The ConnectCore 8X SOM integrates an Atmel ATECC508A cryptochip that offers the following features:

  • Cryptographic accelerator with secure hardware-based key storage

  • Performs high-speed public key (PKI) algorithms

    • ECDSA: FIPS186-3 Elliptic Curve Digital Signature Algorithm

    • ECDH: FIPS SP800-56A Elliptic Curve Diffie-Hellman Algorithm

  • NIST standard P256 elliptic curve support

  • SHA-256 hash algorithm with HMAC option

  • Internal high-quality FIPS random number generator (RNG)

  • 10Kb EEPROM memory for keys, certificates, and data

    • Storage for up to 16 keys

    • Guaranteed-unique 72-bit serial number

  • Two high-endurance monotonic counters

  • Multiple options for consumption logging and one-time write information

  • Intrusion latch for external tamper switch or power-on chip enablement

The cryptochip is connected to the i.MX8QXP CPU through the I2C0 port.

There is no kernel driver and no device tree entries for this hardware element, as it is managed directly from userspace.

Userspace usage

CryptoAuthLib is a software library written in C that supports several Atmel CryptoAuthentication devices. It is a portable, extensible, powerful, and easy-to-use library for working with the ATSHA and ATECC family of devices.

Example application

Digi Embedded Yocto includes an example using this library: https://github.com/digi-embedded/dey-examples/tree/dey-2.6/maint/cryptochip-get-random. This application obtains random numbers from the ATECC508A and outputs them to the standard output stream:

~# ./cryptochip-gen-random | hexdump
0000000 6239 ddd4 b378 693f 14ed bfa1 447b cff1
0000010 275e fd14 e392 2b4a c2ff ac93 0f5e cbab
0000020 16c1 e6b7 a458 c5ea c96f 59c9 776a 41c5
0000030 a656 ffa8 2076 6917 f18a e9ad 9ea1 7915
0000040 b677 aec3 a0a2 c7b6 c8ce 2a1f aa6c d9fc
0000050 f75c 3b57 eea4 051b 3a5f 7bd9 523f 4544
0000060 cb1a 388c b655 e8ca d6eb e459 8a43 cd2f
(...)

The output of the application matches what you would read from a standard random number generator, like /dev/random. For example, you can also store the random data—checking the speed at which it is produced—and then run an entropy test on it:

~# ./cryptochip-gen-random | pv --rate > data.bin
[ 912 B/s]
~# ent data.bin
Entropy = 7.998261 bits per byte.
 
Optimum compression would reduce the size
of this 291808 byte file by 0 percent.
 
Chi square distribution for 291808 samples is 706.41, and randomly
would exceed this value less than 0.01 percent of the times.
 
Arithmetic mean value of data bytes is 127.0582 (127.5 = random).
Monte Carlo value for Pi is 3.149895135 (error 0.26 percent).
Serial correlation coefficient is 0.000944 (totally uncorrelated = 0.0).

The ent utility is not included in Digi Embedded Yocto by default. You can transfer the random data file to your host computer and analyze it there.
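
Because ent is not shipped in Digi Embedded Yocto, a small stand-alone checker can be built for the target instead. The following C program is an added example, not part of Digi's examples or CryptoAuthLib: it streams standard input and reports two of the statistics shown above, chi-square and serial correlation. The names rng_acc, rng_update and rng_finish are made up for this illustration.

```c
#include <stdio.h>

/* Running totals over a byte stream; zero-initialise before the first update. */
struct rng_acc {
    unsigned long long hist[256], n;
    double sum, sum_sq, sum_adj;  /* sum x, sum x^2, sum x[i]*x[i+1] */
    int first, prev;              /* first and most recent byte */
};

static void rng_update(struct rng_acc *a, const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (a->n++ == 0)
            a->first = buf[i];
        a->sum_adj += (double)a->prev * buf[i];  /* prev is 0 before the first byte */
        a->hist[buf[i]]++;
        a->sum += buf[i];
        a->sum_sq += (double)buf[i] * buf[i];
        a->prev = buf[i];
    }
}

/* Returns 0, or -1 when serial correlation is undefined (empty or constant input). */
static int rng_finish(const struct rng_acc *a, double *chi_square, double *serial_corr)
{
    double n = (double)a->n, expected = n / 256.0;
    *chi_square = *serial_corr = 0.0;
    if (a->n == 0)
        return -1;
    for (int v = 0; v < 256; v++)  /* uniform bytes: 255 degrees of freedom */
        *chi_square += (a->hist[v] - expected) * (a->hist[v] - expected) / expected;
    double adj = a->sum_adj + (double)a->prev * a->first;  /* ring: last pairs with first */
    double den = n * a->sum_sq - a->sum * a->sum;
    if (den == 0.0)
        return -1;
    *serial_corr = (n * adj - a->sum * a->sum) / den;
    return 0;
}

int main(void)
{
    struct rng_acc acc = { 0 };
    unsigned char buf[4096];
    double chi, scc;
    for (size_t got; (got = fread(buf, 1, sizeof buf, stdin)) > 0; )
        rng_update(&acc, buf, got);
    int rc = rng_finish(&acc, &chi, &scc);
    printf("bytes=%llu chi-square=%.2f serial-corr=%.6f (rc=%d)\n", acc.n, chi, scc, rc);
    return 0;
}
```

Feed it the saved sample on standard input, for example the data.bin file captured above. Byte statistics like these catch gross failures such as a stuck or heavily biased source; they do not by themselves establish cryptographic quality.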

Building applications

Before you can use the chip’s functionality, you must run the ecc-test-main application. This application tests the chip’s TLS capabilities and applies a default configuration.

Follow these steps to compile an application that uses the cryptochip:

  1. Include the cryptoauthlib header:

  2. Use the I2C default configuration to initialize the library:

    The cfg_ateccx08a_i2c_default variable is provided by the library and it is already configured for the ConnectCore 8X.
  3. Add the following lines to the Makefile so that the applications are linked against the library:

    CFLAGS += $(shell pkg-config --cflags cryptoauthlib)
    LDLIBS += $(shell pkg-config --libs --static cryptoauthlib)

For more information about the use of this library, see the Atmel Application Note 8984 - Cryptoauthlib. The library is already integrated for the ConnectCore 8X, so you can skip the Porting guide section of the Atmel application note.