WOLFSSL ATMEL ATECC508A

Overview

The wolfSSL embedded SSL/TLS library and wolfCrypt embedded crypto engine have been integrated into the Microchip/Atmel ATECC508A crypto element, adding support for ECC hardware acceleration and protected private key storage on the ATECC508A.

Using wolfSSL, ATECC508A users can benefit from both increased ECC performance and secure key storage, thus hardening their TLS connections.  The wolfCrypt ATECC508A port adds:

  • wolfCrypt support for ECC hardware acceleration using the ATECC508A.  The new defines for this port are WOLFSSL_ATMEL and WOLFSSL_ATECC508A
  • New PK callback for Pre Master Secret

wolfSSL is dual licensed under both the GPLv2 as well as a standard commercial license.  For licensing information, please see the wolfSSL License Page, or contact us directly.

wolfSSL + ATECC508A
August 2016

Where to Download

The wolfSSL/wolfCrypt ATECC508A port can be downloaded from the wolfSSL More Downloads page.

Benchmarks

TLS Establishment Times:

  • Hardware accelerated ATECC508A: 2.342 seconds average
  • Software only: 13.422 seconds average

The TLS connection establishment time is 5.73 times faster with the ATECC508A.

Software only implementation (SAMD21 48Mhz Cortex-M0, Fast Math TFM-ASM):

ECC 256 key generation 3123.000 milliseconds, avg over 5 iterations
EC-DHE key agreement 3117.000 milliseconds, avg over 5 iterations
EC-DSA sign time 1997.000 milliseconds, avg over 5 iterations
EC-DSA verify time 5057.000 milliseconds, avg over 5 iterations

ATECC508A HW accelerated implementation:

ECC 256 key generation 144.400 milliseconds, avg over 5 iterations
EC-DHE key agreement 134.200 milliseconds, avg over 5 iterations
EC-DSA sign time 293.400 milliseconds, avg over 5 iterations
EC-DSA verify time 208.400 milliseconds, avg over 5 iterations

For reference the benchmarks for RNG, AES, MD5, SHA and SHA256 are:

RNG 25 kB took 0.784 seconds, 0.031 MB/s (coming from the ATECC508A)
AES 25 kB took 0.177 seconds, 0.138 MB/s
MD5 25 kB took 0.050 seconds, 0.488 MB/s
SHA 25 kB took 0.141 seconds, 0.173 MB/s
SHA-256 25 kB took 0.352 seconds, 0.069 MB/s

Installation

This package contains the following.  Instructions / README for each is included below as well as in the download package mentioned above.

  1. Atmel Studio client / server TLS examples using PK_CALLBACKS.
  2. Atmel ASF Framework wolfCrypt example using GCC ARM Makefile.

Atmel Studio Client / Server TLS Examples

TLS Demo Project using ATECC508A and WINC1500

The end goal of this project is to show that the "TLS-ECDH-ECDSA-AES128-GCM-SHA256" cipher suite can be fully implemented using the ATECC508A without exposing a private key. This project fullfills the RFC4492 for "ECDH_ECDSA" Transport Layer Security.

Prerequisites for this demo

Software:

  • Atmel Studio 6.2 or
  • Atmel Studio 7

Hardware:

  • Atmel SAMD21 Xplained Pro(2 pcs)
  • Atmel CryptoAuth Xplained Pro extension board(2 pcs)
  • Atmel WINC1500 extension board(2 pcs)

How to Run This Project

  1. The Atmel ATECC508A chips come from the factory un-programmed and need to be provisioned. Atmel provided us code as reference which exists in cryptoauthlib/certs/provision.c. The function isatcatls_device_provision and can be called more than once. If the device is not provisioned it will set it up with default slot settings. If its already provisioned it will skip.
  2. Load the "samd21_winc1500_wolf_tls_ecc508a_server.atsln" using Atmel Studio 7.
  3. Open "tls_demo/tls_common.h", And then edit MAIN_WLAN_SSID and MAIN_WLAN_PSK to access to your WI-FI AP. #define MAIN_WLAN_SSID "AVRGUEST" #define MAIN_WLAN_PSK "MicroController"
  4. Configure your UART port in "config/conf_uart_serial.h". By default its setup to use the UART at PTB10/PTB11 on EXT2/EXT3. The configuration can easily be changed to use the built-in EDBG CDC UART. The default baud rate is 115200. Use terminal software such as CoolTerm or Putty.
  5. Build this project and run.
  6. Once dynamic IP is assigned correctly it will be displayed on the terminal. M2M_WIFI_RESP_CON_STATE_CHANGED: CONNECTED M2M_WIFI_REQ_DHCP_CONF: IP is 192.168.1.241 WINC is connected to ATMEL_409_2G successfully!
  7. Load the "samd21_winc1500_wolf_tls_ecc508a_client.atsln" using Atmel Studio 7.
  8. Open "tls_demo/tls_client.h" and define TLS_SERVER_IP to address that your server was assigned.
  9. Build and run this project.
  10. The TLS client should connect to the TLS server using ECDH-ECDSA.

