Embedded certs in the firmware


#1

I have a use case where we will have a large number of devices that will run the same code but connect to AWS IoT. We want to leverage the OTA function Particle offers but not have the certs embedded in the firmware. The code is currently using the MQTT-TLS library. Is there another way to use certs on the Photon which are unique to the device and not have them embedded in the firmware? Thanks.


#2

The EEPROM pages are 16KB and 64KB.

https://docs.particle.io/datasheets/wi-fi/photon-datasheet/#memory-map-common-

You may be able to use or co-opt that in some way.

If the certs need to be “secure-ish” private keys, the battery-backed (retained) RAM on the STM32F4 is pretty much designed to do that, though I don’t think it’s configured to be secure storage that is protected from JTAG reads, etc. – and you’d have to re-load it every time your device is rebooted.


#3

The Photon has only 2047 bytes of emulated EEPROM. My designs are around Boron, but I have a similar need. I use FRAM accessed via I2C to store the AWS certificates. MB85RC256V is what I’m using if it interests you.
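
An added example (not code from this thread or from Particle) of the approach in the post above: each device's certificate and key live in external storage rather than in the OTA firmware image, and the firmware validates the record before handing it to TLS. The header layout, the function names and the RAM array standing in for the FRAM's I2C driver are all assumptions. The CRC catches an unprovisioned or corrupted chip; it does not detect tampering and does not protect the confidentiality of the stored key.

```cpp
#include <stdint.h>
#include <string.h>
#include <stddef.h>

// Constructed stand-in for a 32 KB external FRAM; on a device, fram_read and
// fram_write would wrap the I2C driver (hypothetical helper names).
static uint8_t g_fram[32 * 1024];
static void fram_write(uint16_t addr, const void *src, size_t n) { memcpy(&g_fram[addr], src, n); }
static void fram_read(uint16_t addr, void *dst, size_t n) { memcpy(dst, &g_fram[addr], n); }

// Hypothetical record header at FRAM offset 0, followed by the credential blob.
struct CredHeader {
    uint32_t magic;     // marks a provisioned device
    uint16_t length;    // payload size in bytes
    uint16_t reserved;
    uint32_t crc;       // CRC-32 of the payload
};
static const uint32_t CRED_MAGIC = 0x43455254u;  // "CERT"
static const size_t CRED_MAX = sizeof(g_fram) - sizeof(CredHeader);

// Standard reflected CRC-32 (polynomial 0xEDB88320), bitwise to save flash.
static uint32_t cred_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int b = 0; b < 8; b++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

// Provisioning step: write this device's blob (for example PEM cert + key).
bool cred_store(const uint8_t *blob, size_t n) {
    if (n == 0 || n > CRED_MAX) return false;
    CredHeader h = { CRED_MAGIC, (uint16_t)n, 0, cred_crc32(blob, n) };
    fram_write(sizeof h, blob, n);  // payload first, header last, so an
    fram_write(0, &h, sizeof h);    // interrupted write never looks valid
    return true;
}

// Boot step: returns the payload length, or -1 when the storage is
// unprovisioned, the length is out of bounds, or the CRC does not match.
int cred_load(uint8_t *out, size_t cap) {
    CredHeader h;
    fram_read(0, &h, sizeof h);
    if (h.magic != CRED_MAGIC || h.length == 0 || h.length > CRED_MAX || h.length > cap) return -1;
    fram_read(sizeof h, out, h.length);
    return cred_crc32(out, h.length) == h.crc ? (int)h.length : -1;
}
```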


#4

Thanks. I’ll look into it. On a different board I used this module ATECC608A cryptochip to store encrypted keys. I was hoping it could all be contained on the Photon.


#5

While that is true, this does not contradict the statement made by @HEng.
In order to emulate EEPROM the device OS uses bigger flash pages to spread out multiple writes over these pages for wear leveling.
Granted, you cannot use the EEPROM object to access all of that data directly, but your code can co-opt these pages for other purposes (when EEPROM is not used otherwise).


#6

Hi @picsil,
Are the keys stored in plain text on the FRAM chip? Thanks.


#7

Yes they are.


#8

What about a FAT32 instance for persisting certs?
We use this on our P1 deployments for local high-fidelity sampling storage.


#9

@picsil, have you come across a way to store them encrypted on the FRAM chip? We are concerned about security. Thanks.


#10

I haven’t really looked into it much, but for secure storage of the private key you’d likely need a chip designed for that task, a Trusted Platform Module (TPM). I haven’t used one personally, but this looks like it might work: AT97SC3205-G3M45-00