Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sys/shell: Update cryptoauthlib shell commands #20673

Merged
merged 8 commits into from
Jul 11, 2024
Merged

sys/shell: Update cryptoauthlib shell commands #20673

merged 8 commits into from
Jul 11, 2024

Conversation

Einhornhool
Copy link
Contributor

@Einhornhool Einhornhool commented May 16, 2024
edited
Loading

Contribution description

The cryptoauthlib shell command was broken due to API changes.
I updated the calls.

Additionally I made the output a bit prettier.

It is also possible to select a specific device, in case there's more than one.

Update 2024-05-17:
Now also compatible with ATECC608A config zone.

Testing procedure

Connect an ATECC508 (or 608), and run an application with the shell and the cryptoauthlib package.
The output should look like this (values differ depending on configuration, of course):

Usage

2024-05-16 08:54:07,871 # atca
2024-05-16 08:54:07,886 # * set_dev <number> - set and initialize an atca device (defaults to index 0)
2024-05-16 08:54:07,891 # * read - read Microchip CryptoAuth device's config zone
2024-05-16 08:54:07,896 # * read_bin - read config zone and print binary data
2024-05-16 08:54:07,904 # * lock_c - PERMANENTLY lock Microchip CryptoAuth device's config zone (cannot be undone!)
2024-05-16 08:54:07,911 # * lock_d - PERMANENTLY lock Microchip CryptoAuth device's data zone (cannot be undone!)
2024-05-16 08:54:07,917 # * check_lc - check if Microchip CryptoAuth device's config zone is locked
2024-05-16 08:54:07,923 # * check_ld - check if Microchip CryptoAuth device's data zone is locked

atca read (for ATECC608A)

