MAXREFDES143#: DeepCover Embedded Security in IoT Authenticated Sensing & Notification
Dependencies: MaximInterface mbed
The MAXREFDES143# is an Internet of Things (IoT) embedded security reference design, built to protect an industrial sensing node by means of authentication and notification to a web server. The hardware includes a peripheral module representing a protected sensor node monitoring operating temperature and remaining life of a filter (simulated through ambient light sensing) and an mbed shield representing a controller node responsible for monitoring one or more sensor nodes. The design is hierarchical with each controller node communicating data from connected sensor nodes to a web server that maintains a centralized log and dispatches notifications as necessary. The mbed shield contains a Wi-Fi module, a DS2465 coprocessor with 1-Wire® master function, an LCD, LEDs, and pushbuttons. The protected sensor node contains a DS28E15 authenticator, a DS7505 temperature sensor, and a MAX44009 light sensor. The mbed shield communicates to a web server by the onboard Wi-Fi module and to the protected sensor node with I2C and 1-Wire. The MAXREFDES143# is equipped with a standard shield connector for immediate testing using an mbed board such as the MAX32600MBED#. The simplicity of this design enables rapid integration into any star-topology IoT network requiring the heightened security with low overhead provided by the SHA-256 symmetric-key algorithm.
More information about the MAXREFDES143# is available on the Maxim Integrated website.
Diff: SensorNode.cpp
- Revision:
- 32:0a09505a656d
- Parent:
- 30:0784010d6975
diff -r 7b10bcb3e0fc -r 0a09505a656d SensorNode.cpp --- a/SensorNode.cpp Tue Apr 04 14:10:48 2017 -0500 +++ b/SensorNode.cpp Mon Nov 06 17:34:13 2017 -0600 @@ -28,222 +28,217 @@ * trademarks, maskwork rights, or any other form of intellectual * property whatsoever. Maxim Integrated Products, Inc. retains all * ownership rights. -******************************************************************************* -*/ +*******************************************************************************/ +#include <I2C.h> +#include <MaximInterface/Devices/DS2465.hpp> +#include <MaximInterface/Links/RomCommands.hpp> +#include <MaximInterface/Platforms/mbed/Sleep.hpp> #include "SensorNode.hpp" #include "SensorData.hpp" -#include "Masters/DS2465/DS2465.h" -#include "RomId/RomCommands.h" -#include "I2C.h" #ifdef TARGET_MAX32600 -#include "max32600.h" -#include "clkman_regs.h" -#include "tpu_regs.h" +#include <max32600.h> +#include <clkman_regs.h> +#include <tpu_regs.h> #else #include <cstdlib> #endif -using namespace OneWire; -using namespace OneWire::RomCommands; +using namespace MaximInterface; +const ManId SensorNode::manId = {0, 0}; bool SensorNode::rngInitialized = false; -void SensorNode::initializeRng() -{ +void SensorNode::initializeRng() { #ifdef TARGET_MAX32600 - MXC_CLKMAN->clk_config |= (MXC_F_CLKMAN_CLK_CONFIG_CRYPTO_ENABLE | MXC_F_CLKMAN_CLK_CONFIG_CRYPTO_RESET_N); // Enable crypto oscillator - while ((MXC_CLKMAN->intfl & MXC_F_CLKMAN_INTFL_CRYPTO_STABLE) != MXC_F_CLKMAN_INTFL_CRYPTO_STABLE) ; // Wait for crypto oscillator stability - MXC_CLKMAN->clk_ctrl |= MXC_F_CLKMAN_CLK_CTRL_CRYPTO_GATE_N; // Disable crypto clock gating - MXC_CLKMAN->crypt_clk_ctrl_2_prng = MXC_CLKMAN->clk_ctrl_10_prng = 1; // Set PRNG clock to crypto clock - MXC_CLKMAN->clk_gate_ctrl2 |= (1 << MXC_F_CLKMAN_CLK_GATE_CTRL2_TPU_CLK_GATER_POS); // Use dynamic clock gating + // Enable crypto oscillator + MXC_CLKMAN->clk_config |= (MXC_F_CLKMAN_CLK_CONFIG_CRYPTO_ENABLE | + MXC_F_CLKMAN_CLK_CONFIG_CRYPTO_RESET_N); + // Wait for crypto oscillator stability + while ((MXC_CLKMAN->intfl & MXC_F_CLKMAN_INTFL_CRYPTO_STABLE) != + MXC_F_CLKMAN_INTFL_CRYPTO_STABLE); + // Disable crypto clock gating + MXC_CLKMAN->clk_ctrl |= MXC_F_CLKMAN_CLK_CTRL_CRYPTO_GATE_N; + // Set