commands for SHA-256, ECC and RSA® Feature, AES, HMAC and Key derivation
- Configurable device security monitor, 4 Monotonic up counters
- Protected (integrity and confidentiality) update of data, key and metadata objects
- Hibernate for zero power consumption
- Lifetime for Industrial Automation and Infrastructure is 20 years and 15 years for other Application Profiles
| Features | Supported Curve/Algorithm | V1 | V3 |
|---|---|---|---|
| ECC | ECC NIST P256/384 | ✓ | ✓ |
| ECC NIST P521, ECC Brainpool P256/384/512 r1 | ✓ | ||
| RSA | RSA® 1024/2048 | ✓ | ✓ |
| TLS Support | v1.2 / v1.3 | ✓ | ✓ |
| Key Derivation based on | TLS v1.2 PRF SHA 256 | ✓ | ✓ |
| TLS v1.2 PRF SHA 384/512 | ✓ | ||
| HKDF SHA-256/384/512 | ✓ | ||
| AES | Key size - 128/192/256 (ECB, CBC, CBC-MAC, CMAC) | ✓ | |
| Random Generation | TRNG, DRNG, Pre-Master secret for RSA® Key exchange | ✓ | ✓ |
| HMAC | HMAC with SHA256/384/512 | ✓ | |
| Hash | SHA256 | ✓ | ✓ |
| Protected data (object) update (Integrity) | ECC NIST P256/384 RSA® 1024/2048 Signature scheme as ECDSA FIPS 186-3/RSA SSA PKCS#1 v1.5 without hashing |
✓ | ✓ |
| ECC NIST P521, ECC Brainpool P256/384/512 r1 Signature scheme as ECDSA FIPS 186-3/RSA SSA PKCS#1 v1.5 without hashing |
✓ | ||
| Protected Data/key/metadata update (Integrity and/or confidentiality) | ECC NIST P256/384/521 ECC Brainpool P256/384/512 r1 RSA® 1024/2048 Signature scheme as ECDSA FIPS 186-3/RSA SSA PKCS#1 v1.5 without hashing |
✓ |
There are three main provisioning options/configurations available:
ℹ Please Note
OPTIGA™ Trust M V1 and OPTIGA™ Trust M V3 differ in the supported features (see Table above). OPTIGA™ Trust M Fit configurations can be built on either V1 or V3.
The provisioning configurations OPTIGA™ Trust M Express and OPTIGA™ Trust M MTR are based on the features of the OPTIGA™ Trust M V3.
All configuration options (V1/V3/Fit/Express/MTR) have the same package and electrical characteristics. The API & hostcode can be used to work with all solutions.
A provisioning configuration which comes as a standard for all shipped devices. Unless mentioned differently all OPTIGA™ Trust M chips on the market have this configuration.
- Product Webpage
- Evaluation Shield (Shield2Go)
- Evaluation Shield (mikroBUS compatible)
- Sample OPTIGA™ Trust M V1 Open Objects Dump
- Sample OPTIGA™ Trust M V3 Open Objects Dump
A custom provisioning option done on demand upon reaching a MoQ. Fully customisable solution including Security Monitor Configuration.
- Use the OPTIGA™ Trust Configurator to customize your OPTIGA™ Trust M solution.
- Please get in touch with your local Infineon Sales Representative to get more information and to submit your configuration.
A provisioning configuration which can be ordered standalone. This variant comes with three certificates/private keys pre-provisioned by Infineon. Certificates and communication secrets data can be downloaded through CIRRENT™ Cloud ID.
- Product Webpage
- Evaluation Shield
- Sample OPTIGA™ Trust M Express Open Objects Dump
- CIRRENT™ Cloud-ID to claim certificates
A provisioning configuration which can be ordered standalone. This variant comes with three certificates/private keys pre-provisioned by Infineon. The first certificate and key are meant to be used for Matter Device Attestation. Certificates and communication secrets data can be downloaded through Infineon OSTS.