2024-05-17 16:55:22,735 # atca read
2024-05-17 16:55:22,769 # Config Zone
2024-05-17 16:55:22,771 # Device Info (Read Only)
2024-05-17 16:55:22,775 # --------------------------------------------
2024-05-17 16:55:22,778 # Device Type       | ATECC608
2024-05-17 16:55:22,781 # Serial No (Pt. 1) | 0x01 0x23 0x9b 0xb6 
2024-05-17 16:55:22,786 # Revision No.      | 0x00 0x00 0x60 0x02 
2024-05-17 16:55:22,789 # Serial No (Pt. 2) | 0xc9 0xad 0xf1 0xd4 0xee 
2024-05-17 16:55:22,792 # AES Enabled       | True
2024-05-17 16:55:22,793 # I2C Enabled       | True
2024-05-17 16:55:22,796 # Single Wire       | False
2024-05-17 16:55:22,800 # --------------------------------------------
2024-05-17 16:55:22,800 # 
2024-05-17 16:55:22,802 # Device Info (Writable)
2024-05-17 16:55:22,806 # ---------------------------------------------
2024-05-17 16:55:22,808 # I2C Address       | 0xc0
2024-05-17 16:55:22,810 # Counter Match     | Disabled
2024-05-17 16:55:22,811 # ChipMode:
2024-05-17 16:55:22,814 # I2C Address       | Default address
2024-05-17 16:55:22,818 # TTLenable         | Fixed input levels
2024-05-17 16:55:22,821 # Watchdog          | 1.3 sec (recommended)
2024-05-17 16:55:22,824 # Clock Divider     | 0x00
2024-05-17 16:55:22,824 # 
2024-05-17 16:55:22,825 # Slot Config
2024-05-17 16:55:22,828 # ----------------------------------------
2024-05-17 16:55:22,831 # SlotID  | Hex    | Binary
2024-05-17 16:55:22,834 #         |        | 7      0 | 15     8
2024-05-17 16:55:22,837 # --------+--------+----------------------
2024-05-17 16:55:22,841 # 0       | 0x8720 | 00000001 | 00000001 | 
2024-05-17 16:55:22,845 # 1       | 0x8720 | 10011011 | 10011011 | 
2024-05-17 16:55:22,849 # 2       | 0x8720 | 00000000 | 00000000 | 
2024-05-17 16:55:22,852 # 3       | 0x8720 | 01100000 | 01100000 | 
2024-05-17 16:55:22,856 # 4       | 0x8700 | 11001001 | 11001001 | 
2024-05-17 16:55:22,860 # 5       | 0x8700 | 11110001 | 11110001 | 
2024-05-17 16:55:22,864 # 6       | 0x8f20 | 11101110 | 11101110 | 
2024-05-17 16:55:22,867 # 7       | 0x8720 | 01111001 | 01111001 | 
2024-05-17 16:55:22,871 # 8       | 0x0000 | 11000000 | 11000000 | 
2024-05-17 16:55:22,875 # 9       | 0x0000 | 00000000 | 00000000 | 
2024-05-17 16:55:22,878 # 10      | 0x0000 | 10000111 | 10000111 | 
2024-05-17 16:55:22,882 # 11      | 0x0000 | 10000111 | 10000111 | 
2024-05-17 16:55:22,886 # 12      | 0x0000 | 10000111 | 10000111 | 
2024-05-17 16:55:22,890 # 13      | 0x0000 | 10000111 | 10000111 | 
2024-05-17 16:55:22,893 # 14      | 0x0000 | 10000111 | 10000111 | 
2024-05-17 16:55:22,893 # 
2024-05-17 16:55:22,897 # Counter 0         | 0x00 0x00 0x00 0x01
2024-05-17 16:55:22,900 # Counter 1         | 0x3f 0xff 0xff 0xff
2024-05-17 16:55:22,903 # UseLockEnable     | False
2024-05-17 16:55:22,905 # VolatileKeyPermit | Disabled
2024-05-17 16:55:22,908 # SecureBootMode    | Disabled
