helium / gateway-rs

The Helium Gateway
Apache License 2.0

is it possible to use keys from customized ECC chip slot? #281

Closed Sheng2216 closed 2 years ago

Sheng2216 commented 2 years ago

Hi, I was playing with the on-board ECC608 crypto chip, and I am just wondering if I can change the slot in use from 0 to another slot. I tried putting keypair = "ecc://i2c-1:96?slot=4&network=mainnet" in the settings.toml file (so that I can use the key stored in slot 4?), and then I started the helium-gateway service, but I got errors like this (I had the service deployed in a container running in privileged mode): [image]

Then I ran the gateway_mfr test to see the differences. Firstly, I tested slot 0:

$ ./gateway_mfr --device ecc://i2c-1:96?slot=0 test

{
  "result": "pass",
  "tests": {
    "ecdh(0)": {
      "checks": "ok",
      "result": "pass"
    },
    "key_config(0)": {
      "checks": {
        "auth_key": "0",
        "intrusion_disable": "false",
        "key_type": "ecc",
        "lockable": "true",
        "private": "true",
        "pub_info": "true",
        "req_auth": "false",
        "req_random": "false",
        "x509_index": "0"
      },
      "result": "pass"
    },
    "miner_key(0)": {
      "checks": "11MzPhiBX842ayMYS7wqKT1KGZJDQap73CFxztJFRkXXmLHtfBN",
      "result": "pass"
    },
    "sign(0)": {
      "checks": "ok",
      "result": "pass"
    },
    "slot_config(0)": {
      "checks": {
        "ecdh_operation": "true",
        "encrypt_read": "false",
        "external_signatures": "true",
        "internal_signatures": "true",
        "limited_use": "false",
        "secret": "true"
      },
      "result": "pass"
    },
    "zone_locked(config)": {
      "checks": "ok",
      "result": "pass"
    },
    "zone_locked(data)": {
      "checks": "ok",
      "result": "pass"
    }
  }
}

Unsurprisingly, the test failed for slot 4:

$ ./gateway_mfr --device ecc://i2c-1:96?slot=4 test
{
  "result": "fail",
  "tests": {
    "ecdh(4)": {
      "error": "ecc608 error\n\nCaused by:\n    ecc error ExecError",
      "result": "fail"
    },
    "key_config(4)": {
      "checks": {
        "auth_key": "0",
        "intrusion_disable": "false",
        "key_type": "ecc",
        "lockable": "true",
        "private": "true",
        "pub_info": "true",
        "req_auth": "false",
        "req_random": "false",
        "x509_index": "0"
      },
      "result": "pass"
    },
    "miner_key(4)": {
      "error": "ecc608 error\n\nCaused by:\n    ecc error ExecError",
      "result": "fail"
    },
    "sign(4)": {
      "error": "ecc608 error\n\nCaused by:\n    ecc error ExecError",
      "result": "fail"
    },
    "slot_config(4)": {
      "checks": {
        "ecdh_operation": "true",
        "encrypt_read": "false",
        "external_signatures": "true",
        "internal_signatures": "true",
        "limited_use": "false",
        "secret": "true"
      },
      "result": "pass"
    },
    "zone_locked(config)": {
      "checks": "ok",
      "result": "pass"
    },
    "zone_locked(data)": {
      "checks": "ok",
      "result": "pass"
    }
  }
}

I assume it's because there is no key stored in slot 4, so my question is: how do I generate this key and then store it in slot 4? Is it possible to retrieve the key saved in the chip to a file, just like the gateway_key.bin file? And is it possible to change the key saved in a specific slot, or what is the recommended approach for doing so? Any help would be appreciated!

madninja commented 2 years ago

Use gateway-mfr-rs with the provision command to provision slot 4 using the same URL (the network tag is not needed for ECC provisioning).
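An added example, not part of the thread or of the project's code: a small Python triage of the JSON printed by `gateway_mfr test`, which separates the slot 4 pattern above (configuration and lock checks pass, every key operation fails) from a configuration or lock failure. The verdict labels are hypothetical, the sample report is constructed and abridged from the shape shown in the issue, and reading that pattern as "no key in the slot" is a heuristic taken from this thread.

```python
import json
import re

# Constructed sample, abridged from the shape of the slot 4 report in the thread.
EXEC_ERROR = "ecc608 error\n\nCaused by:\n    ecc error ExecError"
SAMPLE = json.dumps({
    "result": "fail",
    "tests": {
        "ecdh(4)": {"error": EXEC_ERROR, "result": "fail"},
        "key_config(4)": {"checks": {"key_type": "ecc"}, "result": "pass"},
        "miner_key(4)": {"error": EXEC_ERROR, "result": "fail"},
        "sign(4)": {"error": EXEC_ERROR, "result": "fail"},
        "slot_config(4)": {"checks": {"secret": "true"}, "result": "pass"},
        "zone_locked(config)": {"checks": "ok", "result": "pass"},
        "zone_locked(data)": {"checks": "ok", "result": "pass"},
    },
})

# Tests that can only pass once a key exists in the slot.
KEY_TESTS = {"ecdh", "miner_key", "sign"}


def classify(report_text):
    """Return (verdict, sorted failed test names) for a `gateway_mfr test` report."""
    tests = json.loads(report_text)["tests"]
    failed = [name for name, body in tests.items() if body.get("result") != "pass"]
    # Strip the "(0)" / "(config)" suffix so names compare across slots.
    bases = {re.sub(r"\(.*\)$", "", name) for name in failed}
    if not failed:
        verdict = "ok"
    elif bases - KEY_TESTS:
        # A configuration or lock check (or an unknown test) failed.
        verdict = "config-or-lock-problem"
    elif bases == KEY_TESTS:
        # Heuristic from the thread: setup passes, every key operation fails.
        verdict = "likely-unprovisioned"
    else:
        verdict = "key-operation-failure"
    return verdict, sorted(failed)


if __name__ == "__main__":
    print(classify(SAMPLE))
```
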