The ConnectCore 6 Plus SOM integrates an Atmel ATECC508A cryptochip that offers the following features:

  • Cryptographic accelerator with secure hardware-based key storage

  • Performs high-speed public key (PKI) algorithms

    • ECDSA: FIPS 186-3 Elliptic Curve Digital Signature Algorithm

    • ECDH: FIPS SP800-56A Elliptic Curve Diffie-Hellman Algorithm

  • NIST standard P256 elliptic curve support

  • SHA-256 hash algorithm with HMAC option

  • Internal high-quality FIPS random number generator (RNG)

  • 10Kb EEPROM memory for keys, certificates, and data

    • Storage for up to 16 keys

    • Guaranteed-unique 72-bit serial number

  • Two high-endurance monotonic counters

  • Multiple options for consumption logging and one-time write information

  • Intrusion latch for external tamper switch or power-on chip enablement

The cryptochip is connected to the CPU through the I2C1 port.

There is no kernel driver and no device tree entries for this hardware element, as it is managed directly from userspace.

Userspace usage

You can use the cryptochip through CryptoAuthLib, a software library written in C that supports the ATSHA and ATECC families of Atmel CryptoAuthentication devices.

Before you can use the chip’s functionality, you must program and lock the configuration zone. The configuration zone is a set of 128 bytes that configure the cryptochip for a specific use case.

Microchip provides information about the configuration zone under NDA.

The CryptoAuthLib library provides a test application called cryptoauth_test. You can use this application to program and lock the configuration zone with default test values.

Locking the configuration zone is an irreversible operation. If you are going to use cryptoauth_test to program and lock the default configuration, you should only use the cryptochip for testing purposes and not for production.

To program and lock the configuration zone with default test values, run the cryptoauth_test application and then run the lockcfg command:

# cryptoauth_test
$ lockcfg

Locking with test configuration, which is suitable only for unit tests...
Confirm by typing Y

Contact Microchip for information on appropriate data to write to your configuration zone depending on your use case.

Example application

Digi Embedded Yocto includes an example that makes use of the CryptoAuthLib library. This application obtains random numbers from the ATECC508A and writes them to the standard output stream:

# ./cryptochip-gen-random | hexdump
0000000 6239 ddd4 b378 693f 14ed bfa1 447b cff1
0000010 275e fd14 e392 2b4a c2ff ac93 0f5e cbab
0000020 16c1 e6b7 a458 c5ea c96f 59c9 776a 41c5
0000030 a656 ffa8 2076 6917 f18a e9ad 9ea1 7915
0000040 b677 aec3 a0a2 c7b6 c8ce 2a1f aa6c d9fc
0000050 f75c 3b57 eea4 051b 3a5f 7bd9 523f 4544
0000060 cb1a 388c b655 e8ca d6eb e459 8a43 cd2f

The output of the application matches what you would read from a standard random number generator, like /dev/random. For example, you can also store the random data—checking the speed at which it is produced—and then run an entropy test on it:

# ./cryptochip-gen-random | pv --rate > data.bin
[ 912 B/s]
# ent data.bin
Entropy = 7.998261 bits per byte.

Optimum compression would reduce the size
of this 291808 byte file by 0 percent.

Chi square distribution for 291808 samples is 706.41, and randomly
would exceed this value less than 0.01 percent of the times.

Arithmetic mean value of data bytes is 127.0582 (127.5 = random).
Monte Carlo value for Pi is 3.149895135 (error 0.26 percent).
Serial correlation coefficient is 0.000944 (totally uncorrelated = 0.0).

The ent utility is not included in Digi Embedded Yocto by default. You can transfer the random data file to your host computer and analyze it there.
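If ent is not available on the target, two of the statistics it reports, chi-square and serial correlation, are easy to compute in place; the following is an added example, not part of Digi Embedded Yocto or CryptoAuthLib. The names (rng_acc, rng_feed, rng_suspect) and the pass/fail thresholds are this example's own assumptions.

```c
/* Added example (not Digi or Microchip code): sanity statistics for an RNG stream. */
#include <stdio.h>

struct rng_acc {                    /* running totals, so data can be fed in chunks */
    unsigned long long count[256], n;
    double sum, sum_sq, sum_adj;    /* sum x, sum x^2, sum x[i]*x[i+1] */
    int first, prev;
};

static void rng_feed(struct rng_acc *a, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        int x = buf[i];
        if (a->n == 0) a->first = x; else a->sum_adj += (double)a->prev * x;
        a->count[x]++; a->n++;
        a->sum += x; a->sum_sq += (double)x * x; a->prev = x;
    }
}

/* Chi-square against a uniform byte distribution (255 degrees of freedom). */
static double rng_chi_square(const struct rng_acc *a) {
    double expected = (double)a->n / 256.0, chi = 0.0;
    for (int v = 0; a->n && v < 256; v++)
        chi += (a->count[v] - expected) * (a->count[v] - expected) / expected;
    return chi;
}

/* Correlation of each byte with its successor (the last byte wraps to the first). */
static double rng_serial_corr(const struct rng_acc *a) {
    double n = (double)a->n, adj = a->sum_adj + (double)a->prev * a->first;
    double den = n * a->sum_sq - a->sum * a->sum;
    return den == 0.0 ? 1.0 : (n * adj - a->sum * a->sum) / den;
}

/* Returns 1 if the stream looks wrong. The chi-square bounds approximate the 1% and
 * 99% quantiles for 255 d.o.f.; every threshold here is this example's choice. */
static int rng_suspect(const struct rng_acc *a) {
    double chi = rng_chi_square(a), scc = rng_serial_corr(a);
    if (a->n < 2560) return 1;      /* fewer than 10 expected hits per byte value */
    return chi < 205.4 || chi > 310.5 || scc > 0.05 || scc < -0.05;
}

int main(void) {
    static struct rng_acc a;        /* static storage: zero-initialised */
    unsigned char buf[4096]; size_t got;
    while ((got = fread(buf, 1, sizeof buf, stdin)) > 0) rng_feed(&a, buf, got);
    printf("bytes=%llu chi2=%.2f scc=%.6f suspect=%d\n", a.n,
           rng_chi_square(&a), rng_serial_corr(&a), rng_suspect(&a));
    return rng_suspect(&a);         /* non-zero exit status when suspect */
}
```

Run it as ./cryptochip-gen-random | head -c 262144 | ./rngcheck (rngcheck is a hypothetical name for the compiled binary); for byte data the chi-square statistic should sit near 255, so a value such as the 706.41 reported by ent above is outside the range this check accepts and is worth investigating on your own hardware. A chip whose configuration zone is still unlocked is flagged immediately, because the ATECC508A datasheet specifies a fixed FF FF 00 00 test pattern from the Random command in that state.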

Building applications

Follow these steps to compile an application that uses the cryptochip:

  1. Include the cryptoauthlib header:

    #include <cryptoauthlib.h>

  2. Use the I2C default configuration to initialize the library:

    The cfg_ateccx08a_i2c_default variable is provided by the library and it is already configured for the ConnectCore 6 Plus.

  3. Add the following lines to the Makefile so that the applications are linked against the library:

    CFLAGS += $(shell pkg-config --cflags cryptoauthlib)
    LDLIBS += $(shell pkg-config --libs cryptoauthlib)

PKCS11 interface

The library can interface with OpenSSL via a PKCS11 API to exchange cryptographic tokens. For example, using the cryptochip’s default test configuration, you can create a CSR for the private key generated in said configuration.

# openssl req -engine pkcs11 -key "pkcs11:token=0123EE;object=device;type=private" -keyform engine -new -out new_device.csr -subj "/CN=NEW CSR EXAMPLE"

Once the CSR has been created, verify that its signature is correct with the following OpenSSL command:

# openssl req -in new_device.csr -verify -text -noout
verify OK
Certificate Request:
        Version: 1 (0x0)
        Subject: CN = NEW CSR EXAMPLE
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
    Signature Algorithm: ecdsa-with-SHA256

See the GitHub CryptoAuthLib wiki for more information. The Digi Embedded Yocto rootfs has the PKCS11 feature ready to use out of the box with the cryptochip’s default test configuration.

For more information about the use of this library, see the Atmel Application Note 8984 - Cryptoauthlib. The library is already integrated for the ConnectCore 6 Plus, so you can skip the porting section of the Atmel application note.