Hi,
We want to connect an ATECC608 to a Raspberry Pi Compute Module 4 on our own base board. As the final goal we want to use the ATECC608B via a PKCS11 URI in the mender config like this:

```json
{
  "Security": {
    "AuthPrivateKey": "pkcs11:object=my_key;type=private;pin-value=0000"
  }
}
```
The operating system is a Yocto Linux release, version scarthgap.
I'm currently having problems configuring PKCS11 and OpenSSL correctly. I followed the steps in the cryptoauthlib wiki (PKCS11 TNGTLS · MicrochipTech/cryptoauthlib Wiki · GitHub).
We checked the basic function using the cryptoauth_test tool; `cryptoauth_test sernum -d ecc608 -i i2c 10 -a 0x6A` provides a sensible answer.
I therefore assume that everything is OK and working on the hardware side.
The following was also configured:
- cryptoauthlib.conf and slot config created
- p11-kit proxy configured
- gnutls-bin included in the image
Access with p11tool works:

```
root@pi4-64:~# p11tool --list-tokens
Token 0:
	URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=23C08DD569DAF401;token=MCHP
	Label: MCHP
	Type: Hardware token, Trust module
	Flags: RNG, uPIN uninitialized
	Manufacturer: Microchip Technology Inc
	Model: ATECC608A
	Serial: 23C08DD569DAF401
	Module: /usr/lib/libcryptoauth.so.3

root@pi4-64:~# p11tool --export-pubkey "pkcs11:token=MCHP;object=device;type=private"
warning: --login was not specified and it may be required for this operation.
warning: no --outfile was specified and the public key will be printed on screen.
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyOiCWyN2fQzJjjM9nPM68q4lx5ks
nGc5Pm/ZcoqNp78Sp1jZdhgxDDwtI/vTIloC43h0DzcA/rqt8/FFKaWhnw==
-----END PUBLIC KEY-----
```
Now comes the part where errors occur:

```
root@pi4-64:~# openssl ec -engine pkcs11 -in "pkcs11:token=MCHP;object=device;type=private" -inform engine -pubin -noout -text
Engine "pkcs11" set.
read EC key
*** stack smashing detected ***: terminated
Aborted (core dumped)
```
After some debugging (printf and -DPKCS11_DEBUG_ENABLE=ON) I was able to narrow down the error location:

```
root@pi4-64:~# openssl ec -engine pkcs11 -in "pkcs11:token=MCHP;object=device;type=private" -inform engine -pubin -noout -text
Engine "pkcs11" set.
read EC key
17421:17421:C_Initialize:141:
17421:17421:pkcs11_config_load_objects:1270:Opening Configuration: /var/lib/cryptoauthlib/0.conf
17421:17421:pkcs11_config_load_objects:1315:Load conf file status [0] slot_id [-2147483646]
17421:17421:pkcs11_slot_fill_list:392:Slot Id: 0
17421:17421:C_Initialize:142:CKR_OK(0)
17421:17421:C_GetSlotList:184:
17421:17421:C_GetSlotList:185:CKR_OK(0)
17421:17421:C_GetSlotList:184:
17421:17421:C_GetSlotList:185:CKR_OK(0)
17421:17421:C_GetSlotList:184:
17421:17421:C_GetSlotList:185:CKR_OK(0)
17421:17421:C_GetSlotList:184:
17421:17421:C_GetSlotList:185:CKR_OK(0)
17421:17421:C_GetSlotList:184:
17421:17421:C_GetSlotList:185:CKR_OK(0)
17421:17421:C_GetSlotList:184:
17421:17421:C_GetSlotList:185:CKR_OK(0)
17421:17421:C_GetSlotInfo:193:
17421:17421:C_GetSlotInfo:194:CKR_OK(0)
17421:17421:C_GetTokenInfo:202:
17421:17421:pkcs11_token_get_info:518:Token Info: 2
17421:17421:pkcs11_token_get_info:569:Token Locked
17421:17421:C_GetTokenInfo:203:CKR_OK(0)
17421:17421:C_OpenSession:271:
17421:17421:C_OpenSession:272:CKR_OK(0)
17421:17421:C_FindObjectsInit:434:
17421:17421:CKA_CLASS(0):8:CKO_PUBLIC_KEY(2)
17421:17421:C_FindObjectsInit:435:CKR_OK(0)
17421:17421:C_FindObjects:443:
17421:17421:C_FindObjects:444:CKR_OK(0)
17421:17421:C_GetAttributeValue:412:
17421:17421:CKA_CLASS(0):8:(ffffffff)
17421:17421:C_GetAttributeValue:413:CKR_OK(0)
17421:17421:C_GetAttributeValue:412:
17421:17421:CKA_KEY_TYPE(100):8:FF FF FF FF FF FF FF FF :
17421:17421:C_GetAttributeValue:413:CKR_OK(0)
17421:17421:C_GetAttributeValue:412:
17421:17421:CKA_ID(102):255:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00:
*** stack smashing detected ***: terminated
Aborted (core dumped)
```
The error comes from exactly this line: cryptoauthlib/lib/pkcs11/pkcs11_find.c at main · MicrochipTech/cryptoauthlib · GitHub. This line of code is run through several times; problems only occur with CKA_ID.
As a last attempt, I built the cryptoauthlib with the compiler flag -fno-stack-protector. This gives me the following result (-DPKCS11_DEBUG_ENABLE=OFF):

```
root@pi4-64:~# openssl ec -engine pkcs11 -in "pkcs11:token=MCHP;object=device;type=private" -inform engine -pubin -noout -text
Engine "pkcs11" set.
read EC key
unable to enable public key encoding
200065857F000000:error:030000A3:digital envelope routines:EVP_PKEY_set_params:invalid key:/usr/src/debug/openssl/3.2.2/crypto/evp/p_lib.c:2394:
```
I have the following questions:
- Do you see another configuration problem or could that be the cause of the problems?
- Does anyone have experience with integrating the ATECC608B into mender under scarthgap?
I hope I was able to explain the problem in a reasonably understandable way. If you need further information, please feel free to contact me.
Thanks in advance and best regards
Ruben
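Added example (not the poster's code, and not cryptoauthlib or libp11 code): the size contract of C_GetAttributeValue that a PKCS#11 module and its caller must both honour, so that a 255-byte CKA_ID like the one in the debug output above ends in CKR_BUFFER_TOO_SMALL instead of a write past a fixed-size buffer. The PKCS#11 type subset and the 255-byte object are constructed here so the block compiles without pkcs11.h; `get_attribute` and `fetch_id` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed subset of PKCS#11 types and codes (values as in the standard). */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_ID                     0x102UL
#define CKR_OK                     0x000UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x012UL
#define CKR_BUFFER_TOO_SMALL       0x150UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)

/* Constructed object whose CKA_ID is 255 zero bytes, mirroring the debug line. */
static const unsigned char g_object_id[255];

/* Module side: honour the C_GetAttributeValue size contract. */
CK_RV get_attribute(CK_ATTRIBUTE *attr)
{
    if (attr->type != CKA_ID) {
        attr->ulValueLen = CK_UNAVAILABLE_INFORMATION;
        return CKR_ATTRIBUTE_TYPE_INVALID;
    }
    CK_ULONG len = sizeof g_object_id;
    if (attr->pValue == NULL) {            /* size query: report length only */
        attr->ulValueLen = len;
        return CKR_OK;
    }
    if (attr->ulValueLen < len) {          /* caller's buffer is too small */
        attr->ulValueLen = len;
        return CKR_BUFFER_TOO_SMALL;       /* nothing is written */
    }
    memcpy(attr->pValue, g_object_id, len); /* bounded by the caller's length */
    attr->ulValueLen = len;
    return CKR_OK;
}

/* Caller side: the two-call pattern. Returns the CKA_ID length, 0 on failure.
 * On success *out is a malloc'd copy that the caller must free. */
CK_ULONG fetch_id(unsigned char **out)
{
    CK_ATTRIBUTE a = { CKA_ID, NULL, 0 };
    *out = NULL;
    if (get_attribute(&a) != CKR_OK || a.ulValueLen == CK_UNAVAILABLE_INFORMATION)
        return 0;
    unsigned char *buf = malloc(a.ulValueLen);
    if (buf == NULL) return 0;
    a.pValue = buf;                        /* ulValueLen already holds the size */
    if (get_attribute(&a) != CKR_OK) { free(buf); return 0; }
    *out = buf;
    return a.ulValueLen;
}
```

A module that copies the full attribute regardless of ulValueLen breaks the second check and is exactly what a stack-protector abort on a small caller buffer would surface.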