refactor: migrate atecc608a_ecdsa example to crypto authlib repository

- ESP32-WROOM-32SE has been discontinued and marked as NRND
- This change removes all references to ESP32-WROOM-32SE from IDF
- The example has been migrated to esp-cryptoauthlib repository and it
  can be used through the component manager
  (https://components.espressif.com/components/espressif/esp-cryptoauthlib)
This commit is contained in:
Mahavir Jain 2023-12-04 12:22:01 +05:30
parent d3afab15bd
commit 01f50ee7f5
No known key found for this signature in database
GPG Key ID: 99324EF4A00734E0
20 changed files with 20 additions and 376 deletions

View File

@ -21,7 +21,7 @@ menu "ESP-TLS"
select ATCA_MBEDTLS_ECDSA_VERIFY
help
Enable use of Secure Element for ESP-TLS, this enables internal support for
ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection.
ATECC608A peripheral, which can be used for TLS connection.
config ESP_TLS_USE_DS_PERIPHERAL
bool "Use Digital Signature (DS) Peripheral with ESP-TLS"

View File

@ -170,7 +170,7 @@ typedef struct esp_tls_cfg {
blocking mode after tls session is established */
bool use_secure_element; /*!< Enable this option to use secure element or
atecc608a chip ( Integrated with ESP32-WROOM-32SE ) */
atecc608a chip */
int timeout_ms; /*!< Network timeout in milliseconds.
Note: If this value is not set, by default the timeout is
@ -303,7 +303,7 @@ typedef struct esp_tls_cfg_server {
uint8_t ecdsa_key_efuse_blk; /*!< The efuse block where ECDSA key is stored */
bool use_secure_element; /*!< Enable this option to use secure element or
atecc608a chip ( Integrated with ESP32-WROOM-32SE ) */
atecc608a chip */
#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)

View File

@ -527,14 +527,14 @@ menu "mbedTLS"
default n
help
This option enables hardware acceleration for ECDSA sign function, only
when using ATECC608A cryptoauth chip (integrated with ESP32-WROOM-32SE)
when using ATECC608A cryptoauth chip.
config MBEDTLS_ATCA_HW_ECDSA_VERIFY
bool "Enable hardware ECDSA verify acceleration when using ATECC608A"
default n
help
This option enables hardware acceleration for ECDSA sign function, only
when using ATECC608A cryptoauth chip (integrated with ESP32-WROOM-32SE)
when using ATECC608A cryptoauth chip.
config MBEDTLS_HAVE_TIME
bool "Enable mbedtls time support"

View File

@ -166,7 +166,7 @@ void esp_transport_ssl_set_common_name(esp_transport_handle_t t, const char *com
/**
* @brief Set the ssl context to use secure element (atecc608a) for client(device) private key and certificate
*
* @note Recommended to be used with ESP32-WROOM-32SE (which has inbuilt ATECC608A a.k.a Secure Element)
* @note Recommended to be used with ESP32 interfaced to ATECC608A based secure element
*
* @param t ssl transport
*/

View File

@ -154,7 +154,6 @@ ESP32_DOCS = ['api-reference/system/himem.rst',
'api-guides/romconsole.rst',
'api-reference/system/ipc.rst',
'security/secure-boot-v1.rst',
'api-reference/peripherals/secure_element.rst',
'api-reference/peripherals/dac.rst',
'api-reference/peripherals/sd_pullup_requirements.rst',
'hw-reference/esp32/**',

View File

@ -73,7 +73,6 @@ api-reference/peripherals/dac.rst
api-reference/peripherals/touch_element.rst
api-reference/peripherals/lcd.rst
api-reference/peripherals/ana_cmpr.rst
api-reference/peripherals/secure_element.rst
api-reference/peripherals/temp_sensor.rst
api-reference/peripherals/sdio_slave.rst
api-reference/peripherals/clk_tree.rst

View File

@ -35,7 +35,6 @@ Peripherals API
spi_flash/index
spi_master
spi_slave
:esp32: secure_element
:SOC_SPI_SUPPORT_SLAVE_HD_VER2: spi_slave_hd
:SOC_TEMP_SENSOR_SUPPORTED: temp_sensor
:SOC_TOUCH_SENSOR_SUPPORTED: touch_pad