PRNG clock to crypto clock + MXC_CLKMAN->crypt_clk_ctrl_2_prng = MXC_CLKMAN->clk_ctrl_10_prng = 1; + // Use dynamic clock gating + MXC_CLKMAN->clk_gate_ctrl2 |= + (1 << MXC_F_CLKMAN_CLK_GATE_CTRL2_TPU_CLK_GATER_POS); #endif } -SensorNode::SensorNode(mbed::I2C & i2c, uint8_t ds7505_i2c_addr, uint8_t max44009_i2c_addr, DS2465 & ds2465) - : m_initialLux(1), ds2465(ds2465), selector(ds2465), ds28e15(selector), ds7505(i2c, ds7505_i2c_addr), max44009(i2c, max44009_i2c_addr) -{ - if (!rngInitialized) - { +SensorNode::SensorNode(::mbed::I2C & i2c, uint8_t ds7505_i2c_addr, + uint8_t max44009_i2c_addr, DS2465 & ds2465) + : initialLux_(1), ds2465(ds2465), + ds28e15(MaximInterface::mbed::Sleep::instance(), ds2465, &skipRom), + ds7505(i2c, ds7505_i2c_addr), max44009(i2c, max44009_i2c_addr) { + if (!rngInitialized) { initializeRng(); rngInitialized = true; } } -bool SensorNode::initializeSensors() -{ - return (max44009.read_current_lux(m_initialLux) == MAX44009::Success); +bool SensorNode::initializeSensors() { + return (max44009.read_current_lux(initialLux_) == MAX44009::Success); } -bool SensorNode::setSecret() -{ - DS28E15_22_25::Scratchpad scratchpad; - DS28E15_22_25::Page pageData; - +bool SensorNode::setSecret() { // Create constant partial secret + DS28E15::Scratchpad scratchpad; scratchpad.fill(uint8_t(defaultPaddingByte)); - // Read page data - bool result = (ds2465.readMemory(DS2465::UserMemoryPage0, pageData.data(), pageData.size(), false) == OneWireMaster::Success); // Calculate secret - if (result) - { - result = (DS28E15_22_25::computeNextSecret(ds2465, pageData, authData.pageNum, scratchpad, ds28e15.romId(), ds28e15.manId()) == ISha256MacCoproc::Success); - } - return result; + const Sha256::SlaveSecretData data = DS28E15::createSlaveSecretData( + DS28E15::Page(), authData.pageNum, scratchpad, romId_, manId); + return !ds2465.computeSlaveSecretWithSwap(data, 0, DS2465::FullPage); } -bool SensorNode::checkProvisioned(bool & provisioned) -{ - DS28E15_22_25::BlockProtection protectionStatus; +bool SensorNode::checkProvisioned(bool & provisioned) { + DS28E15::BlockProtection protectionStatus; bool result; - - - result = (ds28e15.readBlockProtection(0, protectionStatus) == OneWireSlave::Success); - if (result) - { - if (!protectionStatus.noProtection()) - { - result = (ds28e15.readSegment(authData.pageNum, authData.segmentNum, authData.segment) == OneWireSlave::Success); + + result = !ds28e15.readBlockProtection(0, protectionStatus); + if (result) { + if (!protectionStatus.noProtection()) { + result = !ds28e15.readSegment(authData.pageNum, authData.segmentNum, + authData.segment); if (result) provisioned = true; - } - else - { + } else { provisioned = false; } } return result; } -bool SensorNode::checkAuthentic(unsigned int userEntropy) -{ - DS28E15_22_25::Scratchpad challenge; - DS28E15_22_25::Page pageData; - +bool SensorNode::checkAuthentic(unsigned int userEntropy) { + DS28E15::Scratchpad challenge; + DS28E15::Page pageData; + // Read page data - if (ds28e15.readPage(authData.pageNum, pageData, false) != OneWireSlave::Success) + if (ds28e15.readPage(authData.pageNum, pageData)) return false; - + // Create random challenge // Use hardare RNG on MAX32600 -#ifdef TARGET_MAX32600 +#ifdef TARGET_MAX32600 MXC_TPU->prng_user_entropy = userEntropy; #else std::srand(userEntropy); #endif - for (size_t i = 0; i < challenge.size(); i++) - { + for (size_t i = 0; i < challenge.size(); i++) { #ifdef TARGET_MAX32600 challenge[i] = MXC_TPU->prng_rnd_num; #else - challenge[i] = std::rand(); + challenge[i] = std::rand(); #endif } // Write challenge to scratchpad - if (ds28e15.writeScratchpad(challenge) != OneWireSlave::Success) + if (ds28e15.writeScratchpad(challenge)) return false; // Have device compute MAC - DS28E15_22_25::Mac nodeMac; - if (ds28e15.computeReadPageMac(0, false, nodeMac) != OneWireSlave::Success) + Sha256::Hash