sys/shell: Update cryptoauthlib shell commands
Contribution description
The cryptoauthlib shell command was broken due to API changes. I updated the calls.
Additionally I made the output a bit prettier.
It is also possible to select a specific device, in case there's more than one.
Update 2024-05-17: Now also compatible with ATECC608A config zone.
Testing procedure
Connect an ATECC508 (or 608), and run an application with the shell and the cryptoauthlib package. The output should look like this (values differ depending on configuration, of course):
Usage
2024-05-16 08:54:07,871 # atca
2024-05-16 08:54:07,886 # * set_dev <number> - set and initialize an atca device (defaults to index 0)
2024-05-16 08:54:07,891 # * read - read Microchip CryptoAuth device's config zone
2024-05-16 08:54:07,896 # * read_bin - read config zone and print binary data
2024-05-16 08:54:07,904 # * lock_c - PERMANENTLY lock Microchip CryptoAuth device's config zone (cannot be undone!)
2024-05-16 08:54:07,911 # * lock_d - PERMANENTLY lock Microchip CryptoAuth device's data zone (cannot be undone!)
2024-05-16 08:54:07,917 # * check_lc - check if Microchip CryptoAuth device's config zone is locked
2024-05-16 08:54:07,923 # * check_ld - check if Microchip CryptoAuth device's data zone is locked
atca read (for ATECC608A)
2024-05-17 16:55:22,735 # atca read
2024-05-17 16:55:22,769 # Config Zone
2024-05-17 16:55:22,771 # Device Info (Read Only)
2024-05-17 16:55:22,775 # --------------------------------------------
2024-05-17 16:55:22,778 # Device Type | ATECC608
2024-05-17 16:55:22,781 # Serial No (Pt. 1) | 0x01 0x23 0x9b 0xb6
2024-05-17 16:55:22,786 # Revision No. | 0x00 0x00 0x60 0x02
2024-05-17 16:55:22,789 # Serial No (Pt. 2) | 0xc9 0xad 0xf1 0xd4 0xee
2024-05-17 16:55:22,792 # AES Enabled | True
2024-05-17 16:55:22,793 # I2C Enabled | True
2024-05-17 16:55:22,796 # Single Wire | False
2024-05-17 16:55:22,800 # --------------------------------------------
2024-05-17 16:55:22,800 #
2024-05-17 16:55:22,802 # Device Info (Writable)
2024-05-17 16:55:22,806 # ---------------------------------------------
2024-05-17 16:55:22,808 # I2C Address | 0xc0
2024-05-17 16:55:22,810 # Counter Match | Disabled
2024-05-17 16:55:22,811 # ChipMode:
2024-05-17 16:55:22,814 # I2C Address | Default address
2024-05-17 16:55:22,818 # TTLenable | Fixed input levels
2024-05-17 16:55:22,821 # Watchdog | 1.3 sec (recommended)
2024-05-17 16:55:22,824 # Clock Divider | 0x00
2024-05-17 16:55:22,824 #
2024-05-17 16:55:22,825 # Slot Config
2024-05-17 16:55:22,828 # ----------------------------------------
2024-05-17 16:55:22,831 # SlotID | Hex | Binary
2024-05-17 16:55:22,834 # | | 7 0 | 15 8
2024-05-17 16:55:22,837 # --------+--------+----------------------
2024-05-17 16:55:22,841 # 0 | 0x8720 | 00000001 | 00000001 |
2024-05-17 16:55:22,845 # 1 | 0x8720 | 10011011 | 10011011 |
2024-05-17 16:55:22,849 # 2 | 0x8720 | 00000000 | 00000000 |
2024-05-17 16:55:22,852 # 3 | 0x8720 | 01100000 | 01100000 |
2024-05-17 16:55:22,856 # 4 | 0x8700 | 11001001 | 11001001 |
2024-05-17 16:55:22,860 # 5 | 0x8700 | 11110001 | 11110001 |
2024-05-17 16:55:22,864 # 6 | 0x8f20 | 11101110 | 11101110 |
2024-05-17 16:55:22,867 # 7 | 0x8720 | 01111001 | 01111001 |
2024-05-17 16:55:22,871 # 8 | 0x0000 | 11000000 | 11000000 |
2024-05-17 16:55:22,875 # 9 | 0x0000 | 00000000 | 00000000 |
2024-05-17 16:55:22,878 # 10 | 0x0000 | 10000111 | 10000111 |
2024-05-17 16:55:22,882 # 11 | 0x0000 | 10000111 | 10000111 |
2024-05-17 16:55:22,886 # 12 | 0x0000 | 10000111 | 10000111 |
2024-05-17 16:55:22,890 # 13 | 0x0000 | 10000111 | 10000111 |
2024-05-17 16:55:22,893 # 14 | 0x0000 | 10000111 | 10000111 |
2024-05-17 16:55:22,893 #
2024-05-17 16:55:22,897 # Counter 0 | 0x00 0x00 0x00 0x01
2024-05-17 16:55:22,900 # Counter 1 | 0x3f 0xff 0xff 0xff
2024-05-17 16:55:22,903 # UseLockEnable | False
2024-05-17 16:55:22,905 # VolatileKeyPermit | Disabled
2024-05-17 16:55:22,908 # SecureBootMode | Disabled
2024-05-17 16:55:22,910 # SecureBootPersist | Disabled
2024-05-17 16:55:22,915 # SecureBootNonce | Optional, controlled by SecureBootMode
2024-05-17 16:55:22,920 # Secure Boot Signature or Digest stored in slot 0
2024-05-17 16:55:22,923 # Secure Boot Public Key stored in slot 0
2024-05-17 16:55:22,925 # KDF IV Loc | 0
2024-05-17 16:55:22,927 # UserExtra | 0x00
2024-05-17 16:55:22,929 # UserExtraAdd (I2C)| 0xc1
2024-05-17 16:55:22,933 # LockValue | Data and OTP Locked
2024-05-17 16:55:22,936 # LockConfig | Config Zone Locked
2024-05-17 16:55:22,936 #
2024-05-17 16:55:22,940 # SlotLocked (X = locked, - = unlocked):
2024-05-17 16:55:22,945 # Slot | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
2024-05-17 16:55:22,950 # Locked | - - - - - - - - - - - - - - - -
2024-05-17 16:55:22,951 # Chip Options:
2024-05-17 16:55:22,953 # Power On Self Test| Disabled
2024-05-17 16:55:22,956 # IO Prot Key | Disabled
2024-05-17 16:55:22,959 # AES KDF | Disabled
2024-05-17 16:55:22,962 # ECDH | Clear Output on Bus OK
2024-05-17 16:55:22,966 # KDF | Clear Output on Bus OK
2024-05-17 16:55:22,969 # IO Protection Key stored in slot 0
2024-05-17 16:55:22,969 #
2024-05-17 16:55:22,970 # X509 Format:
2024-05-17 16:55:22,973 # PubKey 0 | No restrictions
2024-05-17 16:55:22,976 # PubKey 1 | No restrictions
2024-05-17 16:55:22,979 # PubKey 2 | No restrictions
2024-05-17 16:55:22,983 # PubKey 3 | No restrictions
2024-05-17 16:55:22,983 #
2024-05-17 16:55:22,984 # Key Config
2024-05-17 16:55:22,987 # ----------------------------------------
2024-05-17 16:55:22,989 # SlotID | Hex | Binary
2024-05-17 16:55:22,993 # | | 7 0 | 15 8
2024-05-17 16:55:22,996 # --------+--------+----------------------
2024-05-17 16:55:23,000 # 0 | 0x1300 | 00010011 | 00010011 |
2024-05-17 16:55:23,004 # 1 | 0x1300 | 00010011 | 00010011 |
2024-05-17 16:55:23,007 # 2 | 0x1300 | 00010011 | 00010011 |
2024-05-17 16:55:23,011 # 3 | 0x1300 | 00010011 | 00010011 |
2024-05-17 16:55:23,015 # 4 | 0x1800 | 00011000 | 00011000 |
2024-05-17 16:55:23,019 # 5 | 0x1800 | 00011000 | 00011000 |
2024-05-17 16:55:23,022 # 6 | 0x1300 | 00010011 | 00010011 |
2024-05-17 16:55:23,026 # 7 | 0x1f00 | 00011111 | 00011111 |
2024-05-17 16:55:23,030 # 8 | 0x1c00 | 00011100 | 00011100 |
2024-05-17 16:55:23,034 # 9 | 0x1000 | 00010000 | 00010000 |
2024-05-17 16:55:23,037 # 10 | 0x1000 | 00010000 | 00010000 |
2024-05-17 16:55:23,041 # 11 | 0x1000 | 00010000 | 00010000 |
2024-05-17 16:55:23,045 # 12 | 0x1000 | 00010000 | 00010000 |
2024-05-17 16:55:23,048 # 13 | 0x1000 | 00010000 | 00010000 |
2024-05-17 16:55:23,052 # 14 | 0x1c00 | 00011100 | 00011100 |
atca read_bin
2024-05-16 08:55:58,145 # atca read_bin
2024-05-16 08:55:58,188 # ConfigZone Binary Data:
2024-05-16 08:55:58,192 # ---------------------------------------------------
2024-05-16 08:55:58,196 # Bytes \ Bits | 7 0 7 0 7 0 7 0
2024-05-16 08:55:58,201 # -------------+-------------------------------------
2024-05-16 08:55:58,207 # 000:003 | 00000001 00100011 10011011 10110110 SN0 SN1 SN2 SN3
2024-05-16 08:55:58,213 # 004:007 | 00000000 00000000 01100000 00000010 RN0 RN1 RN2 RN3
2024-05-16 08:55:58,219 # 008:011 | 11001001 10101101 11110001 11010100 SN4 SN5 SN6 SN7
2024-05-16 08:55:58,225 # 012:015 | 11101110 00000001 01111001 00000000 SN8 RSVD I2CE RSVD
2024-05-16 08:55:58,231 # 016:019 | 11000000 00000000 00000000 00000000 I2CA RSVD OTPM CM
2024-05-16 08:55:58,231 #
2024-05-16 08:55:58,232 # Slot Config
2024-05-16 08:55:58,237 # ---------------------------------------------------
2024-05-16 08:55:58,241 # Bytes \ Bits | 7 0 15 8 7 0 15 8
2024-05-16 08:55:58,245 # -------------+-------------------------------------
2024-05-16 08:55:58,251 # 020:023 | 10000111 00100000 10000111 00100000 SC0 SC0 SC1 SC1
2024-05-16 08:55:58,257 # 024:027 | 10000111 00100000 10000111 00100000 SC2 SC2 SC3 SC3
2024-05-16 08:55:58,263 # 028:031 | 10000111 00000000 10000111 00000000 SC4 SC4 SC5 SC5
2024-05-16 08:55:58,269 # 032:035 | 10001111 00100000 10000111 00100000 SC6 SC6 SC7 SC7
2024-05-16 08:55:58,275 # 036:039 | 00000000 00000000 00000000 00000000 SC8 SC8 SC9 SC9
2024-05-16 08:55:58,282 # 040:043 | 00000000 00000000 00000000 00000000 SC10 SC10 SC11 SC11
2024-05-16 08:55:58,288 # 044:047 | 00000000 00000000 00000000 00000000 SC12 SC12 SC13 SC13
2024-05-16 08:55:58,294 # 048:051 | 00000000 00000000 00000000 00000000 SC14 SC14 SC15 SC15
2024-05-16 08:55:58,300 # 052:055 | 00000000 00000000 00000000 00000001 CNT0 CNT0 CNT0 CNT0
2024-05-16 08:55:58,307 # 056:059 | 00000000 00000000 00000000 00000000 CNT0 CNT0 CNT0 CNT0
2024-05-16 08:55:58,313 # 060:063 | 00111111 11111111 11111111 11111111 CNT1 CNT1 CNT1 CNT1
2024-05-16 08:55:58,319 # 064:067 | 00000000 00000000 00000000 00000000 CNT1 CNT1 CNT1 CNT1
2024-05-16 08:55:58,326 # 068:071 | 00000000 00000000 00000000 00000000 LKU0 LKU1 LKU2 LKU3
2024-05-16 08:55:58,332 # 072:075 | 00000000 00000000 00000000 00000000 LKU4 LKU5 LKU6 LKU7
2024-05-16 08:55:58,338 # 076:079 | 00000000 00000000 00000000 00000000 LKU8 LKU9 LKU10 LKU11
2024-05-16 08:55:58,345 # 080:083 | 00000000 00000000 00000000 00000000 LKU12 LKU13 LKU14 LKU15
2024-05-16 08:55:58,351 # 084:087 | 00000000 11000001 00000000 00000000 UE SEL LV LC
2024-05-16 08:55:58,357 # 088:091 | 11111111 11111111 00000000 00000000 SL0 SL1 RFU0 RFU1
2024-05-16 08:55:58,364 # 092:095 | 00000000 00000000 00000000 00000000 X509-0 X509-1 X509-2 X509-3
2024-05-16 08:55:58,364 #
2024-05-16 08:55:58,365 # Key Config
2024-05-16 08:55:58,369 # ---------------------------------------------------
2024-05-16 08:55:58,374 # Bytes \ Bits | 7 0 15 8 7 0 15 8
2024-05-16 08:55:58,378 # -------------+-------------------------------------
2024-05-16 08:55:58,384 # 096:099 | 00010011 00000000 00010011 00000000 KC0 KC0 KC1 KC1
2024-05-16 08:55:58,390 # 100:103 | 00010011 00000000 00010011 00000000 KC2 KC2 KC3 KC3
2024-05-16 08:55:58,396 # 104:107 | 00011000 00000000 00011000 00000000 KC4 KC4 KC5 KC5
2024-05-16 08:55:58,402 # 108:111 | 00010011 00000000 00011111 00000000 KC6 KC6 KC7 KC7
2024-05-16 08:55:58,408 # 112:115 | 00011100 00000000 00010000 00000000 KC8 KC8 KC9 KC9
2024-05-16 08:55:58,414 # 116:119 | 00010000 00000000 00010000 00000000 KC10 KC10 KC11 KC11
2024-05-16 08:55:58,421 # 120:123 | 00010000 00000000 00010000 00000000 KC12 KC12 KC13 KC13
2024-05-16 08:55:58,427 # 124:127 | 00011100 00000000 00011100 00000000 KC14 KC14 KC15 KC15
Murdock results
:heavy_check_mark: PASSED
272d48db6382e09ab5ac5919aa044f61df2259cf pkg/cryptoauthlib: Address static test fails
| Success | Failures | Total | Runtime |
|---|---|---|---|
| 10178 | 0 | 10178 | 15m:27s |
I've tested it with an ATECC608C with success! Although my output looks a bit different, especially the part on which slots data/keys are stored:
Counter 0 | 0xff 0xff 0xff 0xff
Counter 1 | 0xff 0xff 0xff 0xff
UseLockEnable | False
VolatileKeyPermit | Disabled
SecureBootMode | Disabled
SecureBootPersist | Disabled
SecureBootNonce | Optional, controlled by SecureBootMode
Secure Boot Signature or Digest stored in slot 7
Secure Boot Public Key stored in slot 240
Slot 7 seems ok but slot 240 doesn't. In this other example it shows another kind of random number:
Chip Options:
Power On Self Test| Disabled
IO Prot Key | Enabled
AES KDF | Enabled
ECDH | Clear Output on Bus OK
KDF | Clear Output on Bus OK
IO Protection Key stored in slot 96
I don't mind much that output since the device and key config are what is expected from the configuration which was originally flashed into the device by the manufacturer. I think after the comments by the automatic review are addressed this PR could be ready for merge.
Why did this PR get stuck? What do you need to move this forward, @Einhornhool?
> Why did this PR get stuck? What do you need to move this forward, @Einhornhool?
I did not get a notification that it has been reviewed and forgot about it. Will take a closer look tomorrow :)
@kYc0o Thank you for testing this! Those numbers do look weird, but they're probably caused by the device configuration rather than the shell application. I've used this with four or five different devices now and they were all fine. Maybe @mguetschow can also try it, now that he has an ATECC-device ;)
Yeah, of course it's some configuration thing, but I was probably expecting that the tool can read standard configuration regardless of the device. Are all your devices with the same config or do they have different ones? I know for certain that the configuration is valid since it was validated by Microchip, but I can check afterwards myself what can cause the mismatch.
> Yeah, of course it's some configuration thing, but I was probably expecting that the tool can read standard configuration regardless of the device. Are all your devices with the same config or do they have different ones? I know for certain that the configuration is valid since it was validated by Microchip, but I can check afterwards myself what can cause the mismatch.
Hmm, internally it just uses the calib_read_config_zone command, writes all the bytes into a data buffer and then interprets them. So if it works correctly, it did get those numbers from the device config zone.
Can you check the read_bin command and see what's written in bytes 70-71 and 90-91?
The devices I tested were configured and unconfigured, but the configured ones all had the same configuration.
> @kYc0o Thank you for testing this! Those numbers do look weird, but they're probably caused by the device configuration rather than the shell application. I've used this with four or five different devices now and they were all fine. Maybe @mguetschow can also try it, now that he has an ATECC-device ;)
Can do, but only next week :)
> > Yeah, of course it's some configuration thing, but I was probably expecting that the tool can read standard configuration regardless of the device. Are all your devices with the same config or do they have different ones? I know for certain that the configuration is valid since it was validated by Microchip, but I can check afterwards myself what can cause the mismatch.
>
> Hmm, internally it just uses the calib_read_config_zone command, writes all the bytes into a data buffer and then interprets them. So if it works correctly, it did get those numbers from the device config zone.
> Can you check the read_bin command and see what's written in bytes 70-71 and 90-91?
> The devices I tested were configured and unconfigured, but the configured ones all had the same configuration.
Sure! This is what I get from the read_bin command:
Slot Config
---------------------------------------------------
Bytes \ Bits | 7 0 15 8 7 0 15 8
-------------+-------------------------------------
068:071 | 00000000 00000000 00000011 11110111 LKU0 LKU1 LKU2 LKU3
072:075 | 00000000 01101001 01110110 00000000 LKU4 LKU5 LKU6 LKU7
076:079 | 00000000 00000000 00000000 00000000 LKU8 LKU9 LKU10 LKU11
080:083 | 00000000 00000000 00000000 00000000 LKU12 LKU13 LKU14 LKU15
084:087 | 00000000 00000000 00000000 00000000 UE SEL LV LC
088:091 | 11111111 11111111 00001110 01100000 SL0 SL1 RFU0 RFU1
btw I also changed the slot count to 16:
diff --git a/sys/shell/cmds/cryptoauthlib.c b/sys/shell/cmds/cryptoauthlib.c
index 93728e44fe..0480a3d6fb 100644
--- a/sys/shell/cmds/cryptoauthlib.c
+++ b/sys/shell/cmds/cryptoauthlib.c
@@ -27,7 +27,7 @@
#include "shell.h"
#define ATCA_CONFIG_READ_ONLY_BYTES (15)
-#define ATCA_KEY_SLOT_COUNT (15)
+#define ATCA_KEY_SLOT_COUNT (16)
#define ATCA_X509_KEY_COUNT (4)
#define SERIAL_NO_START_01 (0)
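Review bot: The `ATCA_KEY_SLOT_COUNT` define on the changed line carries no comment saying what it counts, which makes an off-by-one like the old `(15)` easy to miss. The `read_bin` layout shown on this page labels SC0 through SC15 and KC0 through KC15, so `(16)` is consistent with it. Suggest a one-line comment tying the value to the 16 two-byte SlotConfig/KeyConfig entries, and a check that every loop or array sized by this macro still stays inside the config-zone buffer now that one more entry is processed.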
Finally took the time for testing this here with a locked ATECC608A, and I get a very similar output to @Einhornhool's initial post. The only difference seems to be the counter value which is all 0xFF for me.
In particular, the three reported slot numbers are all zero and atca read_bin also contains zeros as follows:
068:071 | 00000000 00000000 00000000 00000000 LKU0 LKU1 LKU2 LKU3
072:075 | 00000000 00000000 00000000 00000000 LKU4 LKU5 LKU6 LKU7
076:079 | 00000000 00000000 00000000 00000000 LKU8 LKU9 LKU10 LKU11
080:083 | 00000000 00000000 00000000 00000000 LKU12 LKU13 LKU14 LKU15
084:087 | 00000000 00000000 00000000 00000000 UE SEL LV LC
088:091 | 11111111 11111111 00000000 00000000 SL0 SL1 RFU0 RFU1
I'd say the differences in the output are caused by different device configurations.
I now updated the slot count and fixed the issues with the static tests.
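The bytes asked about in the thread (70-71 and 90-91) can be decoded by hand from the posted `read_bin` rows. This is an added example, not code from the PR or from cryptoauthlib: it assumes the ATECC608A datasheet layout in which the slot references are 4-bit fields in the upper nibbles of bytes 71 and 91, and `slot_refs_t`, `decode_slot_refs`, `high_nibble_unshifted` and `fill_sample` are hypothetical names. With those bytes, the shifted fields come out as 15 and 6, while the same nibbles left unshifted are 240 and 96.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed ATECC608A config-zone layout (from the datasheet, not from the PR). */
#define CFG_SECURE_BOOT_HI (71) /* bits 3:0 SigDig slot, bits 7:4 PubKey slot */
#define CFG_CHIP_OPT_LO    (90) /* bit 0 POST, bit 1 IoProtKeyEnable, bit 2 KdfAesEnable */
#define CFG_CHIP_OPT_HI    (91) /* bits 1:0 ECDHProt, 3:2 KDFProt, 7:4 IoProtKey slot */

typedef struct {
    uint8_t sigdig_slot, pubkey_slot, io_prot_key_slot;
    uint8_t post_en, io_prot_key_en, kdf_aes_en;
} slot_refs_t; /* hypothetical type for this example */

/* Decode the slot references; returns -1 if the buffer is too short. */
int decode_slot_refs(const uint8_t *cfg, size_t len, slot_refs_t *out)
{
    if (cfg == NULL || out == NULL || len <= CFG_CHIP_OPT_HI) {
        return -1;
    }
    out->sigdig_slot      = cfg[CFG_SECURE_BOOT_HI] & 0x0F;
    out->pubkey_slot      = (cfg[CFG_SECURE_BOOT_HI] & 0xF0) >> 4;
    out->io_prot_key_slot = (cfg[CFG_CHIP_OPT_HI] & 0xF0) >> 4;
    out->post_en          = cfg[CFG_CHIP_OPT_LO] & 0x01;
    out->io_prot_key_en   = (cfg[CFG_CHIP_OPT_LO] >> 1) & 0x01;
    out->kdf_aes_en       = (cfg[CFG_CHIP_OPT_LO] >> 2) & 0x01;
    return 0;
}

/* Mask without the shift: a 4-bit slot field then reads as 0x10..0xF0. */
uint8_t high_nibble_unshifted(uint8_t b) { return b & 0xF0; }

/* Constructed sample: bytes 70-71 and 90-91 as posted from read_bin, rest zero. */
void fill_sample(uint8_t cfg[128])
{
    memset(cfg, 0, 128);
    cfg[70] = 0x03; cfg[71] = 0xF7; /* 00000011 11110111 */
    cfg[90] = 0x0E; cfg[91] = 0x60; /* 00001110 01100000 */
}

int main(void)
{
    uint8_t cfg[128];
    slot_refs_t r;
    fill_sample(cfg);
    if (decode_slot_refs(cfg, sizeof(cfg), &r) != 0) { return 1; }
    printf("shifted:   sigdig=%u pubkey=%u io_prot=%u\n",
           (unsigned)r.sigdig_slot, (unsigned)r.pubkey_slot, (unsigned)r.io_prot_key_slot);
    printf("unshifted: pubkey=%u io_prot=%u\n",
           (unsigned)high_nibble_unshifted(cfg[71]), (unsigned)high_nibble_unshifted(cfg[91]));
    return 0;
}
```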