edit

Secure Chip

Neutis features tamper-resistant dedicated crypto chip (ATECC508A) for storing cryptographic keys, unique ID, random number generation and more. The ATECC508A can generate high-quality FIPS random numbers, each of them is guaranteed to be essentially unique from all numbers ever generated on this or any other device.

This examples demonstrates how to generate random numbers.

Package building and installation

The first step is to build a package with CryptoAuthLib support and random_number application. If you have not yet build any images or packages with Yocto, visit this page. If you have already set up build host, then navigate to neutis-image directory.

Open meta-layers/meta-emlid-neutis-examples/recipes-core/images/neutis-image.bbappend and uncomment the following line:

IMAGE_INSTALL_append += "secure-chip-example"

Build the secure-chip-example package:

bitbake secure-chip-example

Find the package:

find tmp/deploy/ipk/ -name "*secure-chip*.ipk"

You should find secure-chip-example_0.1-r0_aarch64.ipk.

Copy ipk file to Neutis:

rsync -avz secure-chip-example_0.1-r0_aarch64.ipk root@192.168.2.15:/home/root

where 192.168.2.15 is Neutis IP address.

Copy ipk file with rsync or scp to Neutis and install with the following command:

ls secure-chip*.ipk | xargs opkg install

Testing

Execute random_number and you should get the random 32 byte number:

56 df cd 39 5f e1 da f1
80 fa 0c e9 b1 3f 45 a6
e2 64 8e c7 4d 0d 59 a0
15 48 ca 35 83 1b eb b0

The program explained

The random_number is actually the following compiled C program:

#include <stdio.h>
#include <cryptoauthlib.h>

ATCAIfaceCfg g_iface_config = {
    .iface_type        = ATCA_I2C_IFACE,
    .devtype           = ATECC508A,
    .atcai2c           = {
        .slave_address = 0xC0,
        .bus           = 0,
        .baud          = 400000,
    },
    .wake_delay        = 1500,
    .rx_retries        = 20
};

int read_atecc_random_number(uint8_t* random_number)
{
    ATCA_STATUS status = atcab_init(&g_iface_config);

    if (status != ATCA_SUCCESS) {
        printf("atcab_init() failed with ret=0x%08d\r\n", status);
        return -1;
    }

    status = atcab_random(random_number);;
    atcab_release();

    if (status != ATCA_SUCCESS) {
        printf("atcab_random() failed with ret=0x%08d\r\n", status);
        return -1;
    }

    return 0;
}

int main(void)
{
    uint8_t random_number[32];

    if (read_atecc_random_number(&random_number) != 0)
        return -1;

    for (int i = 0; i < 4; i++){
        for(int j = 0; j < 8; j++){
             printf("%02x ", random_number[i * 8 + j]);
        }
        printf("\n");
    }
    return 0;
}

1) Include the cryptoauthlib.h header file to get access to CryptoAuthLib API.

2) Call atcab_init() with a pointer for a configuration for an ATECC508A I2C interface.

3) Call atcab_random() passing a pointer to uint8_t array to receive the 32 byte random number.

4) Print the generated number.

Where to go next

The complete ATECC508A data sheet and CryptoAuthLib API can be found here. Beware of some functions and read carefully the documentation as you may lock some data slots so as you cannot use them anymore.