PKCS11/HSM Support for authentication/authorization and signature verification

We have put significant resource into narrowing the attack surface of our device fleets, including the implementation of HSM type security/crypto modules to manage device secrets and PKI duties.
The mender client is the sole component of our stack unable to leverage these security resources, where, as the highest risk vector for attacking our fleet, the OTA updating service should actually provide features supporting the highest level risk mitigation.
Is there any intention to include HSM support in the client roadmap?

Hi @SuicidalLabRat, we do not have short-term plans to add HSM support on the client.

With that said, it is a feature we are aware and it is a matter of priorities and demand. One can always take a look at speeding up features based on our profession services offerings or if something like this would come as a community contribution that would also (obviously :)) speed it up.

I am curious what type of HMS are you using? Is it something like this,

https://www.microchip.com/wwwproducts/en/ATECC608A

Indeed. That is the exact chip we use. It enables all our mutual authentication, signing and secure boot functionality.
Can you point me at the code currently handling menders auth and signature validation? Assuming its contained/modular enough to be reviewed with relative ease.

A good place to start is probably here,

Just wanted to put my +1 here for this feature. We (like I’m sure many) are moving to using PKCS11 hardware to secure our AWS private keys. Usually, we use the same private key for both AWS and mender. It would be nice once we make this transition to have mender also move to make use of the PCKS11 hardware as well so that we don’t have to maintain two sets of keys (one secured in hw, one on the filesystem for mender). Much like @SuicidalLabRat said, it would be odd if our application is going to be more secure than the mechanism that updates the entire system image.

Thank you for the feedback, it is very valuable to us when planing new development.

Also @drewwestrick, which hardware are you using? Is it the same from Microchip mentioned above?

I have little experience working with HMS, and would be happy if you can share any information how you are using these hardware modules, what software stack to access them and how you incorporate them in your application.

Yes, @mirzak, we are planning on using the ATECC608A as well. To use the device, we will need to integrate the device driver, cryptoauthlib, which makes use of PKCS11 as an interface. It will also make sense to install gnutls on the debug device to test things out. Below are a few relevant yocto layers I plan on using:

The wiki from Microchip also gives some additional information on the device and driver installation. To test the hardware, I’m planning on getting a secure4click module for my SOM1 development kit.

Finally, I do know that AWS Greengrass does have support for PKCS11 URIs. I’m not sure what they are doing under the hood to support PKCS11 but I was going to poke around and see how they are using it to provide public private key authentication for their services. If I continue to make progress on this, I will definitely provide you with updates.

1 Like

Thank you. Highly appreciated.

I’m planning on getting a secure4click module for my SOM1 development kit.

I actually have the secure4click sitting on my desk, but never find the time to try it out.

@drewwestrick Note,that cryptoauthlib recipe isnt building the pkcs11 branch, which didnt exist when Digi published that bb.
Also note, the gnutls build may need to have p11-kit enabled via PACKAGECONFIG to get p11tool built.

SLR-

@SuicidalLabRat, Thanks for the heads up. I honestly haven’t really started any of this work yet. Much like @mirzak, I’m hoping to have some time to put toward this effort soon.