The ConnectCore 8X SOM integrates an Atmel ATECC508A cryptochip that offers the following features:
Cryptographic accelerator with secure hardware-based key storage
Performs high-speed public key (PKI) algorithms
ECDSA: FIPS186-3 Elliptic Curve Digital Signature Algorithm
ECDH: FIPS SP800-56A Elliptic Curve Diffie-Hellman Algorithm
NIST standard P256 elliptic curve support
SHA-256 hash algorithm with HMAC option
Internal high-quality FIPS random number generator (RNG)
10Kb EEPROM memory for keys, certificates, and data
Storage for up to 16 keys
Guaranteed-unique 72-bit serial number
Two high-endurance monotonic counters
Multiple options for consumption logging and one-time write information
Intrusion latch for external tamper switch or power-on chip enablement
The cryptochip is connected to the i.MX8QXP CPU through the I2C0 port.
|There is no kernel driver and no device tree entries for this hardware element, as it is managed directly from userspace.|
You can use the cryptochip via the CryptoAuthLib, which is a software library written in C that supports ATSHA and ATECC family of Atmel CryptoAuthentication devices.
Before you can use the chip’s functionality, you must program and lock the configuration zone. The configuration zone is a set of 128 bytes that configure the cryptochip for a specific use case.
|Microchip provides information about the configuration zone under NDA.|
The CryptoAuthLib library provides a test application called
You can use this application to program and lock the configuration zone with default test values.
Locking the configuration zone is an irreversible operation.
If you are going to use
To program and lock the configuration zone with default test values, run the
cryptoauth_test application and then run the
# cryptoauth_test $ lockcfg Locking with test configuration, which is suitable only for unit tests... Confirm by typing Y
|Contact Microchip for information on appropriate data to write to your configuration zone depending on your use case.|
Digi Embedded Yocto includes an example that makes use of the CryptoAuthLib library: https://github.com/digi-embedded/dey-examples/tree/dey-3.2/maint/cryptochip-get-random. This application obtains random numbers from the ATECC508A and outputs them to the standard output stream:
# ./cryptochip-gen-random | hexdump 0000000 6239 ddd4 b378 693f 14ed bfa1 447b cff1 0000010 275e fd14 e392 2b4a c2ff ac93 0f5e cbab 0000020 16c1 e6b7 a458 c5ea c96f 59c9 776a 41c5 0000030 a656 ffa8 2076 6917 f18a e9ad 9ea1 7915 0000040 b677 aec3 a0a2 c7b6 c8ce 2a1f aa6c d9fc 0000050 f75c 3b57 eea4 051b 3a5f 7bd9 523f 4544 0000060 cb1a 388c b655 e8ca d6eb e459 8a43 cd2f (...)
The output of the application matches what you would read from a standard random number generator, like
For example, you can also store the random data—checking the speed at which it is produced—and then run an entropy test on it:
# ./cryptochip-gen-random | pv --rate > data.bin [ 912 B/s] # ent data.bin Entropy = 7.998261 bits per byte. Optimum compression would reduce the size of this 291808 byte file by 0 percent. Chi square distribution for 291808 samples is 706.41, and randomly would exceed this value less than 0.01 percent of the times. Arithmetic mean value of data bytes is 127.0582 (127.5 = random). Monte Carlo value for Pi is 3.149895135 (error 0.26 percent). Serial correlation coefficient is 0.000944 (totally uncorrelated = 0.0).
|The ent utility is not included in Digi Embedded Yocto by default. You can transfer the random data file to your host computer and analyze it there.|
Follow these steps to compile an application that uses the cryptochip:
Use the I2C default configuration to initialize the library:
cfg_ateccx08a_i2c_defaultvariable is provided by the library and it is already configured for the ConnectCore 8X.
Add the following lines to the Makefile so that the applications are linked against the library:
CFLAGS += $(shell pkg-config --cflags cryptoauthlib) LDLIBS += $(shell pkg-config --libs cryptoauthlib)
The library can interface with OpenSSL via a PKCS11 API to exchange cryptographic tokens. For example, using the cryptochip’s default test configuration, you can create a CSR for the private key generated in said configuration.
# openssl req -engine pkcs11 -key "pkcs11:token=0123EE;object=device;type=private" -keyform engine -new -out new_device.csr -subj "/CN=NEW CSR EXAMPLE"
Once the CSR has been created, verify that its signature is correct with the following OpenSSL command:
# openssl req -in new_device.csr -verify -text -noout verify OK Certificate Request: Data: Version: 1 (0x0) Subject: CN = NEW CSR EXAMPLE Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:f7:0c:d4:ab:51:14:02:83:6b:1b:4d:6b:5d:88: cd:77:7e:66:c4:ab:80:3a:3c:3f:92:52:2b:34:40: 5c:89:22:cb:39:32:e3:b3:f8:2f:15:2e:cd:f0:01: 57:0c:ad:7c:be:9c:71:bb:ac:a4:cc:5d:8b:45:de: d1:63:cc:84:17 ASN1 OID: prime256v1 NIST CURVE: P-256 Attributes: a0:00 Signature Algorithm: ecdsa-with-SHA256 30:46:02:21:00:d4:3d:e2:df:3d:c3:b0:b5:9c:58:24:36:17: 3d:d9:76:52:1a:51:79:59:fa:90:ad:a5:28:20:97:e9:bc:8c: f1:02:21:00:87:ea:7e:78:20:b5:c0:a2:5b:6d:71:2c:0c:da: 6e:bf:00:e2:61:f2:7c:82:10:d6:87:d8:06:0f:10:3b:d8:d9
See the Github Cryptoauthlib wiki for more information. The Digi Embedded Yocto rootfs has the PKCS11 feature ready to use out of the box with the cryptochip’s default test configuration.
|For more information about the use of this library, see the Atmel Application Note 8984 - Cryptoauthlib. The library is already integrated for the ConnectCore 8X, so you can skip the porting section of the Atmel application note.|