Unable to restore PicoHSM Private key (Issue importing DKEK?) #41
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Hi,
I am following the instructions for Backup and restore to setup my Pico HSM with a known DKEK so that it is possible to backup/restore the keys in it. So far all steps seem successful except that I am unable to restore (unwrap) a backed up key.
I suspect there is an issue with the import of the DKEK as when importing the DKEK with (sensitive data is stored in environment variables):
I always get output like:
This also happens when I initialise it with multiple DKEK files, the check value being
0000000000000000does not seem to be correct (is at least not what I would expect). However, this is always the case with everydkek.pbefile I generate (and these files are not the same)I have wrapped the a 2048 bit RSA key (tried with and without loadin the cert) with:
but when I try to load is back after I have reinitialised the PicoHSM) with:
I get the following output:
The device I am using is a WaveShare Pico RP2040 Zero and us image
pico_hsm_waveshare_rp2040_zero-3.6.gnuk.uf2.I also tried to use
pico_hsm_waveshare_rp2040_zero-3.4.gnuk.uf2but tht could not load a DKEK at all with my boardIs there something I am missing in my steps or is this a (known) issue? Any help or hints would be appreciated.
regards,
Frederik
Can you try with latest release 3.8?
Dear @polhenarejos ,
Sure, though at this moment 3.6 seems to be the latest release unless you mean switching to the development branch and compule the image myself ?
regards,
Frederik
Sure, not a problem.
A
DKEK key check value : 0000000000000000means that you have not been logged in. It is totally normal.I cannot reproduce your problem. I use the following commands:
Can you try them? Perhaps is a problem with RSA.
I tried with the
ec:secp256r1key as suggested though that gave the same result unfortunately:would it make sense to build an image myself or perhaps use another board (e.g. a Raspberry Pi Pico - not sure if that could make a differentce) ?
Can you execute this code and upload
output.log? Replacedkek.pbeaccordingly.Sure, please find output.log attached
I see:
Enter password to decrypt DKEK share : ./init_hsm.sh: line 114: 78462 Segmentation fault: 11 sc-hsm-tool --pin env:HSM_PIN --import-dkek-share dkek.pbewhich seems broken.
I see you are using OpenSC 0.25 and I remember it has some troubles. Can you try with OpenSC v0.22 or 0.23? These are the ones tested.
Hi @polhenarejos ,
Thanks for diving into this and pointing this out. I can confirm that installing OpenSC 0.23.0 indeed resolves the problem.
Perhaps good to add this to the documentation that it is required to not use a higher version? I installed OpenSC using HomeBrew (brew.sh) and didn't pay attention to the version. It turns out that only version OpenSC 0.25 is available through that channel so I had to install the official OpenSC package 0.23.0 from their release and that worked.
I have closed this issue, thanks again for your help!
Version 4.0 adds support for OpenSC 0.25.1 and should fix key import.
@polhenarejos thanks for letting me know, I can confirm this works now both with OpenSC 0.25.1 as well as 0.23.0