Optiga Trust X Integration Manual V1.2
User Manual:
Open the PDF directly: View PDF .
Page Count: 47
Download | |
Open PDF In Browser | View PDF |
OPTIGA Trust X Integration Manual About this document Scope and purpose The scope of this document is to help users get started with OPTIGA Trust X and Infineon’s OPTIGA™Trust X Host Library. OPTIGA™Trust X Host Library has been designed with flexibility and portability in mind reducing design efforts and abstracting complexity. Some of its key characteristis are: • Portable: Host controller architecture agnostic • Ease of Use: Well defined set of APIs that take away complexity, but still enable all powerful features that OPTIGA™Trust X provides. • External Services Tool Box: provides plug-in services such TLS, MQTT, Json. These services can be added as needed. • x.509 certificate support: Through its External Services Tool Box, OPTIGA™Trust X Lib provides support for X.509 certificate handling without adding any extra computing burden on the host such as compressing or de-compressing certificates before they are used. OPTIGA™Trust X Host Library is the base of any application that will incorporate OPTIGA™Trust X. It is written in C so it can be used with a broad set of system architectures such as ARM, Linux or bare metal. This application note discusses how to get started, how to incorporate and use OPTIGA™Trust X Software Library alongside a Host controller. Some examples will also be provided to better illustrate the ease of integration with the Host. Other use cases for OPTIGA™Trust X such as Secure Boot or Firmware Upgrade will be provided as independent application notes. Intended audience This document addresses the audience: customers, solution providers, and system integrators. Application Note www.infineon.com Please read the Important Notice and Warnings at the end of this document<2018-07-03> OPTIGA Trust X Integration Manual Table of contents About this document ......................................................................................................................... 1 Table of contents .............................................................................................................................. 2 Figures 3 1 1.1 Introduction.................................................................................................................... 5 Device Features ........................................................................................................................................ 5 2 OPTIGA TrustX Software Library ....................................................................................... 6 3 3.1 3.2 3.3 3.3.1 Connecting to Host .......................................................................................................... 8 OPTIGA™ Trust X Host Software Architecture ......................................................................................... 8 Release Package Folder Structure .......................................................................................................... 8 Host Software Folder Structure............................................................................................................... 9 Host Software Source Folder Structure ............................................................................................. 9 4 Prerequisites.................................................................................................................. 11 5 5.1 5.2 5.3 5.4 5.5 Getting Development Environment Ready ........................................................................ 13 Installing Dave™ 4................................................................................................................................... 13 Installing Device Library and Dave™ Apps ............................................................................................ 13 Importing to Host Project into Workspace ........................................................................................... 14 Host Project File Structure..................................................................................................................... 15 Testing Host Application........................................................................................................................ 15 6 6.1 6.2 Integrating OPTIGA Trust X Host Library into Host Project ................................................. 18 Including Necessary PAL Directories ..................................................................................................... 18 Adding Necessary Header Files to Workspace Path ............................................................................. 20 7 7.1 7.2 7.3 7.4 Configuring Platform Specific Modules Required by OPTIGA Trust X Host Library................. 22 Scheduler Timer ..................................................................................................................................... 22 Tick Timer ............................................................................................................................................... 24 I2C Master Module .................................................................................................................................. 27 IO for OPTIGA™ Trust Reset Control ...................................................................................................... 29 8 8.1 8.2 8.2.1 8.2.2 8.2.3 8.2.4 8.2.5 8.2.6 8.2.7 8.2.8 8.2.9 8.3 8.3.1 8.3.2 8.3.3 8.3.4 8.3.5 Working with OPTIGA™Trust X from the Application Layer ................................................. 31 Initializing OPTIGA™Trust X using the Host Library .............................................................................. 31 OPTIGA™Trust X Host Library Crypt API Layer ...................................................................................... 32 optiga_crypt_random....................................................................................................................... 32 optiga_crypt_hash_start .................................................................................................................. 32 optiga_crypt_hash_update .............................................................................................................. 33 optiga_crypt_hash_finalize .............................................................................................................. 33 optiga_crypt_ecc_generate_keypair ............................................................................................... 33 optiga_crypt_ecdsa_sign ................................................................................................................. 33 optiga_crypt_ecdsa_verify ............................................................................................................... 33 optiga_crypt_ecdh ............................................................................................................................ 33 optiga_crypt_tls_prf_sha256 ........................................................................................................... 33 Using OPTIGA™Trust X Host Library Crypt API Layer to interact with Application ............................. 33 Configuring Application cmd_iface.c for Optiga Trust Library ....................................................... 35 optx_get_rng ..................................................................................................................................... 