2023-01-31 08:18 AM
Hello,
I am working on an IoT security project, where a TPM like STSAFE-A110 is required for signature verification and data decryption. The latter fails with the mentioned chip and the static (non-ephemeral) private key.
Setup:
X-NUCLEO-SAFEA1 board (with STSAFE-A110 TPM), pairing done
B-U585I-IOT02A MCU board
Windows 10 PC
Tera Term
STM32CubeIDE
I have successfully run the Establish_Secret demo project, it shows ephemeral key usage:
As I need the TPM's private key to survive the power cycle, I replace the ephemeral slot with the static slot 1, also on StSafeA_GenerateKeyPair call:
The call to StSafeA_EstablishKey then fails with code 17 (STSAFEA_UNSATISFIED_ACCESS_CONDITION):
Why does it fail? The documentation for STSAFE A110 clearly states that this feature is supported for slot 1 (document dm00675324):
Thanks.
Solved! Go to Solution.
2023-02-01 08:51 AM
Hi @FrankT ,
The STSAFE_ConfigureKey() will only manage which function can use the key (Sign and/or ECDH) and the permission for the key generation only.
The Encryption mode of a command depends on its configuration
For the ECDH (EstablishKey function), this configuration depends on the profile of your STSAFE-A.
For evaluation purpose, we have 2 profiles : STSAFA110xxSPL02 you will find the configuration of the evaluation sample in the chapter 4 of the AN5435.
And STSAFA110xxSPL03 you will find the configuration in the chapter 5 of the AN5762.
with STSAFA110xxSPL02, the response of the EstablishKey is not encrypted
with STSAFA110xxSPL03, the response of the EstablishKey is encrypted, therefore, you need to have done the pairing before trying to execute this commands (please refer to the pairing example of the X-CUBE-SAFEA1 package)
This configuration is part of the STSAFE-A personalization services that comes with STSAFE-A offer. For more detail on the personalization please contact your local ST support.
Thanks,
Best Regards,
Benjamin
2023-02-01 02:47 AM
Hi @FrankT ,
Thanks for the interest in STSAFE-A110 solution.
To use the private key 1 for ECDH, you need to configure the slot parameters first as the default value is signature generation only.
Be aware that this configuration is a one-time operation and manage the mode of operation and the key generation authentication at the same time.
Therefore you need to be sure to define the correct key usage scheme before changing these parameters.
I have added an command example in my mbedtls_example.c in attachment.
You can have a look at the STSAFEA_ConfigureKey() command that manage the configuration for you.
In the command comments, you will find the different configuration option.
Thanks,
Best Regards,
Benjamin
2023-02-01 07:27 AM
Hi Benjamin,
Thanks for your reply.
Configuring the slot has helped. I can now establish the shared secret using key 1 and STSAFEA_ENCRYPTION_NONE, which is OK for a PoC.
If I try to use STSAFEA_ENCRYPTION_RESPONSE, the result code is 50 (STSAFEA_COMMUNICATION_NACK). Could it be because I have configured the slot with auth=STSAFEA_KEY_AUTH_FREE?
2023-02-01 08:51 AM
Hi @FrankT ,
The STSAFE_ConfigureKey() will only manage which function can use the key (Sign and/or ECDH) and the permission for the key generation only.
The Encryption mode of a command depends on its configuration
For the ECDH (EstablishKey function), this configuration depends on the profile of your STSAFE-A.
For evaluation purpose, we have 2 profiles : STSAFA110xxSPL02 you will find the configuration of the evaluation sample in the chapter 4 of the AN5435.
And STSAFA110xxSPL03 you will find the configuration in the chapter 5 of the AN5762.
with STSAFA110xxSPL02, the response of the EstablishKey is not encrypted
with STSAFA110xxSPL03, the response of the EstablishKey is encrypted, therefore, you need to have done the pairing before trying to execute this commands (please refer to the pairing example of the X-CUBE-SAFEA1 package)
This configuration is part of the STSAFE-A personalization services that comes with STSAFE-A offer. For more detail on the personalization please contact your local ST support.
Thanks,
Best Regards,
Benjamin