- Product Webpage
- Evaluation Shield
- Sample OPTIGA™ Trust M MTR Open Objects Dump
- Infineon OSTS to claim certificates
| V1 | V3 | Express | MTR³ | |||||
|---|---|---|---|---|---|---|---|---|
| Certificate - Private Key |
Certificate - Private Key |
Certificate¹ - Private Key | Certificate¹ - Private Key | |||||
| Object IDs | E0E0 - E0F0 | E0E0 - E0F0 | E0E0 - E0F0 | E0E1 - E0F1 | E0E2 - E0FC | E0E0 - E0F0 | E0E1 - E0F1 | E0E2 - E0FC |
| PKI Top Level | ECC Root CA1 | ECC Root CA2 | ECC Root CA2 | ECC Root CA2 | RSA Root CA2 | ECC Root CA2 | ECC Root CA2 | RSA Root CA2 |
| PKI Intermediate Level | Int. CA 101 | Int. CA 300 | Int. CA 306 | Int. CA 306 | Int. CA 309 | Int. CA 306 | Int. CA 306 | Int. CA 309 |
| PKI Bottom Level: Key Algorithm | NIST P-256 | NIST P-256 | NIST P-256 | NIST P-256 | RSA2048 | NIST P-256 | NIST P-256 | RSA2048 |
| Possible to Readout | Yes | Yes | Yes | With PBS¹ | Yes | Yes | Yes | Yes |
| Possible to Update | Only Certificate | Only Certificate | Only Certificate with PBS¹ and Auth.Ref.¹ | Only Certificate with PBS¹ and Auth.Ref.¹ | Only Certificate with PBS¹ and Auth.Ref.¹ | Only Certificate: Always, if LcsO < Op, else with PBS¹ and Auth.Ref.¹ | Only Certificate with PBS¹ and Auth.Ref.¹ | Only Certificate with PBS¹ and Auth.Ref.¹ |
| Default Lifecycle State | Creation | Creation | Operational | Operational | Operational | Initialization | Operational | Operational |
| Common Name² | Static | Static | Unique | Unique | Unique | Unique | Unique | Unique |
¹ Certificate, Platform Binding Secret (PBS) and the Authorization Reference (Auth.Ref.) can be downloaded from CIRRENT™ Cloud ID (Express) or Kudelski keySTREAM (MTR) by claiming a Reel QR- or Bar- Code
² End Device Certificate Common Name has either the same value across all devices (Static), or has a chip-unique value (Unique)
³ It is expected from the Customer to perform "late-stage provisioning" on the OPTIGA™ Trust M MTR chips, i.e. to download the Matter Certificates (DAC/PAI) from Kudelski keySTREAM and inject into dedicated slots on the OPTIGA™ Trust M MTR
In addition to the certificates and private keys each OPTIGA™ Trust M Express and OPTIGA™ Trust M MTR comes with a chip unique Platform Binding Secret¹ and an Authorization Reference¹. The latter are two unique per chip 64 bytes long data objects which serve the following purposes:
- Platform Binding Secret (PBS) is used to establish a Shielded Connection between a Host MCU and OPTIGA™ Trust M. It should be transferred from the Cloud Service to the respective MCU to run a protected I2C connection; e.g. readout a protected Certificate located in the 0xE0E1 Object ID (see table above). For more details about Shielded Connection read here.
- Authorization Reference (Auth. Ref.). Used to update/change Certificate, PBS and the Authorization Reference itself. Similar to the PBS shall be transferred to the Host MCU to be used. Find more details in the Solution Reference Manual
The OPTIGA™ Trust M is supported by an extensive offering of host libraries, host applications and integration guides.
The OPTIGA™ Trust M Host Library for C is the core of any application. The source code is in itself platform agnostic, but the "Platform Abstraction Layer" (PAL) needs to be ported to the specific MCU/MPU, as the hostlibrary needs to know, how to use the platform specific APIs for I2C, Timers etc.
In this section, you will find examples how to use the OPTIGA™ Trust M Host Library for C on various platforms and operating systems.
Currently tested are: (this will link to the respective PAL implementations. For example applications, see below.)