35 optx_get_sha256............................................................................................................................... 36 optx_genKey_pair ............................................................................................................................. 37 optx_sign_hash ................................................................................................................................. 38 Application Note 2 <2018-07-03> OPTIGA Trust X Integration Manual 8.3.6 8.3.7 8.3.8 8.3.9 optx_verify_sig .................................................................................................................................. 39 optx_sign_verify_sig ......................................................................................................................... 40 optx_echd .......................................................................................................................................... 41 optx_read_ifx_cert ............................................................................................................................ 44 Revision history ............................................................................................................................... 46 Figures Figure 1 System Block Diagram ........................................................................................................................ 6 Figure 2 OPTIGA™ Trust X Host Software Architecture .................................................................................... 8 Figure 3 Release Package Folder Structure ...................................................................................................... 8 Figure 4 Host Software Folder Structure .......................................................................................................... 9 Figure 5 Host Source Folder Structure ........................................................................................................... 10 Figure 6 XMC and OPTIGA™ 2Go™ series boards ........................................................................................... 11 Figure 7 8-PIN Male and Female Headers ...................................................................................................... 11 Figure 8 Installing Device Library and Dave™ APP ........................................................................................ 13 Figure 9 Installing DAVE Project Library Manage .......................................................................................... 14 Figure 10 Importing xmc2go-TrustX project to Dave™4 .................................................................................. 14 Figure 11 Host Project File Structure ................................................................................................................ 15 Figure 12 OPTIGA™2Go Shield Connected to XMC2Go .................................................................................... 15 Figure 13 Debug Configuration ......................................................................................................................... 16 Figure 14 Initializing Debug Session ................................................................................................................. 16 Figure 15 Running Host Application ................................................................................................................. 17 Figure 16 OPTIGA™Trust X Host Library............................................................................................................ 18 Figure 17 Excluding a Directory from Build ...................................................................................................... 18 Figure 18 Selecting XMC1100 PAL ..................................................................................................................... 19 Figure 19 Excluding other PAL’s from Build Process ....................................................................................... 20 Figure 20 Adding a New Directory to the Build Process................................................................................... 20 Figure 21 Adding OPTIGA™Trust X Header Files to the Path ........................................................................... 21 Figure 23 Preparing Host Platform Specific Hardware .................................................................................... 22 Figure 24 Scheduler Timer Module ................................................................................................................... 23 Figure 25 Scheduler Timer Interrupt ................................................................................................................ 23 Figure 26 HW Signal Connections for Scheduler Timer ................................................................................... 24 Figure 27 Tick Timer Under Existing APP Instance ............................................................................................... 25 Figure 28 Tick Timer Module ............................................................................................................................. 25 Figure 29 Tick Timer Interrupt .......................................................................................................................... 26 Figure 30 HW Signal Connections for Tick Timer ............................................................................................. 26 Figure 31 I2C Master Module .............................................................................................................................. 27 Figure 32 Opening Pin Mapping Perspective ................................................................................................... 28 Figure 33 Pin Mapping Perspective................................................................................................................... 29 Figure 35 Adding OPTIGA™ Trust X Reset Control ............................................................................................ 30 Figure 36 Successful Integration of OPTIGA™Trust X Host Library into Host Project .................................... 30 Figure 37 Successful Initialization of OPTIGA™Trust X Host Library ............................................................... 32 Figure 38 xmc2Go-TrustX Application Layer ................................................................................................... 34 Figure 39 Execution of optx_get_rng by xmc2Go application. ........................................................................ 36 Figure 40 Execution of optx_get_sha256 by xmc2Go application. ................................................................. 37 Figure 41 Execution of optx_genKey_pair by xmc2Go application. ............................................................... 38 Figure 42 Execution of optx_sign_hash by xmc2Go application..................................................................... 38 Application Note 3 <2018-07-03> OPTIGA Trust X Integration Manual Figure 43 Execution of optx_verify_sig by xmc2Go application...................................................................... 39 Figure 44 Execution of optx_verify_sig by xmc2Go application. ......................................................................... 41 Figure 45 Execution of optx_sign_hash by xmc2Go application..................................................................... 