View File

@ -1,28 +0,0 @@
ESP32-WROOM-32SE (Secure Element)
=================================
:link_to_translation:`zh_CN:[中文]`
Overview
--------
ESP32-WROOM-32SE integrates Microchip's ATECC608A cryptoauth chip in the module. ATECC608A is a secure element, which would generate and store ECC private key in the hardware. The ECC private key can be used to enhance security to connect to IoT cloud services with the use of X.509-based mutual authentication.
The application example demonstrates ECDSA sign and verify functions using ECC private key stored in ATECC608A.
Application Example
-------------------
Secure Element ECDSA Sign/Verify example: :example:`peripherals/secure_element/atecc608_ecdsa`.
How to Configure and Provision ESP32-WROOM-32SE for TLS
-------------------------------------------------------
To configure and provision ATECC608A chip on ESP32-WROOM-32SE please visit `esp_cryptoauth_utility <https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#esp_cryptoauth_utility>`_.
How to Use ATECC608A of ESP32-WROOM-32SE for TLS
------------------------------------------------
ATECC608A can be used for TLS connections using ESP-TLS.
To configure ESP-TLS for using a secure element, please refer to **ATECC608A (Secure Element) with ESP-TLS** in :doc:`../protocols/esp_tls`.

View File

@ -143,11 +143,11 @@ The following table shows a typical comparison between WolfSSL and MbedTLS when
ATECC608A (Secure Element) with ESP-TLS
--------------------------------------------------
ESP-TLS provides support for using ATECC608A cryptoauth chip with ESP32-WROOM-32SE. The use of ATECC608A is supported only when ESP-TLS is used with MbedTLS as its underlying SSL/TLS stack. ESP-TLS uses MbedTLS as its underlying TLS/SSL stack by default unless changed manually.
ESP-TLS provides support for using ATECC608A cryptoauth chip with ESP32 series of SoC's. The use of ATECC608A is supported only when ESP-TLS is used with MbedTLS as its underlying SSL/TLS stack. ESP-TLS uses MbedTLS as its underlying TLS/SSL stack by default unless changed manually.
.. note::
ATECC608A chip on ESP32-WROOM-32SE must be already configured, for details refer `esp_cryptoauth_utility <https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#esp_cryptoauth_utility>`_.
ATECC608A chip interfaced to ESP32 must be already configured, for details refer `esp_cryptoauth_utility <https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#esp_cryptoauth_utility>`_.
To enable the secure element support, and use it in your project for TLS connection, you have to follow the below steps:

View File

@ -145,7 +145,7 @@ It is possible to set authentication parameters through the :cpp:class:`authenti
* :cpp:member:`password <esp_mqtt_client_config_t::credentials_t::authentication_t::password>`: use a password by setting
* :cpp:member:`certificate <esp_mqtt_client_config_t::credentials_t::authentication_t::certificate>` and :cpp:member:`key <esp_mqtt_client_config_t::credentials_t::authentication_t::key>`: mutual authentication with TLS, and both can be provided in PEM or DER format
* :cpp:member:`use_secure_element <esp_mqtt_client_config_t::credentials_t::authentication_t::use_secure_element>`: use secure element available in ESP32-WROOM-32SE
* :cpp:member:`use_secure_element <esp_mqtt_client_config_t::credentials_t::authentication_t::use_secure_element>`: use secure element (ATECC608A) interfaced to ESP32
* :cpp:member:`ds_data <esp_mqtt_client_config_t::credentials_t::authentication_t::ds_data>`: use Digital Signature Peripheral available in some Espressif devices
Session

View File

@ -3,6 +3,9 @@ Peripherals
:link_to_translation:`zh_CN:[中文]`
Drivers
-------
In order to control the dependence of other components on drivers at a smaller granularity, the original peripheral drivers under the `driver`` component were split into separate components:
- `esp_driver_gptimer` - Driver for general purpose timers
@ -41,3 +44,11 @@ Should be changed to:
archive: libesp_driver_gpio.a
entries:
gpio (noflash)
Secure Element
--------------
ATECC608A secure element interfacing example has been moved to `ESP Cryptoauthlib Repository <https://github.com/espressif/esp-cryptoauthlib/tree/master/examples/atecc608_ecdsa>`_ on GitHub.
This example is also part of the `esp-cryptoauthlib <https://components.espressif.com/component/espressif/esp-cryptoauthlib>`_ in the component manager registry.

