Secure96 is a 96Boards Mezzanine Expansion Board To Experiment with Hardware Based Security

With the Internet of things booming and taking a more important role in our lives, security will become more and more critical. So far, it has often been an afterthought with modems & routers frequently shipping with default username and password, and getting security right is really hard, as shown by the recent CLKSCREW attack that somehow leverages DVFS to break ARM TrustZone security, and that “is not a software bug, nor a hardware bug, it’s a fundamental part of the energy management design”, so most ARM platforms are vulnerable. Optimal security normally combines software and hardware, so having a platform to experiment with different HW security solutions would be useful, and that’s what Secure96 Mezzanine board for 96Boards aims for.

Secure96 expansion board specifications:

  • Security ICs
    • Microchip Atmel ATSHA204A SHA-based CryptoAuthentication crypto element device
    • Microchip Atmel ATECC508A crypto device with ECDH (Elliptic Curve Diffie–Hellman) key agreement
    • Infineon SLB 9670 TPM 1.2/2.0
  • Storage – EEPROM
  • USB – micro USB port connected to FTDI chip
  • Expansion – 4-pin for I2C, 40-pin header to connect to 96Boards

Launched in 2011, ATSHA204A is used for symmetric authentication with a random number generator, a unique 72-bit serial number, I2C/SWI host interface, 88 bytes used for configuration, 512 bytes used for data, and 64 bytes of OTP storage. It can be used for accessory (battery, cartridge, …)  authentication, secure boot, data integrity verification, and session key exchange. Joakim Bech, Tech Lead for Security Working Group at Linaro, has already published some code to leverage that chip, currently (& temporarily) posted on his own Github, but will be moved to Linaro repo later on.

Click to Enlarge

ATECC508A shares many of the feature of the first chip, but adds asymmetric key pairs. Sadly it requires an NDA to get the datasheet and TRM, It’s supported by the Atmel CryptoAuthLib, so it might be possible to study the code to better understand it. He has not done work on the software part yet for this part. Note that I previously reported about a demo for secure IoT connectivity using ESP8266 + ATECC508A.

Infineon SLB9670 TPM has just been tested with Intel TSS TPM 2.0 resource manager, and the tpm2.0 tools, but again, no software has been implemented for this chip on Secure96 board yet.

Going forward the rough plans are to:

  • Finalize the ATSHA204A implementation
  • Create a library for the ATSHA204A implementation
  • Offline implementation to mimic device behavior (in a Trusted Application in a TEE)
  • Use IC(s) for secure boot on a 96Boards IoT device
  • Get the specification and implement support for ATECC508A
  • TPM chip – Try it out using IMA in Linux & use it to store SSH credentials

You may want to flick through the Linaro Connect presentation slides for more details.

The video has also been uploaded, but the audio is not that clear. Since there’s still quite a lot more work to do, Secure96 mezzanine is not for sale yet. [Update: You can purchase the board on Amazon for $31.99]. Visit 96Boards Mezzanine products page for details.

12 Replies to “Secure96 is a 96Boards Mezzanine Expansion Board To Experiment with Hardware Based Security”

  1. If the TPM is compliant with the TCG version 2.0 specification, then I think the link in this article is incorrect.

    I think the correct link should be for the Infineon SLB 9670 VQ2.0 FW7.40 SKU instead:

    Please let us know as soon as we can place our orders. This should be a very popular board to enable security development.

  2. @cnxsoft

    I think there are differences in the chip for each listed SKU on the Infineon product pages. The FW version is obviously important, but each SKU is a different chip independent from FW version.

    The SLB 9670 VQ2.0 is a different chip from SLB 9670 XQ2.0 and both of those chips are different from the SLB 9670 VQ1.2 chip.

    I think we need someone to confirm the exact SKU that is used for the board before we start to order them.

    Also, the link in the slides from the conference is also incorrect.

    Please note that I think it would very useful for a separate version of the board to offer an alternative TPM 2.0 chip using the ST Microelectronics ST33TPHF20SPI for development and testing. Please let us know if you can help us get the TPM 2.0 devices available for us to order soon with the Infineon SKU and also the ST Microelectronics SKU. Thanks!

  3. @cnxsoft
    How do we order the Secure96 board?

    Will there be another version of the Secure96 board with the ST Microelectronics ST33TPHF20SPI device?

    Thank you for providing updates here.

    1. I see it there now and I have ordered some to kick off. Is the Dragonboard 410c a good choice to use with the Secure96 board?

  4. @john
    You may check on IRC channel or 96Boards OpenHours.
    The board looks to be made for 96Board IoT Edition, but it should work on 96Boards CE boards too.
    What matters is the current software support.

Leave a Reply

Your email address will not be published. Required fields are marked *