The ConnectCore 8X SOM integrates an Atmel ATECC508A cryptochip that offers the following features:
Cryptographic accelerator with secure hardware-based key storage
Performs high-speed public key (PKI) algorithms
ECDSA: FIPS186-3 Elliptic Curve Digital Signature Algorithm
ECDH: FIPS SP800-56A Elliptic Curve Diffie-Hellman Algorithm
NIST standard P256 elliptic curve support
SHA-256 hash algorithm with HMAC option
Internal high-quality FIPS random number generator (RNG)
10Kb EEPROM memory for keys, certificates, and data
Storage for up to 16 keys
Guaranteed-unique 72-bit serial number
Two high-endurance monotonic counters
Multiple options for consumption logging and one-time write information
Intrusion latch for external tamper switch or power-on chip enablement
The cryptochip is connected to the i.MX8QXP CPU through the I2C0 port.
|There is no kernel driver and no device tree entries for this hardware element, as it is managed directly from userspace.|
CryptoAuthLib is a software library written in C that supports several Atmel CryptoAuthentication devices. It is a portable, extensible, powerful, and easy-to-use library for working with the ATSHA and ATECC family of devices.
|Before you can use the chip’s functionality for testing, you must run the cryptoauth_test application and execute the "all" command inside the application. This tests most of the chip’s capabilities and applies a default configuration. Note that the configuration is irreversible and should be used for testing purposes only.|
Digi Embedded Yocto includes an example using this library: https://github.com/digi-embedded/dey-examples/tree/dey-2.6/maint/cryptochip-get-random. This application obtains random numbers from the ATECC508A and outputs them to the standard output stream:
~# ./cryptochip-gen-random | hexdump 0000000 6239 ddd4 b378 693f 14ed bfa1 447b cff1 0000010 275e fd14 e392 2b4a c2ff ac93 0f5e cbab 0000020 16c1 e6b7 a458 c5ea c96f 59c9 776a 41c5 0000030 a656 ffa8 2076 6917 f18a e9ad 9ea1 7915 0000040 b677 aec3 a0a2 c7b6 c8ce 2a1f aa6c d9fc 0000050 f75c 3b57 eea4 051b 3a5f 7bd9 523f 4544 0000060 cb1a 388c b655 e8ca d6eb e459 8a43 cd2f (...)
The output of the application matches what you would read from a standard random number generator, like /dev/random. For example, you can also store the random data—checking the speed at which it is produced—and then run an entropy test on it:
~# ./cryptochip-gen-random | pv --rate > data.bin [ 912 B/s] ~# ent data.bin Entropy = 7.998261 bits per byte. Optimum compression would reduce the size of this 291808 byte file by 0 percent. Chi square distribution for 291808 samples is 706.41, and randomly would exceed this value less than 0.01 percent of the times. Arithmetic mean value of data bytes is 127.0582 (127.5 = random). Monte Carlo value for Pi is 3.149895135 (error 0.26 percent). Serial correlation coefficient is 0.000944 (totally uncorrelated = 0.0).
|The ent utility is not included in Digi Embedded Yocto by default. You can transfer the random data file to your host computer and analyze it there.|
Follow these steps to compile an application that uses the cryptochip:
Include the cryptoauthlib header:
Use the I2C default configuration to initialize the library:
The cfg_ateccx08a_i2c_default variable is provided by the library and it is already configured for the ConnectCore 8X.
Add the following lines to the Makefile so that the applications are linked against the library:
CFLAGS += $(shell pkg-config --cflags cryptoauthlib) LDLIBS += $(shell pkg-config --libs cryptoauthlib)
The library can interface with OpenSSL via a PKCS11 API to exchange cryptographic tokens. For example, using the cryptochip’s default test configuration, you can create a CSR for the private key generated in said configuration.
~# openssl req -engine pkcs11 -key "pkcs11:token=0123EE;object=device;type=private" -keyform engine -new -out new_device.csr -subj "/CN=NEW CSR EXAMPLE"
Once the CSR has been created, verify that its signature is correct with the following OpenSSL command:
~# openssl req -in new_device.csr -verify -text -noout verify OK Certificate Request: Data: Version: 1 (0x0) Subject: CN = NEW CSR EXAMPLE Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:f7:0c:d4:ab:51:14:02:83:6b:1b:4d:6b:5d:88: cd:77:7e:66:c4:ab:80:3a:3c:3f:92:52:2b:34:40: 5c:89:22:cb:39:32:e3:b3:f8:2f:15:2e:cd:f0:01: 57:0c:ad:7c:be:9c:71:bb:ac:a4:cc:5d:8b:45:de: d1:63:cc:84:17 ASN1 OID: prime256v1 NIST CURVE: P-256 Attributes: a0:00 Signature Algorithm: ecdsa-with-SHA256 30:46:02:21:00:d4:3d:e2:df:3d:c3:b0:b5:9c:58:24:36:17: 3d:d9:76:52:1a:51:79:59:fa:90:ad:a5:28:20:97:e9:bc:8c: f1:02:21:00:87:ea:7e:78:20:b5:c0:a2:5b:6d:71:2c:0c:da: 6e:bf:00:e2:61:f2:7c:82:10:d6:87:d8:06:0f:10:3b:d8:d9
See the Github Cryptoauthlib wiki for more information. The Digi Embedded Yocto rootfs has the PKCS11 feature ready to use out of the box with the cryptochip’s default test configuration.
|For more information about the use of this library, see the Atmel Application Note 8984 - Cryptoauthlib. The library is already integrated for the ConnectCore 8X, so you can skip the porting section of the Atmel application note.|