2024-05-17 16:55:22,910 # SecureBootPersist | Disabled
2024-05-17 16:55:22,915 # SecureBootNonce   | Optional, controlled by SecureBootMode
2024-05-17 16:55:22,920 # Secure Boot Signature or Digest stored in slot 0
2024-05-17 16:55:22,923 # Secure Boot Public Key stored in slot 0
2024-05-17 16:55:22,925 # KDF IV Loc        | 0
2024-05-17 16:55:22,927 # UserExtra         | 0x00
2024-05-17 16:55:22,929 # UserExtraAdd (I2C)| 0xc1
2024-05-17 16:55:22,933 # LockValue         | Data and OTP Locked
2024-05-17 16:55:22,936 # LockConfig        | Config Zone Locked
2024-05-17 16:55:22,936 # 
2024-05-17 16:55:22,940 # SlotLocked (X = locked, - = unlocked):
2024-05-17 16:55:22,945 # Slot   |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
2024-05-17 16:55:22,950 # Locked |  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  - 
2024-05-17 16:55:22,951 # Chip Options:
2024-05-17 16:55:22,953 # Power On Self Test| Disabled
2024-05-17 16:55:22,956 # IO Prot Key       | Disabled
2024-05-17 16:55:22,959 # AES KDF           | Disabled
2024-05-17 16:55:22,962 # ECDH              | Clear Output on Bus OK
2024-05-17 16:55:22,966 # KDF               | Clear Output on Bus OK
2024-05-17 16:55:22,969 # IO Protection Key stored in slot 0
2024-05-17 16:55:22,969 # 
2024-05-17 16:55:22,970 # X509 Format:
2024-05-17 16:55:22,973 # PubKey 0         | No restrictions
2024-05-17 16:55:22,976 # PubKey 1         | No restrictions
2024-05-17 16:55:22,979 # PubKey 2         | No restrictions
2024-05-17 16:55:22,983 # PubKey 3         | No restrictions
2024-05-17 16:55:22,983 # 
2024-05-17 16:55:22,984 # Key Config
2024-05-17 16:55:22,987 # ----------------------------------------
2024-05-17 16:55:22,989 # SlotID  | Hex    | Binary
2024-05-17 16:55:22,993 #         |        | 7      0 | 15     8
2024-05-17 16:55:22,996 # --------+--------+----------------------
2024-05-17 16:55:23,000 # 0       | 0x1300 | 00010011 | 00010011 | 
2024-05-17 16:55:23,004 # 1       | 0x1300 | 00010011 | 00010011 | 
2024-05-17 16:55:23,007 # 2       | 0x1300 | 00010011 | 00010011 | 
2024-05-17 16:55:23,011 # 3       | 0x1300 | 00010011 | 00010011 | 
2024-05-17 16:55:23,015 # 4       | 0x1800 | 00011000 | 00011000 | 
2024-05-17 16:55:23,019 # 5       | 0x1800 | 00011000 | 00011000 | 
2024-05-17 16:55:23,022 # 6       | 0x1300 | 00010011 | 00010011 | 
2024-05-17 16:55:23,026 # 7       | 0x1f00 | 00011111 | 00011111 | 
2024-05-17 16:55:23,030 # 8       | 0x1c00 | 00011100 | 00011100 | 
2024-05-17 16:55:23,034 # 9       | 0x1000 | 00010000 | 00010000 | 
2024-05-17 16:55:23,037 # 10      | 0x1000 | 00010000 | 00010000 | 
2024-05-17 16:55:23,041 # 11      | 0x1000 | 00010000 | 00010000 | 
2024-05-17 16:55:23,045 # 12      | 0x1000 | 00010000 | 00010000 | 
2024-05-17 16:55:23,048 # 13      | 0x1000 | 00010000 | 00010000 | 
2024-05-17 16:55:23,052 # 14      | 0x1c00 | 00011100 | 00011100 |