View File

@ -35,7 +35,6 @@
spi_flash/index
spi_master
spi_slave
:esp32: secure_element
:SOC_SPI_SUPPORT_SLAVE_HD_VER2: spi_slave_hd
:SOC_TEMP_SENSOR_SUPPORTED: temp_sensor
:SOC_TOUCH_SENSOR_SUPPORTED: touch_pad

View File

@ -1,28 +0,0 @@
ESP32-WROOM-32SE安全元件
=================================
:link_to_translation:`en:[English]`
概述
--------
ESP32-WROOM-32SE 模组集成了 Microchip 的 ATECC608A 加密认证芯片。ATECC608A 安全元件可以在硬件中生成并存储 ECC 私钥。通过使用基于 X.509 的双向认证ECC 私钥可增强设备与物联网云服务连接的安全性。
有关如何使用存储在 ATECC608A 中的 ECC 私钥进行 ECDSA 签名和验证,请参阅以下应用示例。
应用示例
-------------------
请参阅安全元件 ECDSA 签名/验证示例 :example:`peripherals/secure_element/atecc608_ecdsa`
对 ESP32-WROOM-32SE 配置并配网以进行 TLS 连接
-------------------------------------------------------
要在 ESP32-WROOM-32SE 上配置 ATECC608A 芯片,并对其进行配网,请参阅 `esp_cryptoauth_utility <https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#esp_cryptoauth_utility>`_
使用 ESP32-WROOM-32SE 的 ATECC608A 进行 TLS 连接
------------------------------------------------------
通过使用 ESP-TLSATECC608A 可实现 TLS 连接。
要配置 ESP-TLS 以使用安全元件,请参阅 :doc:`../protocols/esp_tls` 中的 **ESP-TLS 中的 ATECC608A安全元件** 一节。

View File

@ -287,12 +287,6 @@ examples/peripherals/sdio/slave:
depends_components:
- esp_driver_sdio
examples/peripherals/secure_element/atecc608_ecdsa:
enable:
- if: IDF_TARGET == "esp32"
temporary: true
reason: the other targets are not tested yet
examples/peripherals/sigma_delta:
disable:
- if: SOC_SDM_SUPPORTED != 1

View File

@ -1,6 +0,0 @@
# The following lines of boilerplate have to be in your project's CMakeLists
# in this exact order for cmake to work correctly
cmake_minimum_required(VERSION 3.16)
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
project(atecc608a_ecdsa)

View File

@ -1,54 +0,0 @@
| Supported Targets | ESP32 |
| ----------------- | ----- |
# ECDSA sign/verify Example with ESP32-WROOM-32SE
## Description
(See the README.md file in the upper level 'examples' directory for more information about examples.)
This example requires [ESP32-WROOM-32SE](https://www.espressif.com/sites/default/files/documentation/esp32-wroom-32se_datasheet_en.pdf) which has Microchip's [ATECC608A](https://www.microchip.com/wwwproducts/en/ATECC608A) (Secure Element) integrated on the module.
The example performs `ECDSA sign/verify` functions on sample data using hardware private key stored in ATECC608A chip. If you want to use bare `ATECC608A` chip (Secure Element) with `ESP32-WROOM-32` module by making external connections, please refer [this](https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#using-atecc608a-with-esp32-wroom-32) for details.
## How to use example
Before project configuration and build, be sure to set the correct chip target using `idf.py set-target <chip_name>`.
### Hardware Required
To get started you will need a `ESP32-WROOM-32SE` development board which integrates Microchips ATECC608A CryptoAuth chip in the module.
* A development board with ESP32-WROOM-32SE SoC or an custom board with the `ATECC608A` IC.
* A USB cable for Power supply and programming
### Configure the project
ATECC608A chip on ESP32-WROOM-32SE should be configured to run the example, for details on configuration of ATECC608A chip, please refer [esp_cryptoauth_utility](https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#esp_cryptoauth_utility)
Open the project configuration menu (`idf.py menuconfig`).
In the `Component config -> esp-cryptoauthlib` menu:
* Use `Choose the type of ATECC608A chip` to set the Crypto IC type [1].
* Use `Enable Hardware ECDSA keys for mbedTLS` Enable Hardware ECDSA.
* Set `Enable ATECC608A sign operations in mbedTLS` to use Hardware ECDSA sign.
* Set `Enable ATECC608A verify operations in mbedTLS` to use Hardware ECDSA verify.
* Set `I2C SDA pin used to communicate with the ATECC608A`.
* Set `I2C SCL pin used to communicate with the ATECC608A`.
[1]: for more details refer [Find ATECC608A chip type](https://github.com/espressif/esp-cryptoauthlib/blob/master/esp_cryptoauth_utility/README.md#find-type-of-atecc608a-chip-connected-to-esp32-wroom32-se).
### Build and Flash
Build the project and flash it to the board, then run the monitor tool to view the serial output:
Run `idf.py -p PORT flash monitor` to build, flash and monitor the project.
(To exit the serial monitor, type ``Ctrl-]``.)
See the [Getting Started Guide](https://docs.espressif.com/projects/esp-idf/en/latest/get-started/index.html) for all the steps to configure and use the ESP-IDF to build projects.
## Troubleshooting
For any technical queries, please open an [issue](https://github.com/espressif/esp-idf/issues) on GitHub. We will get back to you soon.

