ATECC608 Recommendations

FreeOurToes wrote on November 29, 2019:

Hello,

I would like to know if we have any examples or recommendation for using ATECC608A crypto chip within AFR.

Currently my use case is pretty simple. We are doing R&D for some products. We have dozens of nodes capturing and streaming data (all for machine learning). Because we are doing R&D we are not sure how useful most of the data is, so for some of the nodes we just use a local MQTT server without AWS to keep the costs low, as we generate a few GB of data per day. We have some nodes connected via AWS IoT, so we started building some sort of architecture around it. But now we use it mainly to send commands via the shadow to configure nodes, to enable/disable some sensors or change their operation mode, etc. I would like to use the IoT shadow to control all of the nodes, and the ones that are streaming a lot of data I could connect via Greengrass.

Firmware for all the nodes I just compile and upload from my computer manually. Most of the nodes are without encryption and authentication, and for the ones that connect to AWS IoT I add a private key and credentials as in the demo applications. So I compile separate firmware for each of the nodes.
I would like to step out of this process and move it closer towards production. Also, I noticed that hobby stores like Adafruit or SparkFun are selling breakout boards for the ATECC608A, so I thought it could be used as an easy modification for my existing nodes so I don't have to redesign PCBs.
My goal would be to have a single firmware for all the nodes, with each node having its own credentials etc. For example, if it doesn't have credentials loaded, it waits to be provisioned. I could do that initially via serial, and if it finds credentials it runs all the other applications.
I think the ATECC608A could help in my situation for storing credentials. But since it has many other features that can offload work from the micro to the crypto chip, maybe some of those could be utilized too.

So if anyone has any recommendations or guidance on using such a chip I would be very thankful.
I am aware that Microchip has released the "Zero Touch Provisioning kit for AWS IoT Release B" [https://www.microchip.com/developmenttools/ProductDetails/at88ckecc-aws-xstk-b] and the TrustFLEX thing [https://www.microchip.com/design-centers/security-ics/trust-platform/trustflex/trustflex-aws-iot-authentication], but I am not sure how I could reuse any of it in my case.
I am using an ESP32. Sorry for the long message. Thank you for reading and for any help.

abhijit-AWS wrote on December 02, 2019:

Hello FreeOurToes,

Thanks for reaching out. In our latest release, we have added support for the ECC608A with the Windows simulator.
https://docs.aws.amazon.com/freertos/latest/userguide/getting_started_ecc608a.html
Is that something which will be useful for your development?

Thanks!

DanG-AWS wrote on December 02, 2019:

We’ve reworked our key provisioning demonstration code (please see the link below) in support of the production transition that you describe. In the latest version, at start-up, once you have a private key and certificate provisioned on your ATECC608 part, be sure to avoid defining a private key and/or certificate in aws_clientcredential_keys.h. The described configuration will result in the existing key and certificate being used as-is. Of course, a more likely production firmware implementation is to remove vDevModeKeyProvisioning entirely, but hopefully you get the idea.

https://github.com/aws/amazon-freertos/blob/master/demos/dev_mode_key_provisioning/src/aws_dev_mode_key_provisioning.c#L1224

Regarding ESP32 support, we have an early prototype of a combined ESP32 + ATECC608 port in this pull request https://github.com/aws/amazon-freertos/pull/1558. However, I encourage you to wait until that port has been merged into our master branch before spending any time with it.
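
The start-up rule in the reply above (a key and certificate already in the ATECC608 are used as-is when the firmware carries none in aws_clientcredential_keys.h; the device otherwise falls back to provisioning) as an added example. This is not amazon-freertos or Microchip code: secure_element_t is a constructed in-memory stand-in for what the part reports through its PKCS#11 objects, and xDecideStartupAction, vGenerateKeyInSlot and xIngestCertificatePem are hypothetical names. It also carries the single-firmware idea from the question one step further: a node with no credentials waits for a certificate over serial, while the private key is generated inside the part and never imported.

```c
/* Added example, not from amazon-freertos or Microchip. The secure element is
 * a constructed stand-in; on hardware the checks would be PKCS#11 object
 * lookups by label against the ATECC608 port. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SE_CERT_MAX 2048

/* Stand-in for aws_clientcredential_keys.h: a production build for a
 * provisioned ATECC608 leaves both of these empty so nothing is overwritten. */
#ifndef keyCLIENT_CERTIFICATE_PEM
#define keyCLIENT_CERTIFICATE_PEM ""
#endif
#ifndef keyCLIENT_PRIVATE_KEY_PEM
#define keyCLIENT_PRIVATE_KEY_PEM ""
#endif

typedef enum {
    STARTUP_USE_EXISTING,    /* part already holds key + cert, firmware carries none */
    STARTUP_DEV_PROVISION,   /* firmware carries compile-time credentials: dev-mode path */
    STARTUP_WAIT_FOR_SERIAL  /* nothing anywhere: hold in provisioning mode */
} startup_action_t;

typedef struct {
    bool has_private_key;          /* key lives in a locked slot, never exported */
    char certificate[SE_CERT_MAX]; /* device certificate, PEM */
} secure_element_t;

/* Stand-in for generating an ECC key inside a slot: only the public half
 * ever leaves the part (for the CSR), which is the point of using the chip. */
void vGenerateKeyInSlot(secure_element_t *se)
{
    se->has_private_key = true;
}

/* The rule from the reply: compile-time credentials win (dev mode), an
 * already-provisioned part is used as-is, otherwise wait to be provisioned. */
startup_action_t xDecideStartupAction(const secure_element_t *se,
                                      const char *fw_cert_pem,
                                      const char *fw_key_pem)
{
    bool fw_has_creds = (fw_cert_pem[0] != '\0') || (fw_key_pem[0] != '\0');
    bool se_has_creds = se->has_private_key && (se->certificate[0] != '\0');

    if (fw_has_creds) return STARTUP_DEV_PROVISION;
    if (se_has_creds) return STARTUP_USE_EXISTING;
    return STARTUP_WAIT_FOR_SERIAL;
}

/* Accept a PEM certificate delivered one line at a time over serial. Commit it
 * only when the BEGIN/END framing is intact, it fits the slot, and the part
 * already holds a private key (a certificate with no key is useless). Real
 * code would also parse the DER and check its public key matches the slot. */
bool xIngestCertificatePem(secure_element_t *se, const char *const lines[], size_t n)
{
    char buf[SE_CERT_MAX];
    size_t used = 0;
    bool seen_begin = false, seen_end = false;

    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(lines[i]);
        if (!seen_begin) {
            if (strcmp(lines[i], "-----BEGIN CERTIFICATE-----") != 0) return false;
            seen_begin = true;
        }
        if (used + len + 2 > sizeof buf) return false; /* would overflow: refuse */
        memcpy(buf + used, lines[i], len);
        used += len;
        buf[used++] = '\n';
        if (strcmp(lines[i], "-----END CERTIFICATE-----") == 0) { seen_end = true; break; }
    }
    if (!seen_begin || !seen_end || !se->has_private_key) return false;
    buf[used] = '\0';
    memcpy(se->certificate, buf, used + 1);
    return true;
}

int main(void)
{
    /* Constructed serial input: framing is real, the base64 body is a dummy. */
    const char *const serial[] = {
        "-----BEGIN CERTIFICATE-----",
        "MIIBszCCAVmgAwIBAgIUY29uc3RydWN0ZWQtZXhhbXBsZS1ib2R5LW5vdC1yZWFs",
        "-----END CERTIFICATE-----",
    };
    secure_element_t se;
    memset(&se, 0, sizeof se);

    printf("fresh part: action=%d\n", xDecideStartupAction(&se, keyCLIENT_CERTIFICATE_PEM, keyCLIENT_PRIVATE_KEY_PEM));
    vGenerateKeyInSlot(&se);
    printf("cert accepted=%d\n", xIngestCertificatePem(&se, serial, 3));
    printf("provisioned part: action=%d\n", xDecideStartupAction(&se, keyCLIENT_CERTIFICATE_PEM, keyCLIENT_PRIVATE_KEY_PEM));
    return 0;
}
```

With both macros left empty, a provisioned part returns STARTUP_USE_EXISTING on every boot with the same firmware image, which is the single-image, per-device-credentials setup the question asks for; defining either macro flips the decision to the dev-mode path, which is why the reply says to leave them undefined once the ATECC608 holds the key.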

FreeOurToes wrote on December 02, 2019:

Thank you. Now I have a lot of material to read. I will wait for the master branch pull.
Amazing work! Thanks.