mongoose-os-libs / atca

atcab_kdf returns ATCAB_EXECUTION_ERROR #3

Open phanikarthik opened 4 years ago

phanikarthik commented 4 years ago

Hi, on the 608A I am calling atcab_kdf in this way:

```c
uint8_t data_input_16[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };

uint8_t nonce[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
                    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };

status = atcab_nonce(nonce); // This is success

status = atcab_kdf(
    KDF_MODE_ALG_AES | KDF_MODE_SOURCE_TEMPKEY | KDF_MODE_TARGET_OUTPUT_ENC,
    0x0,
    0,
    data_input_16,
    out_kdf_aes_encrypted,
    nonce);
```

I get the status value as 0xf4 (ATCAB_EXECUTION_ERROR).

Also, the Config zone is locked. Data/OTP zones are not yet locked.

Any pointers on how to resolve this would be of great help.

Thanks, Phani

rojer commented 4 years ago

0xf4 usually means that the state of the device is incorrect, i.e. that something is locked that shouldn't be or vice versa. maybe you need to lock the data zone?

phanikarthik commented 4 years ago

Thank you for your reply!

I see that the test cases for atcab_kdf check if the data zone is locked. But such a prerequisite is not mentioned in the document for the KDF command. So I was not sure whether the DATA ZONE should be locked before executing KDF.

rojer commented 4 years ago

i haven't used the KDF so i don't know either, sorry. just a guess.

phanikarthik commented 4 years ago

Thanks Rojer. Yours were valid inputs. Request to anyone who can confirm the data zone locking prerequisite.

DurandA commented 4 years ago

I did not test HKDF with unlocked zones but made a table for other operations: https://github.com/DurandA/atca-ecdhe/wiki/Configuration-and-data-zones-locking. As you can see, ECDH does not work with unlocked DATA ZONE so this is probably the cause of your issue.

You can also try aead.c to test if KDF works as expected as the code works with locked zone. I am using TEMPKEY, I don't remember if KDF can be used on other slots.

phanikarthik commented 4 years ago

Now even the secureboot command gives the execution error. But the document hasn't mentioned that the Data zone should be locked for secureboot (or KDF).

phanikarthik commented 4 years ago

Thank you all above. Data zone needs to be locked! KDF works now. So provisioning goes like these steps:

1) Write and lock the config zone.
2) Load the unlockable slots (if any) with data as appropriate. Load OTP also with values.
3) Lock Data/OTP zone. (Individual slot locking of data zone not necessary.)
4) If KDF is configured for encrypted output, then make sure to load the IO protection key in the configured slot.
5) Then try KDF.

The thing is the document does not clearly list out point 3 as a prerequisite for such commands to run :(

Haven't tried with secureboot yet. Will update and close this thread.
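
The provisioning order in the last comment can be checked before issuing KDF by inspecting the lock bytes of a configuration-zone dump. The following is an added example, not code from this thread or from the atca library; `kdf_preflight`, its result codes and the sample dump are hypothetical, and the ChipOptions bit layout is an assumption to verify against the ATECC608A datasheet.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Offsets in the 128-byte ATECC608A configuration zone. */
#define CFG_LOCK_VALUE   86  /* Data/OTP zone lock byte, 0x55 = unlocked */
#define CFG_LOCK_CONFIG  87  /* Config zone lock byte,   0x55 = unlocked */
#define CFG_CHIP_OPTIONS 90  /* ChipOptions, 16-bit little-endian */

typedef enum {               /* hypothetical result codes for this example */
    KDF_READY = 0,
    KDF_CONFIG_UNLOCKED,     /* step 1 not done */
    KDF_DATA_UNLOCKED,       /* step 3 not done: the 0xf4 case in this thread */
    KDF_IO_PROT_DISABLED     /* encrypted output wanted, IOProtKeyEnable clear */
} kdf_preflight_t;

/* Check a config-zone dump against the provisioning order in the thread.
 * Assumed ChipOptions layout (verify against the datasheet): bit 1 is
 * IOProtKeyEnable, bits 12-15 name the slot holding the IO protection key.
 * On KDF_READY with encrypted_out set, *io_key_slot receives that slot. */
kdf_preflight_t kdf_preflight(const uint8_t cfg[128], bool encrypted_out,
                              uint8_t *io_key_slot)
{
    uint16_t opts = (uint16_t)(cfg[CFG_CHIP_OPTIONS] |
                               (cfg[CFG_CHIP_OPTIONS + 1] << 8));

    if (cfg[CFG_LOCK_CONFIG] == 0x55) return KDF_CONFIG_UNLOCKED;
    if (cfg[CFG_LOCK_VALUE] == 0x55)  return KDF_DATA_UNLOCKED;
    if (encrypted_out) {
        if (!(opts & 0x0002)) return KDF_IO_PROT_DISABLED;
        if (io_key_slot) *io_key_slot = (uint8_t)(opts >> 12);
    }
    return KDF_READY;
}

/* Constructed dump matching the state reported in the thread:
 * config zone locked, Data/OTP zone still unlocked. */
kdf_preflight_t demo_thread_state(void)
{
    uint8_t cfg[128] = {0};
    cfg[CFG_LOCK_VALUE] = 0x55;       /* Data/OTP not yet locked */
    cfg[CFG_CHIP_OPTIONS] = 0x02;     /* constructed: IO protection enabled */
    cfg[CFG_CHIP_OPTIONS + 1] = 0x60; /* constructed: key in slot 6 */
    return kdf_preflight(cfg, true, NULL);
}

int main(void) { printf("preflight result: %d\n", (int)demo_thread_state()); return 0; }
```

On a real device the 128-byte buffer would come from a configuration-zone read such as cryptoauthlib's `atcab_read_config_zone`.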