View File

@ -1,5 +0,0 @@
# Main component CMakeLists.txt
idf_component_register(
SRC_DIRS "."
INCLUDE_DIRS "."
)

View File

@ -1,230 +0,0 @@
/*
* atecc608a_ecdsa example
*
* SPDX-FileCopyrightText: 2006-2016 ARM Limited, All Rights Reserved
*
* SPDX-License-Identifier: Apache-2.0
*
* SPDX-FileContributor: 2015-2023 Espressif Systems (Shanghai) CO LTD
*/
/* This is mbedtls boilerplate for library configuration */
#include "mbedtls/mbedtls_config.h"
/* System Includes*/
#include <stdio.h>
#include "freertos/FreeRTOS.h"
#include "freertos/task.h"
#include "esp_system.h"
#include "spi_flash_mmap.h"
#include "esp_log.h"
/* Cryptoauthlib includes */
#include "cryptoauthlib.h"
#include "mbedtls/atca_mbedtls_wrap.h"
/* mbedTLS includes */
#include "mbedtls/platform.h"
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/pk.h"
static const char *TAG = "atecc_example";
/* globals for mbedtls RNG */
static mbedtls_entropy_context entropy;
static mbedtls_ctr_drbg_context ctr_drbg;
static int configure_mbedtls_rng(void)
{
int ret;
const char * seed = "some random seed string";
mbedtls_ctr_drbg_init(&ctr_drbg);
ESP_LOGI(TAG, "Seeding the random number generator...");
mbedtls_entropy_init(&entropy);
ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *)seed, strlen(seed));
if (ret != 0) {
ESP_LOGI(TAG, " failed ! mbedtls_ctr_drbg_seed returned %d", ret);
} else {
ESP_LOGI(TAG, " ok");
}
return ret;
}
static void close_mbedtls_rng(void)
{
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
}
/* An example hash */
static unsigned char hash[32] = {
0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad
};
static const uint8_t public_key_x509_header[] = {
0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A,
0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04
};
static void print_public_key(uint8_t *pubkey)
{
uint8_t buf[128];
uint8_t * tmp;
size_t buf_len = sizeof(buf);
/* Calculate where the raw data will fit into the buffer */
tmp = buf + sizeof(buf) - ATCA_PUB_KEY_SIZE - sizeof(public_key_x509_header);
/* Copy the header */
memcpy(tmp, public_key_x509_header, sizeof(public_key_x509_header));
/* Copy the key bytes */
memcpy(tmp + sizeof(public_key_x509_header), pubkey, ATCA_PUB_KEY_SIZE);
/* Convert to base 64 */
(void)atcab_base64encode(tmp, ATCA_PUB_KEY_SIZE + sizeof(public_key_x509_header), (char*)buf, &buf_len);
/* Add a null terminator */
buf[buf_len] = '\0';
/* Print out the key */
ESP_LOGI(TAG, "\r\n-----BEGIN PUBLIC KEY-----\r\n%s\r\n-----END PUBLIC KEY-----", buf);
}
static int atca_ecdsa_test(void)
{
mbedtls_pk_context pkey;
int ret;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
size_t olen = 0;
/* ECDSA Sign/Verify */
#ifdef MBEDTLS_ECDSA_SIGN_ALT
/* Convert to an mbedtls key */
ESP_LOGI(TAG, " Using a hardware private key ...");
ret = atca_mbedtls_pk_init(&pkey, 0);
if (ret != 0) {
ESP_LOGI(TAG, " failed ! atca_mbedtls_pk_init returned %02x", ret);
goto exit;
}
ESP_LOGI(TAG, " ok");
#else
ESP_LOGI(TAG, " Generating a software private key ...");
mbedtls_pk_init(&pkey);
ret = mbedtls_pk_setup(&pkey,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECDSA));