44 Figure 47 Execution of optx_read_ifx_cert by xmc2Go application ............................................................... 45 Application Note 4 <2018-07-03> OPTIGA Trust X Integration Manual 1 Introduction As embedded systems (e.g. IoT devices) are increasingly gaining the attention of attackers, Infineon offers the OPTIGA™ Trust X as a turnkey security solution for industrial automation systems, smart homes, consumer devices and medical devices. This high-end security controller comes with full system integration support for easy and cost-effective deployment of high-end security for your assets. 1.1 Device Features Device Features The OPTIGA™ Trust X comes with up to 10kB user memory that can be used to store X.509 certificates. OPTIGA™ Trust X is based on Common Criteria Certified EAL6+ (high) hardware enabling it to prevent physical attacks on the device itself and providing high assurance that the keys or arbitrary data stored cannot be accessed by an unauthorized entity. OPTIGA™ Trust X supports a high speed I2C communication interface of up to 1MHz (FM+). For further reference and electrical characteristics refer to OPTIGA™Trust X Datasheet. Application Note 5 <2018-07-03> OPTIGA Trust X Integration Manual 2 OPTIGA TrustX Software Library OPTIGA™ Trust X Host Library is a structured library which purpose is to abstract any complexity to the application by using APIs. Figure 1 depicts the system block diagram for OPTIGA™ Trust X Figure 1 System Block Diagram The System Block Diagram is explained below for each layer. 1. Local Host • • • Local Host Application – This is the target application which utilizes OPTIGA™ Trust X for its security needs OPTIGA™ Trust X Host Library o Crypt – Provides APIs to perform cryptographic functionalities. Any TLS stack can be integrated to offload crypto operations to OPTIGA™ Trust X. o Util – Provides APIs such as read/write and open/close applications (e.g. Hibernate) o Cmd – Provides APIs to send and receive commands to and from OPTIGA™ Trust X. Crypto Lib Wrapper – Provides wrapper APIs for Third Party crypto library o Comms – Provides wrapper APIs for communication with OPTIGA™ Trust X which internally uses Infineon I2C Protocol (IFX I2C) PAL – A layer that abstracts platform specific drivers (e.g. i2c, timer, gpio, sockets, 3rd party crypto library etc.) 2. OPTIGA™ Trust X • • • Arbitrary Data Objects – The target application can store up to 4.5kB (~4600 bytes) of data into OPTIGA™ Trust X X.509 – up to 3, X.509 based Certificates can be stored into OPTIGA™ Trust X Keys – up to 3, ECC based keys can be stored into OPTIGA™ Trust X Application Note 6 <2018-07-03> OPTIGA Trust X Integration Manual • • Trust Anchors for Mutual Authentication (TLS/DTLS) and Firmware Updates can be stored into OPTIGA™ Trust X Crypto Functions - OPTIGA™ Trust X provides cryptographic functions that can be invoked via local host Note: Application Note Unique ECC private keys and X.509 Certificates – During production at the Infineon fab, unique asymmetric keys (private and public) are generated. The public key is signed by customer specific CA and resulting X.509 certificate issued is securely stored on OPTIGA™ Trust X. Special measures are taken to prevent leakage and modification of the private key at the Common Criteria Certified production site 7 <2018-07-03> OPTIGA Trust X Integration Manual 3 Connecting to Host 3.1 OPTIGA™ Trust X Host Software Architecture In Figure 1 the System Block Diagram was explained which covered the OPTIGA™ Trust X Host Library layers. In following sections, we will cover how to communicate with OPTIGA™ Trust X using I2C. Figure 2 3.2 OPTIGA™ Trust X Host Software Architecture Release Package Folder Structure Figure 3 shows the release package structure when OPTIGA™ Trust X Host Library is installed/extracted on PC. Figure 3 Application Note Release Package Folder Structure 8 <2018-07-03> OPTIGA Trust X Integration Manual 1. is the root directory to which the release contents are installed or extracted. The content of each subdirectory under installed directory is explained below. Certificates: This directory contains OPTIGA™ Trust X Test and Productive Trust-Anchor/CA certificates. Documents: This directory contains all common OPTIGA™ Trust X documentation. Binaries: This directory contains binaries for OPTIGA™ Trust X Host Software. Source: This directory contains source files, header files for OPTIGA™ Trust X Host Software. 2. 3. 4. 5. 3.3 Host Software Folder Structure Figure 4 shows the Host Software folder structure when OPTIGA™ Trust X is installed or extracted on PC. Figure 4 Host Software Folder Structure 1. Examples 2. 3. 4. 5. This directory contains the examples code for demonstration of crypt and util APIs. Externals This directory contains the external source code e.g. mbedTLS Optiga This directory contains OPTIGA™ Trust X host library source code which is platform agnostic. Pal This directory contains Platform Abstraction Layer source code which needs to be ported, depending on the platform e.g. XMC1100 etc. Projects This directory contains project files for build/compilation e.g. XMC1100 based on Dave. 3.3.1 Host Software Source Folder Structure Figure 5 elaborates the Host Software source folder structure. Application Note 9 <2018-07-03> OPTIGA Trust X Integration Manual Figure 5 Host Source Folder Structure 1. cmd – This folder contains sources for all OPTIGA™ Trust X commands 2. common – This folder contains the common functions used across all the modules 3. comms – This folder contains the driver to communicate with OPTIGA™ Trust X 4. crypt – This folder contains sources for cryptographic functions 5. include – This folder contains header files for all OPTIGA™ Trust X Host Software 6. util – This folder contains utility functions e.g. read/write and open/close application Application Note 10 <2018-07-03> OPTIGA Trust X Integration Manual 4 Prerequisites These are the prerequisites for successfully completing this training • • System Requirements o Windows 7/8/10 o 4GB of RAM or above Hardware Requirements, shown in Figure 6 and Figure 7 o XMC2Go™ o OPTIGA2Go™ o 2x 8-PIN Male Headers o 2x 8-PIN Female Headers o Micro USB Cable Figure 6 XMC and OPTIGA™ 2Go™ series boards Figure 7 8-PIN Male and Female Headers Application Note 11 <2018-07-03> OPTIGA Trust X Integration Manual • Software Requirements o OPTIGA™ Trust X Host Library available at https://github.com/Infineon/optiga-trust-x Note: The version of OPTIGA™ Trust X Host Library used in this application note is: commit f257697135ab8e9e17a381a7441cc6d247b89a14 o o Application Note Dave™ 4.4.2 Putty or any other Terminal Interface. You can obtain Putty from the link below. https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html 12 <2018-07-03> OPTIGA Trust X Integration Manual 5 Getting Development Environment Ready 5.1 Installing Dave™ 4 If you have not downloaded Dave™4, please proceed to download https://infineoncommunity.com/dave-download_ID645 Once you have Downloaded Dave ™, extract it to a folder of your choosing. As a recommendation we suggest creating a new folder and name it DAVE4 in C: directory. 5.2 • Installing Device Library and Dave™ Apps Installing Toolchain o Figure 8 From the top menu (under Help), select “Install DAVE APP/Example/DeviceLibrary” as shown in Fig 8. Installing Device Library and Dave™ APP o From the drop-down menu select “DAVE Project Library Manager” o Select the libraries that are needed for your board Application Note 13 <2018-07-03> OPTIGA Trust X Integration Manual Figure 9 Installing DAVE Project Library Manage o Repeat the process and from the drop-down menu select “DAVE APPs Library Manager” o Install DAVE APPs Library Manager if needed. 