开发环境: s5pv210 linux, imx51 linux
操作流程:
==>烧录工具:
研究烧录工具的使用,能够更快的熟悉芯片功能。
芯片使用之前可导入个性化文件,配置slot/otp data的读写权限以及验证方式。配置完成后再lock住 config zone和data zone;
这样对芯片的个性化配置完成了,从此芯片就会按照你的意图办事拉。
SlotConfig (32bytes, 2bytes per slot):
ReadKey - 该slot数据的读,用指定ReadKey的slot加密起来;
CheckOnly - 该slot是否只适用CheckMac and GenDig Command;
SingleUse - single-use keys,若enable,使用次数限制后会返回出错;
EncryptRead, slotconfig.IsSecret都为0,此slot才能被读写。然后OTP/data zone必须locked,才能读写。
UseFlag - 对应single-use keys, 表示该key可以使用多少次;只针对keys #0~7设置。
OTPmode = 0xAA, OTP zone locked: 写被禁止,读任意。
==>代码部分:
1, wakeup device: 6.1.1 -- chip is asleep.和芯片通信之前要确保它是awake。只能当chip asleep才能唤醒,芯片处于awake时忽略唤醒命令。
sha204c_wakeup()
具体唤醒芯片有两种方式:
1),将SDA配成gpio口,给出60us低,然后拉高2.5ms;条件是clk较高:samsung 400KHz
2),利用标准i2c发送函数,发送0x00 byte给出60us,然后延时2.5ms;条件是clk较低:imx51 200KHz
sleep sequence:
sha204c_sleep() 已验证;
2, read write:
读写要确保芯片的各个区是否有相应的权限。 config zone一直有读的权限,OTP zone通过设置也可任意读;
slot data由slotconfig决定读写的权限。可以直接读,认证读,认证写 ...
Read Command:
* read config zone简单,config zone的内容一直可读的;
* 读取data slots的内容有条件:(此步骤由烧录工具完成)
先通过lock command设置slotconfig unlocked 和 data zone locked;
然后通过write command配置SlotConfig(config zone的20~51字节,每个slot占用2个字节);
读写data zone的权限都是要设置slotconfig的。
Write Command:
* 通过写SlotConfig来设置读写data zone的权限。同时,写config zone的slotconfig区间前,需要确定slotconfig是unlocked(看Lock Command)。(此步骤由烧录工具完成)
* 写data slot;
Lock Command: (此命令由烧录工具调用的,驱动代码中无需调用)
* 设置slotconfig区间的写权限; 写:unlocked详见config zone的 87 byte
* 设置OTP zone和data zone的写权限。读:locked;写:unlocked 详见config zone的 86 byte
只能unlocked -> locked,所以要先write,再read data zone。
Config zone: 88bytes
格式: cnt + data + CRC
0~31: 参数 -- 0x80, 0x0000
1 23 6c 3e 0 4 5 0 94 9d e4 d2 ee 55 1 0 c8 0 55 0 |8f| 80 80 a1 82 e0 a3 60 94 40 a0 85
32~63:参数 -- 0x80, 0x0008
86 40 87 7 f 0 89 f2 8a 7a b 8b c 4c dd 4d c2 42 af 8f ff 0 ff 0 ff 0 ff 0 ff 0 ff 0
63~87:只能4-bytes读,不能一次读32-bytes。
84~87byte:参数 -- 0x00 0x0015
0 0 55 55
OTP zone:64bytes
它的读写权限由OTPmode控制。0xAA -- read-only mode。 可以通过READ COMMAND读出。
Data zone:16 * 32bytes
3,i2c sync:
系统如果芯片response不正确,要做一次reset! sha204c_resync()。 目前此步骤在imx51,s5pv210平台均未实现;采取的是足够的延时(不同的命令,芯片的反应时间也不同)来保证芯片sync。
如何发送9clock的高电平呢?
4, 认证:
MAC Command
* sha204m_execute()mode 决定了参与计算MAC的各种参数:
第一个32bytes:Key[KeyID] or TempKey,
第二个32bytes:user input challenge or Tempkey.
