Infineon / linux-optiga-trust-m

Linux tools and examples for OPTIGA™ Trust V1/V3 security solution
MIT License

Help. ECC key generation is no longer possible. #11

Closed yoshi-ohta closed 3 years ago

yoshi-ohta commented 3 years ago

Hi, I used the following command to generate an ECC key and changed the settings to initialize the metadata in the private key area, but I couldn't create the key. How can I recover it?

$ trustm_ecc_keygen -g 0xE0F3 -t 0x13 -k 0x03 -o E0F3_pub.pem
========================================================
Generating Key to 0xE0F3
Output File Name : E0F3_pub.pem 

Error [0x8007] : OPTIGA device Access Condition Not Satisfied
========================================================

# trustm_metadata -r 0xE0F3
=======================================================
Device EC Privte Key x         [0xE0F3] [Size 0019] : 
    20 11 C0 01 0F D0 03 E1 FC 07 D3 01 00 E0 01 03 
    E1 01 13 
    LcsO:0x0F, C:LcsO<0x07, E:ALW, Algo:ECC256, Key:Auth/Enc/Sign, 
========================================================

Since OID = 0xE0F2 was unused, I tried to set it with reference to this metadata, but an error occurred.

# trustm_metadata -r 0xE0F2
========================================================
Device EC Privte Key x         [0xE0F2] [Size 0013] : 
    20 0B C0 01 01 D0 03 E1 FC 07 D3 01 00 
    LcsO:0x01, C:LcsO<0x07, E:ALW, 

========================================================

# echo -en "\x20\x0B\xC0\x01\x01\xD0\x03\xE1\xFC\x07\xD3\x01\x00" > data_ini.bin
# trustm_metadata -w 0xE0F3 -F data_ini.bin
========================================================
Device EC Privte Key x         [0xE0F3] 
    20 09 C0 01 01 D0 01 00 D3 01 00 
    LcsO:0x01, C:ALW, E:ALW, 

4202:Error [0x8005] : OPTIGA device Invalid Parameter In Data Field
========================================================
ayushev commented 3 years ago

Hello @yoshi-ohta

What you have here is the answer to your question.

# trustm_metadata -r 0xE0F3
=======================================================
Device EC Privte Key x         [0xE0F3] [Size 0019] : 
    20 11 C0 01 0F D0 03 E1 FC 07 D3 01 00 E0 01 03 
    E1 01 13 
    LcsO:0x0F, C:LcsO<0x07, E:ALW, Algo:ECC256, Key:Auth/Enc/Sign,

LcsO 0x0f means that the Lifecycle State of the Object is set to "termination" (Solution Reference Manual Section 5.3), which means under normal conditions the object is not usable anymore (also for signing). Theoretically it can be reset (if you have a Trust M3 sample) with the evaluation kit and get started guide; there are examples on how to generate a metadata package to update a specific object. On the other side, it seems that you still can use another key object, 0xe0f2: it is still in creation state and has no specific metadata restrictions.

For better metadata management we are preparing an intuitive tool (python library) to support human readable metadata assignment; e.g. like below

{
    "lcso": "creation",
    "change": [
        "lcso",
        "<",
        "operational"
    ],
    "execute": "always",
    "algorithm": "nistp384r1",
    "key_usage": "21"
}
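
The following is an added example for this thread, not code from linux-optiga-trust-m or python-optiga-trust: it decodes the raw metadata bytes that trustm_metadata -r prints (the 0x20-wrapped TLV) into the same summary the tool shows, and then evaluates the Change access condition against the object's LcsO, which is the check the key generation into 0xE0F3 fails. Tags and values that the thread itself shows (0xC0 LcsO, 0xD0 Change, 0xD3 Execute, 0xE0 Algorithm, 0xE1 Key usage, access condition operand 0xE1 = LcsO and operator 0xFC = '<', LcsO 0x01/0x07/0x0F, algorithm 0x03 = ECC256, key usage 0x13 = Auth/Enc/Sign) are used as given; the other constants (NEV = 0xFF, the '>' and '==' operators, 0xD1 Read, the 0x03 initialization state, ECC384/ECC521 and key agreement codes, and treating a missing Change tag as ALW) are my assumptions from the Solution Reference Manual and are marked as such in the code. The two metadata blobs are copied from the hex dumps in the thread.

```python
# Added example for this thread (not code from linux-optiga-trust-m or
# python-optiga-trust): decode the metadata TLV that trustm_metadata -r
# prints and evaluate the Change access condition against LcsO.
#
# Taken from the thread's own decode: tag 0x20 wraps the metadata,
# 0xC0 = LcsO, 0xD0 = Change, 0xD3 = Execute, 0xE0 = Algorithm,
# 0xE1 = Key usage, AC operand 0xE1 = LcsO, AC operator 0xFC = '<',
# LcsO 0x01 = creation, 0x07 = operational, 0x0F = termination,
# Algorithm 0x03 = ECC256, Key usage 0x13 = Auth | Enc | Sign.
# Everything marked "assumed" is not shown on the page.

from typing import Dict, Tuple

LCS_NAMES = {0x01: "creation", 0x03: "initialization",  # 0x03 assumed
             0x07: "operational", 0x0F: "termination"}
AC_TAGS = {0xD0: "Change", 0xD1: "Read", 0xD3: "Execute"}  # 0xD1 assumed
ALGO_NAMES = {0x03: "ECC256", 0x04: "ECC384", 0x05: "ECC521"}  # 0x04/0x05 assumed
KEY_USAGE_BITS = {0x01: "Auth", 0x02: "Enc", 0x10: "Sign", 0x20: "KeyAgree"}  # 0x20 assumed
AC_OPERANDS = {0xE1: "LcsO"}
AC_OPERATORS = {0xFC: "<", 0xFB: ">", 0xFA: "=="}  # 0xFB/0xFA assumed

# Metadata exactly as printed in the thread (constructed from the hex dumps).
META_E0F3 = bytes.fromhex("2011C0010FD003E1FC07D30100E00103E10113")
META_E0F2 = bytes.fromhex("200BC00101D003E1FC07D30100")


def parse_metadata(meta: bytes) -> Dict[int, bytes]:
    """Split a 0x20-wrapped metadata blob into {tag: value}; strict on lengths."""
    if len(meta) < 2 or meta[0] != 0x20:
        raise ValueError("metadata must start with tag 0x20")
    body = meta[2:2 + meta[1]]
    if len(body) != meta[1]:
        raise ValueError("outer length does not match data")
    fields = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated inner TLV header")
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated inner TLV value for tag 0x%02X" % tag)
        fields[tag] = value
        i += 2 + length
    return fields


def decode_ac(value: bytes) -> Tuple:
    """Decode a single-term access condition: ALW, NEV or <operand><op><byte>."""
    if value == b"\x00":
        return ("ALW",)
    if value == b"\xff":  # NEV encoding assumed
        return ("NEV",)
    if len(value) == 3 and value[0] in AC_OPERANDS and value[1] in AC_OPERATORS:
        return (AC_OPERANDS[value[0]], AC_OPERATORS[value[1]], value[2])
    raise ValueError("unsupported access condition %s" % value.hex())


def format_ac(ac: Tuple) -> str:
    """Render like the tool does, e.g. 'ALW' or 'LcsO<0x07'."""
    return ac[0] if len(ac) == 1 else "%s%s0x%02X" % ac


def ac_satisfied(ac: Tuple, lcso: int) -> bool:
    """Evaluate an access condition against the object's current LcsO."""
    if ac == ("ALW",):
        return True
    if ac == ("NEV",):
        return False
    operand, op, ref = ac
    current = {"LcsO": lcso}[operand]
    return {"<": current < ref, ">": current > ref, "==": current == ref}[op]


def describe(meta: bytes) -> Dict[str, object]:
    """Human-readable view, matching the summary line trustm_metadata prints."""
    fields = parse_metadata(meta)
    lcso = fields[0xC0][0]
    out = {"LcsO": LCS_NAMES.get(lcso, "0x%02X" % lcso)}
    for tag, name in AC_TAGS.items():
        if tag in fields:
            out[name] = format_ac(decode_ac(fields[tag]))
    if 0xE0 in fields:
        out["Algorithm"] = ALGO_NAMES.get(fields[0xE0][0], "0x%02X" % fields[0xE0][0])
    if 0xE1 in fields:
        usage = fields[0xE1][0]
        out["KeyUsage"] = [n for bit, n in KEY_USAGE_BITS.items() if usage & bit]
    return out


def change_allowed(meta: bytes) -> bool:
    """Would a write into this object (key generation or a metadata update)
    pass its Change access condition? Missing 0xD0 is treated as ALW (assumed)."""
    fields = parse_metadata(meta)
    lcso = fields[0xC0][0]
    return ac_satisfied(decode_ac(fields.get(0xD0, b"\x00")), lcso)


if __name__ == "__main__":
    for oid, meta in (("0xE0F3", META_E0F3), ("0xE0F2", META_E0F2)):
        print(oid, describe(meta), "change allowed:", change_allowed(meta))
```

Running it reports 0xE0F3 as termination with Change = LcsO<0x07, so change_allowed() is False: LcsO 0x0F is not below operational, which is why trustm_ecc_keygen gets 0x8007 and why the same Change condition blocks a metadata update on that slot, as the reply above says. 0xE0F2 has the same Change condition but LcsO 0x01, so writes there are still allowed. The decoder deliberately rejects compound access conditions it does not understand rather than guessing.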
yoshi-ohta commented 3 years ago

@ayushev

Thank you for answering. I understand why I can't write.

Please tell me a little more concretely how to recover. Is the evaluation kit something other than the TrustM IC you are using?

Where are the python tools? Is it below? https://github.com/Infineon/python-optiga-trust

yoshi-ohta commented 3 years ago

I am still expecting your response regarding my question.

ayushev commented 3 years ago

Yes, and no: https://github.com/Infineon/python-optiga-trust/tree/feature/trust_m3. I'm still working on it, and currently you can't unlock an object if it's already locked, but it should come very soon. I'll update the status here once this is ready.

If you want to try it out (it's under development, so some parts might be missing or not working):

  1. You can give it a try by cloning the repository above.
  2. cd python-optiga-trust
  3. Make sure you have Python 3.7 or 3.8. You can check it if you type python --version or python3 --version.
  4. If everything is ok, follow the steps described here: python-optiga-trust/docs/build/html/get_started.html. The repository is still not fully online, so you can download it onto your Linux or Windows machine and just open this file.
  5. Follow the other sections of the documentation or write an issue on python-optiga-trust if some PAL isn't clear (some description is still missing, as the code is under development).
yoshi-ohta commented 3 years ago

@ayushev

Thank you for your answer.

I understand that it is being implemented.

Python version in my environment is 3.7.2.

# python3 --version
Python 3.7.2

I tried to proceed according to get_started.html, but I can't build because cmake is not included in the OS of my board. If I can install cmake on my OS, I'll check it.

ayushev commented 3 years ago

Hi @yoshi-ohta, https://github.com/infineon/python-optiga-trust and https://infineon.github.io/python-optiga-trust/. It also works under Linux.

But I have to disappoint you: I had a look into your metadata, and it seems like the key can't be recovered, as the metadata states:

    LcsO:0x0F, C:LcsO<0x07, E:ALW, Algo:ECC256, Key:Auth/Enc/Sign

    Lifecycle State (LcsO): 0x0f - termination
    Change is possible if: LcsO less than 0x07 (operational)
    Algorithm is ECC256
    Key agreement: Authentication + Encryption + Signature generation

yoshi-ohta commented 3 years ago

@ayushev

Thank you for your answer. It's disappointing that it can't be recovered, but I understand that it can't be recovered. If Change Status is ALW, can Lifecycle State recover even with 0x0f?

ayushev commented 3 years ago

@yoshi-ohta

If Change Status is ALW, can Lifecycle State recover even with 0x0f?

Correct.