atca read_bin

2024-05-16 08:55:58,145 # atca read_bin
2024-05-16 08:55:58,188 # ConfigZone Binary Data:
2024-05-16 08:55:58,192 # ---------------------------------------------------
2024-05-16 08:55:58,196 # Bytes \ Bits | 7      0 7      0 7      0 7      0
2024-05-16 08:55:58,201 # -------------+-------------------------------------
2024-05-16 08:55:58,207 # 000:003      | 00000001 00100011 10011011 10110110 SN0 SN1 SN2 SN3
2024-05-16 08:55:58,213 # 004:007      | 00000000 00000000 01100000 00000010 RN0 RN1 RN2 RN3
2024-05-16 08:55:58,219 # 008:011      | 11001001 10101101 11110001 11010100 SN4 SN5 SN6 SN7
2024-05-16 08:55:58,225 # 012:015      | 11101110 00000001 01111001 00000000 SN8 RSVD I2CE RSVD
2024-05-16 08:55:58,231 # 016:019      | 11000000 00000000 00000000 00000000 I2CA RSVD OTPM CM
2024-05-16 08:55:58,231 # 
2024-05-16 08:55:58,232 # Slot Config
2024-05-16 08:55:58,237 # ---------------------------------------------------
2024-05-16 08:55:58,241 # Bytes \ Bits | 7      0 15     8 7      0 15     8
2024-05-16 08:55:58,245 # -------------+-------------------------------------
2024-05-16 08:55:58,251 # 020:023      | 10000111 00100000 10000111 00100000 SC0 SC0 SC1 SC1
2024-05-16 08:55:58,257 # 024:027      | 10000111 00100000 10000111 00100000 SC2 SC2 SC3 SC3
2024-05-16 08:55:58,263 # 028:031      | 10000111 00000000 10000111 00000000 SC4 SC4 SC5 SC5
2024-05-16 08:55:58,269 # 032:035      | 10001111 00100000 10000111 00100000 SC6 SC6 SC7 SC7
2024-05-16 08:55:58,275 # 036:039      | 00000000 00000000 00000000 00000000 SC8 SC8 SC9 SC9
2024-05-16 08:55:58,282 # 040:043      | 00000000 00000000 00000000 00000000 SC10 SC10 SC11 SC11
2024-05-16 08:55:58,288 # 044:047      | 00000000 00000000 00000000 00000000 SC12 SC12 SC13 SC13
2024-05-16 08:55:58,294 # 048:051      | 00000000 00000000 00000000 00000000 SC14 SC14 SC15 SC15
2024-05-16 08:55:58,300 # 052:055      | 00000000 00000000 00000000 00000001 CNT0 CNT0 CNT0 CNT0
2024-05-16 08:55:58,307 # 056:059      | 00000000 00000000 00000000 00000000 CNT0 CNT0 CNT0 CNT0
2024-05-16 08:55:58,313 # 060:063      | 00111111 11111111 11111111 11111111 CNT1 CNT1 CNT1 CNT1
2024-05-16 08:55:58,319 # 064:067      | 00000000 00000000 00000000 00000000 CNT1 CNT1 CNT1 CNT1
2024-05-16 08:55:58,326 # 068:071      | 00000000 00000000 00000000 00000000 LKU0 LKU1 LKU2 LKU3
2024-05-16 08:55:58,332 # 072:075      | 00000000 00000000 00000000 00000000 LKU4 LKU5 LKU6 LKU7
2024-05-16 08:55:58,338 # 076:079      | 00000000 00000000 00000000 00000000 LKU8 LKU9 LKU10 LKU11
2024-05-16 08:55:58,345 # 080:083      | 00000000 00000000 00000000 00000000 LKU12 LKU13 LKU14 LKU15
2024-05-16 08:55:58,351 # 084:087      | 00000000 11000001 00000000 00000000 UE SEL LV LC
2024-05-16 08:55:58,357 # 088:091      | 11111111 11111111 00000000 00000000 SL0 SL1 RFU0 RFU1
2024-05-16 08:55:58,364 # 092:095      | 00000000 00000000 00000000 00000000 X509-0 X509-1 X509-2 X509-3
2024-05-16 08:55:58,364 # 
2024-05-16 08:55:58,365 # Key Config
2024-05-16 08:55:58,369 # ---------------------------------------------------
2024-05-16 08:55:58,374 # Bytes \ Bits | 7      0 15     8 7      0 15     8
2024-05-16 08:55:58,378 # -------------+-------------------------------------
2024-05-16 08:55:58,384 # 096:099      | 00010011 00000000 00010011 00000000 KC0 KC0 KC1 KC1
2024-05-16 08:55:58,390 # 100:103      | 00010011 00000000 00010011 00000000 KC2 KC2 KC3 KC3
2024-05-16 08:55:58,396 # 104:107      | 00011000 00000000 00011000 00000000 KC4 KC4 KC5 KC5
2024-05-16 08:55:58,402 # 108:111      | 00010011 00000000 00011111 00000000 KC6 KC6 KC7 KC7
2024-05-16 08:55:58,408 # 112:115      | 00011100 00000000 00010000 00000000 KC8 KC8 KC9 KC9
2024-05-16 08:55:58,414 # 116:119      | 00010000 00000000 00010000 00000000 KC10 KC10 KC11 KC11
2024-05-16 08:55:58,421 # 120:123      | 00010000 00000000 00010000 00000000 KC12 KC12 KC13 KC13
2024-05-16 08:55:58,427 # 124:127      | 00011100 00000000 00011100 00000000 KC14 KC14 KC15 KC15

