STSAFE-A110 fails to generate shared secret when using STSAFEA_KEY_SLOT_1

FrankT
Associate

Hello,

I am working on an IoT security project, where a TPM like STSAFE-A110 is required for signature verification and data decryption. The latter fails with the mentioned chip and the static (non-ephemeral) private key.

Setup:

X-NUCLEO-SAFEA1 board (with STSAFE-A110 TPM), pairing done

B-U585I-IOT02A MCU board

Windows 10 PC

Tera Term

STM32CubeIDE

I have successfully run the Establish_Secret demo project; it shows ephemeral key usage:


As I need the TPM's private key to survive the power cycle, I replace the ephemeral slot with the static slot 1, also in the StSafeA_GenerateKeyPair call:


The call to StSafeA_EstablishKey then fails with code 17 (STSAFEA_UNSATISFIED_ACCESS_CONDITION):


Why does it fail? The documentation for STSAFE A110 clearly states that this feature is supported for slot 1 (document dm00675324):


Thanks.

1 ACCEPTED SOLUTION

Benjamin BARATTE
ST Employee

Hi @FrankT,

STSAFE_ConfigureKey() only manages which functions can use the key (Sign and/or ECDH) and the permission for key generation.

The encryption mode of a command depends on its configuration.

For ECDH (the EstablishKey function), this configuration depends on the profile of your STSAFE-A.

For evaluation purposes, we have 2 profiles: STSAFA110xxSPL02, for which you will find the configuration of the evaluation sample in chapter 4 of AN5435.

And STSAFA110xxSPL03, for which you will find the configuration in chapter 5 of AN5762.

With STSAFA110xxSPL02, the response of EstablishKey is not encrypted.

With STSAFA110xxSPL03, the response of EstablishKey is encrypted; therefore, you need to have done the pairing before trying to execute this command (please refer to the pairing example of the X-CUBE-SAFEA1 package).

This configuration is part of the STSAFE-A personalization services that come with the STSAFE-A offer. For more details on the personalization, please contact your local ST support.

Thanks,

Best Regards,

Benjamin


3 REPLIES
Benjamin BARATTE
ST Employee

Hi @FrankT,

Thanks for the interest in the STSAFE-A110 solution.

To use the private key 1 for ECDH, you need to configure the slot parameters first, as the default value is signature generation only.

Be aware that this configuration is a one-time operation and manages the mode of operation and the key generation authentication at the same time.

Therefore you need to be sure to define the correct key usage scheme before changing these parameters.

I have added a command example in my mbedtls_example.c, attached.

You can have a look at the STSAFEA_ConfigureKey() command that manages the configuration for you.

In the command comments, you will find the different configuration options.

Thanks,

Best Regards,

Benjamin

FrankT
Associate

Hi Benjamin,

Thanks for your reply.

Configuring the slot has helped. I can now establish the shared secret using key 1 and STSAFEA_ENCRYPTION_NONE, which is OK for a PoC.

If I try to use STSAFEA_ENCRYPTION_RESPONSE, the result code is 50 (STSAFEA_COMMUNICATION_NACK). Could it be because I have configured the slot with auth=STSAFEA_KEY_AUTH_FREE?