5.3 Importing to Host Project into Workspace We will now import our Host project template. This project will be used as base for integrating OPTIGA Trust X Host Library. • Open Dave™ 4 o Go to File -> Import o Select Infineon -> DAVE Project o Select Archive File o Browse to “xmc-2Go-template”. This Folder in inside your “Optiga Trust X Technical Training” training package o Select “xmc2go-TrustX.zip” as the project to import into our workspace, as shown in Figure 10. o Finish Figure 10 Application Note Importing xmc2go-TrustX project to Dave™4 14 <2018-07-03> OPTIGA Trust X Integration Manual 5.4 Host Project File Structure The Host project file structure is as follows. Figure 11: Figure 11 Host Project File Structure • Command Interface: Here we specify the commands that we will use to interact between the terminal window in the PC and OPTIGA™ Trust X. • Serial Interface for Terminal: This is where we manage the serial communication as well as the input and output of characters 5.5 Testing Host Application To test our Host Application, proceed with the following steps: • Assemble the OPTIGA™ 2Go Shield on top of the XMC2Go board, like showing in Figure 12. Figure 12 OPTIGA™2Go Shield Connected to XMC2Go • Connect the micro USB cable to the PC and the 2Go Board Stack up. • Open “Windows Device Manager” to see which COM port was assigned. It should appear as JLink CDC UART port. • Open Putty or any COM Terminal Interface. • The terminal settings are the following o o o o Application Note Desired speed (baud): 57600 Data bits: 8 Stop bit: 1 Stop Bit Parity selection: No Parity 15 <2018-07-03> OPTIGA Trust X Integration Manual • • Proceed to build Host Application o Project -> Build all or Ctrl + B To flash the board, we will open a Debug session o Open Debug Configurations as shown in Figure 13. Figure 13 Debug Configuration o Select, GDB SEGGER J-Link Debugging o Press Debug to initialize debug session as shown in Figure 14. Figure 14 Initializing Debug Session o Press F8 or Run to start code execution If everything works fine the output of the Terminal Window should display our command options, as shown in Figure 15. Note: Application Note We can type a command now, but nothing will happen. We need to incorporate the OPTIGA Trust X Host Library to our Host Project. 16 <2018-07-03> OPTIGA Trust X Integration Manual Figure 15 Application Note Running Host Application 17 <2018-07-03> OPTIGA Trust X Integration Manual 6 Integrating OPTIGA Trust X Host Library into Host Project The OPTIGA™ Trust X Host Library can be placed anywhere in the project directory tree. In this case we will place it in our Libraries folder, as shown in Figure 16. Figure 16 6.1 OPTIGA™Trust X Host Library Including Necessary PAL Directories We will exclude some of the folders from the compilation process that we don’t need to build in the library but are rather in place for our reference. e.g.: examples. • In the “Project Explorer” pane, right click on the “examples” folder. • Under “Resource Configuration” -> Exclude from build • Select both “Release” and “Debug” as shown in figure 17. Figure 17 Application Note Excluding a Directory from Build 18 <2018-07-03> OPTIGA Trust X Integration Manual The OPTIGA™Trust X Host Library was designed to be agnostic to the Host Controller, Operating System or IDE that will be used for the integration process. Having this in mind, the user only needs to adapt the Platform Abstraction Layer and configure the necessary drivers and components needed by OPTIGA™Trust X Host Library to operate (adapting necessary drivers and peripheral components will be covered in section 7 Configuring Platform Specific Modules Required by OPTIGA Trust X Host Library). • In Project Explorer open the “pal” directory • Select all directories except for xmc_dave (Ctrl + Mouse Click on each), as shown in Figure 18. Figure 18 Selecting XMC1100 PAL • Right Click on the selection • Go to “Resource Configuration” • Select “Exclude from Build” • Select both “Release” and “Debug” and OK Application Note 19 <2018-07-03> OPTIGA Trust X Integration Manual Exclude from build also the mbedtls-2.12.0 directory, under externals. We will not be using it, as shown in Figure 19. Figure 19 6.2 Excluding other PAL’s from Build Process Adding Necessary Header Files to Workspace Path To successfully integrate the OPTIGA™Trust X Host Library we need to add to the the necessary header files to the build directory. • Under Project Explorer, select our project • Go to Project -> Properties • C/C++Build -> Settings • ARM-GCC C Compiler -> Directories, as shown in Figure 20. • Add a new path (3) Figure 20 Application Note Adding a New Directory to the Build Process 20 <2018-07-03> OPTIGA Trust X Integration Manual • Under “Add directory to path window”, select Workspace • Go to: Libraries->optiga-trust-x -> optiga -> include • Add the “include” directory to the path, as shown in Figure 21. • Apply -> OK Figure 21 Application Note Adding OPTIGA™Trust X Header Files to the Path 21 <2018-07-03> OPTIGA Trust X Integration Manual 7 Configuring Platform Specific Modules Required by OPTIGA Trust X Host Library OPTIGA™ Trust X Host Library was designed with portability and flexibility in mind. The result is a powerful platform agnostic library. To start with the integration process as we can see from Figure 1 and Figure 2, we need to start by preparing the different peripheral components that the OPTIGA™ Trust X Host Library needs to operate. Figure 22 Preparing Host Platform Specific Hardware This are the components we need to enable: • Scheduler Timer • Tick Timer • I2C Module • I/O for OPTIGA™ Trust Reset Control 7.1 Scheduler Timer Using Dave™4 App wizard we will create a Timer module. • Go to DAVE->Add New APP • In the search filed, type “Timer”. Add the Timer module • Right click on TIMER_0 and select “Rename Instance Label” • Change the timer module name to “scheduler_timer”, as shown in Figure 2324 This timer will provide a system tick. Application Note 22 <2018-07-03> OPTIGA Trust X Integration Manual Figure 23 Scheduler Timer Module To configure the “scheduler_timer”, double click on the module in the APP Dependency. Configure the timer with the following settings: • • General Settings o Timer interval: 1000usec o Start after initialization: Not selected Event Settings o Note: Time interval even: Selected An alert will appear after we select time interval event. Disregard as we will configure it later. Add an Interrupt Module to serve the “scheduler_timer” • Go to DAVE->Add New APP • In the search filed, type “Interrupt”. Add the INTERRUPT module • • Right click on INTERRUPT_0 and select “Rename Instance Label” Change INTERRUPT_0 module to “scheduler_timer_intr”, as shown in Figure 24 Scheduler Timer Interrupt To configure the “scheduler_timer_intr”, double click on the interrupt module, in the APP Dependency pane. Configure the timer with the following settings: Application Note 23 <2018-07-03> OPTIGA Trust X Integration Manual • Under Interrupt Settings o o o Enable interrupt at initialization: Selected Interrupt priority: 3 (It is the max for XMC1100) Interrupt handler: scheduler_timer_isr A signal connection between the modules needs to be configured now as shown in Figure 2526. • Go to DAVE->HW Signal Connections • Under Filter, select “scheduler_timer” • Under Source Signal o Select “event_time_interval” • Under Target APP Instance Name o Select “scheduler_timer_intr” • Under Target Signal o Figure 25 7.2 Select “sr_irq” HW Signal Connections for Scheduler Timer Tick Timer Using Dave™4 App wizard we will create a Timer module. • Go to DAVE->Add New APP • In the search filed, type “Timer”. Add the Timer module • When “Required APP Instance Selection” window appears, select “APP/GLOBAL_CCU4/GLOBAL_CCU4_0” option as shown in Figure 2627 Application Note 24 <2018-07-03> OPTIGA Trust X Integration Manual Figure 26 Tick Timer Under Existing APP Instance • Right click on TIMER_0 and select “Rename Instance Label” • Change the timer module name to “tick_timer”, as shown in Figure 2728 Figure 27 Tick Timer Module To configure the “tick_timer”, double click on the module in the APP Dependency pane. Configure the timer with the following settings: • • General Settings o Timer interval: 1000usec o Start after initialization: Selected Event Settings o Note: Application Note Time interval even: Selected An alert will appear after we select time interval event. Disregard as we will configure it later. 