@github-actions github-actions bot added the Area: sys Area: System label May 16, 2024
@maribu maribu requested review from kYc0o and mguetschow May 20, 2024 08:59
@kYc0o kYc0o self-assigned this May 20, 2024
@mguetschow mguetschow added the CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR label May 21, 2024
@riot-ci
Copy link

riot-ci commented May 21, 2024
edited
Loading

Murdock results

✔️ PASSED

272d48d pkg/cryptoauthlib: Address static test fails

Success Failures Total Runtime
10178 0 10178 15m:27s

Artifacts

@kYc0o
Copy link
Contributor

kYc0o commented May 27, 2024

I've tested it with a ATECC608C with success! Although my output looks a bit different, especially the part on which slots data/keys are stored:

Counter 0         | 0xff 0xff 0xff 0xff
Counter 1         | 0xff 0xff 0xff 0xff
UseLockEnable     | False
VolatileKeyPermit | Disabled
SecureBootMode    | Disabled
SecureBootPersist | Disabled
SecureBootNonce   | Optional, controlled by SecureBootMode
Secure Boot Signature or Digest stored in slot 7
Secure Boot Public Key stored in slot 240

Slot 7 seems ok but slot 240 doesn't.
In this other example it shows another kind of random number:

Chip Options:
Power On Self Test| Disabled
IO Prot Key       | Enabled
AES KDF           | Enabled
ECDH              | Clear Output on Bus OK
KDF               | Clear Output on Bus OK
IO Protection Key stored in slot 96

I don't mind much that output since the device and key config are what is expected from the configuration which was originally flashed into the device by the manufacturer.
I think after the comments by the automatic review are addressed this PR could be ready for merge.

@github-actions github-actions bot added the Area: pkg Area: External package ports label May 31, 2024
@Teufelchen1
Copy link
Contributor

Why did this PR got stuck? What do you need to move this forward @Einhornhool ?

@Einhornhool
Copy link
Contributor Author

Why did this PR got stuck? What do you need to move this forward @Einhornhool ?

I did not get a notification that it has been reviewed and forgot about it. Will take a closer look tomorrow :)

@Einhornhool
Copy link
Contributor Author

@kYc0o Thank you for testing this!
Those numbers do look weird, but they're probably caused by the device configuration rather than the shell application.
I've used this with four or five different devices now and they were all fine. Maybe @mguetschow can also try it, now that he has an ATECC-device ;)

@kYc0o
Copy link
Contributor

kYc0o commented Jun 19, 2024

Yeah of course is some configuration thing, but I was probably expecting that the tool can read standard configuration regardless of the device. Are all your devices with the same config or do they have different? I know for certain that the configuration is valid since it was validated by microchip, but I can check afterwards myself what can cause the mismatch

@Einhornhool
Copy link
Contributor Author

Yeah of course is some configuration thing, but I was probably expecting that the tool can read standard configuration regardless of the device. Are all your devices with the same config or do they have different? I know for certain that the configuration is valid since it was validated by microchip, but I can check afterwards myself what can cause the mismatch

Hmm, internally it just uses the calib_read_config_zone command, writes all the bytes into a data buffer and then interprets them. So if it works correctly, it did get those numbers from the device config zone.
Can you check the read_bin command and see what's written in bytes 70-71 and 90-91?

The devices I tested were configured and unconfigured, but the configured ones all had the same configuration.

@mguetschow
Copy link
Contributor

@kYc0o Thank you for testing this! Those numbers do look weird, but they're probably caused by the device configuration rather than the shell application. I've used this with four or five different devices now and they were all fine. Maybe @mguetschow can also try it, now that he has an ATECC-device ;)

Can do, but only next week :)

@kYc0o
Copy link
Contributor

kYc0o commented Jun 20, 2024

Yeah of course is some configuration thing, but I was probably expecting that the tool can read standard configuration regardless of the device. Are all your devices with the same config or do they have different? I know for certain that the configuration is valid since it was validated by microchip, but I can check afterwards myself what can cause the mismatch

Hmm, internally it just uses the calib_read_config_zone command, writes all the bytes into a data buffer and then interprets them. So if it works correctly, it did get those numbers from the device config zone. Can you check the read_bin command and see what's written in bytes 70-71 and 90-91?