(1) 随机数认证: mode=0, Key[KeyID] + challenge;
直接执行MAC Command命令; 得到SHA-256 MAC值。
user 通过SHA-256算法计算出的MAC和上述MAC对比来认证。
e.g.>
MAC Command Sent:
27 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BB 97
MacCommand Received:
23 84 09 C2 A7 31 81 83 51 16 EE E1 AD 5F 59 4B EC 63 B8 5E E6 D7 8A 3F EE 26 5E 90 AD 15 B7 D0 0A DC 60
/* user验证 */
计算MAC并比较:slot data + challenge => MAC
(2) Tempkey认证: mode = 1 & tempkey.SourceFlag. Key[KeyID] + Tempkey
须先要执行Nonce Command生成Tempkey。
然后执行MAC Command;得到SHA-256 MAC值。
Nonce Command:
user input challenge + chip internal Randout => Tempkey
Tempkey register: 32bytes Data + Tempkey Config [ 理解SourceFlag , Valid 意义]
tempkey.SourceFlag 标志着; Tempkey.Valid 表示其是否可用:nonce命令执行后,该标志为1;tempkey被用过之后,标志变成了0.
e.g. >
Nonce Command Sent: //执行Nonce command
1B 16 00 00 00 54 79 70 65 20 43 68 61 6C 6C 65 6E 67 65 20 48 65 72 65 00 17 13
NonceCommand Received: //返回芯片内部的Randout; 此时,Tempkey已经生成
23 A6 5A D5 07 A9 81 D7 E1 B0 5F 2D 73 44 72 94 74 AE E6 BC BB 94 BF 73 47 5F 65 F8 A4 6B 47 B8 FB 59 06
MAC Command Sent: //执行MAC command:mode=1,keyid=0(slot0 data + tempkey)
07 08 01 00 00 06 67
MacCommand Received: //返回SHA-256 MAC值
23 98 80 4C 73 13 2E 0F 89 BD A7 7C 69 28 C5 47 D1 BC DC 60 9A C1 A3 09 87 36 26 7C E9 D6 8B 19 10 56 F5
/* 下面的验证部分,实际需要由user完成的 */
CheckMac Command Sent: //执行CheckMac command验证 (方便分析,将数据分割下)
54 28 00 00 00 //mode=0, keyid=0
64 46 F3 95 6E FC 47 AF AC E6 E6 A8 67 09 16 F6 5B E1 F8 3A A0 4E 7B 79 67 9B A3 94 FF ED 9F B5 //user input challenge, 就是tempkey
98 80 4C 73 13 2E 0F 89 BD A7 7C 69 28 C5 47 D1 BC DC 60 9A C1 A3 09 87 36 26 7C E9 D6 8B 19 10 //sha-256 MAC
08 01 00 00 00 00 00 00 00 00 00 00 00 //other data: 和MAC command发送的“07 08 01 00 00 06 67” I/O block相同,补全13字节。
9E C6
CheckMacCommand Received: //返回匹配结果
04 00 03 40
##注意CheckMac命令格式##
/* user 验证 */
计算Tempkey: Nonce 命令的输入challenge(20bytes) + 其返回值Randout => Tempkey
计算MAC并比较:slot data + tempkey => MAC
===> 疑问: 不知道slot 的配置是否影响到上述两种认证方式。 目前验证,随机数的认证不受slotconfig的影响。
* Personalize the device as follows:
* - Slot 0 = Store read-only information e.g. model number, product name, product ID, manufacturer name, or ?? (teach me how). <可用read command直接读到>
* - Slot 1 = Store authentication/encryption key.
* - Slot 2 = Store authentication/encryption key.
* - Slot 3 = Store fixed key with "single use" restrictions having 5 maximum uses.
* - Slot 4 = Store key that can be created in the field with 3 maximum authenticated updates. Use KeyID 1 for authentication
* - Slot 5 = Store key that can be rolled in the field with 6 maximum authenticated updates. Use KeyID 2 for authentication
* - Slot 6 = Store content that requires encrypted read/write using KeyID 3 for READ and KeyID 4 for write
* - Slot 7 = Make this slot write-only (Suggest possible use for this?)
* - Slot 8 = Make this a scratch pad e.g. unrestricted reads/writes
* - Slot 9 = Store content that requires encrypted reads using KeyID 1 but clear writes.
* - Slot 10 = Store content that requires encrypted writes using KeyID 2 but clear reads.
* - Slot 11 = Store key that can be created in the field with MAC required for creation. Use KeyID 2 as parent key.
* - Slot 12 = Store key that can be created in the field by anybody i.e. without requiring MAC
* - Slot 13 = Store key that can be rolled in the field with MAC required for rolling. Use KeyID 2 as parent key.
* - Slot 14 = Store key that can be rolled in the field by anybody i.e. without requiring MAC
* - Slot 15 = Store key with 33 maximum uses controlled by UseFlags. Make it a CheckOnly Key