Configuration and data zones locking - DurandA/atca-ecdhe GitHub Wiki
Before the ATECC608A can be used for cryptographic operations, its configuration must be locked. The crypto chip contains an EEPROM divided into three zones: data zone, configuration zone and OTP zone. We will lock the configuration and data zones using a very permissive configuration.
Note: these changes are irreversible. Once locked, a zone cannot be unlocked.
Secret keys and certificates are stored in the data zone, which is divided into slots. Table 2-3 summarizes slot addressing and usage. Private keys used for ECDSA or ECDH can be stored in slots 0-7, which are configured from the configuration zone. We can use `atcab_read_bytes_zone()` to read the configuration. The following snippet demonstrates how to read the slot configuration:
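```c
#include <stdio.h>
#include "cryptoauthlib.h"  // assumes atcab_init() has already succeeded

uint16_t slot_config[16] = {0};  // SlotConfig: 16 slots x 2 bytes, config zone offset 20
ATCA_STATUS status = atcab_read_bytes_zone(ATCA_ZONE_CONFIG, 0, 20, (uint8_t *)slot_config, sizeof(slot_config));
if (status == ATCA_SUCCESS)
    for (int i = 0; i < 8; i++)  // prints as in the table below on a little-endian host
        printf("Slot[%i] config: %04x\n", i, slot_config[i]);
```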
Configuration Zone
The 128 bytes in the configuration zone contain the manufacturing identification data, general device and system configuration information, and access policy control values for the slots within the Data zone.
The default configuration of slots 0-7 is shown in the following table:
| | 508A | 608A | atca_test_config.yaml |
|---|---|---|---|
| slot[0] | 0x2083 | 0x2083 | 0x6487 |
| slot[1] | 0x2087 | 0x2087 | 0x6487 |
| slot[2] | 0x208F | 0x208F | 0x6487 |
| slot[3] | 0x8FC4 | 0x8FC4 | 0x6487 |
| slot[4] | 0x8F8F | 0x8F8F | 0x0F80 |
| slot[5] | 0x8F8F | 0x8F8F | 0x8F8F |
| slot[6] | 0x8F8F | 0x8F9F | 0x8F9F |
| slot[7] | 0x8FAF | 0x8FAF | 0x2082 |
Locking configuration and data zones
We could write the EEPROM or keep the default configuration and then use `atcab_lock_config_zone()` and `atcab_lock_data_zone()`. This is however not very convenient, as we have to go through the data sheet to figure out the meaning of each bit and write some error-prone code.
A better solution is to use the Mongoose OS mos tool, which has native support for the ATECC508A. This requires a dev board with Mongoose OS support, such as an ESP8266 or ESP32. Before jumping to the setup guide, you should create an empty project and enable i2c, atca and rpc-service-atca in mos.yml:
```yaml
config_schema:
  - ["i2c.enable", true]
  - ["sys.atca.enable", true]
libs:
  - origin: https://github.com/mongoose-os-libs/rpc-service-config
  - origin: https://github.com/mongoose-os-libs/rpc-uart
  - origin: https://github.com/mongoose-os-libs/atca
  - origin: https://github.com/mongoose-os-libs/rpc-service-atca
```
Optionally, if you are using an ESP32, you can override the default i2c pins and/or disable i2c bit banging (to use the hardware bus of the ESP32):

```yaml
build_vars:
  MGOS_ENABLE_I2C_GPIO: 0
config_schema:
  - ["i2c.sda_gpio", 21]
  - ["i2c.scl_gpio", 22]
```
It is not necessary to initialize atca in `mgos_app_init()`, as this is done automatically when atca is enabled. After flashing and rebooting your board, the device logs should show a call to `mgos_atca_init()`:

```
mgos_atca_init ATECC508 @ 0x60: rev 0x5000 S/N 0x123c439cf60fabeee, zone lock status: yes, yes; ECDH slots: 0x0c
```
Using atca-test-config.yaml, you can write this configuration to the device and then lock both zones using:

```
mos -X atca-set-config atca-aws-test.yaml --dry-run=false
mos -X atca-lock-zone config --dry-run=false
mos -X atca-lock-zone data --dry-run=false
```
Troubleshooting
| | no lock | config zone | config+data zone | note |
|---|---|---|---|---|
| atcab_random | :x: return 0xFFFF0000... | :heavy_check_mark: | :heavy_check_mark: | |
| atcab_sha | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| atcab_genkey | | | | |
| atcab_sign | :x: | :heavy_check_mark: | :heavy_check_mark: | |
| atcab_ecdh | :x: | :x: ATCA_EXECUTION_ERROR | :heavy_check_mark: | ATCA_PARSE_ERROR if bit 2 of SlotConfig is 0 |
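
The SlotConfig bit 2 condition in the last row can be checked before the irreversible lock. The C program below is an added example, not code from this wiki or from CryptoAuthLib: it decodes the SlotConfig values from the default-configuration table on this page and reports which slots have bit 2 set. The bit layout is assumed from the ATECC508A datasheet, the names `slot_cfg_t`, `decode_slot_config` and `ecdh_bit_mask` are hypothetical, and only SlotConfig is examined (KeyConfig is not).

```c
#include <stdint.h>
#include <stdio.h>
/* SlotConfig as the 16-bit value printed by the read snippet. Bit layout is
 * assumed from the ATECC508A datasheet; the two ECDH flags are ReadKey bits
 * and only have this meaning for slots holding an ECC private key. */
typedef struct {
    uint8_t read_key;     /* bits 3-0 */
    uint8_t is_secret;    /* bit 7 */
    uint8_t write_key;    /* bits 11-8 */
    uint8_t write_config; /* bits 15-12 */
    uint8_t ecdh_allowed; /* bit 2: ECDH permitted on this slot */
    uint8_t ecdh_to_next; /* bit 3: ECDH result kept in slot N+1 */
} slot_cfg_t;

slot_cfg_t decode_slot_config(uint16_t raw)
{
    slot_cfg_t c;
    c.read_key     = raw & 0x0F;
    c.is_secret    = (raw >> 7) & 1;
    c.write_key    = (raw >> 8) & 0x0F;
    c.write_config = (raw >> 12) & 0x0F;
    c.ecdh_allowed = (raw >> 2) & 1;
    c.ecdh_to_next = (raw >> 3) & 1;
    return c;
}

/* Bit i of the result is set when SlotConfig bit 2 is set for slot i. */
uint8_t ecdh_bit_mask(const uint16_t cfg[8])
{
    uint8_t mask = 0;
    for (int i = 0; i < 8; i++)
        if (decode_slot_config(cfg[i]).ecdh_allowed)
            mask |= (uint8_t)(1u << i);
    return mask;
}

/* Slots 0-7, copied from the default-configuration table on this page. */
const uint16_t CFG_508A[8] = {0x2083, 0x2087, 0x208F, 0x8FC4, 0x8F8F, 0x8F8F, 0x8F8F, 0x8FAF};
const uint16_t CFG_YAML[8] = {0x6487, 0x6487, 0x6487, 0x6487, 0x0F80, 0x8F8F, 0x8F9F, 0x2082};

int main(void)
{
    for (int i = 0; i < 8; i++) {
        slot_cfg_t c = decode_slot_config(CFG_YAML[i]);
        printf("slot %d: 0x%04x ecdh=%u to_next=%u\n", i, (unsigned)CFG_YAML[i],
               c.ecdh_allowed, c.ecdh_to_next);
    }
    return 0;
}
```

For the atca_test_config.yaml column, bit 2 is clear on slots 4 and 7; for the 508A defaults it is clear on slot 0 only.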