10.2. Miscellaneous
10.2.1. Demos and examples supported on A71CH
Refer to DEMO List for the list of demo applications supported on A71CH. Make the following changes when testing with A71CH:
Set the Applet to A71CH and SMCOM to SCI2C in the build configuration and rebuild the middleware.
To provision the A71CH for a cloud application, change the subsystem to a71ch in the file …/simw-top/pycli/src/Provision/Provision_config.py:
SUBSYSTEM = "a71ch"
When testing a cloud application on a Linux platform, point the OPENSSL_CONF environment variable at the A71CH-specific OpenSSL configuration file: openssl_sss_a71ch.cnf (OpenSSL 1.0) or openssl11_sss_a71ch.cnf (OpenSSL 1.1).
10.2.2. OpenSSL Engine
The Plug&Trust MW comes with two OpenSSL Engine implementations; both support OpenSSL 1.1.1:
- SSS API based (A71CH SSS OpenSSL Engine)
- A71CH Legacy API based (A71CH Legacy OpenSSL Engine)
The reference key formats of the two engines, and the tools that create and handle the reference keys, are different and incompatible: a reference key made for one engine cannot be used with the other.
The implementation using the SSS API is documented in Introduction on OpenSSL engine and resides in .../sss/plugin/openssl. The functionality of this engine is restricted to EC NIST P-256 keys.
The implementation using the A71CH Legacy API resides in .../hostlib/hostlib/embSeEngine.
The reference key format used by the SSS OpenSSL Engine refers to the stored EC key by SSS Object Identifier. It relies on the SSS Object Identifier to A71CH internal storage mapping table (A71CH and SSS API) to locate the stored EC key in the attached A71CH.
The reference key format used by the A71CH Legacy OpenSSL Engine refers to the stored EC key by key class and key index. Both key class and index are specific to the A71CH secure element. The following is an example of the reference key format used by the A71CH Legacy OpenSSL Engine. The value reserved for the private key has been used to contain:
- a pattern of 0x10..00 to fill up the data structure on the MSB side to the desired key length
- a 64-bit magic number (always 0xA5A6B5B6A5A6B5B6)
- a byte (0xkk) containing the key class (0x10 for key pair, 0x20 for public key)
- a byte (0xii) containing the key index (0x00 to 0x03 for key pair, 0x00 to 0x02 for public key)
Note that the reference key carries no secret material: the private key itself never leaves the A71CH, and the file only tells the engine which stored key to use.
Private-Key: (256 bit)
priv:
10:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
00:00:00:00:00:00:00:A5:A6:B5:B6:A5:A6:B5:B6:
kk:ii
pub:
04:1C:93:08:8B:26:27:BA:EA:03:D1:BE:DB:1B:DF:
8E:CC:87:EF:95:D2:9D:FC:FC:3A:82:6F:C6:E1:70:
A0:50:D4:B7:1F:F2:A3:EC:F8:92:17:41:60:48:74:
F2:DB:3D:B4:BC:2B:F8:FA:E8:54:72:F6:72:74:8C:
9E:5F:D3:D6:D4
ASN1 OID: prime256v1
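As an added example (not code from the Plug&Trust middleware or either A71CH engine), the following Python builds and parses the legacy reference key field described above and wraps it in an ordinary EC private key PEM, so that the result reads like the openssl ec -text dump shown. The RFC 5915 ECPrivateKey wrapper, the function names build_ref_priv, parse_ref_priv, ref_key_to_pem and pem_to_ref, and the strict check of the 0x10..00 fill pattern are assumptions of this example; the public point is copied from the dump above.

```python
"""Encoder/decoder for the A71CH Legacy OpenSSL Engine reference key field.

Added example, not middleware code. Layout modelled on the description above:
a 32-byte "private key" field = 0x10..00 fill pattern || 64-bit magic ||
key class byte (0xkk) || key index byte (0xii). The RFC 5915 ECPrivateKey
wrapper is an assumption about how the dump above was produced.
"""
import base64

MAGIC = bytes.fromhex("A5A6B5B6A5A6B5B6")
KEY_LEN = 32                                   # P-256 private scalar length in bytes
CLASS_KEYPAIR, CLASS_PUBLIC = 0x10, 0x20       # key class byte (0xkk)
MAX_INDEX = {CLASS_KEYPAIR: 0x03, CLASS_PUBLIC: 0x02}   # highest valid index per class
FILL = b"\x10" + b"\x00" * (KEY_LEN - len(MAGIC) - 2 - 1)   # 0x10..00 pattern, 22 bytes

# Uncompressed public point (0x04 || X || Y) copied from the example dump above.
EXAMPLE_PUB = bytes.fromhex(
    "041C93088B2627BAEA03D1BEDB1BDF" "8ECC87EF95D29DFCFC3A826FC6E170"
    "A050D4B71FF2A3ECF8921741604874" "F2DB3DB4BC2BF8FAE85472F672748C"
    "9E5FD3D6D4"
)
OID_PRIME256V1 = bytes.fromhex("2A8648CE3D030107")   # 1.2.840.10045.3.1.7


def build_ref_priv(key_class, key_index):
    """Return the 32-byte reference 'private key' field for a class/index pair."""
    if key_class not in MAX_INDEX:
        raise ValueError(f"unknown key class 0x{key_class:02X}")
    if not 0 <= key_index <= MAX_INDEX[key_class]:
        raise ValueError(f"index {key_index} not valid for class 0x{key_class:02X}")
    return FILL + MAGIC + bytes([key_class, key_index])


def parse_ref_priv(priv):
    """Return (key_class, key_index) if priv is a well-formed reference key, else None.

    A genuine random P-256 scalar is rejected because it does not carry the fill
    pattern and the magic at exactly these offsets."""
    if len(priv) != KEY_LEN or priv[:len(FILL)] != FILL or priv[-10:-2] != MAGIC:
        return None
    key_class, key_index = priv[-2], priv[-1]
    if key_class not in MAX_INDEX or key_index > MAX_INDEX[key_class]:
        return None
    return key_class, key_index


def _der(tag, content):
    """Minimal DER TLV encoder (definite-length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ref_key_to_pem(key_class, key_index, pub=EXAMPLE_PUB):
    """Wrap the reference field in an RFC 5915 ECPrivateKey structure and PEM-encode it."""
    body = (
        _der(0x02, b"\x01")                                  # version 1
        + _der(0x04, build_ref_priv(key_class, key_index))   # privateKey OCTET STRING
        + _der(0xA0, _der(0x06, OID_PRIME256V1))             # [0] parameters: prime256v1
        + _der(0xA1, _der(0x03, b"\x00" + pub))              # [1] publicKey BIT STRING
    )
    b64 = base64.b64encode(_der(0x30, body)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN EC PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END EC PRIVATE KEY-----\n"


def pem_to_ref(pem):
    """Pull the privateKey field out of a PEM ECPrivateKey and classify it."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not an ECPrivateKey SEQUENCE")
    _, _version, pos = _read_tlv(seq, 0)        # skip INTEGER version
    tag, priv, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected privateKey OCTET STRING")
    return parse_ref_priv(priv)


if __name__ == "__main__":
    pem = ref_key_to_pem(CLASS_KEYPAIR, 0)      # key pair slot 0, as in the dump above
    print(pem)
    print("decoded as (class, index):", pem_to_ref(pem))
```

parse_ref_priv is also the practical check a host-side tool needs before handling a PEM from disk: a file that decodes to a class/index pair is a harmless pointer into the A71CH, while one that does not is a real private scalar and must be protected accordingly.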
10.2.3. A71CH and SCP03
Enabling SCP03 channel encryption on the A71CH is a two-step process:
- [Phase-0] First the SCP03 keys must be set on the A71CH. The SCP03 keys can only be set once!
- [Phase-1] Once the SCP03 keys are set on the A71CH, an SCP03 channel can be established between Host and A71CH. Once an SCP03 channel has been established successfully, the use of SCP03 becomes mandatory for all subsequent communication between Host and A71CH.
In the SSS API based example applications, two utility functions support SCP03 channel encryption:
- ex_a71ch_SetSeScp03Keys is used to set the keys as required for [Phase-0]
- SCP_Authenticate is used to establish the SCP03 channel [Phase-1]
The example code (sss/ex/inc/ex_sss_main_inc.h) always combines these two steps and depends on the 'Debug Reset' command for this.
In a product deployment the two phases must be distinct. [Phase-0] is executed only once. Ensure that the SCP03 keys are securely and persistently stored on the host: because the keys can only be set once and SCP03 is mandatory after a channel has been established, a host that loses its copy of the keys can no longer communicate with that A71CH.
To enable SCP03 in the SSS API examples, set the following CMake options:
-DA71CH_AUTH=SCP03
-DSCP=SCP03_HostCrypto
Please refer to CMake Options for more details and an overview of all available CMake options.
Note
The Plug&Trust MW also contains example code illustrating the setup of an SCP03 channel between Host and Secure Element for applications based on the A71CH API; please refer to hostlib/a71ch/ex/mainA71CH.c.
10.2.4. A71CH on Raspberry Pi
When building the stack for A71CH on Raspberry Pi, set the following CMake options:
cmake -DApplet=A71CH -DSMCOM=SCI2C .
The default I2C master of the Raspberry Pi does not support the SMBus 'block read' feature required by the SCI2C protocol. As a workaround a software (GPIO bit-banged) I2C master must be used.
Add the following line to /boot/config.txt on the Raspberry Pi SD card and reboot:
dtoverlay=i2c-gpio,bus=4,i2c_gpio_delay_us=1,i2c_gpio_sda=23,i2c_gpio_scl=24
This creates a /dev/i2c-4 I2C port on the Raspberry Pi, with SDA on GPIO23 and SCL on GPIO24.
Modify .../simw-top/hostlib/hostLib/platform/linux/i2c_a7.c so that the default device name points to that port:
static char* default_axSmDevice_name = "/dev/i2c-4";
The following table lists the connections to make between the Raspberry Pi header and the A71CH.
| Raspberry Pi Header | A71CH |
|---|---|
| Pin# 1 | Power (3.3 V) |
| Pin# 6 | Ground |
| Pin# 16 (GPIO23) | I2C Data (SDA) |
| Pin# 18 (GPIO24) | I2C Clock (SCL) |