25 <2018-07-03> OPTIGA Trust X Integration Manual Add an Interrupt Module to serve the “tick_timer” • Go to DAVE->Add New APP • In the search filed, type “Interrupt”. Add the INTERRUPT module • • Right click on INTERRUPT_0 and select “Rename Instance Label” Change INTERRUPT_0 module to “tick_timer_intr”, as shown in Figure 2829 Figure 28 Tick Timer Interrupt To configure the “tick_timer_intr”, double click on the interrupt module, in the APP Dependency pane. Configure the timer with the following settings: • Under Interrupt Settings o o o Enable interrupt at initialization: Selected Interrupt priority: 3 (It is the max for XMC1100) Interrupt handler: delay_timer_isr A signal connection between the modules needs to be configured now as shown in Figure 2930. • Go to DAVE->HW Signal Connections • Under Filter, select “tick_timer” • Under Source Signal o Select “event_time_interval” • Under Target APP Instance Name o Select “tick_timer_intr” • Under Target Signal o Figure 29 Application Note Select “sr_irq” HW Signal Connections for Tick Timer 26 <2018-07-03> OPTIGA Trust X Integration Manual 7.3 I2C Master Module Using Dave™4 App wizard we will create an I2C Master module. • Go to DAVE->Add New APP • In the search filed, type “I2C” • Select “I2C MASTER” • Right click on I2C_MASTER_0 and select “Rename Instance Label” • Change the of I2C_MASTER_0 instance to “i2c_master_0”, as shown in Figure 2728 Figure 30 I2C Master Module To configure the “i2c_master_0”, double click on the module in the APP Dependency pane. Configure the I2C with the following settings: • General Settings o Desired bus speed [KHz]: 400 o Enable multi-master: Not selected • Advanced Settings o Transmit mode: Interrupt o Receive mode: Interrupt o Enable Tx FIFO: 16 o Enable Rx FIFO: 16 Note: An alert will appear after enabling the different I2C interrupt callbacks because the callback name field is empty. It will be fixed as we add the different callback names. • Interrupt Settings a. Transmit i. Preemption priority: 3 ii. End of transmit callback: Selected 1. End of transmit callback name: i2c_master_end_of_transmit_callback b. Receive i. Preemption priority: 3 ii. End of receive callback: Selected 1. End of transmit callback name: i2c_master_end_of_receive_callback Application Note 27 <2018-07-03> OPTIGA Trust X Integration Manual c. Error Handling i. Preemption priority: 3 ii. Nack receive: Selected 1. Nack receive name: i2c_master_nack_received_callback iii. Arbitration lost: Selected 1. Arbitration lost name: i2c_master_arbitration_lost_callback iv. Error detect: Selected 1. Error detect name: i2c_master_error_detected_callback • Pin Settings d. Enable noise filter: Not Selected e. Enable advance pin configuration: Not Selected To physically configure the SDA and SCL IO for the I2C module, open the Pin Mapping Perspective, as shown in Figure 3132. Figure 31 Opening Pin Mapping Perspective • Select SCL from the i2c_master_0 menu on the left side, as shown in Figure 3233. • Go to pin P2.11 and assign it to SCL. Right Click and select “i2c_master_0/SCL” • Select SDA from the i2c_master_0 menu on the left side • Go to pin P2.10 and assign it to SDA. Right Click and select “i2c_master_0/SDA” Application Note 28 <2018-07-03> OPTIGA Trust X Integration Manual Figure 32 Pin Mapping Perspective 7.4 IO for OPTIGA™ Trust Reset Control OPTIGA™Trust X Host Library can control OPTIGA™Trust X Reset and Vdd. The OPTIGA™2Go board has only support to control OPTIGA™Trust X Reset. To enable this functionality, we need to add an IO module to our Host Project. • Go to DAVE->Add New APP • In the search filed, type “IO” • Select “DIGITAL_IO” • Right click on DIGITAL_IO _0 and select “Rename Instance Label” • Change the of DIGITAL_IO _0 instance to “pin0_15”, which is the IO Pin assigned to the Reset control, as shown in Figure 3335. To configure the IO PIN, double click on the interrupt module, in the APP Dependency pane. • General Settings o • Pin direction: Input/Output Output Settings o Mode: Push Pull o Initial output level: High Application Note 29 <2018-07-03> OPTIGA Trust X Integration Manual Figure 33 Adding OPTIGA™ Trust X Reset Control Compile the project now and there should not be any errors. Figure 34 Application Note Successful Integration of OPTIGA™Trust X Host Library into Host Project 30 <2018-07-03> OPTIGA Trust X Integration Manual 8 Working with OPTIGA™Trust X from the Application Layer 8.1 Initializing OPTIGA™Trust X using the Host Library For the Application Layer to interact with OPTIGA™Trust X using the Host Library, we need to initialize OPTIGA™ Trust X first. • Open main.c • Add the following code, as shown in Error! Reference source not found.. /*OPTIGA #include #include #include #include Trust Include Files*/ "optiga/comms/optiga_comms.h" "optiga/optiga_util.h" "optiga/ifx_i2c/ifx_i2c_config.h" "optiga/common/AuthLibSettings.h" /************************************************************************* * function prototypes *************************************************************************/ static int32_t optiga_init(void); static int32_t optiga_deinit(void); /************************************************************************* * Global *************************************************************************/ optiga_comms_t optiga_comms = {(void*)&ifx_i2c_context_0,NULL,NULL, OPTIGA_COMMS_SUCCESS}; /************************************************************************* * functions *************************************************************************/ static int32_t optiga_init(void) { int32_t status = (int32_t) OPTIGA_LIB_ERROR; do { status = optiga_util_open_application(&optiga_comms); if(OPTIGA_LIB_SUCCESS != status) { sprintf(stderr, "Failure: CmdLib_OpenApplication(): 0x%04X", status); break; } status = OPTIGA_LIB_SUCCESS; } while(0); return status; } static int32_t optiga_deinit(void) { int32_t status = (int32_t) OPTIGA_LIB_ERROR; //Close IFX I2C Protocol and switch off the security chip status = optiga_comms_close(&optiga_comms); if(OPTIGA_LIB_SUCCESS != status) { sprintf(stderr, "Failure: optiga_comms_close(): 0x%04X", status); } printf("Device closed\n"); return status; } Code Listing 1 Application Note OPTIGA™Trust X Host Library Init and Deinit methods. 