nodeMac; + if (ds28e15.computeReadPageMac(0, false, nodeMac)) return false; // Compute expected MAC - DS28E15_22_25::Mac controllerMac; - if (DS28E15_22_25::computeAuthMac(ds2465, pageData, authData.pageNum, challenge, ds28e15.romId(), ds28e15.manId(), controllerMac) != ISha256MacCoproc::Success) + const Sha256::AuthMacData controllerMacData = DS28E15::createAuthMacData( + pageData, authData.pageNum, challenge, romId_, manId); + Sha256::Hash controllerMac; + if (ds2465.computeAuthMac(controllerMacData, controllerMac)) return false; // Check if authentic return (nodeMac == controllerMac); } -bool SensorNode::readSensorData(SensorData & sensorData) -{ +bool SensorNode::readSensorData(SensorData & sensorData) { bool result; int8_t temp; - + // Read temperature sensor result = (ds7505.read_current_temp(temp) == DS7505::Success); - - if (result) - { + + if (result) { sensorData.temp = temp; - + // Read light sensor double currentLux; result = (max44009.read_current_lux(currentLux) == MAX44009::Success); - if (result) - { + if (result) { // Convert lux to remaining filter life - sensorData.filterLife = (unsigned int)((currentLux / m_initialLux) * 100); + sensorData.filterLife = + static_cast<uint8_t>((currentLux / initialLux_) * 100); } } - + return result; } -bool SensorNode::checkAndWriteAuthData(SensorData & sensorData) -{ +bool SensorNode::checkAndWriteAuthData(SensorData & sensorData) { bool result = true; - - if (sensorData.filterLife > authData.filterLife) - { - sensorData.filterLife = authData.filterLife; + + if (sensorData.filterLife > authData.filterLife()) { + sensorData.filterLife = authData.filterLife(); + } else if (sensorData.filterLife < authData.filterLife()) { + AuthData newAuthData = authData; + newAuthData.filterLife() = sensorData.filterLife; + const Sha256::WriteMacData macData = DS28E15::createSegmentWriteMacData( + authData.pageNum, authData.segmentNum, newAuthData.segment, + authData.segment, romId_, manId); + Sha256::Hash mac; + result = !ds2465.computeWriteMac(macData, mac); + if (result) + result = !ds28e15.writeAuthSegment(authData.pageNum, authData.segmentNum, + newAuthData.segment, mac); + if (result) + authData = newAuthData; } - else if (sensorData.filterLife < authData.filterLife) - { - AuthData oldAuthData(authData); - authData.filterLife = sensorData.filterLife; - // Write new filter life to DS28E15 - result = (ds28e15.writeAuthSegment(ds2465, authData.pageNum, authData.segmentNum, authData.segment, oldAuthData.segment, false) == OneWireSlave::Success); - } - + return result; } -SensorNode::State SensorNode::detect(unsigned int userEntropy) -{ +SensorNode::State SensorNode::detect(unsigned int userEntropy) { bool provisioned; - - ds2465.OWSetSpeed(DS2465::OverdriveSpeed); - - RomId romId; - if (OWReadRom(ds2465, romId) != OneWireMaster::Success) + + ds2465.setSpeed(DS2465::OverdriveSpeed); + + if (readRom(ds2465, romId_)) return UnableToCommunicate; - ds28e15.setRomId(romId); - + if (!checkProvisioned(provisioned)) return UnableToCommunicate; - + if (!provisioned) - return NotProvisioned; - + return NotProvisioned; + if (!setSecret()) return UnableToCommunicate; - + if (!checkAuthentic(userEntropy)) return NotAuthentic; - + if (!initializeSensors()) return UnableToCommunicate; - + return Authentic; } -SensorNode::State SensorNode::authenticatedReadSensorData(unsigned int userEntropy, SensorData & sensorData) -{ - ds2465.OWSetSpeed(DS2465::OverdriveSpeed); - +SensorNode::State +SensorNode::authenticatedReadSensorData(unsigned int userEntropy, + SensorData & sensorData) { + ds2465.setSpeed(DS2465::OverdriveSpeed); + if (!setSecret()) return UnableToCommunicate; - + if (!checkAuthentic(userEntropy)) return NotAuthentic; - + if (!readSensorData(sensorData)) return UnableToCommunicate; - + if (!checkAndWriteAuthData(sensorData)) return NotAuthentic; - + return Authentic; } \ No newline at end of file