With the Internet of Things booming and taking a more important role in our lives, security will become more and more critical. So far, it has often been an afterthought, with modems & routers frequently shipping with a default username and password. Getting security right is also really hard, as shown by the recent CLKSCREW attack, which leverages DVFS to break ARM TrustZone security and “is not a software bug, nor a hardware bug, it’s a fundamental part of the energy management design”, so most ARM platforms are vulnerable. Optimal security normally combines software and hardware, so having a platform to experiment with different HW security solutions would be useful, and that’s what the Secure96 Mezzanine board for 96Boards aims for.
Secure96 expansion board specifications:
- Security ICs
- Storage – EEPROM
- USB – micro USB port connected to FTDI chip
- Expansion – 4-pin for I2C, 40-pin header to connect to 96Boards
Launched in 2011, the ATSHA204A is used for symmetric authentication, and features a random number generator, a unique 72-bit serial number, an I2C/SWI host interface, 88 bytes used for configuration, 512 bytes used for data, and 64 bytes of OTP storage. It can be used for accessory (battery, cartridge, …) authentication, secure boot, data integrity verification, and session key exchange. Joakim Bech, Tech Lead for Security Working Group at Linaro, has already published some code to leverage that chip. It is currently (& temporarily) posted on his own GitHub, but will be moved to a Linaro repo later on.
The ATECC508A shares many of the features of the first chip, but adds asymmetric key pairs. Sadly, it requires an NDA to get the datasheet and TRM, but it’s supported by the Atmel CryptoAuthLib, so it might be possible to study the code to better understand it. He has not yet done any work on the software for this chip. Note that I previously reported about a demo for secure IoT connectivity using ESP8266 + ATECC508A.
Going forward the rough plans are to:
- Finalize the ATSHA204A implementation
- Create a library for the ATSHA204A implementation
- Offline implementation to mimic device behavior (in a Trusted Application in a TEE)
- Use IC(s) for secure boot on a 96Boards IoT device
- Get the specification and implement support for ATECC508A
- TPM chip – Try it out using IMA in Linux & use it to store SSH credentials
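The symmetric authentication described for the ATSHA204A, combined with the planned offline mimic of the device, can be modelled in software as below. This is an added example, not Joakim Bech's or Linaro's code; the class names, the 32-byte key size and the simplified digest layout are assumptions, and the real chip hashes its own message format.

```python
import hashlib
import hmac
import secrets

SERIAL_LEN = 9      # 72-bit serial number, as listed for the ATSHA204A
KEY_LEN = 32        # assumption: one 32-byte secret per data slot
CHALLENGE_LEN = 32  # assumption: challenge sized to match a SHA-256 block half


def response_for(key: bytes, challenge: bytes, serial: bytes) -> bytes:
    """Simplified model digest: SHA-256(key || challenge || serial)."""
    if (len(key), len(challenge), len(serial)) != (KEY_LEN, CHALLENGE_LEN, SERIAL_LEN):
        raise ValueError("unexpected field length")
    return hashlib.sha256(key + challenge + serial).digest()


class SoftDevice:
    """Offline stand-in for the chip: holds the secret, only returns digests."""

    def __init__(self, key: bytes, serial: bytes):
        self._key = key        # never exposed to the caller
        self.serial = serial   # public, like the chip's serial number

    def mac(self, challenge: bytes) -> bytes:
        return response_for(self._key, challenge, self.serial)


class Host:
    """Verifier that shares the key and issues single-use random challenges."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, serial: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False                      # unknown or replayed challenge
        self._pending.discard(challenge)      # each challenge is valid once
        expected = response_for(self._key, challenge, serial)
        return hmac.compare_digest(expected, response)  # constant-time compare
```

Binding the serial number into the digest means a response captured from one accessory does not verify for another, and discarding each challenge after use rejects replayed responses.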
You may want to flick through the Linaro Connect presentation slides for more details.
The video has also been uploaded, but the audio is not that clear.
Since there’s still quite a lot more work to do, Secure96 mezzanine is not for sale yet. [Update: You can purchase the board on Amazon for $31.99]. Visit 96Boards Mezzanine products page for details.