31 <2018-07-03> OPTIGA Trust X Integration Manual Within “main” add the call to optiga_init() as shown in Code Listing 2. int main(void) { //Return value optiga_lib_status_t return_status = OPTIGA_LIB_ERROR; . . . return_status = optiga_init(); if (OPTIGA_LIB_SUCCESS != return_status) { OPTIGAprintf("OPTIGA Trust initialization failed\n"); while(1U) { } } /* Placeholder for user application code. The while loop below can be replaced with user application code. */ . . . Code } Listing 2 Calling optiga_init from main. • Compile xmc2Go-TrustX project. • No errors should appear, as shown in Figure 3537. Figure 35 Successful Initialization of OPTIGA™Trust X Host Library 8.2 OPTIGA™Trust X Host Library Crypt API Layer OPTIGA™Trust X Host Library Crypt Layer, provides the following API’s: 8.2.1 optiga_crypt_random Generates a random Number of a specific size. It has the option of using either of two methodologies supported by OPTIGA™Trust X. • TRNG • DRNG 8.2.2 optiga_crypt_hash_start Starts a Hash sequence using SHA256 algorithm. Application Note 32 <2018-07-03> OPTIGA Trust X Integration Manual 8.2.3 optiga_crypt_hash_update Updates previously started Hash context, adding to the Hash sequence the new Hash (using SHA256 algorithm) of a given message. 8.2.4 optiga_crypt_hash_finalize Finalized Hash sequence and outputs the Sha256 Digest. 8.2.5 optiga_crypt_ecc_generate_keypair Generates a Key pair based on the NIST P256 or 384 Elliptic Curve Algorithm. Curve ID can be: • OPTIGA_ECC_NIST_P_256 • OPTIGA_ECC_NIST_P_384 8.2.6 optiga_crypt_ecdsa_sign Calculates an Elliptic Curve Signature on provided SHA256 Digest. 8.2.7 optiga_crypt_ecdsa_verify Verifies an Elliptic Curve Signature. 8.2.8 optiga_crypt_ecdh Generates shared secret (premaster secret), using ECDH algorithm. The Public key is sourced from the host and the Private Key is sourced from OPTIGA™Trust X. 8.2.9 optiga_crypt_tls_prf_sha256 Generates a derived secret based on the ECDH premaster secret. It provides the following options: • Derived key is exported to the host from OPTIGA™Trust X. • Derived key is stored in an OPTIGA™Trust X Session OID. 8.3 Using OPTIGA™Trust X Host Library Crypt API Layer to interact with Application This section will demonstrate how to use the OPTIGA™Trust X Host Library Crypt API layer to add cryptographic primitive methods to the Host Application. These methods when combined provide a high level of security to the application. We will use our xmc2Go-TrustX project as reference. Application Note 33 <2018-07-03> OPTIGA Trust X Integration Manual • In your xmc2Go-TrustX project go src/cmd_pocess. It is where the core of our application resides. This is shown in • Figure 3638. Figure 36 xmc2Go-TrustX Application Layer • Under parse_cmd(), we can find the application user interface commands. We will be adding functionality to these commands to demonstrate the interaction with Crypt Layer APIs. • The xmc2Go application user interface commands are: • o optx_get_rng() o optx_get_sha256() o optx_genKey_pair() o optx_sign_hash() o optx_verify_sig() o optx_sign_verify_sig() o optx_ecdh_derive_key() o optx_read_ifx_cert() The above commands use OPTIGA™Trust X Crypt layer APIs to bring application layer functionality to xmc2go application. Now let’s start building our xmc2Go application user interface commands. This will do in the following subsections. Application Note 34 <2018-07-03> OPTIGA Trust X Integration Manual 8.3.1 Configuring Application cmd_iface.c for Optiga Trust Library To use OPTIGA™Trust X Crypt layer APIs we need to add the following header files to our application sorce file cmd_iface.c. Add #include "optiga/optiga_crypt.h", like shown in the code listing below. #include #include #include #include #include #include #include "cbuf.h" "serial_io_iface.h" //Declarations from DAVE Code Generation (includes SFR declaration) /*OPTIGA Trust Include Files*/ #include "optiga/optiga_crypt.h" #include "optiga/optiga_util.h" Code Listing 3 Addign Optiga Trust Library header files to application source file Now add the global variables we will use. Note: In a real-world application, the use of global variables should be avoided. /*Global variable used for this exercise*/ uint8_t global_random[32] = {}; uint8_t global_digest[32] = {}; uint8_t global_signature[80] = {}; uint8_t global_sig_length = 0; uint8_t global_pubkey[80] = {}; uint8_t global_pubkey_length = 0; Code Listing 4 8.3.2 Addign global variable used for this example. optx_get_rng When our xmc2Go application calls this command, it uses OPTIGA™Trust X Host Library Crypt API optiga_crypt_random to generate a random number provided by OPTIGA™Trust X. Copy the piece of code in Code Listing 5 to cmd_iface.c under optx_get_rng(void). int optx_get_rng(void) { optiga_lib_status_t optiga_status = OPTIGA_LIB_ERROR; uint8_t rnd[32]; do{ OPTIGAprintf("Retrieving random numbers from OPTIGA Trust X:\r\n"); optiga_status = optiga_crypt_random(rnd, sizeof(rnd)); if(optiga_status!= 0) break; memcpy(global_random, rnd, sizeof(rnd)); HexDump(rnd, sizeof(rnd)); }while(0); return optiga_status; } Code Listing 5 xmc2Go optx_get_rng application API When we run our xmc2Go application and test the command, it will provide an output as shown in Application Note 35 <2018-07-03> OPTIGA Trust X Integration Manual Figure 3739 Figure 37 Execution of optx_get_rng by xmc2Go application. 8.3.3 optx_get_sha256 When our xmc2Go application calls this command, it uses OPTIGA™Trust X Host Library Crypt API optiga_crypt_hash to compute a SHA256 hash over the provided data. In our xmc2Go application the data is the following message: “OPTIGA Trust X, Hardened Security” Copy the piece of code in Code Listing 6 to cmd_iface.c under optx_get_sha256(void). int optx_get_sha256(void) { optiga_lib_status_t optiga_status = OPTIGA_LIB_ERROR; uint8_t hash_context_buffer [130]; optiga_hash_context_t hash_context; uint8_t data_to_hash [] = {"OPTIGA Trust X, Hardened Security"}; hash_data_from_host_t hash_data_host; hash_context.context_buffer = hash_context_buffer; hash_context.context_buffer_length = sizeof(hash_context_buffer); hash_context.hash_algo = OPTIGA_HASH_TYPE_SHA_256; uint8_t digest[32]; do{ OPTIGAprintf("Message to Hash: -OPTIGA Trust X, Hardened Security- \r\n"); OPTIGAprintf("OPTIGA Trust X Performing SHA256 of Message\r\n"); //Hash start optiga_status = optiga_crypt_hash_start(&hash_context); if(optiga_status != OPTIGA_LIB_SUCCESS) { break; } //Hash update hash_data_host.buffer = data_to_hash; hash_data_host.length = sizeof(data_to_hash); optiga_status = optiga_crypt_hash_update(&hash_context, // OPTIGA_CRYPT_OID_DATA stands for OID OPTIGA_CRYPT_HOST_DATA, &hash_data_host); if(optiga_status != OPTIGA_LIB_SUCCESS) { break; } // hash finalize optiga_status = optiga_crypt_hash_finalize(&hash_context, digest); if(optiga_status != OPTIGA_LIB_SUCCESS) { break; } HexDump(digest, sizeof(digest)); memcpy(global_digest, digest, sizeof(digest)); }while(0); return optiga_status; } Code Listing 6 Application Note xmc2Go opiga_get_sha256 application API 36 <2018-07-03> OPTIGA Trust X Integration Manual When we run our xmc2Go application and test the command, it will provide an output as shown in Figure 3840. Figure 38 Execution of optx_get_sha256 by xmc2Go application. 