Example output is included in the README.md included in the download package.

Atmel ASF Framework wolfCrypt Example

This example demonstrates the wolfCrypt test and benchmark applications with the Atmel ATECC508 ECC 256-bit hardware accelerator.

Setup

The Atmel ATECC508A chips come from the factory un-programmed and need to be provisioned. Atmel provided us code as reference which exists in cryptoauthlib/certs/provision.c. The function is atcatls_device_provision and can be called more than once. If the device is not provisioned it will set it up with default slot settings. If its already provisioned it will skip.

The programming interface is SWD. The SAMD21 Xplained Pro board has a built in J-Link programmer.

You can configure your UART port in "config/conf_uart_serial.h" as either the UART at EXT2/EXT3 (PTB11 and PTB10 - default) or the EDBG CDC UART. The default baud rate is 115200. Use terminal software such as CoolTerm or Putty to interface to the console.

Building

The wolfCrypt test example is setup to be built from a terminal using GCC ARM and a Makefile in thewolfcrypt_test/build/gcc directory.

cd wolfcrypt_test/build/gcc
make
MKDIR   common/utils/interrupt/
CC      common/utils/interrupt/interrupt_sam_nvic.o
MKDIR   common2/services/delay/sam0/
CC      common2/services/delay/sam0/systick_counter.o
MKDIR   ../wolfcrypt_test/
CC      ../wolfcrypt_test/main.o
MKDIR   sam0/boards/samd21_xplained_pro/
CC      sam0/boards/samd21_xplained_pro/board_init.o
MKDIR   sam0/drivers/port/
CC      sam0/drivers/port/port.o
MKDIR   sam0/drivers/sercom/i2c/i2c_sam0/
CC      sam0/drivers/sercom/i2c/i2c_sam0/i2c_master.o
CC      sam0/drivers/sercom/sercom.o
CC      sam0/drivers/sercom/sercom_interrupt.o
MKDIR   sam0/drivers/rtc/rtc_sam_d_r/
CC      sam0/drivers/rtc/rtc_sam_d_r/rtc_count.o
CC      sam0/drivers/rtc/rtc_sam_d_r/rtc_count_interrupt.o
CC      sam0/drivers/rtc/rtc_sam_d_r/rtc_calendar.o
MKDIR   sam0/drivers/tcc/
CC      sam0/drivers/tcc/tcc.o
CC      sam0/drivers/tcc/tcc_callback.o
MKDIR   sam0/drivers/sercom/usart/
CC      sam0/drivers/sercom/usart/usart.o
CC      sam0/drivers/sercom/usart/usart_interrupt.o
MKDIR   sam0/drivers/system/clock/clock_samd21_r21_da/
CC      sam0/drivers/system/clock/clock_samd21_r21_da/clock.o
CC      sam0/drivers/system/clock/clock_samd21_r21_da/gclk.o
MKDIR   sam0/drivers/system/interrupt/
CC      sam0/drivers/system/interrupt/system_interrupt.o
MKDIR   sam0/drivers/system/pinmux/
CC      sam0/drivers/system/pinmux/pinmux.o
CC      sam0/drivers/system/system.o
MKDIR   sam0/utils/cmsis/samd21/source/gcc/
CC      sam0/utils/cmsis/samd21/source/gcc/startup_samd21.o
CC      sam0/utils/cmsis/samd21/source/system_samd21.o
MKDIR   sam0/utils/stdio/
CC      sam0/utils/stdio/read.o
CC      sam0/utils/stdio/write.o
MKDIR   sam0/utils/syscalls/gcc/
CC      sam0/utils/syscalls/gcc/syscalls.o
MKDIR   ../wolfssl/wolfcrypt/src/
CC      ../wolfssl/wolfcrypt/src/random.o
CC      ../wolfssl/wolfcrypt/src/logging.o
CC      ../wolfssl/wolfcrypt/src/memory.o
CC      ../wolfssl/wolfcrypt/src/wc_encrypt.o
CC      ../wolfssl/wolfcrypt/src/wc_port.o
CC      ../wolfssl/wolfcrypt/src/error.o
CC      ../wolfssl/wolfcrypt/src/signature.o
CC      ../wolfssl/wolfcrypt/src/hash.o
CC      ../wolfssl/wolfcrypt/src/asn.o
CC      ../wolfssl/wolfcrypt/src/aes.o
CC      ../wolfssl/wolfcrypt/src/dh.o
CC      ../wolfssl/wolfcrypt/src/md5.o
CC      ../wolfssl/wolfcrypt/src/hmac.o
CC      ../wolfssl/wolfcrypt/src/rsa.o
CC      ../wolfssl/wolfcrypt/src/sha.o
CC      ../wolfssl/wolfcrypt/src/sha256.o
