
Topic: Permanently configure your ATECC508A to ECC608A crypto element

jamesjl

Several projects using the MKR range of boards connect to third party IoT hubs from the likes of AWS, Google & Azure. The projects state that the crypto element has to be permanently changed to allow connection to the IoT hub.


What isn't stated is if this permanent change will prevent the MKR board from being subsequently re-programmed to work with the Arduino IoT Cloud. The Arduino Cloud is great for quickly experimenting with an idea and losing access to it due to having to change the crypto to use an X.509 cert is something I'd like to be certain about before proceeding with an external IoT hub.

Can anyone help me to confirm if this is the case?

I'm not sure if this is the best place to post this topic but given the implication to the IoT Cloud it seemed as good a place as any.

Many thanks,

Jason.

endorama

Hello Jamesjl,

let me clarify this, it's a hard topic so feel free to ask more questions!

The crypto element onboard the MKR series comes from the factory in a "clean" state. This element supports different configurations to allow its use in different situations with different outcomes (this clean state allows advanced usage which is out of scope for this use case).

However, it is mandatory to configure it to be able to use it; so the configuration is flashed onto the crypto element, and it must be locked for it to behave as expected.

Note that we are talking about configuration, not data.

So what is locked and how does this affect the board's capabilities?
  • we lock the configuration zone: this is required to use the crypto features of the crypto element.
    The locked configuration allows storage of 5 different private keys.
    The locked configuration allows 7 slots for certificate storage (certificate slot size varies).
  • we lock the data zone: this is required to have the chip enforce access restrictions on data slots.
    This means that the layout of the data zone cannot be altered anymore, and write operations are allowed only through chip internal commands.


We do not lock the content of the data slots. This allows the storage to be rewritten any number of times (both private keys and certificates).

Quote
What isn't stated is if this permanent change will prevent the MKR board from being subsequently re-programmed to work with the Arduino IoT Cloud. The Arduino Cloud is great for quickly experimenting with an idea and losing access to it due to having to change the crypto to use an X.509 cert is something I'd like to be certain about before proceeding with an external IoT hub.
To address your question directly, this permanent change does not prevent you from using the board with different cloud providers.

Hope it's clearer now!
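
To check on a given chip the state described in the reply above (configuration and data zones locked, individual slots not locked), the lock bytes in a dump of the 128-byte configuration zone can be decoded as follows. This is an added example, not code from the thread or from the Arduino library; the offsets (bytes 86, 87 and 88 to 89) and values (0x00 locked, 0x55 unlocked) follow the ATECC508A datasheet, the type and function names are hypothetical, and the sample dump is constructed (reading the zone from the chip is not shown).

```cpp
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

// Offsets in the 128-byte ATECC508A configuration zone (per the datasheet).
constexpr size_t kConfigZoneSize = 128;
constexpr size_t kLockValue = 86;   // data/OTP zone lock byte
constexpr size_t kLockConfig = 87;  // configuration zone lock byte
constexpr size_t kSlotLocked = 88;  // 16 bits, little-endian, one bit per slot

enum class Lock { Unlocked, Locked, Unknown };

struct LockReport {
  bool valid;            // false if the buffer is not a full config zone
  Lock configZone;
  Lock dataZone;
  uint16_t frozenSlots;  // bit n set => slot n is individually locked
};

static Lock decodeLockByte(uint8_t b) {
  if (b == 0x00) return Lock::Locked;
  if (b == 0x55) return Lock::Unlocked;
  return Lock::Unknown;  // not one of the two values the datasheet defines
}

LockReport decodeLocks(const uint8_t *cfg, size_t len) {
  LockReport r{false, Lock::Unknown, Lock::Unknown, 0};
  if (cfg == nullptr || len != kConfigZoneSize) return r;
  r.valid = true;
  r.configZone = decodeLockByte(cfg[kLockConfig]);
  r.dataZone = decodeLockByte(cfg[kLockValue]);
  // The chip stores 1 for "not locked"; invert so a set bit means frozen.
  uint16_t raw = uint16_t(cfg[kSlotLocked] | (cfg[kSlotLocked + 1] << 8));
  r.frozenSlots = uint16_t(~raw);
  return r;
}

int main() {
  // Constructed sample dump: both zones locked, no slot individually locked.
  uint8_t cfg[kConfigZoneSize] = {0};
  cfg[kLockValue] = 0x00; cfg[kLockConfig] = 0x00;
  cfg[kSlotLocked] = 0xFF; cfg[kSlotLocked + 1] = 0xFF;
  LockReport r = decodeLocks(cfg, sizeof(cfg));
  printf("config locked=%d data locked=%d frozen slots=0x%04x\n",
         r.configZone == Lock::Locked, r.dataZone == Lock::Locked,
         (unsigned)r.frozenSlots);
  return 0;
}
```
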