8.3.4 optx_genKey_pair When our xmc2Go application calls this command, it uses OPTIGA™Trust X Host Library Crypt API optiga_crypt_ecc_generate_keypair. By calling this API OPTIGA™Trust X will generate an ECC256 key pair. It will securely keep the ECC Private Key portion internal and will export to the ECC Public Key to the host. Copy the piece of code in Code Listing 7 to cmd_iface.c under optx_genKey_pair(void). int optx_genKey_pair(void) { optiga_lib_status_t optiga_status; optiga_key_id_t optiga_key_id; //To store the generated public key as part of Generate key pair uint8_t public_key [100]; uint16_t public_key_length = sizeof(public_key); do{ /** * Generate ECC Key pair * - Use ECC NIST P 256 Curve * - Specify the Key Usage (Key Agreement or Sign based on requirement) * - Store the Private key in OPTIGA Key store * - Export Public Key */ optiga_key_id = OPTIGA_KEY_STORE_ID_E0F1; //for Session based, use OPTIGA_KEY_ID_SESSION_BASED as key id as shown below. //optiga_key_id = OPTIGA_KEY_ID_SESSION_BASED; optiga_status = optiga_crypt_ecc_generate_keypair(OPTIGA_ECC_NIST_P_256, (uint8_t)OPTIGA_KEY_USAGE_SIGN, FALSE, &optiga_key_id, public_key, &public_key_length); if (OPTIGA_LIB_SUCCESS != optiga_status) { //Key pair generation failed break; } HexDump(public_key, public_key_length); memcpy(global_pubkey, public_key, public_key_length); global_pubkey_length = public_key_length; }while(0); return optiga_status; } Code Listing 7 Application Note xmc2Go optx_genKey_pair application API 37 <2018-07-03> OPTIGA Trust X Integration Manual When we run our xmc2Go application and test the command, it will provide an output as shown in Figure 3941. Figure 39 Execution of optx_genKey_pair by xmc2Go application. 8.3.5 optx_sign_hash When our xmc2Go application calls this command, it uses OPTIGA™Trust X Host Library Crypt API optiga_crypt_ecdsa_sign to sign a message (SHA256 hash of the message). OPTIGA™Trust X receives the SHA256 digest and using the ECC Private Key, signs it and exports the signature back to the Host. Copy the piece of code in Code Listing 8 to cmd_iface.c under optx_sign_hash(void). int optx_sign_hash(void) { optiga_lib_status_t optiga_status; uint8_t signature [80]; //To store the signture generated uint16_t signature_length = sizeof(signature); do{ OPTIGAprintf("OPTIGA Trust Signing Message: \r\n"); optiga_status = optiga_crypt_ecdsa_sign(global_digest, sizeof(global_digest), OPTIGA_KEY_STORE_ID_E0F1, signature, &signature_length); if (OPTIGA_LIB_SUCCESS != optiga_status) break; HexDump(signature, signature_length); memcpy(global_signature, signature, signature_length); global_sig_length = signature_length; }while(0); return optiga_status; } Code Listing 8 xmc2Go optx_sign_hash application API. When we run our xmc2Go application and test the command, it will provide an output as shown in Figure 4042. Figure 40 Application Note Execution of optx_sign_hash by xmc2Go application. 38 <2018-07-03> OPTIGA Trust X Integration Manual 8.3.6 optx_verify_sig When our xmc2Go application calls this command, it uses the past executed commands to verify the ECC256 signature generated The optiga_crypt_ecdsa_verify will take the: • hashed message • signature of the hashed message • ECC Public Key To verify if the signature is mathematically related to the message by using the ECC Public Key. Note: We should remember that an ECC Private Key is the only one able to perform a signature that can later be verified using the ECC Public Key. Copy the piece of code in Code Listing 9 to cmd_iface.c under optx_verify_sig(void). int optx_verify_sig(void) { optiga_lib_status_t optiga_status; public_key_from_host_t public_key_details = { global_pubkey, global_pubkey_length, OPTIGA_ECC_NIST_P_256 }; do{ optiga_status = optiga_crypt_ecdsa_verify (global_digest, sizeof(global_digest), global_signature, global_sig_length, OPTIGA_CRYPT_OID_DATA stands for OID in the public_key_detail &public_key_details); if (OPTIGA_LIB_SUCCESS != optiga_status) break; }while(0); return optiga_status; } Code Listing 9 xmc2Go optx_verify_sig application API. When we run our xmc2Go application and test the command, it will provide an output as shown in Figure 4143. Figure 41 Application Note Execution of optx_verify_sig by xmc2Go application. 39 <2018-07-03> OPTIGA Trust X Integration Manual 8.3.7 optx_sign_verify_sig When our xmc2Go application calls this command, it will execute the following commads following OPTIGA™Trust X Host Library Crypt APIs: • optiga_crypt_hash • optiga_crypt_ecc_generate_keypair • optiga_crypt_ecdsa_sign • optiga_crypt_ecdsa_verify Copy the piece of code in Code Listing 10 to cmd_iface.c under optx_sign_verify_sig(void). int optx_sign_verify_sig(void) { optiga_lib_status_t optiga_status; do{ OPTIGAprintf("OPTIGA Trust Sign/Verify Message: \r\n\n"); do{ OPTIGAprintf("1-. Generate a random ECC Key pair: \r\n\n"); optiga_status = optx_genKey_pair(); OPTIGAprintf("\r\n"); if (optiga_status != 0) break; OPTIGAprintf("2-. Hash (SHA256) the message to sign: \r\n\n"); optiga_status = optx_get_sha256(); OPTIGAprintf("\r\n"); if (optiga_status != 0) break; OPTIGAprintf("3-. Sign the SHA256 digest with our private ECC256 key: \r\n\n"); optiga_status = optx_sign_hash(); OPTIGAprintf("\r\n"); if (optiga_status != 0) break; OPTIGAprintf("4-. Verify signature of message with public ECC256 key: \r\n\n"); optiga_status = optx_verify_sig(); OPTIGAprintf("\r\n"); if (optiga_status != 0) break; }while(0); if (optiga_status != 0) break; OPTIGAprintf("Message is Authentic: \r\n\n"); }while(0); return optiga_status; } Code Listing 10 optx_sign_verify_sig application API. After executing the command, it will provide an output as shown in Figure 4244. Application Note 40 <2018-07-03> OPTIGA Trust X Integration Manual Figure 42 Execution of optx_verify_sig by xmc2Go application. 8.3.8 optx_ecdh_derive_key When our xmc2Go application calls this command, it uses the following OPTIGA™Trust X Host Library Crypt APIs: • optiga_crypt_ecc_generate_keypair • optiga_crypt_ecdh • optx_get_rng • optiga_crypt_tls_prf_sha256 Note: We use a new generated ECC Key Pair for ECDH. The reason this is done, is because in practice ECDH keys life span is only for the lifetime of the session they are used for. OPTIGA™Trust X can create ECC Key Pairs that are RAM resident and their life span is determined by the life span of the context used when initializing OPTIGA™Trust X. When closing the context all RAM resident keys are flushed from OPTIGA™Trust X RAM. In practice we keep the Premaster secret generated by ECDH secret. We then use the Premaster Secret along with a Random Number or Nonce to generate a Session Key. Copy the piece of code in Code Listing 11 to cmd_iface.c under optx_ecdh(void). Application Note 41 <2018-07-03> OPTIGA Trust X Integration Manual int optx_ecdh_derive_key(void) { optiga_lib_status_t optiga_status; uint8_t decryption_key [16] = {0}; uint8_t public_key [80]; uint16_t public_key_length = sizeof(public_key); optiga_key_id_t optiga_key_id; uint8_t label [] = ""; // Peer public key details for the ECDH operation static uint8_t peer_public_key [] = { //Bit string format 0x03, //Remaining length 0x42, //Unused bits 0x00, //Compression format 0x04, //Public Key 0x94, 0x89, 0x2F, 0x09, 0xEA, 0x4E, 0xCA, 0xE0, 0xD5, 0xF9, 0x77, 0xEA, 0xC3, 0xB2, 0x37, 0xBB, 0xBE, 0x46, 0xE4, 0x49, 0x76, 0x5A, 0xF1, 0x29, 0xD7, 0x3A, 0xB6, 0x9B, }; 0xBC, 0x70, 0x38, 0x80, 0x6A, 0xAC, 0x25, 0xAC, 0x4E, 0xE2, 0xB5, 0xC5, 0xF2, 0x19, 0xF8, 0xE1, 0x06, 0x00, 0x94, 0xC3, 0x36, 0xF5, 0x74, 0x10, 0x26, 0xDB, 0x9E, 0xF2, 0xE0, 0x56, 0x1A, 0x16, 0x5D, 0xE7, 0xB6, 0xC6, do{ OPTIGAprintf("1.