- Bare Metal (Native) applications on Infineon's XMC 4800 and PSoC 62 microcontrollers
- FreeRTOS applications with multi-threading support (PSoC 62, ESP32, XMC4800)
- Zephyr on any supported platform
- Linux applications on Raspberry Pi
| Host library | Platform | Status |
|---|---|---|
| OPTIGA™ Trust M Host Library for C | C | Active |
| OPTIGA™ Trust M Host Library for Python | Python | Active |
| OPTIGA™ Trust M Host Library for Arduino | Arduino | Archived |
| Host application | Operating System | Status |
|---|---|---|
| OPTIGA™ Trust M Cryptography | Native | Active |
| OPTIGA™ Trust M Power management | Native | Active |
| OPTIGA™ Trust M Data management | Native | Active |
| OPTIGA™ Trust M TLS with mbedTLS | Native | Active |
| OPTIGA™ Trust M MQTT Client | FreeRTOS | Active |
| OPTIGA™ Trust M Matter integration | FreeRTOS | Active |
| OPTIGA™ Trust M AWS FreeRTOS | FreeRTOS | Active |
| OPTIGA™ Trust M Microsoft Azure IoT | FreeRTOS | Active |
| OPTIGA™ Trust M PKCS#11 interface | Linux | Active |
| OPTIGA™ Trust M Linux Command Line Interface incl. OpenSSL Provider | Linux | Active |
| OPTIGA™ Trust M Zephyr Application | Zephyr | Active |
| Tool | Platform | Status |
|---|---|---|
| OPTIGA™ Trust M Explorer | Python | Active |
| OPTIGA™ Trust M Sample Personalizer | Python | Active |
| OPTIGA™ Trust M I2C Utilities | Linux | Archived |
| OPTIGA™ Trust M Shields in Combination with PSoC™ 62S2 Wi-Fi BT Pioneer Kit | OPTIGA™ Trust M Evaluation Kit | OPTIGA™ Trust IoT Security Development Kit |
|---|---|---|
 |
 |
 |
| Active and Preferred | Not Recommended for New Designs | Not Recommended for New Designs |
The preferred evaluation kit for the OPTIGA™ Trust M with a dedicated Getting Started Guide consists of the following components:
- PSoC™ 62S2 Wi-Fi BT Pioneer Kit (CY8CKIT-062S2-43012)
- OPTIGA™ Trust Adapter
- Any one of the OPTIGA™ Trust M Shields (Shield2Go, OPTIGA™ Trust M Shield, OPTIGA™ Trust M Express Shield, OPTIGA™ Trust M MTR Shield)
You will need to order the 3 pieces separately, depending on your chosen configuration.
Alternatively, get started with the OPTIGA™ Trust M evaluation kit (XMC) or with the OPTIGA™ Trust IoT Security Development kit.
Description and notes to the Shield2Go Security OPTIGA™ Trust M
-
Supply voltage VCC is max. 5.5 V, please refer to the OPTIGA™ Trust M datasheet for more details about maximum ratings
-
Ensure that no voltage applied to any of the pins exceeds the absolute maximum rating of VCC + 0.3 V
-
Pin out on top (head) is directly connected to the pins of the OPTIGA™ Trust M
-
If head is broken off, only one capacitor is connected to the OPTIGA™ Trust M
Shield2Go Security OPTIGA™ M Pinout
Shield2Go Security OPTIGA™ M Schematic
Description and notes to the OPTIGA™ Trust M [Variant] Shields
-
The product variant can be identified through the configuration LED.
-
The design of the Shield is for 3V3 VCC
-
Absolute max. rating of VCC is 5.5 V, please refer to the OPTIGA™ Trust M datasheet for more details about maximum ratings
-
Ensure that no voltage applied to any of the pins exceeds the absolute maximum rating of VCC + 0.3 V
-
Pin out of the shield is directly connected to the pins of the OPTIGA™ Trust M
-
Hybernation Control is only available for Shields with HW-Revision ≥ 3.1
- The CTL Pin enables the hibernation control of the OPTIGA™ Trust M. By pulling the pin to "low", the chip gets disabled.
OPTIGA™ Trust M [Variant] Shield Pinout
OPTIGA™ Trust M [Variant] Shield Schematic
For high level description and some important excerpts from the documentation please refer to Wiki page
Other downloadable PDF documents can be found below:
- OPTIGA™ Trust M Datasheet v3.70 (PDF)
- OPTIGA™ Trust M Solution Reference Manual v3.70 (PDF)
- OPTIGA™ Trust M Keys and Certificates v3.10 (PDF)
- OPTIGA™ Trust Config Guide v2.20 (PDF)
- Infineon I2C protocol specification v2.03 (PDF)
- Wiki
- Porting guide
- Crypto performance (Wiki)
- In which form does OPTIGA™ return keys and signatures? (Wiki)
- Code Footprint (Wiki)
- Device Error Codes (Wiki)
- Protected Update for Data Objects (Wiki)
- Shielded Connection (Wiki)
- User API
- Hardware-Security: "Einfach (und) Sicher" (external link, opens in the same tab) in German, Slides in English
- The OPTIGA™ Trust M Protocol Stack (KBA)
- OPTIGA™ Trust M Metadata (KBA)
If you are planning to integrate OPTIGA™ Trust M in your PCB design have a look at the recommendations found here (external, opens in the same tab).