CC      ../wolfssl/wolfcrypt/src/sha512.o
CC      ../wolfssl/wolfcrypt/src/curve25519.o
CC      ../wolfssl/wolfcrypt/src/ed25519.o
CC      ../wolfssl/wolfcrypt/src/ecc.o
CC      ../wolfssl/wolfcrypt/src/tfm.o
CC      ../wolfssl/wolfcrypt/src/integer.o
CC      ../wolfssl/wolfcrypt/src/fe_low_mem.o
CC      ../wolfssl/wolfcrypt/src/ge_low_mem.o
MKDIR   ../wolfssl/wolfcrypt/src/port/atmel/
CC      ../wolfssl/wolfcrypt/src/port/atmel/atmel.o
MKDIR   ../wolfssl/wolfcrypt/test/
CC      ../wolfssl/wolfcrypt/test/test.o
MKDIR   ../wolfssl/wolfcrypt/benchmark/
CC      ../wolfssl/wolfcrypt/benchmark/benchmark.o
MKDIR   ../cryptoauthlib/basic/
CC      ../cryptoauthlib/basic/atca_basic.o
CC      ../cryptoauthlib/basic/atca_helpers.o
MKDIR   ../cryptoauthlib/tls/
CC      ../cryptoauthlib/tls/atcatls.o
CC      ../cryptoauthlib/atca_iface.o
CC      ../cryptoauthlib/atca_command.o
CC      ../cryptoauthlib/atca_device.o
CC      ../cryptoauthlib/atca_cfgs.o
MKDIR   ../cryptoauthlib/host/
CC      ../cryptoauthlib/host/atca_host.o
MKDIR   ../cryptoauthlib/hal/
CC      ../cryptoauthlib/hal/atca_hal.o
CC      ../cryptoauthlib/hal/hal_samd21_i2c_asf.o
CC      ../cryptoauthlib/hal/hal_samd21_timer_asf.o
MKDIR   ../cryptoauthlib/certs/
CC      ../cryptoauthlib/certs/cert_def_1_signer.o
CC      ../cryptoauthlib/certs/cert_def_2_device.o
MKDIR   ../cryptoauthlib/crypto/
CC      ../cryptoauthlib/crypto/atca_crypto_sw_sha1.o
CC      ../cryptoauthlib/crypto/atca_crypto_sw_sha2.o
MKDIR   ../cryptoauthlib/crypto/hashes/
CC      ../cryptoauthlib/crypto/hashes/sha1_routines.o
CC      ../cryptoauthlib/crypto/hashes/sha2_routines.o
MKDIR   ../cryptoauthlib/atcacert/
CC      ../cryptoauthlib/atcacert/atcacert_date.o
CC      ../cryptoauthlib/atcacert/atcacert_client.o
CC      ../cryptoauthlib/atcacert/atcacert_def.o
CC      ../cryptoauthlib/atcacert/atcacert_der.o
CC      ../cryptoauthlib/atcacert/atcacert_host_hw.o
CC      ../cryptoauthlib/atcacert/atcacert_host_sw.o
LN      wolfcrypt_flash.elf
SIZE    wolfcrypt_flash.elf
wolfcrypt_flash.elf  :
section               size         addr
.text              0x1b598          0x0
.relocate            0x1b8   0x20000000
.bss                 0x984   0x200001b8
.stack              0x4004   0x20000b3c
.ARM.attributes       0x28          0x0
.comment              0x6e          0x0
.debug_info        0x400cd          0x0
.debug_abbrev       0x5ea8          0x0
.debug_aranges      0x19b0          0x0
.debug_ranges       0x16d0          0x0
.debug_macro       0x227b2          0x0
.debug_line        0x1a9a1          0x0
.debug_str         0x9f0f2          0x0
.debug_frame        0x6670          0x0
Total             0x14ba18

   text    data     bss     dec     hex filename
0x1b598   0x1b8  0x4988  131288   200d8 wolfcrypt_flash.elf
OBJDUMP wolfcrypt_flash.lss
NM      wolfcrypt_flash.sym
OBJCOPY wolfcrypt_flash.hex
OBJCOPY wolfcrypt_flash.bin

Programming

Use the resulting wolfcrypt_flash.bin to program your microcontroller using JTAG.
Using edgb (see included wolfcrypt_test/build/gcc/flash.sh script):

edbg -bpv -t atmel_cm0p -f ./wolfcrypt_flash.bin

Debugging

GDB with pipe (see included wolfcrypt_test/build/gcc/debug.sh script):

arm-none-eabi-gdb wolfcrypt_flash.elf -ex 'target remote | openocd -c "gdb_port pipe;" -f ../../../../utils/openocd/atmel_samd21_xplained_pro.cfg' load

GDB with remote port:

arm-none-eabi-gdb wolfcrypt_flash.elf -ex 'target remote localhost:9993' openocd -c "gdb_port 9993;" -f ../../../../utils/openocd/atmel_samd21_xplained_pro.cfg

Resources