if (ret != 0) {
ESP_LOGI(TAG, " failed ! mbedtls_pk_setup returned -0x%04x", -ret);
goto exit;
}
ret = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1,
mbedtls_pk_ec(pkey),
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
ESP_LOGI(TAG, " failed ! mbedtls_ecp_gen_key returned -0x%04x", -ret);
goto exit;
}
ESP_LOGI(TAG, " ok");
#endif
ESP_LOGI(TAG, " Generating ECDSA Signature...");
ret = mbedtls_pk_sign(&pkey, MBEDTLS_MD_SHA256, hash, 0, buf, MBEDTLS_MPI_MAX_SIZE, &olen,
mbedtls_ctr_drbg_random, &ctr_drbg);
if (ret != 0) {
ESP_LOGI(TAG, " failed ! mbedtls_pk_sign returned -0x%04x", -ret);
goto exit;
}
ESP_LOGI(TAG, " ok");
ESP_LOGI(TAG, " Verifying ECDSA Signature...");
ret = mbedtls_pk_verify(&pkey, MBEDTLS_MD_SHA256, hash, 0,
buf, olen);
if (ret != 0) {
ESP_LOGI(TAG, " failed ! mbedtls_pk_verify returned -0x%04x", -ret);
goto exit;
}
ESP_LOGI(TAG, " ok");
exit:
fflush(stdout);
return ret;
}
void app_main(void)
{
int ret = 0;
bool lock;
uint8_t buf[ATCA_ECC_CONFIG_SIZE];
uint8_t pubkey[ATCA_PUB_KEY_SIZE];
/* Initialize the mbedtls library */
ret = configure_mbedtls_rng();
#ifdef CONFIG_ATECC608A_TNG
ESP_LOGI(TAG, " . Initialize the ATECC interface for Trust & GO ...");
cfg_ateccx08a_i2c_default.atcai2c.address = 0x6A;
#elif CONFIG_ATECC608A_TFLEX /* CONFIG_ATECC608A_TNGO */
ESP_LOGI(TAG, " . Initialize the ATECC interface for TrustFlex ...");
cfg_ateccx08a_i2c_default.atcai2c.address = 0x6C;
#elif CONFIG_ATECC608A_TCUSTOM /* CONFIG_ATECC608A_TFLEX */
ESP_LOGI(TAG, " . Initialize the ATECC interface for TrustCustom ...");
/* Default slave address is same as that of TCUSTOM ATECC608A chips */
#endif /* CONFIG_ATECC608A_TCUSTOM */
ret = atcab_init(&cfg_ateccx08a_i2c_default);
if (ret != 0) {
ESP_LOGI(TAG, " failed ! atcab_init returned %02x", ret);
goto exit;
}
ESP_LOGI(TAG, " ok");
lock = 0;
ESP_LOGI(TAG, " Check the data zone lock status...");
ret = atcab_is_locked(LOCK_ZONE_DATA, &lock);
if (ret != 0) {
ESP_LOGI(TAG, " failed\n ! atcab_is_locked returned %02x", ret);
goto exit;
}
if (lock) {
ESP_LOGI(TAG, " ok: locked");
} else {
ESP_LOGE(TAG, "unlocked, please lock(configure) the ATECC608A chip with help of esp_cryptoauth_utility and try again");
goto exit;
}
ESP_LOGI(TAG, " Get the device info (type)...");
ret = atcab_info(buf);
if (ret != 0) {
ESP_LOGI(TAG, " failed\n ! atcab_info returned %02x", ret);
goto exit;
}
ESP_LOGI(TAG, " ok: %02x %02x", buf[2], buf[3]);
ESP_LOGI(TAG, " Get the public key...");
ret = atcab_get_pubkey(0, pubkey);
if (ret != 0) {
ESP_LOGI(TAG, " failed\n ! atcab_get_pubkey returned %02x", ret);
goto exit;
}
ESP_LOGI(TAG, " ok");
print_public_key(pubkey);
/* Perform a Sign/Verify Test */
ret = atca_ecdsa_test();
if (ret != 0) {
ESP_LOGE(TAG, " ECDSA sign/verify failed");
goto exit;
}
exit:
fflush(stdout);
close_mbedtls_rng();
}

View File

@ -1,3 +0,0 @@
## IDF Component Manager Manifest File
dependencies:
espressif/esp-cryptoauthlib: "^3.3.1"

View File

@ -1,3 +0,0 @@
CONFIG_ATCA_MBEDTLS_ECDSA=y
CONFIG_ATCA_MBEDTLS_ECDSA_SIGN=y
CONFIG_ATCA_MBEDTLS_ECDSA_VERIFY=y