Cryptochip

Note This section contains Linux BSP documentation for kernel v4.1. Click here for v4.9 BSP documentation.

The ConnectCore 6UL SoM integrates an Atmel ATECC508A cryptochip that offers the following features:

Cryptographic accelerator with secure hardware-based key storage
Performs high-speed public key (PKI) algorithms
- ECDSA: FIPS186-3 Elliptic Curve Digital Signature Algorithm
- ECDH: FIPS SP800-56A Elliptic Curve Diffie-Hellman Algorithm
NIST standard P256 elliptic curve support
SHA-256 hash algorithm with HMAC option
Internal high-quality FIPS random number generator (RNG)
10Kb EEPROM memory for keys, certificates, and data
- Storage for up to 16 keys
- Guaranteed-unique 72-bit serial number
Two high-endurance monotonic counters
Multiple options for consumption logging and one-time write information
Intrusion latch for external tamper switch or power-on chip enablement

The cryptochip is connected to the i.MX6UL CPU through the I2C1 port.

Note There is no kernel driver and no device tree entries for this hardware element, as it is managed directly from userspace.

Userspace usage

CryptoAuthLib is a software library written in C that supports several Atmel CryptoAuthentication devices. It is a portable, extensible, powerful, and easy-to-use library for working with the ATSHA and ATECC family of devices.

Example application

Digi Embedded Yocto includes an example using this library: https://github.com/digi-embedded/dey-examples/tree/dey-2.2/maint/cryptochip-get-random. This application obtains random numbers from the ATECC508A and outputs them to the standard output stream:

root@ccimx6ulstarter:~# ./cryptochip-gen-random | hexdump
0000000 6239 ddd4 b378 693f 14ed bfa1 447b cff1
0000010 275e fd14 e392 2b4a c2ff ac93 0f5e cbab
0000020 16c1 e6b7 a458 c5ea c96f 59c9 776a 41c5
0000030 a656 ffa8 2076 6917 f18a e9ad 9ea1 7915
0000040 b677 aec3 a0a2 c7b6 c8ce 2a1f aa6c d9fc
0000050 f75c 3b57 eea4 051b 3a5f 7bd9 523f 4544
0000060 cb1a 388c b655 e8ca d6eb e459 8a43 cd2f
(...)

The output of the application matches what you would read from a standard random number generator, like /dev/random. For example, you can also store the random data—checking the speed at which it is produced—and then run an entropy test on it:

root@ccimx6ulstarter:~# ./cryptochip-gen-random | pv --rate > data.bin
[ 912 B/s]
root@ccimx6ulstarter:~# ent data.bin 
Entropy = 7.998261 bits per byte.
 
Optimum compression would reduce the size
of this 291808 byte file by 0 percent.
 
Chi square distribution for 291808 samples is 706.41, and randomly
would exceed this value less than 0.01 percent of the times.
 
Arithmetic mean value of data bytes is 127.0582 (127.5 = random).
Monte Carlo value for Pi is 3.149895135 (error 0.26 percent).
Serial correlation coefficient is 0.000944 (totally uncorrelated = 0.0).

Note The ent utility is not included in Digi Embedded Yocto by default. You can transfer the random data file to your host computer and analyze it there.

Building applications

Follow these steps to compile an application that uses the cryptochip:

Include the cryptoauthlib header:

#include <cryptoauthlib.h>

Use the I2C default configuration to initialize the library:

atcab_init(&cfg_ateccx08a_i2c_default);

Note The cfg_ateccx08a_i2c_default variable is provided by the library and it is already configured for the ConnectCore 6UL SOM.

Add the following lines to the Makefile so that the applications are linked against the library:

CFLAGS += $(shell pkg-config --cflags cryptoauthlib)
LDLIBS += $(shell pkg-config --libs --static cryptoauthlib)

Note For more information about the use of this library, see the Atmel Application Note 8984 - Cryptoauthlib. The library is already integrated for the ConnectCore 6UL SOM, so you can skip the Porting guide section of the Atmel application note.