The devices I tested were configured and unconfigured, but the configured ones all had the same configuration.

Sure! This is what I get from the read_bin command:

Slot Config
---------------------------------------------------
Bytes \ Bits | 7      0 15     8 7      0 15     8
-------------+-------------------------------------
068:071      | 00000000 00000000 00000011 11110111 LKU0 LKU1 LKU2 LKU3
072:075      | 00000000 01101001 01110110 00000000 LKU4 LKU5 LKU6 LKU7
076:079      | 00000000 00000000 00000000 00000000 LKU8 LKU9 LKU10 LKU11
080:083      | 00000000 00000000 00000000 00000000 LKU12 LKU13 LKU14 LKU15
084:087      | 00000000 00000000 00000000 00000000 UE SEL LV LC
088:091      | 11111111 11111111 00001110 01100000 SL0 SL1 RFU0 RFU1

@kYc0o
Copy link
Contributor

kYc0o commented Jun 20, 2024

btw I also changed the slot count to 16:

diff --git a/sys/shell/cmds/cryptoauthlib.c b/sys/shell/cmds/cryptoauthlib.c
index 93728e44fe..0480a3d6fb 100644
--- a/sys/shell/cmds/cryptoauthlib.c
+++ b/sys/shell/cmds/cryptoauthlib.c
@@ -27,7 +27,7 @@
 #include "shell.h"
 
 #define ATCA_CONFIG_READ_ONLY_BYTES (15)
-#define ATCA_KEY_SLOT_COUNT         (15)
+#define ATCA_KEY_SLOT_COUNT         (16)
 #define ATCA_X509_KEY_COUNT         (4)
 
 #define SERIAL_NO_START_01          (0)

@mguetschow
Copy link
Contributor

Finally took the time for testing this here with a locked ATECC608A, and I get a very similar output to @Einhornhool's initial post. The only difference seems to be the counter value which is all 0xFF for me.

In particular, the three reported slot numbers are all zero and atca read_bin also contains zeros as follows:

068:071      | 00000000 00000000 00000000 00000000 LKU0 LKU1 LKU2 LKU3
072:075      | 00000000 00000000 00000000 00000000 LKU4 LKU5 LKU6 LKU7
076:079      | 00000000 00000000 00000000 00000000 LKU8 LKU9 LKU10 LKU11
080:083      | 00000000 00000000 00000000 00000000 LKU12 LKU13 LKU14 LKU15
084:087      | 00000000 00000000 00000000 00000000 UE SEL LV LC
088:091      | 11111111 11111111 00000000 00000000 SL0 SL1 RFU0 RFU1

@Einhornhool
Copy link
Contributor Author

I'd say the differences in the output are caused by different device configurations.

I now updated the slot count and fixed the issues with the static tests.

mguetschow
mguetschow approved these changes Jul 10, 2024
View reviewed changes
Copy link
Contributor

@mguetschow mguetschow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM! 🚀

@mguetschow mguetschow enabled auto-merge July 10, 2024 13:01
@mguetschow mguetschow added this pull request to the merge queue Jul 10, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 10, 2024
@mguetschow mguetschow added this pull request to the merge queue Jul 11, 2024
Merged via the queue into RIOT-OS:master with commit 3e712a5 Jul 11, 2024
26 checks passed
@mguetschow mguetschow added this to the Release 2024.07 milestone Jul 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mguetschow mguetschow mguetschow approved these changes

@kYc0o kYc0o Awaiting requested review from kYc0o

@PeterKietzmann PeterKietzmann Awaiting requested review from PeterKietzmann PeterKietzmann is a code owner

Assignees

@kYc0o kYc0o

Labels
Area: pkg Area: External package ports Area: sys Area: System CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR
Projects
None yet
Milestone
Release 2024.07
Development

Successfully merging this pull request may close these issues.
5 participants
@Einhornhool @riot-ci @kYc0o @Teufelchen1 @mguetschow