aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

ATECC608A Trust Platform reading and seamless integration using PKCS11 library in AWS IOT device SDK #1772

Closed vishalSpintly closed 2 years ago

vishalSpintly commented 2 years ago

Hello, we have an IoT device running Linux. Currently, the certificates are stored on the file system, and we use the AWS IOT Core C library to connect and authenticate with the AWS servers.

We are evaluating, on our device, an ATECC608A Trust Platform (see: http://www.microchip.com/ATECC608A) connected over an I2C interface to store the keys. So far, using resources available on the internet, we are able to configure the PKCS11 interface and communicate with the Trust Platform device (https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11-Linux-Setup).

My next area of exploration is how to use the open source PKCS11 infrastructure in conjunction with the AWS IOT Core (C) library to connect and authenticate with the AWS servers seamlessly.

Is this supported? How do I enable the same to function on my Linux board?

Please do guide. Pointers are appreciated.

pvyawaha commented 2 years ago

Hello @vishalSpintly ,

You can refer to the PKCS11 layer for ECC608A here - https://github.com/aws/amazon-freertos/blob/main/libraries/abstractions/pkcs11/ecc608a/core_pkcs11_secure_element.c

And here is my example for key provisioning - https://github.com/aws/amazon-freertos/tree/main/demos/dev_mode_key_provisioning

abhidixi11 commented 2 years ago

Hello @vishalSpintly, does the information above answer your questions?

johnrhen commented 2 years ago

Hello @vishalSpintly,

You might find the mbedtls_pkcs11_posix.h and mbedtls_pkcs11_posix.c files in this repository to be helpful. They contain an implementation for the transport interface using a mutually authenticated TLS connection with MbedTLS for TLS and corePKCS11 for secure credential management. You can view a demonstration of MbedTLS and corePKCS11 working together to connect to IoT Core in the Fleet Provisioning demo. While our example uses the corePKCS11 library, you should be able to modify it to work with your configured PKCS11 infrastructure. Let us know if this information is helpful to you, and feel free to ask more questions.

Thank you, John

vishalSpintly commented 2 years ago

Hello John,

This looks promising. Let me study this and get back to you with further questions.

regards, Vishal

vishalSpintly commented 2 years ago

Hello John,

In our case, having configured the PKCS11 library support in the cryptoauth library from Microchip, we go on to install the library (PKCS11 provider) at "/usr/lib/libcryptoauth.so". The PKCS11 slot to be used to access the private key & certificates onboard the ATECC608A would be, for example, "pkcs11:slot-id=1".

Considering that the AWS corePKCS11 library implements the standard PKCS11 interfaces, is there any place where the AWS IOT Core library can be configured (or added to the makefiles) to use the said provider & slot, in code or in a configuration file? I know IOT Greengrass allows you to do this.

Or, is there a need to replace the corePKCS11 library and associated function calls within AWS IoT Core with the corresponding references into the cryptoauth PKCS11 library - which seems unnecessary & circuitous in my understanding?

Let me know your thoughts. Microchip seems to have already accomplished this integration at their end - based on the buggy resources I have listed in my previous comments.

paulbartell commented 2 years ago

@vishalSpintly: We have had a few requests for a similar feature in the past. The simplest way to accomplish this is to use a combination of cryptoauthlib built as a pkcs11 module and openssl with libp11.

You will first need to decide if you plan on using p11-kit to proxy access to your pkcs11 module. p11-kit allows concurrent access to a pkcs11 module (libcryptoauth.so in your case) and some other common Linux desktop-oriented features. If concurrent access is not necessary, you can use libp11 to access your pkcs11 module (libcryptoauth.so) directly when initializing a tls connection with openssl.

In addition to the documentation you linked to earlier, I would like to call your attention to this page with a bit more openssl-specific info.

When building the aws-iot c-sdk, make sure to use openssl as your tls library. I've staged some changes that add pkcs11 support to openssl_posix.c in a branch on my fork over here. I have not had a chance to test it with an ECC608A or SoftHSM2 yet, but I plan on doing so sometime next week.

Note: The ATECC608 does not implement the TCG TPM API, so using the term TPM to describe it could be a bit confusing. There is an open source project that implements a TPM->pkcs11 shim which could be useful as a reference: tpm2-pkcs11.
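Whichever of the two routes above is taken (p11-kit proxy or libp11 directly), the key is selected by a PKCS#11 URI such as the "pkcs11:slot-id=1" mentioned earlier in this thread. The following is an added example, not code from this repository, from libp11 or from any commenter: a small RFC 7512 PKCS#11 URI parser in C with two checks a gateway would want before handing a URI to the TLS stack, namely that the URI actually names a private key on a pinned slot or token, and that it does not carry the PIN inline (a `pin-value` in a URI stored on disk is a plaintext credential). The function names `pkcs11_uri_parse`, `pkcs11_uri_get`, `pkcs11_uri_is_private_key` and `pkcs11_uri_has_inline_pin` are this example's own; the attribute names are the ones defined by RFC 7512.

```c
/* Added example: minimal RFC 7512 PKCS#11 URI parser plus two policy checks.
 * Not part of aws-iot-device-sdk-embedded-C, libp11 or cryptoauthlib. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ATTRS 8
#define KEY_LEN   32
#define VAL_LEN   64

typedef struct { char key[KEY_LEN]; char val[VAL_LEN]; } attr_t;
typedef struct { attr_t attrs[MAX_ATTRS]; int n; } pkcs11_uri_t;

/* Percent-decode len bytes of src into dst (NUL-terminated, bounded).
 * Returns 0 on success, -1 on a malformed escape or overflow. */
static int pct_decode(const char *src, size_t len, char *dst, size_t dstsz) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (o + 1 >= dstsz) return -1;
        if (src[i] == '%') {
            if (i + 2 >= len || !isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2])) return -1;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Parse "k=v<sep>k=v..." (sep is ';' for path attributes, '&' for query). */
static int parse_attrs(const char *s, size_t len, char sep, pkcs11_uri_t *out) {
    const char *p = s, *stop = s + len;
    while (p < stop) {
        const char *end = memchr(p, sep, (size_t)(stop - p));
        if (!end) end = stop;
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (!eq || eq == p || out->n >= MAX_ATTRS) return -1;
        attr_t *a = &out->attrs[out->n];
        size_t klen = (size_t)(eq - p);
        if (klen >= sizeof a->key) return -1;
        memcpy(a->key, p, klen);
        a->key[klen] = '\0';
        if (pct_decode(eq + 1, (size_t)(end - eq - 1), a->val, sizeof a->val) != 0) return -1;
        out->n++;
        p = (end < stop) ? end + 1 : stop;
    }
    return 0;
}

/* Parse a full "pkcs11:<path>[?<query>]" URI. Returns 0 on success, -1 otherwise. */
int pkcs11_uri_parse(const char *uri, pkcs11_uri_t *out) {
    memset(out, 0, sizeof *out);
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    const char *path = uri + 7;
    const char *q = strchr(path, '?');
    size_t plen = q ? (size_t)(q - path) : strlen(path);
    if (parse_attrs(path, plen, ';', out) != 0) return -1;                 /* path part  */
    if (q && parse_attrs(q + 1, strlen(q + 1), '&', out) != 0) return -1; /* query part */
    return 0;
}

/* Look up a decoded attribute value by name, or NULL if absent. */
const char *pkcs11_uri_get(const pkcs11_uri_t *u, const char *key) {
    for (int i = 0; i < u->n; i++)
        if (strcmp(u->attrs[i].key, key) == 0) return u->attrs[i].val;
    return NULL;
}

/* Policy check: the URI must select a private key object and pin it to a
 * specific slot or token, so a lookup cannot silently match another module. */
int pkcs11_uri_is_private_key(const pkcs11_uri_t *u) {
    const char *type = pkcs11_uri_get(u, "type");
    if (!type || strcmp(type, "private") != 0) return 0;
    return (pkcs11_uri_get(u, "slot-id") != NULL || pkcs11_uri_get(u, "token") != NULL);
}

/* Policy check: flag a PIN embedded in the URI itself (pin-value); the PIN
 * should come from pin-source or be supplied at runtime instead. */
int pkcs11_uri_has_inline_pin(const pkcs11_uri_t *u) {
    return pkcs11_uri_get(u, "pin-value") != NULL;
}

int main(void) {
    /* Constructed sample URI, not taken from any real device. */
    const char *sample = "pkcs11:slot-id=1;object=device%20key;type=private";
    pkcs11_uri_t u;
    if (pkcs11_uri_parse(sample, &u) != 0) { puts("malformed URI"); return 1; }
    printf("slot-id=%s object=\"%s\" private-key=%d inline-pin=%d\n",
           pkcs11_uri_get(&u, "slot-id"), pkcs11_uri_get(&u, "object"),
           pkcs11_uri_is_private_key(&u), pkcs11_uri_has_inline_pin(&u));
    return 0;
}
```

The checks are deliberately strict: a URI with only `object=` and `type=private` is rejected by `pkcs11_uri_is_private_key`, because without `slot-id` or `token` the engine would pick whichever loaded module happens to hold a matching label.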

vishalSpintly commented 2 years ago

@paulbartell

Thanks!!

The functionality being targeted will run on a Linux IOT gateway device (which delicately brokers the message exchange between the AWS cloud and the individual IOT devices). Let me remind you that my objective here is to establish a connection, using an aws iot device sdk based program, with the AWS IOT Core service using secure credentials (private key data) off the ATECC608A. It does not matter how or which library is used to achieve this. I need to establish the connection seamlessly. I am looking for guidance on how this can be achieved in the best way possible. All suggestions to achieve this efficiently are welcome.

Coming to your reply: I believe libp11 should suffice as there is no concurrent access required.

> When building the aws-iot c-sdk, make sure to use openssl as your tls library. I've staged some changes that add pkcs11 support to openssl_posix.c in a branch on my fork over here. I have not had a chance to test it with an ECC608A or SoftHSM2 yet, but I plan on doing so sometime next week.

I will check the above on my end. Hopefully I get the configurations right. Do let me know your test findings. I will be keen to know the results.

> Note: The ATECC608 does not implement the TCG TPM API, so using the term TPM to describe it could be a bit confusing.

Noted and updated.

vishalSpintly commented 2 years ago

> When building the aws-iot c-sdk, make sure to use openssl as your tls library.

I have your repository cloned. Can you tell me where & how I need to specify openssl as the tls library during the build of aws-iot-c-sdk?

abhidixi11 commented 2 years ago

Hello @vishalSpintly, we have instructions in the Readme about the supported OpenSSL version for Linux platforms:
https://github.com/aws/aws-iot-device-sdk-embedded-C#build-dependencies
https://github.com/aws/aws-iot-device-sdk-embedded-C#building-and-running-demos

Thanks.

vishalSpintly commented 2 years ago

@abhidixi11 If your comment is in response to my query "where & how I need to specify openssl as tls library during the build of aws-iot-c-sdk", I have not received the answer yet.

For example, there could be some flag that needs to be set during cmake on the aws-iot-c-sdk build to indicate the preference for openssl over the other options available. If yes, what is that flag?

abhidixi11 commented 2 years ago

@vishalSpintly At this time, this repository has the code which works with OpenSSL for the TLS connection. You can replace the transport interface yourself if you want to make use of any other TLS library.

vishalSpintly commented 2 years ago

@abhidixi11 I am not particular about the TLS library.

My clear intent is to get the aws-iot-c-sdk based connection to the AWS service using the ATECC608A working seamlessly. If this is done using openssl or any other library, there will be no reason to complain as long as it works by using the credentials off the ATECC608A.

I can only try your suggestions at this moment. So, I will give this fork a fresh evaluation with the assumption that no additional configurations are required to specifically use openssl, as was explicitly stated in the post by @paulbartell.

Based on the marketing literature put out, it was my understanding that this functionality is available and should be working out of the box.

paulbartell commented 2 years ago

@vishalSpintly : Regarding the marketing literature: amazon-freertos does indeed support the ATECC608. That implementation is targeted to a bare-metal / FreeRTOS environment and is not particularly well suited for use in a linux environment. It's certainly possible to use that implementation on linux, but it is not consistent with how pkcs11 is typically used in a linux environment.

Re: Selecting a TLS library. It's expected that you may use a different build system to compile the portions of the sdk that are necessary for your application. This involves selecting which libraries and transport implementation are best for your particular application. Openssl is the default option when using the included cmake build files.

paulbartell commented 2 years ago

@vishalSpintly : I've updated the feature branch with some bug fixes and documentation. Please let me know if you have any questions about the setup.

vishalSpintly commented 2 years ago

Hi @paulbartell, I could not check on this as I had to focus on another critical task that came up. I am now back to working on this. My plan is to start afresh, by generating a fresh test setup with the Linux OS and support tools on our development environment first. I will document my steps and post my queries on this thread in my subsequent posts.

Look forward to your support.

paulbartell commented 2 years ago

@vishalSpintly I'm going to close this issue for now. Feel free to reopen it when you have some time to take a look.