- Using Peer PubKey for ECDH key agreement: \r\n\n"); HexDump(peer_public_key, sizeof(peer_public_key)); OPTIGAprintf("\r\n"); public_key_from_host_t peer_public_key_details = { (uint8_t *)&peer_public_key, sizeof(peer_public_key), OPTIGA_ECC_NIST_P_256 }; OPTIGAprintf("2-. Generate a random seed: \r\n\n"); optiga_status = optx_get_rng(); OPTIGAprintf("\r\n"); if (OPTIGA_LIB_SUCCESS != optiga_status) { // Key pair generation failed break; } OPTIGAprintf("3-. Generate an ECC256 Key Pair for the session: \r\n"); OPTIGAprintf(" Private Key Securely stored in OPTIGA Trust\r\n\n"); /** * Generate ECC Key pair - To use the private key with ECDH in the next step * - Use ECC NIST P 256 Curve * - Specify the Key Usage as Key Agreement * - Store the Private key with in OPTIGA Session * - Export Public Key */ optiga_key_id = OPTIGA_SESSION_ID_E100; optiga_status = optiga_crypt_ecc_generate_keypair(OPTIGA_ECC_NIST_P_256, (uint8_t)OPTIGA_KEY_USAGE_KEY_AGREEMENT, FALSE, &optiga_key_id, public_key, &public_key_length); OPTIGAprintf(" Public Key is send to Peer\r\n\n"); HexDump(public_key, public_key_length); OPTIGAprintf("\r\n"); if (OPTIGA_LIB_SUCCESS != optiga_status) { // Key pair generation failed break; } Application Note 42 <2018-07-03> OPTIGA Trust X Integration Manual OPTIGAprintf("4-. Performing Key Agreement ECDH(E): \r\n"); OPTIGAprintf(" Pre-master secret is securely stored in OPTIGA Trust\r\n\n"); /** * Perform ECDH using the Peer Public key * - Use ECC NIST P 256 Curve * - Provide the peer public key details * - Export the generated shared secret */ optiga_status = optiga_crypt_ecdh(optiga_key_id, &peer_public_key_details, FALSE, (uint8_t *)&optiga_key_id); OPTIGAprintf("\r\n"); if (OPTIGA_LIB_SUCCESS != optiga_status) { //ECDH Operation failed. break; } OPTIGAprintf("5-. Using OPTIGA Trust internal KDF and Premaster Secret to generate a session key: \r\n"); OPTIGAprintf(" Session key can securely be used for AES encryption of communication channel\r\n\n"); /** * Derive key (e.g. decryption key) using optiga_crypt_tls_prf_sha256 with I2C communication. * - Use shared secret from F1D0 data object */ optiga_status = optiga_crypt_tls_prf_sha256(optiga_key_id, /* Input secret OID */ label, sizeof(label), global_random, sizeof(global_random), sizeof(decryption_key), TRUE, decryption_key); OPTIGAprintf("\r\n"); if(OPTIGA_LIB_SUCCESS != optiga_status) { //Derive key operation failed. break; } OPTIGAprintf("6-. Encryption Key: \r\n"); HexDump(decryption_key, sizeof(decryption_key)); OPTIGAprintf("\r\n"); }while(0); return optiga_status; } Code Listing 11 xmc2Go optx_ecdh application API. When we run our xmc2Go application and test the command, it will provide an output as shown in Figure 4345. Application Note 43 <2018-07-03> OPTIGA Trust X Integration Manual Figure 43 Execution of optx_sign_hash by xmc2Go application. Note: Remember that the Premaster Secret created by ECDH in practice is kept secret. OPTIGA™Trust X has the option of also exporting it to the Host. In practice we use the Premaster Secret to generate a session key. OPTIGA™Trust X has a built in Key Derivation Function (KDF) that uses the internally kept Premaster Secret along with a Random Seed to generate a session key. 8.3.9 optx_read_ifx_cert When our xmc2Go application calls this command, it uses the following OPTIGA™Trust X Host Library Util API optiga_util_read_data to read out the Infineon Endorsement Certificate provisioned during the fabrication process of OPTIGA™Trust X. Copy the piece of code in Code Listing 12 to cmd_iface.c under optx_read_ifx_cert(void). Note: Application Note To run this API successfully we need to add #include "optiga/optiga_util.h" to our cmd_iface.c file. 44 <2018-07-03> OPTIGA Trust X Integration Manual int optx_read_ifx_cert(void) { optiga_lib_status_t optiga_status; uint16_t offset, bytes_to_read; uint16_t optiga_oid; uint8_t read_data_buffer[1024]; do{ //Read device end entity certificate from OPTIGA optiga_oid = eDEVICE_PUBKEY_CERT_IFX; offset = 0x00; bytes_to_read = sizeof(read_data_buffer); /** * 1. Read data from a data object (e.g. certificate data object) * using optiga_util_read_data. */ optiga_status = optiga_util_read_data(optiga_oid, offset, read_data_buffer, &bytes_to_read); if (OPTIGA_LIB_SUCCESS != optiga_status) { //Reading the data object failed. break; } OPTIGAprintf("Infineon Endorsement Certificate provisioned in factory: \r\n"); __hexdump_ascii__(read_data_buffer, bytes_to_read); }while(0); return optiga_status; } Code Listing 12 xmc2Go optx_read_ifx_cert application API. When we run our xmc2Go application and test the command, it will provide an output as shown in Figure 4447. Figure 44 Application Note Execution of optx_read_ifx_cert by xmc2Go application 45 <2018-07-03> OPTIGA Trust X Integration Manual Revision history Major changes since the last revision Page or Reference Description of change Entire Document Spelling and grammer check Application Note 46 <2018-07-03> Trademarks of Infineon Technologies AG µHVIC™, µIPM™, µPFC™, AU-ConvertIR™, AURIX™, C166™, CanPAK™, CIPOS™, CIPURSE™, CoolDP™, CoolGaN™, COOLiR™, CoolMOS™, CoolSET™, CoolSiC™, DAVE™, DI-POL™, DirectFET™, DrBlade™, EasyPIM™, EconoBRIDGE™, EconoDUAL™, EconoPACK™, EconoPIM™, EiceDRIVER™, eupec™, FCOS™, GaNpowIR™, HEXFET™, HITFET™, HybridPACK™, iMOTION™, IRAM™, ISOFACE™, IsoPACK™, LEDrivIR™, LITIX™, MIPAQ™, ModSTACK™, my-d™, NovalithIC™, OPTIGA™, OptiMOS™, ORIGA™, PowIRaudio™, PowIRStage™, PrimePACK™, PrimeSTACK™, PROFET™, PRO-SIL™, RASIC™, REAL3™, SmartLEWIS™, SOLID FLASH™, SPOC™, StrongIRFET™, SupIRBuck™, TEMPFET™, TRENCHSTOP™, TriCore™, UHVIC™, XHP™, XMC™ Trademarks updated November 2015 Other Trademarks All referenced product or service names and trademarks are the property of their respective owners. Edition <2018-07-03> Published by Infineon Technologies AG 81726 Munich, Germany ifx1owners. © 2018 Infineon Technologies AG. All Rights Reserved. Do you have a question about this document? Email: erratum@infineon.com Document reference IMPORTANT NOTICE The information contained in this application note is given as a hint for the implementation of the product only and shall in no event be regarded as a description or warranty of a certain functionality, condition or quality of the product. Before implementation of the product, the recipient of this application note must verify any function and other technical information given herein in the real application. Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind (including without limitation warranties of noninfringement of intellectual property rights of any third party) with respect to any and all information given in this application note. The data contained in this document is exclusively intended for technically trained staff. It is the responsibility of customer’s technical departments to evaluate the suitability of the product for the intended application and the completeness of the product information given in this document with respect to such application. For further information on the product, technology, delivery terms and conditions and prices please contact your nearest Infineon Technologies office (www.infineon.com). WARNINGS Due to technical requirements products may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies office. Except as otherwise explicitly approved by Infineon Technologies in a written document signed by authorized representatives of Infineon Technologies, Infineon Technologies’ products may not be used in any applications where a failure of the product or any consequences of the use thereof can reasonably be expected to result in personal injury.
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf Linearized : No Page Count : 47 PDF Version : 1.4 Title : Optiga TrustX Integration Manual_v1.2 Author : SanchezOscar Subject : Producer : macOS Version 10.14.1 (Build 18B75) Quartz PDFContext Creator : Word Create Date : 2018:11:27 07:44:21Z Modify Date : 2018:11:27 07:44:21ZEXIF Metadata provided by EXIF.tools