10.2. Miscellaneous

10.2.1. Demos and examples supported on A71CH

Refer to DEMO List to see the list of demo applications supported on A71CH. Make the following changes when testing with A71CH.

  1. Set the Applet to A71CH and SMCOM to SCI2C in the build configuration and rebuild the middleware.

  2. To provision A71CH for cloud application, change the subsystem to a71ch in …/simw-top/pycli/src/Provision/Provision_config.py file.

    SUBSYSTEM = "a71ch"
    
  3. When testing a cloud application on a Linux platform, set OPENSSL_CONF to the A71CH-specific OpenSSL config file: openssl_sss_a71ch.cnf (for OpenSSL 1.0) or openssl11_sss_a71ch.cnf (for OpenSSL 1.1).

10.2.2. OpenSSL Engine

The Plug&Trust MW comes with two OpenSSL Engine implementations; both support OpenSSL 1.1.1:

  • SSS API based (A71CH SSS OpenSSL Engine)

  • A71CH Legacy API based (A71CH Legacy OpenSSL Engine)

The reference key format and the tools supporting the reference keys are different and incompatible.

The implementation using the SSS API is documented in Introduction on OpenSSL engine and resides in .../sss/plugin/openssl. The functionality of the engine is restricted to EC NIST P-256 keys.

The implementation using the A71CH Legacy API resides in .../hostlib/hostlib/embSeEngine.

The reference key format used by the SSS OpenSSL Engine refers to the stored EC key by SSS Object Identifier. It relies upon the SSS Object Identifier to A71CH Internal storage mapping table (A71CH and SSS API) to locate the stored EC key in the attached A71CH.

The reference key format used by the A71CH Legacy OpenSSL Engine refers to the stored EC key by key class and key index. Both key class and index are specific to the A71CH secure element. The following provides an example of reference key format used by the A71CH Legacy OpenSSL Engine. The value reserved for the private key has been used to contain:

  • a pattern of 0x10..00 to fill up the data structure on the MSB side to the desired key length

  • a 64 bit magic number (always 0xA5A6B5B6A5A6B5B6)

  • a byte (0xkk) to contain the key class (0x10 for key pair and 0x20 for public key)

  • a byte (0xii) to contain the key index (0x00 to 0x03 for key pair and 0x00 to 0x02 for public key)

Private-Key: (256 bit)
priv:
    10:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:A5:A6:B5:B6:A5:A6:B5:B6:
    kk:ii
pub:
    04:1C:93:08:8B:26:27:BA:EA:03:D1:BE:DB:1B:DF:
    8E:CC:87:EF:95:D2:9D:FC:FC:3A:82:6F:C6:E1:70:
    A0:50:D4:B7:1F:F2:A3:EC:F8:92:17:41:60:48:74:
    F2:DB:3D:B4:BC:2B:F8:FA:E8:54:72:F6:72:74:8C:
    9E:5F:D3:D6:D4
ASN1 OID: prime256v1
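The following added example (not code from the Plug&Trust MW) builds the reference "private key" value described above for a given key class and index, validates a candidate value so that a genuine P-256 scalar is not mistaken for a reference, and renders it in the colon-separated layout shown in the dump. The byte layout (0x10 fill, 64-bit magic, class byte, index byte) and the class/index ranges are taken from the list above; nothing else is assumed.

```python
# Added example, not part of the Plug&Trust MW: encode/decode the reference
# private-key value used by the A71CH Legacy OpenSSL Engine.
MAGIC = bytes.fromhex("A5A6B5B6A5A6B5B6")            # 64-bit marker, always this value
KEY_CLASSES = {0x10: range(0, 4), 0x20: range(0, 3)}  # key pair idx 0..3, public key idx 0..2
KEY_LEN = 32                                         # EC P-256 private scalar length in bytes


def build_ref_priv(key_class: int, key_index: int) -> bytes:
    """Return the 32-byte reference value: 0x10, zero fill, MAGIC, class, index."""
    if key_class not in KEY_CLASSES:
        raise ValueError("unknown key class 0x%02X" % key_class)
    if key_index not in KEY_CLASSES[key_class]:
        raise ValueError("index %d out of range for class 0x%02X" % (key_index, key_class))
    tail = MAGIC + bytes([key_class, key_index])
    return b"\x10" + b"\x00" * (KEY_LEN - len(tail) - 1) + tail


def parse_ref_priv(blob: bytes):
    """Return (key_class, key_index) if blob is a well-formed reference, else None.

    A genuine P-256 private key is rejected here, so a caller can decide whether
    the operation belongs to the A71CH or to host-side OpenSSL.
    """
    if len(blob) != KEY_LEN or blob[-10:-2] != MAGIC:
        return None
    key_class, key_index = blob[-2], blob[-1]
    if key_class not in KEY_CLASSES or key_index not in KEY_CLASSES[key_class]:
        return None
    # The fill pattern must be exactly 0x10 followed by zeros up to the magic.
    if blob[0] != 0x10 or any(blob[1:-10]):
        return None
    return key_class, key_index


def openssl_hex_dump(blob: bytes, per_line: int = 15) -> str:
    """Render bytes in the 15-per-line colon layout shown in the dump above."""
    pairs = ["%02X" % b for b in blob]
    rows = [pairs[i:i + per_line] for i in range(0, len(pairs), per_line)]
    return "    " + ":\n    ".join(":".join(r) for r in rows)
```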

10.2.3. A71CH and SCP03

Enabling SCP03 channel encryption on the A71CH is a two-step process:

  • [Phase-0] First the SCP03 keys must be set on the A71CH. The SCP03 keys can only be set once!

  • [Phase-1] Once the SCP03 keys are set on the A71CH an SCP03 channel can be established between Host and A71CH. In case an SCP03 channel has been established successfully, the use of SCP03 becomes mandatory for all subsequent communication between Host and A71CH.

In the SSS API based example applications, two utility functions are used to support SCP03 channel encryption:

  • ex_a71ch_SetSeScp03Keys is used to set the keys as required for [Phase-0]

  • SCP_Authenticate is used to establish the SCP03 channel [Phase-1]

The example code (sss/ex/inc/ex_sss_main_inc.h) always combines these two steps and depends on the ‘Debug Reset’ command for this. In a product deployment the two phases must be distinct. [Phase-0] is only executed once. Ensure that the SCP03 keys are securely and persistently stored on the host.

To enable SCP03 in the SSS API examples, set the following CMake options:

-DA71CH_AUTH=SCP03
-DSCP=SCP03_HostCrypto

Please refer to CMake Options for more details and an overview of all available CMake options.

Note

The Plug&Trust MW also contains example code illustrating the setting up of an SCP03 channel between Host and Secure Element for applications based upon the A71CH API: please refer to hostlib/a71ch/ex/mainA71CH.c

10.2.4. A71CH on Raspberry Pi

When building the stack for A71CH on Raspberry Pi, set the following CMake options:

cmake -DApplet=A71CH -DSMCOM=SCI2C .

The default i2c master of Raspberry Pi doesn’t support the SMBUS ‘block read’ feature required for the sci2c protocol. As a workaround a software implementation of an i2c master must be used.

Add the following line to /boot/config.txt on the Raspberry Pi SD card and reboot:

dtoverlay=i2c-gpio,bus=4,i2c_gpio_delay_us=1,i2c_gpio_sda=23,i2c_gpio_scl=24

This will create a /dev/i2c-4 i2c port on Raspberry Pi.

Modify .../simw-top/hostlib/hostLib/platform/linux/i2c_a7.c so that it uses the correct i2c port:

static char* default_axSmDevice_name = "/dev/i2c-4";

The following table illustrates the connections to make between the Raspberry Pi Header and the A71CH.

A71CH pin connections

  Raspberry Pi Header    A71CH
  -------------------    ----------
  Pin# 1                 Power
  Pin# 6                 Ground
  Pin# 16                I2C Data
  Pin# 18                I2C Clock