IBM IoT Platform secure connectivity using A71CH


957 Views
prabhunath_gupt
Contributor II
Hi NXP team,
Hope you are doing well,
 
We have developed custom hardware based on the i.MX6ULL processor, and we also used the A71CH secure element for security purposes. Our client's requirement is IBM cloud connectivity without extracting the certificates from the secure element.
 
So we have gone through iot-nxpimxa71ch-c to connect to the IBM IoT Platform using the A71CH, as described on page 11 of the AN12186.pdf document. We observed that at line 105 of iotfclient.c it calls the a71ch_retrieveCertificatesFromSE() API to retrieve the certificates from the A71CH and store them under the default path "/opt/iotnxpimxclient/certs". Basically, it copies them onto the root-fs and then uses them to connect to the IBM IoT Platform.
 
We could also copy the certificate directly onto the root-fs and connect to the IBM IoT Platform. It looks like the A71CH SDK is not fulfilling the customer's requirement.
 
Please advise how we can fulfil our client's requirement.
 
0 Kudos
4 Replies

917 Views
Kan_Li
NXP TechSupport

Hi @prabhunath_gupt ,

 

Indeed, the A71CH is offered off-the-shelf pre-provisioned so that OEMs are not required to program any additional credentials to onboard their devices to Watson IoT. If your customer doesn't want to extract the certificates from the secure element, then they have to provision their devices with device-individual credentials. Is this the way they prefer? Please kindly clarify.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos

900 Views
prabhunath_gupt
Contributor II

Hi Kan,

Thanks for your response.

We have gone through the application note "A71CH for secure connection to IBM Watson IoT" and found there are two types of A71CH, as below.

  • A71CH Customer Programmable type
  • A71CH Provisioned & Programmable type; Ready for IBM Watson IoT

As per section 4, which relates to the "A71CH Customer Programmable" type, NXP provides C client library source code (iot-nxpimxa71ch-c), and it contains some examples and a certificate provisioning script. We have gone through one example, "samples/gatewaySample.c", and found there is one API in the "src/iotfclient.c" file which fetches the certificates from the secure element and stores them in the file system.

Please find below our queries based on the above understanding.

  1. Will the same client library be used if we go with the "A71CH Provisioned & Programmable type; Ready for IBM Watson IoT" type? If yes, then reading the certificates from the A71CH and storing them in the file system is again a security blocker for us.
  2. What are the other security advantages of the "A71CH Provisioned & Programmable type; Ready for IBM Watson IoT" apart from the certificate provisioning performed by NXP?
  3. The OpenSSL engine used in this C client library is an old one; is there any plan to update this C library, as it has not been updated for more than 2 years?

The key point is to integrate the secure element communication with the IBM cloud, create end-to-end TLS communication, and avoid extracting the certificate from the secure element. For this, it is necessary to have A71CH SDK integration with the IBM cloud. Please direct us to the SDK which supports IBM cloud integration in a secure way.

0 Kudos
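As an added example (not code from this thread, from NXP, or from the iot-nxpimxa71ch-c library), here is a small Python audit a practitioner can run over the files that an export such as a71ch_retrieveCertificatesFromSE() writes to the root-fs. It parses the PEM blocks in each file and reports whether anything other than public material (certificates, CRLs, public keys) is present. An X.509 certificate is public data, so copying it to a directory like /opt/iotnxpimxclient/certs does not by itself expose a secret; what must never leave the secure element is the private key, and this check makes that distinction explicit. The directory path is taken from the thread as an assumed default, and the sample PEM contents are constructed placeholders.

```python
import os
import re
from typing import Dict, List

# A PEM block is "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----" with matching labels.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Labels that carry only public material. Anything else (PRIVATE KEY, EC PRIVATE KEY,
# ENCRYPTED PRIVATE KEY, ...) is treated as secret-bearing and flagged.
PUBLIC_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE", "X509 CRL", "PUBLIC KEY"}

# Constructed samples (not real device credentials): the base64 bodies are placeholders.
SAMPLE_CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPlaceholderBody==\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_WITH_LEAKED_KEY = SAMPLE_CERT_ONLY + (
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MHQCconstructedPlaceholderBody==\n"
    "-----END EC PRIVATE KEY-----\n"
)


def pem_labels(text: str) -> List[str]:
    """Return the labels of all well-formed PEM blocks, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def audit_export(text: str) -> Dict[str, object]:
    """Classify the PEM blocks of one exported file.

    'ok' is True only when at least one block is present and none of them is
    secret-bearing; an empty or unparsable file is reported as not ok so that it
    gets looked at rather than silently passing.
    """
    labels = pem_labels(text)
    secrets = [lbl for lbl in labels if lbl not in PUBLIC_LABELS]
    return {"blocks": labels, "secret_blocks": secrets, "ok": bool(labels) and not secrets}


def audit_directory(path: str) -> Dict[str, Dict[str, object]]:
    """Audit every regular file below `path` (e.g. the client's certs directory)."""
    results: Dict[str, Dict[str, object]] = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                results[full] = audit_export(fh.read())
    return results


if __name__ == "__main__":
    # Assumed default export location from the thread; adjust for your deployment.
    certs_dir = "/opt/iotnxpimxclient/certs"
    if os.path.isdir(certs_dir):
        for file_path, result in audit_directory(certs_dir).items():
            status = "ok" if result["ok"] else "CHECK"
            print(f"{status}: {file_path} blocks={result['blocks']} "
                  f"secrets={result['secret_blocks']}")
    else:
        # No device present: demonstrate on the constructed samples instead.
        print(audit_export(SAMPLE_CERT_ONLY))
        print(audit_export(SAMPLE_WITH_LEAKED_KEY))
```

Run it on the gateway after the client has written its certificate files; a file that reports any secret-bearing block means key material reached the file system, which is the condition a secure-element deployment is meant to rule out. Certificates alone being present is the expected, non-sensitive result.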

864 Views
Kan_Li
NXP TechSupport

Hello @prabhunath_gupt ,

 

  1. Will the same client library be used if we go with the "A71CH Provisioned & Programmable type; Ready for IBM Watson IoT" type? If yes, then reading the certificates from the A71CH and storing them in the file system is again a security blocker for us. - Usually the certificates are provisioned into the A71CH and the host controller may fetch them from the secure element via a secured channel; here we use SCP on platform/applet level, so I could not understand what the scenario without extracting certificates from the secure element would be like. Would you please clarify?
  2. What are the other security advantages of the "A71CH Provisioned & Programmable type; Ready for IBM Watson IoT" apart from the certificate provisioning performed by NXP? - The main advantage is saving the cost of provisioning; this IC can be used directly for the IBM Watson IoT application out of the box.
  3. The OpenSSL engine used in this C client library is an old one; is there any plan to update this C library, as it has not been updated for more than 2 years? - The Plug&Trust MW comes with two OpenSSL Engine implementations; both implementations support OpenSSL 1.1.1:

     • SSS API based (A71CH SSS OpenSSL Engine)

     • A71CH Legacy API based (A71CH Legacy OpenSSL Engine)

     Does this version meet your requirement? Please kindly clarify.

Have a great day,
Kan



0 Kudos

932 Views
prabhunath_gupt
Contributor II

Dear NXP Team,

We are waiting for your response to the above query; please provide some inputs on this.

Do let us know if any other information is required.

0 Kudos